Fight Phishing! 6 MSP-Friendly Resources to Combat Phishing Attacks
Get great tools to educate your clients to Fight Phishing
Table of Contents
As a 100% MSP-focused business continuity and disaster recovery (BCDR) solutions provider, Axcient’s security experts compiled the following information, statistics, and resources to help MSPs discuss phishing with their SMB clients. It’s not just Nigerian Princes blatantly requesting your social security number – although those did pull in over $700,000 in 2019 alone. Today’s scams are subtle, believable, socially engineered, and account for over 45% of all email traffic.
The Problem with Phishing Is That It Works
In a survey of 1,000 MSPs, 54% say spam and phishing emails are the most common delivery method and the most significant cybersecurity vulnerability causing ransomware infections. The next two highest reported causes are ‘poor user practices/gullibility’ (27%) and ‘lack of cybersecurity training’ (26%). The positive takeaway from these statistics is the human factor.
Phishing doesn’t work without a human opening the email, clicking the link, or completing the action requested. In fact, more than 99% of cyberattacks rely on human interaction to work successfully. Despite that 95% of organizations say they deliver phishing awareness training, Terranova Security’s 2020 Gone Phishing Tournament finds that almost 20% of all employees are likely to click on phishing email links and, of those, 67.5% go on to enter their password credentials on a phishing website. Obviously, there’s a disconnect between employee training and identifying risks in the real world, and it costs SMBs an average of $25,612.
Everyone Makes Mistakes, but Educate to Limit Them
Unfortunately, clients can grow numb to all the cyberattack strategies and statistics threatening their business. The belief that ‘it won’t happen to me’ can cause business owners to put training on the back burner. Cost-conscious SMBs might prioritize profits and growth over cybersecurity and the consequences of data loss. Regardless of these hurdles, businesses need to regularly confront the number one cause of data loss they’re up against – human error. A staggering nine out of 10 (88%) data breach incidents are caused by employee mistakes that could be fatal to the business.
In a Business of Tech article, Dave Sobel, former MSP turned Evangelist, said, “The best solution for services companies is providing education services for their customers. It’s desperately needed, it’s effective, and beyond that, it shores up a company’s risk from being sued if something goes wrong. Showing documentation of a comprehensive security strategy, including education for users, will go a very, very long way in your defense for that inevitable day when something goes wrong.”
The Best Phishing Defense is a Good Offense – Proactive Communication
As part of your regular communication with clients, MSPs should always include information about the cybersecurity threats faced by SMBs. Phishing attacks today aren’t the same as they were ten years ago. New software, user behavior, business practices, and tools constantly evolve the cybersecurity landscape, and clients need to be aware.
You may know what a Homoglyph attack is – a.k.a. homograph attack, script spoofing, or homograph domain name spoofing – but do your clients? These attacks deceive users into visiting phony domains that look almost identical to legit sites. Once there, users are more likely to click links and input sensitive information.
Do your clients know Microsoft is warning its users about the BazarCall call center malware operation? Dave Sobel says, “It’s more dangerous than initially thought. It targets Office 365 and Microsoft 365 customers with phishing emails about an expiring bogus trial subscription, which then leads to a call to the call center to get the victim to install the Bazacall backdoor. The group can move quickly – within 48 hours of compromise.”
Most importantly, are clients aware that 91% of the time, phishing emails are the reason cyberattacks are successful? And SMBs are overwhelmingly targeted for these types of attacks? It is vital that to share these types of cybersecurity current events with clients, so they know what they’re up against, as well as what you’re offering to protect them.
Quick Tricks to Reduce PEBCAK Errors
A successful phishing attack is typically completed by a well-intentioned employee just trying to do their job. However, with the quickness and thoughtlessness that goes into opening emails and clicking links, it’s productive to give users easy-to-digest and memorable tricks for identifying potential attacks. Things like…
- ‘S’ is for Safe: All URLs should begin with ‘https’ – Never click a URL that doesn’t have the ‘s’ at the end of the protocol – or website address “prefix”.
- Just Say No to ‘REALLY!?!? Requests: Never give up your login credentials, payment information, or sensitive info via email.
- The 2 ‘P’s of Passwords: Perplexing and Periodic – Never reuse a password, make it complex, and change it regularly.
These types of quick reminders may seem silly, but they can really stick with employees. Encourage clients to think up more rules specific to their business practices. Create internal signage and post tricks around the office. These efforts are all in addition to, of course, regular cybersecurity training that should be required of all employees quarterly, if not monthly.
Faux Phishing, Testing, and Training Resources to #FightThePhish
Take advantage of these resources and share them with clients to highlight the need for ongoing phishing awareness training:
- CISA Cybersecurity Resources: Done-for-you partner presentation to explain cybersecurity and discuss technical topics with non-tech people, plus Tip Sheets on everything from phishing and spoofing to MFA, creating passwords, and workforce training.
- GoPhish: Free tool you can set up yourself to run internal phishing campaigns that test and prove how prepared an organization is to combat phishing attacks. This tool is handy for clients who believe their employees are trained appropriately to prevent exposure via phishing.
- SniperPhish: Also free, but this web-email, open-source phishing toolkit is more robust with the ability to capture login credentials to mimic real-world phishing simulations.
- Mimecast: A paid platform for security awareness training, including phishing campaigns that automatically bypass spam filters without requiring additional configuration.
- Webroot: Another paid security awareness training option that comes with pre-templated phishing campaigns and landing pages with phony login credential fields, designed to improve risky employee IT behaviors.
- Infosec IQ: A paid security awareness training and phishing simulator – also comes with pre-templated campaigns – focused on making employees part of the cybersecurity solution rather than the problem.
Axcient’s Patented, Always-On, Chain-Free Backup Technology is There When Human Error Strikes
All of Axcient’s backup products – x360Recover, x360Cloud, and x360Sync – are built on our proprietary and patented chain-free technology as the basis of our BCDR x360 Platform. As a 100% channel-focused solutions provider, Axcient developed our chain-free backup technology to eliminate storage and retention limitations, improve recovery time efficiency, and reduce complexity. Axcient wants to cure data loss – and help safeguard your clients’ data from phishing attacks.
Discover the benefits of chain-free backup with a Free 14-day Trial to see how it compares to your current solution.
About the Author:
Carissa Kohn-Johnson // Product Marketing Manager, Axcient
Carissa Kohn-Johnson has a background in marketing healthcare technology and information technology and currently works as the Product Marketing Manager for Axcient. She has a lot of MSP Channel experience from planning and attending hundreds of conferences and tradeshows, and found her passion for technology and working with MSPs in particular. She feels most at home with other technology-forward people. Connect with her on LinkedIn – perhaps you can contribute to the Axcient blog?
More From Our Blog:
Check out some other interesting pieces from our blog: we dove into how chain-based backup works and why chain-free is the way to be, we talked with Jason Phelps from Huntress Labs about planning for the next ransomware attack, our CEO David Bennett explains why the current cybersecurity landscape means traditional backup is dead, or learn how you can ditch pricey on-site appliances with Local Cache for Direct-to-Cloud BCDR.