Cyber Awareness Training Helps Defend Users from Brand Spoofing Attacks
Users may be more likely to fall for phishing emails that appear to come from trusted brands. Regular awareness training can help transform them into eagle-eyed threat detectors.
Key Points
- Bad actors often send email messages that impersonate brands in order to deliver malicious links or attachments.
- Employees may be more likely to be deceived by these messages because they appear to come from trusted brands.
- Cyber awareness training can greatly increase employees’ ability to avoid becoming victims of these brand exploitation attempts.
- To be effective, security awareness training programs need to be engaging, frequent, and relevant.
Phishing attempts and other cybersecurity attacks often exploit known brand names to entice users into clicking on links or attachments in email messages. Internal and external cybersecurity measures can help minimize this risk, but if a dodgy spoofed email makes it through those defenses unchecked, every organization wields a make-or-break last line of defense: humans. While humans are a weak link in cybersecurity, the right security awareness training program can transform them into strong allies against brand exploitation attacks and other phishing attempts.
Why Users Fall for Brand Exploitation Attacks
A key reason that brand exploitation attacks are so effective is that employees are more likely to click on a link or respond to an email request if it appears to come from a trusted brand. Furthermore, bad actors tend to play on users’ anxieties and desires in order to increase the likelihood that their attack will succeed.
For example, employees may feel under pressure to take action when an email seemingly from a legitimate supplier demands immediate payment for a late invoice. They may feel they need to act when their email service provider tells them their account has been compromised and they need to change their password as soon as possible.
But in reality, those emails may be from malicious actors impersonating reputable brands. Clicking the “invoice” attached to the supplier’s email might deploy malware, unknown to the user. Responding to an urgent request to wire money to a new bank account might send millions of dollars to fraudsters. The “password change request” that appears to come from an email service provider could direct the user to a credential-harvesting site that mimics the provider’s login page.
When employees fall for the deception, they may be completely unaware that they’ve put themselves and their company at jeopardy. In addition, if users can’t tell a legitimate email or website from a malicious impersonation attempt, they may forward risky brand exploitation attacks to others, exacerbating the problem. In fact, the 2020 Mimecast State of Email Security report found that 60% of organizations were hit by an attack spread by infected users to other employees.[1]
The unfortunate reality is that bad actors have found that exploiting brands provides them with an easy way into organizations. These brand exploitation attacks prey on human nature and our close digital relationships with the companies we know and trust. And that means bad actors aren’t going to stop impersonating brands in cyberattacks and phishing campaigns any time soon.
The good news is that the success of the attack ultimately depends on whether or not the attack recipient falls for the ruse. If you can raise employee security awareness, you can decrease the likelihood that they’ll succumb to brand exploitation attacks.
Regular Cyber Awareness Training is an Essential Defense
To avoid falling for brand exploitation attacks, individuals need to develop the skills to detect, or at the very least be suspicious of, even the most subtle spoofing attempts. Cybersecurity awareness training can help—if it’s done well.
Awareness training can be extraordinarily effective. One Mimecast analysis found that employees who received regular awareness training were 5.2 times less likely to click on risky links than those without.[2] But not all awareness training programs work well.[3] Often, awareness training methods lack engaging content and relevancy, are too long and drawn out, and are too infrequent.
Awareness training must be conducted regularly to make sure it remains top of mind for employees, and to help them stay abreast of the latest threats. Yet 55% of those who responded to the State of Email Security report do not provide awareness training on a frequent basis.
Good security awareness training programs regularly provide engaging content that’s short, sweet, and to the point.[4] Infrequent, extensive sessions with too much information to digest can lead to cognitive fatigue, and employees may forget what they need to know when it counts. Persistent—but not intrusive—short bursts of engaging training can help drill key points into memory. And they help to ensure that employees can keep up with rapidly evolving brand exploitation attempts—whether it’s via email or spoofed webpages.
Training also needs to resonate with individuals in order to be effective. Not every employee needs the same training or faces the same risks.[5] Risk profiling takes security awareness a step further by providing ways to safely test an employee’s risk factors and provide security administrators with the data they need to create customized awareness training. For example, who in your organization is often baited by phishing attempts that imitate well-known brands? Which employees tend to click on email attachments with abandon? Appropriate steps can then be taken to address problem areas before damage can be done.[6]
Technology Can Help to Reduce Online Brand Exploitation Attacks
Of course, technology can also help to reduce brand exploitation attacks. Email security services can block many brand exploitation attacks before they reach your users. And brands can apply online brand protection systems and DMARC email authentication to prevent bad actors from delivering those attacks. But inevitably, some attacks will penetrate any defenses—which is why you need to increase your employees’ ability to detect and avoid falling victim to those attacks.
The Bottom Line
Employees are the weakest link in many organizations’ cybersecurity defenses. And they’re particularly vulnerable to phishing attempts that spoof trusted brands. Security awareness training can vastly reduce the chance that employees will click on malicious links or attachments, or enter their credentials into a phishing page—ultimately helping to keep themselves and the organization safe.
[1] “The State of Email Security 2020,” Mimecast
[2] “Threat Intelligence Briefing: Security Awareness Training Helps Dramatically Reduces Unsafe Clicks Amid Surging Coronavirus Cyber Threats,” Mimecast Blog
[3] “Why Most Security Awareness Training Fails (And What To Do About It),” Dark Reading
[4] “How To Build A Strong Security Awareness Program,” Dark Reading
[5] “How to deliver cybersecurity awareness training that works,” SC Media
[6] “Mimecast Awareness Training: How Risk Scoring Works,” Mimecast
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!