The threat of email phishing is not going away any time soon, and as attacks become more advanced in the education environment, so should our defense against them. This is not just about sophistication, complexity or new technology. It has more to do with an attacker’s ability to follow, understand and even predict human social trends, as well as victims’ apathy toward learning from infrequent mistakes. The heart of good defense lies in proper user education and training, and simulating these attacks in your environment is one of the most effective ways to accomplish this. One good solution is the service that KnowBe4 provides. Connecticut College leverages their robust platform for phish campaigns and general security training. There are many customization options for campaign building, as well as handling results and consequences for “taking the bait.” The platform even shows users the red flags that they should have identified to avoid responding or clicking the link.
If your budget is tight, there are free, open-source options such as GoPhish that are also effective. Though the feature set is not as rich, GoPhish is a fairly solid phish simulation tool. It does require more resources to set up, and does not offer the degree of support that products like KnowBe4 provide.
If you want to have some fun educating yourself on your own time, Google offers a challenging quiz to test your ability to identify and avoid phish scams based on real-world scenarios. You can try it for yourself here: https://phishingquiz.withgoogle.com/ (Yes, this link is safe. We’re happy you asked!)
Technical controls are another necessary layer of defense against phishing. Google’s Education Plus platform now offers enhanced phishing detection and remediation tools. In many instances, the same or similar phish email is deployed to multiple parties within an organization. The Security Investigation tool allows administrators to quickly search by subject, attachment or recipients to identify and remove all instances of those phishing emails en masse. Multifactor authentication is another critical tool. Though its accomplishments rarely see the spotlight, “no news” can be “good news” as it relates to user account protection. MFA remains a stout line of defense in the event that credentials have been compromised.
Remember to stay vigilant when communicating online. If you are unsure whether a message is safe to act upon, don’t hesitate to ask first! Contact the IT Service Desk (860-439-HELP) or submit a ticket request via firstname.lastname@example.org