Phishing attacks and not so clever people

[Grubscrew]

What can be done to protect against phishing attacks that can lead to mail accounts smart phones being compromised?
User education is an ongoing affair, but we do have some really special people working for us and if it says click here for more money/love/sex/promises of greatness, they click here...

Any software\solutions we can have a look at ?

 

[DA-LION-619]

Ad blocker + Internet security?

 

[Deadmanza]

A decent, well configured firewall with app and web filtering.

/Thread

 

[Grubscrew]

A decent, well configured firewall with app and web filtering.

/Thread

Problem is that 95% of employees are offsite and use multiple devices.

 

[Deadmanza]

Problem is that 95% of employees are offsite and use multiple devices.

Nothing you can do about that.

User education is key in your situation. Although there are a few software "firewall" applications that allow you to do web filtering.

 

[UrBaN963]

Problem is that 95% of employees are offsite and use multiple devices.

Personal or corporate owned devices?

 

[Grubscrew]

Personal or corporate owned devices?

Personal

 

[LazyLion]

A good slap up alongside the head.

 

[Venomous]

Problem is that 95% of employees are offsite and use multiple devices.

For the repeat offenders....
Get ESET parental control, install and set age to 13
No more pr0nz for them :twisted:

 

[Grubscrew]

For the repeat offenders....
Get ESET parental control, install and set age to 13
No more pr0nz for them :twisted:

We will have an open revolt.

 

[Venomous]

We will have an open revolt.

Then you tell them it can be uped to 14 within 30 days if they show improvement in responsibility. To be re-evaluated every 30 days. They can get to adult status in 6 months.

And if they try sidestep eset you simply add wake and sleeping hours





But on a more serious note....
Threaten to do just the above and see how quickly they change their habits

 

[Kazuya]

Personal

I think right there is your problem. You cannot tell people what to do on their personal devices.
The best you can do is set up your network to do all the security and filtering for devices when they are on your network. Otherwise get them corporate devices and set them up yourself. Create document detailing the proper usage for the devices and have people read and sign them. Have disciplinary actions in place for those who abscond.
Educate people on the issues of security and what to be on the lookout for.

 

[RoganDawes]

Nothing you can do about that.

User education is key in your situation.

This!

We did a phishing exercise with a simple text payload, requesting users in a specific department to complete an "inventory sheet" for their IT resources, including their username and password, and mail it back to us.

We got several responses :-(

Nothing would stop this, other than education.

 

[RoganDawes]

A decent, well configured firewall with app and web filtering.

/Thread

Nope. "Users are stupid". I say that in quotes, because even trained security folk fall for quality crafted phishes sometimes.

BEST solution is to train your users in critical thinking, while reducing opportunities for them to screw up. For example, use 2FA to reduce the risk of them giving out their credentials. Also, sign genuine messages from internal staff so that their mail clients can highlight genuine messages vs fake ones (and train them to check for signatures). And yes, I'm talking about S/MIME, not PGP, since most devices support S/MIME, and very few have native PGP support.

 

[Rickster]

A brain.

/thread.

 

[Venomous]

This!

We did a phishing exercise with a simple text payload, requesting users in a specific department to complete an "inventory sheet" for their IT resources, including their username and password, and mail it back to us.

We got several responses :-(

Nothing would stop this, other than education.

Bwhahahahahahaha

Education makes noooooo difference.

Earlier when posting here I was cleaning a pc that had been taken over and it was sending out physing mails.

Guess what CEO, PAs, attourneys and many others responded with their full names, id, phone numbers and work/home addresses.
All to claim their share of prizes.

See if work won't invest in eset antivirus. Its avail for multiple devices, then after that if staff devices get "taken" its their own fault for not being cautious enough with attachments