We've got two wonderful experts here from Just Tech and Her Justice to talk to you about phishing. This is extremely relevant and extremely important. I'm going to be turning it over at this point to Michael Green to get us started. I'm very happy about this particular topic and excited to see it. If you've got any questions as the presentation goes on, please feel free to ask them. There are two ways to do that. Number one, you can type them in the question box; myself and Cat will be monitoring that box, and we will read those aloud. You can also use the raise-hand function, which is going to allow us to unmute you. We will watch that, and you can ask questions verbally. If anything comes up, please feel free to message us or even contact us afterwards. We're happy to do further follow-up on any of these topics. Take it away for us, Michael.

All right. Thanks a lot, sir. I appreciate the opportunity to come in here and do a webinar like this. As he was saying, this is really relevant stuff, and it's not going to get any easier, and for IT professionals, training staff is a really important topic. I have a lot of experience, 18 years myself in the IT field. The majority of that has been on the nonprofit side, and with legal services I've worked in the last couple of years especially, and then with Just Tech now as one of their consultants and engineers. So I don't pretend to know everything, but I definitely have seen my fair share of spam, and phishing in particular, and I've been in scenarios where we've had to do recoveries, and have been in scenarios where we've had little impact at all because we've been prepared. So Mary, why don't you tell us a little bit about yourself as well?

I have been around technology for years, and I am not going to go that far back into how close to the invention of fire it was. I have been with Her Justice since 2009. I was made director of information services, the first manager, then director of information services, in 2012. We are a legal services organization in New York City that helps low-income New York City women in civil law, and we are partially moved to the cloud, and that means that, you know, we really pay a lot of attention to what's coming in through email. We've come through a couple of attacks ourselves of CryptoLocker, and because we had really good backups, it was a lot less painful than it could have been.

Oh, I'm really interested in this. All right, let's move on to the next slide. There we are, that was us. All the illustrations for this are Mike's; he's absolutely brilliant on this. Thanks.

All right, so I think we're off. You know, if we're here in this webinar, we've kind of heard of phishing before, but just so our basics are covered, we just wanted to lay down a definition of what we're calling phishing. It's basically trying to trick staff and users to click or open something on impulse. Maybe it's a limited offer or a scare tactic. And we're really just looking at trying to minimize impact to our staff, and what phishing has done, we've seen it affect huge corporations who haven't been as prepared. So this is really just a little bit of a description and a little good imagery of what we're looking at here, and let's move on to the next slide.

All right, so the end game for all phishing attacks is money, whether it's lost money for us or gained money for them.
It's really all about our piggy bank. So the common methods to do something like this are compromising our key users, typically in finance or the administration; they're the ones that would normally hold the keys to any kind of money. Also, they try to attack IT and human resources; those are big targets as well, because if they can spoof a human resources or an IT person's account and make you think it's coming from them, you're more likely to click on it. Also executive administration as well. And the other way is they basically hold you, like CryptoLocker; they will hold your systems at ransom if they can get in, and then either force you to pay a ransom, which is never ever recommended, there's no guarantee you'll get your data back even if you do pay them, but they try to hold you hostage for your data. And we'll go into later on how to mitigate and avoid those kinds of pitfalls. Let's go on to the next one. Oops, you knew that was going to happen. Here we go.

Okay, so the first question is, so what? So what happens when someone clicks and enters some information? What does it really matter? Well, what really matters is that once the account information is exposed, you have content management systems, you have client databases, and you have client information that can get out there, and if you're in a sensitive service organization, that can be very damaging to your client. You also have disclosure and protection rules; if you're in healthcare, you have a HIPAA violation potentially. Internal files include HR, getting to your staff IDs, staff addresses, and staff personal information. Again, if you're a high-risk organization, that can be bad for your own people. What kind of damage can you get? Reputation hit: if something comes out that is from a hacked account, that makes your reputation suffer, so something that is racist or otherwise offensive comes out from your organization's account.
That's very bad and is very hard to come back from, and since we know that nothing really dies on the internet, it can go on forever.

Recovery on that, Mary, if I can interject. I just wanted to talk about, you know, we've seen instances where Twitter accounts, Facebook accounts have been compromised, and although ultimately someone can say, you know, I got hacked, there's always the repercussion: okay, they're not keeping track of their passwords, they're not keeping them secure. So it can really affect how people view your company, whether it's the latest and greatest and they're capable people who can handle my case or account. On the low end, you know, if they can't even handle their Twitter account or their Facebook account, how are they supposed to confidently handle my case or my account? So it's important to keep those passwords hidden as much as possible, or in the right hands, but also being able to lock them down if someone should leave, in a scuffle or something to that effect, so we can minimize any kind of damage to a reputation.

That's a really important point about critical passwords: they should not just be in one person's hands, particularly once that person leaves. And that's a recovery cost, and it's downtime. If any of these system access things go sideways, what you need to do in order to just track down the user account, track down the password, and be able to shut it off can be really difficult if you're dealing with a vendor system like web hosting, and trying to convince Twitter or Facebook that you are who you say you are and you represent the company you say you do can be a real saga. So one note here that is not on the slide is ransomware, and the Petya ransomware showed up as a fake attachment, and we're going to be talking later about the damage those attachments can do and how you can see where the bad things are happening.
Yeah, you know, just on Petya. A lot of people have talked about why it was so widespread and what really happened, and what it really boiled down to is it hit a lot of European companies pretty hard; I know Maersk was a big name that went around. But a lot of it had to do with just either out-of-date operating systems or unpatched operating systems. So we'll get more into that later, but that was why that one really hit so hard in certain companies.

So now we're going to talk about the bait, what leads people to click on things and submit this information. You know, bait is attractive to fish because it's tasty, and the bait that phishing emails use is interesting; it catches attention. It seems like it's the kind of thing that a user would be getting generally: FedEx invoices, client assistance, and urgent emails. These are things that users get a lot, particularly people in finance. They pay invoices, they pay FedEx, they get FedEx routing slips, so it doesn't make anybody worried. Is this really different now? I get ten of these FedEx ones a day, yeah, let me click on this. Another sort of detail in this is the personalized email, where it seems to come directly from a known co-worker or executive, and we had one that looked like it came from our executive director. Who's not going to open an email from the executive director, right? And the side thing here is that I have seen references to whaling as actually email sent to top executives, who are more likely to just open up and deal quickly with their email. Password resets and fake communications from IT: if your organization is larger than having one IT person, or two or three IT people that everybody knows, to walk down the hall and talk to, this is more likely to succeed, right?
It's "IT support"; I don't know who IT support is, it's a bigger department. People are more likely to fall for this. URL manipulation: what a link looks like in an email is not what the link actually is, and we're going to show some examples of how you can teach users to look at what's in that link without actually clicking on it. And the attachments with malware go back to, you know, fake FedEx invoices, something that looks like a PDF that is actually not a PDF, that is actually an executable. So these are some of the general areas that are more likely to attract unfortunate opening and clicking from your users. Mike?

No, that's absolutely right. I think there are really three big categories, and I touched on them earlier. It's either a scare tactic, do something now or something bad is going to happen; or basically a you've-won scenario where, hey, you have a limited time, click this so you can get your prize or your free trip, something to that effect; or the camouflage effect, where this is a legitimate correspondence, and you normally get these anyway, or it's from a reputable source.
It's completely safe at that point. So those are the three big blanket categories that phishing really tries to disguise itself as. I did want to take a moment to pause to see if there were any questions or anything to that effect. If anybody does have a question, feel free to put it in chat or use the raise-hand function so we can try to address it. I want to make sure we stick to our time, but I also want to make it as interactive as possible so people can talk about it.

Could you take just a second and explain a little bit one of the terms you mentioned earlier, ransomware, what that is? If you've got slides on it in the future that cover it in depth, fine, but there are several people who are not familiar with that term.

Yeah, sure. So basically ransomware is, say you've already clicked on an email or opened an attachment that has a piece of code that allows access into your system and your network. What the attacker will do is, typically, encrypt all of your hard drive data or your network data, and then keep the password under their own lock and key, and then they hold your data for ransom. So you essentially don't have access to any of your files or any of your data without them giving you the key, and usually it's for a sum of money, but even if you pay them, there is no guarantee. And then the way that we look to try to avoid that is having current, good backups, and I can't stress that enough, and we'll talk more about that down the line. But that's just kind of a brief nutshell of what ransomware is. Does that help?

Oh, definitely, and I've also posted in the chat one of our more popular articles from this last year; it's on ransomware, and it emphasizes exactly what you're talking about, especially with the preventive things that you can do; the backups help significantly.

All right, let's go ahead. Sure, we're going to talk about how you recognize this before the great "oh no" second, which is the time frame between having clicked on something and realizing you shouldn't have. Right, so what can you see on your screen? The first thing is that the email's tone itself is urgent; it is telling you that you have to do this now. This is popular on emails that seem to come from the IRS: you must give us money now, someone's going to show up at your door to arrest you; click here now to prevent puppies from being starved. Right, that's provoking. Or an email that pretends to be authentic in tone, so another kind of billing thing: in regard to this account number, which is probably not your account number, this invoice has been marked delinquent, it's over 90 days, please click here. So it's that kind of thing. The phishers are trying to get you to take an action, not just open the email, because opening the email generally doesn't cause something bad to happen immediately. It's taking an action within the email, and that's what you're teaching users not to do: open an email, read it, and calm down, take a breath. Okay, the actual sender's email is not who they say they are, so we have an example later on of an email that claims to be from UPS, and the email itself is at this, that, or the other thing, not UPS. Yeah, the return address shows up, and it's easy to see, and it's easy to teach people to see it. If you move the mouse over the hyperlink, the hyperlink text is not what the hyperlink itself is. That's like in the story of Winnie the Pooh: Winnie the Pooh is under the name Sanders. If you click Sanders, you're not getting Sanders.
You're getting Winnie the Pooh here. This is a lot less than it ever went. And there are spelling mistakes or grammar mistakes. There are things that, if you look at it, would somebody in an organization really send this out? Would they really send this back? So this is a smell test. It's teaching people how to develop their own smell test and how to tell whether something passes or fails. And sender: you know, Jennifer Lawrence is wonderful, but she may not be sending you a personal email. Neither would George Clooney, okay? Or, you know, CIO magazine; well, CIO magazine is actually really good, I haven't seen that spoofed too much, but that kind of thing. Okay, Bill Gates is probably not sending you information on how to fix your Windows patch. So that kind of thing is what you're looking for, and emphasize to people that mousing over is okay; clicking is the problem.

So I think, as far as claiming to be something again, we have some examples here that will show you a lot of them. One of them claims to be the IRS, one of them claims to be IT support, and so they are what we would normally think of as a reputable source, or internal, or safe. And that's really the guise of a phishing email, that it's safe.

So here's our first example. The first thing here is that you have a help desk. That's okay. But this comes from "c sends at addison parks dot or"; it doesn't say that it's a help desk. You could be forgiven for thinking it's a person in the help desk department, but that's not what a "from" looks like; it's usually a real name with a real person. Now the thing to know about this particular one is that if you were to Google "c sends at addison parks dot or", you would actually find this is a real person, a pretty common last name, and there's nothing too out of the ordinary about the domain. So if you get something that you're not sure about and it seems to be a real person, you can try Googling it, and then does it make any sense?
Here it doesn't. So we have a subject that seems to make sense. Then we get into the text, and here's where we're talking about misspellings, typos; so that's not how "maintenance" is spelled, and that's a sentence fragment. And then we have the "please view or download your pending messages." So this is urgent, right? It's saying you have these urgent messages, they're not delivered yet, we need you to get to these. And then there's this promise that there's going to be an improvement to your mail system. Who doesn't want an improvement? Yay, yes, let's click here, right? And then we get back to that "mandatory." And then you have "IT support team," which is not the same thing as help desk. So there are a bunch of red flags here, and it doesn't really take long to read them, but you have to kind of know what the clues are. So think about: does this email make sense? Is it what it says it is? Is what it's asking me to do sensible? And all of them have to be right, you know.

So the next one is one that Mike is going to talk about, these apparently valid email addresses.

Yeah, and so all of these are real examples that we've plucked from our companies. So this is not something that we fabricated for this webinar; these are actual phishing emails that we've got, and we've doctored them a little bit so you can see what we're looking at here. So this example is one that pretends to be internal. They actually put our organization's domain name, which I've redacted because I'm not with them anymore, but it was pretending to be someone named Amanda Roberts. Now, me being the one-man IT shop that I was there, of an organization that was less than 100 people,
I knew the names of everybody in the organization. I knew there was no Amanda Roberts in the organization. But then what they did below that was they used a different naming convention, and they still had the same domain name underneath. So that's a big red flag to me: we didn't have a naming convention of amanda at whatever dot org, and then they changed it to look like a first initial of a first name and the last name, "mendel," at the same domain address. So if they don't have the same naming convention, that should be a red flag right there. And especially if the name is unfamiliar, like, I'm not sure this person is even here, or maybe it's somebody who's no longer with the company and they're sending an email to the company; that's a big red flag as well. And this one says, you know, we just got this notice from the IRS. We've seen the IRS emails plenty of times; these are especially prevalent from January to April for some reason, I wonder why. But it's got this IRS notice 8247, and then it asks you; so the action item there is, are these correct? Check it out, it's from the IRS, it's trying to be important. And then I actually called these numbers at the bottom there, and they just rang busy. I just thought, well, let's see what happens if I call them, right?
So this is just another case where they tried to pretend that they're internal. It wasn't trying to be IT support, but it had something to do with finance, so then it's trying to access money again at this point. Let's go on to the next one.

All right, so this one went to an attorney, and this one's pretending to be from the Office of the State Attorney. And the red flag here, and I didn't circle it but should have, is the mail-to right next to the Office of the State Attorney. It has a dot department dot outlook dot com, and if it's a state attorney, I would assume that they're not going to have an outlook dot com email address. They're going to have a something dot gov, right? That's typically the way the government would work. So an outlook dot com for a state attorney is a red flag to me that it's fake, and these are the kinds of things that we need to teach our staff: that these are the tell signs that this is probably not who they say they are, and we should delete it immediately. Usually what I do when I see something like this is I send a communication to all staff to say, this is going around, don't click on it or open it. And I guess the inverse of that is, if you already did click on it, please let me know ASAP, because that's happened. Actually, it happened in this particular phishing email's case. They sent me this saying that they couldn't open this attachment, and I was like, oh boy. So I know it's a little small here.
So I had this tan arrow highlighting this "complaint 88947 dot pdf", and if you mouse over it, and this is the large version of it, it's actually a hyperlink. And so the user was telling me, I can't open this PDF document, and I'm like, well, that's because it's not a PDF document; it was actually a dot zip file, which probably installed some malware. And not by any coincidence, the next day we received a spam message to the entire... I believe they got our entire global address book, because they sent an email to everybody claiming it was internal. So there was a little bit of cleanup I had to do on that one because this individual had already clicked on it. But again, the bottom red circle: there's a "please review the enclosed complaint." So again, there's this urgency. It's a complaint from the state attorney, we need to do something about it now. And at the bottom, it says the Office of the State Attorney, but there's no name, there's no contact information to directly contact anybody other than an email address to reply to, so that's a big red flag as well. There's nothing to verify it or validate the sender. Let's see here; let's move on to the next one, unless anybody has anything else to add to it. Mary?

No, I'm good on this. Okay.

This UPS one: I was actually waiting for a UPS delivery when I got this email, and it says "UPS Quantum View," which I believe is a service that UPS has. But again, as Mike pointed out about the email address, ups at pierce rx dot com: if I had been getting a prescription, I might think "rx," is this some insurance third-party shipper that I don't know about? But again, I would go and look. I was more concerned because I knew it wasn't a shipment.
I knew it wasn't a prescription. The shipment number looked awfully short for UPS, so I went to the UPS website myself, where I wasn't following a link, typed in the shipment number, and it said this is not a valid number. Well, I kind of didn't think it was, but this is how you check it out. And the email itself actually made sense to me. I do not have a way to get packages at home, so a parcel going to their office makes sense. Okay. Nobody called me; I didn't get a phone call. I could call UPS, but I don't have a mail slip, and my UPS guy does not put anything in my mailbox. And then we get to really the point of the mail, right? It's in "health impact now" and this long link, and no, I'm not going to click on this, because at this point I know it's not a prescription, I am suspicious about the rest of the content, forget it. And then it had the shipping service, UPS Air Next Day; it could be. And that is my email address. But the thing that really clicked it for me was that it was not a valid UPS address, and that's something that anybody can check by going out of the email to their own browser. Mike?

Yeah, I just wanted to add, so if UPS is sending you a delivery notification, it's not going to be "ups at anything dot com." It'll be, you know, mail-to at ups dot com or something to that effect, where UPS will be the domain name and not the sender name. Does that make sense?
So that's where I would look at that and say, of course it's not right, because if it was actually UPS, it would be like pierce rx at ups dot com. So that's what I see as the phishing about that one. All right, let's go on to the next one.

Sometimes if you get an email that seems to be from a large corporation, American Express or UPS, Microsoft, Discover Card, you may want to, if you want to pursue it, look at these internet headers, which actually contain all the information about how the email was addressed and how it traveled to you. So in Outlook, if you have the email open, not just previewed but actually open, File and Properties gives you the internet headers. This is another way of looking at this. It still shows us "UPS Quantum View," ups at pierce rx, and it shows you what kind of mailer it came from and where it's going. If you were in communication with the actual firm, who is not going to be happy about this either, right, that their email addresses are being spoofed, you can copy everything in internet headers and send it to whichever place their support people tell you. So it's usually like abuse at chase dot com or abuse at discover, you know, to help them. Is it going to help them a lot? Probably not, but you might feel better. Okay. And again, here you can see that the original email address was not a ups dot com email address.

So, yeah, and this is from Outlook. I haven't looked into, if I was in Gmail myself or using something besides Outlook, basically how I would get that information. It might be something that we could look at to see if there are any questions, or how people can get the same kind of information from, say, a Google account.

I looked, but I didn't talk about it. So, anything else, or shall I move on?
That's it for now. So that's kind of like our case examples. We're going to look at some of the ways we can do some prevention, and we broke it down into two categories. There's the prevention that you can do at the tech level, the mechanisms that we can put in place as IT in the background to mitigate, in some cases omit, and keep the spam down in the first place, or keep us from getting infected or getting widespread infections. So that's the technology prevention. And as we talked about initially, the biggest things that we can do are some of the smallest things: keeping your operating system up to date, and a current operating system. You know, don't be using Windows XP, because it's not supported and they're not making updates for it. And then having a reputable antivirus that keeps current and updated. It's easier to do on a smaller scale, and as corporations and companies become larger, then it becomes the challenge of how do we do this effectively and then verify that it's being done. So that right there is part of the challenge, and so they have these enterprise solutions, both from Microsoft for operating systems, like group policy, and then, I know Symantec is a big name, but there are also some other names out there that are also really good products, but basically to allow you to effectively push out updates. And what I mean by push out is I'm providing the updates to the end user, and the end user doesn't have to go out and click on something to download something. That's the real difference: I'm forcing these updates to happen either behind the scenes or letting them know, and having that kind of governance as an IT manager or an IT support system. That's the big key right there, being able to manage that on the back end, and not on the user, who really wants to focus on their job. And that should be our main goal too: to enable them to do their job and not have to worry about these IT pieces behind the scenes as much as possible.

And so that kind of leads into having some of the measures in place, and some of that's getting the buy-in from administration to get these kinds of enterprise pieces of software that are scaled to your company, that really make the difference between a widespread infection and just maybe one or two computers that are easily cleaned off. It can make all the world of difference having the right tools for the job. And then outside of that, just as important, is a recovery plan and reliable backups that are tested regularly. I've had personal experience with a ransomware virus that hit a company I was with, and because we had verified, reliable backups, I was able to replace the encrypted files in a matter of a few hours. And I mean we're talking about terabytes of data that was encrypted, and I was able to basically go back to a few hours before that, I guess the day before, so not much work lost. And that's always the tough part: if your backups aren't current or they're not verified, you're really talking about how much time am I losing to go to a backup? Am I going a week? Am I going a month? Six months?
You really don't want to have to do that. When you're going to backups for these CryptoLocker or ransomware kinds of things, you need to have current things, so the worst-case scenario is I only have to go back to yesterday, and maybe I lose a few hours, but considering the alternative, that's a huge savings on your part. So if you don't have anything in place, or you're only backing up data, that's half the battle. Right, so your data is your most important piece, but just as important as your data is your delivery system, your server environment. Make sure those are also backed up, the configurations, because if there's a virus and your servers go down, sure, your data is intact, but if you have no method of access or delivery to the staff, what good does it do you? You're still down. So it's very important to make sure that your server environment is in your... I guess there's also the internet environment. I don't want to spin off too much on backups, but I do want to say that having those backups tested and verified, and I would say at a monthly level is my preference, but everybody's got their own budget to work with. Just have something that's reliable and in place, and a plan, so you don't have to lose out so much when something does happen. And I say when, because it's really not a matter of if. And if you think you're not a target: if you've gotten a phishing email, then you're a target. So I think at this point there's no "if you're a target"; you are a target, and when something like this hits you, it's just a matter of, is it widespread, or can I really just laser-focus it and just clean a PC off with a quick check? And then cyber insurance. Mary, did you want to talk about that?
Cyber insurance is relatively new, and some auditors actually request it, and some audit and finance committees and boards request it. And it can cover a variety of things. It can cover a ransomware attack; not to say that it would be funding for the payment of ransom, which again is really, really not recommended, but for costs associated with recovery. And it's a belt-and-suspenders thing. If you have been hit and your board wants assurance that you'll have a capability of spending money outside the budget to recover, this is something you may want to talk about. Certainly if your auditors bring it up, have the conversation. Just don't say, oh, we're not big enough or we're not important enough. Do have the conversation.

The other thing I would like to say: Mike is a hundred and fifty percent right about not Windows XP, not outdated operating systems, not leaving patches go for months and months. That said, today is Patch Tuesday for Microsoft. It is okay not to apply your patches the same day, particularly in a smaller organization, and I tend to wait till the Friday, because if there's something wrong with the patch... I know this may come as a terrible shock to many people, but Microsoft sometimes releases ugly patches, and if you are an IT person of one, or an IT department of one or two, you don't want to be the one discovering that. So patches, yes; in the first 24 hours, maybe not, but certainly within a week. Okay, Mike, shall I go on?

So there is a quick comment here, which is: in Gmail you hit the drop-down on the right and select "Show original," and that shows you all those things you were looking at in Microsoft, and in pretty much every email platform there is a way to get at that back-end information.

Right. All right, thanks for that. So just a quick tidbit of information.
So this happened last May, when there was WannaCry, which is the name of a ransomware that happened last May. The National Health Service for Britain did a kind of study of operating systems for computers, just desktop computers, and why it was so widespread. So this was just last May, 2017, and they found that probably close to half of the polled operating systems were Windows 7, but they weren't fully patched, so that was a big factor. And then the third-largest operating system used was still Windows XP. So seven percent of the computers were still using Windows XP, which isn't going to be patched for that particular vulnerability anyway. So that's why WannaCry ransomware was such a big hit, and apparently they didn't learn, because Petya hit only a month or two later. So it's really a challenge for these huge organizations to really get these things done at a comprehensive level, but as you can see, it has to be done, or you're continually going to get hit with these types of attacks.

All right, so let's move on to the next type of prevention that we have: human prevention. There's always the human element, right?
So we have the technology, the mechanisms that we can put in place on the back end, but the element that we really can't control, as far as IT ourselves, is the human element. So this is really where the coaching and the training is going to come into play with staff, to really teach them the telltale signs that we talked about here and then how to respond if they think something is suspicious. So this is really empowering all the staff, and it's not enough for them just to call IT; I would say they really need to know these things, because if we know after the fact, even if it's five minutes after they've clicked on something, a thing can spread pretty fast, pretty quickly, so we need to make sure that we minimize the impact as much as possible.

So the first thing we've got here is checking with IT before any action if you think it's phishy. I've come across people who said, "Is this phishing? Is this fake?" and I've looked at it and said, "No, it's not fake. It's legitimate." That represents the minority of the time; usually it is fake, but sometimes it's actually a legitimate email, and I'm actually happy for those users because they took the time to ask me. I've always told people I'd rather take the five minutes it takes to check something than have to worry about the fires I have to put out if something big happens. It's well worth my time as an IT professional to the staff, and it also helps build rapport and trust with the staff, so they know they can come to me and I'm not gonna say, "Oh, you're so stupid, why did you do that?"
That's really not the approach that I take. I'm always glad and happy when they approach me with those types of things so I can address it and build that confidence.

Another way is just to ignore unsolicited email and attachments. I don't mind getting the first few emails about a particular phishing email from the organization, but when someone hits reply-all and it keeps on going, "I got this, did you get this," and then there's the grapevine chain, that gets old real fast. Once I've sent out a communication, I think at that point... but that's my take. I don't know, maybe Mary's got a different take.

A lot of stuff to unpack there, but the hands-on training with staff, taking some examples, letting staff look at them, trying to look at two or three different emails side by side and figure out which one of them is a phishing email, that type of practical hands-on cannot be overemphasized. It's very easy to look at these after they're already circled, but going through that discovery process is really the type of training that will work well with staff.

Yeah, and that's the next point: that continual training and those cheat sheets, and, like I was saying, the case examples. Showing people is better than just telling them. It's better than just iterating it through a webinar or bullet points. Taking the time out with staff and showing them, so that they feel like they can recognize it, that's a really big empowering moment for them.
I would say it's critical for the company to minimize these kinds of things. I added this little saying, "When in doubt, ask about," just because it rhymed, but it's really just more of: if you're not sure, it's okay to ask. We shouldn't be making staff feel stupid about bringing these types of things to us. And then we should also teach them how to be using their junk mail list, how they can take action as much as possible on their end. We hear about when stuff is going to their junk email and it shouldn't be, a lot of times, but we should also be teaching them how to manage, ignore and block senders. To that effect, that can reduce a lot of phishing and spam on those ends. Anything to add, Mary?

Well, one thing that I find with my staff is when I hear, "I feel stupid asking," I say, "You are not stupid. You wouldn't be stupid if you're working here. You're a smart person. You have different information than I do, and we're sharing information to protect the organization." So I always talk about this with my staff and my users as teamwork.

And yeah, that builds morale. I agree. I worked for a legal services company, and I would get the comment quite often, "I feel stupid for asking you this," or "This is a stupid question," and my response is always, "It's not a stupid question. You're an attorney or a paralegal or administrative; that's your job, to know those areas. Your job isn't necessarily to be an expert at phishing or phishing attacks. That's my job, and I'm here to educate." So that's really my take on that: always be supportive and empowering for the staff.

And we've got two more comments here.
One of them is on considering updating to Windows 10 because of the stronger controls that they have over updating; that's from Tony White, and he goes beyond that and says that it's a strong reason to update to Windows 10. And then Joanna Otero has a question here: as for junk email stuff, how safe are unsubscribe links? Or can this be a phishing link also?

So I guess you really have to look at the email itself. Is it something that you've subscribed to? If you don't feel you subscribed to something and it says "click here to unsubscribe," it very well could be something disguised as legitimate: "You've subscribed to this, click here to unsubscribe," but then the hyperlink is taking you to someplace else. So I'd be extremely skeptical, especially if you aren't a typical subscriber of where it's coming from. If you are, how safe is the unsubscribe? If it feels like, "I get these emails, I don't want them anymore," and I click the unsubscribe link, then it should be safe enough to click. What they do with the list is probably based on their own terms of service. I've got to take them at face value: if they say you're going to unsubscribe, I would assume they're going to unsubscribe. But I just would be skeptical if it's a situation where I don't recognize the subscription in the first place. I hope that makes sense.

Oh, and to answer the other question about Windows 10: it's going to happen, everybody's going to move there. It seems that it's not like Windows 8, where Microsoft kind of jumped off of that ship pretty quickly; Windows 10 seems to be sticking around. So it's kind of a matter of not if but when. When are we going to do it?
I think it's been around long enough, and more and more agencies are looking to migrate to Windows 10. I'm not gonna lie: if you've never used it and you're used to Windows 7, there's quite a bit of a shift in how you get to where you need to go. On the back side, the same components, as far as administrators go anyway, are still there, but how you get to them is always the chase, right? How do I find what I know I'm used to looking for, when it's not there anymore? So I recommend finding trainings and tutorials, and it's always good as IT administrators and professionals to get ahead of the game and pilot out some computers and find those answers, so you're prepared when you're going through an implementation. And don't hurry into something like that. It's going to take some time, and it's going to take some time for the staff as well, because it's an adjustment.

Yeah, William Tell reinforces that the unsubscribe links are occasionally a really bad idea, unless you really trust the organization and you know you signed up for it. In Google I often just report them as spam, and then Google will tell me, "Oh, wait, there's an unsubscribe, and this is an option," and then Google will unsubscribe for you. But if I don't want it there, and I don't remember it, and I don't know the org, I'm not clicking on it.

We've got a question here from Tony White: is there any advice on how to work with Office
365 Exchange spam and content settings? They're defaults, but is there experience of setting those at other levels or policies that's helpful?

I haven't had so much experience with that; mostly I worked directly with the Exchange server itself. With Office 365, I'm just getting my hands dirty with that at Just Tech, so I don't want to misinform somebody on where to go and where to look. I don't know if you have any more insight on that, Mary.

We've been on Office 365 for a couple of years, and I would say at the beginning we used the standard settings, and I think that it tends to go a little strongly in the other direction, where people are finding stuff in junk mail and Clutter that they don't really want to be there. Clutter is a useful mid-step between junk mail and your actual live inbox, and it's worth installing. Sometimes when you first deploy Office 365 and Clutter comes along, people get frustrated, but it is worth a training with users to sit down and talk about what they think of as clutter and what they think of as junk. And the default system quarantine is pretty good. You can use the Office 365 administration tools to catch certain kinds of junk even before it hits the user's box, and that's been helpful. And we've had enough questions about 365 that we have put in a short series of 365-specific resources this year. I believe that our next webinar on a 365 resource is in October, but I do not know the best practices with 365 at this point. I'm happy to look into them.

Yeah, same here. I know, and that was my next question.
Sorry, because I know you mentioned at the beginning there was an Office 365 webinar coming up, and I wasn't sure if that would be one of the topics or something that could be touched on for that or not.

I will definitely bring it up to the presenters, because there's clearly interest in it. There's another question here, which is: is there a cheat sheet? Because you're mentioning here in this slide to have a cheat sheet for staff. Do you have one of those you would be willing to share with the community, or something that we can post online along with the takeaways from this?

So I guess I don't have one right here in front of me, but I could come up with something that would be general. This webinar might even... if you took some of the slides from the case examples, you could incorporate those for a cheat sheet, and that's perfect. I'm perfectly okay with that. It's really a lot about dissecting case examples, as far as what I would think of as a cheat sheet, and saying, "What's a classic phishing email?" and then pointing it out with the little arrows and numbers to the staff so they know what to look for.

I think it's helpful to also have it specific to your particular email system: if you're using Google, if you're using 365, if you're using 2012, screenshots from exactly the email types that they're looking at. The general ideas are helpful, but this is already a little bit of a scary topic to your staff if they're not going to be familiar with it. It's going to make it more confusing, and the differences in systems will distract from your overall message.

And that would be my exact recommendation: to tailor it to your system's email system, so people can identify with it more.

Yeah, particularly if you've got a good relationship with users who point these out, because then
you can give a shout-out to the user who brought it up, and it encourages morale, and people feel like they will be appreciated for passing on these bad emails. So yeah, definitely take the screenshots from your own system and do two sides of one page, liberally illustrated with arrows and text boxes.

Right. Well, if we don't have any more, we can move on to the next one, which is, whoops, one, two, four. Here we go. So, policies and training. We've done a lot of talk about training already. I did want to touch on policies, because that's kind of the organization's stance that they're taking towards the value of these kinds of things, of training and of keeping systems updated. Some of the policies I've also put here as examples are acceptable use: when you onboard new people, there is a precedent set, so they know what they can do and where they can go and be relatively safe. Some of that's also done on the back end through content filtering and spam filtering, but certainly people have to always be vigilant and not look to go to sites that might potentially have malware on them. Mobile devices, especially when you're bringing in devices from home, are always a good policy to have, to make sure that things are secure and people aren't bringing infected devices in from the outside. Guest use kind of goes along with that, for interns and volunteers and people visiting the organization for extended periods. If they're accessing your network, they could potentially be bringing something in from the outside that you don't know about, and it could be widespread.
You don't know. And then email policies. I think it's more of a usage policy, but how you send emails can reflect on the company, and if you're getting emails... so that might not be specifically phishing, but I think it pertains to it at some level.

And then below that, kind of jumping back into the training: it kind of says whether they've been there for 20 years or are just a new person. I would even contend that the new people are more receptive to the change, because it's not as ingrained in them. If someone's been there for 20 or 30 years, they might have a pen-and-paper process or a really old process that they're used to, and they don't want to go away from it. I guess the good thing about pen and paper is that there's no phishing or malware with that kind of thing.

And then I want to jump down to this training practice, phishingbox.com. I did want to tell a case story that we used here at Just Tech internally, actually, with phishingbox.com. I believe it's open source, and what it does is let you, as an IT manager or administrator, set up a mock phishing email for your staff with zero consequence. What that does is allow you to see... you probably have a suspicion already, if you've been there a while, who your clickers are, who your attachment openers are, and you can use that data then to bring into your trainings to say, and I don't know that I would mention names, but you can certainly use percentages, "15 percent of the company opened up this fake email that I set up, and they entered in information, like login credentials." The good thing about phishingbox.com is that it doesn't record any of that entered-in information, so it's not your names and passwords. But you can set things up internally.
I know we went as far as setting up and registering a domain name, and we made it look really similar to a legitimate domain name, and then we set up a place for people to put in information like name and username and password, maybe a fake password-reset kind of website. And we actually got some hits internally. So nobody's immune to these types of attacks. That being said, we had to be really, really good about how we crafted it, because to fool people with it, you have to really know what you're doing and what people's general tendencies are. Hey, Mary, did you have anything to add on that?

No, but one point that Mike made as we were talking about setting this up is that if you are going to send out a test, you do have to let the executive director know.

Yeah.

And you don't want to tell a lot of people, but I believe the executive director is somebody that you should clue in: "Hey, this is what I'm thinking of doing. Is it okay?" first, so that you don't have unhappy people feeling fooled, and the executive director feeling fooled too. Again, if you're going to use it for training, leave names out and just take it to percentages, things to use as a teaching and a coaching method.

Yeah, I think that's what we were saying. And then the US gov site is the federal incident response team tip. This is useful reading, and I think that would take us into the resources side. Mike, are you ready for that?

Yeah, we're short on time, so I want to keep us as honest as possible. So on the next slide there, the wealth of resources we have: LSNTAP, of course, and Idealware, who do lots of trainings to teach staff and people about, generally speaking, the issues at hand, and Office 365. I also wanted to mention Traveling Coaches.
There's a particular module in there that deals with security awareness, so that one is probably my personal favorite of the modules in there. I did want to mention that, while they're not tailored, and you might have to do some digging, YouTube videos can provide some sort of self-help at a minimal level if you don't really have access to anything else. And then the FBI archives at fbi.gov talk about identity theft. Did you want to go into that more, Mary?

No, it's a historical one. Even though it's 10 years old, it's still valid about what happens when a company gets attacked. It's a useful cautionary tale.

Right. So I know we're real short on time. The next couple of slides: if you have any questions or comments or feedback, feel free to contact us. Again, I'm Mike Green with Just Tech, and Mary O'Shaughnessy with Her Justice, and we're all about helping the community become stronger and better. Ultimately that's really what we want to do. But I do want to say thank you to everybody who came out and participated and attended. I'm really glad that this went as well as it did, and I think Sartre would agree there.

Yeah, very happy with this overall. We did have another comment from Tony, just that 365 is very different than on-premises, and that is something we are going to look at more. If people have any follow-up questions, best practices, that type of stuff, I also recommend taking it over to the LSNTAP email list. On the front page at lsntap.org we've got a link to the email list.
It's hosted over on Google Groups. There's about 700 of us that work in this field, and it's a wonderful way to ask questions, to share best practices, that type of stuff. If you come up with a sheet of best practices or a policy that you want to share on use-your-own-devices, that type of stuff, or if you're looking for one, ask that group of people. A lot of people have already put this stuff together and are willing to share it widely with the rest of the community.

Thank you so much, Michael. Thank you so much, Mary. Great topic. I look forward to doing more stuff on this, on security in particular. This is our third webinar this year that we focused on security, and it's just so important to us, to our clients, and to the community overall. All right, thank you everybody. Thank you. Thank you.