Keep valuable data safe from even the most sophisticated social engineering and phishing attacks

Fighting Phishing: Everything You Can Do To Fight Social Engineering and Phishing serves as the ideal defense against phishing for any reader, from large organizations to individuals. Unlike most anti-phishing books, which focus only on one or two strategies, this book discusses all the policies, education, and technical strategies that are essential to a complete phishing defense. This book gives clear instructions for deploying a great defense-in-depth strategy to defeat hackers and malware. Written by the lead data-driven defense evangelist at the world's number one anti-phishing company, KnowBe4, Inc., this guide shows you how to create an enduring, integrated cybersecurity culture.Learn what social engineering and phishing are, why they are so dangerous to your cybersecurity, and how to defend against themEducate yourself and other users on how to identify and avoid phishing scams, to stop attacks before they beginDiscover the latest tools and strategies for locking down data when phishing has taken place, and stop breaches from spreadingDevelop technology and security policies that protect your organization against the most common types of social engineering and phishing

Anyone looking to defend themselves or their organization from phishing will appreciate the uncommonly comprehensive approach inFighting Phishing.

ROGER A. GRIMEShas 35 years of experience in computer security and has authored 13 previous books on the topic. He is the Data-Driven Defense Evangelist at KnowBe4, a security awareness education company, and a senior computer security consultant and cybersecurity architect.

Introduction xiii

Part I Introduction to Social Engineering Security 1

Chapter 1 Introduction to Social Engineering and Phishing 3

What Are Social Engineering and Phishing? 3

How Prevalent Are Social Engineering and Phishing? 8

Chapter 2 Phishing Terminology and Examples 23

Social Engineering 23

Phish 24

Well- Known Brands 25

Top Phishing Subjects 26

Stressor Statements 27

Malicious Downloads 30

Malware 31

Bots 31

Downloader 32

Account Takeover 32

Spam 33

Spear Phishing 34

Whaling 35

Page Hijacking 35

SEO Pharming 36

Calendar Phishing 38

Social Media Phishing 40

Romance Scams 41

Vishing 44

Pretexting 46

Open- Source Intelligence 47

Callback Phishing 47

Smishing 49

Business Email Compromise 51

Sextortion 53

Browser Attacks 53

Baiting 56

QR Phishing 56

Phishing Tools and Kits 57

Summary 59

Chapter 3 3x3 Cybersecurity Control Pillars 61

The Challenge of Cybersecurity 61

Compliance 62

Risk Management 65

Defense-In-Depth 68

3x3 Cybersecurity Control Pillars 70

Summary 72

Part II Policies 73

Chapter 4 Acceptable Use and General Cybersecurity Policies 75

Acceptable Use Policy (AUP) 75

General Cybersecurity Policy 79

Summary 88

Chapter 5 Anti-Phishing Policies 89

The Importance of Anti-Phishing Policies 89

What to Include 90

Summary 109

Chapter 6 Creating a Corporate SAT Policy 111

Getting Started with Your SAT Policy 112

Necessary SAT Policy Components 112

Example of Security Awareness Training Corporate Policy 128

Acme Security Awareness Training Policy: Version 2.1 128

Summary 142

Part III Technical Defenses 145

Chapter 7 DMARC, SPF, and DKIM 147

The Core Concepts 147

A US and Global Standard 149

Email Addresses 151

Sender Policy Framework (SPF) 159

Domain Keys Identified Mail (DKIM) 165

Domain- based Message Authentication, Reporting, and Conformance (DMARC) 169

Configuring DMARC, SPF, and DKIM 174

Putting It All Together 175

DMARC Configuration Checking 176

How to Verify DMARC Checks 177

How to Use DMARC 179

What DMARC Doesnt Do 180

Other DMARC Resources 181

Summary 182

Chapter 8 Network and Server Defenses 185

Defining Network 186

Network Isolation 187

Network-Level Phishing Attacks 187

Network- and Server-Level Defenses 190

Summary 214

Chapter 9 Endpoint Defenses 217

Focusing on Endpoints 217

Anti- Spam and Anti- Phishing Filters 218

Anti- Malware 218

Patch Management 218

Browser Settings 219

Browser Notifications 223

Email Client Settings 225

Firewalls 227

Phishing- Resistant MFA 227

Password Managers 228

VPNs 230

Prevent Unauthorized External Domain Collaboration 231

DMARC 231

End Users Should Not Be Logged on as Admin 232

Change and Configuration Management 232

Mobile Device Management 233

Summary 233

Chapter 10 Advanced Defenses 235

AI- Based Content Filters 235

Single-Sign-Ons 237

Application Control Programs 237

Red/Green Defenses 238

Email Server Checks 242

Proactive Doppelganger Searches 243

Honeypots and Canaries 244

Highlight New Email Addresses 246

Fighting USB Attacks 247

Phone- Based Testing 249

Physical Penetration Testing 249

Summary 250

Part IV Creating a Great Security Awareness Program 251

Chapter 11 Security Awareness Training Overview 253

What Is Security Awareness Training? 253

Goals of SAT 256

Senior Management Sponsorship 260

Absolutely Use Simulated Phishing Tests 260

Different Types of Training 261

Compliance 274

Localization 274

SAT Rhythm of the Business 275

Reporting/Results 277

Checklist 277

Summary 278

Chapter 12 How to Do Training Right 279

Designing an Effective Security Awareness Training Program 280

Building/Selecting and Reviewing Training Content 295

Additional References 303

Summary 304

Chapter 13 Recognizing Rogue URLs 305

How to Read a URL 305

Most Important URL Information 313

Rogue URL Tricks 315

Summary 334

Chapter 14 Fighting Spear Phishing 335

Background 335

Spear Phishing Examples 337

How to Defend Against Spear Phishing 345

Summary 347

Chapter 15 Forensically Examining Emails 349

Why Investigate? 349

Why You Should Not Investigate 350

How to Investigate 351

Examining Emails 352

Clicking on Links and Running Malware 373

Submit Links and File Attachments to AV 374

The Preponderance of Evidence 375

A Real- World Forensic Investigation Example 376

Summary 378

Chapter 16 Miscellaneous Hints and Tricks 379

First- Time Firing Offense 379

Text- Only Email 381

Memory Issues 382

SAT Counselor 383

Annual SAT User Conference 384

Voice- Call Tests 385

Credential Searches 385

Dark Web Searches 386

Social Engineering Penetration Tests 386

Ransomware Recovery 387

Patch, Patch, Patch 387

CISA Cybersecurity Awareness Program 388

Passkeys 388

Avoid Controversial Simulated Phishing Subjects 389

Practice and Teach Mindfulness 392

Must Have Mindfulness Reading 393

Summary 393

Chapter 17 Improving Your Security Culture 395

What Is a Security Culture? 396

Seven Dimensions of a Security Culture 397

Improving Security Culture 401

Other Resources 404

Summary 404

Conclusion 405

Acknowledgments 407

About the Author 411

Index 413