As part of the Emailage, a LexisNexis Risk Solutions Company, Pop Up Webinar series, Eric Choi, Senior Vice President of Marketing, interviewed Jair Basso, Director of Infrastructure and Operations, to talk about preventing phishing scams. The transcript below features their conversation and has been edited for clarity and brevity.
Eric Choi: Welcome to this week’s Pop Up Webinar. Don’t take the bait: Top Five Tips to Prevent Phishing Scams from Emailage, a LexisNexis Risk Solutions Company.
Eric Choi: My name is Eric Choi. I’m the Global Senior Vice President of Marketing at Emailage. And today we have a very special guest, his name is Jair Basso.
Jair Basso: Thank you, Eric. My name is Jair Basso. I have been working with IT for more than 20 years now between development, security, infrastructure and operations. And I have been working at Emailage since 2014, first as the Global Infrastructure Manager and now as the Director of Infrastructure and Operations. And I’m glad to be here talking to you.
Eric Choi: Jair, thanks very much and again, I really appreciate you coming on board for our Pop Up Webinar.
So, Jair, you know, in this crazy, crazy environment where we’re all alone, but together, working from home, we’re seeing a significant change in the space that you are a subject matter expert in. Especially in the area of phishing scams. Can you share with us what you see in terms of trends on the rise?
Jair Basso: What I’m seeing is attackers using COVID-19 to launch phishing attacks. Just last week I read on a security website that they saw an increase of about 600% of phishing traffic related to COVID-19 in the last six days. This is a huge volume. This is a huge spike. And it’s something that will last for a while for sure.
Eric Choi: You’re on the front lines tackling these issues, protecting all of us, keeping us safe from what’s going on. Is there one thing keeping you awake at night more than others?
Jair Basso: Well, I would say what surprised me the most is how easily the bad actors adapt to new situations. Attackers are always searching for new ways to deceive people and COVID-19 is in the news. It’s everywhere. Everybody’s affected by it. We have more people working from home. Attackers are already leveraging this, using new scams and phishing attacks. We’re seeing attacks through e-mails, attacks through text, through applications like WhatsApp. So that’s what is keeping me awake at night for sure.
Eric Choi: What are you guys doing on a day to day basis?
Jair Basso: Well, our teams are always on top of new trends. We are always watching the news. We also have automated tools that can help us identify any unusual activity. They can see a spike in network traffic or a big number of emails getting blocked, and they can even take action if they need to. But we also ask everybody in the company to help us by reporting any suspicious activity or anything that looks unusual. We take every submission very seriously. Help from the users is something we rely a lot on.
Eric Choi: It sounds like there is automation or automated tools that are involved, to increase efficiency. What I also hear you saying is that behavior, user behavior, is just as important, if not more important. So, what kind of help are you asking from the users?
Jair Basso: Keep an eye on any kind of suspicious activity. If something looks weird or something looks fishy, we ask them to report right away. As soon as we get some evidence, we can start looking into it.
Eric Choi: So, when you say report right away and evidence, what does that look like?
Jair Basso: Well, just reporting and sending in the suspicious activity or the suspicious message they are getting. You can deploy all kinds of security tools to prevent and detect phishing. But one critical piece is strong security behavior by users. We train users to spot suspicious activity. We train users to report malicious content. We train people to not click on random links or open attachments from unknown sources. It’s important to create a security-minded culture in the company.
Eric Choi: I’ve personally been involved in the training sessions you’ve given. So I know those are very, very good. It looks like it’s a partnership process. You have the technology piece and you have the visual piece coming from your side, but also end user participation. Tell us a little bit about some of the trainings that you’ve given, and what has worked well and what hasn’t?
Jair Basso: Internal phishing campaigns as a training help a lot, because they are the closest you can get to the real deal without exposing the company to real risks. It’s easy to set up, and the good news is commercial and open source tools can help you run your own phishing campaign. They are easy to use, they’re not that expensive, some of them are free.
Eric Choi: Sounds like constant internal training… constant vigilance is the key to the social behavior.
Eric Choi: From that perspective, is there any particular training that worked better than others?
Jair Basso: The phishing campaign helps. I think that’s the best way to do it. Of course, you have to run a secure, non-alarmist training annually, or maybe every quarter. But random internal phishing campaigns help a lot because you are testing your training to see how users act.
Eric Choi: What should someone do if they believe they clicked on a phishing link or a phishing scam?
Jair Basso: Oh, that’s a tough question because attackers are so sophisticated nowadays. There is not a silver bullet to resolve this if your computer is compromised. I think the best thing to do is get your security team to review your computer… see what is installed, what is running. You will need help from a specialist for sure if you got compromised.
Eric Choi: Jair, what are some of the key resources that you use to stay on top of these challenges? Where do you go to find the most relevant information?
Jair Basso: Well, security websites in general. You want to be subscribed to vendors and bulletins as well so you’ll know what they’re reporting. I try to spend at least thirty to forty-five minutes every day reading any news about security. That’s the minimum a security professional needs to do every day.
Eric Choi: It sounds like it’s more of a personal habit.
Jair Basso: Yeah, yeah, for sure. There is really good content out there.
Eric Choi: Based on your personal experience, have you ever caught a hacker or a security phishing scam? And what type was it? And was there any damage?
Jair Basso: We see lots of phishing attempts impersonating people. That’s something our monetary system gets a lot. In my personal life I have seen some attempts at impersonating me. Trying to clone my cell phone number to get token access to my bank account. Fortunately, I was able to react soon enough to block it.
Eric Choi: One more, then we’ll get to your top five tips. Do anti-virus and other security software detect these kinds of risky behaviors?
Jair Basso: Yes, definitely. They are getting more and more sophisticated. On the other hand, the antivirus suites need more and more resources. We see antivirus programs using more and more CPU processes in computers. But, I mean, that’s the tradeoff. If you want the antivirus to be monitoring for more attacks, to be able to get more evidence, it requires more power.
Eric Choi: Ok Jair. Top five tips. Take it away.
Jair Basso: Number one, identify the source of the message before opening. This is a basic thing. If you don’t know the sender, if you don’t know the source of the message, then make sure you double check it. If it is a person, call that person to make sure they’re the sender. If it’s a company, search for it to see if the company is real.
Number two, be cautious. If it seems too good to be true, it’s phishy.
Number three, know the source before opening any links or attachments. This is related to number one. Make sure you know the source. Make sure you know who the sender is before opening any messages, or clicking on links, or opening attachments.
Number four, update your computer and run the latest software. Keep your operating systems up to date. We see new patches being released almost every other week. So make sure you deploy them. I know it takes time. Sometimes it takes an hour to deploy an update to your machine, but it’s valuable.
And just one more thing. Update your smartphone as well. Smartphones nowadays are just small computers and they need updates, too.
And the last one, I think this one is the most important tip. Think before you click. Who is the sender? Why did you get that message? This is the most important tip for sure.
Eric Choi: The obvious thing here — to me — is that these are things we should all be doing on a regular basis. So, it feels to me that it’s more about what you said earlier, that it’s our social behavior and that’s what’s going to really drive preventing phishing scams.
Jair Basso: I think those tips are easy to follow and it’s important that we take them and apply them to our personal lives. And we must help to spread this message to other people as well. Let’s say, our parents… they sometimes have a hard time with technology, and they are easy targets for attackers. So, spread this message. Let them know how easy it is to spot an attack. It will make everybody’s lives easier for sure.
Eric Choi: Jair, on that note, thank you very much for your time. Stay healthy and thank you for keeping us safe.
Jair Basso: Thank you, Eric.