Chamber Amplified

Cybersecurity Training: How to Protect Your Business from Phishing Attacks

May 10, 2024 Findlay-Hancock County Chamber of Commerce Season 3 Episode 18

About the Guest:

Kevin Stock is a cybersecurity expert with RCR Technology Group. His professional experience includes advising businesses on securing their IT infrastructure and protecting against evolving cyber threats. Kevin's insights prove valuable to organizations striving to maintain a strong cybersecurity position in a landscape marked by more sophisticated phishing attacks and social engineering tactics.

Episode Summary:

In this episode of Chamber Amplified from the Findlay-Hancock County Chamber of Commerce, host Doug Jenkins engages in a conversation with IT and cybersecurity specialist Kevin Stock from RCR Technology Group, delving into the intricate and ever-changing world of phishing emails and the importance of safeguarding your business against such threats. They tackle different types of cyber attacks, highlighting the evolution from rudimentary email scams to sophisticated social engineering phenomena that can cause issues for organizations of all sizes.

Music and sound effects obtained from https://www.zapsplat.com

[TRANSCRIPT]

0:00:00 - (Doug Jenkins): Coming up next on Chamber Amplified, they

0:00:02 - (Kevin Stock): can learn that person's name, spoof their email, email you, and say, hey, here are the wiring instructions for this transaction. Please send that payment here. Things like that. So it's more. It goes deeper.

0:00:19 - (Doug Jenkins): Hello, and welcome to the show. I'm Doug Jenkins from the Findlay-Hancock County Chamber of Commerce. On each episode of Chamber Amplified, we examine issues impacting the local business community. Whether it's employee recruitment and retention, marketing, IT issues, it's really anything that can be impacting your business. Our goal is to give our members tips each week on at least one way they can improve operations and thrive in the current business environment.

0:00:42 - (Doug Jenkins): So remember the old days of email phishing when it was fairly easy to spot a sketchy email? You'd see some fairly obvious misspellings. The grammar was way off, that type of thing. You know, that was easy, right? Well, unfortunately for you and for your business, those days are largely over. And that's when the issues of trying to keep your business network and file secure becomes a larger issue. Today I'm joined by Kevin Stock of RCR Technology Group to talk not just about how phishing emails have evolved over the years and why they're so dangerous for your business, or businesses of all sizes, for that matter. But I'm also going to put myself on the line and take a phishing test live as we record, just to see if I can avoid giving unauthorized access to my computer. Actually, I had a lot of fun doing the exercise. I think you'll enjoy it as well.

0:01:26 - (Doug Jenkins): Thanks again for tuning in. Remember, if you're listening on Apple Podcasts or Spotify, you can rate and review the show. It really does help spread the word. Now let's get into it. So another topic that we like to come back to on the podcast from time to time, that of taking care of your IT and making sure that you have a secure infrastructure, all of that type of stuff. Cybersecurity. Kevin Stock from RCR Technology Group here to talk with us about it again. Kevin, thanks for joining us.

0:01:54 - (Kevin Stock): Thanks for having me.

0:01:55 - (Doug Jenkins): So we had a fun idea for this one. I guess you and I would consider it fun. We're going to see how this goes where I kind of go through a little cybersecurity test here. Live on the podcast or live as we record it. So this is going to be fun. What are we looking for as we do this?

0:02:13 - (Kevin Stock): Well, so standard we're looking at doing a phishing test email. And traditionally, phishing test emails have been sent out to users in an organization to trick them into clicking on a phishing email. And then afterwards, maybe it shows you a couple of videos of training of, you know, how you could have avoided that in the future. Right? Or how you could have avoided it and how you can avoid it in the future. So what this is, is a little bit more white hat.

0:02:45 - (Kevin Stock): It emails you through, through the training campaign to say, here's a phishing email. Here is some, here's some detail on what to look for in a phishing email. Okay, now what I want you to do is identify the areas in this email that could make it a phishing email. Whether that's something you know, it's identifying an email address of somebody that you know, but it's the wrong email address. Is there a sense of urgency in the body of the email?

0:03:17 - (Kevin Stock): Is there a sense of urgency in the subject line of the email? Those kinds of things to look for. To tag a phishing email, then it gives you a grade right after. And so that's what's going to be fun about it, is that we're going to be graded automatically. And if you want to retake it, you can retake it right away. But the things on that phishing email will change to different questions and different things, challenges for you.

0:03:40 - (Doug Jenkins): All right, so we'll take this in a second, but before we get into it, I want to talk a little bit about, has this part of cyber attacks evolved over the last time we've talked, where it seems like maybe they're getting more, quote unquote, trustworthy, or they're getting sneakier in their attacks to make it seem like they're more trustworthy?

0:04:00 - (Kevin Stock): Oh, my goodness. So it's constantly a social engineering idea from email, right. They want to not only send you the email, but make it seem as though it's familiar, it's safe, it's okay for you to click on it. When you click a link, they'll show you a page that maybe looks like a Microsoft login page and or maybe something, I think, you know, something from Uber Eats, you know, anything that you would recognize on your day to day that as you're going through your work day, maybe you would be none the wiser to. And it's like, oh, this seems cool, this is fine. That's not a big deal. And you go through, and next thing you know, you have logged into your Microsoft account on a fake login page that looks identical to the actual Microsoft login page. And what you've done at that point is you've given the credentials and so then what ends up happening is usually when your email gets hijacked, they don't do, they don't do a whole lot immediately because they don't want to get red flagged right away.

0:05:11 - (Kevin Stock): What they do is typically they sit in your email and they learn how you're using it. They learn who you're talking to most. They learn the conversations that you're having so that then the social engineering gets more specific, and then they can start to attack you based on these pieces of information. For instance, if somebody's communicating with you about a transaction that you've legitimately talked to that person about this transaction, they can learn that person's name, spoof their email, email you, and say, hey, here are the wiring instructions for this transaction.

0:05:50 - (Kevin Stock): Please send that payment here. Things like that. So it's more, it goes deeper. It starts with that email that looks legit, and then it goes deeper and deeper as they learn how you're using your email to get the attacks a little bit more specific to you.

0:06:08 - (Doug Jenkins): So we're worlds beyond the Nigerian prince scams at this point, is what you're saying.

0:06:14 - (Kevin Stock): Yeah, well, but it's, it's still, that's still a thing that happens, and people get, people get tricked by it.

0:06:19 - (Doug Jenkins): Oh, wow. All right. So don't fall for that. Let's see what I fall for here. We're going to get into this. So I'm on the first page of this phishing training, and it shows me an email that appears to be from Adobe. Maybe it is, maybe it's not. Let me read it real quick. It says that we've been, we've been notified, notified that there have been changes to your account involving your email address. We're sending this email to ensure that you've made changes to your Adobe account.

0:06:45 - (Doug Jenkins): If you've not made these changes, change your password immediately. There's an exclamation point, so that means it's serious. It's important to take action now to make sure that criminals aren't in your account and gaining access to sensitive information. Click the button below to log in and change your password. Thank you, the Adobe security team. So I'm looking at it. I can't see an email address on this one to see if it's goofy or not. But the thing that stands out to me on this one, Kevin, is that where it says that there have been changes to your account, "been" is spelled wrong. It's spelled like the person's name, Ben, instead of "been."

0:07:16 - (Doug Jenkins): So that's a red flag for me. When I hover over the link to change the password, it does appear to be an Adobe account. No, wait. No, it doesn't. It says adobe.com. So I'm going to say this is unsafe.

0:07:32 - (Kevin Stock): Right, right. But you're looking at it. You're looking at it, you're really analyzing it. And the whole idea is to train yourself to be able to analyze those kinds of things.

0:07:42 - (Doug Jenkins): And that's, and that's great. And obviously we're doing this, so I'm preconditioned to do this, but you almost have to train your employees to do that is to be skeptical of any sort of email that doesn't seem expected or even expected at this point. Let's see. The next thing says, does the subject appear safe or unsafe? It says urgent account security changes. That's a tough question because, I mean, the subject would appear to be urgent. Obviously it says the word urgent in it.

0:08:11 - (Doug Jenkins): But I don't do anything on Adobe personally here at the chamber. So if I were to get something from Adobe and it was asking me to do anything on the account, I would, that would signal a red flag to me personally right away because that's not necessarily my department. So I'm going to say unsafe. Does the greeting appear to be safe or unsafe? Hi, Doug. Yeah, I mean, that's, everybody says that to me in email, so I'm going to click safe on this one, even though I think I'm going to get knocked for it. But that one seems, seems to be how everybody greets me.

0:08:43 - (Doug Jenkins): So we'll say that. Does the spelling, punctuation, and grammar appear safe or unsafe? Again, I will go back to unsafe because I noticed that it misspelled the word "been." 100%.

0:08:55 - (Kevin Stock): Good call.

0:08:56 - (Doug Jenkins): Yeah. The text appears safe or unsafe. Oh, this is interesting. So if it's safe, it would be calm and informative, or if it's unsafe, it might be urgent or emotionally charged. According to the test that I'm taking here, the words again say, if you've not made these changes, change your password immediately. It's important to take action now. So, okay. Obviously with them putting, that's interesting. So if they put the urgency out there, and I'm talking really fast, like, this is a timed test. Is it a timed test?

0:09:24 - (Kevin Stock): I don't think it's timed. Okay.

0:09:26 - (Doug Jenkins): All right. I can slow down.

0:09:28 - (Kevin Stock): It'll show, like, how long it took you to take the test.

0:09:31 - (Doug Jenkins): Okay.

0:09:31 - (Kevin Stock): That's gonna knock you.

0:09:32 - (Doug Jenkins): Okay. Gotcha. All right, so in this instance, so we can talk through these a little bit more. I don't have, yeah, I don't have to speed race my way through this. In this instance, it does say things like "immediately," "important," "take action now." That's a red flag.

0:09:45 - (Kevin Stock): Then 100%. Urgency is a big deal.

0:09:49 - (Doug Jenkins): All right, so I'm clicking on safe there. And does the link appear unsafe? Like I said, that says adobe.com. So I'm going to say unsafe.

0:09:58 - (Kevin Stock): Unsafe. Absolutely.

0:09:59 - (Doug Jenkins): And then I'm going to submit. I got 100%, and the minimum score required was 80%. I'm feeling good about myself.

0:10:09 - (Kevin Stock): Kevin, you ought to. And I mean that. I mean, you really didn't do a whole lot of preemptive work. You didn't watch a whole long line of videos and train yourself on it. You're a little bit more techie than an average user.

0:10:26 - (Doug Jenkins): Nerd.

0:10:27 - (Kevin Stock): Okay, I wasn't going to go there. That's fine. But that being said, you know, it's users like you that can get tricked, and it's users that just, they don't keep up on what's trending in terms of cybersecurity awareness. And it's good to have these exercises for them to just have it be sort of muscle memory, to look at these kinds of details, to really look at that, and to have those triggers automatically set for them to say, this seems urgent, where it shouldn't be urgent, and from a vendor that I don't, I don't ever deal with. It's a common vendor. It's a known. Adobe is a very known vendor.

0:11:12 - (Kevin Stock): So it's not uncommon to receive emails from, from a company like that. But why would I receive an email to just question it, question everything regarding that?

0:11:20 - (Doug Jenkins): And while I got 100% on this, I mean, there have been times where I've been very close to clicking on a link or responding to a phishing email in just my day to day. One that stands out is our CEO, Don Bruce. I got an email that says, from Don Bruce, says, hey, when you get a minute, call me or just send an email to set up a time. And I went and I'm like, this seems really strange because he's right down the hall from me and would usually just stop, stop in.

0:11:46 - (Doug Jenkins): And that was the part where I paused, and then I looked at the email address and it was not a chamber email address, and that's where the red flag went off. But I was that close to responding to that because it was just so innocuous, like, oh, yeah, I'll respond to that. And it took that extra second of thinking into it that caught, that I was able to catch it.

0:12:08 - (Kevin Stock): Absolutely. Another common one would be an employee sending an email to HR or to really, anyone saying, you know, I'd like to, as soon as possible, change my direct deposit information. It's a very common one.

0:12:24 - (Doug Jenkins): Yeah. Oh, yeah, that's, that's a big one. And we saw something similar a couple of years ago where it was the unemployment scam that was going out. And. Sure, and I don't know that it was necessarily a cybersecurity thing through employers, but employers were getting unemployment filing notices from people who hadn't filed them. So that's really just another thing that we have to keep an eye on. This type of training. Obviously, you offer it through RCR. Are there resources where people can kind of get familiar with it online? Maybe if they want to go the extra mile and talk with you, certainly they can do that. But what are some online resources for people if they want their employees to start thinking a little bit more about this?

0:13:04 - (Kevin Stock): Really, any kind of cybersecurity awareness training? Probably the most common that we know is KnowBe4, know-B, the letter B, four, or something like that.

0:13:19 - (Doug Jenkins): It's a website, so it can't be spelled.

0:13:20 - (Kevin Stock): Yeah, it should be. Yeah, that's probably the most traditional one. But sometimes organizations, sometimes organizations just aren't large enough to make it make sense financially for that or something like that. So CyberHoot is really our vendor here, and I don't mind saying their name. You would want somebody. One of the reasons that you would go through a managed services provider like we are is that we help you manage the dashboard. This is a training dashboard for not just phish testing, but training videos about everything: your password hygiene, you know, how to, how to spot all kinds of things in terms of cyber threats. The number one cyber threat in every organization, large or small, is the end users, untrained employees that are just using their computer and trying to get through their workday.

0:14:19 - (Kevin Stock): That's still the number one threat. So spending this much time training that team, making sure that those users have some training with regard to their safety, is going to be great, because we don't want these users letting people in. All of these safeguards that we put in place for them, be it antivirus, ransomware protection, filter, you know, email filtering, and two-factor authentic, multifactor authentication.

0:14:48 - (Kevin Stock): We do all these things, but then the end user just lets the threat in because they don't know, they don't realize that it's a threatening email, and that takes down all those guards. So we want to address this with cybersecurity awareness training. So Google "cybersecurity awareness training." Communicate with us at RCR Technology Group. We can help out your organization and send out these things. And it doesn't have to be that frequent.

0:15:15 - (Kevin Stock): It doesn't have to be every single week. It can be monthly if you'd like. But this also, for compliance reasons, tracks for your, like if HR needs to track for compliance that you're training your employees for cybersecurity awareness, this you can run quick reports on that you've done it. If all of the users are compliant, have they done all of their training monthly or biweekly or something like that?

0:15:42 - (Kevin Stock): And then, of course, if they haven't, you can send reminders and say, hey, this is still due. You need to do this assignment. And then those reports can be sent. And so when it's time for an audit, when it's time to fill out that cybersecurity insurance questionnaire, you can respond with, yes, we're doing cybersecurity awareness training. And if you need to supply reports, you'll have those at a click of a button.

0:16:06 - (Doug Jenkins): Kevin, one last thing, and I know we've talked about it before, but I think it bears repeating. This is for organizations of any size. I know sometimes smaller businesses might think, well, they're not going to come after me. I'm not Marathon down the street; they're going to attack Marathon. Where Marathon's probably locked up pretty good, that small business may not have those types of measures in place, and it makes them a bigger target.

0:16:33 - (Kevin Stock): I can, yeah, I can send you, I can give you all kinds of different metrics and percentages and data and everything, but the fact is that small businesses are more targeted than the larger businesses because they're more vulnerable. Many small businesses don't even have a firewall, whether that be a soft firewall or an appliance. A lot of them do not have multi factor authentication on any of their logins.

0:17:01 - (Kevin Stock): They're just an easier target. Smaller wins. But I mean, if you, you know, a small business can make a few million a year, and that small business, if they are cheated out of 60,000, 100,000, $200,000, that's a real devastating blow to a small business. And that, though, that's way less than if somebody were able to hack into Marathon and get a chunk of money from them. That's still a big win if you can do it over and over again for these smaller businesses that just don't have the training and the resources for security.

0:17:44 - (Doug Jenkins): Kevin, again, we always appreciate the updates and the de facto training. Again, I'm going to pat myself on the back for the 100% score today. If people want to learn more about this or any other sort of IT topic, what's the best way to get in touch with you?

0:18:00 - (Kevin Stock): You can go to our website, rcrtg.com. You can call our number anytime, 419-581-6173, and my personal email is kstockg.com dot. Reach out at any time. All right.

0:18:16 - (Doug Jenkins): Kevin, thanks for your time today.

0:18:18 - (Kevin Stock): Thank you.

0:18:22 - (Doug Jenkins): By the way, right after we got done recording, Kevin told me that I was taking the beginner test, so now I don't feel quite as smart as I did when we were recording. But either way, it's a good exercise for you to put yourself and your employees through, and I would highly encourage you to look into an option for something like this. Chamber Amplified is a free podcast for the community thanks to the investment of members from the Findlay-Hancock County Chamber of Commerce. Because of our robust membership, we're able to focus on providing timely information to the Findlay and Hancock County business community, run leadership programs for adults and teenagers, and be an advocate for the area while also providing tools to help local businesses succeed.

0:18:58 - (Doug Jenkins): If that sounds like something you'd like to be a part of, just let me know and we can talk about how an investment in the chamber helps strengthen the community and your business. That'll do it for this week's episode. If you have ideas for topics you'd like to hear us cover on future episodes, send me an email, dashenkinsindleyhancockchamber.com dot. Thanks again for listening. We'll see you next time on Chamber Amplified from the Findlay-Hancock County Chamber of Commerce.