Salesforce Phishing Awareness

Being in the spotlight attracts not only the audience you want but also the one you do not. In the CRM world, Salesforce, the company, has quite literally displaced the original meaning of "sales force". Search for "sales force", meaning the employees of a company responsible for selling its products or services, and you get page after page of results about the company rather than what you were actually looking for. It has become a household name.

Salesforce's customers range from companies at the top of the Fortune list to businesses with a handful of employees and revenue in the low thousands. Because it is a cloud-only service, anybody with an Internet connection can reach it, regardless of geography. Salesforce is a runaway hit largely because of the way information is organized and made available to everyone in the company, at any time and from anywhere. Companies store the information most critical to their business on this platform: leads, opportunities and customer data.

Imagine the sales, customer and related information of a multi-billion dollar company being just a password away. And it is not just one company: a large share of the world's businesses keep their information on the platform. Who wouldn't be tempted to get their hands on this treasure? There are people who work tirelessly to get past that barrier and claim the prize.


There are plenty of ways for bad actors to attempt to get into a Salesforce org, but most of them are defended by Salesforce, which succeeds in keeping the platform tightly sealed most of the time. There is one method, though, that consistently works in the attacker's favour: tricking you into giving up your password. It is a time-tested method, as old as the confidence trick itself, but it has evolved, found its way onto the Internet and acquired a name: "phishing". A stolen password is worth far less where multi-factor authentication is enforced, but that does not remove the need for users who can recognise the trick in the first place.

Phishing is much like fishing: there is bait on an almost invisible line, and whoever holds the rod uses it to yank information out of you. It is very hard to devise defences that keep users from falling for this technique, because the attackers use an ever-evolving mix of methods to trick you. In hindsight we can usually name something that would have stopped a user from falling for a particular Salesforce phishing campaign, but by the time that preventive measure is in place the attackers have moved on to new prey or changed their methods.

Scamming people has existed forever in the real world; on the Internet it is easier still, thanks to a combination of factors: naivety, unfamiliarity with the technology, busy schedules, the sophistication of the scam itself, or sometimes plain carelessness. All the scammer has to do is gain the user's trust in some form and have them part with information. The extraction may be a slow trickle, but a password is small, and once leaked it opens the floodgates.

As pointed out earlier, users are the weak link in this chain, and the best method we have right now is to educate them. As children we were not trained never to make mistakes but to learn from them. Letting users lose their passwords a couple of times, however, is not an acceptable way to learn: once the information is gone, we can safely say that all is lost.

What can be done is to let users make mistakes in a controlled scenario, learn from them, and apply that learning in the real world so the mistakes are not repeated. If these simulations teach a user all the cues that precede losing a login password or other critical information, the chance of that user falling victim in a real attack can be drastically reduced.

Particle42 can help your team identify the critical users in your system and test them with Salesforce phishing scenarios. The results can be used to create awareness materials or campaigns tailored to those users. Phishing simulations have proven effective in bringing down an organization's overall victimization rate, and many organizations use them to continuously validate their users and keep phishing at bay.

