Risky Business: Phishing and Smishing Attacks
Last updated: September 26, 2016
Phishing and smishing (text message phishing) attacks are pummeling email accounts worldwide, and it’s foolish to believe that all are as transparent as the Nigerian prince scam (which continues to bear fruit, by the way, in old and new forms). A good many of these messages are extremely sophisticated and difficult to spot — and they’re winning at a high-stakes game. According to the Kaspersky Security Bulletin 2015, there were almost 2 million attempts to steal money via online access to bank accounts in 2015. An even greater threat to organizations is posed by fraudsters who want to gain access in order to steal intellectual property (IP), amass customer data, acquire insider knowledge, or wreak havoc on networks and systems. Case in point is the recent attack on the World Anti-Doping Agency (WADA), in which Russian hackers allegedly used a spear phishing attack to access confidential medical information about prominent athletes, some of which was publicly released.
How to fight these pervasive threats? As Andrew Walls, a vice president at Gartner, Inc., told TechTarget, “Employees can play a major role in detecting and responding effectively to social engineering threats, but the most effective approach is to combine employee-based risk management with automated, infrastructure-based risk management.”
We agree; but as we’ve noted before, not all security awareness and training programs deliver the same level of risk reduction. A successful 2015 phishing attack on the White House is an excellent case in point; as Nextgov reported, a phishing email workshop had been offered to personnel shortly before that attack as part of a yearly training series, Cybersecurity Online Learning. According to the Nextgov article, “All federal security employees were invited to participate in the 90-minute online training session. But no one from the White House watched.”
Clearly, providing training that end users don’t see is akin to providing no training at all. But we can’t say we’re surprised to know that people who were given the option of attending a 90-minute session chose to decline the invitation.
Three Tips for Reducing Risk
Phishing and smishing threats are likely to persist for years — if not decades — to come. But the risk you face from these threats depends on your infrastructure and your employees. Our Continuous Training Methodology takes a unique, 360-degree view of cyber security education. One-and-done methods and once-a-year mammoth videos and presentations aren’t as effective as our interactive approach, which delivers “bite-sized” training about specific topics. Education that is delivered at regular intervals and in digestible chunks builds a culture of awareness, changes user behaviors, and keeps cyber security top-of-mind for employees year round.
Consider this: If you aren’t helping your employees identify the hallmarks of suspicious email and text messages, they are almost certainly putting their personal information and your systems at risk. As you weigh the benefits of effective security education, use these three tips to get on the path to risk reduction:
- Think before you click – One of our customers’ IT security officers told us that a targeted training goal was to have their employees pause before they interacted with a new message. “We felt that if we could gain a second or even a half of a second pause between the moment when an employee sees a link or a file and the moment when he clicks, in that gap lies the opportunity for a thought process in which the user ultimately decides, ‘Maybe this isn’t safe. Maybe I shouldn’t do this.’” The customer gained that advantage and then some, reducing malware infections by 42% using our methodology.
- Don’t be afraid to follow up – A message can look and even sound legitimate but still set off a warning bell. For example, an email that comes from a corporate IT address and tells you to download new security software can seem trustworthy; it appears real and is on topic. But would that really be the process your IT department would follow? It takes just a minute to confirm a questionable message with the sender, whether it’s a coworker, internal department, or financial institution.
- Report suspicious messages – Fraudsters will often send the same message to hundreds or even thousands of accounts. It’s not uncommon for numerous people in a company to be included in a single attack. If you suspect an email or text is malicious and is targeting corporate or personal information, report it to your IT department. This could help identify a problem early, before unsuspecting users expose themselves and your organization to dangers.
Our Anti-Phishing Training Suite combines assessments, training, and reporting to deliver a balanced, effective approach to educating employees about the dangers associated with malicious emails and other social engineering attacks.