Despite all the training programs, workshops, and seminars, your employees might still fall for various phishing scams. No matter what you do, you just cannot eradicate this threat from your office. It’s enough to drive most security teams to madness.
According to Verizon’s 2016 Data Breach Investigation Report, 30 percent of all phishing messages were opened upon receiving by the intended target. Also, about 12 percent of recipients went on to click the malicious attachment or links that enabled the attack to succeed.
The consequences of a security breach caused by human error are bigger than ever. For starters, the No. 1 entry point for ransomware is phishing. What’s more, a handful of competing cyber mafias “are casting their nets wider and wider,” sending more scams to more users to get more hits.
A single ransomware cyber mafia collected $121 million in ransomware payments during the first half of 2016 alone, netting $94 million after expenses, according to McAfee Labs’ September 2016 Threats Report.
The total number of ransomware attacks also increased by 128 percent during the first half of 2016, compared with the same period last year. There were 1.3 million new ransomware samples recorded, the highest number since McAfee began to track them.
Human nature may be to blame for many security breaches, but there are ways to help employees avoid these scams.
‘It looked official’
Official-looking emails that appear to be work-related – with subject lines such as “Invoice Attached,” “Here’s the file you needed,” or “Look at this resume” – can confuse employees into opening them.
A survey by Wombat Technologies found that employees were more cautious when receiving “consumer” emails with topics like gift card notifications or social networking accounts than they were with seemingly work-related emails. A subject line that read, “urgent email password change request,” had a 28 percent average click rate, according to the report.
In the absence of a secure file transfer system, users should hover their cursor over email addresses and links before they click, to check that the sender and the type of file are what they claim to be.
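The hover check above can also be run automatically on incoming mail. The following is an added example, not code from the original article: it parses a constructed HTML body and flags links whose visible text names one host while the href points at another, and flags a From header whose display name cites a domain that differs from the actual address. All domains, function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Return the first domain-looking token in a URL or free text, lowercased."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None

def suspicious_links(html):
    """Return hrefs whose target host differs from the host shown in the link text."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, real = host_of(text), urlparse(href).hostname
        if shown and real and shown != real.lower():
            flagged.append(href)
    return flagged

def sender_mismatch(from_header):
    """True when the display name cites a domain other than the address domain."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', from_header)
    if not m:
        return False
    shown = host_of(m.group(1))
    addr_domain = m.group(2).rsplit("@", 1)[-1].lower()
    return bool(shown) and shown != addr_domain

# Constructed sample: the visible text claims an intranet URL, the href goes elsewhere.
EMAIL_BODY = ('<p>Review the invoice at <a href="http://invoice-portal.example.net/login">'
              'https://intranet.example.com/invoices</a> or see our '
              '<a href="https://intranet.example.com/help">help page</a>.</p>')
FROM_HEADER = '"IT Support (example.com)" <helpdesk@example-support.biz>'  # constructed
```

Calling `suspicious_links(EMAIL_BODY)` returns only the invoice-portal link, and `sender_mismatch(FROM_HEADER)` is true because the display name borrows a domain the address does not use.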
It is difficult for employees to resist freebies – from pizza to event tickets to software downloads – and they’ll click on just about any link to get them.
Nothing is truly ever free. It could be something that’s actually out there already for free, but they’re sending you through their website, which means you may be getting infected or compromised software.
Social media surfing at work
Employees who surf Facebook, Twitter, and a host of other social media sites can open the door to cyber thieves, because scams on these platforms require less effort from the attacker, and social media is also a relatively new area of awareness training for employees.
Social media’s cyber risks are still the topic employees understand the least, with an average of 31 percent of security awareness questions on the topic answered incorrectly, according to Wombat.
However, 76 percent of organizations that were surveyed allowed employees to use social media on their work devices. This puts organizations at significant risk considering the lack of understanding in this particular area.
Fake LinkedIn invitations
One of the commonly repeated scams involves fraudulent employee accounts on LinkedIn being used for information gathering, says Devin Redmond, vice president and general manager of digital security and compliance.
For instance, someone creates a fake LinkedIn account posing as a known member of a project team or even a company executive. If you, as the employee, are connected to what appears to be an executive’s account, you are happy and excited that this executive is communicating with you, and you start, unknowingly, to give away information that is sensitive or private to the organization.
Meanwhile, that information feeds a broader campaign to gather sensitive information on the company.
Avoiding all sorts of social engineering scams is a must, and it can only be done by spreading proper awareness.