As long as email dominates corporate communications, we’ll continue to see cyber criminals orchestrating email attacks. You'll need to familiarize yourself with the greatest risks if you hope to stay one step ahead of these threats.
Impersonating your leadership.
Imagine one of your employees received an email from your Chief Technology Officer (CTO), asking her to open and review an attached file. The email comes directly from the CTO’s email address, the body of the email addresses the employee directly, and there are no obvious signs that anything is awry. The employee opens the attached file and clicks on the link. Just like that, a cyber criminal has found a way into your servers. From that point, malware installations can compromise your company's entire network.
This is an example of a spear-phishing attack -- a more selective and sophisticated form of traditional phishing. The cyber criminal deceives the user through a personalized email tailored directly to the target. Unfortunately, criminals are getting better at their trade. They pull publicly available information from social media and company websites to learn more about their targets. Every bit of information helps them customize their malicious emails and make these messages appear more legitimate.
These attacks will only become more difficult to detect. Encourage your employees to always think twice before clicking links or downloading materials. If they have any doubt about an email’s legitimacy, they should call the apparent sender to confirm.
Creating a false sense of urgency.
In this scenario, your employee receives an urgent email from his boss, requesting a large sum of money to pay for overdue administrative expenses. Again, the email appears to be legitimate. Your employee clicks the link to wire money. But this sense of urgency and personalized message have just made your employee a victim of another spear-phishing attack.
Encourage your employees to remain vigilant about clicking on links, especially when the sender creates a sense of urgency in the message. Be wary of emails that suggest you must “act now.” Cyber criminals frequently tap into this vulnerability. Users also should keep an eye out for misspellings or slight differences in the sender’s domain. Again, the direct approach is best: Contact the sender offline to confirm the claims are valid.
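The three warning signs above (a sender domain that is a near-miss of the real one, a display name that claims to be an executive but does not match that executive's address, and urgency language) can be turned into a simple mail-filter heuristic. The code below is an added example, not part of the original article; the trusted domain, executive directory and urgency phrases are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed sample directory (placeholders, not from the article).
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
URGENCY_PHRASES = ("act now", "urgent", "immediately", "overdue", "wire")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_email(from_header: str, subject: str, body: str) -> list[str]:
    """Return the reasons a message looks like spear-phishing (empty list if none)."""
    reasons = []
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Sender domain is a near-miss of a trusted domain (e.g. exarnple.com).
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < levenshtein(domain, trusted) <= 2:
                reasons.append(f"lookalike domain {domain!r} resembles {trusted!r}")
    # 2. Display name impersonates an executive but the address does not match.
    #    (A forged header that uses the real address exactly is not caught here;
    #    that needs SPF/DKIM/DMARC results, which this heuristic does not read.)
    real = EXECUTIVES.get(display.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name {display!r} does not match {real}")
    # 3. Urgency cues in subject or body.
    text = re.sub(r"\s+", " ", f"{subject} {body}".lower())
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency cues: " + ", ".join(hits))
    return reasons

if __name__ == "__main__":
    sample = ("Jane Doe <jane.doe@exarnple.com>", "URGENT",
              "Please wire the overdue payment now.")  # constructed message
    for reason in assess_email(*sample):
        print("FLAG:", reason)
```

Each reason maps to one of the user-facing checks the article recommends, so the output can double as the explanation shown to the employee when a message is quarantined.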
Tackling the threats.
Spear-phishing attacks will continue to grow in sophistication, and they show no sign of slowing in numbers. According to the Anti-Phishing Working Group’s (APWG) Q1 2016 Phishing Activity Trends Report, there were more phishing attacks in the first quarter of 2016 than in any other three-month period since the organization began tracking data in 2004. The organization also observed an overall 250 percent increase in the number of phishing websites from October 2015 to March 2016. It’s critical for business owners and employees to take proactive measures.
- Practice makes perfect: Consider conducting a phishing simulation to evaluate your company’s preparedness for attack. This is a low-risk way to start a conversation with your employees and provide an opportunity for education and training.
- Set standards around sharing: Some employees might not be aware which types of information are unsafe to share via email. They should never reveal personal or financial information, even if the sender is -- not just seems -- legitimate. Make it a best practice to never share passwords via email, regardless of whether it's a less-valuable account.
- Think before you click: Encourage employees to exercise caution. Be suspicious of clicking on links or opening attached files. When in doubt, call the sender directly to double check.