Don’t Get Fooled by Phishing

The more we do and share online, the more vulnerable we may be to “targeted” attacks to steal passwords and data. Phishing continues to pose a growing threat to the security of industries of every kind. Businesses have spent millions of dollars investing in spam filters, anti-virus software and firewalls, yet savvy cyber criminals still manage to evade these safeguards through carefully planned social engineering attacks. Social engineering attacks are not only becoming more common against enterprises and SMBs, they are also increasingly sophisticated.  Social engineering is responsible for many recent major attacks, including movie studios and presidential campaigns.

Some of the statistics include:

• 95% of espionage attacks involved phishing (1)

• Nearly 80% of companies have experienced a phishing attack in the last year (2)

• More than 58% of companies say phishing attacks are increasing (2)

1 Verizon 2015 Data Breach Investigations Report
ThreatSim State of the Phish Report, 2015


What is Social Engineering?

Social engineering attacks often involve some form of manipulation, fooling unsuspecting users into handing over confidential or sensitive data. It could look like an email that is designed to look like it is from a credible organization, like the company’s corporate email, a shipping company or even a bank. But when it is opened and attachments are clicked, it could be installing malware or ransomware. Instead of targeting technical vulnerabilities, attackers simply trick a user through some sort of social engineering scheme.

Thanks to the prevalence of social media, an attacker can look up everything they need to know about  a person and their interests and craft an email specially tailored to that person which increases the chances of that person clicking.

Types of social engineering include:

• Phishing is the practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information. These emails can be sent to an entire organization without targeting specific people. On the other hand, spear phishing emails are crafted specifically for a few people in an organization.

• Vishing (Voice & Phishing) is the attempt to elicit information or attempting to influence action via the telephone. This is common in customer service departments where employees try to satisfy the customer over the phone and inadvertently provide information that could be used to break into the network.

• Impersonation is the practice of pretexting as another person with the goal of obtaining information or access to a person, company or computer system. The attacker fabricates false circumstances to compel a victim to provide access to sensitive data or protected systems. An example would be masquerading as a company’s IT department in order to trick them into divulging login credentials.

Social engineering is a serious threat for many organizations.  All it takes in one click to fall victim to a phishing attack.


What can companies do to protect themselves from social engineering?

There are several ways organizations can mitigate becoming a victim of these attacks:

  1. Security awareness training should be conducted on an ongoing basis to ensure that the knowledge of the organization’s employees is up to date. Making users aware of the risks as well as helping them recognize what a phishing email may look like helps keep security top of mind. In fact, organizations that fall under requirements of PCI DSS Requirement 12.6 are required to develop a formal security awareness program and are given guidance to get started in PCI’s Best Practices for Implementing a Security Awareness Program.
  2. Employees can be tested by having a third party conduct a Social Engineering Test. These types of tests help keep employees on their toes and more likely to avoid attacks.
  3. Adopt new technologies that can block phishing exploits before they even reach internal servers.
  4. In case they do get through, an endpoint protection system that can block the latest malware should be in place.

In the technology world, no matter what steps are taken end-user training is the best protection against these types of attacks and statistics show there is a correlation between testing/training and the reduction of clicks.

Social engineering is a serious and ongoing threat to today’s businesses. No matter what steps are taken, education is the best protection against identifying and avoiding these types of attacks.