We Need More Than Employee Training Against Phishing


By Atif Mushtaq

Phishing schemes change continuously as the bad guys develop more sophisticated techniques to lure business users. Email has long been the customary channel for delivering phishing scams, which have affected more than one-third of all organizations, according to Osterman Research.

In most cases, the cybercriminals send deceptive emails that appear as legitimate business inquiries in an attempt to steal login credentials and personal information, or to infect network endpoints with malware. However, as most organizations move toward improving their security, attackers are developing other methods that use more than just email. They are adopting newer, short-lived tactics that target human weaknesses and exploit employee vulnerabilities.

High-level and fast-paced phishing attacks are now regularly delivered through realistic-looking but fake ads, social media posts, chat apps, browser extensions and compromised websites. This tactic change is illustrated by the estimated 46,000+ new phishing sites that go live every day (and are taken down just as quickly), making the threat landscape much more dynamic and volatile.

In this climate, the phishers have become clever about crafting phony messages that are hard to distinguish from legitimate content. Even users who are skeptical about getting emails from questionable sources can be tricked into clicking on a malicious link or opening a bad attachment.

These types of Trojan Horse requests might take the form of a vendor requesting more information, an email from the HR department in an open-enrollment period for benefits, or even a fake receipt from Amazon Prime.

Another growing trend at the sharper end of phishing is bogus file-sharing and collaboration services that spoof Microsoft OneDrive, Dropbox or Google Docs. Potential victims receive an email asking them to enter their credentials to download a large or encrypted file. In this way, the user’s credentials are stolen or malware is installed.
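As an added illustration (not code from the article or from SlashNext), the following triage helper flags links that carry a file-sharing brand name on a domain the brand does not own, the pattern the spoofed OneDrive, Dropbox and Google Docs lures above rely on. The brand allow-list, the two-label domain simplification and the sample URLs are assumptions constructed for this example.

```python
"""Triage helper for links in spoofed file-sharing lures (added example)."""
from urllib.parse import urlparse

# Brand keywords the article names as commonly spoofed, mapped to the registered
# domains those services legitimately use. Assumption: this allow-list is
# illustrative and deliberately short; a production list would be maintained.
BRAND_DOMAINS = {
    "onedrive": {"live.com", "microsoft.com", "sharepoint.com", "1drv.ms"},
    "dropbox": {"dropbox.com", "dropboxusercontent.com"},
    "google": {"google.com", "googleusercontent.com"},
}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the owner actually registered.
    Simplification (assumption): the last two labels. Multi-part suffixes
    such as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_share_link(url: str) -> dict:
    """Flag a link whose hostname shows a file-sharing brand on a domain that
    brand does not own. Returns a triage verdict with human-readable reasons;
    it is a signal for analysts, not a final verdict."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    # Normalise so "secure-drop_box" still matches the "dropbox" keyword.
    flat_host = host.replace("-", "").replace("_", "")
    reasons = []
    for brand, legit in BRAND_DOMAINS.items():
        if brand in flat_host and reg not in legit:
            reasons.append(f"'{brand}' branding on unrelated domain {reg}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) hostname, possible homoglyph")
    if parsed.scheme != "https":
        reasons.append("link uses plain HTTP")
    return {"host": host, "registered_domain": reg,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, not real campaign indicators.
    for link in ("https://onedrive.live.com/redir?resid=abc",
                 "https://secure-dropbox-login.example.net/download",
                 "http://docs.google.com.example.org/share",
                 "https://www.dropbox.com/s/abc/report.pdf"):
        verdict = check_share_link(link)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok", link, verdict["reasons"])
```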

Criminal hackers are also using spear phishing as a more targeted approach aimed at a group of individuals, such as those within a specific company department. CEO fraud or Business Email Compromise (BEC) attacks are even more targeted by focusing on just one person or a very small group of individuals, such as a CFO or specific HR managers with access to employees’ personally identifiable information (PII) or other sensitive company data.

As the risks of phishing escalate, organizations are struggling to keep up and to provide more staff training to help educate and protect employees from the rising number of new, more sophisticated threats. Nearly one-third of users (30 percent) receive security training only once per year, while another 21 percent are trained just twice per year, according to Osterman Research. Even worse, 3 percent of all users never receive any sort of security training whatsoever.

Even the most thorough cybersecurity training can’t prevent employees from being human and making mistakes. Accidental disclosures can occur when busy employees become careless, such as when taking home an unencrypted laptop or losing a flash drive loaded with unprotected data.

Attacks can even succeed when employees are being careful. For example, if a corporate email system cannot support the transfer of very large files, an employee may turn to his or her personal email account to continue working. By bypassing corporate security defenses, such a step might increase an organization’s exposure to malware and data breaches.

Web surfing is another phishing vector, and a dangerous one on multiple levels. Surprisingly, many phishing threats are not delivered through “recreational” web surfing by employees at work. Rather, business users are often duped by valid, business-focused sites that have been compromised. The bad actors use these compromised pages for phishing and social engineering to steal user credentials and access confidential data.

Online ads and browser pop-ups can also direct users to malicious websites or compromised pages on valid sites, resulting in the installation of malware, client-side scripting or other dangerous content.

A significant number of advertisements that appear on websites now deliver malicious content through what’s known as “malvertising.”

Lastly, search engine poisoning is another common method of distributing malicious content. In this approach, cybercriminals use search engine optimization (SEO) techniques to cause malicious content to appear prominently in search results.

To protect themselves and their employees from the dangers of these new phishing tactics, organizations can implement real-time phishing detection solutions that work across a broad spectrum of phishing attack vectors. Such solutions adopt cloud-based session emulation, machine learning and phishing detection algorithms to rapidly uncover threats.

Users should also receive regularly updated training on how to avoid the latest incoming threats, which will undoubtedly continue to emerge. After all, the only foolproof way to protect against phishing is to not take the bait.


About Atif Mushtaq

Atif Mushtaq is founder and CEO of SlashNext, which is pioneering a more effective way of protecting companies from the growing number of fast-moving and sophisticated phishing threats.