Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity. In today’s fast-paced electronic world, phishing attacks are becoming more prevalent. As companies shore up their security footprints, hackers are forced to find more creative ways to attack systems and usually prey on unsuspecting or unknowing users whom they hope are too busy to pay attention to the details.
Due to the availability of public data, hackers can easily access information about your organization. They find the names and contact information of your company’s officers and use them to send a message that appears to come from one of those officers.
A phishing attack is typically carried out with the help of an unsolicited email or a fake website that poses as a legitimate site to lure in potential victims. Your employee is prompted to provide valuable personal and financial information. Clicking on such a link or attachment may take you to a fraudulent website or download spyware designed to steal your personal information.
The results of a typical phishing campaign provide astounding numbers! For example, a test phishing campaign was sent to 147 accounts. Out of those 147 emails sent, 99 opened the email, 92 recipients clicked the link, and 28 recipients submitted the form.
“19% of Your Staff are Giving Hackers Access to Your Mission Critical Systems!”
It’s surprising that this many people would provide credentials to a false site. And, if you think this cannot happen to your organization, you are vulnerable!
A sample phishing scenario might look like this. A message claiming to be from John Smith, VP of Human Resources, reads:
“Thank you for your service to the organization. For your exemplary service, you are to receive an additional PTO day. Please log into the HR system here (link to site looks just like your system) to add the day to your scheduled days off.”
BOOM! The moment the employee enters credentials on that look-alike site, the hacker has access to one of your systems and can break into your network.
Assessment after assessment shows that awareness training is lacking and inadequate in many organizations. To achieve better awareness, you should take the following steps:
- Train employees on the techniques hackers use to access your systems. Include training on messages from executives, site naming, and protocols for announcements.
- Conduct regular simulated phishing campaigns to measure the effectiveness of the awareness program.
- Perform one-on-one training with offenders of the policy.
- Publish the results to show staff the effectiveness of a phishing campaign.
- Develop a process to notify staff when another employee finds a good phishing email so that all employees know what to look for and avoid clicking the email link.
- Implement a Security Information and Event Management (SIEM) system for critical systems to provide notification should a hacker obtain access to your systems.
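As an added illustration of the last item, here is a small example, not part of the original post, of the kind of correlation rule a SIEM would run to raise that notification once harvested credentials are replayed. It assumes a simple space-separated authentication log (timestamp, user, result, source IP) and a per-user baseline of usual source addresses; both the log lines and the baseline are constructed for the example.

```python
"""SIEM-style correlation over authentication events (added example).

Two rules that fire when credentials harvested by a phishing form are used:
  1. a user's successful login from a source address not in that user's baseline;
  2. one source address logging in successfully as several distinct accounts
     within a short window (one attacker host replaying many stolen credentials).
All log lines and the baseline below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp user result source_ip"
SAMPLE_LOG = """\
2024-03-04T08:02:11 alice success 10.1.20.15
2024-03-04T08:05:40 bob success 10.1.20.31
2024-03-04T13:10:02 alice success 203.0.113.9
2024-03-04T13:11:45 bob success 203.0.113.9
2024-03-04T13:12:30 carol failure 203.0.113.9
2024-03-04T13:13:05 carol success 203.0.113.9
2024-03-04T17:45:00 dave success 10.1.20.44
"""

# Constructed baseline: source addresses each user normally logs in from.
BASELINE = {
    "alice": {"10.1.20.15"},
    "bob": {"10.1.20.31"},
    "carol": {"10.1.20.12"},
    "dave": {"10.1.20.44"},
}


def parse_events(text):
    """Turn the raw log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "ip": ip})
    return events


def new_source_alerts(events, baseline):
    """Rule 1: successful login from an address outside the user's baseline."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "success"
            and e["ip"] not in baseline.get(e["user"], set())]


def shared_source_alerts(events, min_accounts=3, window=timedelta(minutes=15)):
    """Rule 2: one source IP succeeds as >= min_accounts distinct users within window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Distinct accounts seen from this IP in the window starting at this event.
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                alerts.append((ip, tuple(sorted(users))))
                break  # one alert per source address is enough
    return alerts


def run(text=SAMPLE_LOG, baseline=BASELINE):
    """Evaluate both rules and return the alerts they raise."""
    events = parse_events(text)
    return {"new_source": new_source_alerts(events, baseline),
            "shared_source": shared_source_alerts(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        for hit in hits:
            print(f"ALERT {rule}: {hit}")
```

On the constructed log, rule 1 flags three users authenticating from 203.0.113.9, and rule 2 ties those logins together as one host using several accounts within minutes, which is the pattern to expect after a form like the one in the scenario above collects credentials. Tune the window and account threshold to your environment; shared NAT or VPN egress addresses are the usual source of false positives for rule 2.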
The journey to data protection continues one step at a time. It can seem daunting; however, by developing a plan, it’s possible to tackle something each quarter. With a consistent training and measurement program, the submitted-form results can get to zero.
Remember, the best way to protect yourself is to STOP and THINK before you click.