Gretel Egan | April 15, 2015

Risky Business: Phishing and Smishing Attacks

Last updated: January 16, 2019

Phishing and smishing (SMS/text message phishing) attacks are pummeling email accounts and devices worldwide, and it’s foolish to believe that all are as transparent as the Nigerian prince scam (which continues to bear fruit, by the way, in old and new forms). A good many of these messages are extremely sophisticated and difficult to spot, and they’re winning at a high-stakes game. In addition to the growing monetary impacts related to business email compromise (BEC) attacks, fraudsters are gaining access to login credentials, intellectual property (IP), customer data, and insider information, wreaking havoc on networks, systems, and consumer confidence. How to fight these pervasive threats? As Andrew Walls, a vice president at Gartner, Inc., told TechTarget, “Employees can play a major role in detecting and responding effectively to social engineering threats, but the most effective approach is to combine employee-based risk management with automated, infrastructure-based risk management.”

We agree; but as we’ve noted before, not all security awareness training programs deliver the same results. A successful phishing attack on the White House is an excellent case in point. As Nextgov reported, a phishing email workshop had been offered to personnel shortly before that attack as part of a yearly training series, Cybersecurity Online Learning. According to Nextgov, “All federal security employees were invited to participate in the 90-minute online training session. But no one from the White House watched.”

Clearly, providing training that end users don’t see is akin to providing no training at all. But we can’t say we’re surprised that people who were given the option of attending a 90-minute session chose to decline the invitation.

Three Tips for Reducing Phishing Risk

Phishing and smishing threats are likely to persist for years — if not decades — to come. But the risk you face from these threats depends on your infrastructure and your employees. Our Continuous Training Methodology takes a unique, 360-degree view of cybersecurity education. One-and-done methods and once-a-year mammoth videos and presentations aren’t as effective as our interactive approach, which delivers “bite-sized” training about specific topics. Education that is delivered at regular intervals and in digestible chunks builds a culture of awareness, changes user behaviors, and keeps cybersecurity top-of-mind for employees year-round.

Consider this: If you aren’t helping your employees identify the hallmarks of suspicious email and text messages, they are almost certainly putting their personal information and your systems at risk. As you weigh the benefits of effective security education, share these three tips with your end users to get on the path to risk reduction:

  • Think before you click – One of our customers’ IT security officers told us that a targeted training goal was to have their employees pause before they interacted with a new message. “We felt that if we could gain a second or even a half of a second pause between the moment when an employee sees a link or a file and the moment when [he or she] clicks, in that gap lies the opportunity for a thought process in which the user ultimately decides, ‘Maybe this isn’t safe. Maybe I shouldn’t do this.’” The customer gained that advantage and then some, reducing malware infections by 42% using our methodology.
  • Don’t be afraid to follow up – A message can look and even sound legitimate but still set off a warning bell. For example, an email that comes from a corporate IT address and tells you to download new security software can seem trustworthy; it appears real and is on topic. But would that really be the process your IT department would follow? It takes just a minute to confirm a questionable message with the sender, whether it’s a coworker, internal department, financial institution, or other entity.
  • Report suspicious messages – Fraudsters will often send the same message to hundreds or even thousands of accounts. It’s not uncommon for numerous people in a company to be included in a single attack. Any email or text that seems suspicious or asks for sensitive corporate or personal information should be reported according to identified company processes (or via our PhishAlarm® reporting button). This could help identify a problem early, before unsuspecting users expose themselves and your organization to dangers.