Cyber security and data integrity are growing problems for organizations of all sizes – spurring a huge demand for cyber insurance to minimize the losses associated with data breaches. While much attention is focused on thwarting malicious hackers and cyber criminals, the point of greatest vulnerability is often overlooked: your own employees. Any good security plan focuses on plugging internal leaks by training employees to keep computers, devices and networks safe. And one common threat continues to be phishing scams – a single successful one can open access to your entire organization.
The Anti-Phishing Working Group (APWG) recently released its Phishing Trends Report for Q1 2014. Some key findings:
- The number of phishing sites leaped by 10.7 percent over the fourth quarter of 2013.
- The number of brands targeted by phishers was up, from 525 targeted in the fourth quarter of 2013 to 557 in the first quarter of 2014.
- The number of phishing attacks observed in Q1 was 125,215. That is the second-highest number of sites detected in a first quarter, eclipsed only by the 164,032 seen in the first quarter of 2012.
- Payment Services continued to be the most-targeted industry sector.
- 32.7 percent of personal computers around the world were infected with malware, adware, or spyware.
In light of this report, we have updated our prior post on spear phishing.
Phishing is a type of email fraud in which the sender impersonates a trusted source to try to obtain passwords, credit card numbers, and other sensitive information. The victim is at risk of financial theft, identity theft, or infection with malicious software. Fraudulent e-mail is frequently disguised as a message from a bank or a trusted merchant. Scam e-mails often contain a link to a site that either requires the person to enter sensitive data or instructs the user to download a special program. These fake e-mails often look and sound very authentic – even experienced users can be fooled. (It should be noted that phishing can happen by phone, too – every year, the IRS warns about phony calls from scammers posing as tax collectors.) While consumer education has alerted many to the scams, and most people know better than to give out sensitive information without vetting the source, millions of people still fall victim each year.
Scammers continue to up the ante. These fraudulent e-mail scams have grown more sophisticated, targeting specific organizations in a practice called spear phishing. In these attacks, the phony e-mails masquerade as communication from within the organization – such as from the HR or IT department or from a specific manager – so the recipient has little reason to doubt them. One pernicious example came in a report of spear phishing emails that targeted CEOs with messages disguised as court subpoenas.
Keep informed, educate your employees
Employers need to stay alert to new phishing scams and need to educate their workers about them to protect the organization – it only takes one chink in the armor for an attacker to get inside. A good source is the Anti-Phishing Working Group (APWG), an organization which stays on top of the latest scams and offers consumer information and education about phishing. In its guidance on how to avoid phishing scams, it offers consumer pointers, among them:
- Be suspicious of any email with urgent requests for personal financial information
- Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic – call the company on the telephone, or log onto the website directly by typing in the Web address in your browser
- Avoid filling out forms in email messages that ask for personal financial information – you should only communicate information such as credit card numbers or account information via a secure website or the telephone
- Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser
- Consider installing a Web browser tool bar to help protect you from known fraudulent websites.
- Regularly log into your online accounts (to ensure that there has been no fraudulent activity)
- Ensure that your browser is up to date and security patches applied
- Always report “phishing” or “spoofed” e-mails to the following groups:
* forward the email to firstname.lastname@example.org
* forward the email to the Federal Trade Commission at email@example.com
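Several of the pointers above (urgent requests for financial information, links that do not go where they appear to, mail that claims to come from inside the organization but does not) can be checked mechanically before a message reaches an employee. The script below is an added example, not code from the original post or from the APWG; it triages a constructed sample message against those indicators. The domains, addresses and word lists are hypothetical placeholders.

```python
"""Heuristic triage of a suspected phishing e-mail (added example).

Flags three of the indicators the APWG pointers describe:
  1. the From address is not on the organisation's own domain,
  2. the body makes an urgent request for credentials or financial data,
  3. a link's visible text claims one host but its href points elsewhere,
     or the href host merely embeds our domain inside a look-alike name.
Samples below are constructed for this example; domains are placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "corp.example.com"  # assumed: the organisation the mail claims to be from

# Constructed phishing sample: an "HR" lure from an unrelated sending domain
# whose visible link text disagrees with the real link target.
PHISH_EML = """\
From: "HR Department" <hr-payroll@mail-notify.example.net>
To: employee@corp.example.com
Subject: URGENT: confirm your payroll account today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your direct deposit will be suspended unless you verify your
account number and password within 24 hours.</p>
<p><a href="http://corp.example.com.login-verify.example.net/hr">
https://hr.corp.example.com/payroll</a></p>
</body></html>
"""

# Constructed benign counterpart for comparison.
BENIGN_EML = """\
From: "HR Department" <hr@corp.example.com>
To: employee@corp.example.com
Subject: Holiday schedule posted
Content-Type: text/html; charset=utf-8

<html><body><p>The holiday schedule is on the intranet:
<a href="https://hr.corp.example.com/holidays">https://hr.corp.example.com/holidays</a></p>
</body></html>
"""

URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
SENSITIVE_WORDS = ("password", "account number", "credit card", "social security")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL; tolerates bare 'www.example' visible text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw_message):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender address domain must really be ours, whatever the display name says.
    from_hdr = msg["from"]
    for addr in (from_hdr.addresses if from_hdr else ()):
        if not _belongs_to(addr.domain.lower(), OUR_DOMAIN):
            findings.append(f"sender domain {addr.domain!r} is not {OUR_DOMAIN}")

    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = ((msg["subject"] or "") + " " + body).lower()

    # 2. Urgency combined with a request for credentials or financial data.
    if any(w in text for w in URGENT_WORDS) and any(w in text for w in SENSITIVE_WORDS):
        findings.append("urgent request for sensitive information")

    # 3. Link text vs. real target, and look-alike hosts embedding our domain.
    collector = _LinkCollector()
    collector.feed(body)
    for href, visible in collector.links:
        target = _host(href)
        if re.match(r"(https?://|www\.)", visible, re.I) and _host(visible) != target:
            findings.append(f"link shows {_host(visible)} but goes to {target}")
        if OUR_DOMAIN in target and not _belongs_to(target, OUR_DOMAIN):
            findings.append(f"look-alike host {target}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, triage(sample) or ["no findings"])
```

Run against the constructed samples, the phishing message produces four findings (foreign sender domain, urgent request for credentials, link text/target mismatch, look-alike host) and the benign message none. The checks are deliberately simple string and hostname comparisons; they illustrate the indicators rather than replace a mail-filtering product, and the word lists would need tuning for a real organisation.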
Make a policy that you will never ask for confidential employee information (passwords, credit card numbers, social security numbers) via e-mail and publicize the policy widely. Use newsletters, company meetings, and bulletins to publicize security tips and to teach your employees that whether at work or at home, they should never share confidential information via e-mail. Here are a few consumer quizzes you can use to test their – and your – knowledge: