Of the many online threats out there, perhaps the most common and dangerous is the phishing email, in part because it’s proved to be so effective. Read on for a few considerations when building out a response plan in your organization.
Last week, the internet was roiled by an unusually effective phishing scheme involving fake Google Docs links sent by email. The scale of the attack, involving a massive number of users users of both Gmail and Google Apps, caught a lot of folks off guard, though Google was able to stop it dead in its tracks.
Perhaps we should have been expecting it, or something like it. Currently, we’re reaching peak phishing, and the waters don’t appear to be getting any less choppy.
Currently, the media giant Gannett is getting hit by a tech double whammy. According to press reports, the company is dealing with an unprecedented rise in fake Facebook accounts on its social media pages, a problem so significant that it has asked for the FBI’s help.
Then came round two: Gannett announced last week that it had been targeted in a sophisticated phishing attack that involved the data of as many as 18,000 current and former employees. The phishing emails were targeted at the company’s human resources staff.
The Google Docs attack was a freak incident that spread far beyond the walls of any individual organization, highlighting a weakness of Google’s own infrastructure. Your guard should be up for something like that to happen, even if it’s rare. The Gannett incident, on the other hand? That’s just the kind of thing that’s likely to happen at an association.
The key is continuous training and reinforcement to keep security top of mind every day.
And if you’re running an IT department, it’s enough to give you heartburn. Here are some considerations you should keep in mind when tackling phishing problems:
The average user isn’t phishing-savvy. A recent Pew report found that tech users had trouble answering a series of questions about cybersecurity in a recent survey—in fact, just 1 percent gave the correct responses to all 13 questions. While 54 percent of internet users were able to identify a phishing attack based on a set of descriptions, that means 46 percent weren’t able to—either answering wrong or skipping the question entirely. That finding suggests that a lot of work needs to be done to help prevent phishing within an organization.
Some departments are at higher risk than others. There was a lot of chatter recently about attacks targeting companies around tax season, when personal information, like W-2 forms, tends to be distributed to employees. The IRS, when reporting the scope of the issue, specifically noted that HR, finance, and payroll departments were particularly at risk. Certain types of organizations may be in danger as well. When originally reporting on the Google Docs phishing attack, Gizmodo noted that many of those targeted seemed to be journalists. Though the impact turned out to be much broader, that sort of targeting was not outside the realm of possibility. In general, employees who deal with sensitive information (say, member data) are at the highest risk. If you’re training your users, start with these employees.
Small mistakes can expose users to big problems. In 2015, an unemployed IT worker who had applied for a job at the fast-casual chain Chipotle exposed a weakness in the company’s internet security: Its HR department was emailing applicants from a domain it didn’t own. It was a small accident, the kind of thing that may have been a two-second mistake, but if the domain had fallen into the wrong hands, it could have created a disaster for Chipotle along the lines of the 2015 food-poisoning scare. Keep in mind that potential phishing attackers are looking for tactical errors just like that.
It’s not always email. Wombat Security, which recently released a report on the risk of phishing, found that alternative phishing attack vectors such as phone calls and texting were relatively common, with 44 percent of respondents affected by these types of attacks. (Less common, but still a factor, were attacks using rogue USB devices, which affected 4 percent of respondents.) While these kinds of attacks were down from 2015, the organization said that vigilance was key in preventing such attacks in the future. “The key is continuous training and reinforcement to keep security top of mind every day,” the report stated.
Focus on your response. With a whopping 91 percent of cyberattacks launched as a direct result of an email phishing attack, according to a PhishMe report, prevention may not go far enough for many organizations. And the threat is increasing: The Anti-Phishing Working Group reported [PDF] 65 percent more phishing attacks last year than in 2015, and a 5,753 percent increase over 2004. Wombat Security’s Gretel Egan notes that these numbers are high enough that the goal should be managing the risk, not preventing it. “If end-user risk management is not part of your cybersecurity plan … what are you waiting for?” she asked in an April blog post. “A security awareness and training program can offer a cost-effective, result-driven way to quickly impact end-user risk and generate improvements over time.”
How is your organization tackling the phishing risk before it’s too late? Offer up your thoughts in the comments below.