Phishing and ransomware top employee security concerns
As a productivity tool, the email inbox has proven to be both a blessing and a curse.
Among the types of attacks that workers often fall for, “phishing, spear-phishing and/or whaling” is number one, according to Dan Lohrmann, CSO at security awareness training provider Security Mentor.
“Remember that phishing can happen with people clicking on links in emails, but also via social media and even phone calls,” Lohrmann said. Also, people are still opening attachments from strangers, he added. Social engineering essentially involves running a con, using email or a phone call, to gain access to a protected system or information through deception. In the case of spear-phishing or whaling, both terms for more targeted attempts at scamming important high-value individuals, a considerable amount of effort can go into fooling victims.
Lance Spitzner, director of Security Awareness at the SANS Institute, cautioned that scammers like to use social engineering to make their victims jump to attention and get hearts racing.
“The most common tactic cyber attackers use is creating a sense of urgency, pressuring or rushing people into making a mistake,” Spitzner said. “This can be a phone call where the attacker pretends to be the IRS stating your taxes are overdue and demanding you pay them right away, or pretending to be your boss, sending you an urgent email tricking you into making a mistake.”
Research from Cofense, home to the PhishMe simulation program, shows that workers tend to lower their guard when money is involved.
During the first half of 2018, the company’s active threat simulations revealed that that ‘attached invoices’ requesting payment, ‘payment confirmation’ and ‘document sharing’ remain difficult for users to avoid, said John “Lex” Robinson, anti-phishing and information security strategist at Cofense. “All these models involve the exchange of money, an emotionally charged topic that elicits strong responses,” he said.
Some attackers don’t care much for stealing valuable information. Instead, they use malware that encrypts a victim’s files and holds them hostage without ever transferring the data. They demand a ransom for the encryption key that restores access to those files, hence the term ransomware.
More than a quarter (26 percent) of ransomware attacks hit business users in 2017, according to a report from Kaspersky Lab. Between the second quarter of 2016 and second quarter of 2017, small and midsized businesses paid over $300 million to ransomware attackers, according to a survey from data backup specialist Datto.
“Ransomware and phishing continue to be the most common attacks users are falling for,” observed Rob Clyde, chair of ISACA and executive chair of White Cloud Security. “Moreover, attackers often find that it is easier to make money using ransomware attacks.”
Good data protection practices, particularly maintaining regular backups, makes ransomware more of an inconvenience than a cripplingly expensive cyber-security incident, although IT security teams and administrators will likely have their hands full sanitising affected systems.