Phishing: Why your employees click everything and what to do about it

Cyber criminals impersonating trustworthy sources in order to steal employee credentials or place malware within a system are now becoming a very common and popular tactic to attack organizations. The bad news is your employees may be the weakest link in the chain. According to a report by Software Advice, the numbers don’t look so good:

• Only 24% of employees surveyed said they “never” accept social media invites from strangers
• 39% of employees admit to opening e-mails that they suspected may have been scams, fraudulent or contained malware
• Only 36% of employees believe that they could confidently recognize and withstand a phishing attack
• 53% of employees don’t believe their colleagues could resist a phishing attack

What to look for

Worrying whether one of the hundreds of URLs or e-mails an employee has to open during the course of the work is going to be malicious is not the top priority for many individuals. In addition, phishing scams have come a long way from amateur hacking attempts to the skilled attempts of multi-million dollar criminal scamming enterprises. Phishing attacks have become so effective that 91% of all cyberattacks are believed to have been instigated by a “spear-phishing” e-mail that was targeted at an individual within an organization.

There are various types of phishing attacks that are commonly used by cyber criminals:

• Links are embedded into e-mails that redirect employees to insecure websites that request sensitive information
• Installing a Trojan through a malicious e-mail attachment or advertisement, allowing the intruder to gain access to information
• Mimicking a reputable sender address in an e-mail to convince the viewer to give sensitive information
• Obtaining sensitive company information via phone by impersonating a vendor or IT department

Don’t click that!

While it is hard to prevent employees from clicking on malicious links and e-mails 100% of the time, there are steps that can be taken to educate employees and lower the risks of being attacked.

• Train employees on how to properly check and accept social media invites
• Updates to sensitive information or personal account details should be made directly to your employer’s website, never via an e-mail link
• Educate employees with training sessions and mock phishing scenarios
• Place virus and spam filters on your system e-mails to detect viruses, blank senders and more
• Keep all security patches and updates current
• Place web filters to block malicious websites and links
• Encrypt sensitive company information

Phishing attacks are one of the most common security challenges that companies and employees face, but with education and training, companies can reduce the risks of valuable information being stolen.