If malware, bots and phishing are not a priority for your business, consider the damage a single successful attack could do. Insurers hold enormous amounts of sensitive customer data. How would you feel about telling your customers their information has been compromised?
More than half of the data breaches analyzed in Verizon's 2017 Data Breach Investigations Report, which covers more than 40,000 incidents, including 1,935 confirmed data breaches, at organizations worldwide, involved malware. Two-thirds of that malware was installed via malicious email attachments.
Do your employees and coworkers recognize and report phishing emails with a malicious link or attachment every time they see them? If not, the scenario below may be happening as you read this:
- An email with a malicious attachment or link is sent to your employees or coworkers, and they click on it.
- Malware installs on the device, and one or more of the following may occur:
  - A keylogger captures user credentials for fraudulent reuse.
  - The person is redirected to a fake site where his or her credentials are captured.
  - Affected computers at your company become part of a botnet (a network of compromised computers that a cybercriminal controls remotely, typically through a Trojan).
  - Your company's sensitive data (e.g., customer information, bank account details, intellectual property) is stolen.
The human factor
In addition to the tried-and-true method of sending legitimate-looking emails to unsuspecting victims, cybercriminals are now using social media and other popular platforms to launch their attacks. With many of these phishing schemes targeting employees, business leaders should be aware of the risks that social engineering can pose to their operations, reputation and customers.
Installing anti-malware software helps protect your computers against viruses and other threats. It does not, however, stop an employee from typing a password into a convincing fake login page, so on its own it is not adequate for mitigating social engineering. If you want to protect your company from cyber threats, do not underestimate the human factor.
Social engineering, the practice of attacking the human element of information security, poses a significant risk to businesses. As attacks grow more sophisticated by the day, most organizations have considerable room to improve how they defend against them.
Phishing attacks on the rise
The 2017 Verizon report found that about 1 in 14 users were tricked into following a malicious link or opening an attachment, and 15% of those users were duped more than once. For a business with hundreds or thousands of employees, that is a lot of successful lures.
Once a user took the bait, malware was used to capture and export data or to take control of the victim's computer, putting the employer at risk.
And phishing is on the rise. APWG, a nonprofit founded in 2003 as the Anti-Phishing Working Group, tracks phishing activity worldwide; it recorded 1,220,523 unique phishing attacks during 2016, a 65% increase over 2015.
Examples of social engineering attacks
Spearphishing is a targeted form of phishing in which the attacker spoofs or imitates a sender the victim trusts (a colleague, a vendor, a bank) in an attempt to obtain credentials, sensitive information or a foothold on the network. The attacker has done some homework: he or she knows at least a few details about the target or the target's organization and uses them to appear familiar and legitimate.
Social networks are increasingly used to mount spearphishing attacks: cybercriminals crawl social media profiles to gather the details that make a lure convincing, and some have even used Google Docs to stage phishing attacks.
Here are just a couple of examples of the types of phishing attacks that you, your employees or your coworkers could fall victim to:
- Via email attachment: An employee within the targeted organization receives an email with an attachment (e.g., a fake invoice or report) for review. The attachment might be a .zip, or a file that carries a PDF icon and a document-like name but is actually an .exe (an executable that runs a program when opened). Because Windows hides known file extensions by default, a file named "Invoice.pdf.exe" is displayed as "Invoice.pdf". Once opened, the malware runs with the employee's access rights and can reach whatever that employee can reach on the business network, putting the company and its clients at risk.
- Via email link: A victim receives an email pretending to be from a financial institution or other trusted source. The email contains a link to a fraudulent website; visiting it can infect the victim's computer with malware, allowing the attacker to access the computer remotely and steal personal information, passwords, user IDs and online transaction details, or the site can simply harvest whatever credentials the victim types into it.
How to boost your cyber security
In addition to establishing an information security program and using firewalls and/or content filtering to block access to known-malicious sites and content, it is critical to train your employees on cyber security awareness.
Phishing training and testing can help you to identify vulnerabilities and monitor the effectiveness of information security policies, procedures and training at your company.
In these tests, an email with a fake link is sent to targeted employees. Employees who click on the link will be taken to a website with training resources about phishing, and test performance is measured and reported to management. A qualified consulting firm can assist your company by performing this testing quarterly or semiannually.
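The mechanics of such a test, as an added example that is not code from the article or from the firm it names: each employee receives a link carrying a random per-recipient token, the landing page records the click and redirects to a training page, and a report summarises the click rate and repeat clickers for management. The hostnames, the training URL, the employee names and the recorded clicks are all assumptions constructed for the example; the web server and the mail sending are left out.

```python
"""Minimal phishing-simulation tracker (added example; hostnames, URLs and
the sample campaign below are constructed, not from the article)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

TRAINING_URL = "https://training.example.com/phishing-awareness"  # assumed
LANDING_BASE = "https://sim.example.com/t/"                        # assumed


@dataclass
class Campaign:
    name: str
    tokens: dict[str, str] = field(default_factory=dict)          # token -> employee
    clicks: list[tuple[str, datetime]] = field(default_factory=list)

    def enroll(self, employees: list[str]) -> dict[str, str]:
        """Issue one unguessable token per employee; return employee -> tracking URL.
        Random tokens (rather than sequential IDs) stop one employee from
        guessing, viewing or triggering another employee's result."""
        urls = {}
        for emp in employees:
            tok = secrets.token_urlsafe(16)
            self.tokens[tok] = emp
            urls[emp] = LANDING_BASE + tok
        return urls

    def record_click(self, token: str, when: datetime | None = None) -> str:
        """What the landing handler does: log the click, return the redirect target.
        The landing page only teaches; it must never ask for a password.
        Unknown tokens are still redirected, so probing reveals nothing."""
        emp = self.tokens.get(token)
        if emp is not None:
            self.clicks.append((emp, when or datetime.now(timezone.utc)))
        return TRAINING_URL

    def report(self) -> dict:
        """Campaign summary for management: click rate and who clicked more than
        once (the repeat victims the Verizon figure above refers to)."""
        per_emp: dict[str, int] = {}
        for emp, _ in self.clicks:
            per_emp[emp] = per_emp.get(emp, 0) + 1
        total = len(set(self.tokens.values()))
        return {
            "campaign": self.name,
            "recipients": total,
            "clicked": len(per_emp),
            "click_rate": round(len(per_emp) / total, 3) if total else 0.0,
            "repeat_clickers": sorted(e for e, n in per_emp.items() if n > 1),
        }


def demo() -> dict:
    """One constructed campaign: bob clicks twice, carol once, the rest never."""
    c = Campaign("Q3-invoice-lure")
    urls = c.enroll(["alice", "bob", "carol", "dave"])
    token = {emp: url[len(LANDING_BASE):] for emp, url in urls.items()}
    c.record_click(token["bob"])
    c.record_click(token["bob"])
    c.record_click(token["carol"])
    c.record_click("not-a-real-token")  # ignored, but still redirected
    return c.report()


if __name__ == "__main__":
    print(demo())
```

The report deliberately counts distinct employees who clicked rather than raw clicks, so one curious user reloading the page does not inflate the campaign's click rate, and it lists repeat clickers separately because those are the people who most need follow-up training.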
The greater an employee’s awareness, the less likely that he or she will fall victim to social engineering attacks. In addition to conducting phishing tests, you can train employees on email and browser security best practices, including these tips:
- Resist the urge to click links in a suspicious email.
- Hover your mouse cursor over a link to reveal the actual web address and compare it with the text shown, and check the sender's actual email address, not just the display name, before visiting the destination website.
- Visit websites directly rather than clicking links in emails.
- Be cautious of email attachments, even if they appear to come from a familiar sender, and never open an attachment that turns out to be an executable.
- Check for signs such as poor quality of the logo or email, poor grammar or misspellings.
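The checks in the tips above, and the disguised-executable attachment described in the examples of social engineering attacks, can also be automated at the mail gateway. The following is an added example, not code from the article: it parses a raw email and flags a display name that looks like an address at a different domain, a Reply-To at a different domain than the From address, a link whose visible text names one host while the href points to another, and an attachment with an executable extension hidden behind a document extension. The lure and the benign message are constructed here for the example, the `.example` domains are placeholders, and the "last two labels" rule for identifying an organisation's domain is a simplifying assumption.

```python
"""Automated phishing-indicator checks (added example; all messages and
domains below are constructed for the example, not taken from the article)."""
from __future__ import annotations

import email
import email.utils
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

EXEC_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".com", ".pif", ".lnk"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s: str) -> str:
    """Hostname of a URL; a bare 'www.x.example/path' is accepted too."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()


def org(host: str) -> str:
    # Assumption: the last two labels identify the organisation. Real code
    # should use the public suffix list, or 'bank.co.uk' style names break this.
    return ".".join(host.split(".")[-2:])


def domain_of(addr_header) -> tuple[str, str]:
    """(display name, domain of the actual address) from a From/Reply-To header."""
    name, addr = email.utils.parseaddr(str(addr_header or ""))
    return name, addr.rpartition("@")[2].lower()


def check_message(raw: bytes) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs for the signs the tips tell users to look for."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    name, from_dom = domain_of(msg.get("From"))
    _, reply_dom = domain_of(msg.get("Reply-To"))
    # Display name written to look like the real address: "a@bank" <x@other>.
    if "@" in name and org(name.rpartition("@")[2].lower()) != org(from_dom):
        out.append(("display-name-domain", f"{name!r} actually sent from {from_dom}"))
    if reply_dom and org(reply_dom) != org(from_dom):
        out.append(("reply-to-domain", f"replies go to {reply_dom}, not {from_dom}"))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        lc = LinkCollector()
        lc.feed(html.get_content())
        for href, text in lc.links:
            # Only link text that itself looks like a URL or hostname is compared.
            shown = host_of(text) if "." in text and " " not in text else ""
            if shown and org(shown) != org(host_of(href)):
                out.append(("link-text-mismatch", f"shows {shown}, goes to {host_of(href)}"))
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        sfx = [s.lower() for s in PurePosixPath(fname).suffixes]
        if sfx and sfx[-1] in EXEC_EXT:
            disguised = len(sfx) > 1 and sfx[-2] in DOC_EXT   # e.g. Invoice.pdf.exe
            out.append(("disguised-executable" if disguised else "executable-attachment", fname))
    return out


def build_sample(lure: bool) -> bytes:
    """Constructed messages: a lure carrying every indicator above, or a benign one."""
    m = EmailMessage()
    m["To"] = "employee@company.example"
    m["Subject"] = "Invoice 4471"
    if lure:
        m["From"] = '"accounts@firstnationalbank.example" <alerts@mailer-rnd.example>'
        m["Reply-To"] = "support@fnb-secure-login.example"
        link = '<a href="http://fnb-secure-login.example/login">https://www.firstnationalbank.example/login</a>'
        attach = ("Invoice_4471.pdf.exe", b"MZ\x90\x00")   # PE header bytes, not a PDF
    else:
        m["From"] = "Accounts Payable <accounts@firstnationalbank.example>"
        link = '<a href="https://www.firstnationalbank.example/login">log in</a>'
        attach = ("Invoice_4471.pdf", b"%PDF-1.4\n")
    m.set_content("Please review the attached invoice.")
    m.add_alternative(f"<p>Review at {link}</p>", subtype="html")
    m.add_attachment(attach[1], maintype="application", subtype="octet-stream", filename=attach[0])
    return m.as_bytes()


if __name__ == "__main__":
    for code, detail in check_message(build_sample(lure=True)):
        print(f"{code}: {detail}")
```

None of these indicators is proof on its own (marketing mail routinely sets a Reply-To at a different domain), which is why the function returns the list of indicators rather than a verdict; a gateway would score or quarantine on the combination, and an executable hiding behind a document extension is the one indicator that justifies blocking outright.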
Your employees and coworkers can be one of your company’s greatest vulnerabilities in the face of growing cyber threats like malware, bots and phishing. However, with proper training, they could also be one of your best defenses.
Alejandro Mijares, CISA, CRISC, MSMIS, is a risk advisory services IT manager in Kaufman Rossin's Miami office and provides IT security consulting services to businesses and financial institutions.
Roberto Valdez, CPA, is a risk advisory services professional in Kaufman Rossin's Boca Raton, Florida, office and provides IT security consulting services to businesses in a variety of industries.