Cyber criminals have always targeted users, finding it easier to trick unsuspecting employees than to bypass complex technical security measures, and this trend has been growing steadily over the last few years. Identity fraud, where criminals impersonate someone else in order to steal their money or use their account to manipulate others, is now one of the most common types of cyber crime there is. Account takeover attacks, where criminals gain access to a user’s account and use it to send spam or phishing emails, are also on the rise, and they often allow malicious emails to bypass email security filters.
Phishing remains one of the most common attack vectors for criminals: one study alarmingly found that 93% of phishing emails contained ransomware.
In the internet age, business is increasingly taking place over email and other forms of electronic communication. When your boss or colleague asks you to undertake an action by email, you don’t necessarily hear their voice or see their face, so you mightn’t recognise that someone else is on the other end of your screen controlling their account.
A recent study of over 50 organisations by IT security firm Barracuda Networks revealed that account takeover attacks were much less likely to be blocked by email security filters that rely on criteria such as domain, sender or IP reputation, the factors which would usually prevent these malicious emails from reaching a user’s inbox. Because the email genuinely comes from a legitimate account on a legitimate domain, reputation checks have nothing to flag.
These attacks frequently utilise phishing to infect additional email accounts, growing the network of email addresses that the criminals can use to send out malicious emails or perpetrate fraud and impersonation. Users see an email from a trusted colleague asking them to open an attachment such as a Word document or Excel file, and opening it can download malware onto their PC. Email systems will often protect users from malware in attachments if they are sent from outside the organisation, but many of these systems do not scan internal communication for such files, making these attacks especially dangerous.
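The gap described above, a gateway that exempts internal senders from attachment scanning, is easiest to see side by side with the corrected setting. The following is an added example written for this article, not code from Tech Guard or from Barracuda Networks; the organisation domain `example.com`, the `RISKY_EXTENSIONS` list and the sample messages are constructed placeholders, and the two policy functions stand in for whatever rule engine a real gateway uses.

```python
"""Attachment policy for an inbound/internal mail gateway, contrasting a
filter that trusts internal senders (the weak setting) with one that scans
every message regardless of sender domain (the corrected setting).
Added example; domain, extension list and sample messages are constructed."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain (placeholder)

# Extensions commonly used to carry macro or script based malware.
# Constructed list; a real deployment would use its own policy and AV scanning.
RISKY_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".js", ".vbs", ".exe", ".scr", ".hta")


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ("" if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_names(msg):
    """Filenames of every non-body MIME part carrying a filename."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def is_risky(filename):
    """Judge by the final suffix, so 'invoice.pdf.exe' is still caught."""
    return filename.lower().endswith(RISKY_EXTENSIONS)


def weak_policy(msg):
    """Weak setting: internal senders are trusted and skip scanning.
    A message sent from a compromised internal account is delivered untouched."""
    if sender_domain(msg) == INTERNAL_DOMAIN:
        return "deliver"
    return "quarantine" if any(is_risky(n) for n in attachment_names(msg)) else "deliver"


def hardened_policy(msg):
    """Corrected setting: every message is scanned; neither the sender's
    domain nor its reputation exempts it, which closes the account-takeover gap."""
    return "quarantine" if any(is_risky(n) for n in attachment_names(msg)) else "deliver"


def parse_raw(raw_bytes):
    """Parse wire-format bytes into an EmailMessage, as a gateway would."""
    return BytesParser(policy=policy.default).parsebytes(raw_bytes)


def build_sample(from_addr, filename):
    """Construct a test message with one attachment (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Please review"
    msg.set_content("See attached.")
    msg.add_attachment(b"\x00placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    samples = {
        "internal sender, macro workbook": build_sample("Alice <alice@example.com>", "budget.xlsm"),
        "external sender, macro workbook": build_sample("bob@other.example", "budget.xlsm"),
        "internal sender, plain pdf": build_sample("alice@example.com", "report.pdf"),
    }
    for label, msg in samples.items():
        parsed = parse_raw(msg.as_bytes())
        print(f"{label:32} weak={weak_policy(parsed):10} hardened={hardened_policy(parsed)}")
```

The difference shows up on the first sample: the weak policy delivers a macro-enabled workbook because the From: address is internal, while the hardened policy quarantines it. Treating the sender's domain as a reason to skip scanning is exactly the assumption that account takeover turns against you.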
According to the report, 22% of account takeover incidents happened to employees in sensitive departments such as HR or finance, and 6% were executives. Often, when an executive or high-level employee’s account is hacked, it is used for CEO fraud. This is where the hacker sends an email from the CEO, CFO or similarly important person’s account to someone in finance and requests an urgent transfer to a new account. The unsuspecting employee may not recognise the warning signs and complies with the instructions, even though the money they are transferring will go directly to a cyber criminal’s account, where it is often immediately moved offshore and out of reach of the authorities.
In fact, it is reported that lower-level employees often make lucrative targets for gaining entry to an organisation, as they tend to have less cyber security training: many companies only selectively train staff in how to detect phishing emails, allowing cyber criminals an easy entry point to their business.
Cyber security can be a tricky business, as it is always evolving and best practice changes regularly while cyber criminals and cyber security professionals become wise to each other’s tactics and attempt to stay one step ahead. However, it is crucial to understand that when it comes to cyber security, like any other form of security, you are only as secure as your weakest link. You can have the strongest walls in the world, but one unlocked back door is enough to lead to a breach. Similarly, you can have the latest antivirus and firewalls and complex email security, but if you’re only training high-level staff and neglecting the cyber education of everyone else, those staff will be the back door that lets the hackers in.
At Tech Guard, we know training, and we know users. Training is most effective when it is rolled out to all users, whether they are the CFO or the secretary, and we recommend that training be issued on at least a quarterly basis, even if it’s just a quick 15-minute module, as it helps keep security top-of-mind for staff, so they are alert and on the lookout for threats.
Another tactic that we employ when training users, and one that is fast becoming industry standard in cyber security awareness training, is to phish your own users: each user receives a simulated (non-malicious) phishing email on a regular basis, which allows organisations to quantify their risk and roll out remedial training to users who repeatedly fall for common phishing tactics.
Regular training and regular phishing simulations are a proven, quantifiable method of educating users and reducing the risk of a cyber attack, as well as demonstrating to data protection authorities that the organisation is being proactive about security should a data breach ever occur.
For more information on how training and phishing could help your organisation, contact Tech Guard today for a quote or a demo.