Here are just a few examples of the types of phishing attacks that you or your employees could fall victim to:
- Via LinkedIn: An attacker creates a fake LinkedIn profile in order to target employees at a specific company. The fake profile is used to harvest information about the targets' current and past employers, job titles, email addresses and connections. That information lets the attacker design a far more convincing spear phishing message, one that references real colleagues and projects.
- Via LinkedIn email: An attacker sends a fake email that looks like it is coming from LinkedIn. When the victim clicks the "accept connection request" link, it leads to a fake LinkedIn login page under the attacker's control. If the user enters a username and password, those credentials are captured by the attacker and can be replayed against LinkedIn and against any other account where the same password was reused.
- Via email attachment: An employee within the targeted organization receives an email with an attachment (e.g., a fake invoice or report) for review. The attachment may carry a PDF icon and a document-like name, but it is actually an .exe (an executable file that runs a program), or an archive containing one. Once opened, the malware runs with that employee's privileges and network access, giving the attacker a foothold on the business network and a path to sensitive data, putting the company and its clients at risk.
- Via email link: A victim receives an email pretending to be from a financial institution or other trusted source. The email contains a link to a fake website that infects the victim's computer with malware, allowing the attacker to access the computer remotely and steal personal information, passwords, user IDs and online transaction details.
How to boost your employees’ ‘hacker IQ’
In addition to establishing an information security program and using firewalls and/or content filtering to restrict access to potentially malicious content, it is important to train your employees.
Social engineering phishing testing can help you identify vulnerabilities and monitor the effectiveness of information security policies, procedures and training at your company. In these tests, an email with a fake link is sent to targeted employees. Employees who click on the link are taken to a website with training resources about phishing, and test performance (click rate, credential-entry rate, reporting rate) is measured and reported to management. A qualified consulting firm can assist your company by performing this testing quarterly or semiannually.
The greater an employee’s awareness, the less likely he or she will fall victim to social engineering attacks. In addition to conducting phishing tests, you can train employees on email and browser security best practices, including these tips:
- Resist the urge to click links in a suspicious email.
- Check the real destination of a link (by hovering your mouse cursor over it) and the sender's actual email address, not just the display name, before visiting the destination website. The text of a link can say one thing while the address underneath points somewhere else entirely.
- Visit websites directly, by typing the address or using a saved bookmark, rather than clicking links in emails.
- Be cautious of email attachments, even when they appear to come from a familiar sender. Look at the full file name: a "document" ending in .exe or with a double extension such as .pdf.exe is a program, not a document.
- Check for signs such as poor quality of the logo or email, poor grammar or misspellings, and unexpected urgency.
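The checks in the list above, and the disguised-executable attachment and lookalike LinkedIn link from the attack examples earlier, can also be automated at the mail gateway or in a triage script. The following is an added illustration, not code from the article: it parses a raw email and flags three indicators, a display name claiming a brand that does not match the sender's domain, link text showing one domain while the href points to another, and an executable attachment hiding behind a document extension. The brand table, domains and both sample messages are constructed for the example.

```python
"""Flag the phishing indicators described above in a raw email message.

Added example (not from the article): the checks are deliberately simple and
the brand list, domains and sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand -> legitimate domain table; a real deployment would
# maintain this from the organisation's own allow-list.
BRAND_DOMAINS = {"linkedin": "linkedin.com"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "zip"}

# Constructed sample: a "connection request" lure with a lookalike link and a
# double-extension attachment, as in the LinkedIn and invoice examples above.
PHISH_EMAIL = b"""\
From: "LinkedIn" <notifications@linkedin-mail-alerts.example>
To: employee@example.com
Subject: You have a new connection request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Accept your request:
<a href="http://login.linkedin-secure.example/auth">https://www.linkedin.com/</a>
</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message for comparison.
CLEAN_EMAIL = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
To: employee@example.com
Subject: Password policy reminder
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://intranet.example.com/policy">https://intranet.example.com/policy</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Crude eTLD+1 (last two labels); enough for this lookalike check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Sender: display name claims a brand whose domain is not the sender's.
    sender = msg["From"].addresses[0]
    for brand, domain in BRAND_DOMAINS.items():
        if brand in sender.display_name.lower() and registrable_part(sender.domain) != domain:
            findings.append(f"sender claims {brand!r} but mails from {sender.domain}")

    # 2. Links: visible text shows one domain, the href points to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = re.match(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", text)
            target = urlparse(href).hostname or ""
            if shown and registrable_part(shown.group(1)) != registrable_part(target):
                findings.append(f"link shows {shown.group(1)} but points to {target}")

    # 3. Attachments: executable, possibly disguised with a document extension.
    for part in msg.iter_attachments():
        exts = (part.get_filename() or "").lower().split(".")[1:]
        if exts and exts[-1] in EXECUTABLE_EXTS:
            disguised = len(exts) > 1 and exts[-2] in DOCUMENT_EXTS
            findings.append(
                f"executable attachment {part.get_filename()}"
                + (" disguised with a document extension" if disguised else "")
            )
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze(raw))
```

Run as a script it prints three findings for the constructed lure and none for the benign message. The same comparisons (display name versus real domain, link text versus link target, full file name versus icon) are exactly what the hover-and-inspect advice asks a person to do by hand; the script just does not get tired or rushed.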
Your employees can be one of your company's greatest vulnerabilities in the face of growing cyberthreats. With proper training, however, they can also be one of your best defenses against social engineering attacks.
Sign up for CIO Asia eNewsletters.