You’ve trained them. You’ve deployed simulated phishing tests. You’ve reminded your employees countless times with posters and games and emails about avoiding phishing scams. Still, they keep falling for the same ploys they’ve been warned about for years. It’s enough to drive security teams to madness.
According to Verizon’s 2016 Data Breach Investigation Report, 30 percent of phishing messages were opened by their intended target, and about 12 percent of recipients went on to click the malicious attachment or link that enabled the attack to succeed. A year earlier, only 23 percent of users opened the email, which suggests that employees are getting worse at identifying phishing emails -- or the bad guys are finding more creative ways to outsmart users.
The consequences of a security breach caused by human error are bigger than ever. For starters, the No. 1 infection vector for ransomware is phishing, says Stu Sjouwerman, founder and CEO of KnowBe4. What’s more, a handful of competing cyber mafias “are casting their nets wider and wider,” sending more scams to more users to attract more hits, he says.
A single ransomware cyber mafia was able to collect $121 million in ransom payments during the first half of 2016, netting $94 million after expenses, according to McAfee Labs’ September 2016 Threats Report. The total count of ransomware samples increased by 128 percent during the first half of 2016 compared to the same period a year earlier, with 1.3 million new samples recorded, the highest number since McAfee began tracking it.
One look at the top five social engineering scams that employees still fall for, and it’s not hard to see their appeal. Sjouwerman calls them the seven deadly social engineering vices that most employees share: Curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy.
Human nature may be to blame for many security breaches, but there are ways to help employees shed their bad habits and avoid these scams.
1. ‘Well it looked official’
Official-looking emails that appear to be work related – with subject lines such as “Invoice Attached,” “Here’s the file you needed,” or “Look at this resume” -- still have employees stumped, experts say.
A survey by Wombat Technologies found that employees were more cautious when receiving “consumer” emails regarding topics like gift card notifications, or social networking accounts, than they were with seemingly work-related emails. A subject line that read, “urgent email password change request,” had a 28 percent average click rate, according to the report.
“Most people are not going to look really closely to know where that email came from, and they click on it and their machine may be taken over by somebody, or infected,” says Ronald Nutter, online security expert and author of The Hackers Are Coming, How to Safely Surf the Internet.
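The check Nutter describes, looking closely at where a message actually came from rather than at the name it displays, is something a mail gateway or a SOC analyst can script. The following is an added example written for this article, not code from the article, KnowBe4 or Wombat. The sample message is constructed for illustration, and the organisation domain `example.com`, the look-alike `examp1e.com` and the lure terms are assumptions taken from the subject lines quoted above. It parses the raw message with the standard `email` module and flags the signs that an "official-looking" mail is not what it claims: a display name that names one domain while the address uses another, a look-alike of the company's own domain, Reply-To or Return-Path headers that route replies and bounces elsewhere, and a subject built from the work-related lures the article lists.

```python
"""Flag 'official-looking' phishing mail by checking where it really came from.

Added example for this article; heuristics only, not a substitute for
SPF/DKIM/DMARC evaluation at the gateway. The message below is constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: display name and subject look like internal IT mail,
# but the sending domain, Reply-To and Return-Path all point elsewhere.
SAMPLE_MAIL = """\
Return-Path: <bounce@mail-deliver.example.net>
From: "IT Helpdesk (example.com)" <helpdesk@examp1e.com>
Reply-To: <support-desk@mail-deliver.example.net>
To: alice@example.com
Subject: Urgent: email password change request
Content-Type: text/plain

Your password expires today. Click http://examp1e.com/reset to keep access.
"""

# Subject-line lures cited in the article (assumed list, extend as needed).
LURE_TERMS = ("urgent", "password", "invoice", "resume", "file you needed")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _skeleton(domain: str) -> str:
    """Collapse common look-alike substitutions so examp1e.com ~ example.com."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def analyse(raw_message: str, trusted_domain: str) -> dict:
    """Return {flag_code: detail} for every suspicious sender property found."""
    msg = message_from_string(raw_message)
    flags = {}
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. The display name claims a domain the actual address does not use.
    for claimed in re.findall(r"[a-z0-9-]+\.[a-z]{2,}", from_name.lower()):
        if claimed != from_dom:
            flags["display-name-mismatch"] = f"name says {claimed}, address is {from_dom}"

    # 2. The sending domain is a character-substitution look-alike of ours.
    if from_dom != trusted_domain.lower() and _skeleton(from_dom) == _skeleton(trusted_domain):
        flags["lookalike-domain"] = f"{from_dom} imitates {trusted_domain}"

    # 3/4. Replies and bounces are routed somewhere other than the visible sender.
    for hdr, code in (("Reply-To", "reply-to-mismatch"), ("Return-Path", "return-path-mismatch")):
        dom = _domain(parseaddr(msg.get(hdr, ""))[1])
        if dom and dom != from_dom:
            flags[code] = f"{hdr} domain {dom} differs from From domain {from_dom}"

    # 5. The subject uses the work-related lures the article describes.
    subject = msg.get("Subject", "").lower()
    hits = [t for t in LURE_TERMS if t in subject]
    if hits:
        flags["lure-subject"] = ", ".join(hits)

    return flags


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_MAIL, "example.com").items():
        print(f"{code}: {detail}")
```

Run against the constructed sample, every one of the five checks fires; a plain internal mail from `helpdesk@example.com` with no Reply-To produces no flags. The caveat is that these checks only catch impersonation of the sender. A message sent from a genuinely compromised colleague's mailbox passes all of them, which is why the user-side habit of pausing before opening an unexpected attachment still matters.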