‘Tis the Season for Cyber Criminals to Infiltrate Companies with Phishing Scams

By Lewis Howell, CISSP,
Founder & CEO, Hueya, Inc.

Who knew that getting a great deal on snowflake socks or yoga mats could put your organization at risk? It’s that time of year when the shopping frenzy is upon us. The holidays put everyone at a heightened risk for online scams, scareware, and phishing attempts. Your employees could be the perfect targets for cyber criminals to use phishing scams to infiltrate your company with malware or worse. Up to 95 percent of all attacks on enterprise networks are the result of successful spear phishing, according to a study by SANS.

Cyber criminals are lurking in the wings, and will strike and scam and spoof consumers via phishing techniques, because your employees are abuzz with high cheer and low guard—and are likely clicking and shopping during work hours. More than 75 percent of organizations allow access to social networking sites and apps on business devices, based on research by Wombat Security.

Social platforms enable humans to share and interact, but oversharing can make people—your employees—vulnerable to online crime. Attackers prey on human weaknesses such as fear, trust, carelessness. Driven by rampant oversharing on social media, the human has emerged as the primary target for cyber criminals who use imposter scams and social engineering techniques to easily break through their defenses.

Phishing: The most likely targets

When it comes to phishing, who are the most likely targets? Everyone. Cyber criminals use trickery to fool their targets, relying on people’s unsuspecting nature and willingness to be helpful. Take, for example, phishing. Phishing is when a malicious party pretends to be from a reputable entity in order to scam your employees out of logins, personal information, or even sensitive customer information! They often set up a fraudulent website that mirrors a legitimate one or send a fraudulent email disguised as a typical communication from the reputable entity. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware. Malware is malicious software that is intended to harm or damage a computer or computer system. Malware can steal or delete your sensitive data, alter or hijack core computing functions, and monitor your computer activity without your permission.

“Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies … Phishing scammers make it seem like they need your information or someone else’s, quickly—or something bad will happen,” according to the Federal Trade Commission.

Lax use of social media is spilling over to the workplace

Clicking can be a minefield. According to the Symantec 2017 Internet Security Threat Report (ISTR), three out of four companies fell victim to phishing last year. Additionally, one in 131 emails contain malware.

Using information readily available from search engines and social media, cyber attackers are able to pull off a wide range of imposter and social engineering scams. According to the Identity Theft Resource Center, the human factor plays a role in 73.4 percent of all data breaches, including 55 percent from hacking, skimming or phishing breaches.

The bait

Very common phishing lures are email requests from HR or IT (Change of Password Required Immediately), fake delivery notices (UPS Label Delivery 1ZBE314TNY00023011), fake invoices, bills, account notifications that trick users into opening phishing emails and taking the bait. Other popular disguises include email delivery failure messages, payment confirmations, and flight confirmations.

Employee security training and awareness

Basically, all of us are at risk. As a result, employee security training—including phishing training with real-world scenarios—is more important that you think. Training your employees to spot and respond to (or not to respond to) phishing emails is critical. Since we tend to be so communicative, social, and trusting, we are too willing to help, making life far too easy for cyber criminals. People tend to have a lax attitude toward their personal online security and the vast amounts of personal data they are willing to share—information that can be accessed by anyone, anywhere in the world—including the office. Including accidentally sharing your organization’s sensitive information.

Engage your employees about the sensitive information they handle, increase their awareness about the potential security threats they will encounter, and teach them through hands-on, immersive training, such as real examples of phishing emails. Even an out-of-office email is a criminal jackpot. By stating the exact dates when an employee is out and the name of the person to contact, gives criminals ample information to use via a phishing email.

According to Symantec, the best security technology in the world can’t help you unless employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. Employees need to understand the value of protecting sensitive information and their role to keep it safe. They also need to know the policies and practices regarding Internet safety.

Don’t be the target

Now is a time for good cheer…and good scams. A recent report and survey, the Hueya Report 2017: Cyber Abuse and the Human Factor, outlines findings about cyber abuse and personal online security, including phishing tactics and tips for people to empower themselves. Here are four cautionary tips for your employees to stop phishing scams before they happen:

1. Be leery of websites and links—To protect yourself, it’s best to be paranoid about every website and every link. A bogus website can simply be one letter off, and bam, you’re in scary territory. For example: waimart.com. Did you catch the “i” instead of the “l”?
2. Distrust and verify—Be suspicious of emails and attachments asking you for information or asking you to click.
3. Don’t ever share your financial information—Phishers and scammers want your bank account information, financial information, your Social Security numbers. Don’t ever share any of it. These can be used to steal your identity or used as the basis for fraud and social engineering attacks.
4. Post information with care—Photos and videos can reveal locations, relationships, personal information, dates, and times. Be mindful when posting pictures as they inadvertently reveal personal information you may not want exposed to the whole wide world.

Your employees hold the key to a safer digital world by practicing smarter online habits, especially this time of year, when everyone is communicating, reaching out to others, shopping, and maybe a little careless.

Lewis Howell, CISSP, is founder and CEO of Hueya, Inc. an Oregon-based company that helps empower people to proactively take control of their digital identity and secure their online world. Hueya protects individuals and families, employees, businesses, and their missions against identity theft, identity fraud, and cyber crime. Years of extensive security research experience have made Lewis a thought leader in cybersecurity and how humans intersect with technology. Inspired by his desire to protect his own family online, Lewis is passionate about exploring new paradigms for personal digital health and safety. He believes that educating and protecting the individual will help reduce the bigger cybersecurity issues that are threatening companies.