Phishing never goes out of season. For hackers, it’s a year-round effort.
Professionals checking their email first thing in the morning will find the messages stacked up: “Attention My Dear, Your first payment of 5000 is about to ….” “Dear Friend Acknowledge I have a potential business offer ….”
Poor spelling and grammar, a salutation addressing no one in particular and the prospect of getting something for nothing are all warning signs that a suspicious email has arrived. What appears to be a note from a friend turns out, on closer inspection, to have an email address from an obscure corner of the world.
The intent, of course, is to get curious recipients to click on a link. That lets a hacker get past a network’s defenses and gain access to a computer system.
A Common Root to Many Troubles
Phishing attacks account for more than 80% of reported cybersecurity incidents, according to the National Cyber Security Alliance. The alliance recommends being suspicious of emails, text messages or chat boxes coming from strangers, and thinking before you click on a link.
One of the biggest challenges for CISOs — that is, chief information security officers — is the human element, said Tony Anscombe, chief security evangelist for ESET, an antivirus software maker with its North American headquarters in downtown San Diego.
“People have a propensity to click, unfortunately,” Anscombe said. “Human behavior is a huge problem. We are the weakest link.”
Phishing is growing more insidious, he said, as hackers get increasingly clever at personalizing their emails. The best course, Anscombe said, is to never click on a link, and go to a company website instead.
The Push to Educate
Businesses try to stay ahead of the danger by educating their employees.
“I always say you can never do enough privacy awareness training,” said Elissa Doroff, managing director and cyber product leader for Lockton Financial Services. Lockton offers insurance, including coverage for cyber breaches.
Several cybersecurity vendors offer curricula on good cybersecurity practices.
ESET offers a “phishing derby,” basically an online quiz that challenges users to spot phishing emails. The derby lets ESET’s channel partners customize the game before sending it out to existing and potential customers. The end of the game offers customers access to additional cybersecurity resources, trials, demos and trainings.
“We ran the phishing derby for consumers in Canada recently. Sixty-eight percent [of participants] failed to identify all four phishing images,” Anscombe said.
Managed Solution is a San Diego managed service provider that will perform phony phishing campaigns for its customers. Emails may look like they come from a known source, such as a co-worker, but they will contain deliberate misspellings. Behind the scenes, the company tracks who clicks on the email’s attachments. That lets managers know who needs further education.
The after-action report that Managed Solution prepares for its customers offers a score similar to a credit score, said Sean Ferrel, chairman and founder of the company.
Doroff, the representative from Lockton, recommends companies conduct social engineering and phishing campaigns at least quarterly. Such emails need to look suspicious, she said. Employers should be getting a click-through rate and following up with targeted privacy awareness training.
Increasingly, insurers are consulting with their customers on many details of cybersecurity.
ESET reported earlier this month that its online ESET Cybersecurity Awareness Training had sold more than 30,000 seats, most coming from small and medium-sized businesses. More than 60 ESET partners had taken advantage of a free training.
Ferrel, of Managed Solution, said his company offers customer immersion experiences as well as programs for top managers regarding good security practices.
CEO: Richard Marko; Brent McCarty is president of ESET North America
HEADQUARTERS: Bratislava, Slovak Republic; ESET North America is based in Little Italy
BUSINESS: Developer of IT security software and services
EMPLOYEES: 1,800 globally; 200 in North America
NOTABLE: ESET’s founders created the company’s first antivirus code in 1987
CONTACT: (619) 876-5400