Who's at Risk from Phishing Scams?
Sat, 2007-08-25 15:43

While there have been a number of stories recently about executives being specifically targeted by phishing scams, we have also noticed a significant uptick in the same sorts of scams aimed at ordinary users. Scammers use automated tools to harvest the e-mail addresses of employees at every level from the company's Web site, which lets them send personalized e-mails throughout the company. I certainly understand the risk of an executive falling victim to one of these phishing attacks, but I believe the more likely scenario is a rank-and-file employee opening an attachment or clicking a hyperlink in one of these fake e-mails. My point is not that executives are necessarily smarter or more sophisticated about these issues than rank-and-file employees, but simply that there are far more rank-and-file employees than executives. The odds favor that if there is going to be a compromise, it will come from the larger group: the rank-and-file employees.
 
Executives should of course receive the same training on these threats as any other employee, but that training should cover the entire population of the company. My point is that when these personalized scams grew in popularity over the last few months, the focus was on the threat to executives. Companies started circulating warnings to their officers and directors. This is all well and good, but businesses should also be educating the rest of their employees about these scams.
 
We have recently seen e-mails targeted specifically at lower-level employees. One such personalized e-mail purported to be from the company's HR manager, identified by name (a name readily available on the company's Web site), and asked the employee to review a PDF attachment (in fact an executable file containing malicious code) to confirm their current vacation time accruals. It is hard to imagine an employee who wouldn't consider opening such an attachment. Fortunately, many e-mails of this type are blocked by anti-virus and anti-spam software at the mail gateway, but some do get through. Given the risk presented by even one of these e-mails being opened, I suggest every business consider sending warnings to its personnel putting them on the lookout for these scams. The best approach to minimizing the risk of these attacks is to properly educate employees. Businesses that fail to provide that education risk not only the compromise of their systems, but potential damage claims from customers, business partners, investors, and others who suffer harm resulting from the compromise.
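The attachment in that e-mail is exactly the kind of thing a mail gateway or a quick triage script should catch before a user ever sees it. As an added example (not code from the original post), the Python below constructs a sample message like the one described, with an HR-themed attachment named Vacation_Accruals.pdf.exe whose bytes begin with the "MZ" header of a Windows executable, and flags it on two independent signals: the double extension (Windows Explorer hides known extensions by default, so the file displays as Vacation_Accruals.pdf) and the mismatch between what the file name claims and what the file's leading bytes say. The sender addresses, file names and file contents are all constructed for the example; the magic-byte check is deliberately minimal and only distinguishes PDF from PE content.

```python
"""Triage e-mail attachments that claim to be PDFs but are really executables.

Added example, not from the original post. Two independent checks are applied
to every attachment in a message: the declared file name (executable extension,
decoy ".pdf" in front of it) and the first bytes of the content (real PDFs start
with "%PDF-", Windows executables with "MZ").
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Leading bytes of the two formats this example distinguishes (assumption: nothing else is checked).
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
# File extensions Windows will execute on double-click (a representative set, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def classify_attachment(filename, data):
    """Return a list of reasons the attachment is suspicious (empty list = nothing found)."""
    reasons = []
    name = (filename or "").lower()
    exts = ["." + p for p in name.split(".")[1:]]  # all extensions, e.g. [".pdf", ".exe"]

    # Name-based checks: a trailing executable extension, with or without a decoy ".pdf" before it.
    if exts and exts[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {exts[-1]!r}")
    if len(exts) > 1 and ".pdf" in exts[:-1]:
        reasons.append("decoy .pdf before the real extension")

    # Content-based checks: compare what the name claims with what the bytes say.
    if name.endswith(".pdf") and not data.startswith(PDF_MAGIC):
        reasons.append("named .pdf but content is not a PDF")
    if data.startswith(PE_MAGIC):
        reasons.append("content is a Windows executable (MZ header)")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and map each attachment's file name to its findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings[part.get_filename()] = classify_attachment(part.get_filename(), payload)
    return findings


def build_sample(filename, data, content_type="application/pdf"):
    """Construct a message in the shape described in the post (all values are made up)."""
    msg = EmailMessage()
    msg["From"] = "HR Manager <hr@example.com>"          # constructed sender
    msg["To"] = "employee@example.com"                   # constructed recipient
    msg["Subject"] = "Please confirm your vacation accruals"
    msg.set_content("Please review the attached statement and confirm your balance.")
    maintype, subtype = content_type.split("/")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a "PDF" that is really a PE file, and a genuine PDF header.
FAKE_PDF = build_sample("Vacation_Accruals.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
REAL_PDF = build_sample("Vacation_Accruals.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_PDF), ("real", REAL_PDF)):
        for fname, reasons in scan_message(raw).items():
            print(f"{label}: {fname} -> {reasons or 'no findings'}")
```

Either signal alone is enough to quarantine the message; the content check matters because a file named plainly statement.pdf can still carry an MZ header, and a gateway that trusts the declared Content-Type (application/pdf here) or the extension will pass it through.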
