Some insights on Phishing, Smishing and Vishing

It looks like it is going to be a very busy year for cyber security people. Phishing (email solicitations with malicious content), smishing (SMS text solicitations with malicious content) and vishing (voice/phone call solicitations with malicious intent) efforts by the bad guys are continually on the rise. Most result in some sort of ransomware getting onto your devices or some scheme to get you to give your money away. The threat reports indicate that millennials, who seem very cyber-savvy, would be expected to have a better understanding of cyber-security, but that is not the case. Only 47% of millennials know what phishing is, while 73% of those aged 54+ know what it is. This is probably because most schemes target the older population, who have more disposable income. The trend over the last few years is double-digit growth in phishing attacks, voice phishing (vishing) and spear phishing, with similar increases in compromised accounts, malware infections and loss of data.

What do we do about it? Our weakest link continues to be on the human side. We can have the best policies and the best security tools, but if our workforce does not understand the consequences of their actions or errors we can still end up with negative results. For many years cybersecurity controls have focused on once-a-year cybersecurity education programs, but these do not seem to drive knowledge retention or change end-user behaviors. The new trend is towards monthly or quarterly training, but more may not be the silver bullet. We must strike the right balance between quality and quantity. Using mechanisms for reinforcement and repetition can be a key component of an effective education program; however, too much repetition can leave employees feeling that cybersecurity is a waste of their time. Another, more effective mechanism is periodic internal pen testing with phishing attacks on employees to see what types of attacks they are susceptible to and whether they report the attacks. Studies have shown a 9% average failure rate across all internal phishing campaigns, with that number remaining steady since 2017. Link-based phishing attacks are the most likely type of attack and they experience the highest click-through by end users, although only 5% of those tested submitted credentials or other requested data.

One recent trend is the targeting of company retirement and spending accounts in phishing campaigns. Cyber criminals are creating new accounts or accessing existing online accounts to gain access to a variety of victim retirement and health spending accounts. Examples of accounts targeted are 401(k), pension, health savings, and flexible spending accounts. These accounts might be compromised by inadvertent disclosure of personally identifiable information (PII) during a phishing attack or by a previous theft of PII. Once they gain credentials and access to these systems, cyber criminals also attempt to leverage their positions to gain elevated privileges and take control of the entire system. Once in these systems, criminals try to initiate loans from accounts, transfer/withdraw funds, initiate distribution of retirement funds, redirect ongoing deposits into other accounts, divert existing 401(k) payments or pension payments, or submit fraudulent claims for health spending account payments/reimbursements.

So, what else can we do? Information is knowledge, and an informed workforce can help limit the impact of these types of attacks. Some recommendations are:

  • Alert your workforce to the above schemes and have them actively monitor their accounts for unauthorized access, modification and malicious activity.
  • Continue education programs that help employees better scrutinize links contained in emails.
  • Do not click on links or open attachments in unsolicited emails; always confirm any communication by going directly to the sender using known-good web sites or phone numbers.
  • Ensure employees are made aware of social engineering and phishing threats (not only through email but also texts and voice); use your newsletters and other company communications to inform them.
  • Have employees be very wary of any attempts to obtain user credentials or other PII from them.
  • Direct employees on whom to inform if they encounter any suspicious activity or requests.
  • Establish company policies to contact the owner of an account to verify any changes to existing account information.
  • Apply heightened scrutiny to bank information changes.
  • Establish multi-factor authentication for creating new online accounts and for making account changes, such as password or bank account information.
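As an added illustration of the "scrutinize links" and "go directly to the sender using known-good web sites" recommendations above (this is example code written for this page, not something from the original post), the following Python script pulls the links out of an HTML email body and applies a few of the checks a security-awareness program teaches people to do by eye: does the visible link text name one site while the actual destination is another, is the destination a bare IP address, does the hostname use punycode or non-ASCII characters, and is the destination on the organization's own list of known-good domains. The email body, the domains and the allow-list are all constructed placeholders; the heuristics are deliberately simple and are meant to show the idea, not to replace a mail-filtering product.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical domains; 203.0.113.0/24 is a
# documentation range and .test is a reserved TLD, so nothing here is real).
SAMPLE_EMAIL_HTML = """
<p>Your 401(k) account needs attention.</p>
<a href="http://example-benefits.com.login-verify.test/401k">https://example-benefits.com/401k</a>
<a href="http://203.0.113.7/reset">Reset your password</a>
<a href="https://example-benefits.com/statements">View statements</a>
"""

# Hypothetical allow-list: the benefits provider's real domain as the company knows it.
KNOWN_GOOD_DOMAINS = {"example-benefits.com"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude 'last two labels' approximation (a real tool would use the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def scrutinize_link(href, display_text, known_good):
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""

    if parsed.scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{parsed.scheme}'")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("destination is an IP address instead of a hostname")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("internationalized/punycode hostname (possible look-alike domain)")
    if "@" in parsed.netloc:
        findings.append("userinfo before the host (the real destination may be disguised)")

    # Visible text that itself looks like a URL but names a different site than the href.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", display_text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        findings.append(f"display text names {m.group(1)} but the link goes to {host}")

    if host and registrable_domain(host) not in known_good:
        findings.append("destination is not a known-good domain; go to the site directly instead")
    return findings


def review_email(html, known_good=KNOWN_GOOD_DOMAINS):
    """Return [(href, findings), ...] for every link in the email body, in document order."""
    return [(href, scrutinize_link(href, text, known_good)) for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, findings in review_email(SAMPLE_EMAIL_HTML):
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{status}: {href}")
        for f in findings:
            print(f"    - {f}")
```

Run it on the sample and the first link is flagged for the text/destination mismatch and the unknown domain, the second for being a raw IP address, and the third (the real provider on the allow-list) passes clean. The same routine can be pointed at the body of a reported email so the person triaging reports sees the reasons, not just a verdict, which is what makes the report useful as a teaching moment.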