Twenty years ago, hackers breached organizations by finding and exploiting holes at the network perimeter. To stop them, security teams focused on locking that perimeter down, creating a “hard, crunchy outside,” but they did much less to strengthen internal users, systems and networks.
Modern attackers have evolved, moving to easier targets at the organization's “soft, chewy center” -- the users and their systems. Phishing, campaigns that send fraudulent email disguised as legitimate traffic, is the primary technique. Over time, we have learned that users are susceptible to all types of phishing cons, from free software to fake websites and unsolicited ads that show up in their inboxes. Trusting souls unwittingly type credentials into forged screens and click on malicious links that surreptitiously install system eavesdroppers, ransomware and even backdoors. When that email appears to come from a friend or high-level executive, it’s even more natural for the employee to trust it and get hooked by the phishing attack. After all, who says “no” to the boss?
The total cost of these attacks is in the billions of dollars. This profitability encourages new criminals and finances the development of sophisticated new tools. What’s more, hackers have identified the best methods of targeting users based on their job function and seniority. Preventing these losses begins and ends with supporting the users -- protecting them from themselves and helping them to develop better habits that will ultimately safeguard the entire organization.
Like real fish, different kinds of phishing victims usually see different lures and techniques used to land them. Let’s take a closer look at the behaviors of some employees who are most likely to find themselves the target of a phishing attack and how to protect them.
1. Executives.
CEOs, CFOs, and other top executives are some of the most popular phishing targets. As high-ranking decision-makers, their access to sensitive information, as well as their authority to sign off on things such as wire transfers, makes them extremely attractive “trophies.” So, what does a phishing attack look like for an executive? Typically, it takes the form of a sensitive information request from a trusted source. By spoofing an email so that it carries a credible sender, attackers can make requests to other executives that are far less likely to be denied. The FBI reports that there have been more than $2 billion in losses to scams such as this in the last three years alone.
How to protect them: Make additional authentication or verification steps a requirement for any sensitive requests like wire transfers. Additionally, encourage execs to limit what they share and who they connect with on social networks.
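One way a mail gateway or SOC can catch the executive-impersonation lure described above (a familiar display name on an outside address asking for a wire transfer) is a display-name spoof check. This is an added example, not code from the original article; the company domain, the executive roster and the sample messages are constructed.

```python
# Added example (not from the original article): flag inbound mail whose display
# name matches a known executive while the real sender address does not.
import re
from email.utils import parseaddr
from typing import Dict, List

# Assumed, hypothetical values: the company's own domain and executive roster.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com", "John Roe": "john.roe@example.com"}

# Phrases typical of the "sensitive request" lures the article describes.
SENSITIVE_PHRASES = ("wire transfer", "w-2", "payroll", "urgent payment")

def normalize(name: str) -> str:
    """Lower-case, drop punctuation and collapse spaces so 'Jane  Doe,' == 'jane doe'."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())

def check_message(from_header: str, reply_to: str, subject: str, body: str) -> Dict[str, object]:
    """Return {'flagged': bool, 'reasons': [...]} for one message's headers and text."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons: List[str] = []

    roster = {normalize(n): a for n, a in EXECUTIVES.items()}
    exec_addr = roster.get(normalize(display))          # executive this name claims to be
    if exec_addr and addr != exec_addr:
        reasons.append(f"display name impersonates {display!r}, sender is {addr}")
    if exec_addr and domain and domain != CORP_DOMAIN:
        reasons.append(f"external domain {domain}")
    if reply_to:                                        # replies silently routed elsewhere
        _, rt_addr = parseaddr(reply_to)
        if rt_addr and rt_addr.lower() != addr:
            reasons.append(f"reply-to {rt_addr.lower()} differs from sender")
    text = f"{subject}\n{body}".lower()
    hits = [p for p in SENSITIVE_PHRASES if p in text]
    if hits and (exec_addr or domain != CORP_DOMAIN):   # sensitive ask from a suspect sender
        reasons.append("sensitive request: " + ", ".join(hits))
    return {"flagged": bool(reasons), "reasons": reasons}

# Constructed sample messages (from_header, reply_to, subject, body); not real mail.
SAMPLES = [
    ("Jane Doe <jane.doe@example.com>", "", "Q3 numbers", "Attached as discussed."),
    ("Jane Doe <jane.doe@examp1e-mail.net>", "ceo.jdoe@gmail.com",
     "Urgent payment", "Please process this wire transfer today, I am in a meeting."),
    ("Vendor <billing@supplier.net>", "", "Invoice 4471", "Invoice attached, thanks."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", check_message(*sample))
```

Internal mail from the real executive address and ordinary external vendor mail pass; only the lookalike sender carrying an executive's name and a payment request is flagged.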
2. Administrative assistants.
Masters of multitasking, administrative assistants are the unsung heroes of the corporate world. Between handling all the behind-the-scenes scheduling and screening phone calls, they often have access to company and individual executive accounts. Their frontline role and privileged relationships encourage attackers to view them as accessible targets who can give up the keys to the kingdom. Attacks on assistants often come in the form of a request from another executive, commonly asking to review an attachment or send along financial information. Eavesdropping software, when installed on an assistant’s system, can see all the privileged communications that the assistant is called upon to handle.
How to protect them: Provide admin assistants with a clear procedure for how to deal with suspicious emails and make sure you have a good spam filter in place. If the assistant comes across a disreputable email, they should know exactly how to report it to the IT department (and feel actively encouraged to do so).
3. Sales.
Always on the hunt for the next big deal, business development managers, account executives, and inside salespeople constantly interact with prospective and existing clients in person, over the phone, and via email. As a result, they’re eager for emails from potential customers and want to be as responsive as possible. Phishers can typically find their name, phone number and email address online and can be reasonably confident that any message they send will be opened. A credential theft from these users would provide access to customer lists, pricing sheets, and confidential deal information. Stealing their accounts will also open a new phishing attack vector against members of the finance, management, and account teams, who would trust messages from the salesperson's account.
How to protect them: Have a conversation with your purchasing department about how to transfer invoices through additional methods other than email. Remind salespeople to double-check any linked text they receive in an email and discourage them from opening attachments from sources they don’t know.
4. Human resources.
Their roles can vary, but human resources professionals are generally some of the most highly connected people in an organization. Since they communicate regularly with current and potential employees, phishers posing as potential employees will send malicious payloads disguised as resumes, or will impersonate a high-level executive asking for personnel information. During the 2016 tax season alone, over 50 organizations were tricked into leaking employees’ W-2 forms by phishing emails impersonating requests from CEOs.
How to protect them: Investing in benefits software and employee portals can help reduce the scenarios where employees send confidential documents via email. HR should also be reminded that any requests they receive from an employee asking for sensitive information should be verified either over the phone or face to face.
5. Any employee.
The truth of the matter is that mass phishing attacks are just as popular as ever. Anyone at your company with access to a device -- from the CEO to entry-level assistants -- can be the subject of a phishing attack. Training programs and security measures need to be addressed with everybody, even the IT folks who are keeping it all up and running. The more people who are involved and the easier you can make it for them to participate in security efforts, the better success you will have in preventing attacks.
How to protect them: Utilizing spam email filtering solutions along with additional endpoint security will help cover the gaps in antivirus protection. Having security policies for responding to suspicious emails and a company-wide backup strategy will also reduce the risk of attacks.
Understanding these users and the likely lures attackers use makes security awareness and education more targeted, interesting, and effective. Users will learn how to recognize and ignore malicious behaviors, eliminating a prime source of risk. Making the organization’s center less soft and chewy also requires that their systems recognize and block malicious behaviors in the same way, catching those new attacks that slip by even the most conscientious user. By taking this layered approach, organizations will have the right protections to keep employees off the hook, even in the most tempting phishing attack.