Why it is time to intensify employee education on phishing

Companies should consider intensifying employee training to counter increasingly crafty phishers, who are working harder to obtain personal details on their targets in order to lure them into scams.

Among the latest examples of phisher creativity is a hustle in which the scammers contacted people who were planning vacations and had booked hotel rooms through Booking.com.

In two cases, the would-be victims had booked rooms at two separate London hotels. In a third incident, the booking was at a Spanish hotel.

The scammers, pretending to be from Booking.com, sent email asking for payments in full via wire transfers, because of problems with the credit-card transactions.

The emails included account details for the Polish bank to which the money should be sent, as well as information on the would-be victims: the booking number, their full name, the dates of their stay and their home address.

The tech site The Register reported one of the scams earlier this month, while the other two were on the London forum of TripAdvisor.

Experts believe the information used to make the emails seem real likely came from the hotels, but how the crooks got the details is up for speculation.

The information could have come from a computer hack or could also have been obtained from someone working for the hotel. That person may have been involved in the scam or tricked into providing the information over the phone.

"There are a number of different pretexts that would allow an intelligent attacker to not have to go through hacking," said Michele Fincher, chief influencing agent at Social-Engineer Inc., which provides corporate training for avoiding phishing attacks.

Phishers are getting much better at creating convincing emails, which are sometimes followed by a phone call in which the scammer, posing as a business associate, asks the recipient to open the malicious attachment in the message, experts say.

In the first quarter, the number of phishing sites grew by almost 11 percent over the fourth quarter of 2013, according to the latest report by the Anti-Phishing Working Group. The latest figure was the second highest since the first quarter of 2012.

In addition, the number of phishing reports increased by almost 7 percent from the previous quarter.

Because the first quarter is typically slower than the rest of the year, the APWG expects this year to be a "very active year for phishers worldwide."

"The number and diversity of phishing targets is increasing," Greg Aaron, a senior research fellow at the APWG said in the report. "Almost any enterprise that takes in personal data via the Web is a potential target."

The sophisticated tactics used by phishers mean companies need to ratchet up employee education to reduce the number of people fooled by slick con men.

Social-Engineer advocates a "culture change" in which employees are encouraged to think before clicking on attachments or links within every email they receive.

They should also be trained to look closely at the URLs in email and senders' addresses.

"Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety)," Fincher said.
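The checks Fincher describes, looking closely at the sender's address and at where a link really points, can be written down as a small script. The following Python example is added here for illustration and is not code from the article, from Social-Engineer Inc. or from Booking.com; the brand-to-domain table, the sample message and all of the .example hostnames in it are constructed assumptions modelled on the Booking.com lure described above.

```python
"""Heuristic red-flag checks for a suspected phishing e-mail (added example).

Inspects a raw RFC 5322 message for what a trained reader checks by hand:
  1. From display name claims a brand whose domain does not match the sender;
  2. Reply-To points at a different domain than From;
  3. a link's visible text names one host but its href goes somewhere else;
  4. the body asks to switch payment to a wire/bank transfer (the lure above).
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed brand -> legitimate domain table (illustrative, not authoritative).
BRAND_DOMAINS = {"booking.com": "booking.com"}

WIRE_WORDS = re.compile(r"\b(wire transfer|bank transfer|iban|swift)\b", re.I)
# Visible link text that looks like a URL or bare hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def _same_org(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _shown_host(text: str) -> str:
    """Hostname a link's visible text claims, or '' if it is not URL-like."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def analyse(raw: str) -> list[str]:
    """Return human-readable red flags found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not _same_org(from_dom, legit):
            flags.append(f"display name claims {brand} but sender domain is {from_dom}")

    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            real_host, claimed = (urlsplit(href).hostname or ""), _shown_host(shown)
            if claimed and real_host and not _same_org(real_host, claimed):
                flags.append(f"link text shows {claimed} but goes to {real_host}")

    if WIRE_WORDS.search(text):
        flags.append("asks for payment by wire/bank transfer")
    return flags


# Constructed sample message; every address and host here is made up.
SAMPLE = """\
From: "Booking.com Customer Service" <reservations@secure-bookings-payment.example>
Reply-To: payments@mail-relay.example
To: guest@example.net
Subject: Payment problem with booking 123456789
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear guest, the credit card for booking 123456789 could not be charged.
Please pay the full amount by wire transfer to the account below.</p>
<p><a href="http://login.secure-bookings-payment.example/pay">https://www.booking.com/myreservation</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag in analyse(SAMPLE):
        print("-", flag)
```

Run against the constructed sample, the script reports all four flags. Note what it cannot do: the emails described above carried genuine booking details and may have contained no link at all, so a URL check alone would not have saved the recipient. The wire-transfer flag is the one that matters there, and the right response is the one the training aims at: pause, and confirm the payment change with the hotel through a phone number or website you already know, not one supplied in the message.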

Also, education has to be relevant and consistent, not a series of sessions in which bored attendees are merely fulfilling a requirement.

"The training has to be something that makes sense," Fincher said. "It has to be all the time and it has to make people think about what they do in a different way."


By Antone Gonsalves
