Why it is time to intensify employee education on phishing

Companies should consider intensifying employee training to counter the growing craftiness of phishers, who are working harder to gather personal details on their targets before springing a scam on them.

Among the latest examples of phisher creativity is a hustle in which the scammers contacted people who were planning vacations and had booked hotel rooms through Booking.com.

In two cases, the would-be victims had booked rooms at two separate London hotels; in a third incident, the booking was at a Spanish hotel.

The scammers, posing as Booking.com, emailed the travellers asking for payment in full by wire transfer, citing problems with the credit-card transactions.

The emails included the details of a Polish bank account to which the money should be sent, as well as accurate information about the would-be victims: the booking number, their full name, the dates of their stay and their home address.

The tech site The Register reported one of the scams earlier this month, while the other two were on the London forum of TripAdvisor.

Experts believe the information that made the emails look genuine most likely came from the hotels, but how the crooks obtained it is a matter of speculation.

The information could have come from a computer hack or could also have been obtained from someone working for the hotel. That person may have been involved in the scam or tricked into providing the information over the phone.

"There are a number of different pretexts that would allow an intelligent attacker to not have to go through hacking," said Michele Fincher, chief influencing agent at Social-Engineer Inc., which provides corporate training for avoiding phishing attacks.

Phishers are getting much better at crafting convincing emails, which are sometimes followed up with a phone call in which the scammer poses as a business associate and asks the recipient to open the malicious attachment in the message, experts say.

In the first quarter, the number of phishing sites grew by almost 11 percent from the fourth quarter of 2013, according to the latest report by the Anti-Phishing Working Group. The latest number was the second highest since the first quarter of 2012.

In addition, the number of phishing reports increased by almost 7 percent from the previous quarter.

Because the first quarter is typically slower than the rest of the year, the APWG expects this year to be a "very active year for phishers worldwide."

"The number and diversity of phishing targets is increasing," Greg Aaron, a senior research fellow at the APWG said in the report. "Almost any enterprise that takes in personal data via the Web is a potential target."

The sophisticated tactics used by phishers mean companies need to ratchet up employee education to reduce the number of staff fooled by slick con men.

Social-Engineer advocates a "culture change" in which employees are encouraged to think before clicking on attachments or links within every email they receive.

They should also be trained to look closely at the URLs in an email and at the sender's address, since a display name or link text can name a trusted brand while the underlying address or link target points somewhere else entirely.
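To make the sender-address and URL checks concrete, here is an added example (not code from the article or from Social-Engineer Inc.) that automates the tells an employee is told to look for in a payment-redirect email like the Booking.com one: a display name that names a brand the sending domain does not belong to, a Reply-To that diverts replies elsewhere, link text whose domain differs from the href it hides, and wording that asks for a change of payment method. The two messages and all domains in it are constructed for the demonstration; the trusted-domain table is an assumption of the example.

```python
"""Heuristic checks for a payment-redirect phishing email (added example).

The sample messages and the domains in them are constructed for this demo;
the TRUSTED_DOMAINS table is an assumption, not a real allow-list.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: a brand named in a display name is only
# legitimate when the sending domain is one of these.
TRUSTED_DOMAINS = {"booking.com": {"booking.com"}}

# Wording typical of "pay us a different way" scams.
PAYMENT_CHANGE = re.compile(
    r"wire transfer|bank transfer|pay(?:ment)? in full|account details|"
    r"credit[- ]card (?:transaction|payment)", re.I)

DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def registrable(host: str) -> str:
    """Crude last-two-labels domain (booking.com from mail.booking.com).
    Good enough for a demo; real code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(raw: str) -> list:
    """Return a list of human-readable findings for a single-part email."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Display name claims a brand the sending domain does not belong to.
    for brand, doms in TRUSTED_DOMAINS.items():
        if brand.split(".")[0] in name.lower() and from_dom not in doms:
            findings.append(f"display name '{name}' claims {brand} but sender domain is {from_dom}")
    # 2. Replies are silently redirected to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To domain {registrable(reply.split('@')[-1])} differs from From domain {from_dom}")
    # 3. Link text shows one domain, the href goes to another.
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    coll = LinkCollector()
    coll.feed(body)
    for text, href in coll.links:
        shown = DOMAIN_IN_TEXT.search(text)
        target = registrable(urlparse(href).hostname or "")
        if shown and registrable(shown.group(0)) != target:
            findings.append(f"link text shows {registrable(shown.group(0))} but goes to {target}")
    # 4. Language asking to change how a payment is made.
    plain = re.sub(r"<[^>]+>", " ", body)
    hits = sorted({m.group(0).lower() for m in PAYMENT_CHANGE.finditer(plain)})
    if hits:
        findings.append("payment-change language: " + ", ".join(hits))
    return findings


# Constructed sample modelled on the scam described above (hypothetical domains).
SAMPLE = """\
From: Booking.com Reservations <reservations@booking-com-payments.example>
Reply-To: payments@secure-pay.example
To: guest@example.org
Subject: Action required for booking 123456789
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear guest, your credit card payment for booking 123456789 could not be processed.</p>
<p>Please pay in full by wire transfer to the account details below, then confirm at
<a href="http://booking-com-payments.example/confirm">www.booking.com/confirm</a>.</p>
</body></html>
"""

# Constructed benign message: brand, sending domain and link target all agree.
BENIGN = """\
From: Booking.com <noreply@mail.booking.com>
To: guest@example.org
Subject: Your reservation is confirmed
Content-Type: text/html; charset=utf-8

<html><body><p>Your reservation is confirmed. View it at
<a href="https://www.booking.com/myreservations">www.booking.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(label, analyse(raw) or ["no findings"])
```

The checks are deliberately heuristic: a legitimate mailer can use a third-party sending domain, and the domain split is a rough approximation, so treat hits as a prompt for the "pause before you act" habit the training advocates rather than a verdict, and verify any payment-method change out of band with the hotel using a number you already hold.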

"Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety)," Fincher said.

Education also has to be relevant and consistent, not a series of sessions in which bored attendees are merely fulfilling a requirement.

"The training has to be something that makes sense," Fincher said. "It has to be all the time and it has to make people think about what they do in a different way."

Stories by Antone Gonsalves