The Situation Today

To be clear, electronic scams and threats have been with us about one second less than electronic communication and the Internet. We’ve all received those emails from Nigerian princes, or wealthy matrons in other countries, who seem to have a surplus of cash and are willing to give it to us in exchange for a little bit of help. Those are pretty obvious scams (but people still fall for them). Today’s attackers are much more sophisticated and use advanced phishing attacks to trick unsuspecting employees into giving away vital data. Phishing and all its myriad permutations (whaling, spear-phishing, etc.) are alive and well. In fact, phishing is on the rise, and more and more businesses are finding themselves placed squarely in the crosshairs of attackers. It has become absolutely essential that business owners and decision makers invest in employee training as well as in robust electronic security solutions. Firewalls, BYOD policies, antivirus programs, malware scanners, and the rest of the toolbox do little good if an employee can be tricked into handing over company financial data or personal information on workers through a simple email. You’d think that sort of threat would be less effective in today’s world, when people are so much more technology-savvy and training options exist, such as a phishing test for employees. And yet the number of people falling for these scams is actually increasing. That applies to companies and organizations of all sizes, from Fortune 500 firms all the way down to “mom and pop” businesses. Not convinced? Let’s consider some real life examples.

Snapchat

Even if you don’t use the messaging app, chances are good that you’ve heard of it. It’s become rather infamous in the last few years, although there are plenty of legitimate uses for it. In late February 2016, the company became yet another victim of phishing. It should be noted that this isn’t the first go-round for the firm, either. They’ve been hacked in the past. You would expect that in response to those previous attacks, they would have stepped up their training program but, if they did, it doesn’t seem to have been enough. The most recent attack against Snapchat netted attackers the personal, financial and employment information for an undisclosed number of employees. What was taken? While the company hasn’t been particularly specific, we do know that thieves made off with the following data:

Social Security numbers
Payroll information
Full names
Physical addresses
Banking information
Email addresses
Personal IDs
Salary data

So, how did it happen? In the simplest way possible. Attackers sent an email to the HR department impersonating the company’s CEO. In that email, the supposed CEO asked for employee payroll information. The employees missed the fact that the email was a scam and forwarded all of the details requested. After the breach, Snapchat alerted the FBI to the crime, and will be providing affected employees with identity theft insurance for two years.
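The same mechanism recurs in every case on this page: a message whose display name is that of an executive, sent from an address the company does not control, asking for W-2, payroll or Social Security data. The following Python script is an added example (not part of the original article and not any vendor’s product) of the kind of mail-gateway heuristic a defender can run against that pattern. The company domain example.com, the executive names, the threshold for lookalike domains and the two sample messages are all constructed for illustration.

```python
"""Gateway-side heuristics for executive-impersonation ("W-2 phishing") email.

Added example; not from the original article. The domain, the executive
names, the lookalike threshold and the sample messages are constructed.
"""
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"        # assumption: the protected organisation's mail domain
EXECUTIVES = {"jane doe", "sam lee"}  # assumption: display names an attacker would borrow

# Terms that, combined with a spoofed executive sender, match the W-2 / payroll pattern
SENSITIVE_TERMS = re.compile(
    r"\b(w-?2s?|payroll|social security|ssn|tax (?:forms?|data|records))\b", re.I
)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _looks_like_company(domain: str) -> bool:
    """True for lookalike domains (examp1e.com, exampIe.com); False for the real one."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.8


def analyze_message(raw: str) -> dict:
    """Score one RFC 5322 message and return a verdict plus the reasons for it."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain, reply_domain = _domain(addr), _domain(reply_addr)

    findings = []
    # 1. Executive display name, but the address is not on the company's own domain
    if display.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("executive display name on external sender address")
    # 2. Sender domain that visually resembles ours
    if _looks_like_company(from_domain):
        findings.append(f"lookalike sender domain {from_domain}")
    # 3. Replies quietly redirected to a third domain
    if reply_domain and reply_domain not in (from_domain, COMPANY_DOMAIN):
        findings.append(f"Reply-To diverts to {reply_domain}")
    # 4. The message asks for exactly the data these scams are after
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if SENSITIVE_TERMS.search(str(msg.get("Subject", "")) + "\n" + text):
        findings.append("requests payroll / tax / SSN data")

    impersonation = any("display name" in f or "lookalike" in f for f in findings)
    data_request = any(f.startswith("requests") for f in findings)
    if impersonation and data_request:
        verdict = "quarantine"   # the full W-2 scam pattern: hold for a human
    elif findings:
        verdict = "review"       # suspicious but incomplete: tag and route to security
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


# Constructed sample messages (not real mail)
SPOOFED_CEO_REQUEST = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payroll-request@mail-relay.example.net
To: hr@example.com
Subject: Urgent: 2015 W-2s for all staff

Can you send me the W-2 forms for every employee as a PDF today? I'm travelling.
"""

LEGITIMATE_INTERNAL = """\
From: Jane Doe <jane.doe@example.com>
To: all@example.com
Subject: Town hall moved to Thursday

Please note the all-hands is now Thursday at 10.
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SPOOFED_CEO_REQUEST), ("legit", LEGITIMATE_INTERNAL)):
        print(name, analyze_message(raw))
```

The point of the combined verdict is that neither signal is conclusive on its own: executives do mail from personal addresses, and HR does legitimately discuss W-2s. It is the conjunction, an executive name on an address the company does not control together with a request for employee tax data, that should never reach an inbox unchallenged, and that is the step each of the organisations above had no control for.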

Seagate

Snapchat isn’t the only company to fall victim to phishing emails. The HR department of hard drive manufacturer and data storage firm Seagate also received phishing emails. The letter was ostensibly sent from the company’s CEO and asked to be sent all employee W-2 forms. Someone in the HR department fell for it. The same information stolen from Snapchat was targeted here. All told, almost 10,000 people who worked for Seagate in 2015 and 2014 had their personal and financial information stolen. In the hands of thieves, this information can be used to file fraudulent tax returns, or even to set up new identities. Seagate immediately notified the FBI and has enacted “aggressive analysis of process changes,” as well as providing employees whose information was compromised with a minimum of two years of identity protection.  

The Milwaukee Bucks

It’s not just traditional businesses that are being targeted by phishing scams, or that can benefit from training such as a phishing test for employees. The Milwaukee Bucks recently found themselves the target of a phishing scam. The email seemed to come from the team’s president, and asked that the tax data for every employee of the Bucks be forwarded. This included not just earnings information, but Social Security numbers, full names, the names of dependents and spouses, and more. Every single employee, from star players down to new accounting team members, now has to worry that their information will be used against them.

San Francisco City College

Attackers aren’t just after employee data. They’ll take whatever information they can get their hands on, a fact that the City College of San Francisco learned to their chagrin. In early 2016, an employee received an email that seemed to be a “legitimate request for student information” from a higher-up within the college. The recipient, believing that they were responding to an actual, authentic request, forwarded the information without a second thought. In all, the information for over 7,500 students was compromised. Thieves managed to steal:

Financial aid information
Full names
Social Security numbers
Physical addresses

To date, none of that information seems to have been used by thieves, but it is still out there, waiting to bite students at some future date. Affected students will receive a year of identity theft protection, and the FBI has been notified of the breach, although that is likely cold comfort for affected students and their families.  

Pivotal

In March 2016, Pivotal also experienced a data breach. As with Snapchat, the Bucks, and the City College of San Francisco, the phishing email purported to be from a higher-up (the company’s CEO in this instance) and was directed to junior employees in the payroll and accounting department. One employee believed that the email was legitimate, and forwarded all the tax information for every single Pivotal employee in the US. No customer information was compromised, but that doesn’t provide much help to the employees who now must face the prospect of stolen Social Security numbers, financial information, email and physical addresses, and more. Employees of Pivotal will receive three years of identity theft protection. Law enforcement was also notified.

Alpha Payroll Services

This one should definitely make business owners sit up and take notice. Not only is your business at risk of being targeted by phishing scams, but your outsource service providers can be as well. As an example, consider Alpha Payroll Services, a company located in Pennsylvania but with offices across the country, offering outsourced payroll solutions for a wide range of clients. In March 2016, a company employee received an email that seemed to be from Alpha’s CEO requesting the W-2 information for all of the company’s client firms. That information was forwarded because the employee thought the request was legitimate. It wasn’t. The phishing scam was uncovered about a month later, when one of Alpha’s client companies found that several of their employees had experienced identity theft. The full extent of the breach has not been made public, but it could be that tens of thousands of individuals were victimized. Alpha fired the employee responsible for the breach and is now working with law enforcement, as well as providing more advanced employee training, including a mandatory phishing test for employees.  

Main Line Health

In mid-February 2016, a Main Line Health employee received an email that seemed to come from the company’s CEO requesting W-2 information about all employees. Not realizing that the email was fraudulent, the employee forwarded the data. In the end, the personal and employment information for every single Main Line Health employee ended up in the hands of thieves. It should be noted that once again, attackers were more interested in employee information – no patient data was compromised. Main Line Health reported the crime and continues to work with the FBI, as well as investigating how to train their employees in how to recognize phishing emails and other scams. However, it’s another example of “a day late and a dollar short,” and it shows just how vital it is that companies provide a phishing test for employees to help safeguard against this rapidly escalating threat.

In Conclusion

It’s shaping up to be a banner year for phishing scams, with dozens of companies already victimized. In fact, the IRS actually sent a notice to consumers and businesses, noting a 400% increase in phishing-related fraudulent activity—and that involves only fake tax returns. Up to half a billion personal records were lost or stolen in 2015 alone. Spear-phishing attacks in general increased by 55% in 2015, and are even more of a threat in 2016. Combine that with the fact that almost 30% of phishing attacks get through even the strictest security infrastructures, and the scale of the problem is clear. There are several key takeaways from the examples described above that are pertinent to all businesses and organizations:

No industry or business/organization type is safe.
The incidence of successful phishing scams is only increasing.
Any employee could be the weak link that puts crucial information in the hands of thieves.
Attackers are after more than just business data, and will happily steal employee information, customer information and more.
Phishing has moved to target employee gullibility, rather than infrastructure exploits.
Phishing scams have become very advanced, and can seem 100% authentic.
Employee training and conducting a phishing test for employees helps ensure that they know what to look for in these instances.

So, where does that leave businesses and organizations hoping to guard against phishing scams? Is there any defense available? While there is little you can do to stop phishing emails from reaching your employees, there are things that can be done to educate and train staff members so they know a scam when they see it.  

The Need for Security Awareness Training for Employees

Have you thought of providing an employee phishing test for your staff? If you said yes, but haven’t gotten around to it, or if you’ve never thought about it at all, you’re in the majority. Interestingly, according to a recent report released by Experian and the Ponemon Institute, while 66% of CEOs and other C-level executives feel that their employees are the weakest link in their defense against phishing and other cybersecurity threats, 65% of respondents have yet to implement any sort of security awareness training within their businesses. In addition, many businesses exclude contract workers, part-time workers, and C-level executives from taking any training. Of those that have taken any steps at all, 43% of the cybersecurity training programs for employees consist of only a single basic course, and these often ignore the risks that lead to breaches in the first place.

There are better solutions. In addition to taking a proactive stance about educating employees about threats, cutting-edge security awareness training is available. A prime example of this is InfoSec Institute’s PhishSim software. This is an ideal option for businesses large or small; it includes a realistic phishing test for employees featuring crowd-sourced and customer-contributed phishing messages that show you just how easy it is for these emails to bypass the spam filter and land squarely in an unsuspecting employee’s inbox. These messages are well written, use correct grammar, and seem incredibly authentic. In addition, our PhishSim software includes custom templates that allow your organization to begin crafting your own messages to create phishing tests that are tailored to your specific needs. Finally, any employee who is successfully “phished” is automatically started in an anti-phishing education program to teach them exactly where they went wrong and how to prevent it in the future.

The software comes with comprehensive reporting capabilities that allow businesses to track the number of emails delivered and opened and how many employees (and which ones, specifically) were phished. We invite you to learn more about how our phishing test for employees can help safeguard your organization in this day of growing threats.

Sources

http://www.scmagazine.com/city-college-of-san-francisco-student-data-compromised-in-phishing-attack/article/496581/
http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/
https://techcrunch.com/2016/02/29/snapchat-employee-data-leaks-out-following-phishing-attack/
http://fortune.com/2016/03/25/pivotal-phishing-attack/
https://www.engadget.com/2016/05/21/milwaukee-bucks-fall-to-phishing-scam/
http://www.csoonline.com/article/3064675/security/alpha-payroll-fires-employee-victimized-by-w-2-phishing-scam.html
http://www.nbcphiladelphia.com/news/local/Spear-Phishing-Main-Line-Health-Employees-Pennsylvania-Philadelphia–370867511.html
http://www.marketwired.com/press-release/wombat-security-offers-advice-improving-efficacy-cyber-security-education-programs-2140589.htm