Why it is time to intensify employee education on phishing

Phishing key
Credit: Thinkstock

Phishers are getting craftier at creating convincing email to dupe recipients

Companies should consider intensifying employee training to combat the increasing craftiness of phishers who are working harder to obtain personal details on targets in order to trap them in scams.

Among the latest examples of phisher creativity is a hustle in which the scammers contacted people who were planning vacations and had booked hotel rooms through Booking.com.

In two cases, the would-be victims had booked a room at two separate London hotels. In a third incident, the booking was done at a Spanish hotel.

The scammers, pretending to be from Booking.com, sent email asking for payments in full via wire transfers, because of problems with the credit-card transactions.

The emails included account details on the Polish bank where the money should be sent, as well as information on the would-be victims, such as the booking number, their full name, the dates of their stay and home address.

The tech site The Register reported one of the scams earlier this month, while the other two were on the London forum of TripAdvisor.

Experts believe the information used to make the emails seem real likely came from the hotels, but how the crooks got the details is up for speculation.

The information could have come from a computer hack or could also have been obtained from someone working for the hotel. That person may have been involved in the scam or tricked into providing the information over the phone.

"There are a number of different pretexts that would allow an intelligent attacker to not have to go through hacking," said Michele Fincher, chief influencing agent at Social-Engineer Inc., which provides corporate training for avoiding phishing attacks.

Phishers are getting much better at creating convincing emails, which are sometimes followed by a phone call in which the scammer pretends to be a business associate asking the recipient to open the malicious attachment in the messages, experts say.

In the first quarter, the number of phishing sites grew by almost 11 percent from the fourth quarter of 2013, according to the latest report by the Anti-Phishing Working Group. The latest number was the second highest since the first quarter of 2012.

In addition, the number of phishing reports increased by almost 7 percent from the previous quarter.

Because the first quarter is typically slower than the rest of the year, the APWG expects this year to be a "very active year for phishers worldwide."

"The number and diversity of phishing targets is increasing," Greg Aaron, a senior research fellow at the APWG said in the report. "Almost any enterprise that takes in personal data via the Web is a potential target."

The sophisticated tactics used by phishers means companies need to ratchet up employee education to reduce the number fooled by slick conmen.

Social-Engineer advocates a "culture change" in which employees are encouraged to think before clicking on attachments or links within every email they receive.

They should also be trained to look closely at the URLs in email and senders' addresses.

"Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety)," Fincher said.

Also, education has to be relevant and consistent and not comprise sessions in which bored attendees are fulfilling a requirement.

"The training has to be something that makes sense," Fincher said. "It has to be all the time and it has to make people think about what they do in a different way."

This story, "Why it is time to intensify employee education on phishing" was originally published by CSO.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies