Phishing – do employees recognise it when they see it?
In the last week I have received around twenty phishing emails. These have varied from Linkedin connection requests, to Bank Account reset instructions and Paypal alerts that my security had been compromised…the irony of the last one did not escape me. In this period, I also took a worried phone call from a friend who had been called by someone who said they were working on behalf of Windows and that his PC needed to be remote cleansed and could they have access to it please…. they gave him a fake website address and refused a phone number for call back, then hung up. Its a scam that has been doing the rounds since about 2008 ( I’m sure you’ll correct me if I’m wrong!) He was working from home at the time and connected to his businesses network.
So in the first cases of the emails, it was fairly clear to me that these were phishing attempts. They were not targeted at me or at Advent IM specifically, just chancers doing what chancers do. The Paypal email was the most disturbing because it was better designed than the others. In all cases though, a brief visit to my Linkedin inbox, online bank account and paypal account respectively (and not through the ‘helpful’ links offered in the phishing emails) proved that each were fake and I reported them. It made me wonder how many businesses actually train their staff in recognising them as security threats and how to subsequently deal with them. I saw a debate on Linkedin recently about holding individual employees responsible for security breaches and terminating their employment as a result. It included a poll. Many felt that if adequate (no definition included, sorry) training were supplied and a properly enforced and educated policy were in place, the breach was felt to be a result of employee negligence and therefore they should be held accountable. ‘Adequate’ is a relative term I appreciate, I do feel however that it should include ‘regular refresh and update’ within it as well as regular review of the scope – threat changes.
The other part of the example I mentioned at the start was altogether more sinister. This was an individual actually picking up the phone and posing as an IT expert, offering a free service on behalf of a household name. It is easy to see how many people could be duped by this. Working at home in this case, means that the person was connected to their company’s email systems and information network. Luckily, the person concerned smelled a rat and asked awkward questions which resulted in the phishers exiting as quickly as possible. Not everyone might realise this was actually an attack and the result could be not only the loss of their personal information or even financial compromise but also potential compromise of their employers network. In this case, no training had been given in spotting an attack of this kind. If the individual involved had not realised this was nefarious, would it be fair to penalise them? After all this kind of attack was not included in the ‘adequate’ security awareness training they received.
This IT support approach was also employed in the recent attacks on Barclays and Santander, when an individual actually entered branches of those banks and installed or attempted to install desktop cameras to enable a hack. The individual was posing as an IT repair engineer in both cases. It is far more targeted and part of a concerted campaign. Phishing emails are also sometimes targeted toward individuals, again normally part of a broader campaign and not a scatter-gun phishing expedition to see who bites. This is more aligned to the Social Engineering approach. Specific information or access will be the target and so it differs from the mainstream approach and by definition makes it far more difficult to quantify and therefore provide training for awareness. That doesn’t mean that we shouldn’t do it. Particularly if we are keen to move down the road toward individual accountability.
Incidentally if anyone is interested in watching a video in which the ‘Windows/Microsoft” scammer tries it on the wrong person…..click here