Cyber Risk Aware Blog

Spear Phishing and the Threat to Staff

[fa icon="calendar"] Apr 14, 2017 10:59:38 AM / by Stephen Burke

Stephen Burke

Most of us would like to think we are cyber aware and know better than to respond to a phishing email from our bank, asking us for account details, passwords and other personal details. But what happens in your organisation if the email and links appear to come from a trusted sender, or a known person in authority?

Think Your Company is Safe?

Dangers of Spear Phishing and the “Colonel Effect”

Dr. Aaron Ferguson, Technical Director of the Cyber and Information Analytics Office at the National Security Agency (NSA), calls it the "Colonel effect". Ferguson sent an email that appeared to come from a Col. Robert Melville of West Point out to 500 cadets, asking them to click a link to verify grades. Alarmingly over 80% of recipients clicked the link in the message.

In this instance, recipients received a notice that they'd been tricked and a warning that their behaviour could have resulted in downloads of spyware, malware, or even ransomware. Imagine the impact for your company.

Tech companies are not even immune.

In 2016, Snapchat’s payroll department handed over confidential employee information to a scammer impersonating the CEO. Executives are just as likely to be targeted as employees, so awareness of the risks must start from the top down.

Is Your Organisation Phish Prone?

Without proper awareness and education, no organization is safe. What you need to decide is how best to deliver phishing awareness and test your employees' readiness over time, but at least once a month.

Employees throughout the organisation need to know what the expected response is to requests for sensitive data or actions that don't make sense. For example:

  1. Question email requests for confidential data, whoever the apparent source is
  2. Require verification of any email requests and alert key people if the request appears at all suspicious.

Check employee responses and benchmark your organisation’s phishing awareness, using our cyber security user education and phishing simulation platform

We can deliver specialist and phishing training to reduce risky employee behaviour, with "real time" security reports and phishing tests. Wouldn't it be great to show your executives how effective an awareness program can be like below

phish-report.jpg

Topics: Spear Phishing, Staff Awareness, Phishing Simulation, Security awareness

Stephen Burke

Written by Stephen Burke