Risky Business: Phishing and Smishing

By Joe Ferrara, President and CEO of Wombat.

Phishing and smishing (text-message phishing) attacks are pummeling inboxes and mobile phones worldwide, and it is foolish to believe that all of them are as transparent as the Nigerian prince scam (which, by the way, continues to bear fruit in old and new forms). A good many of these messages are extremely sophisticated and difficult to spot, and they are winning at a high-stakes game. A recent Kaspersky Lab study, Financial Cyberthreats in 2014, revealed that just under 30% of the phishing attacks the company identified in 2014 were designed to steal users’ financial data. An even greater threat to organizations comes from fraudsters who want to gain access in order to steal intellectual property (IP), amass customer data, acquire insider knowledge, or wreak havoc on networks and systems. A case in point is the recent attack on the White House, in which Russian hackers allegedly gained access to the unclassified (but still highly sensitive) “Executive Office of the President” network by way of a compromised State Department email account.

How to fight these pervasive threats? As Andrew Walls, a vice president at Gartner, Inc., told
TechTarget, “Employees can play a major role in detecting and responding effectively to social
engineering threats, but the most effective approach is to combine employee-based risk
management with automated, infrastructure-based risk management.”

We agree; but as we have noted before, not all security awareness and training programs deliver the same level of risk reduction. The White House compromise is an excellent case in point. As Nextgov reported, a phishing email workshop had been offered to personnel in March as part of a yearly training series, Cybersecurity Online Learning. According to the Nextgov article, “All federal security employees were invited to participate in the 90-minute online training session. But no one from the White House watched.”

Clearly, providing training that end users never see is akin to providing no training at all: an offered course reduces no risk until it is actually completed, so a program should be judged by who completes it and whether their behavior changes afterward, not by what was made available. Nor can we say we are surprised that people who were merely given the option of attending a 90-minute session chose to decline the invitation.

58 Cyber Warnings E-Magazine – May 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide