Employee training is essential to preventing phishing attacks and other malware in the workplace.
Despite constant warnings from IT and business leaders never to open an email, or click on a link, sent from an unknown source with “important” delivery information, an executive file or a report, legions of employees still do it, and IT is still left to prevent further infiltration. As quickly as employees get wise to some of the more basic tricks of the game, the rules of the game seem to change.
We have recently seen a rise in malicious emails masquerading as business correspondence with a high degree of authenticity. This has made it much more difficult to stop these spammers, as the messages now match company logos, business writing style and automatic signatures. Combine this with the fact that more and more of these emails are now being read on mobile devices, with smaller screens and a heightened trust factor, and this trend will only accelerate.
As mobile devices continue to capture a larger share of internet access, cybercriminals will continue to focus their attacks on these devices. While the infection rate across mobile devices still remains low, the rate at which it is rising is cause for concern. Nokia’s Threat Intelligence Report (2016) indicated an increase of 83% in 2H 2016, following an increase of 96% in 1H 2016. As these statistics continue to be updated, one can only watch the figures accelerate at a precipitous rate, especially as the internet moves beyond just phones.
According to BI Intelligence’s The Internet of Things Report, there will be over 22.5 billion IoT devices by 2021, up from 6.6 billion in 2016. For many businesses, the proliferation of mobile and connected devices is transforming how teams interact and work together, making business processes more efficient. For IT teams, however, this development brings many complexities around security and device management, as businesses are dealing with more malware threats than ever before.
A move away from email phishing to mobile
Mobile phones feel more personal in nature than computers or even tablets, whether they are personally or corporately owned, and people use them differently as a result. Phones are trusted more, which makes them a natural breeding ground for phishing attacks.
In addition, mobile web traffic has grown in volume relative to desktop web traffic. It is not surprising that mobile phishing attacks are the biggest security risk to organisations going into 2018. As indicated by a report from Wandera, 85% of organisations have suffered phishing attacks, whether they were aware of it or not, with increased mobile access to social media accounts being one of the major factors.
Organisations have been caught somewhat off guard by their focus on preventing traditional email phishing on computers, leaving themselves open to mobile phishing, which is often much harder to detect. Another Wandera statistic has 81% of phishing attacks on mobile devices taking place outside of email.
Prevention is better than cure: getting ahead of the phishers
Phishing, smishing and other types of malware are not going anywhere, and the risks are only going to rise as mobile becomes a primary device for employees. Therefore, companies need to get ahead of the issue rather than responding to the threat once it is inside their network.
To avoid these types of mobile attacks, the first steps IT teams can take are the same as those used for PC protection: updating to the latest secure email gateway, deploying URL filtering, and sandboxing attachments. These controls can be deployed through proper configuration of any leading MDM stack, as most are compatible with a wide range of email infrastructures and can be tightly integrated into existing networks. The key factor is ensuring the configuration matches the security needs of your organisation. Having an MDM is therefore a key factor in preventing mobile phishing.
We have also noticed, and heard much in the news, about the increase in SMiShing attacks, that is, phishing by SMS text message. These aren’t as easy to combat through an MDM, but steps can be taken both on the device and through your carrier.
Most SMiShing attacks hide the sender’s identity by using internet-to-SMS relay services. Most carriers allow users to block texts that originate from the internet, which defeats the relay technique these spammers rely on.
You can also suggest that your corporate end-users create aliases. They can still send and receive texts from their devices, but outgoing texts will not carry their mobile numbers, something a SMiShing attack needs. Instead, the alias is attached to the text, with no simple way to uncover the actual number. Users can then block any incoming text that arrives on their actual number.
“Old” methods still apply
IT leaders and CISOs also need to identify the types of threats they could face, both now and in the future, so they can plan accordingly. This is a difficult exercise, as scammers are constantly changing their approaches to reduce the chance of detection. However, providing up-to-date training on the latest phishing techniques, not only for security teams but also for the broader workforce, is the best way to prevent an infection, so staying one step ahead is critical to educating the workforce appropriately. Although no one can prevent every attack, all organisations can put training in place to minimise the risks.
Areas of training to focus on include, for example, educating end-users to access accounts directly from the source site and never from a text message. This is true even if the message looks legitimate. Accounts should also be checked on a regular basis: stagnant accounts are a key tool for successful phishing. If you or your end-users are not keeping accounts up to date, there is a good chance someone else is using them to reach out to your company’s contact list.
It is important that any training provides an easy feedback loop, so that employees become your first line of defence and can easily report suspicious emails, texts, links and contacts. One of the key identifiers is still the generic introduction: “Dear Customer.” Train your employees to report these communications and you will be well on your way to preventing an attack.
Craig Riegelhaupt, Director, Product Marketing, Mobile Solutions at Tangoe
Article appeared on IT Portal.