Internet Security Awareness Training (ISAT) firm KnowBe4 is alerting small and medium enterprises (SMEs) to yet another emerging security threat – cybercriminals are baiting employees to click on phishing links through phony social media posts.
Some are using email spoofing to send fake Twitter and Facebook updates to recipients, while others are sending direct messages from legitimate user accounts that have been hacked. In both instances, the sender posts a short note with a phishing link.
“Given America’s widespread participation in social media, SMEs can assume that most employees have either a Twitter or Facebook account, or both,” noted Stu Sjouwerman (pronounced “shower-man”), founder and CEO of KnowBe4. “The perpetrators of this latest phishing scam are counting on users’ curiosity and trust in their social networks.
The cybercriminals send a brief note – something along the lines of ‘I Googled your name and found this’ or ‘This photo of you is hysterical’ – followed by a link. Using a common link shortener, such as bit.ly, the sender is able to mask the identity of the website the link is directing to. Many recipients let their guard down and click the link if it appears to be sent by someone they know.
However, these malicious links will often initiate a malware download or prompt the user to enter their personal login information, and in that instant, the company’s network is compromised.”
A recent Wall Street Journal article emphasized that employees are a company’s greatest security risk, citing the results of KnowBe4’s own phishing experiment. KnowBe4 found that employees at 43% of companies clicked the link in a simulated phishing email sent from a reputable and trusted server. Even when the email was sent from an unknown and untrusted server, 15% of organizations still had one or more employees who clicked.
When analyzing the results by business sector, KnowBe4 discovered an alarming fact – some of the most Phish-prone industries happen to be those likely to store users’ personal and financial information on their networks. In each of the following industries, approximately 1 in 5 companies had at least one employee who clicked on KnowBe4’s simulated phishing email: financial services (22.69%), government services (21.23%), insurance (18.37%) and healthcare (17.99%).
“Many SMEs don’t realize just how susceptible their employees are to phishing attacks, or they think their existing security measures are sufficient to handle external threats. But the fact is that security breaches can and do happen every day, and the consequences can be devastating to a company’s reputation and finances,” warned Sjouwerman.
“If your employees have access to the Internet, security awareness training will arm them against cybercriminals’ cunning attacks. Our system trains users to identify and avoid phishing scams like email spoofing and fake Twitter posts. Based on our clients’ results, we found that employees’ Phish-prone percentage dropped 75% after the first training session, and shrank to near 0% after two months of further testing and training.”
KnowBe4 offers several complimentary tools to SMEs, including a free phishing security test to identify the Phish-prone percentage of a company’s workforce, as well as a free email exposure check (EEC) to reveal a company’s “attack footprint” in terms of its publicly available email addresses. KnowBe4 sends regular EEC updates to all customers, and will provide a complimentary one-time EEC service to any company that requests it.
For more information on KnowBe4’s Internet Security Awareness Training (ISAT) programs, or to request a free email exposure check (EEC) or phishing security test, visit http://www.knowbe4.com.