I just fell for a phishing attempt. The email was from our CEO with the subject line “quick reply please”, so of course I jumped on it immediately. I replied back and gave my cell number. I received a couple text message replies that were obviously not from my CEO which made me raise a red flag. I went back and looked at the email again and I noticed the email address was clearly a fake. I blocked the cell phone number and made sure not to click on any links that were sent to me.
– Service Director of a Transportation Provider
The victim speaking above holds admin access to several accounts. If her credentials were compromised, the result would be a chain reaction of compromise for her company and for her client companies. She receives cyber awareness training on a biannual basis to prevent exactly this kind of event. But even people who are well seasoned in spotting scams can fall for a new trick if they are not paying attention to the details: here, a familiar display name on a sender address that belonged to nobody in the company. This is how simple it is to fall victim to a common, everyday cyber attack.
Attacks on the Rise
Most people are familiar with the term “phishing”, but two variants are on the rise: “smishing” (phishing via SMS) and “vishing” (phishing by voice call). Cyber criminals have exploited the remote-working arrangements of the COVID-19 pandemic to advance their vishing and smishing campaigns. The FBI and CISA issued a joint advisory warning businesses about an ongoing vishing campaign in which attackers spoof the login pages of corporate VPNs to steal credentials and access personal information about employees. The attackers use unattributed VoIP numbers to call their targets on their personal mobile phones, pose as IT help desk agents, and walk the employee through a fake verification process, backed by details they have already gathered about the employee, to gain trust. Once the target has entered or read out their login details, the attackers can access the company’s networks and systems and cause serious damage. If the employee also reads out a one-time code during the call, multi-factor authentication based on such codes is defeated as well.
This is just one example out of 135 million attempted attacks every day.
Is Training the Key to Fight These Threats?
Cyber awareness training for employees across the entire organization is important in any industry. Data security laws such as the General Data Protection Regulation (GDPR) and the New York SHIELD Act also expect employers to train the staff who handle personal data in the organization’s security practices.
Cyber criminals take advantage of human error. The best way to defend against them is to think like one. Your employees should be aware of new and evolving scams and be trained on what to do once they identify one. The key is to provide REGULAR cyber awareness training.
However, training is only half the battle. There will always be room for human error even for the most well prepared employees. We are all only human after all and it only takes one mistake to permanently damage a company’s financials, reputation and relationships. The only realistic way to mitigate this growing risk is through a combination of training and technology that can detect social engineering scams and warn people of the threat.
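The detail the Service Director missed above, a trusted display name on an outside sender address, is exactly the kind of thing the detection technology this post calls for should catch before a human has to. The following script is an added example written for this page, not a product or code from the author: it parses an inbound message and flags display-name impersonation of a known executive, a lookalike of the organization’s domain, a Reply-To pointing at a different domain, and urgency language in the subject. The executive roster, the domains and both sample messages are constructed for the example.

```python
"""Flag display-name impersonation, lookalike domains, Reply-To mismatches
and urgency pressure in an inbound e-mail.

Added example; the roster, domains and sample messages below are
constructed and do not describe any real organization."""
import email
from email.utils import parseaddr

# Hypothetical organization data the check is configured with.
ORG_DOMAINS = {"example-transport.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-transport.com"}
URGENCY_PHRASES = ("quick reply", "urgent", "asap", "immediately", "right away")
# Characters attackers swap for visually similar ones in a lookalike domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph tricks so 'examp1e-transp0rt.com' compares
    equal to 'example-transport.com'. Both sides of every comparison go
    through this, so legitimate domains are never penalized."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def analyze_message(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    key = " ".join(name.lower().split())

    # 1. Display name of a known executive, but not their real mailbox.
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. External domain that normalizes to one of ours (lookalike).
    if from_domain and from_domain not in ORG_DOMAINS:
        if any(normalize_domain(from_domain) == normalize_domain(d) for d in ORG_DOMAINS):
            findings.append(f"sender domain '{from_domain}' is a lookalike of an organization domain")

    # 3. Replies silently redirected to a different domain than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} goes to a different domain than From")

    # 4. Urgency pressure in the subject line.
    subject = (msg.get("Subject") or "").lower()
    hits = [p for p in URGENCY_PHRASES if p in subject]
    if hits:
        findings.append(f"subject uses urgency language: {', '.join(hits)}")
    return findings


# Constructed sample resembling the incident described above.
SAMPLE_CEO_SPOOF = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: service.director@example-transport.com
Subject: quick reply please

Are you at your desk? Send me your cell number.
"""

# Constructed sample with a lookalike domain and a redirected Reply-To.
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e-transp0rt.com>
Reply-To: jane.doe@mail-relay.example.net
To: service.director@example-transport.com
Subject: Invoice approval

Please approve the attached wire today.
"""

if __name__ == "__main__":
    for label, raw in (("CEO spoof", SAMPLE_CEO_SPOOF), ("lookalike", SAMPLE_LOOKALIKE)):
        print(label)
        for finding in analyze_message(raw):
            print("  -", finding)
```

The roster-based check is what stops the “quick reply please” message: the sender’s display name is the CEO’s, but the address is not the CEO’s mailbox, and no amount of look-and-feel in the message body changes that. A mail gateway or add-in that raises these findings as a banner on the message gives the recipient the detail they would otherwise have to notice on their own.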