The 5 Types Of Employees Phishing Emails Love To Target
16 August 2017 16:16
Times have changed since the (not so) good old days of breaching an organisation by exploiting vulnerabilities at the network perimeter. Nowadays, cyber criminals are using much more sophisticated techniques, and on a much easier target -- the human.
So, if humans are the target, what's the weapon of choice? Well, there's more of an arsenal of weapons, but the most popular is without a doubt the simple (yet agonisingly effective) phishing email. The process of a phishing attempt might seem straightforward, but these fraudulent emails waiting patiently for an unsuspecting user to take the bait can have disastrous effects on a business.
A simple click or downloading of a file, and the door is flung wide open for cyber criminals to compromise the company's network and systems. But as for the danger of the ever-evolving threat landscape, you have to also consider that the average user is still susceptible to all types of scams. From fake websites to unsolicited ads in their mailbox, trusting users unwittingly type their credentials into forged screens on a daily basis.
Different victims of phishing attacks can fall for different techniques. So let's take a look at some of the employees that are most likely to be lured into the bait of a phisher, and how we can protect them from the hook.
High ranking officials, such as CEOs and CFOs, are extremely attractive targets. Their access to sensitive information and authority to sign-off on high-value transfers gives cyber criminal a host of incentives. Phishing emails that target executives typically takes the form of sensitive information requests from a legitimate looking source. By creating a spoof email so that a credible sender appears, the attacker can make requests to executives that are far less likely to be denied.
How to protect the Execs:
Make additional authentication or verification steps a requirement for any sensitive requests (such as wire transfers). Also, encourage executives to limit both what they are sharing and who they are connecting with on social media.
With their ability to multitask, administrative assistant's behind the scenes work contributes to the business considerably. From scheduling to screening phone calls, they often have access to company and individual executive accounts. Their role in the frontline and their privileged relationships makes them an attractive target for attackers. They are seen as a more accessible target who might just give up the keys to the kingdom a little easier than their counterparts.
Phishing emails targeting these assistants often come as a request from another executive, usually asking to review an attachment or to send across financial information. If the phishing attempt is successful, then eavesdropping software can be installed, meaning that the assistant's privileged information can be leaked.
How to protect the Admin Assistants:
Provide them with a clear procedure for dealing with phishing emails and make sure that there is a good spam filter set up. If the admin assistants come across a non-legitimate looking email, they should feel actively encouraged to report it to IT support and know exactly how to do so.
Similar read: 3 reasons why you should phish your employees
Sales Team Members
Business development managers, account managers, and internal salespeople constantly interact with prospective and existing clients. In person, over the phone, or via email, they’re eager for emails from potential customers and want to be as responsive as possible. An attacker can easily locate their name, phone number, and email address online, and the chances that the messages will be opened is high.
Stealing credentials from these salespeople can provide access to customer lists, pricing sheets, and confidential deal information. Stealing their information will also allow for a new phishing attack catered towards members of the finance and account teams.
How to protect the sales team:
Consider email-alternative methods with your purchasing department on how to transfer invoices. Ensure that your sales team are encouraged to double-check any linked text they receive in emails. Also, discourage them from opening attachments from unknown sources.
HR professionals are usually some of the most highly connected people in any business. They regularly communicate with existing and potential employees, and phishers now this. That's why cyber criminals often pose as potential employees by sending malicious payloads disguised as resumes, or will even impersonate a high-level exec and ask for information regarding personnel. The tax season especially is full of phishing attempts on HR, with employee tax information being a big target.
How to protect HR:
By investing in benefits software and employee portals, you can reduce the number of confidential documents that employees send via email. Your HR department should also be reminded that requests from an employee asking for sensitive information should be verified either face-to-face or over the phone.
The inconvenient truth is that anyone in your organisation can be targeted by a phishing attack. Awareness programs, mock phishing exercises, and security measures need to be addressed with everyone in the business, no matter what position or level they may be at. The more that employees are involved in security efforts will only strengthen your security measures.
Of course, time and cost are two factors that need to be taken into account, but so does the inconvenience and huge financial loss of a data breach. Even cyber security fatigue can be can have a negative impact on your employees, but there are many ways in which this can be avoided.
How to protect your workforce:
Creating a security-minded culture through an effective user awareness programme can help decrease the human element threat of phishing emails. Don't believe us? Try our free phishing simulation trial here.
Also, utilising spam filtering solutions along with additional endpoint security will help cover the gaps in antivirus protection. Having security policies for responding to phishing emails and a company backup strategy can also reduce the risk of attacks.