As cyber criminals become more and more aware that targeting middle managers using social engineering tactics actually works, they will do so more often. Attackers are moving away from large-scale consumer attacks and opting for more sophisticated attacks that take advantage of middle managers in businesses who are overloaded with emails and other forms of electronic messaging. As a result, it’s important that your employees are aware of this new style of cyber attack.
According to ‘The Human Factor Report 2015’, middle managers click on every 25th malicious email that they receive, and this figure doubles year after year! The report found that those working in sales, finance and procurement were the employees most likely to click on these emails; they clicked on up to 80% more emails than people working in other departments.
Attackers are also fully aware of how and when to best target these users. Most of the clicks on malicious links occurred during business hours, and figures peaked on Tuesday and Thursday mornings, which is typically the busiest time when it comes to receiving business emails. This shows that, when in the midst of checking important business emails, employees may accidentally click on a malicious link. It is clicking these links that leaves confidential company data vulnerable.
However, you can’t just blame your employees for not taking enough care, as the criminals’ techniques develop far quicker than employees can be educated about the previous ones. The criminals know that using rogue links in emails isn’t as successful anymore, so instead they lure victims in with fake message notifications and corporate financial alerts.
Even Richard De Vere, Antisocial Engineer’s principal consultant, admits that he is ‘yet to see a client completely resist a determined attack.’ He says that even though ‘many have come close…they all give away sensitive access, credentials or control in some way.’
De Vere suggests that ‘the only effective defence is training’. He believes this means educating employees about what a malicious email looks like and how they should go about dealing with an email they believe to be suspicious. Of course, nearly all of the time, employees would never open an email if they thought it could put their job, or the business they work for, in jeopardy.
According to De Vere, the reality is that ‘attacks will occur and organisations will get compromised’. However, what is most important is that your employees are aware of the path they should take and strategy they should follow if they do come into contact with deceptive emails. It is also important that everyone in the company has access to training so they can learn how to avoid falling victim to these attacks.