Practicing Cyber Safety

Risky Business: Phishing and Smishing Attacks

Online-Invasion, usually through e-mail and text, can actually be easy to detect

PITTSBURGH, PA–(Marketwired – April 20, 2015) – Phishing and smishing (text message phishing) attacks are pummeling email accounts worldwide, and it's foolish to believe that all are as transparent as the Nigerian prince scam (which continues to bear fruit, by the way, in old and new forms).

A good many of these messages are extremely sophisticated and difficult to spot — and they're winning at a high-stakes game. A recent Kaspersky Lab study, Financial Cyberthreats in 2014, revealed that just under 30% of the phishing attacks the company identified in 2014 were designed to steal users' financial data.

Target: Data

An even greater threat to organizations are the fraudsters who want to gain access in order to steal intellectual property (IP), amass customer data, acquire insider knowledge, or wreak havoc on networks and systems. Case in point is the recent attack on the White House, in which Russian hackers allegedly gained access to the unclassified (but still highly sensitive) "Executive Office of the President" network by way of a compromised State Department email account. How to fight these pervasive threats?

As Andrew Walls, a vice president at Gartner, Inc., told TechTarget, "Employees can play a major role in detecting and responding effectively to social engineering threats, but the most effective approach is to combine employee-based risk management with automated, infrastructure-based risk management."

We agree; but as we've noted before, not all security awareness and training programs deliver the same level of risk reduction. The White House compromise is an excellent case in point; as Nextgov reported, a phishing email workshop had been offered to personnel in March as part of a yearly training series, Cybersecurity Online Learning. According to the Nextgov article, "All federal security employees were invited to participate in the 90-minute online training session. But no one from the White House watched."

Clearly, providing training that end users don't see is akin to providing no training at all. But we can't say we're surprised to know that people who were given the option of attending a 90-minute session chose to decline the invitation.

Three Tips for Reducing Risk

Phishing and smishing threats are likely to persist for years — if not decades — to come. But the risk you face from these threats depends on your infrastructure and your employees.

Our Continuous Training Methodology takes a unique, 360-degree view cyber security education. One-and-done methods and once-a-year mammoth videos and presentations aren't as effective as our interactive approach, which delivers "bite-sized" training about specific topics. Education that is delivered at regular intervals and in digestible chunks builds a culture of awareness, changes user behaviors, and keeps cyber security top-of-mind for employees year round.

a targeted training goal was to have their employees pause before they interacted ... Maybe this isn't safe. Maybe I shouldn't do this.

Consider this: If you aren't helping your employees identify the hallmarks of suspicious email and text messages, they are almost certainly putting their personal information and your systems at risk. As you weigh the benefits of effective security education, use these three tips to get on the path to risk reduction:

  • Think before you click
    One of our customers' IT security officers told us that a targeted training goal was to have their employees pause before they interacted with a new message. "We felt that if we could gain a second or even a half of a second pause between the moment when an employee sees a link or a file and the moment when he clicks, in that gap lies the opportunity for a thought process in which the user ultimately decides, 'Maybe this isn't safe. Maybe I shouldn't do this.'" The customer gained that advantage and then some, reducing malware infections by 42% using our methodology.
  • Don't be afraid to follow up
    A message can look and even sound legitimate but still set off a warning bell. For example, an email that comes from a corporate IT address and tells you to download new security software can seem trustworthy; it appears real and is on topic. But would that really be the process your IT department would follow? It takes just a minute to confirm a questionable message with the sender, whether it's a coworker, internal department, or financial institution.
  • Report suspicious messages
    Fraudsters will often send the same message to hundreds or even thousands of accounts. It's not uncommon for numerous people in a company to be included in a single attack. If you suspect an email or text is malicious and is targeting corporate or personal information, report it to your IT department. This could help identify a problem early, before unsuspecting users expose themselves and your organization to dangers.

Our Anti-Phishing Training Suite combines assessments, training, and reporting to deliver a balanced, effective approach to educating employees about the dangers associated with malicious emails and other social engineering attacks.

Research from the Aberdeen Group shows that the Wombat Continuous Training Methodology can help change behaviors of your end users and reduce risk and business impact by up to 60%. Schedule a demo with us at RSA 2015 to see firsthand what this could mean for your organization.

Wombat Security brings you the latest in Risky Business, a series highlighting how employee behavior can lead to increased organizational risk. Visit