We often hear that employees are the weakest link in the cybersecurity chain, and we can see why. Social engineering attacks on end users are a common tactic used by hackers to bypass traditional network defences because tricking an employee into installing a backdoor into the network is often easier than directly attacking that network from the internet.
Although phishing is not new, cyber criminals are continuing to capitalise on such opportunities. This week, we saw mobile messaging app Snapchat admit that sensitive financial information about some of its employees was phished after a member of staff fell for an email scam. In this case, the phishing attack was an isolated incident that was handled swiftly, but we are certain to see similar attacks on businesses in the future – and the consequences could be greater.
With phishing attacks predicted to rise, organisations should look to implement social engineering testing for their employees in order to confirm their ability to detect and respond to genuine phishing scenarios. Standard security awareness training alone is not adequate for organisations – especially those that maintain or access highly sensitive data – and this is why social engineering (phishing) training should form part of every information security and risk management strategy.
“Last Friday, Snapchat’s payroll department was targeted by an isolated email phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information,” it revealed. “Unfortunately, the phishing email wasn’t recognized for what it was–a scam–and payroll information about some current and former employees was disclosed externally. To be perfectly clear though: None of our internal systems were breached, and no user information was accessed.”