With the summer months in full swing, people are taking time off to travel and relax. However, don’t let your guard down against a number of common phishing scams that will look to lure unsuspecting victims.
While folks around the world continue to take time away from work and school, hackers remain in session full time. In fact, they take advantage of our vulnerabilities, our leisure plans and the fact that we spend more time on the go, forging specific messages and techniques to target us when we least expect it.
The Impossible Deal
A common phishing scam announces that the recipient has won a desirable prize or a cruise, or offers special deals on concert tickets.
One of the biggest cyber scams of 2018 happened last summer during the World Cup, when fans from around the world flocked to Russia in support of their favorite soccer teams. While most had already bought their tickets, many were still hoping to come across an unbeatable deal that would get them to the Cup. When phishing emails announcing FREE World Cup tickets turned out to be a calculated hack, the Federal Trade Commission (FTC) posted on its website: “The offer may seem promising, but the truth is, scammers are simply phishing for your personal information. Never open files or click links sent by strangers. And never pay a fee to claim a prize.”
Hackers often use a similar strategy against HR executives, pitching “free offers” that the executives could allegedly extend to the company’s employees. HR managers, excited to save company funds and delight their colleagues, click on malicious emails or even provide personal or payment information, which of course ends up in the wrong hands.
The rule of thumb when it comes to free tickets and prizes, or any other free offer, is that if something sounds too good to be true, it probably is.
Click Here for Your Vacation
When we finalize our travel plans, we expect to receive email confirmations and updates from airlines and hotel representatives. Hackers know that and craft phishing emails pretending to be our hospitality rep, with instructions to finalize a reservation or reset our password. Phishing emails often target accounts, such as credit cards and frequent flyer logins, where valuable financial information can be harvested.
Last summer, hackers launched a phishing attack posing as Delta Airlines, designed to steal consumers’ information. The email had the subject line “Your Delta SkyMiles Account will be closed,” and it asked the recipient to follow a link to “update your Delta SkyMiles account information.” The hackers were evidently hoping that recipients would hand over their personal data.
Phishing emails often use urgent language (your account will be shut down, the offer expires in 3 hours) to pressure recipients into clicking a link quickly, before they stop to think.
According to the FTC’s consumer arm, a good rule to follow is to avoid clicking links in emails from companies or organizations altogether. Instead, go to the company’s home page in a new browser tab and log in from there. That way, you know you have reached the genuine site rather than one the email chose for you.
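The two signals this section describes, pressure wording and links that do not go where the branding suggests, can be checked mechanically before a user ever sees the message. The following is an added example (not code from the original post); the urgency phrase list, the `.example` hostnames and the sample message are constructed to mirror the SkyMiles lure described above.

```python
# Heuristic phishing indicators: urgency wording plus links/senders that
# do not belong to the impersonated brand. Example code, not from the post.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases of the kind the article quotes; the list is constructed.
URGENCY = re.compile(
    r"\b(account will be (closed|shut down|suspended)|"
    r"expires? in \d+ (hours?|minutes?)|immediately|act now)\b", re.I)

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude eTLD+1 (last two labels); adequate for the sample data only."""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(sender, subject, html_body, brand_domain):
    """Return human-readable indicators; an empty list means none were found."""
    found = []
    if URGENCY.search(subject) or URGENCY.search(html_body):
        found.append("urgency language")
    sender_host = sender.rsplit("@", 1)[-1]
    if registrable(sender_host) != registrable(brand_domain):
        found.append(f"sender domain {sender_host} is not {brand_domain}")
    parser = _Links()
    parser.feed(html_body)
    for href, text in parser.links:          # every link must stay on-brand
        host = urlparse(href).hostname or ""
        if registrable(host) != registrable(brand_domain):
            found.append(f"link '{text}' points to {host}")
    return found

# Constructed sample modelled on the SkyMiles lure (hostnames are fictional).
SAMPLE = dict(
    sender="skymiles@delta-account-services.example",
    subject="Your Delta SkyMiles Account will be closed",
    html_body='<p>Please <a href="http://delta.skymiles-update.example/login">'
              'update your Delta SkyMiles account information</a>.</p>',
    brand_domain="delta.com")
```

Running `phishing_indicators(**SAMPLE)` flags all three signals (urgency, off-brand sender, off-brand link), while a genuine itinerary mail whose links stay on the brand domain returns an empty list.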
During the summer months, people spend more time on the go. They travel, entertain, hike or barbecue outdoors, and check more of their email on mobile devices.
The rate at which victims fall for phishing attacks on mobile has increased by an average of 85 percent every year since 2011, according to new research from the mobile security company Lookout.
“Mobile devices have opened a profitable new window of opportunity for criminals executing phishing attacks,” the researchers wrote. “Attackers are successfully circumventing existing phishing protection to target the mobile device. These attacks are highlighting security shortcomings and exposing sensitive data and personal information at an alarming rate.”
Phishing attacks are a growing risk for everyone, but for employees who plan their vacation or try to stay in the loop while out of office there’s a broader risk: clicking a phishing link from a mobile device may put the entire organization at risk, cause the company financial damage and even cost employees their jobs.
Changing Our Behaviors
When it comes to security awareness training, many organizations opt for phishing testing to gauge the state of their employees’ awareness. Others choose to phish and then teach, via follow-up educational awareness content. Unfortunately, neither strategy is effective if your end goal is to change employee behavior towards phishing attacks.
Changing behavior requires training. Training improves reflexes, sharpens intuition and builds muscle memory, so that we automatically respond to a given trigger in the desired manner. To change behavior, the learning experience itself has to be re-shaped and kept dynamic, customized and continuous. This can become a complex and resource-consuming task for CISOs who try to implement it themselves.
Moving forward, the best way to mitigate phishing risk will be to provide employees with continuous, data-driven training that integrates real-life attack simulations with on-the-job training, and truly changes employee behavior towards phishing attacks.