Employees Are Getting Phished, And You Can't Stop It

Schemes that lure employees into clicking on malware or ransomware links in email continue to grow, while IT executives admit they are ill-prepared to fight the problem and say their response processes are weak.

The practice is called phishing: the act of attempting to hack users or deliver malicious viruses to them through email messages. According to a new study, it is only getting worse, and IT and security administrators are far, far behind in the battle to prevent the act, as well as to remediate the damage it leaves behind.

The US Phishing Response Trends Report surveyed 200 senior IT security decision-makers across all industries, and some of the statistics were staggering.

Among them:

  • One-third of respondents come across more than 500 suspicious emails each week
  • Slightly more than a quarter (26%) of surveyed IT executives have a dedicated inbox for suspicious emails
  • Two-thirds have dealt with a security incident that originated with a deceptive email
  • Nine out of 10 respondents said email-related threats are their biggest security concern

A glaring data point came in the form of targets: more than half of respondents said their company’s annual revenue exceeds $1.5 billion. Hackers are going after the big organizations, as there is more data and money to be had.

As previously reported by Enterprise Mobility Exchange, self-phishing is being conducted by a variety of organizations to help raise employee awareness and strengthen security hygiene. For the employees at the Henry M. Jackson Foundation for military medicine research, Chief Information Security Officer Rizwan Jan has been testing his employees for months, and won’t stop until the workforce understands the severity of phishing.

“It’s about continuing the education and making sure everyone knows what’s out there and how it can impact them and our organization,” Jan said.

Using a solution provider that specializes in the practice and offers thousands of campaigns and templates to choose from, Jan’s security team has been deploying phishing emails year-round, some of which are framed as internal messages while others look to be coming from outside parties.

“The process is a slow drip,” Jan said. “The campaign is sent out to employees during the course of two weeks; the entire staff isn’t hit at once. When someone clicks on the email, they’re immediately alerted that it’s a phishing scam and given information to avoid it next time.”
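The campaign mechanics Jan describes, a send window spread over two weeks, immediate feedback on a click, and tracking of who fell for it, can be modelled in a few dozen lines. The script below is an added example written for this article; it is not code from the foundation's program or from the solution provider mentioned above, and it deliberately contains no lure content. The roster, departments and dates are constructed sample data, and the hash-based slot assignment is an assumption chosen so the schedule is reproducible for audit without being ordered by name or department.

```python
"""Minimal model of a "slow drip" phishing-awareness campaign.

Added example, not the article's or any vendor's code. Sends are spread over a
two-week window instead of hitting the whole staff at once; each click is
answered with training feedback and recorded once for reporting.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FEEDBACK = ("This was a simulated phishing email sent by the security team. "
            "Tip: hover over links to see the real destination, and forward "
            "unexpected messages to the suspicious-email inbox.")


@dataclass(frozen=True)
class Employee:
    email: str
    department: str


@dataclass
class Campaign:
    name: str
    start: datetime
    duration_days: int = 14
    schedule: dict = field(default_factory=dict)  # email -> scheduled send time
    clicks: dict = field(default_factory=dict)    # email -> first click time


def build_campaign(name: str, start_iso: str, duration_days: int = 14) -> Campaign:
    """Create a campaign from an ISO-8601 start timestamp (constructed values in the demo)."""
    return Campaign(name=name, start=datetime.fromisoformat(start_iso), duration_days=duration_days)


def window_end(campaign: Campaign) -> datetime:
    """First instant after the send window closes."""
    return campaign.start + timedelta(days=campaign.duration_days)


def schedule_sends(campaign: Campaign, roster: list) -> dict:
    """Give every recipient a send day inside the window.

    The day is derived from SHA-256(campaign name + email), so re-running the
    scheduler yields the same plan (auditable) while recipients are not grouped
    by team, which keeps one early recipient from tipping off a whole department.
    """
    for emp in roster:
        digest = hashlib.sha256(f"{campaign.name}:{emp.email}".encode()).digest()
        day = int.from_bytes(digest[:4], "big") % campaign.duration_days
        campaign.schedule[emp.email] = campaign.start + timedelta(days=day)
    return campaign.schedule


def sends_due(campaign: Campaign, day_index: int) -> list:
    """Recipients a daily job should send to on day N of the window (0-based)."""
    return [email for email, when in campaign.schedule.items()
            if (when - campaign.start).days == day_index]


def record_click(campaign: Campaign, email: str, when: datetime) -> str:
    """Called by the landing page when a recipient clicks.

    Only the first click per person is kept, so a repeat click does not inflate
    the rate. Returns the feedback text shown to the user immediately.
    """
    if email not in campaign.schedule:
        raise KeyError(f"{email} was never scheduled in campaign {campaign.name!r}")
    campaign.clicks.setdefault(email, when)
    return FEEDBACK


def report(campaign: Campaign, roster: list) -> dict:
    """Click counts and rate overall and per department."""
    counts = {"overall": [0, 0]}  # key -> [sent, clicked]
    for emp in roster:
        for key in ("overall", emp.department):
            tally = counts.setdefault(key, [0, 0])
            tally[0] += 1
            if emp.email in campaign.clicks:
                tally[1] += 1
    return {k: {"sent": s, "clicked": c, "rate": c / s} for k, (s, c) in counts.items()}


if __name__ == "__main__":
    # Constructed sample roster; no real people or domains.
    roster = [Employee("a.lee@example.com", "finance"),
              Employee("b.kim@example.com", "finance"),
              Employee("c.ng@example.com", "engineering"),
              Employee("d.ortiz@example.com", "engineering")]
    camp = build_campaign("q1-awareness", "2024-03-04T09:00:00")
    schedule_sends(camp, roster)
    for day in range(camp.duration_days):
        print(f"day {day:2d}: {sends_due(camp, day)}")
    print(record_click(camp, "a.lee@example.com", window_end(camp)))
    print(report(camp, roster))
```

The per-department breakdown is the figure worth watching over successive campaigns: a falling click rate in the groups that handle payments is the evidence that the training is sticking, and a department whose rate does not move is where the next round of education belongs.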

While phishing continues to proliferate, especially in larger organizations, its equally disruptive digital cousin has begun to worry IT administrators, specifically in enterprises that have gone mobile with smartphones.

That scam is called smishing, and it targets users’ text message inboxes. Smishing is the text message version of phishing: hackers send a text posing as a company or person and ask the recipient to take action on any number of seemingly mundane matters, e.g., the user’s bank claiming it has detected unusual activity, or a congratulatory notice saying the person has won a prize from their favorite store.

This is clearly going to hinder just about any organization that mobile-enables its workforce with smartphones, doubling down on the threats phishing already poses on those same devices. Additionally, the phishing study showed that key targets were employees in finance or accounting departments, with attackers often impersonating chief executives or finance officers seeking the release of funds, or deploying a virus into that department’s database.

So, what’s keeping the security executive awake at night? A funny word with serious consequences.
