Five social engineering scams employees still fall for


You’ve trained them. You’ve deployed simulated phishing tests. You’ve reminded your employees countless times with posters and games and emails about avoiding phishing scams. And still they fall for the same ploys they were warned about years ago. It’s enough to drive a security team crazy.

According to the Verizon 2016 Data Breach Investigations Report, 30 percent of phishing messages were opened by their intended targets, and about 12 percent of recipients went on to click the malicious attachment or link, enabling the attack to succeed. A year earlier, only 23 percent of users opened such emails, which suggests that employees are getting worse at recognizing phishing messages, or that the bad guys are finding more creative ways to reach a broader set of users.

The consequences of a security breach caused by human error are bigger than ever. For starters, the No. 1 infection vector for ransomware is phishing, says Stu Sjouwerman, founder and CEO of KnowBe4. What’s more, a handful of competing cyber mafias “are casting their nets wider and wider,” sending more scams to more users to attract more hits, he says.

A single ransomware-making cyber mafia was able to collect $121 million in ransom payments in the first half of this year, netting $94 million, according to the McAfee Labs Threats Report for September 2016. Total ransomware grew 128 percent in the first half of 2016 compared with the same period a year earlier, and 1.3 million new ransomware samples were recorded, the highest number since McAfee began tracking them.

One look at the top five social engineering scams that employees still fall for, and it’s not hard to see their appeal. Sjouwerman calls them the seven deadly social engineering vices that most employees share: Curiosity, courtesy, gullibility, greed, thoughtlessness, shyness and apathy.

Human nature may be to blame for many security breaches, but there are ways to help employees shed their bad habits and avoid these scams.

1. ‘Well, it looks official’

Emails that appear to be work-related, with subject lines such as “Invoice attached” or “Here’s the file you asked for,” are still tripping up employees, experts say.

A survey by Wombat Security Technologies found that employees are more cautious when they receive “consumer” emails on topics such as gift card notifications or social network account updates than when they receive emails that look like valid work messages. According to the report, subject lines reading “Urgent email password change request” had an average click rate of 28 percent.


“Most people don’t really look at where that email came from. They click on it, and their machine could be taken over or infected by someone,” says Ronald Nutter, an online security expert and author of a book on how hackers operate and how to safely surf the Internet.

“Especially when you’re exchanging files with subcontractors or partners on a project, you really should be using a secure file transfer system so you know where the file came from and that it’s been vetted.” He also cautions recipients to be wary of any file that asks the user to enable macros, which can lead to a system takeover.

In the absence of a secure file transfer system, users should hover their cursor over email addresses and links before they click to see if the sender and type of file are legitimate, he adds.

2. ‘You missed a voicemail!’

Scammers have been trying to install malware through emails that look like internal voicemail service notifications since 2014. Businesses commonly have systems set up to forward audio files and messages to employees, which makes the phishing hoax harder for users to spot.

Today, “The voicemail is a spoofed Microsoft or Cisco kind of voicemail,” Sjouwerman says. “They go to their in-box and there is a voicemail, but they missed it and then open the attachment. [Spoofers] can catch practically anyone with that,” and not just the accounting department where invoice scams are sent, he adds.
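The checks Nutter recommends in section 1 (look at where the message really came from, hover over links before clicking, be wary of attachments that want macros enabled) and the spoofed voicemail notice described in this section can all be scripted. The block below is an added example and is not code from the article or from any of the vendors it quotes: it parses one message with Python’s standard library and lists the tells. The message, the sender names and domains, the lookalike link and the macro-enabled attachment are all constructed inline for illustration, and the “voicemail subject with a non-audio attachment” rule is an assumed heuristic, not something the article prescribes.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

AUDIO_EXT = (".wav", ".mp3", ".m4a", ".ogg")
# Assumed heuristic: a voicemail-themed subject should carry audio, not a document.
VOICEMAIL_WORDS = re.compile(r"voice\s*mail|voice message|missed call", re.I)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: the scripted version of hovering a link."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def link_mismatches(html):
    """Links whose visible text names one host but whose href leads to another."""
    p = _LinkCollector()
    p.feed(html)
    bad = []
    for text, href in p.links:
        if not re.fullmatch(r"\S+\.\S+", text):   # 'Click here' claims no host
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            bad.append((text, href))
    return bad


def has_macros(data):
    """OOXML files are zip archives; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    m = re.search(r"@([\w.-]+)", name)          # display name posing as an address
    if m and m.group(1).lower() != _domain(addr):
        findings.append(f"display name claims {m.group(1)}, sender is {_domain(addr)}")
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and _domain(reply) != _domain(addr):
        findings.append(f"replies are diverted to {_domain(reply)}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for text, href in link_mismatches(html.get_content()):
            findings.append(f"link text {text!r} actually points at {href}")
    subject = str(msg["Subject"] or "")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if has_macros(part.get_payload(decode=True) or b""):
            findings.append(f"attachment {fname} carries a VBA macro project")
        if VOICEMAIL_WORDS.search(subject) and not fname.endswith(AUDIO_EXT):
            findings.append(f"voicemail lure: {fname} is not an audio file")
    return findings


def build_sample():
    """Constructed lure (not a real message): a 'missed voicemail' notice with a .docm."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00not a real VBA project\x00")
    m = EmailMessage()
    m["From"] = '"voicemail@corp.example" <notify@unity-alerts.example>'
    m["Reply-To"] = "callback@mailbox-relay.example"
    m["To"] = "alice@corp.example"
    m["Subject"] = "You missed a voicemail (0:42)"
    m.set_content("Your new voice message is attached.")
    m.add_alternative('<p>Or listen online: <a href="http://login-verify.example/vm">'
                      'https://corp.example/voicemail</a></p>', subtype="html")
    m.add_attachment(docm.getvalue(), maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="voicemail_0042.docm")
    return m.as_bytes()
```

Running `triage(build_sample())` yields five findings: the display name pretends to be a corp.example mailbox while the envelope sender is elsewhere, Reply-To goes to a third domain, the visible link names corp.example but points at login-verify.example, the attachment contains a VBA project, and a “voicemail” arrives as a Word document rather than an audio file. Any one of these is worth stopping on; together they are the profile of both scams above.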

3. Free stuff

Most employees can’t say no to free stuff, from pizza to event tickets to software downloads, and they will click almost any link to get it, phishing experts say.

“Nothing is ever completely free,” Nutter says. “We’re starting to see again where you’ll get a link saying, ‘Here’s free software.’ It could be something that’s actually out there already for free, but they’re sending you through their website, which means you may be getting infected or compromised software.”

Adding to the danger, “a lot of these download sites bundle [software], so you also have to download other things you don’t even want,” Nutter adds. “If it compromises your security settings, now you’ve just opened Pandora’s box.”

He recommends first checking to see if your organization has already licensed the software, or if it’s truly free software, then go directly to the software vendor’s website to download.
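Nutter’s advice to go straight to the vendor rather than through a download portal can be reduced to two mechanical checks: is the download URL really on the vendor’s domain, and does the file match the hash the vendor publishes on its own site? The block below is an added example, not code from the article or from any vendor it mentions; the vendor domain, URLs, installer bytes and “published” hash are constructed stand-ins.

```python
import hashlib
from urllib.parse import urlparse


def is_vendor_download(url, vendor_domain="vendor.example"):
    """True only for HTTPS URLs whose host is the vendor's domain or a subdomain of it.

    urlparse().hostname discards userinfo, so 'https://vendor.example@evil.example/'
    resolves to evil.example, and 'vendor.example.evil.example' fails the suffix test.
    """
    u = urlparse(url)
    host = (u.hostname or "").lower()
    vendor = vendor_domain.lower()
    return u.scheme == "https" and (host == vendor or host.endswith("." + vendor))


def matches_published_hash(data, published_sha256):
    """Compare the file you actually got with the SHA-256 the vendor publishes.

    The published hash is public, so plain equality is fine here; what matters is
    that it was read from the vendor's own page, not from the download portal.
    """
    return hashlib.sha256(data).hexdigest() == published_sha256.lower()


# Constructed stand-ins (assumed values, not a real product or a real hash).
PRISTINE_INSTALLER = b"MZ\x90\x00 pristine installer payload"
PUBLISHED_SHA256 = hashlib.sha256(PRISTINE_INSTALLER).hexdigest()
# What a "free downloads" portal hands you: the same installer with a bundler appended.
BUNDLED_INSTALLER = PRISTINE_INSTALLER + b" + toolbar/adware wrapper"


def check_download(url, data, vendor_domain="vendor.example",
                   published_sha256=PUBLISHED_SHA256):
    """Return the reasons to refuse a download; an empty list means both checks passed."""
    reasons = []
    if not is_vendor_download(url, vendor_domain):
        reasons.append(f"{url} is not served from {vendor_domain} over HTTPS")
    if not matches_published_hash(data, published_sha256):
        reasons.append("file hash does not match the vendor's published hash")
    return reasons
```

The hash check is the one that catches the bundled installer even when the portal proxies the vendor’s genuine file and merely wraps it; the host check is what catches the “we’ll send you through our website” redirect and the lookalike-domain tricks in the docstring.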

4. Fake LinkedIn invitations and InMail

One of the commonly repeated scams that Proofpoint is seeing involves fraudulent employee accounts on LinkedIn that are being used for information gathering, says Devin Redmond, vice president and general manager of digital security and compliance.

For example, someone creates a fake LinkedIn account posing as a known member of a project team or even a company executive. “It looks very legitimate; the person works for that organization. [The impostor] connects with you, you accept, and you start communicating,” Redmond says. “As an employee, if it’s an executive’s account you’re connecting with, you’re happy and pleased that this executive is communicating with you, and you start, unknowingly, giving away sensitive or private information about the organization.” Meanwhile, that information is being used as part of a broader campaign to gather sensitive corporate information.

Redmond suggests that if a colleague asks to connect on any social network, then email their legitimate work address and ask if they’ve requested to connect with you. “It’s an easy way to keep yourself out of hot water,” he adds.

5. Social media surfing at work

Employees who surf Facebook, Twitter and a host of other social media sites can potentially open the door for cyber thieves, because these scams require less work from the attacker, and social media is also a relatively new area of awareness training for employees.

“It’s a better strategy from a bad actor’s perspective,” Redmond says. “Instead of having to send 1,000 emails [to get one hit], I can get to them with one post on my page.”

Social media’s cyber risk is still a topic that employees understand the least – with an average of 31 percent of questions missed regarding security awareness on the topic, according to Wombat. However, 76 percent of organizations surveyed enable employees to use social media on their work devices. This puts organizations at significant risk considering the lack of understanding in the area.

“I speculate the reason why organizations are doing so poorly is that it’s still fairly new,” says Wombat CTO Trevor Hawthorn. “We’re also seeing a younger workforce. There is a belief in the industry that those employees will just click on anything. I think there is something to that.”


This story, "Five social engineering scams employees still fall for," was originally published by CSO.
