December 28, 2024

Speared While Pretending To Phish

It is an executive’s nightmare: a successful spear phishing attack that opens up your network or system to hackers, due to one ill-advised click. The scenario is bad enough for your personal computer, but potentially much worse for your organization or business.

By now, most business owners probably hope their employees know enough not to fall for such tricks. But then again, you would hope most employees know what to do in a fire. That doesn’t stop companies from conducting fire drills.

A U.S. Army combat commander recently caused a small panic by conducting such a spear phishing drill on his own initiative. (1) The dummy phishing attempt warned of a security breach in Army employees’ Thrift Savings Plan (a retirement plan widely used in the federal government) without any prior agreement with, or warning to, the thrift plan’s managers. The targeted workers were directed to a dummy site and told to log in and reset their passwords. This is spear phishing, an approach popular among hackers who want to steal website credentials.

In this instance, the small group of Army workers who received the bogus message forwarded it to others. Alarm about the fictional security breach quickly spread to multiple federal departments. It took weeks to clear up the resulting confusion.

Though the execution was flawed, the idea of simulating a spear phishing attempt has a lot of merit. The more often you test your employees with decent bait, the smaller the odds that they will fall for a truly malicious attack. If someone is going to make a mistake, such a test gives them a harmless place to make it. That’s good employee training. In effect, you are crying wolf to teach people to ignore wolves.

Phishing is not the only type of network attack employers need to worry about, but it is an enduring one; it has troubled companies and governments, as well as individuals, for the past decade in one form or another. Three years ago, security firm RSA (whose employees presumably should have known better, if any employees should) suffered a spear phishing attack when an employee removed a suspect message from the system’s junk folder and opened a compromised attachment. More recently, an attack focused on Forbes. A senior executive opened what she thought was a time-sensitive link on her iPad, allowing the Syrian Electronic Army access to the news organization’s website and backend data. The costly security breach at Target last year is reported to have begun with a phishing attack.

Phishing exploits the human element in an organization’s technology. Though all employees should know by now to be suspicious
