No surprises about where cyberattacks are focused: it was recently reported that about 45% of IT security decision makers are worried about “phishing attacks, and employees clicking on links within email which download malware and email attachments which download malware.” In April 2015 Osterman Research issued its report “Best Practices for Dealing with Phishing and Next-Generation Malware,” which opened with these terrible stories about two law firms:

An attorney in the greater San Diego area opened an attachment in a phishing email that he thought was sent to him by the US Postal Service. The attachment installed malware on his computer, and shortly thereafter he found that $289,000 had been transferred from his firm’s account to a bank in China.

A law firm in Charlotte, NC transferred $387,000 to a bank in Virginia Beach, VA after it closed a deal. Shortly thereafter, cybercriminals transferred most of this amount to the law firm’s bank in Charlotte, which transferred the funds to a bank in New York and then to a bank in Moscow. The victim organization believes it had been infected with keystroke logging software from a phishing email that captured all of the critical information necessary to initiate the wire transfer.

Of course the advice in Osterman’s report is not limited to lawyers; these phishing and malware scams affect all industries. Here are 3 of the 8 key takeaways:

  • Cybercriminals are getting better, users are sharing more information through social media, and some anti-phishing solutions’ threat intelligence is not adequate. This makes organizations more vulnerable to phishing attacks and other threats.
  • Users should be considered the first line of defense in any security infrastructure, and so organizations should implement a robust training program that will heighten users’ sensitivity to phishing attempts and other exploits.
  • IT and business decision makers should implement best practices to help users more carefully screen their electronic communication and collaboration for phishing and other social engineering attacks.

Without question these cyberattacks will not abate anytime soon, so every employer should be training employees continuously.