It sounds harsh, but unfortunately it is true: when it comes to phishing, humans are the most significant risk. A moment of inattention or distraction is enough to fall for a phishing email. The only thing that helps is awareness, combined with exercises that train people to recognize phishing emails better.
The current situation during the Corona crisis makes life easy for fraudsters. They send out COVID-19-related phishing emails that worried people open and fall for. According to the threat analysis by G DATA Cyber Defense, the number of attacks prevented rose significantly in March 2020 – by around 30 percent compared to the previous month.
Working from home was an additional factor, because many companies were unable to provide their employees with a sufficiently secure infrastructure in the short time available. The fraudsters are particularly interested in critical company data such as account data: they have repeatedly tried to obtain state financial aid with stolen data.
Phishing: Stress And Routine Are Bad Companions
How can it happen that trained employees fall for fake emails? Because while ever more powerful technologies are being developed to detect attacks better and faster, human behavior can only be influenced slowly and with difficulty. The scammers take advantage of employees’ inattentiveness and often a lack of knowledge, combined with stress or routine.
In addition, it is becoming increasingly difficult to distinguish phishing emails from real emails these days. They often look like everyday business transactions – they usually even refer to existing email traffic or a current event. Besides mass mailings, scammers also deliberately single out individual victims. The person is observed via their social media channels or company website, and then a customized phishing email is sent to them.
The scammers use phishing emails to gain easy access to the system, in order to distribute malware such as Trojans or ransomware, or to obtain personal information such as login data. Email is the most significant vector for cyber attacks.
Attentive Employees Make The Difference
How can companies ensure that employees recognize fraudulent emails immediately? A simple explanation of phishing emails in a training video alone does not help. Companies must take a holistic view of IT security, and that is a long process of continuously improving employee awareness.
Simply deleting suspicious mails is not helpful; it is much better if the emails are forwarded to an internal reporting point. Based on the reports, the phishing filters can be adjusted so that employees do not even receive these emails. In addition, the existing website block lists should be supplemented to prevent direct access to the links contained in the phishing email. However, the basis for this is a corporate culture that protects employees who accidentally click on a phishing email.
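The following script is an added example, not code from the article or from G DATA: it shows what an internal reporting point can do with a forwarded phishing email. It parses the raw message, pulls out the sender domains for the mail filter and the link hosts for the website block list, and flags the header and link mismatches that help an analyst confirm the report. The sample message, the ORG_DOMAIN constant and all domains in it are constructed placeholders.

```python
"""Triage a reported phishing email into filter and block-list entries.

Added example (not from the article). Input is a raw RFC 5322 message as
received via an internal "report phishing" mailbox. ORG_DOMAIN and the
sample message are constructed placeholders.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumed own domain; never block-listed

# Constructed sample of a reported phishing mail (placeholder domains).
SAMPLE_EML = """\
From: "HR Department" <hr@example-corp.com>
Reply-To: payroll-update@hr-portal-login.example
To: employee@example-corp.com
Subject: Action required: COVID-19 short-time work allowance
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please confirm your bank details at http://hr-portal-login.example/verify
to keep receiving your allowance.

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your bank details at
<a href="http://hr-portal-login.example/verify">https://intranet.example-corp.com/payroll</a>
to keep receiving your allowance.</p></body></html>

--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Lowercase domain part of an address header, or '' if absent."""
    _, email_addr = parseaddr(str(addr) if addr else "")
    return email_addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return block-list candidates and red flags for a reported email."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg["From"])
    reply_domain = _domain(msg["Reply-To"])

    urls, mismatched_links = set(), []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                urls.add(href)
                # Visible text that is a URL but points elsewhere is a classic tell.
                if URL_RE.fullmatch(text) and urlparse(text).hostname != urlparse(href).hostname:
                    mismatched_links.append((text, href))

    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_domain == ORG_DOMAIN and reply_domain and reply_domain != ORG_DOMAIN:
        flags.append("From claims an internal sender but replies go to an external domain")
    for shown, actual in mismatched_links:
        flags.append(f"Link text {shown} points to {actual}")

    # External sender domains go to the mail filter, link hosts to the web block list.
    sender_domains = sorted({d for d in (from_domain, reply_domain) if d and d != ORG_DOMAIN})
    hosts = {urlparse(u).hostname for u in urls}
    url_hosts = sorted(h for h in hosts if h and not h.endswith(ORG_DOMAIN))
    return {"sender_domains": sender_domains, "url_hosts": url_hosts, "flags": flags}


if __name__ == "__main__":
    for key, values in triage(SAMPLE_EML).items():
        print(key, *values, sep="\n  ")
```

The own domain is deliberately kept out of both lists: a spoofed From header that claims an internal sender must not lead to the company blocking its own mail, so the script only raises a flag for it and block-lists the external Reply-To and link hosts.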
Phishing Simulation: Raising Awareness Through Training
Companies should therefore consider training that teaches their employees how to deal with fake emails. This requires an extensive phishing simulation that realistically depicts the sophisticated approach of the attackers. One possibility, for example, is that the employees receive several emails of different degrees of difficulty over a specified period.
Some of the emails are recognizable at first glance due to gross spelling mistakes and the lack of a personal salutation. Other messages address the recipient directly, so that the danger is only recognizable at a second glance. The results can then be evaluated.
But the most important thing is that the employees’ behavior must be refreshed regularly; otherwise routine creeps back into everyday work.