{"id":6991,"date":"2017-03-15T11:50:02","date_gmt":"2017-03-15T19:50:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/15\/news-782\/"},"modified":"2017-03-15T11:50:02","modified_gmt":"2017-03-15T19:50:02","slug":"news-782","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/15\/news-782\/","title":{"rendered":"Why you should put your staff to the test with phishing drills"},"content":{"rendered":"<p><strong>Credit to Author: Bill Brenner| Date: Wed, 15 Mar 2017 18:56:42 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"33183\" data-permalink=\"https:\/\/blogs.sophos.com\/2017\/03\/15\/why-you-should-put-your-staff-to-the-test-with-phishing-drills\/pt-copy\/#main\" data-orig-file=\"https:\/\/sophos.files.wordpress.com\/2017\/03\/pt-copy.png\" data-orig-size=\"151,151\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"PT copy\" data-image-description=\"\" data-medium-file=\"https:\/\/sophos.files.wordpress.com\/2017\/03\/pt-copy.png?w=151\" data-large-file=\"https:\/\/sophos.files.wordpress.com\/2017\/03\/pt-copy.png?w=151\" src=\"https:\/\/sophos.files.wordpress.com\/2017\/03\/pt-copy.png?w=150&#038;h=150\" alt=\"\" width=\"150\" height=\"150\" class=\"alignleft size-thumbnail wp-image-33183\" srcset=\"https:\/\/sophos.files.wordpress.com\/2017\/03\/pt-copy.png?w=150&amp;h=150 150w, https:\/\/sophos.files.wordpress.com\/2017\/03\/pt-copy.png 151w\" sizes=\"auto, (max-width: 150px) 100vw, 150px\" \/>When <a 
href=\"https:\/\/blogs.sophos.com\/2017\/01\/25\/introducing-sophos-phish-threat-the-worlds-easiest-to-use-attack-simulator\/\">Sophos Phish Threat<\/a> was released in January, we pointed out that:<\/p>\n<ol>\n<li>Email remains one of the most problematic sources of infection; and<\/li>\n<li>It\u2019s the ordinary, well-meaning people who often let poisonous emails into their organizations.<\/li>\n<\/ol>\n<p>Phishing is an old problem, but news stories continue to show that people remain easy prey.<\/p>\n<p><strong>New attacks, old tactics<\/strong><\/p>\n<p>A recent Naked Security article outlined the bad guys\u2019 efforts to infect their prey using <a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/02\/21\/watch-out-for-phishing-scams-when-preparing-your-tax-return\/\">scams centered around tax season<\/a>, with the Internal Revenue Service (IRS) warning of fresh email schemes targeting tax professionals, payroll staff, human resources personnel, schools and average taxpayers. In another scam, <a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/01\/11\/beware-phishing-scams-in-amazon-listings\/\">attackers polluted Amazon listings<\/a> with links that redirected victims to a very convincing Amazon-looking payment site.<\/p>\n<p>Now come fresh reports that attackers are using malicious PDF attachments, messages that appear to come from the recipient&#8217;s own HR department, and bogus Facebook friend requests. 
[For the full story, read <a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/03\/15\/latest-phishing-tactics-infected-pdfs-bogus-friend-requests-fake-hr-emails\/\">Latest phishing tactics: infected PDFs, bogus friend requests, fake HR emails<\/a>.]<\/p>\n<p>Microsoft Malware Protection Center team member Alden Pornasdoro <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/01\/26\/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments\/\" rel=\"nofollow\">warned of the malicious PDF files<\/a>. Unlike the attachments in many other spam campaigns, he wrote, these PDFs don&#8217;t contain malware or exploit code. Instead, they rely on social engineering to lead people to phishing pages where they are asked to divulge sensitive information. That matters for defenders: a PDF that carries nothing but a link gives an attachment scanner little to flag, so the recipient&#8217;s judgement at the login page is the control that counts.<\/p>\n<p>In another case, ZDNet reported that <a href=\"http:\/\/www.zdnet.com\/article\/phishing-would-you-fall-for-one-of-these-scam-emails\/\" rel=\"nofollow\">sending a bogus friend request<\/a> was the best way to get someone to click on a link \u2013 even when the email was sent to a work email address.<\/p>\n<p>In one simulation conducted by MWR Infosecurity, a quarter of the users tested clicked the link and were taken to a fake login screen; more than half of those went on to enter a username and password, and four out of five of those then downloaded the file on offer. Meanwhile, a spoof email claiming to be from the HR department and referring to an appraisal system also proved effective.<\/p>\n<p><strong>Successful attacks through social engineering<\/strong><\/p>\n<p>Recent developments show that the ancient technique of <a href=\"https:\/\/blogs.sophos.com\/what-is\/social-engineering\/\">social engineering<\/a> is alive and well. Understanding it is the first step in mounting a better defense. 
We previously wrote:<\/p>\n<p style=\"padding-left:30px;\"><em>Social engineering is the act of manipulating people into taking a specific action for an attacker\u2019s benefit. You might think it sounds like the work of a con artist \u2013 and you\u2019d be right. Since social engineering preys on the weaknesses inherent in all of us, it can be quite effective. And without proper training it\u2019s tricky to prevent. If you\u2019ve ever received a phishy email, you\u2019ve seen social engineering at work. The social engineering aspect of a phishing attack is the crucial first step \u2013 getting the victim to open a dodgy attachment or visit a malicious website.<\/em><\/p>\n<p>As the blog post noted, phishing can\u2019t work unless the first step \u2013 the social engineering \u2013 convinces you to take an action.<\/p>\n<p>To help raise awareness, security vendors offer a number of products and services that companies can use to launch simulations \u2013 essentially phishing fire drills \u2013 which show employees up close how easy it is to be duped by social engineering.<\/p>\n<p>For Sophos customers, that product is <a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/PDFs\/factsheets\/Sophos-Phish-Threat-Datasheet.pdf?la=en\">Phish Threat<\/a>.<\/p>\n<p><strong>How it works<\/strong><\/p>\n<p>With Phish Threat, an administrator chooses a campaign type, selects one or more training modules, picks a simulated phishing message, and decides which users to test. 
Reporting tells you how many messages have been sent out, who\u2019s clicked, and, of those, who\u2019s gone through the required modules.<\/p>\n<p><a href=\"https:\/\/www.sophos.com\/products\/phish-threat.aspx?cmp=70130000001xKqzAAE\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"32877\" data-permalink=\"https:\/\/blogs.sophos.com\/2017\/01\/25\/introducing-sophos-phish-threat-the-worlds-easiest-to-use-attack-simulator\/screen-shot-2017-01-25-at-18-34-46\/#main\" data-orig-file=\"https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png\" data-orig-size=\"1606,858\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"screen-shot-2017-01-25-at-18-34-46\" data-image-description=\"\" data-medium-file=\"https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=300\" data-large-file=\"https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=640\" class=\"aligncenter size-large wp-image-32877\" src=\"https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=640&amp;h=342\" alt=\"screen-shot-2017-01-25-at-18-34-46\" width=\"640\" height=\"342\" srcset=\"https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=640&amp;h=342 640w, https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=1280&amp;h=684 1280w, https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=150&amp;h=80 150w, 
https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=300&amp;h=160 300w, https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=768&amp;h=410 768w, https:\/\/sophos.files.wordpress.com\/2017\/01\/screen-shot-2017-01-25-at-18-34-46.png?w=1024&amp;h=547 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>Security awareness programs are not new, and <a href=\"https:\/\/blogs.akamai.com\/2015\/02\/security-awareness-programs-better-than-nothing.html\">some security experts have questioned their effectiveness<\/a>, since users continue to make the same mistakes.<\/p>\n<p>In our opinion, simulations give awareness programs more teeth. The more employees get caught on the phishing hook during a simulation, the less likely they are to forget the lesson.<\/p>\n<p>That may sound self-serving, but the proof is in the never-ending avalanche of news headlines.<\/p>\n<p>Filed under: <a href='https:\/\/blogs.sophos.com\/category\/corporate\/'>Corporate<\/a>, <a href='https:\/\/blogs.sophos.com\/category\/enduser\/'>Enduser<\/a> Tagged: <a href='https:\/\/blogs.sophos.com\/tag\/security-tips-2\/'>security tips<\/a>, <a href='https:\/\/blogs.sophos.com\/tag\/social-engineering\/'>Social engineering<\/a>, <a href='https:\/\/blogs.sophos.com\/tag\/sophos-phish-threat\/'>Sophos Phish Threat<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Bill Brenner| Date: Wed, 15 Mar 2017 18:56:42 +0000<\/strong><\/p>\n<p>When Sophos Phish Threat was released in January, we pointed out that: Email remains one of the most problematic sources of infection; and It\u2019s the ordinary, well-meaning people who often let poisonous emails into their organizations. 
Phishing is an old problem, but news stories continue to show that people remain easy prey. New attacks, old tactics A recent [&#8230;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[10379,10401,10406,10510,11061],"class_list":["post-6991","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-corporate","tag-enduser","tag-security-tips","tag-social-engineering","tag-sophos-phish-threat"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6991","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6991"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6991\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6991"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6991"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6991"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","temp
lated":true}]}}