Ryan Harnedy
Jul 2016

Why Phishing Employees is a Lot Like Pokemon Go

Chances are if you’re reading this it is through the lens of your phone and there is a Zubat flying around next to the screen.

Since its launch earlier this month, Pokemon Go has become an international sensation. Over 21 million people in the United States alone have taken to the streets, the parks, and some much stranger places, so they can be among the lucky few who catch 'em all.

While this behavior may seem strange to some people, finding a target, figuring out its weak points, and then taking it down for personal gain is right in a spear phisher’s wheelhouse.

To someone making a phishing attack on your company, your office can start to look a lot like a Pokemon Go gym — there are plenty of prized employee types to target. They just need to know which pokeballs (read: phishing emails) to use.

Here are four types of employees criminals love to catch with spear phishing attacks, plus tips for how you can protect them:

1) Employees who move fast and don’t have time to double-check things


Ex: Salespeople.

Phishers love to target people who communicate frequently through email, since those people are less likely to double-check a link or think twice before opening a document that asks them to enable macros (the classic delivery mechanism for a malicious Office attachment).

Tips for protecting them:

Talk with your purchasing department about how to transfer POs and invoices through methods other than email. That way they won’t be tempted to download a malicious attachment that a phisher may disguise as an order or RFP. You can also use salespeople’s need for speed to help convince them to slow down. Remind them about the downtime a successful phishing attack can cost them. If their computer or phone needs to be cleaned and restored that’s potentially hours or even days of calls, demos, and closes they’re going to miss out on. That’s a very good reason to pause and double-check an email before opening an attachment.

2) Employees who have access to financial accounts


Ex: CFOs and other executives.

Executives are a huge prize for cyber criminals. They have access to confidential corporate information, they have a huge network of important contacts, and they receive so many emails that they’re less likely to check for a suspicious email, especially if the phisher can make the email appear like it’s from another executive.

Tips for protecting them:

Require an additional verification step for any sensitive request such as a wire transfer or a change to a vendor's payment details: a phone call to a number already on file, or sign-off from a second approver. The check must happen out of band; replying to the requesting email only confirms the request with whoever sent it.

Nothing gets executives’ attention like reminding them how important they are. Explain why they’re such prized targets. Underscore the havoc it can wreak on the company if they personally get compromised.

3) Employees who have access to sensitive employee information


Ex: HR professionals.

By their very nature, members of the HR team are people people. Their role is often built around sharing information, and they have access to a lot of it. Payroll data, W-2s, employee benefits information, the list goes on.

Phishers can take advantage of this by posing as an employee looking for help accessing their own info, or a high-level executive asking for larger amounts of information. During the 2016 tax season alone, over 50 organizations were tricked into leaking their employees’ W-2 forms by phishing emails impersonating requests from CEOs.

Tips for protecting them:

Most people got into HR because they want to help their fellow employees. Reminding them of the potential damage a leak could do, and the headache that follows, is an effective way to get them to see that the seconds they save by not checking whether a request is legitimate can mean hours of pain for their co-workers. Any request for bulk employee data, especially one that arrives by email in an executive's name, should be confirmed with that person through a second channel before anything is sent.

4) Employees who just don't think before they click


Ex: Potentially anyone in a rush.

It’s easy to pass the blame off on users and say they’re dumb for making mistakes, but the truth is many phishing attacks have evolved to become remarkably convincing. It’s common for attackers to use info they find online and in employees’ social profiles to craft credible, personalized messages. In some cases, criminals are even able to pose as the company CEO.
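As an added example (not Barkly's code, and not something the original post provides), here is how IT could triage a reported message for the executive-impersonation pattern described above and in section 2: a display name that matches a known executive while the address is not the corporate one, a sender domain that is a look-alike of the corporate domain, a Reply-To that points somewhere other than the From domain, and wording that pairs urgency with a request for money or employee data. The corporate domain (example.com), the executive list and the three sample messages are all assumptions constructed for this example.

```python
"""Triage heuristics for executive-impersonation ("CEO fraud") emails.

Added example, not Barkly's code. The corporate domain, the executive
roster and the sample messages below are constructed assumptions.
"""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                      # assumption: the company's real domain
EXECUTIVES = {"pat ceo": "pat@example.com",      # assumption: display name -> real address
              "alex cfo": "alex@example.com"}
URGENT_WORDS = ("urgent", "asap", "immediately", "confidential", "today")
SENSITIVE_WORDS = ("wire", "w-2", "w2", "payroll", "gift card", "invoice")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance; used to flag look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    findings = []

    # 1. Display-name impersonation: right name, wrong mailbox (often free webmail).
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append("display name %r matches an executive but address is %s" % (name, addr))

    # 2. Look-alike domain: within two edits of the real corporate domain.
    if from_dom and from_dom != CORP_DOMAIN and _edit_distance(from_dom, CORP_DOMAIN) <= 2:
        findings.append("look-alike sender domain %s" % from_dom)

    # 3. Reply-To redirects the conversation away from the apparent sender.
    if reply and _domain(reply) != from_dom:
        findings.append("Reply-To %s differs from From domain %s" % (reply, from_dom))

    # 4. Urgency combined with a money or employee-data request.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    blob = str(msg.get("Subject", "")).lower() + " " + text
    if any(w in blob for w in URGENT_WORDS) and any(w in blob for w in SENSITIVE_WORDS):
        findings.append("urgent request involving money or employee data")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_CEO_FRAUD = """\
From: Pat CEO <pat.ceo@gmail.com>
Reply-To: pat.ceo@gmail.com
To: alex@example.com
Subject: Urgent wire transfer

Alex, I need a wire sent today. I'm in a meeting, keep this confidential.
"""

SAMPLE_LOOKALIKE = """\
From: Alex CFO <alex@exarnple.com>
To: hr@example.com
Subject: W-2 request

Please send me the W-2s for all staff ASAP.
"""

SAMPLE_BENIGN = """\
From: Pat CEO <pat@example.com>
To: all@example.com
Subject: Company picnic

The picnic is Friday. Bring your family.
"""

if __name__ == "__main__":
    for label, sample in (("ceo-fraud", SAMPLE_CEO_FRAUD),
                          ("lookalike", SAMPLE_LOOKALIKE),
                          ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

These are heuristics for a human reviewer, not a blocking filter. The display-name check is the one worth noting: a message from `pat.ceo@gmail.com` passes SPF, DKIM and DMARC perfectly well, because the attacker really does own that mailbox, so domain authentication alone never catches the free-webmail variant of CEO fraud.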

Tips for protecting them:

Actively encourage employees to contact IT anytime they run across an email that looks suspicious, and provide a clear policy for doing so.

Remember, positive reinforcement works. A company-wide thank-you email praising employees who report suspicious emails can be more powerful than 10 email reminders about not downloading .exe files.

Want to learn more ways to keep your employees safe?

Download our Phishing Field Guide: How to Keep Your Users Off the Hook.

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.
