Phishing messages plague office workers and social networks

News by Dan Raywood

Phishing messages continue to plague corporate workers, with an average of six messages received every day.

Phishing messages continue to plague corporate workers, with an average of six messages received every day.

A survey of 1,000 office workers by PhishMe found that 60 per cent of people fall for the messages and Aaron Higbee, CTO of PhishMe, said that people have a lot to lose if they fall for emails both at home and at work.

Higbee said: “Spear phishing is the criminals' preferred method of choice if they want to get inside an organisation. Some employees falsely believe that their role isn't important enough for a hacker to attempt to spear phish them. If the attacker's main goal is to simply obtain access to an internal network, they won't discriminate. Everyone is a potential target. Their methods are increasingly more sophisticated and use social media more and more to tailor-make emails that trick people into opening them.

“We have found that workers are not connected to protecting their corporate assets. They believe it's the security team's job to protect them from all outside threats, and that security products alone can protect the ‘corporate crown jewels'.

“However, it's a different case when it comes to people protecting their own data on their mobile devices or home computers — our experience shows that people are far more likely to be on their guard when looking at emails at home because they have far more to lose than at work.”

A year ago, the anti phishing working group (APWG) announced that February 2012 saw record amounts of phishing emails detected, while research from Trend Micro found that 91 per cent of targeted attacks begin with a spear phishing message. 

GFI Software's VIPRE report for January 2013 found that phishing campaigns were particularly rampant on social networks last month. It said that a number of social network-based cyber crime attacks, including phishing messages on Twitter and Facebook, as well as malicious spam messages disguised as event invites on LinkedIn.

The Twitter campaign was especially prominent, as after the attack cyber criminals stepped up their efforts, according to research by Websense.

GFI Software said that similar messages were seen on Facebook and LinkedIn, with Facebook users receiving messages claiming that the victims had violated the social network's policies by ‘annoying or insulting' other users, and ordering them to reconfirm their accounts to avoid being banned from the site.

Clicking on the link took them to a page where they had to complete a ‘security check' by entering personally identifiable information, their Facebook login credentials, which webmail service was linked with their Facebook accounts and the first six digits of their credit card, regardless of whether or not they had purchased Facebook credits in the past.

The LinkedIn scam saw members who identified themselves as business owners receiving spam emails notifying them that an employee had sent them an event invitation. Clicking on the links in the email directed the victims to malicious sites containing malware that exploited unpatched vulnerabilities on their systems.

Christopher Boyd, senior threat researcher at GFI Software, said: “More and more young people entering the workforce think of social networking as a standard part of everyday life. By focusing their efforts on these sites, cyber criminals can increase their chances of fooling a larger number of users to unknowingly download malware onto their PCs and mobile devices. As a result, these users end up providing social network account information that can be used to reach even more potential victims.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews