Employees can still assist the bad guys in compromising the overall safety of your organization. Over the years, we’ve reinforced these security ideas in our blogs and social media with the idea that clicking or interacting with these criminals only continues to broaden your vulnerability, making your risk of attack that much greater. These criminals are constantly adapting with every failed attempt. The criminals appear to have wised up again, as they have begun focusing more on getting employees to reply.
By drawing people into some form of back and forth email exchanges, employees begin unwittingly training these criminals, through what warrants a potential reply. One of the ways they learn to phish companies is by learning how your employees work.
Here’s the key: even if your employees or users don’t take the bait, and click on the links/files, they can still do damage to your organization’s security, when engaging with malicious actors behind email.
Recently we were reminded of this hard lesson by a client of ours whose Human Resources and Payroll departments recently dealt with a well-executed payroll phishing scam. This customer found the experience of dealing with this phishing attempt eye-opening, so much so they sent a company-wide email to address concerns. Payroll and Human resources are the most common attacks – because that’s historically been where the money is.
One of those key takeaways found in their email is worth repeating:
“As the ‘Phisher’ received reply emails from our staff, the phisher incorporated staff names into future emails to make the email look more authentic…This was all done by tricking our staff to answer simple questions and unwittingly provide information that can lead to financial fraud as in this situation.”
Even simple email conversations that seem innocent and routine provide malicious actors with information that can be weaponized and used against your organization. We ask your teams to think before you click. If your employees are engaged in an email exchange that seems off or suspicious, STOP – and notify your manager or IT Department.
Not feeling prepared to handle cybersecurity yourself? – Let our experts help!