Monday, October 29, 2007

Policy Sound-Off - Responding to Email Requests

Phishers are coming up with increasingly sophisticated ways to persuade corporate users to open, and act on, their emails. Two recent incidents, using two different attack methods, illustrate the growing threat.

In the first, a large retail grocery chain narrowly escaped a $10 million loss when employees were instructed via email to begin depositing funds to a new bank account for two existing vendors. In this case of very narrow "spear phishing", the attackers clearly had specialized knowledge of the company's operations and vendor relationships that made the emails seem legitimate. They targeted specific individuals within one organization, which makes detection more difficult.

Another recent phishing attack involves fake email messages claiming to come from the Equal Employment Opportunity Commission (EEOC). In this attack, the fake emails claim to be notifying the company of an employee complaint made against the organization. This is one of many examples of phishers playing on employees' desire to comply with state and federal legislation. In these attacks, many organizations are targeted at once, but with a more credible-sounding business message than the typical mass mailing. In both the narrow and the broad approach, attacks are getting more sophisticated and often contain logos and content stolen directly from the organization being spoofed in the emails.

Does your organization have a formal policy on how your employees and contractors should respond to external requests for sensitive information or for changes to payment details? At a minimum, such a policy should require that a request of either kind be verified through a channel other than the one it arrived on, such as a phone number already on file for the vendor or agency, before anyone acts on it. Are employees educated on the various types of phishing attacks, including where and how to report a suspected attack?

(Note: For organizations that wish to include phishing attacks in their formal training and awareness programs, the January 2008 issue of Protecting Information will cover social engineering in more detail.)