How to Measure Your Team's Email Security Savviness – BizTech Magazine

Phishing Scams Hidden in Plain Sight

While current phishing efforts still bear fruit, hackers keep improving their tactics.

Cybersecurity experts note that three new attack types have been making the rounds as malicious actors attempt to circumvent security: calendar invitation attacks, image-based attacks and special character attacks.

In calendar invite attacks, cybercriminals send meeting invitations to their targets, often containing attachments. The title and sender of the meeting may seem familiar, encouraging users to click through and compromise themselves. Image-based attacks, meanwhile, use emails that contain only images and links but no text. This allows them to circumvent many phishing detection tools and make their way into employee inboxes. Finally, special character attacks may use characters such as zero-width Unicode characters, which are not visible to recipients and make it seem as if links or attachments are legitimate.
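A defender-side check for two of the patterns described above, added here as an example that is not from the original article: it flags zero-width and other invisible Unicode characters in an email's text and link targets, and flags HTML bodies that contain images and links but no visible text. The function names, finding labels and sample bodies are constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser

def invisible_chars(text):
    """Return (index, 'U+XXXX NAME') for each invisible format character."""
    # Zero-width space/joiners, word joiner, BOM and soft hyphen are all
    # Unicode category Cf, so test the category instead of a fixed list.
    return [(i, f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}")
            for i, c in enumerate(text) if unicodedata.category(c) == "Cf"]

class _BodyScan(HTMLParser):
    """Collect rendered text, image count and link targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.images, self.links, self._skip = [], 0, [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1            # contents are never shown to the reader
        elif tag == "img":
            self.images += 1
        elif tag == "a":
            self.links.append(dict(attrs).get("href") or "")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def scan_email(html):
    """Return a list of findings for one HTML email body."""
    p = _BodyScan()
    p.feed(html)
    p.close()
    raw = "".join(p.text)
    # Visible text is what is left after dropping invisible chars and whitespace.
    visible = [c for c in raw if unicodedata.category(c) != "Cf" and not c.isspace()]
    findings = []
    if invisible_chars(raw):
        findings.append("invisible-char-in-text")
    if any(invisible_chars(href) for href in p.links):
        findings.append("invisible-char-in-link")
    if p.images and p.links and not visible:
        findings.append("image-only-body")
    return findings

# Constructed sample bodies (not real messages).
SAMPLE_ZW = '<p>Sign in to your acc\u200bount</p><a href="https://example\u200b.com/login">Portal</a>'
SAMPLE_IMG = '<html><body><a href="https://example.com/x"><img src="cid:banner"></a>\n</body></html>'
SAMPLE_OK = '<p>Agenda attached.</p><a href="https://example.com/agenda">Agenda</a>'
```

Category Cf characters also occur in legitimate mail (joiners in emoji sequences and some scripts, bidirectional marks), so these findings work best as signals for scoring or review rather than as a sole reason to block.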

How to Detect a Phishing Attack 

The best way to defend against phishing attacks is to detect them before they reach inboxes. As noted above, however, this isn’t always possible, so it’s critical to evaluate staff response when phishing emails arrive.

According to the Mimecast survey, 80 percent of companies say that they are at risk due to inadvertent data leaks by careless or negligent employees. This speaks to the critical nature of employee training: If employees know what to look for, they can avoid common phishing hooks.

The benefits of training, however, aren’t guaranteed or permanent. According to one survey, 27 percent of companies reported no improvement in phishing success rates even after they’d implemented training programs. Employee training must be engaging for it to be effective, says Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

“Does it get and hold their attention? Does it make them curious for more?” said Plaggemier, speaking recently at the RSA Conference cybersecurity event. “Have you ever had anyone come to you after taking your security training and ask for more? It very rarely happens.”

Training must also be repeated so employees don’t forget what they’ve learned, and updated so they can be told about cybercriminals’ latest dark innovations. As attacks evolve and new employees come on board, companies should conduct regular security training to ensure staff are up to speed.

Solutions such as Mimecast’s security awareness training kit can help. With continuous, engaging, video-based microlessons, employees can both acquire and keep the security skills they need to keep attackers at bay.
