With summer vacations leaving employees out of the office, phishing attacks are on the rise. Here are three ways businesses can stay prepared.
With summer just around the corner, it seems like everyone is on vacation. Just look at the number of OOO (out of office) replies piling up in your inbox.
While the organization must adapt to continue operating normally with 75% of its workforce, it is now even more susceptible to phishing attacks.
In the ever-evolving war between hackers and organizations, 3.4 billion phishing attacks are launched every day. Each attack is better than the last, and the art of deception progresses quickly. With summer vacations on the rise, OOO responses are also on the rise, turning summer into Christmas time for the hackers. That’s because OOO replies hand these bandits exactly the information they need to generate targeted phishing attacks.
While employees really want to stay diligent and not miss emails while they’re away, every OOO reply inadvertently provides information about the mailbox owner, such as dates, forward contacts, alternate emails, phone numbers, titles, and possibly even details about the holiday location. Such information is “hacker heaven” as there are plenty of details to create sophisticated and personalized phishing attacks that can hit employees as soon as they get back from vacation.
SEE: Cybercriminals’ phishing kits make credential theft easier than ever (TechRepublic)
For example, a phishing attack might look like this:
Glad you’re back from your vacation. I hope you enjoyed it.
I just wanted to remind you to update your security information.
Click here to complete your process.
The SOC team
The above example is just one of thousands showing how a personalized email can get employees who haven’t had phishing training in a while to click on a link that leads to a significant data breach. With the current average cost of attacks rising to $14.8 million USD, up from $3.8 million USD in 2015, organizations are advised to step up their security awareness efforts, especially now during the summer.
3 protective measures for the summer
The guidelines below assume that a security awareness program is already in place. If employees are trained monthly to detect phishing attacks, that practice pays off the moment they get back from vacation and start working through their inboxes.
Provide employees with guidelines on what they should and should not write in the OOO notification
Information shared in the OOO responses can increase the likelihood of personalized phishing attacks. Therefore, set up policies and guidelines about what an OOO response should be.
While each organization has its own policies when it comes to cyber hygiene, it is recommended that OOO replies do not include personal forwarding email addresses, phone numbers, or names. If a forwarding address is necessary, consider using a dedicated mailbox that can be deactivated shortly after the vacation ends. Do not state the reason for the absence or the travel destination. Keep it short. Keep it safe.
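As an added example, not from the article or from CybeReady, the following Python checker applies the guideline above to the text of an OOO auto-reply before it goes live and reports each detail the policy says to leave out. The patterns, the allowed shared mailbox and the sample replies are constructed for this illustration.

```python
import re

# Dedicated/shared mailboxes that policy permits in an OOO reply
# (constructed placeholder for this example; replace with your own).
ALLOWED_CONTACTS = {"support@example.com"}

# Details the guideline says an OOO reply should not reveal. The regexes
# are intentionally simple and only illustrate the idea; tune them locally.
CHECKS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}"),
    "phone number": re.compile(
        r"(?:\+\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
    "reason for absence": re.compile(
        r"\b(?:vacation|holiday|honeymoon|wedding|conference|sick leave|"
        r"medical|maternity|paternity)\b", re.IGNORECASE),
    "travel location": re.compile(
        r"\b(?:in|to|at|from|visiting)\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?"),
    "named contact": re.compile(
        r"\b(?:contact|reach|call|email)\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?"),
}

# A reply that follows the guideline: dates and a dedicated mailbox only.
SAFE_TEMPLATE = (
    "Thank you for your email. I am out of the office until {date} and "
    "will reply when I return. For urgent matters, please contact {mailbox}."
)

# Constructed sample replies; the name, address and number are fictional.
RISKY_REPLY = ("Hi! I'm on vacation in Paris until 14 August. For urgent matters, "
               "contact Jane Doe at jane.doe@example.com or call +1 555-010-0199.")
SAFE_REPLY = SAFE_TEMPLATE.format(date="14 August", mailbox="support@example.com")


def check_ooo(text: str) -> list[tuple[str, str]]:
    """Return (category, matched text) for every disallowed detail found."""
    findings = []
    for category, pattern in CHECKS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            # A dedicated shared mailbox is the one address the guideline allows.
            if category == "email address" and value.lower() in ALLOWED_CONTACTS:
                continue
            findings.append((category, value))
    return findings


def is_safe(text: str) -> bool:
    """True when the reply contains none of the flagged details."""
    return not check_ooo(text)


if __name__ == "__main__":
    for category, value in check_ooo(RISKY_REPLY):
        print(f"{category}: {value!r}")
    print("safe template passes:", is_safe(SAFE_REPLY))
```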
Provide employees with summer guidelines for corporate device security
Employees traveling abroad, especially for a long vacation, often take their laptops or other business devices with them. Laptops can be stolen or forgotten in any coffee shop, and even without that risk, working away from the office exposes employees to unprotected public Wi-Fi networks more than usual, with a higher chance of picking up malware.
SEE: Mobile Device Security Policy (TechRepublic Premium)
Just before they leave, we recommend reminding employees of your laptop security policy, the rules for using public Wi-Fi (including which systems may be accessed over it), and how to check email safely on devices that are not their own.
Install anti-phishing software
To reduce the burden of phishing detection on employees, anti-phishing software can help. This software inspects the content of emails, websites and other means of accessing data over the Internet and then warns the user about a threat. This safety net can also block likely phishing emails before they reach a person’s inbox.
Why it’s important to run phishing simulations every month
Running phishing simulations continuously, at least once a month, provides hands-on experience that is invaluable for learning and maintaining good cyber habits.
Phishing simulations, especially personalized ones, teach employees how to deal with phishing attacks through hands-on exercises, which improves retention. Such awareness training programs are most effective when they run regularly and frequently and target the threats employees are most likely to face based on their job title, department, or location.
Organizations that train their employees before the vacation season can rest assured that this knowledge will be retained throughout the summer.
When dealing with hackers, we must not forget that they are improving every day. Consistent training of your employees is the only remedy that keeps your organization safe.
Omer Taran is the co-founder and CTO of CybeReady. As a co-founder, Omer serves as the company’s resident technologist. His vision for CybeReady drives him to create a product roadmap that serves a variety of enterprise customers by combining learning best practices with innovation. He is known for bringing ideas to life quickly and precisely. Omer’s huge technical chops are matched only by his pun making skills.