Gone phishing…

What do the likes of Yahoo, American Express, PayPal and Target (US) have in common? They were all victims of brutally efficient phishing scams that ended up costing millions of dollars and in some cases tarnished reputations.

Traditionally, phishing scams have been associated with email communication. Common attacks include the Nigerian Letter or ‘419’ fraud, which promises reimbursement of funds or unclaimed monies in exchange for banking details. However, attackers are becoming increasingly savvy and have started looking to platforms such as social media and smartphone apps to exploit users.

Case studies

In 2016, PayPal users were targeted after a number of fake support accounts appeared on Twitter. The accounts monitored individuals who tweeted the verified @PayPal account for support, and then replied to those messages with a link to a compromised website.

Domestically, a number of recent phishing attacks have been designed to maximise their effect in Australia. Examples of credible local attacks involve the Australia Post and Telstra brands. The attacks are designed to not only look real, but play on a person’s inquisitive nature and desire to take a closer look at the email.

Safety and awareness training

One of the best defence mechanisms for this type of attack is the awareness and vigilance of people. Employees, especially those in financial support roles for transactions and in payment processing teams, can be a critical detection element in a modern cybersecurity defence program.

Targeted approaches from would-be cyber criminals evolve daily, so an annual eLearning module and confirmation is not sufficient.

Email phishing campaigns designed to train and test your employees are a good example of effective strategies for building awareness in a safe and controlled manner. Ideally, these should evolve and adapt as threats change and they should take account of more complex threats should these become more apparent.

What is the purpose of such a campaign?

According to the most recent data breach reports, phishing emails and social engineering are among the most common forms of cyber-attack that organisations must manage. Some statistics suggest that almost 30% of phishing messages are opened, but only 3% of those users reported the messages to management.

Phishing exercises provide regular opportunities for real-time teaching, and if conducted in the spirit of the intent (e.g. raising collective awareness and helping each other out, as opposed to picking on people who are perceived as the weakest link) then they are also a great way of measuring the success of regular engagement with your workforce.