Understanding why employees fall for more phishing attacks during the holiday season and training them to resist the ‘urge to click’ can empower enterprises to navigate safely through this high-risk time of year.
The holiday season is definitely here: house fronts and businesses all over the world are getting adorned with festive ornaments; holiday party plans are shifting gears and shoppers are hard at work picking out gifts for family, friends and colleagues.
But among those uplifting moments lurks a growing threat. Hackers around the world are constructing new phishing attacks that are meticulously planned to target employees when they are in their most vulnerable mindset. Threat reports indicate that global organizations encountered a 57.5% increase in cyber attacks during the 2017 holiday shopping season and expect this trend to continue during the 2018 holiday shopping season.
Just last week, the FBI issued a warning about new cyber fraud vectors. During the holiday season, the FBI alerts the public “to beware of bargain emails advertising ‘one day only’ promotions for recognized brands or websites”. In addition, the FBI advises “to not respond to unsolicited (spam) email, avoid filling out email forms that ask for personal information and remain cautious of emails claiming to contain pictures or attached files, unless they come from an identified source”.
What makes employees and organizations vulnerable to phishing attacks, especially during this festive season?
When sending socially engineered attacks, hackers use context, timing and psychological motivations to their advantage. Holiday season vectors are just one example of how real-life events inspire phishing attacks, similar to global sports events, natural disasters, or even terrorist attacks – where the combination of context and timing increases the risk of potential security breaches.
One common holiday season attack targets busy office managers, who are under time pressure and budget constraints to find the right holiday gift for the company's employees, customers or partners. This makes them more likely to click on a phishing email that offers a special deal on a hot-ticket item. Since they are already searching for that type of information, these employees are “ripe” for that targeted phishing attack.
Another common example is a phishing attack featuring “The company holiday party pictures” which typically targets multiple functions in the organization. CybeReady’s phishing simulation data, which was collected from over 100 enterprise customers, shows high click rates (up to 43%) when using this real-life message to train employees. The context and psychological manipulation here are pretty straightforward: almost every company throws a holiday event and employees are curious to relive those fun moments and share experiences on social platforms. Hackers carefully plan these types of attacks and entice employees to click on the “photo link”, which triggers an attack on the employee’s file drive. The results of such hasty human errors can be destructive and turn a joyous season into an organizational catastrophe in an instant.
The growing complexity of phishing attacks requires security teams to implement smart, continuous anti-phishing training that truly changes employees’ behavior. CybeReady’s autonomous simulation platform reduces organizational security risk via a machine-learning-powered engine. Utilizing real-life attack vectors, it assigns and adapts email simulation content based on each employee’s professional profile, region, language and behavior – all with nearly zero effort from security teams.