OK, here is great ammo to get more IT security budget. Why? This article and infographic make it real to the C-suite that they themselves have a big phishing target on their back.
You all know that spear-phishing is very effective. Cloudmark calls it “The Secret Weapon Behind the Worst Cyber Attacks”, and created an infographic of 10 recent major breaches (below), from Target to OPM, that started with a successful spear-phish.
Since January 2016, we have seen a massive rise in CEO Fraud, which you could call a spear-phishing derivative. The FBI calls it "BEC" (Business Email Compromise), and like spear-phishing it uses social engineering and spoofed CEO emails to manipulate senior executives, HR and Accounting into damaging actions. A good example is the recent spate of W-2 scams, where the tax information of all employees gets emailed to the bad guys.
Cloudmark's Tom Landesman has compiled a list of 55 companies that were taken in by these W-2 attacks, and comments, "It's likely that even more have been compromised, but have not come forward." Obviously it is tailing off now that tax season is ending, but it will be back in full force next year.
Just last week it surfaced that a Mattel finance officer sent over $3 million to the Bank of Wenzhou, in China. The bad guys are not just targeting America: in January the BBC warned that the "fraude au president" is widespread across France.
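The CEO-fraud emails described above share a few recognizable traits on the receiving end: an executive's display name over an outside mailbox, a lookalike sender domain, a Reply-To that points somewhere else, and wire-transfer or W-2 wording. Below is an added illustration of how a mail filter could score those traits; it is not KnowBe4, Cloudmark or FBI code, and the company domain, executive roster and three sample messages are all constructed.

```python
"""Flag e-mails that show the traits of CEO fraud / BEC impersonation.

Added example, not code from the original post. The company domain,
executive roster and sample messages below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumed company domain
EXECUTIVES = {                            # constructed roster: display name -> real mailbox
    "Jane Doe": "jane.doe@example.com",
    "Bob Stone": "bob.stone@example.com",
}
# Wording typical of the wire-transfer and W-2 lures discussed above
LURE_RE = re.compile(r"\b(wire transfer|w-?2|urgent|confidential|tax)\b", re.I)

# Constructed sample messages: one legitimate, two impersonation attempts
SAMPLE_MESSAGES = {
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Subject: Board deck\n\n"
        "Please send me the latest slides.\n"
    ),
    "display_spoof": (
        'From: "Jane Doe" <jane.doe.ceo@gmail.com>\n'
        "Subject: Urgent wire transfer\n\n"
        "I need you to process a wire transfer today. Keep this confidential.\n"
    ),
    "lookalike": (
        "From: Bob Stone <bob.stone@examp1e.com>\n"
        "Reply-To: payroll@examp1e-finance.net\n"
        "Subject: W-2 request\n\n"
        "Send me the W-2 forms for all employees as a PDF.\n"
    ),
}


def _norm(name: str) -> str:
    """Lower-case a display name and collapse punctuation/whitespace."""
    return re.sub(r"[^a-z]+", " ", name.lower()).strip()


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to spot single-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True for domains close to, but not equal to, the company domain."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    label = COMPANY_DOMAIN.split(".")[0]
    cand = domain.split(".")[0]
    # examp1e.com (character swap) or example-hr.com (label embedded)
    return _levenshtein(cand, label) <= 2 or (label in cand and cand != label)


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable BEC indicators found in one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    indicators = []

    # 1. Executive display name over a mailbox that is not the executive's
    for exec_name, exec_addr in EXECUTIVES.items():
        if _norm(exec_name) == _norm(display) and addr != exec_addr:
            indicators.append(f"display name '{display}' matches executive but From is {addr}")

    # 2. Sender domain imitates the company domain
    if is_lookalike_domain(domain):
        indicators.append(f"lookalike sender domain {domain}")

    # 3. Replies are steered to a different mailbox
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr:
        indicators.append(f"Reply-To {reply_addr} differs from From {addr}")

    # 4. Payment / tax-record lure wording in subject or body
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    lures = sorted({m.lower() for m in LURE_RE.findall(text)})
    if lures:
        indicators.append("lure wording: " + ", ".join(lures))
    return indicators


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", bec_indicators(raw) or "no indicators")
```

The identity checks (1 to 3) are the ones worth acting on; the lure wording alone will also fire on plenty of legitimate finance mail, so it is best used to raise the priority of a message that already tripped an identity check rather than as a signal on its own.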
The FBI has been on full alert, warning people there are more than 17,000 victims and 2.3 billion dollars lost in the last two years, and instructing people to verify transactions by "picking up the phone".
Despite all that, CEO fraud is even more successful than spear-phishing. Kevin Townsend at SecurityWeek suggested two major reasons: "firstly, few companies deliver security awareness training (such as simulated phishing attacks) against their own C-suite; and secondly, many senior executives still don't believe that security is their personal concern."
"More than 90 percent of corporate executives said they cannot read a cybersecurity report and are not prepared to handle a major attack, according to a new survey.
More distressing is that 40 percent of executives said they don't feel responsible for the repercussions of hackings, said Dave Damato, chief security officer at Tanium, which commissioned the survey with the NASDAQ."
Here is the infographic: an interesting summary of the recent attacks, all of which could have been prevented with effective security awareness training.
Sending frequent simulated phishing attacks to your users is a great way to keep them on their toes with security top of mind. Also, it's fun. Here is a quote from a KnowBe4 customer: