Archive

Businesses use fake scam emails to root out security issues | TribLIVE.com
U.S./World

Businesses use fake scam emails to root out security issues

The Associated Press
StepAwayFromThatEmailJPEG09802
Users browse the Internet in an underground station in Hong Kong. As hacks abound, some companies are testing workers' security-savvy by sending spoof phishing emails to see who bites. Photo taken June 16, 2013.

NEW YORK — The next phishing email you get could be from your boss.

With high-profile security breaches on the rise, from Sony Pictures to Anthem, companies are on the defensive. And they want to make sure their employees are not a hack waiting to happen.

Data show phishing emails are more and more common as entry points for hackers. Unwittingly clicking on a link in a scam email could unleash malware into a network or provide other access to cyberthieves.

So a growing number of companies, including Twitter Inc., are giving their workers a pop quiz, testing security savvy by sending spoof phishing emails to see who bites.

“New employees fall for it all the time,” said Josh Aberant, postmaster at Twitter, during a data privacy town hall meeting recently in New York City.

Falling for the fake scam offers a teachable moment that businesses hope will ensure employees won’t succumb to a real threat. It’s even a niche industry: companies such as Wombat Security and PhishMe offer the service for a fee.

Phishing is very effective, according to Verizon’s 2014 data breach investigations report, one of the most comprehensive in the industry. Eighteen percent of users will visit a link in a phishing email which could compromise data, the report found.

Not only is phishing on the rise, the phish are getting smarter. Criminals are “getting clever about social engineering,” said Patrick Peterson, CEO of email security company Agari. As more people wise up to age-old PayPal and bank scams, for example, phishing emails are evolving. You might see a Walgreens gift card offer or a notice about President Obama warning you about Ebola.

The phishing tests recognize that many security breaches are the result of human error. A recent study by the nonprofit Online Trust Alliance found that of more than 1,000 breaches in the first half of 2014, 90 percent were preventable and more than 1 in 4 were caused by employees, many by accident.

Fake phishing emails are indistinguishable from the real ones. That’s the point. In one sent out by Wombat, the subject reads “Email Account Security Report — Unusual Activity.” The email informs the recipient that his or her account will be locked for unusual activity, such as sending a large number of undeliverable messages. At the bottom, there’s a link that, were this a real phishing email, would infect the recipient’s computer with malicious software or steal password and login information.

If you click?

Up pops a web page: “Oops! The email you just responded to was a fake phishing email. Don’t worry! It was sent to you to help you learn how to avoid real attacks. Please do not share your experience with colleagues, so they can learn too.” It offers tips on recognizing suspicious messages.

In the 14 years since PhishMe CEO and co-founder Rohyt Belani has been in information security, he said the industry has changed from something a “geek in the back room” was supposed to take care of to something companies now handle at the highest level of management. The nature of the intruder has changed, too, from pranksters to criminal organizations and nation-states.

As the security industry developed, he said, so did the idea of the user as “stupid” and the “weakest link,” destined to continue to fall for phishing attempts and other scams. Belani disagrees with that, faulting the security industry for not better training workers.

“We posted posters in hallways, gave out squishy balls, (made) screen savers,” he said. “When was the last time you changed your password because of a squishy ball?”

While phishing training emails are a “good cautionary measure,” they aren’t “actually going to strike at the core of the issue,” believes Agari’s Peterson. He, along with large Internet companies such as Facebook Inc., Google Inc. and Microsoft Corp., support establishing a standard that makes it impossible for scammers to impersonate a bank, social network or other business in an email. Think of it as a verification system for emails. For now, though, this seems a long way off.

So, at Pinnacle Financial Partners in Nashville employees will continue to receive fake phishing emails, about one a quarter. The results are reported to the company’s audit committee and board of directors, said Chief Information Officer Randy Withrow. Since the 800-employee company started the Wombat program, Withrow said it has seen a 25 percent drop in successful phishing attempts.

Workers “take it very personally” when they fall for it, he said. “They become apologetic and wonder, ‘How did I miss it?’”

Luckily for Pinnacle, it was only a test.

TribLIVE commenting policy

You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.