ADP, one of the nation’s largest HR-related data processors, last year saw a 230 percent increase in questions clients posed about their data protection policies. Perhaps more alarming is that these questions are coming from not only large organizations, but smaller organizations as well. While protecting data is important for ADP, protecting personal employee data needs to start internally, at the organization itself.
According to the TechTarget article – Phishing Attacks are the Top Employee Data Breach Threat for HR – HR departments are seeing first-hand the dangers of sophisticated phishing attacks.
The IRS issued a warning to HR and payroll professionals about the risk that phishing poses. Last January, it renewed its warning and said phishing schemes seeking W-2 forms had victimized “hundreds of organizations and thousands of employees.” And the problem for HR departments may be getting worse.
In a recent SlashNext sponsored whitepaper – Addressing the Key Cybersecurity Issues Organizations Face – Osterman Research found that 51 percent of survey respondents said email-based spear phishing was a concern or major concern. CEO Fraud/Business Email Compromise (BEC) is a more targeted phishing attack, generally aimed at convincing just one person or a very small group, such as a CFO or someone in HR with access to sensitive and valuable information, to perform a task.
The attacker normally requests a specific action, for example wiring funds or sharing confidential information, such as W-2 data. Spear phishing attacks are difficult for conventional security defenses to recognize, since they virtually never contain a malicious payload or link. These types of attacks are enabled by the stealthy nature of more sophisticated cybercriminal activity: an infiltration will occur and the criminal will search for things like wire transfer timing, amounts of these transfers and their recipients; executives’ travel schedules; etc. and then craft a CEO Fraud/BEC attempt with the goal of tricking a victim into transferring money or data.
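As an added illustration (not SlashNext's code or the post's own), the following Python heuristic flags the indicators a payload-free CEO Fraud/BEC message of the kind described above tends to carry: an executive's display name on an external address, a look-alike sender domain, a Reply-To pointing elsewhere, and wire-transfer or W-2 request wording. INTERNAL_DOMAIN, EXECUTIVES and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
EXECUTIVES = {"Jane Doe"}         # assumption: display names an attacker would imitate
# Wording typical of the wire-transfer / W-2 requests the post describes
REQUEST_TERMS = ("wire", "transfer", "w-2", "w2", "payroll", "urgent", "confidential")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> List[str]:
    """Return the heuristic BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    found = []
    if name in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        found.append("executive display name from external address")
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        found.append(f"look-alike sender domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in REQUEST_TERMS if t in text]
    if len(hits) >= 2:   # one word alone is common in legitimate mail
        found.append("request wording: " + ", ".join(hits))
    return found

# Constructed sample: no link, no attachment, just a request, as in the post
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@mail-example.net>
To: payroll@example.com
Subject: Urgent W-2 request

Please send me the W-2 forms for all staff as a PDF today. Keep this confidential.
"""

if __name__ == "__main__":
    for indicator in bec_indicators(SAMPLE):
        print(indicator)
```

Each indicator on its own is weak; the value is in combining them and routing matches to a human review queue rather than blocking on any single one.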
One of the reasons spear phishing attacks are so successful is simply human nature. After all, how many people would question a legitimate-looking email from a senior executive? Answer… not many!
Another reason for spear phishing success is that a targeted attack will often bypass an organization’s security defenses using sophisticated malware to gain access to endpoints or other resources. The goal of the attack might include just poking around a corporate network, stealing intellectual property, or stealing login credentials for corporate financial accounts. There are a lot of reasons why cybercrime – including phishing and spear phishing – is successful, but as we’ve blogged about before, people are the weak link in the security chain; the blind spot, as we say.
Osterman found that most corporate users are not adequately trained on security issues. The survey for the above referenced whitepaper found that three percent of users are never trained on these issues, 30 percent receive training only once per year, and another 21 percent are trained only twice per year. That means that more than one-half of users receive minimal or no training on how to deal with the variety of security threats that they encounter on a regular basis.
To tackle these sophisticated phishing and spear phishing attacks, a new approach is needed! SlashNext is the industry’s first purpose-built solution for definitive real-time detection and protection against zero-hour phishing threats on the Web. We use live Session Emulation and patent-pending SEER™ detection technology to detect malicious sites in real-time. This allows us to detect previously unknown phishing threats in just seconds – threats that fall outside of mass email scams and malicious attachments.