image
Patrick Domingues
Data Breach

Facebook Exposed 267M Users Phone Numbers

Researchers have found a database which exposes the names, phone numbers and Facebook user IDs of 267M of the Facebook users. This database was left unsecured on the web for nearly two weeks before it was removed.

The Data Exposed

In total 267,140,436 records were exposed. Most of the affected users were from the United States. Diachenko says all of them seem to be valid. Each contained:

  • A unique Facebook ID
  • A phone number
  • A full name
  • A timestamp

“A database this big is likely to be used for phishing and spam, particularly via SMS,” according to the Thursday report. “Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.”

Facebook users can make some changes in their profiles from being scraped by strangers by adjusting their account privacy settings:

  1. Open Facebook and go to **Settings**
  2. Click **Privacy**
  3. Set all relevant fields to **Friends** or **Only me**
  4. Set **”Do you want search engines outside of Facebook to link to your profile** to **No**

This will reduce the chances of your profile being scraped by third parties, but the only way to ensure it never happens again is to completely deactivate or delete your Facebook account.

Leave a Comment

9 × = 27

Available On Amazon

Polls

What Content Do You Want To See?

View Results

Loading ... Loading ...

g

In this new Internet age, consumers are spending more and more time online. Every time you sign up for a social media account, post a picture, or update your status, you are sharing information about yourself. How can you be proactive and “Do Your Part. #BeCyberSmart”? These simple steps will help you connect with confidence and safely navigate the social media world.

Common Red Flags

 

Someone you don’t know following you or your co-workers inside the office.

Actions to Stay Safe

Contact security about unknown individuals.

 

Someone looking at your screen or watching what you type.

Pay attention to your surroundings and safeguard organizational information.

 

Someone you don’t recognize looking through a desk.

Keep confidential information and devices locked-up/secured when not in use.

 

Social media connection requests from someone you don’t recognize.

Don’t accept unsolicited requests; report them to the service.

 

Receiving an unusual request from someone you know.

Contact the person directly to verify it’s legitimate.

 

Requests that offer you something in exchange for private organizational information.

Be cautious before sharing any personal or organizational information.

 

Unexpected emails, phone calls, and voice or text messages.

Follow your organization’s security policies for handling suspicious correspondences.

 

Urgent requests to take an action.

Never act on emotion and take the time to verify the request is legitimate.

Always stop, look, and think before you click on a link, open an attachment, or take any action!

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

Cyber security is a big deal. If you’re not taking it seriously, you’re probably going to get hacked. Cyber criminals can trick employees into giving them access to sensitive information. For example, 90% of all cyber attacks are caused by human error. That’s why companies need to make sure employees know about how to protect themselves and their company on the internet.
 
To protect your company from cyber threats, you must educate and empower your employees. You can achieve this by taking the right steps to improve their cyber security awareness.
 
In this article, I share 10 ways to help you improve your cyber security awareness program.
 
 

Achieve CEO and Leadership Buy-in

 
The recent rise of cybercrime has led to an emphasis on cyber security in the boardroom. As companies realize how much data is at risk, they’re now forced to manage their cyber risks. The number of data breaches is growing, so businesses now need to take more measures to reduce the chance of attacks.
 
Cyber security is everyone’s responsibility. If a CEO is not concerned about cyber security, it will not be a priority for anyone else in the business. A resilient business needs a strong leader, and this leader must take cyber security seriously. If a CEO is taking cyber security seriously, this will permeate throughout the company and create a culture of cyber resilience.
 
 

Know Your Organizational Tolerances

 
When creating an effective security awareness program, you must first evaluate the threat landscape and identify your top risks. Understanding the real world threats that could compromise your organization’s security gives you a better understanding of what to teach employees.
 
Once you know what you’re dealing with, you can make the right security decisions. If a threat is unlikely to occur or won’t have a large impact on your business, it’s a waste of time and money to focus your efforts on it.
 
 

Defend Your IT Assets

 
To develop a strong cyber security strategy, you need to audit your organization’s information assets. To effectively identify risks, you need to conduct a thorough audit of your organization’s information assets.
 
PII (personally identifiable information) is a valuable asset to your business. Intellectual property, financial information, or any other piece of information that is significant to your company is also important.
 
First, you need to figure out what information is most valuable to your business. Next, you need to identify where it is and who has access to it. You must classify each asset by its value. Then, you can determine which assets are at most risk of being stolen by hackers, and you can protect them accordingly.
 
 

Focus on High-Risk Employees

 
The most important part of an effective security awareness program is to target the right employees. Because everyone is susceptible to cyber threats, it’s important to ensure that any training is relevant. However, certain employees have a higher threat profile than others. For example, your HR and finance departments will be targeted because they have access to sensitive data.
 
Your company’s executives are popular targets for sophisticated cyber attacks. It’s important to know the warning signs of a scam so your CEO, CFO, and other executives don’t fall prey to these schemes. If they do, it could be catastrophic for your entire organization.
 
 

Provide An Engaging And Effective Storytelling Security Awareness Program

 
Cyber security can be a boring topic, but it is a critical one. Cyber attacks are increasing in frequency and you need your staff to take it seriously. One of the most effective ways to get this message across is through storytelling. Each of your employees is unique and has a unique background. Find out what makes them tick and tell a story about a person with their exact same problem. This will be much more effective than dry corporate communications.
 
Stories are fundamental to learning. Stories create an emotional response that makes it easier to remember what’s being taught. Stories are more likely to stick with people if they are relevant to them. This is especially important in cybersecurity, where the story can help users remember security measures for the future.
 
 

Update Your Policy Management 

 
It’s important to have policies that clearly define the boundaries of behaviour for the individuals, processes, relationships, and transactions that exist within your business. Policies also provide a framework for governance, which identifies risk and helps define compliance. This is incredibly important because today’s regulatory landscape has become increasingly complex.
 
A policy management system is an effective way to create policies, add structure to procedures, and track attestation and staff responses. Such a system can streamline internal processes, demonstrate compliance with legislative requirements, and effectively target the areas that present the highest risk to data security.
 
 

Be Prepared For A Data Breach 

 
If you’re not preparing for a data breach, you really should be. Data breaches have been everywhere lately. In fact, IBM says the average cost of a breach is now $3.92 million. What’s even more worrisome is that the global average cost of a data breach has risen to $3.92 million.
 
In this digital world, any business is at risk of being attacked. The question isn’t if, it’s when. You must prepare for the inevitable. Start by putting a plan in place that ensures appropriate action when security is breached. Set up a response plan that educates and informs staff, improves your business structure, strengthens customer and stakeholder confidence, and reduces potential financial losses.
 
 

Enlist Cyber Security Champions

 
Cyber security is not just about your technology. Your people are just as important as your firewall or anti-virus software. Appointing cyber security champions is a good way to empower staff and give them the skills to prevent an attack.
 
Do you want to be a cyber security champion? You don’t need to be an expert. Enlisting human touch is about adding the human touch to your security strategy. How? By tapping into people who are committed to raising awareness and implementing good cyber security practices.
 
 

Consider Your Vendors

 
Cybercriminals are always looking for the weakest link in your cyber security. They will try to hack your company by getting into your vendors. If you want to avoid being hacked, make sure that your vendors are also secure.
 
Vendors are a critical part of business operations, but they can be difficult to manage. In fact, many vendors span a number of different countries. All of which have different levels of cyber security. For this reason, cybercriminals can easily exploit these weak points for their own gain.
 
 

Implement Proper Oversight  and Regular Reviews

 
The threat of cyber-attacks is constantly changing, so you must constantly update your cyber-security awareness program. You need to perform regular reviews of your employees’ knowledge and awareness, identify their areas of weakness, and determine whether they need more training.
 
To make sure you are in compliance with regulators, it is important to document the results of all security reviews and act upon any recommendations for risk remediation. This way, your cyber security awareness program will accurately reflect the threat landscape and keep your organization secure from attack.
 

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

According to the Data Security Report, information security incidents are more prevalent than ever, especially for businesses. Security breaches are no longer the fault of the careless employee, but rather attackers who specifically target companies, looking for vulnerabilities that they can exploit.

In a survey of over 900 employees, the top three security threats identified were: increasingly severe ransomware attacks, more effective phishing schemes, and rampant reusing of passwords.

  • Respondents reported a significant increase in the effectiveness of phishing emails. In surveys, they said that these emails are now much harder to spot, and thus much more dangerous.
  • Ransomware attacks have increased by 25% over the past year. This is especially true for businesses in the banking, financial services, and construction industries. Receiving a ransom demand was significantly higher than average for these businesses.
  • What was revealed in a report is something everyone should know. The study showed that people who reuse passwords are more likely to be victims of hacks, cybercrime, and identity theft. This is because they use the same password for multiple sites.

 

According to Getapp, in the “new era” security threats are getting more sophisticated. It can be in the form of a phishing scheme or ransomware. Companies must train their employees better to protect against the increasingly sophisticated cybercriminals.

In a recent survey, it was found that 23% of IT security managers have no protocols for reporting a cyberattack and 33% have no formal cybersecurity incident response plan.

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

According to a recent report, almost all companies have experienced at least one cloud data breach. The report also found that companies were more aware of the cloud security threats and that 60% of them considered lack of visibility and inadequate identity and access management as a major threat.
 
 
Cyber-attacks are not rare anymore. They’re happening all across the world. The bad guys are getting smarter and sneakier. Their attacks are well-planned and devastating. And the victims of these attacks? They’re not just big companies. They’re small businesses, too. Whether you know it or not, you, too, could be a victim of cybercrime at any time. But don’t worry! There’s a solution to this online security epidemic. See if you can guess what it
 
 
Now more than ever, organizations must protect themselves against hackers. They’re clever. They know how to access accounts with weak passwords. Or they know how to use the same password across different websites. In this new era, businesses must build up their defenses against persistent attackers who have for instance skillfully mastered the art of abusing weak credentials.
 
 

My 7 Step Incident Response Plan Checklist

You don’t want to be unprepared for a cyber attack. If you’re worried about the possibility of an incident, follow this incident response checklist to minimize damage and get back up quickly after your site or network is taken down.

  1. Ownership and Responsibility – The first step in creating a good incident response plan is to determine the people and teams that will be responsible for making and executing it. This includes identifying and training your team on the plan, tools, and technology in place. The plan should also be updated if there are any changes in your organization. It’s a good idea to consult with executives and other senior staff when you create the plan.

  2. Roles and Contacts – In the case of a cyberattack, a business can expect a lot of people to be affected. These people include executives, the C-suite, legal, HR, finance, marketing and sales. Businesses need to make sure that these groups know how they will be affected by a cyberattack and what their roles will be in recovering from it.

  3. Communication Methods and Contact List – During an incident, you may have no access to email or the phone. To ensure proper and timely communication with customers and employees during a crisis, you need to have contact details and alternative methods of communication prepared. You also need to make sure everyone knows what information will be communicated to whom and when.

  4. Recording and Identifying – Once an issue has occurred, you must document everything. When did it occur? Who noticed it first? What steps did the security and IT teams take to fix it? What was the type of incident? Was it confirmed as an actual incident?

  5. Containment – It is vital that you contain the threat and stop the attack. Containment is an important step in your security plan, because it enables you to learn how the attack happened. If you do not contain the threat, it will continue to spread, and you will have no idea where it originated or how it spread so far. Additionally, the scope of the attack is extremely important. If you have a major breach, you must know exactly how many people were affected.

  6. Eradication and Recovery – The final step of any hack attack is to restore your systems and software to their original state. To protect your business, security and IT teams should collect evidence to ensure proper digital forensic purposes. This step includes taking inventory of logs, memory, audits, network traffic and disk images, while patching systems, cleaning memory, and restoring data.

  7. Lessons Learned – It’s important to reflect on the cyber-incident. What went well? What can be improved? Taking the time to carefully reflect on the incident will help you better prepare for the next one. Learning from the incident will also spark change within your organization, allowing it to further invest in security training and technology, thereby improving its security posture.
     
     
Creating an incident plan is a difficult task. Your company is invincible against attacks, right? But the fact is, with the ever-increasing size of the cyber-threat landscape, and the potential for human error, it is becoming more likely that your organization will become a victim.
 
If you are not prepared for an incident, the overall impact on your business will be much larger, you’ll have to work harder to recover, and you’ll have a lot of extra stress. To reduce the risk and impact of a cyber attack, you should have a solid plan in place for how to respond.

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

Google has released an emergency update Chrome 94.0.4606.71 that fixes two zero-day vulnerabilities being exploited in the wild. These are the second and third zero-day vulnerabilities found this year. A total of twelve zero-days have been found in the browser since January. The new version will be released on all three platforms, Windows, Mac, Linux, to fix these issues.
 

Google stated the following:

“Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild,”
 
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the company said in Thursday’s security update. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
 
 

Here are details on the two zero-days:

  • CVE-2021-37976 Google Project Zero found a bug in a critical component of Chrome. The bug was rated as a Medium severity issue and was assigned a CVE designation. Google TAG researcher Clément Lecigne reported the bug on September 21, 2016. He received assistance from Sergei Glazunov and Mark Brand from Google Project Zero.
  • CVE-2021-37975 An anonymous contributor reported a bug in V8, Google’s open-source, high-performance JavaScript engine. The bug was rated one of two high-severity flaws in Google’s Sept. 26 update. V8 translates JavaScript code into machine code instead of using an interpreter. On Sunday, the bug was reported by an anonymous contributor. It is one of two flaws in Google’s Sept. 26 update (the other rated high-severity).

 

Update Google Chrome

Google has a task schedule that should auto update your google chrome but for some may not be so lucky. Either you can download Google Chrome from their website or run Patch My PC this will also patch other 3rd party software you may have on your computer.
 
If your a MSP using Kaseya I have a Patch MY PC Script that you can deploy to all your systems that can be scheduled to run on a weekly basis.

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

Cyber Security risk management shouldn’t be tedious or painful, but instead an easy-to-understand process that is similar to choosing the right insurance plan. Just as you might choose a certain plan because it offers better coverage for your family, you should choose a certain cyber risk management policy because it prevents cyberattacks from occurring in the first place.

You can’t avoid bad days or negative events, but you can plan for them. Policies that protect against bad days are analogous to cybersecurity risk management. These policies help people recover from negative events.

In today’s competitive business landscape, cybersecurity is a necessary topic for all companies. Whether you are just getting started or already have a lot of experience, there are several critical tips that will help you defend your business against cyberattacks.

 
 

1.  Deploy Cyber Security Frameworks

Did you know that ISO 27001, a well-known cybersecurity framework that defines best practices for an information security management system (ISMS), can help companies prevent cyberattacks and minimize business risk?

In addition to ISO 27001, there are several frameworks and methodologies that can support and increase cybersecurity. For example, NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) offers a framework for identifying and decreasing risk.

The Center for Internet Security (CIS) also has a product called CIS Critical Security Controls (CSC). CIS CSC is made up of 20 security controls that companies can use to help protect themselves. The CIS CSC is broken into key recommendations and best practices.

 

2. Create A Risk Assessment Checklist

When running a business, it is essential to understand potential risks that may arise. For instance, you can develop a risk-assessment process that clearly defines how the company will prepare for, conduct and convey key findings from a risk assessment.

It is vital for organizations to stay on top of their IT systems. Networks are always changing, software applications are regularly updated, new users are added and existing ones removed. All of this activity encourages the emergence of new vulnerabilities.

When preparing for a risk assessment, organizations should follow this checklist:

  • Create a Strategically outline which would have the scope of the evaluation, including any significant up-front assumptions or expected constraints;
  • Elaborate on specific informative sources that will be used.
  • Describe the risk calculations and methodology that will be used;
  • Remember to include compliance regulations like HIPAA or FERPA. Each regulation has is own set of requirements for risk assessment and reporting.

3. Identify Potential Threats For Risk Prioritization

An effective threat-intelligence program can provide your business with the raw data you need to deflect cyberattacks. Threat intelligence helps businesses make crucial modifications to their risk assessment for cyber attacks. Threat-intelligence data can empower security teams to prevent new and developing threats from taking hold.

 
Security teams need to make quick decisions about threats. The process for gathering, evaluating, investigating, and sharing threat intelligence data is rooted in data. For example, security teams can learn about the latest attack tactics, techniques, and procedures (TTPs). They can also learn which attack vectors are being used by threat groups. Indicators of compromise (IoCs) are the latest known pieces of malicious code or other elements that can be used to identify a cyber-attack.
 
 

4. Penetration Testing and Vulnerability Insights

To defend from cyber attacks, you need to know what a hacker knows. Vulnerability scanners are a good way to check for holes in your security. But they can’t detect complex threats. In fact, hackers can use them against you. To stay one step ahead, you need a team of hackers who can think like a hacker and predict future vulnerabilities.

When it comes to exposing your company’s vulnerabilities, you need a human touch. This is why businesses are increasingly turning to penetration testing. Penetration testers are highly specialized security researchers who search for some of the most common vulnerabilities in a network or system. These individuals get approval from the company before they begin their search, and they work with the company to find vulnerabilities that can ultimately improve overall security.

 

5. Identify Security Holes

Cyber security is vital for businesses of all sizes. Cyber-risk management means companies can identify gaps in their cyber security and eliminate redundant security controls. As companies implement the cyber-risk-management process, they should realize that cyber security is more than just firewalls, antivirus software, and other software.

Businesses must set a target security posture and then evaluate how close they are to that objective. Every dollar allocated to security must provide the protection that the company needs. If your security tools don’t help you reach your goals, you should look for tools that do. Redundant security tools can be combined or removed.

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

Hackers are getting savvier and so are these Crossword Puzzles. Hackers are constantly finding new ways to abuse system vulnerabilities and sneak into our networks. In the digital age, protecting networks from hackers have become a top priority. 

 

Click on the link to read Understanding Hacker Motives it will also help you with this Crossword Puzzle.

 

Vertical

1. Cybersecurity training can protect you from _____ attacks.
2. _____ can leverage your credit score to open accounts,
3. _____ can cripple a network from functioning.
5. What do Investigators spend alot of _____ ?
9. Identity _____ ranks near the top as one of the most common crimes worldwide.

Horizontal

1. _____ for example consists of full names, addresses and ID numbers.
4. _____ networks from hackers have become a top priority.
6. Criminals _____ crimes.
7. Hacking is a big _____ business.
8. Unprotected _____ is a huge risk.
10. Hackers want your _____.
11. Hackers like to _____ Data.

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

Phishing has always been an issue and quite of an annoyance and now with phishing leveling up to Phishing As A Service gives criminals the ability to subscribe to working phishing templates that are sure to trick every day regular people. 

Microsoft found a service that makes it easy to create phishing attacks. It’s called PhaaS, or Phishing-as-a-Service. The service is mostly used by hackers to create quick phishing attacks. Microsoft discovered the service is responsible for many recent phishing attacks against corporations.

 

The group of cyber criminals started this phishing service, and it even offers an email delivery service. The group’s name is BulletProofLink (or Anthrax). It sells phishing kits and templates under a subscription or single payment-based business model. In addition, it offers credential theft and hosting services and says that its links to websites will not be detected by search engines.

 

Why I’m Worried

In the past, phishing sites only targeted banks, but today’s criminals can impersonate any business. This PHaaS company provides about 120 frequently updated templates to help the cyber criminal. If someone is willing to pay a little extra, a phishing site can be set up in a day. This means that the service operator can steal your credentials and sell them to other people. This combination of stealing and reselling credentials is called double theft .

 

A new technique for phishing has emerged on the dark web, this technique makes it possible to have unique phishing pages for every person you target. If you can hack the DNS (Domain Name System), you can use it. This tactic has become more popular as it takes less effort to send out phishing pages and increases your chances of successful phishing.

 

What we can do

To avoid these attacks that aim to steal data, Microsoft recommends that organizations employ anti-phishing policies that will keep the data safe. As a reminder PhaaS is a service that can help malicious hackers deploy ransomware on compromised networks

 

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

FERPA stands for the Family Educational Rights and Privacy Act. It was designed to protect both the privacy and security of certain kinds of educational records. It gives students, former students, auditing students, and others, certain privacy rights with respect to personally identifiable educational records.

 

What are Educational Records?

FERPA defines educational records as any records maintained by an educational agency, institution, or person acting for such that can identify a student on an individual level.

 

What is Directory Information?

Directory information refers to information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed (such as grade level or field of study). Grades, student IDs, social security numbers, disciplinary records, GPAs, and the like should not be considered “directory information,” and therefore, should not be disclosed.

 

What rights do parents have under FERPA?

For kids under 18, the parents generally have a right of both access to the student records and to exercise FERPA rights on behalf of the student. After age 18, these rights devolve to the students themselves. The parents may obtain directory information at the discretion of the institution, and non-directory information only with either the consent of the student in writing or by demonstrating legal authority and that the child is a dependent.

 

What rights do students have under FERPA?

FERPA requires that students be informed that they have the right to opt out of inclusion in any directory listing, and the institution must provide a mechanism for students to easily do so.

 

What’s your role in all of this?

Treat all sensitive data with the highest level of care so that it never gets inappropriately disclosed or accessed by unauthorized individuals. Stay alert, think before you click, and whenever you have a question about policies, practices, or what you should do in any individual situation, don’t guess! Contact the relevant FERPA compliance office.

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

Even if your company secures its website and business network, it is still vulnerable to phishing attacks. This is because humans are the weakest link in security. Cybercriminals know that humans are much easier to manipulate than to hack into technology. The situation becomes even graver as the COVID-19 crisis continues. Everyone is worried about cyberattacks, and that gives hackers more advantage over businesses and individuals.

In a recent report by the Anti-Phishing Working Group, the number of reported phishing attacks doubled from 2018 to 2020. In business email compromise scams, the average fraudulent wire transfer request increased from $48,000 in Q3 to $75,000 in Q4 of 2020. Verizon says 36% of all confirmed breaches in 2021 involved phishing.

A strong defense is the best offense. The most reliable way to build defenses is to learn about phishing attacks. Penetration testing gives you specific actionable insight into how phishers trick users, and this knowledge forms the foundation for security awareness training that works. Here’s a summary of phishing email elements that help make users slip up, but keep in mind that no two phishing emails are the same.

 

Pentesting Insight

When you’re attacking a business, you send out fake emails with links or attachments that lead to fake login pages or Microsoft Office documents with viruses. In a classic pentesting exercise, security professionals send employees messages from a fake person asking for account credentials or information about the company.

Sometimes, the bait is just a simple link or file attachment, and only white-hat security researchers can see what is happening. But in most cases, the attack will be true-to-life and the macro-based payload will give researchers complete access to a target computer. This gives pentesters an idea of how reliable security defenses are and also helps them see how hackers work.

A key component of the phisher’s work is to make the fraudulent email feel as real as possible. It has to fit the context of the phishing scheme. The ideal message will pretend to be someone who is highly ranked in your business. The attacker will want to send this message to higher-ranked employees or partners, to make them feel important or trusted.

If your goal is to hack a computer it would be best to target someone in accounting, then you would send an email that looks like it’s from their boss. It will probably say something like “Please check the wire transfer credentials.”

In most cases, phishing emails try to pressure users into taking action immediately. In order to achieve this goal, scammers often force their targets into a false sense of urgency. However, it’s important that the email is written well. Misspellings and other errors can cause an employee to be suspicious, and this can ruin a phishing campaign.

 

The Pentesting Findings

In most phishing tests, employees are more likely to open an email attachment than fill out a web form. They’re even more likely to do so mere moments after receiving the message.

The best email subjects are related to corporate perks such as employee discounts and bonus programs from affiliated businesses. About a third of recipients engage with messages like that in some way. Emails that instruct staff to read new corporate policies and other documents associated with enterprise culture come second.

Scammers like to attack during bad news, like terror attacks and natural disasters. They also like to advertise fake promos and freebies around the holidays. The holidays are known for massive phishing scams.

When you’re crafting a targeted email, the likelihood of success increases. Using open-source intelligence, you can find all sorts of details that can help you craft a spear-phishing message that will hit the right key. In pentests, I’ve seen that personalized emails that zero in on one to three employees have a 100% success rate. But as soon as the number of potential targets grows, so does the subject line.

Despite the growing risks of phishing, most employees remain ignorant when it comes to online threats. They often ignore red flags such as unfamiliar senders, requests to disclose credentials, and typos in the domain names of impersonated companies.

 

Staying Safe From Phishing

In the vast majority of cases, spear phishing attacks are easy to spot. If you have an attack that is too sophisticated for you, you may need to bring in the pros. In any case, remember these things:
  • Employees need to be aware of the dangers of email security. They should be extremely careful when opening attachments or clicking on links, even if they seem trustworthy.
  • A reliable Secure Email Gateway solution is the best way to prevent phishing emails from being sent out, identifying them and stopping them before they reach your users.
  • Use a cyber security awareness tool to teach and test employees.
  • Tech staff should inform employees about latest phishing tactics.
 
 
 
 

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.

Categories

Archives

RSS Feed RSS - Posts