School’s Back But Phishing Season’s Still Open

It’s that time of year again: school’s back in session. For many, that means putting down the fishing rod and picking up the books. Not so for cybercriminals, whose phishing season never ends.

In a recent example, Maclean’s reported that MacEwan University got “duped out of $11.8 million” in an apparent spear phishing incident. They explain how the criminals were extremely persistent, communicating for months with the finance department. Ultimately, officials were tricked by hackers into redirecting payments to what seemed like their vendor’s new bank.

It’s more proof that hackers don’t discriminate; they jump in at an opportune moment, such as when a busy school system is readying for the new academic year.

Today’s phishing emails are rampant and target all industries and organizations of all sizes. Hackers are getting better each day, carefully crafting seemingly authentic emails that seduce employees into clicking links, opening files, sending confidential information, or transferring money.

They’ve got a lot of tricks up their sleeves, and posing as a key vendor or customer is a common one.

Don’t be fooled: many of these cybercriminals are well schooled in their trade. They are methodical and patient, taking time to understand business relationships in preparation for an attack—something they can do by simply researching websites, social media channels, and news outlets.

So how does an employee get “schooled” by a hacker?

The business world is fast and furious, with deadlines and goals to be met. Cybercriminals know that, and that’s where mistakes get made. For example, we all encourage our teams to provide exceptional support and service. When a customer asks for something to be done, employees move quickly to facilitate, answering emails and phone calls with the end goal of keeping that customer happy. It makes sense. At the same time, it’s that same urgency that leaves us prone to errors, including not taking the time to verify details every step of the way—like an account number that’s changed partway through an email thread, or a link that goes to a web page whose address is one character off.
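The two cues named above (a sender domain one character off a trusted vendor’s, and a bank account number that changes mid-thread) are exactly the details a finance or IT team can check mechanically before anyone acts on an email. The following is an added example, not code from Launch Security or from the MacEwan incident; the vendor domains, vendor master record, confusable-character list and email thread are constructed samples, and a real deployment would pull the trusted list and master record from the accounts-payable system.

```python
"""
'Slow down and verify' checks for two spear-phishing cues:
  1. a sender domain that is a lookalike of a trusted vendor domain
  2. a bank account number in an email thread that differs from the
     vendor master record
All data below is constructed for illustration (assumption).
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: vendor domains accounts payable is allowed to pay.
TRUSTED_DOMAINS: Set[str] = {"acme-supplies.example", "northwind.example"}

# Constructed sample vendor master record, as an AP system would hold it.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "acme-supplies.example": {"bank_account": "123456789"},
}

# Constructed sample thread: first message quotes the known account,
# second one asks to "switch banks" (the classic payment-diversion move).
THREAD: List[str] = [
    "Hi, invoice 4471 attached, please remit to account 123456789 as usual.",
    "Quick update: we have switched banks, please send future payments "
    "to account 987654321. Thanks!",
]

# Characters commonly swapped to build a lookalike (short list, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Fold visually confusable characters so 'acrne' compares equal to 'acme'."""
    d = domain.lower().strip().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed two DP rows at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted: Set[str] = TRUSTED_DOMAINS,
                 max_distance: int = 1) -> Optional[str]:
    """Return the trusted domain the sender resembles, or None.

    An exact match is not a lookalike. A match after confusable folding,
    or an edit distance of at most max_distance, is.
    """
    s = sender_domain.lower().strip()
    if s in trusted:
        return None
    ns = normalize(s)
    for t in trusted:
        if ns == normalize(t) or edit_distance(s, t) <= max_distance:
            return t
    return None


def extract_account_numbers(text: str) -> List[str]:
    """Runs of 8+ digits, the shape a bank account number takes in an email."""
    return re.findall(r"\b\d{8,}\b", text)


def payment_change_flags(vendor_domain: str, thread: List[str],
                         master: Dict[str, Dict[str, str]] = VENDOR_MASTER) -> List[str]:
    """Account numbers quoted in the thread that differ from the master record.

    Each returned number is a 'confirm by phone on a known number' flag.
    """
    known = master.get(vendor_domain, {}).get("bank_account")
    flags: List[str] = []
    for msg in thread:
        for acct in extract_account_numbers(msg):
            if acct != known and acct not in flags:
                flags.append(acct)
    return flags


if __name__ == "__main__":
    for sender in ["acrne-supplies.example", "acme-supp1ies.example",
                   "acme-supplies.example", "totally-different.example"]:
        print(f"{sender:30} lookalike of: {lookalike_of(sender)}")
    print("account numbers to verify:",
          payment_change_flags("acme-supplies.example", THREAD))
```

The domain check is deliberately conservative: it only compares against vendors you already pay, so it produces a short, actionable list rather than a generic reputation score. The account check does not decide anything on its own; it turns “the account number changed” into a flag that forces the out-of-band phone call the post is asking for.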

We all need to slow down and business leaders need to build a culture of cyber awareness.

The ultimate goal should be to make every team member a defender of the organization and to have clearly defined, tested, and trained procedures in place. This goes well beyond the finance department. Imagine how much sensitive data your sales, operations, or engineering teams have as well.

To develop a culture of cybersecurity, establish an ongoing cybersecurity program that includes regular awareness training, phishing simulations, and threat notifications. Prioritize education and testing so the next time your team gets phished, the hackers are the ones getting “schooled.”

Stay Safe,
Your Friends @ Launch Security

Subscribe to the Launch Security Blog: Cybersecurity in 60 Seconds