Fraudsters prey on busy execs’ impulsive email behaviour
Few people these days fall for unsolicited
emails from Nigerian princes offering juicy commission to transfer funds from a
multimillion-dollar inheritance. But plenty of Kiwis are still being sucked in
by a rising number of email phishing scams – and you can blame their impulsive email behaviour.
CCL’s security awareness service,
which each week sends phishing look-alike emails to thousands of employees working
in organisations across the country, is registering a phishing success rate of 20 to 30
per cent among participating employees presented with their first duplicitous email.
CCL’s Head of Security, Tim
Sewell, said analysis showed that while people in all job roles fell victim to
phishing attacks, certain personality types, especially Type-A personalities, often
found working in sales and leadership roles, appeared more inclined to click duplicitous
links and attachments.
However, personality type wasn’t
the only factor to determine susceptibility, he said. “Personal workloads,
stress, timing and context also influence the success rates of phishing attacks.
For example, receiving a phishing email that looks like a courier company when you’re
expecting to receive a parcel – bingo.”
CCL’s training and education programme had reduced phishing success rates to around
five per cent, with well-trained employees now regularly reporting phishing scams and
being part of the solution.
In the meantime, real-life phishing incidents were likely to remain high as phishermen
got more sophisticated, launching scams from previously compromised email
accounts and impersonating trusted providers, such as Microsoft Office 365,
Amazon, Google, even the IRD and NZ Post, he said.
“More people are working in the
cloud and using browser-based logins to access services. As this behaviour
becomes routine, people tend to let their guard down, providing an easy in for
fraudsters to steal user login credentials,” said Sewell.
A report published by
cloud security firm Avanan shows one in every 99 emails is a phishing attack, using malicious links and attachments as the main vector.
Closer to home, CERT NZ figures show
the number of malware reports from Kiwi organisations more than doubled to 43
in the three months ended 31 December.
Emails containing malware and targeting business customers of some New Zealand banks
contributed to the increase. And in three incidents reported to the NCSC this year, New Zealand organisations lost nearly
NZ$800,000 to ‘successful’ fraudulent invoice emails.
Sewell said multi-factor authentication (also known as MFA) helped
reduce credential theft – one of the main prizes from phishing attacks – by requiring
users to authenticate themselves to a website by another method, in
addition to the standard username and password login procedure.
He said the additional cost of MFA and the inconvenience to users, who are quick
to moan about laboured access, discouraged adoption, increasing the “attack
surface” for criminals.
“That’s a big problem, because once the bad guys have captured a user’s
credentials their behaviour goes largely unnoticed – because there isn’t
anything to trigger a security alert,” said Sewell. “That gives the crims time
to watch and learn, email customers with revised payment details, send out
mocked-up invoices, gain the trust of contacts linked to the compromised email
account, and reply to existing emails.”
Regular, friendly phishing exercises, multi-factor
authentication and anti-phishing technology were essential steps in the
current cybersecurity landscape, though in some cases tweaking existing policies
was the fastest way to bolster defences, he said.
“For example, financial policies
should ensure requests to change payment details are authorised and properly
validated, without relying on email. Don’t accept emails as authorisation of
payment method. And if someone keeps taking the phishing bait, maybe they’re in
the wrong job,” said Sewell.