Misspelled words and bad grammar are tell-tale signs of phishing. Why don’t phishers learn spelling and grammar? Can’t they afford a copy of Strunk and White?
Phishers don’t need to spell better because their poorly-written schemes still fool enough people. It’s just math for the phishers — a numbers game. If you handle IT security at your organization, don’t assume that people won’t fall for obvious phishing scams — they do. That’s why it is essential to train people — again and again.
Why do phishers waste their time with such obvious phishing scams when they can do so much better?
One possible answer: They don’t have to do better. They send out so many emails that they only need a very low percentage of people to click. And people always do. In fact, if phishing emails became more effective, phishers might get too many clicks and might not be able to process it all!
To break into an organization, all the phishers need to do is to catch just one person. They don’t need to overphish the seas. Victims are plentiful enough!
Don’t assume that people won’t fall for obvious phishing scams — they do. That’s why it is essential to train people. I am pleased to announce that TeachPrivacy now is offering a phishing simulator service. We’ve teamed up with QuickPhish to provide a platform where organizations can conduct simulated phishing exercises for their workforce. A great way to teach people not to fall for phishing emails is through direct experience. When people wrongly click, our training can follow to teach them how to improve.
A popular way some organizations are raising awareness about phishing is by engaging in simulated phishing exercises of their workforce. Such simulated phishing can be beneficial, but there are some potential pitfalls and also important things to do to ensure that it is effective.
1. Be careful about data collection and discipline
Think about the data that you gather about employee performance on simulated phishing. It can be easy to overlook the implications of maintaining and using this data. I look at it through the lens of its privacy risks. This is personal data that can be quite embarrassing to people — and potentially have reputational and career consequences. How long will the data be kept? What will be done with it? How securely will it be kept? What if it were compromised and publicized online?
The Payment Card Industry (PCI) Security Standards Council recently released a helpful short guide to preventing phishing attacks. Merchants and any other organization that accepts payment cards most follow the PCI Data Security Standard (PCI DSS). One of the requirements of the PCI DSS is to train the workforce about how to properly collect, handle, and protect PCI data.
A major threat to PCI data is phishing, with almost a third targeted at stealing financial data.
According to a stat in the PCI Guide, Defending Against Social Engineering and Phishing Attacks,: “Every day 80,000 people fall victim to a phishing scam, 156 million phishing emails are sent globally, 16 million make it through spam filters, 8 million are opened.”
I am pleased to announce the launch of our new training program, Social Engineering: Spies and Sabotage. This course is a short module (~7 minutes long) that provides a general introduction to social engineering.
After discussing several types of social engineering (phishing, baiting, pretexting, and tailgaiting), the course provides advice for avoiding these tricks and scams. Key points are applied and reinforced with 4 scenario quiz questions.
A study recently revealed that nearly 25% of data breaches involve phishing, and it is the second most frequent data security threat companies face. Phishing is an enormous problem, and it is getting worse.
In a staggering statistic, on average, a company with 10,000 employees will spend $3.7 million per year handling phishing attacks.
by Daniel J. Solove
I’ve really been enjoying the new TV series Mr. Robot on USA. Network. It presents highly-engaging depictions of hacking and social engineering, and it is great entertainment for privacy and security geeks.
The protagonist is Elliot Alderson (played by Rami Malek), a tech who works at a cybersecurity firm in New York City. The show is narrated with voiceover by Elliot, and we get a glimpse into the mind of this reclusive and quiet person. Voiceover can often falter as a technique, but here it works wonderfully — and all the more impressive because Elliot speaks softly, often in monotone. But Elliot is such a fascinating character and Malek delivers Elliot’s monologue so effectively, that it becomes surprisingly engaging.
Elliot is very smart and clever, and he sees many around him as idiots. He suffers from severe bouts of depression, is a recluse who wants to be invisible, and he is very awkward around other people. He lives most of his life inside his head. The show presents the stark contrast between what he says to others and what he is thinking. In one scene, we see him speaking to his psychiatrist, telling her hardly anything. But we hear his thoughts and know that he is pondering quite a lot.
by Daniel J. Solove
A few days ago, I posted about how boards of directors must grapple with privacy and cybersecurity. Today, I came across a survey by NYSE Governance Services and Vericode of 200 directors in various industries.
According to the survey, about two-thirds of directors are less than confident about their company’s cybersecurity. This finding is not surprising given the frequency of data breaches these days. There is a growing sense of exasperation, as if we are living in an age of a great plague, with bodies piling up in the streets.
by Daniel J. Solove
Although we are seeing increasingly more sophisticated attempts at phishing, it appears as though many phishers still haven’t been able to get their hands on a program with spell check. Why are we still seeing the $10 million lottery winning emails? Or the long lost relative of yours living in Fiji who is leaving you $4 million?
A recent article explains that for the phishers, it is all a numbers game:
“So, if 97 per cent of phishing attempts are unsuccessful, why is it such a large issue? Because there are 156 million phishing emails sent worldwide daily. . . . Of the 156 million phishing emails sent daily, 16 million get through filters. Another eight million are opened by recipients. 800,000 click on the link provided, and 80,000 provide the information requested.”
By Daniel J. Solove
I produce computer-based privacy and data security training, so I’m often in the hunt for stock photos. One of the hardest things in the world to do is to find a stock photo of a hacker that doesn’t look absolutely ridiculous.
I’ve gone through hundreds of hacker stock photos, and I’ve discovered some that are so absurdly funny that they are true classics and deserve to be celebrated in a hall of fame. So I bought some of these gems to share them with you — because if there’s any sense of justice in the universe, when so much thought, creativity, and effort goes into a stock photo, it deserves to be sold.
by Daniel J. Solove
This post was co-authored with Professor Woodrow Hartzog.
This past Tuesday the Federal Trade Commission (FTC) filed a complaint against AT&T for allegedly throttling the Internet of its customers even though they paid for unlimited data plans. This complaint was surprising for many, who thought the Federal Communications Commission (FCC) was the agency that handled such telecommunications issues. Is the FTC supposed to be involved here?
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
Professor Solove’s LinkedIn Influencer blog
You can follow Professor Solove on his blog at LinkedIn, where he is an “LinkedIn Influencer.” He blogs about various privacy and data security issues. His blog has more than 600,000 followers.
* * * *
Professor Solove’s Twitter Feed
Professor Solove is active on Twitter and posts links to current privacy and data security stories and new scholarship, cases, and developments of note.
* * * *
Professor Solove’s Newsletter
Sign up for our newsletter where Professor Solove provides information about his recent writings and new training programs that he has created.
* * * *
Professor Solove’s LinkedIn Discussion Groups
Please join one or more of Professor Solove’s LinkedIn discussion groups, where you can follow new developments on privacy, data security, HIPAA, and education privacy issues. You can also participate in the discussion, share interesting news and articles, ask questions, or start new conversations:
Posted by Daniel J. Solove
According to a stat in SC Magazine, 90% of malware requires a human interaction to infect. One of the biggest data security threats isn’t technical – it’s the human factor. People click when they shouldn’t click, put data on portable devices when they shouldn’t, email sensitive information, and engage in a host of risky behaviors. A lot of hacking doesn’t involve technical wizardry but is essentially con artistry. I’m a fan of the ex-hacker Kevin Mitnick’s books where he relates some of his clever tricks. He didn’t need to hack in order to get access to a computer system – he could trick people into readily telling him their passwords.
There have been a number of good recent articles on data security and data security training. Robert O’Harrow, Jr.’s recent piece in the Washington Post discusses the human element to data security in his piece, “In Cyberattacks, Hacking Humans is Highly Effective Way to Access Systems.” The article describes the increasing sophistication of phishing. The old misspelled lottery scam emails are now your grandfather’s phishing. Today’s phishing is more personalized – and much more likely to trick people. According to O’Harrow’s article: “The explosive growth of cyberspace has created a fertile environment for hackers. Facing the flood of e-mail, instant messages and other digital communication, many people have a hard time judging whether notes or messages from friends, family or colleagues are real. Many don’t even try.” O’Harrow goes on to note that “Hackers are so confident about such permissiveness that they sometimes begin their attacks in social media three or four steps removed from their actual targets. The hackers count on the malicious code spreading to the proper company or government agency — passed along in photos, documents or Web pages.”