Phishing attacks are making a serious comeback, thanks in huge part to the COVID-19 pandemic. According to the 2020 Phishing Attack Landscape Report, commissioned by GreatHorn and conducted by Cybersecurity Insiders, companies are experiencing an average of 1,185 attacks every month, and 15% of organizations report spending one to four days reversing the damage done by a successful attack, at a particularly uncertain time for businesses.
Different targets get different lures. How employees behave shapes how they are targeted, and their role in the organization determines how attractive a target they are.
Here are the 4 types of employees who are the most likely to be targeted for phishing attacks and the ways to mitigate the risks specifically associated with them:
1. Executives
As high-ranking decision-makers, CEOs, CFOs, EVPs, and other top corporate executives are also at the top of cybercriminals' list of targets. If one of them is phished, all the sensitive, business-critical information they have access to is exposed.
To phish a top executive, cybercriminals typically spoof an email so that it appears to come from a credible sender, often another executive. A request that seems to come from a peer or a superior is rarely questioned, which makes it easy for the attacker to extract critical information from other executives, who are not likely to think twice about obliging.
Risk-mitigating measures:
- Require additional verification, through a channel other than the original email, for any sensitive request such as a wire transfer.
- Make sure that executives are careful about what they share, and whom they connect with, on social networks; that information is what makes a lure convincing.
- Require email security training.
- Establish secure funds-transfer procedures.
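The spoofing described above usually leaves traces in the message headers: a display name that matches a real executive while the address belongs to a free-mail or look-alike domain, or a Reply-To that quietly redirects replies elsewhere. The following is an added example, not code from the original article, showing how a mail gateway or SOC triage script can test for those three signs without any external lookups. The executive roster, the corporate domain `example.com`, the homoglyph table and the two sample messages are all constructed for illustration.

```python
"""Heuristics for spotting executive impersonation in inbound e-mail.

Added example, not code from the original article. It checks three
things a gateway or triage script can test offline: a From display name
that matches a known executive but an address that does not, a Reply-To
that diverges from From, and a sender domain that is a look-alike of
the corporate domain. The roster, the corporate domain and the sample
messages are constructed for illustration.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"  # assumed corporate domain
# Assumed roster: display names attackers are likely to borrow.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
# Digits that attackers swap for visually similar letters in domains.
HOMOGLYPHS = str.maketrans("01357", "olest")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """True if domain resembles CORPORATE_DOMAIN without being it."""
    domain = domain.lower()
    if domain == CORPORATE_DOMAIN:
        return False
    # Undo common homoglyph tricks: examp1e.com, exarnple.com, vvebsite.com
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    if normalized == CORPORATE_DOMAIN:
        return True
    corp_label = CORPORATE_DOMAIN.split(".")[0]
    if corp_label in normalized.split(".")[0]:  # e.g. example-payments.com
        return True
    # Catch typosquats such as exampel.com; the threshold is a tuning choice.
    return difflib.SequenceMatcher(None, normalized, CORPORATE_DOMAIN).ratio() >= 0.9


def analyze(raw_message: str) -> list[str]:
    """Return a list of finding codes for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    findings = []

    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display_name_impersonation:{addr}")
    if is_lookalike(from_domain):
        findings.append(f"lookalike_domain:{from_domain}")

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        reply_domain = domain_of(reply_addr)
        if reply_domain != from_domain:
            findings.append(f"reply_to_mismatch:{reply_domain}")
        if is_lookalike(reply_domain):
            findings.append(f"lookalike_domain:{reply_domain}")
    return findings


# Constructed samples: a BEC-style lure with a free-mail From and a
# look-alike Reply-To, then a genuine message from the same executive.
SAMPLE_BEC = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <ceo-jane@exarnple.com>
To: cfo@example.com
Subject: Urgent wire before 5pm

Please process the attached invoice today. I am in meetings, email only.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q3 numbers

Thanks, see you Monday.
"""

if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw))
```

The constructed lure trips all three checks, while the genuine message produces no findings. These heuristics complement, rather than replace, SPF, DKIM and DMARC: a message that passes those checks can still carry an executive's name on a free-mail address, and that is exactly the case the display-name check catches.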
2. Administrative assistants
Administrative assistants not only handle behind-the-scenes scheduling, miscellaneous tasks, and call screening; they also usually have access to company accounts and to individual executives' accounts. That makes them highly attractive to cybercriminals, who pose as an executive and ask the assistant to do something that lets the attacker install malware or eavesdropping software on the assistant's machine. All the assistant needs to do is open an attachment or send a file that the "executive" requested. Once in place, the eavesdropping software can see every confidential communication the assistant handles or has access to.
Risk-mitigating measures:
- Have a good spam filter in place.
- Set a well-defined procedure for how to deal with suspicious emails.
- Train assistants to be vigilant and to promptly report any suspicious email they encounter.
3. Salespeople
Everyone on a sales team, whether business development managers, account executives, or in-house sales agents, is in constant communication with prospective and existing clients in person, over the phone, and via email. Eager to hear from potential customers and to respond as promptly as possible, they can let their guard down when it comes to email.
Cybercriminals have no trouble looking up salespeople's phone numbers and email addresses online, and can be practically certain that their phishing messages will be opened.
Salespeople's credentials let cybercriminals steal customer lists, pricing sheets, and confidential deal information. Worse, a compromised sales account becomes a new phishing vector against personnel in finance, management, and accounting, who would normally not think twice about a message from someone on the sales team.
Risk-mitigating measures:
- Work with your purchasing department to establish a secure alternative to email for transferring invoices.
- Train salespeople to be cautious: check where a link actually points before clicking it, and refrain from opening attachments from unknown or unverifiable sources.
4. HR leaders and personnel
Human resources professionals communicate regularly with both current and prospective employees, so they are unlikely to think twice about a well-disguised résumé or a request for personnel information that appears to come from a top executive. Little do they know that the résumé they opened carried a malicious payload and the request for personnel information came from a malicious actor.
Risk-mitigating measures:
- Use benefits software and employee portals so that employees no longer need to send confidential documents by email.
- Require the HR team to verify, in person or over the phone, any emailed request for sensitive personnel information before acting on it, whoever it appears to come from.
Security upgrade through a stronger authentication sequence
Put stronger obstacles in the way of stolen credentials by upgrading your authentication method. Still relying on passwords, and struggling with password management and its costs?
Going passwordless is more necessary now than ever, and easier than it used to be. Adopt passwordless multifactor authentication (MFA) and passwordless single sign-on (SSO) for layered protection against an increasingly savvy set of cybercriminals: when there is no password to type, a phishing page has no password to capture.
Contact us today to learn more about how you can leverage our hassle-free plug-and-play passwordless authentication solution for the modern business.