We’d all like to think we’re online savvy and know all the tricks. We’ve seen our friends share some of the downright obvious phishing emails on Facebook, and we know we’d never fall for those scams. Or would we?
But scarily, as a whole new crop of school and university graduates enter the workforce, there’s even more to worry about. With phishing now responsible for 75% of security breaches, any employee who uses email as part of their job becomes the weakest link in your cyber defences.
The problem with new employees
So why are new employees more vulnerable? Surely, the younger generation is savvier than any other when it comes to cyber awareness? Well, it’s not about age. It’s about being new to the business, and your people and processes – coupled with a desire to impress you by acting quickly and efficiently.
But first, how do the cybercriminals know that an employee is new to the crew? The answer is social media (over)sharing. On LinkedIn, Facebook, Insta, and more.
For example, let’s take Wendy, who has just started her first full-time job as part-PA and part-AP assistant at Wattle Business Services. For the experienced hacker, Wendy’s social media is like a candy store. For not only does she excitedly share with the world that she has a new job, but where it is, and often what she’ll be doing (in her case – accounts payable, office procurement, running around after the boss, and more).
And it’s not difficult to mine a wealth of information about her. With a little time and minimal effort on LinkedIn, it’s easy to identify who Wendy answers to in the business. And therefore, who’s likely to email her and ask her to do something in a hurry.
Wendy becomes a specific, carefully researched target, not a random victim. And sadly, if she’s not fully trained, she’s fair game.
Watch out, Wendy!
So, what’s Wendy at Wattle likely to fall for, and why?
Now, Wendy’s not silly. Her problem is that she’s so new to the job that she can’t tell if an email has come from her new boss(es) or someone sitting in Siberia. So, when she’s only been at Wattle for three weeks and gets an email from Financial Controller Frank asking her to urgently pay the attached PDF invoice, or transfer cash from one account to a new one, she thinks she’s doing the right thing.
If Business Owner Brad emails her asking her to load $2000 from the cash account onto his Google Play gift card (link supplied) so he can buy Christmas presents for clients, she’s going to do it.
Wendy hasn’t been working at Wattle for long enough to know that Brad is a bit of a tightwad and only sends out eCards to his clients. And that Frank is a stickler for spelling, grammar, and processes. He would never ask a junior to do something well above her pay grade or outside of normal payment practices, let alone use text speak.
And even if she emails ‘Frank’ back with a question, the ‘not-the-real-Frank’ scammers will respond directly and stress the urgency of the request. They know that their best chance of success is by putting Wendy under pressure.
Whose fault is it when Wendy gets phished?
Sorry, but unless new joiner Wendy is complicit in the scam, the fault is yours. So, be honest, and ask yourself:
1. Did we train Wendy to recognise a spoofed email address? Cybercriminals are experts at tricking the unwary into believing that the email address is genuine and comes from a fellow staff member. Have we taught her even the basics of spotting a spoof?
2. Did we take Wendy through all the payment processes? Did she know that all invoices must be in the accounting system and approved before payment, and that Frank would never send one as an attachment? Did anyone tell her that there’s a form to be filled to change a payee’s bank account number?
3. Have we helped Wendy to recognise the logic behind responding to a request? For example, would Brad really be out shopping in person for client Christmas presents when he’s hired her as his PA?
4. Does Wendy know to look objectively at emails for both obvious and subtle grammatical mistakes? Would Frank honestly write ‘Plz do this urgently?’ or suddenly start using US spelling?
5. Did we teach Wendy to click with care? While a link text in an email might say “Go to my Google account,” the URL may well take her to a phishing page set up to look like the real thing. And does she know to not click on abbreviated links that look like they’ve come from Bitly but, in fact, are far more sinister? And if in doubt, does she know to check it out on IsItPhishing.AI? All phishing emails contain a link – but they can be hidden in an attached PDF or Word document to escape detection by your email security filter. So Wendy needs to know to hover over and verify those links too before clicking.
Keeping phishing training fresh
Cybercriminals never sleep, so neither should your approach to staff cybersecurity training. Think of Wendy as a learner driver. She may grasp the basics from using PlayStation, but with very little actual road time, she doesn’t know what potholes and detours to be wary of, and how to spot an accident waiting to happen.
And as phishing is a constantly evolving practice, new employees need to receive ongoing training. Socialise the most recent phishing scams in a regular all-staff email, or better still, set up a cybersecurity chat group in Microsoft Teams to share stories and examples. Awareness is everything, and it’s not just Wendy who will benefit.
While it may seem like we’ve picked on Wendy in this blog, in truth, we all need to be hyper-aware. There’s no room for complacency. And if you think you’re already good at spotting a phish, test your skills here – you may be surprised!