Do young employees present a phishing risk?
Spring. For some it signals rejuvenation, rebirth, everything blooming…but for security administrators it can mean new security risk. Spring means that the next round of college seniors will be entering the workforce soon, which for phishers means a fresh group of targets. Hopefully their college educations have prepared them for the majority of challenges they will face, but when it comes to phishing that is unlikely. The types of phishing emails students and consumers receive are quite different from what employees receive, and without training, young employees can’t be expected to avoid tactics they haven’t seen.
In the higher-education arena, hackers want to infiltrate universities for the purpose of stealing credentials, to gain access to user accounts to send spam from the accounts or use university resources. (Here is a recap of the phishing problems higher education faces: https://cofense.com/educause-2012-spc-quick-review/ ) Take this recent attack on the University of Illinois as an example. Consequently, the most common phishing tactics college students face is a simple solicitation of login credentials in the body of the email. Kansas State provides examples of phishing attacks sent to its users (see the image to the left). Slightly more capable attackers may provide a URL taking recipients to a phony landing page that appears to be from the IT department.
University-focused spear phishing attacks typically don’t employ a high level of sophistication. Attackers are not packing malware or setting up masked command and control to go after students and faculty. (At least we should say the incidents that are publicized. That doesn’t mean that there are not advanced threat actors targeting university grant based R&D, hospitals, fundraising and endowment investments.)
Enterprises face much more varied and dangerous risks, as cyber criminals, nation-states, and hacktivists are all targeting their intellectual property and sensitive information. In addition to the data entry tactics, employees at large organizations receive highly targeted and customized spear phishing emails containing malicious links and attachments. Adversaries use a variety of continually evolving social engineering techniques, such as conversational phishing, to trick recipients. A young employee who has never received a targeted phishing email may not realize how adversaries gather details to write emails tailored to the recipient and organization, nor understand the implications of clicking on a malicious link or attachment. They may think they know what spear phishing is based on university security awareness campaigns. Furthermore, this generation of new workers is extremely connected through social media, providing attackers with ample information to use in targeted emails.
Graduating students may think they know what spear phishing is based on university security awareness campaigns.
New employees – whether young or experienced – may also think their role is not significant enough to merit receiving a targeted email, or that security isn’t their responsibility. Last fall, PhishMe commissioned a poll that revealed almost half of all respondents were more concerned about being phished at home than at work. There is definitely a prevailing notion in the workforce that security is the IT department’s concern, a view some in our industry recklessly share. As they begin their jobs, this year’s graduating seniors will undergo a great deal of training, both formal and informal, so why shouldn’t security be part of that?
This post isn’t intended to pick on graduating seniors, as they are no different than any new employee in many respects. For instance, if you are defense contractor that is constantly bombarded with phishing emails, any new employee may require training, regardless of experience. This is why it’s important for security awareness to be a continuous process throughout the year. When security awareness is part of your organization’s culture, the security risk posed by new employees can be more easily mitigated.
One of the many pre-built training modules included in PhishMe focuses on educating new employees about the differences between the consumer focused phishing they are used to receiving, and the enterprise-focused spear phishes targeting employees. Typically this content is reserved for PhishMe customers, but we wanted to share an example in this case: