Geekzone: technology news, blogs, forums
Kiwi workers still falling victim to old cyber tricks
Posted on 12-Aug-2019 20:47 | Filed under: News



Few people these days fall for unsolicited emails from Nigerian princes offering juicy commission to transfer funds from a multimillion-dollar inheritance. But still plenty of Kiwis are being sucked in by a rising number of email phishing scams – and you can blame their impulsive email behaviour.

 

CCL’s security awareness service, which each week sends phishing look-a-like emails to thousands of employees working in organisations across the country, is registering a phishing success rate of 20-to-30 per cent among participating employees presented with their first duplicitous email.

 

CCL’s Head of Security, Tim Sewell, said analysis showed that while people in all job roles fell victim to phishing attacks, certain personality types, especially Type-A personalities often found working in sales and leadership roles, appear more inclined to click duplicitous links and attachments.

 

However, personality type wasn’t the only factor to determine susceptibility, he said. “Personal workloads, stress, timing and context also influence the success rates of phishing attacks. For example, receiving a phishing email that looks like a courier company when you’re expecting to receive a parcel – bingo.”

 

Sewell said CCL’s training and education programme had reduced phishing success rates to around five per cent, with well-trained employees now regularly reporting phishing scams and being part of the solution.

 

In the meantime, real-life phishing incidents were likely to remain high as phishermen got more sophisticated, launching scams from previously compromised email accounts and impersonating trusted providers, such as Microsoft Office 365, Amazon, Google, even the IRD and NZ Post, he said.

 

“More people are working in the cloud and using browser-based logins to access services. As this behaviour becomes routine, people tend to let their guard down, providing an easy in for fraudsters to steal user login credentials,” said Sewell.

 

A report published by cloud security firm Avanan shows one in every 99 emails is a phishing attack, using malicious links and attachments as the main vector.

 

Closer to home, CERT NZ figures show the number of malware reports from Kiwi organisations more than doubled to 43 in the three months ended 31 December.

 

Phishing campaigns containing malware and targeting business customers of some New Zealand banks contributed to the increase. And in three incidents reported to the NCSC this year, New Zealand organisations lost nearly NZD$800,000 to ‘successful’ fraudulent invoice emails.

 

Sewell said multi-factor authentication (also known as MFA) helped reduce credential theft – one of the main prizes from phishing attacks – by requiring users to authenticate themselves to a website by another method, in addition to the standard username and password login procedure.

 

However, he said the additional cost of MFA and the inconvenience to users who are quick to moan about laboured access discouraged adoption, increasing the “attack surface” for criminals.

 

“And that’s a big problem, because once the bad guys have captured a user’s credentials their behaviour goes largely unnoticed – because there isn’t anything to trigger a security alert,” said Sewell. “That gives the crims time to watch and learn, email customers with revised payment details, send out mocked-up invoices, gain the trust of contacts linked to the compromised email account, and reply to existing emails.”  

 

He said regular friendly phishing exercises, multi-factor authentication, and anti-phishing technology were essential steps in the current cybersecurity landscape, though tweaking existing policies in some cases was the fastest way to bolster defences.

 

“For example, financial policies should ensure requests to change payment details are authorised and properly validated, without relying on email. Don’t accept emails as authorisation of payment method. And if someone keeps taking the phishing bait, maybe they’re in the wrong job,” said Sewell.

 









