How companies help cyber criminals conduct phishing attacks

Companies are increasingly being targeted by sophisticated spear phishing attacks that trick members of a chosen organization into downloading malware or surrendering sensitive data. And many businesses are helping criminals succeed. 

Businesses have to be careful about what information about them is posted online. One risk is that employees might accidentally post sensitive or confidential information for the public to see.

But beyond those obvious leaks of sensitive data, revealing too much on public webpages and social networking sites carries another danger: that cybercriminals might use that information to conduct highly targeted spear phishing attacks.

In those attacks, cyber criminals conduct research about an organization to craft their campaigns. And the more information that’s publicly available, the easier their job will be.

The Department of Homeland Security (DHS) recently sent out a warning about phishing attacks that use publicly available data to increase the likelihood that recipients will fall for them.

The warning was prompted by an attack last year in which 11 energy companies received sophisticated phishing emails.

The messages came seemingly from a known sender and purported to carry information about a change in the sender’s contact information. The link to retrieve that info, though, led to malware.

According to the DHS, the scam was made possible after one company listed on its website the names of several attendees of a recent energy conference, along with their email addresses.

Train users to guard against phishing

Fortunately, no breaches occurred as a result of that campaign. But the attempt does reveal the new ways hackers are conducting phishing scams.

Experts warn organizations to consider limiting the availability of information that might be harvested by cyber criminals to conduct phishing attacks, including:

  • Employee names and job titles
  • Email addresses
  • Internal project names, and
  • Organizational structures.

In addition, organizations should train users to spot those phishing attempts when they land in their inboxes. Here are some tips IT can pass along:

  1. Never send passwords, Social Security numbers, company or personal financial information, or other confidential data in an email message. Remember that financial institutions, government agencies and other organizations will typically never ask for sensitive information to be sent via email.
  2. Don’t click on any links — often a URL will be embedded in text with the address of a legitimate site but lead to a fake or malicious site. Navigate to the web page manually instead.
  3. Read the URL carefully — backwards and forwards. In many spear phishing emails and link that looks legitimate will actually be a slightly misspelled version of the true URL.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy