The waning months of the year bring more than New Year threat predictions; they also bring warnings about Cyber Monday and online shopping threats. A new study from SilverSky shows just how unprepared online shoppers are for phishing schemes. More importantly, the study shows how those email spoofs end up hurting a company’s security efforts.
It all comes down to overconfidence. Overwhelmingly, employees are positive that they know the difference between a real email and a phishing email, as the SilverSky blog pointed out:
“A whopping 98 percent are confident they could spot a spoofed email, yet when presented with a blatantly fake email as part of our study, only 70 percent could say for sure that the FedEx email included in the survey was a fake.”
On the plus side, 70 percent of those confident employees aren’t falling for a scam. However, the other 28 percent were sure that they knew the difference, but couldn’t tell. That’s still a pretty high percentage of employees who are putting your network at risk of a malware attack or potential breach.
Obviously, phishing schemes are a problem throughout the year, and new ones always pop up online this time of year. For example, I’ve seen a lot of WhatsApp phishing mails in my inbox lately, something I hadn’t seen before last month. But this is the time of year when the bad guys ramp up their efforts, taking advantage of the number of people who will be shopping online between now and December 25.
What makes this year’s holiday-related phishing scams more worrisome for companies is the increasing number of people who are using their personal devices for work. SilverSky found that the vast majority of IT departments have security policies in place that warn employees about phishing schemes and spoofed Web sites. However, it is a lot harder to spot spoofed sites and phishing mail when using a mobile device. The tricks you learn to tell the difference when using your desktop or laptop computer don’t work as well on a phone or tablet.
Does your company have a policy in place or an education program that teaches employees how to protect themselves from being scammed on their mobile devices? If not, perhaps it should.