When it comes to stealing valuable data, such as employee access credentials or customer financial information, cybercriminals' creativity seems to know no bounds, and email privacy systems are often forced into a reactive position. Here are two ways cyberattackers are getting past email privacy defenses in order to make off with your data—and how you can defend against them.
1. Social Media = A Social Engineering Jackpot
Facebook, Twitter, LinkedIn, Instagram and the like are fertile ground for scammers to harvest the kind of information they need to launch a truly convincing spear phishing attack against your customers' employees. Too many users let their guard down on these sites, approving friend requests and collecting contacts at the click of a button, whether or not they know the people behind the profiles. And too many users post too much personal information on such sites.
Not only can scammers harvest information about their targets from social networking sites, but they can also use these sites as vectors to spread malicious software or to lure users to malicious websites. Once a profile is part of a user's social network, that profile automatically enjoys the user's trust. A tantalizingly titled video clip or news link posted to the malicious profile's feed and shared with its connections can lead to compromised machines all over.
2. Spear Phishing: It's Not Just for Hawaiian Vacations
You've probably already heard of phishing, the practice of using emails that look as if they originate from a trusted sender, such as PayPal, but are set up to take recipients to a malicious website that will steal their login credentials. Most people are savvy enough to spot a phishing scam these days. Spear phishing is something more targeted and more insidious.
In a spear phishing attack, the cybercriminal has already gathered information about the target or the organization, usually from social networking sites like LinkedIn or Facebook. The scammer uses this information to impersonate a person or entity that the target knows and so gain access to confidential information. For example, the scammer may pretend to be a member of the target's IT department, requesting a login and password in order to perform some necessary upgrade.
What You Can Do to Minimize the Threat
User education is key to preventing social engineering and spear phishing scams from taking hold at your customers' organizations. As your customers' trusted security advisor, stress the importance of making sure that all workers with access to critical or confidential internal systems are able to identify and avoid common email and social media scams. Educating users on the importance of maintaining personal privacy on social media accounts is also vital. Of course, user education isn't an organization's only defense against cybercriminals out to steal corporate data. Technology also plays a role.
Are you ready to find out how state-of-the-art email privacy systems can help safeguard your customers' security? Speak to an Ingram Micro security expert today.