Email From a Friend Might Not Be What You Think


Thirty-seven percent of social media users don’t bother to research or check the identities of the people they connect with on sites such as LinkedIn or Facebook, according to a study published by the security firm Avecto. Attackers exploit that unchecked trust through spear phishing, which is the starting point of 90% of cyberattacks and related data breaches.

Spear phishing is when an attacker targets a specific person within an organization and/or pretends to be someone in that or another organization in order to convince an otherwise trusting person to give up sensitive or confidential information.

Attackers often find what they need to start the scam by perusing social media. LinkedIn, for example, contains a wealth of information about its users: not only the name of a user’s employer, but also their job title and duties. Many times, even their manager’s name and the vendors they do business with can be found in their profile. This leaves the door wide open for a cybercrime.

Spear phishing is a growing trend. It has successfully worked for cyberthieves in getting money transferred to their accounts and W-2 and payroll information sent to them, and it has helped them gather enough information to cost companies over $3.1 billion in business email compromise and whaling scams, per the FBI. It isn’t going away any time soon.

Avecto contacted 1,000 daily internet users and found that while 65% were suspicious of clicking links sent in email by unknown senders, a whopping 68% had no concerns about doing the same when the message supposedly came from a colleague, friend, or vendor/supplier. This is frightening, since it is very easy to send an email that appears to be from one person but is in fact from another.

Once a cybercriminal has the information, it doesn’t take long for him or her to devise a scheme preying on the curiosity and trust of humans. It has worked on Seagate, Ubiquiti Networks, Sony, and many others. Humans will always be the organization’s weakest link, because we are curious and trusting.

Having a training and awareness program is an important step in protecting your company’s information. Include information on how to identify a potential phishing attack and what to do in case of an accidental click. Once these points have been stressed to everyone who connects to the network, test the program to ensure it has been understood. After all, what good is providing the information if you don’t know it works?

A Today Show video shows you how easy it is to get fooled.