You’ve heard time and time again about phishing attacks. Nefarious characters send sophisticated-looking emails, hoping to entice recipients to click on a link or open an attachment. One small move allows the criminals to unleash havoc on an individual computer, a network, or even more.
Despite repeated warnings by employers, security experts and, no doubt, family members, we continue to fall victim to phishing. It’s apparently just too tempting to ignore a link or attachment, particularly one in an email that purports to come from a bank, credit card company or other business that we may actually do business with.
The US Postal Service provides a case in point. About a year ago, hackers used an email attack to breach USPS employee information. As the New York Times reported last November, the criminals gained access to names, birthdates, addresses and Social Security numbers for more than 800,000 current and past employees—from top executives to postal clerks.
Did Postal Service employees learn from the attack? Apparently, some did not.
Just a few months after the breach, the USPS Office of Inspector General performed a test to see what would happen. Nextgov reports this week that the office sent bogus emails to a sample population of more than 3,000 USPS employees. And guess what? 25 percent of them clicked on a phony link in the faux-phishing email.
And whether they clicked or not, hardly anyone—only seven percent—reported the incident, as they’re required to do.
Why? According to the Office of Inspector General, “of 3,125 employees in our sample, 2,986 (96 percent) did not complete the annual information security awareness training…In addition, 750 of 789 employees in our sample who clicked on the link in the phishing email (95 percent) did not complete the training.”
What this tells me is that the employee security training that so many corporate and government employees are required to complete may actually provide value.
It’s worth noting that a phishing email can be made to look like it came from a colleague. Hackers can simply go online to figure out a company’s email address naming convention, such as email@example.com. With this information, the hacker can send a legitimate-looking email to a specific employee who, understandably, may think it originated from within the company. Such personalized attacks are called spear phishing. One innocent click later, trouble ensues.
None of us is immune to phishing schemes. Stay on guard. Even if you receive an email that appears to originate from a business with which you have an account or relationship, don’t assume it’s legitimate. Rather than clicking the link in an email, type the URL into your Internet browser yourself. It takes only one false step—or click—to expose yourself, your family or your company to a breach or other type of cyberattack. You don’t want to be the one to do it.