Employees Largely Fail in Recognizing Phishing E-mails

According to e-mail security specialists at Redspin Inc., the news about network security at large organizations is not encouraging: the company's social engineering assessments showed that corporate employees responded to scam e-mails, particularly phishing e-mails, and that a high percentage failed to maintain security.

Redspin, an information security assessment firm, states that it carried out several hundred social engineering assessments for big organizations and financial institutions, which included e-mail-based phishing. It found that 94% of the organizations assessed for social engineering attacks had at least one staff member who succumbed to a phishing e-mail, implying a failure rate of 22% among employees. The company further reported that one organization had a failure rate beyond 100%, as its employees, in their zeal to cooperate, even forwarded the hoax messages to co-workers.

An e-mail test conducted by Redspin typically involves spoofing an e-mail from the IT division and sending employees a fake web link that purports to relate to a new web-based e-mail system. The web page asks for the user's log-in details. Employees who supply their usernames and passwords have failed the test. Indeed, one employee, believing the e-mail was from his IT division, enthusiastically replied to Redspin to express gratitude for the supposed web-mail.

Another social engineering test that Redspin conducts involves handing out free thumb drives, a medium that hackers could use to spread spyware and malware. In one instance during August 2009, the NCUA (National Credit Union Administration) complained that member CUs were receiving parcels, supposedly from the NCUA, containing CD-ROMs with malicious programs. The CD-ROMs had actually been sent by Microserved, a company that was authorized to test how CUs would respond to a similar attack in reality.

Redspin stated that after handing over the test results on employees' responses to the respective organizations, it recommended that they start a program to raise employee awareness of fundamental security and strictly enforce a well-written, easy-to-understand security policy.

SPAMfighter News - 10/5/2009



