Identify and protect your “very attacked people” (VAP) as attackers look for high value targets.
Speaking at Infosecurity Europe in London, Paul Down, senior director at Proofpoint, said that when attackers wanted information or money a year ago, they would run a mass email campaign using automated bots. This year, however, they are not: instead of emailing “info@” addresses, campaigns are now better researched and targeted.
Down said that VAPs are typically “high value executives” such as the CEO, who do not have high levels of account privilege but do have access to financial information. Meanwhile a “high access user” has sign-off on accounts and information, and is a target for the value or information they control.
The top 20 email addresses for a VAP are typically led by a PR manager, as they are very public and listed on every website. “They go for PR@, or accounts@, or sales@ as they have a wide distribution list, and we typically see a 40% click rate on threats delivered to untrained people, so why not do mass email to info@ as many will see it,” he said.
Down said that the CEO is “a lot less targeted” but is more likely to be sent a business email compromise (BEC) email or a banking Trojan. “The attackers are not looking to compromise the endpoint or perimeter, but target a person,” he said.
Pointing to Proofpoint's State of the Phish research, Down said that 30-40% of respondents knew what phishing is, and that people aged 22-37 (millennials) are more likely to click.
Research also showed that people in commercial positions (19%) are more likely to fail at detecting a phishing email, followed by purchasing (14%), communication (13%) and sales (13%).
Down concluded by saying that a focus on “people-centric risk reduction” will enable you to determine your level of risk in the organization and identify your VAPs and high-risk people.
“Think on changing behavior and risks,” he said, explaining that simulated phishing exercises can be sourced for free and that if a user fails, you should reply immediately with a message that states “you shouldn’t click that, it was a simulated phish, we will send you some training now”, because they will not remember the email the following week.
“Once an employee is phished and trained, they become the last line of defense and the best format to report phishes that do come through.”
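The people-centric process described above, as a worked example added here (this is not Proofpoint's code or tooling, and the talk gives no formula): rank recipient addresses by real threat volume to produce a candidate VAP list, measure simulated-phish click rates per department, and build a feedback queue that flags clickers whose "you shouldn't click that" message is being sent too late to be remembered. The threat log, simulation results, user names, addresses and the one-day feedback window are all constructed assumptions.

```python
"""Simulated-phish triage helper (added example, not Proofpoint's code).

Assumptions, not from the talk: a log of real threats per recipient
address, a list of per-user simulation results, and a one-day window
after which feedback is considered too late to change behaviour.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample threat log: (recipient address, threat category).
THREAT_LOG: List[Tuple[str, str]] = [
    ("pr@example.com", "credential phish"),
    ("pr@example.com", "credential phish"),
    ("pr@example.com", "malware"),
    ("accounts@example.com", "bec"),
    ("accounts@example.com", "banking trojan"),
    ("ceo@example.com", "bec"),
    ("sales@example.com", "credential phish"),
]

# Constructed simulated-phish results: (user, department, click time or None).
SIM_SENT_AT = datetime(2019, 6, 5, 9, 0)
SIM_RESULTS: List[Tuple[str, str, Optional[datetime]]] = [
    ("alice", "sales", datetime(2019, 6, 5, 9, 14)),
    ("bob", "sales", None),
    ("carol", "purchasing", datetime(2019, 6, 5, 10, 2)),
    ("dave", "engineering", None),
    ("erin", "engineering", None),
]

# Assumption: feedback later than this is stale (the talk only says "the following week").
FEEDBACK_WINDOW = timedelta(days=1)
NOW_SAME_DAY = datetime(2019, 6, 5, 11, 0)   # feedback sent two hours after the exercise
NOW_NEXT_WEEK = datetime(2019, 6, 12, 9, 0)  # feedback sent a week later

FEEDBACK_TEXT = ("You shouldn't click that, it was a simulated phish; "
                 "we will send you some training now.")


def rank_most_attacked(threat_log: List[Tuple[str, str]], top_n: int = 3):
    """Candidate VAP list: addresses ordered by number of real threats received."""
    counts = Counter(address for address, _category in threat_log)
    return counts.most_common(top_n)


def click_rate_by_department(results) -> Dict[str, float]:
    """Fraction of simulated phishes clicked, per department."""
    sent: Dict[str, int] = defaultdict(int)
    clicked: Dict[str, int] = defaultdict(int)
    for _user, dept, clicked_at in results:
        sent[dept] += 1
        if clicked_at is not None:
            clicked[dept] += 1
    return {dept: clicked[dept] / sent[dept] for dept in sent}


def feedback_queue(results, now: datetime) -> List[dict]:
    """Users who clicked, with the feedback text and a flag when it is overdue."""
    queue = []
    for user, dept, clicked_at in results:
        if clicked_at is None:
            continue  # did not fail the exercise; nothing to send
        queue.append({
            "user": user,
            "department": dept,
            "overdue": now - clicked_at > FEEDBACK_WINDOW,
            "message": FEEDBACK_TEXT,
        })
    return queue


if __name__ == "__main__":
    print("Most attacked addresses:", rank_most_attacked(THREAT_LOG, 2))
    print("Click rate by department:", click_rate_by_department(SIM_RESULTS))
    for entry in feedback_queue(SIM_RESULTS, NOW_NEXT_WEEK):
        status = "OVERDUE" if entry["overdue"] else "on time"
        print(f"{entry['user']} ({entry['department']}): {status}")
```

The overdue flag is the operational point: the queue is meant to be drained the same day the exercise runs, so an entry still flagged a week later is a process failure, not a user one.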