<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Scale to the One</title>
	<atom:link href="https://scaletotheone.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://scaletotheone.com</link>
	<description>Just another WordPress site</description>
	<lastBuildDate>Fri, 02 Sep 2022 16:33:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.2</generator>
	<item>
		<title>Phishing Emails Impersonating LinkedIn Surge by 232% Amid &#8216;Great Resignation&#8217;</title>
		<link>https://scaletotheone.com/phishing-emails-impersonating-linkedin-surge-by-232-amid-great-resignation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=phishing-emails-impersonating-linkedin-surge-by-232-amid-great-resignation</link>
					<comments>https://scaletotheone.com/phishing-emails-impersonating-linkedin-surge-by-232-amid-great-resignation/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 31 Aug 2022 00:49:28 +0000</pubDate>
				<category><![CDATA[Email Phishing]]></category>
		<category><![CDATA[Phishing Attack]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=276</guid>

					<description><![CDATA[Email phishing attacks impersonating LinkedIn have increased by 232% since February 1, 2022, according to Egress.

The cybersecurity vendor said this surge is linked to the so-called ‘Great Resignation,’ in which record numbers of employees are leaving their jobs and searching for new opportunities amid the COVID-19 crisis. For example, a record number of Americans left their jobs in 2021 for new opportunities.]]></description>
										<content:encoded><![CDATA[<p>Vast numbers of jobseekers use LinkedIn to find and apply for new positions, and the researchers revealed that cyber-attackers are increasingly leveraging the professional social networking site to socially engineer victims into clicking on phishing links and then entering their credentials into fraudulent websites.</p>
<p>The sophisticated attacks all follow a similar pattern – using webmail addresses with a LinkedIn display name – while the phishing emails are sent from separate webmail accounts that have zero correlation to each other. They also use subject lines similar to those used by the social networking site, including: ‘You appeared in 4 searches this week,’ ‘You have 1 new message,’ ‘Your profile matches this job’ and ‘Who’s searching for you online.’</p>
<p>In addition, the attackers are using multiple stylized HTML templates to make them appear genuine, such as the LinkedIn logo, brand colors and icons. The bottom of the message accurately mimics LinkedIn’s genuine email footer, with its global HQ address, hyperlinks to unsubscribe and to its support section and the recipient’s information.</p>
<p>Within the body of the email, other well-known organizations’ names are used, including American Express and CVS Carepoint. When the links are clicked, the victim is taken to a website that harvests their LinkedIn log-in credentials.</p>
<p>Egress said the attacks successfully bypass traditional email security defenses to reach people’s inboxes. Currently, it is unknown whether the attacks are being conducted by a single cyber-criminal or a gang operating together.</p>
<p>Egress VP of threat intelligence Jack Chapman explained: “Current employment trends help to make this attack more convincing. ‘The Great Resignation’ continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands. While the display name is always LinkedIn and the emails all follow a similar pattern, the <a href="https://scaletotheone.com/microsoft-365-phishing-attack-makes-comeback/">phishing attacks</a> are sent from different webmail addresses that have zero correlation with each other. Currently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.</p>
<p>“The targets vary, covering companies in both North America and the UK, and operating within different industries. LinkedIn states it has over 810 million members in more than 200 countries, which provides an extensive victim pool for cyber-criminals. Many professionals choose to include their corporate email address within their profile, and many regularly receive update communications from LinkedIn. Consequently, they could be more trusting of a stylized <a href="https://scaletotheone.com/email-threats-phishing-attacks-find-new-ways-to-trick-victims/">phishing email</a>. The cyber-criminal(s) involved has likely used a legitimate LinkedIn email as their starting point for these attacks. They have used branded elements, including the current LinkedIn logo, to make the phishes more convincing.”</p>
<p>Responding to the findings, a LinkedIn spokesperson highlighted measures the firm has put in place to protect its members from such impersonation attacks: “Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on <a href="https://www.linkedin.com/help/linkedin/answer/544/turn-two-step-verification-on-and-off?lang=en" target="_blank" rel="noopener" data-feathr-click-track="true">two-step verification</a>. To learn more about how members can identify phishing messages, see our Help Center <a href="https://www.linkedin.com/help/linkedin/answer/5342/phishing-emails?lang=en" target="_blank" rel="noopener" data-feathr-click-track="true">here</a>.&#8221;</p>
<p>Yesterday, Barclays released <a href="https://www.infosecurity-magazine.com/news/barclays-scams-surged-quarter/" target="_blank" rel="noopener" data-feathr-click-track="true">new research</a> on scams, which found nearly two-thirds (64%) of Brits would be more likely to comply with a request if it came from a high-profile institution.</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on infosecurity-magazine.com on February 16, 2022. Written by James Coker.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/phishing-emails-impersonating-linkedin-surge-by-232-amid-great-resignation/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable</title>
		<link>https://scaletotheone.com/new-browser-in-the-browser-bitb-attack-makes-phishing-nearly-undetectable/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-browser-in-the-browser-bitb-attack-makes-phishing-nearly-undetectable</link>
					<comments>https://scaletotheone.com/new-browser-in-the-browser-bitb-attack-makes-phishing-nearly-undetectable/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 31 Aug 2022 00:39:04 +0000</pubDate>
				<category><![CDATA[Phishing Attack]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=273</guid>

					<description><![CDATA[A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser in order to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks.]]></description>
										<content:encoded><![CDATA[<p>According to a penetration tester and security researcher who goes by the handle <a href="https://twitter.com/mrd0x" target="_blank" rel="noopener">mrd0x</a> on Twitter, the method takes advantage of third-party single sign-on (<a href="https://en.wikipedia.org/wiki/Single_sign-on" target="_blank" rel="noopener">SSO</a>) options embedded on websites, such as &#8220;Sign in with Google&#8221; (or Facebook, Apple, or Microsoft).</p>
<p>While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack aims to replicate this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window.</p>
<p>&#8220;Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it&#8217;s basically indistinguishable,&#8221; mrd0x <a href="https://mrd0x.com/browser-in-the-browser-phishing-attack/" target="_blank" rel="noopener">said</a> in a technical write-up published last week. &#8220;JavaScript can be easily used to make the window appear on a link or button click, on the page loading etc.&#8221;</p>
<p>Interestingly, the technique has been abused in the wild at least once before. In February 2020, Zscaler <a href="https://www.zscaler.com/blogs/security-research/fake-sites-stealing-steam-credentials" target="_blank" rel="noopener">disclosed</a> details of a campaign that leveraged the BitB trick to siphon credentials for video game digital distribution service Steam by means of fake Counter-Strike: Global Offensive (CS: GO) websites.</p>
<p>&#8220;Normally, the measures taken by a user to detect a phishing site include checking to see if the URL is legitimate, whether the website is using HTTPS, and whether there is any kind of <a href="https://thehackernews.com/2020/08/magecart-homograph-phishing.html" target="_blank" rel="noopener">homograph</a> in the domain, among others,&#8221; Zscaler researcher Prakhar Shrotriya said at the time.</p>
<p>&#8220;In this case, everything looks fine as the domain is steamcommunity[.]com, which is legitimate and is using HTTPS. But when we try to drag this prompt from the currently used window, it disappears beyond the edge of the window as it is not a legitimate browser pop-up and is created using HTML in the current window.&#8221;</p>
<p>While this method makes it significantly easier to mount effective <a href="https://github.com/mrd0x/BITB" target="_blank" rel="noopener">social engineering campaigns</a>, it&#8217;s worth noting that potential victims still need to be redirected to a phishing domain that can display such a fake authentication window for credential harvesting.</p>
<p>&#8220;But once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so),&#8221; mrd0x added.</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on thehackernews.com on March 21, 2022. Written by Ravie Lakshmanan.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/new-browser-in-the-browser-bitb-attack-makes-phishing-nearly-undetectable/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Phishing Top Threat to US Healthcare</title>
		<link>https://scaletotheone.com/phishing-top-threat-to-us-healthcare/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=phishing-top-threat-to-us-healthcare</link>
					<comments>https://scaletotheone.com/phishing-top-threat-to-us-healthcare/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 24 Aug 2022 01:01:23 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Phishing Attack]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=264</guid>

					<description><![CDATA[New research by the Healthcare Information and Management Systems Society (HIMSS) has found phishing and ransomware attacks are the most significant security incidents impacting healthcare organizations of all types.]]></description>
										<content:encoded><![CDATA[<p>The finding emerged from the <em>2021 HIMSS Healthcare Cybersecurity <a href="https://www.himss.org/resources/2021-himss-healthcare-cybersecurity-survey-report" target="_blank" rel="noopener" data-feathr-click-track="true">Survey</a></em> that questioned 167 healthcare cybersecurity professionals about security incidents their organizations had experienced in the past twelve months.</p>
<p>Nearly half (45%) said the most significant security breach they had experienced in the previous twelve months was a phishing attack, while a further 17% named ransomware as their worst aggressor.</p>
<p>Asked about the cause of their most significant breach, more than half (57%) said phishing was to blame. Negligent insider activity was named by 7% of respondents as the cause of the most significant security incident.</p>
<p>While email-based <a href="https://scaletotheone.com/microsoft-365-phishing-attack-makes-comeback/">phishing attacks</a> accounted for most (71%) of the significant security breaches, 27% had suffered a significant vishing (voice phishing) incident and 21% said they had been the victim of a significant smishing (SMS phishing) attack.</p>
<p>In 15% of attacks, the initial point of compromise occurred through social engineering. However, the most common route into an organization for attackers was <a href="https://scaletotheone.com/phishing-emails-targeting-linkedin-accounts-are-on-the-rise-heres-what-to-watch-out-for/">phishing</a>, which accounted for 71% of attacks.</p>
<p>Other key findings were that human error was the cause of 19% of data breaches. A further 15% of breaches were pinned on the use of legacy software that is no longer supported.</p>
<p>Asked about the impact of security breaches, 32% said breaches disrupted systems that impacted business operations. More than a quarter (26%) said security breaches disrupted IT systems, and 22% said security breaches resulted in data breaches or data leakage.</p>
<p>Fewer respondents (21%) said security breaches impacted clinical care, and only 17% said the most significant security incident resulted in financial loss.</p>
<p>HIMSS said: &#8220;The findings of the 2021 HIMSS Healthcare Cybersecurity Survey suggest that healthcare organizations still have significant challenges to overcome.</p>
<p>&#8220;These barriers to progress include tight security budgets, growing legacy footprints and the growing volume of cyber-attacks and compromises.&#8221;</p>
<p>The society said that while basic security controls have not been fully implemented at many organizations, &#8220;perhaps the largest vulnerability is the human factor.&#8221;</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on infosecurity-magazine.com on February 17, 2022. Written by Sarah Coble.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/phishing-top-threat-to-us-healthcare/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Phishers Add Chatbot to the Phishing Lure</title>
		<link>https://scaletotheone.com/phishers-add-chatbot-to-the-phishing-lure/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=phishers-add-chatbot-to-the-phishing-lure</link>
					<comments>https://scaletotheone.com/phishers-add-chatbot-to-the-phishing-lure/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 17 Aug 2022 11:41:15 +0000</pubDate>
				<category><![CDATA[Phishing Attack]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=257</guid>

					<description><![CDATA[Researchers have discovered a new approach being taken by phishers to increase victim engagement and confidence: the addition of an interactive chatbot. We have all become accustomed to the chatbots used by many of the largest service providers – they are annoying, but something we must navigate.]]></description>
										<content:encoded><![CDATA[<p>The phishers hope that this reluctant acceptance of chatbots will help lower the attention of the target victim. The process is described in a new <a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/interactive-phishing-using-chatbot-like-web-applications-to-harvest-information/" target="_blank" rel="noopener">blog</a> post.</p>
<p>The discovery was made at Trustwave SpiderLabs. In its own telemetry it has found just the one sample, but Karl Sigler, manager of SpiderLabs’ threat intelligence notes that since the phishers have registered a series of domains for the process, it is likely to be part of a wider campaign.</p>
<p>The basic lure is the common failed DHL delivery, and the victim must still fall for this. But the victim is not immediately directed to the phishing site. Instead, the ‘please follow our instructions’ results in the delivery of a PDF with a ‘fix delivery’ button. So far, although there are red flags for the observant victim, there is nothing overtly dangerous.</p>
<p>If the victim clicks the button, he or she is sent to another website where the phishing chain begins with the introduction of a chatbot that promises to fix the delivery but really harvests personal data.</p>
<p>If the target accepts the chatbot, it continues the engagement by showing the victim a photo of the damaged package, and asks for details on how to deliver. If the victim asks to schedule delivery, a false CAPTCHA is presented to further increase confidence.</p>
<p>The next stage is to ask for a delivery address and time. An unspecified password is requested. It really doesn’t matter what password is entered – it could be a DHL account password or the user’s email account – the phisher steals it anyway along with the delivery address and the user’s email address (which he already has). The phishing has begun but is not complete.</p>
<p>The chatbot explains that the additional delivery attempt is an additional service that requires payment – so a credit card payment page is displayed. The amount is small. If the victim has been taken in so far, the payment is not unreasonable. Paying for the fake redelivery gives up the phisher’s real target – bank card details.</p>
<p>There then follows a strange procedure – the phisher says an OTP verification code has been sent to the victim. But the phisher hasn’t yet asked for the victim’s phone number, so this could not happen. “Putting in random characters will just redirect you to the same page stating that the security code is no longer valid,” write the researchers. “On the fifth try, however, the page redirects to another page saying that the submission was successfully received. This marks the end of the perpetrator’s phishing chain.”</p>
<p>We are left with a somewhat puzzling phishing attack. It seems sophisticated but lacking in some very easy detail that could improve it. It would be easy, indeed logical, to ask for the victim’s phone number for the OTP token. The fact that the chatbot is going to send a token to a phone number that hasn’t been given could be a serious red flag. At the same time, the phisher no longer really cares since he already has the details he was after.</p>
<p>However, an apparently functioning OTP would give the victim greater confidence in the validity of the process. With no concerns, the victim may easily give no further thought to the occurrence until non-delivery of the non-existent package (if ever) – giving the phisher ample time to collect the user details. The obviously flaky OTP process could, however, spark sufficient concern for the victim to contact his or her bank.</p>
<p>This combination of sophistication with a certain level of incompleteness raises the question of whether this is really an attack methodology still in development. It is certainly possible that this sample will mark the beginning of a wider and more sophisticated use of chatbots in <a href="https://scaletotheone.com/phishing-emails-targeting-linkedin-accounts-are-on-the-rise-heres-what-to-watch-out-for/">phishing campaigns</a>. However, Trustwave’s Sigler has a slightly different view.</p>
<p>“Reading through the lines and with my experience,” he told <em>SecurityWeek</em>, “what this tells me is that this was a campaign first used for other purposes. They probably did have it more targeted; they probably did ask for the potential victim’s phone number and then sent them an OTP code to try and capture that. But what the phishers are doing here is they’re reusing the same infrastructure from a more targeted campaign for more general purposes. This could be some minor group that just bought this package from some malware-as-a-service or some dark web link and are trying their best to use it as they can, even though certain components of it don’t really make sense to the victims they’re targeting.”</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on securityweek.com on May 19, 2022. Written by Kevin Townsend.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/phishers-add-chatbot-to-the-phishing-lure/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Do phishing simulations work? Sometimes</title>
		<link>https://scaletotheone.com/do-phishing-simulations-work-sometimes/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=do-phishing-simulations-work-sometimes</link>
					<comments>https://scaletotheone.com/do-phishing-simulations-work-sometimes/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 27 Jul 2022 08:46:31 +0000</pubDate>
				<category><![CDATA[Phishing Simulation]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Phishing Attack]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=239</guid>

					<description><![CDATA[A full 89 percent of organizations experienced one or more successful email breaches during the previous 12 months, translating into big-time costs.]]></description>
										<content:encoded><![CDATA[<p>An overwhelming number of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware.</p>
<p>That’s according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research, which examined concerns with phishing, business email compromise (BEC), and <a href="https://scaletotheone.com/over-620-million-ransomware-attacks-detected-in-2021/">ransomware threats</a>, attacks that became costly incidents, and preparedness to deal with attacks and incidents.</p>
<p>“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to <a href="https://www.cyren.com/2022_04_rpt_osterman" target="_blank" rel="noopener">the report</a>, released Wednesday.</p>
<p>Less than half of those surveyed said that their organizations can block delivery of email threats. And, correspondingly, less than half of organizations rank their currently deployed email security solutions as effective.</p>
<p>Protections against impersonation threats are viewed as least effective, followed by measures to detect and block mass-mailed phishing emails.</p>
<p>Thus, it’s perhaps no surprise that almost all of the organizations polled have experienced one or more types of email breaches.</p>
<p>In fact, 89 percent of organizations experienced one or more successful email breach types during the previous 12 months. And, the number of email breaches per year has almost doubled since 2019, according to the report, most of them due to successful <a href="https://scaletotheone.com/microsoft-365-phishing-attack-makes-comeback/">phishing attacks that compromised Microsoft 365</a> credentials.</p>
<p>Overall, according to the survey, successful ransomware attacks have increased by 71 percent in the last three years, Microsoft 365 credential compromise increased by 49 percent and successful phishing attacks increased by 44 percent.</p>
<h2><strong>Ineffective Defensive Approaches</strong></h2>
<p>Digging into where email defense breaks down, the firms found that, surprisingly, use of email client plug-ins for users to report suspicious messages continues to increase. Half of organizations are now using an automated email client plug-in for users to report suspicious email messages for analysis by trained security professionals, up from 37 percent in a 2019 survey.</p>
<p>Security operations center analysts, email administrators, and an <a href="https://scaletotheone.com/most-email-security-approaches-fail-to-block-common-threats/">email security</a> vendor or service provider are the groups most commonly handling these reports, although 78 percent of organizations notify two or more groups.</p>
<p>Also, user training on email threats is now offered in most companies, the survey found: More than 99 percent of organizations offer training at least annually, and one in seven organizations offer email security training monthly or more frequently.</p>
<p>“Training more frequently reduces a range of threat markers. Among organizations offering training every 90 days or more frequently, the likelihood of employees falling for a phishing, BEC or ransomware threat is less than organizations only training once or twice a year,” according to the report.</p>
<p>Further, the survey found that more frequent training results in more messages being reported as suspicious, and a higher share of these suspicious messages proving to be malicious after analysis by a security professional.</p>
<p>So far so good. So where’s the breakdown? One concerning finding: Only about a fifth (22 percent) of organizations analyze all reported messages for maliciousness.</p>
<p>“How employees should determine the maliciousness of reported messages by themselves when they do not receive a verdict from security professionals is unclear,” according to the firms.</p>
<p>Across the board, the survey also showed that organizations are using at least one additional security tool to complement the basic email protections offered in Microsoft 365. However, their implementation efficacy varies, the survey found.</p>
<p>“Additive tools include Microsoft 365 Defender, security awareness training technology, a third-party secure email gateway or a third-party specialized anti-phishing add-on,” the report explained. “There is a wide range of deployment patterns with the use of these tools.”</p>
<p>The firms concluded that these kinds of holes and ineffective defenses in general translate into major costs for organizations.</p>
<p>“Costs include post-incident remediation, manual removal of malicious messages from inboxes, and time wasted on triaging messages reported as suspicious that prove to be benign,” according to the report. “Organizations face a range of other costs too, including alert fatigue, cybersecurity analyst turnover and regulatory fines.”</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on <a class="ProsemirrorEditor-link" href="http://thehackernews.com/" target="_blank" rel="noopener">techtarget.com</a> in May 2022. Written by Isabella Harford.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/do-phishing-simulations-work-sometimes/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>U.S. DoD tricked into paying $23.5 million to phishing actor</title>
		<link>https://scaletotheone.com/u-s-dod-tricked-into-paying-23-5-million-to-phishing-actor/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=u-s-dod-tricked-into-paying-23-5-million-to-phishing-actor</link>
					<comments>https://scaletotheone.com/u-s-dod-tricked-into-paying-23-5-million-to-phishing-actor/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 20 Jul 2022 12:34:29 +0000</pubDate>
				<category><![CDATA[Phishing Attack]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=232</guid>

					<description><![CDATA[The U.S. Department of Justice (DoJ) has announced the conviction of Sercan Oyuntur, 40, resident of California, for multiple counts relating to a phishing operation that caused $23.5 million in damages to the U.S. Department of Defense (DoD).]]></description>
										<content:encoded><![CDATA[<p>The fraudster managed to divert to his personal bank account DoD funds destined for a jet fuel supplier.</p>
<p>After an eight-day trial in Camden, California, Oyuntur was found guilty of conspiracy to commit wire, mail, and bank fraud, unauthorized device access, aggravated identity theft, and making false statements to federal law enforcement officers.</p>
<h2>Phishing operation</h2>
<p>According to the <a href="https://www.documentcloud.org/documents/21823782-us-complaint-oyuntur?responsive=1&amp;title=1" target="_blank" rel="nofollow noopener">criminal complaint</a> against Oyuntur in 2019, the damage from the phishing fraud occurred in September 2018.</p>
<p>Oyuntur and his conspirators registered the domain &#8220;dia-mil.com&#8221;, which is very similar to the legitimate &#8220;dla.mil&#8221;, and used it to send <a href="https://scaletotheone.com/phishing-emails-targeting-linkedin-accounts-are-on-the-rise-heres-what-to-watch-out-for/">phishing emails</a>.</p>
<p>These emails were delivered to users of SAM (System for Award Management), which is a vendor database where companies that want to conduct business with the Federal Government register themselves.</p>
<p>The phishing messages contained links to a cloned &#8220;login.gov&#8221; website, where the victimized vendors entered their account details, unknowingly exposing them to Oyuntur.</p>
<p>In at least one confirmed case, Oyuntur logged onto one of the stolen accounts belonging to a corporation from Southeast Asia that had 11 active contracts of fuel provision for the United States military at the time.</p>
<p>One of them was a $23,453,350 contract with a pending payment for the provision of 10,080,000 gallons of jet fuel to the U.S. DoD.</p>
<p>By logging onto the SAM database as the victimized corporation, Oyuntur changed the registered banking information, replacing the foreign account with one that he controlled.</p>
<h2>Attempting to overcome safeguards</h2>
<p>At the time, DoD&#8217;s EBS servers featured a security system that scanned the SAM database every 24 hours for bank account changes and blocked payments of outstanding invoices that met specific risk criteria.</p>
<p data-inc="1">The conspirators stumbled upon this problem following the bank account change and resorted to calling the DLA (Defense Logistics Agency), delivering false explanations, and requesting the manual approval of the financial information changes.</p>
<p>In October 2018, the payment went through. Oyuntur and his conspirators used falsified invoices of a dealership&#8217;s car sales to forge a seemingly legitimate source for the hefty sum.</p>
<p>&#8220;As part of his participation in the scheme, Oyuntur worked closely with another conspirator, Hurriyet Arslan, who owned a used car dealership, Deal Automotive Sales, in Florence, New Jersey.&#8221;</p>
<p>&#8220;Arslan opened a separate shell company based in New Jersey for use in the criminal scheme, obtained a cell phone number for the shell company, hired another person to pose as the shell company&#8217;s owner, and opened a bank account in the name of the shell company&#8221; &#8211; the <a href="http://www.justice.gov/usao-nj/pr/california-man-found-guilty-conspiracy-steal-payments-us-department-defense-bank-fraud" target="_blank" rel="nofollow noopener">U.S. Department of Justice</a></p>
<p>&nbsp;</p>
<p>However, the dealership used in the scheme wasn&#8217;t a government contractor and wasn&#8217;t registered on SAM, so the transaction was still a mismatch for the automated checking systems in place.</p>
<p>As a result, an investigation was launched, gradually uncovering all of the steps in the fraud, identifying one of Oyuntur&#8217;s conspirators, Hurriyet Arslan, the owner of the car dealership, and reverting the transaction.</p>
<p>Arslan pleaded guilty to conspiracy, bank fraud, and money laundering in January 2020 and is scheduled to be sentenced this summer.</p>
<p>Oyuntur faces a maximum potential penalty of 30 years in prison and a maximum fine of $1,000,000 or twice the gross profit or loss resulting from his offenses. The sentencing date has not been set yet.</p>
<p>&nbsp;</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on <a class="ProsemirrorEditor-link" href="http://bleepingcomputer.com" target="_blank" rel="noopener">bleepingcomputer.com</a> on May 2, 2022. Written by Bill Toulas.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/u-s-dod-tricked-into-paying-23-5-million-to-phishing-actor/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Most Email Security Approaches Fail to Block Common Threats</title>
		<link>https://scaletotheone.com/most-email-security-approaches-fail-to-block-common-threats/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=most-email-security-approaches-fail-to-block-common-threats</link>
					<comments>https://scaletotheone.com/most-email-security-approaches-fail-to-block-common-threats/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 13 Jul 2022 12:07:18 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Phishing Attack]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=225</guid>

					<description><![CDATA[A full 89 percent of organizations experienced one or more successful email breaches during the previous 12 months, translating into big-time costs.]]></description>
<content:encoded><![CDATA[<p>An overwhelming number of security teams believe their email security systems to be ineffective against the most serious inbound threats, including ransomware.</p>
<p>That’s according to a survey of business customers using Microsoft 365 for email commissioned by Cyren and conducted by Osterman Research, which examined concerns with phishing, business email compromise (BEC), and <a href="https://scaletotheone.com/are-you-prepared-for-2022s-more-destructive-ransomware/">ransomware threats</a>, attacks that became costly incidents, and preparedness to deal with attacks and incidents.</p>
<p>“Security team managers are most concerned that current email security solutions do not block serious inbound threats (particularly ransomware), which requires time for response and remediation by the security team before dangerous threats are triggered by users,” according to <a href="https://www.cyren.com/2022_04_rpt_osterman" target="_blank" rel="noopener">the report</a>, released Wednesday.</p>
<p>Less than half of those surveyed said that their organizations can block delivery of email threats. And, correspondingly, less than half of organizations rank their currently deployed email security solutions as effective.</p>
<p>Protections against impersonation threats are viewed as least effective, followed by measures to detect and block mass-mailed phishing emails.</p>
<p>Thus, it’s perhaps no surprise that almost all of the organizations polled have experienced one or more types of email breaches.</p>
<p>In fact, 89 percent of organizations experienced one or more successful email breach types during the previous 12 months. And the number of email breaches per year has almost doubled since 2019, according to the report, most of them due to successful phishing attacks that compromised Microsoft 365 credentials.</p>
<p>Overall, according to the survey, successful ransomware attacks have increased by 71 percent in the last three years, Microsoft 365 credential compromise increased by 49 percent and successful phishing attacks increased by 44 percent.</p>
<h2><strong>Ineffective Defensive Approaches</strong></h2>
<p>Digging into where email defense breaks down, the firms found that, surprisingly, use of email client plug-ins for users to report suspicious messages continues to increase. Half of organizations are now using an automated email client plug-in for users to report suspicious email messages for analysis by trained security professionals, up from 37 percent in a 2019 survey.</p>
<p>Security operations center analysts, email administrators, and an email security vendor or service provider are the groups most commonly handling these reports, although 78 percent of organizations notify two or more groups.</p>
<p>Also, user training on email threats is now offered in most companies, the survey found: More than 99 percent of organizations offer training at least annually, and one in seven organizations offer email security training monthly or more frequently.</p>
<p>“Training more frequently reduces a range of threat markers. Among organizations offering training every 90 days or more frequently, the likelihood of employees falling for a phishing, BEC or ransomware threat is less than organizations only training once or twice a year,” according to the report.</p>
<p>Further, the survey found that more frequent training results in more messages being reported as suspicious, and a higher share of these suspicious messages proving to be malicious after analysis by a security professional.</p>
<p>So far so good. So where’s the breakdown? One concerning finding: Only about a fifth (22 percent) of organizations analyze all reported messages for maliciousness.</p>
<p>“How employees should determine the maliciousness of reported messages by themselves when they do not receive a verdict from security professionals is unclear,” according to the firms.</p>
<p>Across the board, the survey also showed that organizations are using at least one additional security tool to complement the basic <a href="https://www.clinkitsolutions.com/ensure-business-continuity-with-o365/" target="_blank" rel="noopener">email protections offered in Microsoft 365</a>. However, the effectiveness of their implementations varies, the survey found.</p>
<p>“Additive tools include Microsoft 365 Defender, security awareness training technology, a third-party secure email gateway or a third-party specialized anti-phishing add-on,” the report explained. “There is a wide range of deployment patterns with the use of these tools.”</p>
<p>The firms concluded that these kinds of holes and ineffective defenses in general translate into major costs for organizations.</p>
<p>“Costs include post-incident remediation, manual removal of malicious messages from inboxes, and time wasted on triaging messages reported as suspicious that prove to be benign,” according to the report. “Organizations face a range of other costs too, including alert fatigue, cybersecurity analyst turnover and regulatory fines.”</p>
<p>&nbsp;</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on <a class="ProsemirrorEditor-link" href="https://threatpost.com/" target="_blank" rel="noopener">threatpost.com</a> on April 20, 2022. Written by Tara Seals.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/most-email-security-approaches-fail-to-block-common-threats/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Phishing emails targeting LinkedIn accounts are on the rise. Here&#8217;s what to watch out for</title>
		<link>https://scaletotheone.com/phishing-emails-targeting-linkedin-accounts-are-on-the-rise-heres-what-to-watch-out-for/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=phishing-emails-targeting-linkedin-accounts-are-on-the-rise-heres-what-to-watch-out-for</link>
					<comments>https://scaletotheone.com/phishing-emails-targeting-linkedin-accounts-are-on-the-rise-heres-what-to-watch-out-for/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 06 Jul 2022 14:33:24 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=219</guid>

					<description><![CDATA[Cyber criminals want usernames, passwords and other personal information - don't let them have it.]]></description>
<content:encoded><![CDATA[<p>LinkedIn users are being urged to watch out for suspicious emails because the professional networking website is one of the most popular brands targeted by <a href="https://scaletotheone.com/email-threats-phishing-attacks-find-new-ways-to-trick-victims/">cyber criminals in phishing attacks</a>.</p>
<p>According to <a href="https://blog.checkpoint.com/2022/04/19/social-networks-most-likely-to-be-imitated-by-criminal-groups-with-linkedin-now-accounting-for-half-of-all-phishing-attempts-worldwide/" target="_blank" rel="noopener noreferrer nofollow">cybersecurity researchers at Check Point</a>, who analysed phishing emails sent during the first three months of this year, over half of all <a href="https://www.zdnet.com/article/what-is-phishing-how-to-protect-yourself-from-scam-emails-and-more/" rel="follow noopener" target="_blank">phishing attacks</a> (52%) attempted to leverage LinkedIn.</p>
<p>The phishing emails are designed to look like they come from LinkedIn. If the recipient clicks the link, they&#8217;re sent to a login page designed to look like LinkedIn&#8217;s. If they enter their email address and password there, they hand those credentials to the attacker, who can then use them to log in to the victim&#8217;s LinkedIn account.</p>
<p>The attacks aren&#8217;t particularly sophisticated. But by targeting a commonly used service like LinkedIn, there&#8217;s a good chance that some of the recipients won&#8217;t spot that what they&#8217;re interacting with is a phishing attack.</p>
<p>&#8220;These phishing attempts are attacks of opportunity, plain and simple. Criminal groups orchestrate these phishing attempts on a grand scale, with a view to getting as many people to part with their personal data as possible. Some attacks will attempt to gain leverage over individuals or steal their information, such as those we&#8217;re seeing with LinkedIn,&#8221; said Omer Dembinsky, data research group manager at Check Point Software.</p>
<p>While LinkedIn was the most commonly spoofed brand for phishing attacks during the reporting period, it&#8217;s far from the only known company that cyber criminals are attempting to leverage in attacks. Some of the other brands cyber criminals spoof in phishing emails include DHL, Google, Microsoft, FedEx, WhatsApp, Amazon and Apple.</p>
<p>In many cases, the aim, like the LinkedIn attacks, is to steal usernames and passwords, although researchers warn that, in some cases, malicious links and attachments are used to <a href="https://www.zdnet.com/article/what-is-malware-everything-you-need-to-know-about-viruses-trojans-and-malicious-software/" rel="follow noopener" target="_blank">deliver malware</a>.</p>
<p>Cyber criminals send out mass-phishing campaigns <a href="https://www.zdnet.com/article/why-do-phishing-attacks-work-blame-the-humans-not-the-technology/" rel="follow noopener" target="_blank">because, unfortunately, they tend to work</a> – people are clicking malicious links and downloading attachments. But there are often tell-tale signs that an email could be a malicious phishing message.</p>
<p>&#8220;Employees should be trained to spot suspicious anomalies such as misspelled domains, typos, incorrect dates and other details that can expose a malicious email or text message. LinkedIn users, in particular, should be extra vigilant over the course of the next few months,&#8221; said Dembinsky.</p>
<p>LinkedIn provides users with the ability to use <a href="https://www.zdnet.com/article/multi-factor-authentication-use-it-for-all-the-people-that-access-your-network-all-the-time/" rel="follow noopener" target="_blank">multi-factor authentication</a>, which, if applied, can provide an extra barrier against phishing attacks.</p>
<p>&#8220;Our internal teams work to take action against those who attempt to harm LinkedIn members through phishing. We encourage members to report suspicious messages and help them learn more about what they can do to protect themselves, including turning on <a href="https://www.linkedin.com/help/linkedin/answer/544/turn-two-step-verification-on-and-off?lang=en" target="_blank" rel="noopener noreferrer nofollow">two-step verification</a>,&#8221; a LinkedIn spokesperson told ZDNet in an email.</p>
<p>&#8220;To learn more about how members can identify phishing messages, see our Help Center <a href="https://www.linkedin.com/help/linkedin/answer/5342/phishing-emails?lang=en" target="_blank" rel="noopener noreferrer nofollow">here</a>,&#8221; they added.</p>
<p>Warning signs that an email might be a phishing attempt include bad spelling or grammar, a message that isn&#8217;t addressed to you personally, or a message claiming to be urgent and demanding immediate action. Messages asking you to download an attachment to install a software update should also be treated with caution.</p>
<p>A common tactic used in phishing emails is to tell users that their account has been hacked. If you are worried that an email with a cybersecurity warning that says you need to change your password might be legitimate, the best course of action is to avoid the URL in the email and visit the website directly. If there really is an issue, the website will tell you and you can take the necessary action.</p>
<p>&nbsp;</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on <a class="ProsemirrorEditor-link" href="https://www.zdnet.com/" target="_blank" rel="noopener">zdnet.com</a> on April 21, 2022. Written by Danny Palmer, Senior Reporter.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/phishing-emails-targeting-linkedin-accounts-are-on-the-rise-heres-what-to-watch-out-for/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Hackers Sneak &#8216;More_Eggs&#8217; Malware Into Resumes Sent to Corporate Hiring Managers</title>
		<link>https://scaletotheone.com/hackers-sneak-more_eggs-malware-into-resumes-sent-to-corporate-hiring-managers/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=hackers-sneak-more_eggs-malware-into-resumes-sent-to-corporate-hiring-managers</link>
					<comments>https://scaletotheone.com/hackers-sneak-more_eggs-malware-into-resumes-sent-to-corporate-hiring-managers/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 29 Jun 2022 06:50:04 +0000</pubDate>
				<category><![CDATA[Phishing Attack]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=213</guid>

					<description><![CDATA[A new set of phishing attacks delivering the more_eggs malware has been observed striking corporate hiring managers with bogus resumes as an infection vector, a year after potential candidates looking for work on LinkedIn were lured with weaponized job offers.]]></description>
										<content:encoded><![CDATA[<p>&#8220;This year the more_eggs operation has flipped the social engineering script, targeting hiring managers with fake resumes instead of targeting jobseekers with fake job offers,&#8221; eSentire&#8217;s research and reporting lead, Keegan Keplinger, said in a <a href="https://www.esentire.com/blog/hackers-spearphish-corporate-hiring-managers-with-poisoned-resumes-infecting-them-with-the-more-eggs-malware" target="_blank" rel="noopener">statement</a>.</p>
<p>The Canadian cybersecurity company said it identified and disrupted four separate security incidents, three of which occurred at the end of March. Targeted entities include a U.S.-based aerospace company, an accounting business located in the U.K., a law firm, and a staffing agency, both based out of Canada.</p>
<p>The malware, suspected to be the handiwork of a threat actor called Golden Chickens (aka <a href="https://malpedia.caad.fkie.fraunhofer.de/actor/venom_spider" target="_blank" rel="noopener">Venom Spider</a>), is a stealthy, modular backdoor suite capable of stealing valuable information and conducting lateral movement across the compromised network.</p>
<p>&#8220;More_eggs achieves execution by passing malicious code to legitimate Windows processes and letting those Windows processes do the work for them,&#8221; Keplinger said. The goal is to use the resumes as a decoy to launch the malware and sidestep detection.</p>
<p>The role reversal in the modus operandi aside, it&#8217;s unclear what the attackers were after, since the intrusions were stopped before they could bring their plans to fruition. But it&#8217;s worth pointing out that more_eggs, once deployed, could be used as a jumping-off point for further attacks such as information theft and ransomware.</p>
<p>&#8220;The threat actors behind more_eggs use a scalable, spear-phishing approach that weaponizes expected communications, such as resumes, that match a hiring manager&#8217;s expectations or job offers, targeting hopeful candidates that match their current or past job titles,&#8221; Keplinger said.</p>
<p>&nbsp;</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on <a class="ProsemirrorEditor-link" href="http://thehackernews.com" target="_blank" rel="noopener">thehackernews.com</a> on April 21, 2022. Written by Ravie Lakshmanan.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/hackers-sneak-more_eggs-malware-into-resumes-sent-to-corporate-hiring-managers/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Some companies still fire people for getting phished. It doesn’t make them more secure.</title>
		<link>https://scaletotheone.com/some-companies-still-fire-people-for-getting-phished-it-doesnt-make-them-more-secure/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=some-companies-still-fire-people-for-getting-phished-it-doesnt-make-them-more-secure</link>
					<comments>https://scaletotheone.com/some-companies-still-fire-people-for-getting-phished-it-doesnt-make-them-more-secure/#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 22 Jun 2022 09:42:29 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://scaletotheone.com/?p=207</guid>

					<description><![CDATA[Phishing attacks are on the rise, and a small but significant slice of employers are taking a hard-line stance, disciplining or even firing employees who fall for one of these email scams.]]></description>
										<content:encoded><![CDATA[<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">A former employee at Cooley LLP, one of the largest law firms in the world, was shocked to hear during a cybersecurity training in 2017 that the company had a three-strike policy for falling for phishing attempts.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">“It was scary. I remember asking our IT guy about it, like ‘Can I really get fired?’ and he was super serious about it,” said the former employee, who spoke on the condition of anonymity to discuss internal company policies. (Grid contacted Cooley on April 11, seeking comment. A Cooley spokesperson replied after publication and denied that the firm’s “training on avoiding phishing traps” included “threats of termination,” now or in 2017. “We do not believe in instilling fear as a training tool,” the person said.)</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Security professionals say that harsh policies like this aren’t limited to any one industry — and many of these experts are baffled that the practice continues. They say the idea that setting harsh penalties can prevent employees from clicking on a deceptive, dangerous link or file is misguided. Cybercriminals’ phishing attempts have grown more sophisticated, making it harder for a worker to recognize a scam email. And imposing harsh penalties for honest blunders can decrease employees’ loyalty, undermining a company’s culture and productivity.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">“Sacking people for opening a link is vile and disgusting because it’s nobody’s fault for opening a deceptive link or download — it’s virtually impossible to stop a persistent targeted attack,” said Paul Walsh, CEO of the cybersecurity company MetaCert, which focuses on phishing.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Some companies take the shaming approach to extremes, even putting up signs in office kitchens naming employees who fall for a phishing attack, said Karen Renaud, a computer science professor at the University of Strathclyde in Scotland who studies cybersecurity behaviors. She and her colleagues published a study last year drawing on information from more than 100 people who personally experienced a cybersecurity incident at work or knew someone who had.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Renaud began studying how companies react to phishing attempts and attacks after hearing about a lawsuit in Edinburgh. A woman received an email, purportedly from her line manager, that instructed her to <a href="https://www.bbc.com/news/uk-scotland-glasgow-west-47135686" target="_blank" rel="noopener">transfer almost £200,000 to pay an invoice</a>. The woman emailed her line manager back to ask if she should proceed, and the attacker posing as her manager responded affirmatively. The woman transferred the funds. When her employer discovered what had happened, they fired her on the spot and took her to court for the money that was lost.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">“What people were telling us, it really confirmed that companies really think that shame is a tool that they can wield here,” said Renaud of the survey she and her colleagues undertook, “not actually thinking about the long-term consequences of what they’re doing.”</p>
<h3 class="heading__StyledHeading-vsy2go-0 jRmIei">A frowned-upon practice</h3>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Social engineering attacks, a category that includes phishing, seek to manipulate people to take actions that benefit the attacker — such as sending money or clicking on a link that surreptitiously installs malware. The results can be disastrous. In 2013, a phishing attack on an HVAC company <a href="https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/" target="_blank" rel="noopener">led to a massive data breach at Target</a> involving credit card and personal data from more than 100 million people. The breach began when an employee at the HVAC company, a Target contractor, clicked on a link that delivered malware.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Attackers also capitalize on events in the news. After the Colonial Pipeline ransomware attack, hackers <a href="https://www.zdnet.com/article/hackers-use-colonial-pipeline-ransomware-news-for-phishing-attack/" target="_blank" rel="noopener">sent phishing emails</a> purporting to be from cybersecurity firms encouraging clients to update their ransomware protections. Anyone who clicked the link would inadvertently download ransomware.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Phishing attacks have increased steadily in recent years, particularly during the pandemic, as many sectors transitioned to remote work. A recent <a href="https://www.tessian.com/resources/psychology-of-human-error-2022/" target="_blank" rel="noopener">survey of 2,000 workers</a> by cybersecurity firm Tessian said that 26 percent had fallen for a phishing scam at work in the past 12 months.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Grid viewed a set of training videos from the security company KnowBe4 that warn of potentially stark consequences for victims of phishing attacks. “A successful social engineering attempt could cost organizations millions of dollars in either theft, loss of production or damage to their reputation,” the videos’ narrator said in a voice-over. “What happens to the employees who fall for a social engineering attack? Well, they might get fired or have to pay for damages.”</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Firing an employee for falling for a phishing scam is not illegal. But professionals say it can undermine trust between security teams and regular employees that can be counterproductive by reducing employees’ willingness to flag potential security risks or ask questions.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">KnowBe4′s cybersecurity training options include versions with language about potential termination of employees and payment of monetary damages because some of its clients have such policies in place and need training that reflects that, said Perry Carpenter, KnowBe4′s chief evangelist and strategy officer.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">“We know that there are companies out there that have that as a policy — even when our language and people like me, that represent [KnowBe4], can say over and over and over again that this should not be a punitive type of thing,” he said.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Walsh said that approach also ignores a key question: Why aren’t security vendors doing a better job keeping such emails from reaching clients’ inboxes?</p>
<h3 class="heading__StyledHeading-vsy2go-0 jRmIei">“Draconian methods”</h3>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Organizations that attempt to increase compliance through fear and penalties will fail, said Parham Eftekhari, executive vice president at the CyberRisk Alliance, an organization for cyber professionals. “It’s absolutely not productive,” he said. Eftekhari said that developing a security-centric culture can be done only by encouraging trust between a company’s IT staff and broader workforce through continuous education, gamification of training and nonthreatening feedback.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">In some cases, such policies may be designed to meet the requirements of insurers writing policies that cover damage from cyberattacks. Insurers will often seek to deny such claims if a breach or attack was caused by human error, Carpenter said.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">“When you look at these draconian methods that some organizations use, where they try to put the employee on the hook for that, that’s for a recovery of funds,” he added.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">Gabriel Friedlander, CEO of security-training firm Wizer, said that in his experience, companies that fire employees who fall for phishing attacks aren’t limited to any one industry. He has seen both large and small companies adopt such policies and said it’s a reflection of management style.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">“Some people believe in the carrot-and-stick approach and have hard, hard policies,” said Friedlander. “It comes down to the person running the show, to be honest.”</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">That can sow distrust within companies. “Instead of the mindset of ‘It’s us against the bad guys,’ it becomes the employer against the employee, who is now the bad guy,” said Marc Dupuis, a professor of information science at the University of Washington and one of Renaud’s co-authors. “It really flips the script in a negative way that just isn’t fair and isn’t true.”</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">And employers run the risk of being sued, or held legally liable, for firing an employee over falling for a phishing scam. In these situations, Friedlander said, the victim is the person who was the subject of the attack, and firing them could be a form of retaliation.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph">“It’s like putting the victim of a car crash in jail,” he said.</p>
<p class="ArticleBody__StyledText-sc-1eiq3o0-0 dViTxy body-paragraph"><i>This article has been updated. Thanks to Lillian Barkley for copy editing this article.</i></p>
<p>&nbsp;</p>
<p data-pm-slice="1 1 []"><em>This article was originally published on <a class="ProsemirrorEditor-link" href="https://grid.news/" target="_blank" rel="noopener">grid.news</a> on April 19, 2022. Written by Benjamin Powers.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://scaletotheone.com/some-companies-still-fire-people-for-getting-phished-it-doesnt-make-them-more-secure/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
