Although medium and large-sized organizations has taken proactive measures to train their employees on how to detect and protect themselves against phishing and spear-phishing scams, the article points out that they are still vulnerable. It reports that 41% of organizations survey have lost sensitive information on employee’s computers, and 24% have lost sensitive data from corporate network. It points out that the best way to mitigate phishing attacks is through employee training. It also provided a really good example of how social media can be used for reconnaissance to craft a sophisticated spear phishing attack against a victim.
The main points of this article is to ensure that your employees are trained and aware of phishing attacks, make yourself a harder target by reducing your digital footprint, or be careful of what you post online.
Article: http://www.darkreading.com/partner-perspectives/malwarebytes/phishing-threat-continues-to-loom-large/a/d-id/1327370?
My company obviously seems phishing as a huge concern, as they provide trainings on it. One of the methods they use in order to bring more awareness to the issue, is that they will test us by using phishing links. For example, the cyber team will send us an email claiming that we have just received a request for an invitation by somebody on Linkedin. There will be a link in the email supposedly to accept the request. After clicking it, it will navigate to a different page explaining the dangers of phishing attempts. Its a very interesting training method which is working.
Our company does the same thing Ahmed and it is very effective. We have seen the click rates on these phishing simulations decline significantly over the past several rounds of these exercises. We also have effective phishing take down capabilities that help to identify fake sites impersonating our company and trying to trick our customers.
These are strong controls but the battle continues as these phishing attacks and user errors still persist.