This article dives into social engineering and what we discussed in last week’s lecture. It shows how most companies underestimate how effective social engineering can still be, despite excessive training. Markus Jakobsson, Chief Scientist at Agari, said it best: “What I am continuously surprised by is that people believe you can teach end-users to watch out.
Because my experience is that you can teach people about one particular attack but when the attack changes just a little bit they will be absolutely unaware of this being an attack. I am not saying people are dumb; I’m saying this is a complex topic.”
The article continues by pointing out that many credit unions do not have any defenses against these types of email phishing attacks. It states that the top five credit unions in the U.S. have no active protection against email attacks that use identity deception (e.g. spoofs, look-alike domains, display name deception): three have adopted Domain-based Message Authentication, Reporting and Conformance (DMARC), an email authentication protocol, but haven’t fully implemented it (no quarantine or reject policy in place), and two haven’t yet adopted DMARC at all.
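The three states the article distinguishes (no DMARC, DMARC published without a quarantine or reject policy, and DMARC enforced) can be read directly from a domain's `_dmarc` TXT record. The following is an added example, not code from the article: the domains and records are constructed placeholders, the category labels are this example's own, and it parses record strings without performing any DNS lookup.

```python
# Constructed sample data: TXT records as they might be published at
# _dmarc.<domain>. The domains are placeholders, not real institutions.
SAMPLE_TXT = {
    "cu-one.example": ["v=DMARC1; p=none; rua=mailto:dmarc@cu-one.example"],
    "cu-two.example": ["v=spf1 -all"],  # SPF only, no DMARC record
    "cu-three.example": ["v=DMARC1; p=quarantine; pct=25"],
    "cu-four.example": ["v=DMARC1; p=reject"],
}


def parse_dmarc(txt):
    """Return the tag/value dict of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    pairs = [p.partition("=") for p in parts]
    # RFC 7489: the first tag must be v and its value must be exactly DMARC1.
    if not pairs or pairs[0][0].strip().lower() != "v" or pairs[0][2].strip() != "DMARC1":
        return None
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}


def classify(txt_records):
    """Map the TXT records found at _dmarc.<domain> to an enforcement state."""
    dmarc = [t for t in map(parse_dmarc, txt_records) if t is not None]
    # Zero records means DMARC is not adopted; receivers also apply no
    # DMARC policy when more than one record is published.
    if len(dmarc) != 1:
        return "not adopted"
    policy = dmarc[0].get("p", "").lower()
    # p=none only requests reports; a missing or unrecognized p gives
    # receivers nothing to enforce either.
    if policy not in ("quarantine", "reject"):
        return "adopted, not enforced"
    # pct limits the share of failing mail the policy applies to (default 100).
    pct = dmarc[0].get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    return "enforced" if pct >= 100 else "partially enforced"


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(f"{domain:20} {classify(records)}")
```
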