Phishing: Why remote working is making it harder for you to spot phoney emails

The threat of phishing and other email attacks continues to rise - so why aren't businesses training employees to recognise attacks?
Written by Danny Palmer, Senior Writer

The number of phishing attacks and other email-based cyber-criminal campaigns continues to rise, with most organisations having witnessed an increase over the past year – but despite this, under half of businesses provide awareness training about cyber threats on a frequent basis.

Phishing attacks continue to pose problems for businesses around the world and, according to The State of Email Security 2020 report from cybersecurity company Mimecast, 60% of organisations believe it's inevitable that they'll fall victim to an email-based attack over the course of the next year.

This could range from simple phishing, where an employee could be tricked into opening a malicious attachment or clicking on a bad link, to business email compromise  (BEC), where attackers impersonate execs to eventually make off with large payments as a result of fraudulent financial transfers.

SEE: Information security policy (TechRepublic Premium)

According to Mimecast, impersonation fraud jumped by almost a third during the first 100 days of the coronavirus pandemic, as cyber criminals looked to take advantage of how many people are suddenly working remotely.

In an office, it would be relatively simple to check if a colleague had sent a request for a business bank transfer by walking over and asking if they'd sent the message – but with people suddenly working from home, making those checks isn't so simple.

This means that they are more susceptible to impersonation attacks that encourage individuals to perform an action such as carrying out wire transfer or sharing sensitive data.

"Whereas beforehand individuals had the ability to check via other means when uncertain about something – e.g. a face-to-face conversation in the office – now there is certainly an argument that people have become so inclined to communicating via email that they don't realise to check with colleagues via other channels," Kiri Addison, head of data science for threat intelligence and overwatch at Mimecast, told ZDNet.

That failure, combined with people working outside the company network and often with their own laptops and computers – which might not be subject to stringent security measures, means attackers are looking to take advantage.

SEE: This new ransomware is targeting Windows and Linux PCs with a 'unique' attack

But despite the known threat posed by phishing and other email attacks, over half of organisations – 55% – don't provide any sort of email security training on a frequent basis. That's something that could be leaving the network and the people who use it vulnerable to cyberattacks – and organisations must ensure that people are properly informed about online risks.

"Regular awareness training based on current threats is a must. By educating staff from the board level down, security decision makers can ensure that employees can spot suspicious activity when it occurs, understand the risk of the malicious activity and manage their company-issued devices appropriately," said Addison.


Editorial standards