CLEARWATER, Fla. (Press Release – December 19, 2011) – Internet Security Awareness Training (ISAT) firm KnowBe4 is alerting small and medium enterprises (SMEs) to yet another emerging security threat – cybercriminals are baiting employees into clicking phishing links through phony social media posts. Some are using email spoofing to send fake Twitter and Facebook notifications to recipients, while others are sending direct messages from legitimate user accounts that have been hacked. In both instances, the sender posts a short note with a phishing link.
“Given America’s widespread participation in social media, SMEs can assume that most employees have either a Twitter or Facebook account, or both,” noted Stu Sjouwerman (pronounced “shower-man”), founder and CEO of KnowBe4. “The perpetrators of this latest phishing scam are counting on users’ curiosity and trust in their social networks. The cybercriminals send a brief note – something along the lines of ‘I Googled your name and found this’ or ‘This photo of you is hysterical’ – followed by a link. Using a common link shortener, such as bit.ly, the sender is able to mask the identity of the website the link is directing to. Many recipients let their guard down and click the link if it appears to be sent by someone they know. However, these malicious links will often initiate a malware download or prompt the user to enter their personal login information; and in that instant, the company’s network is compromised.”
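The two tells described above (a notification that claims to be from Twitter or Facebook but is sent from some other domain, and a shortener link whose real destination is hidden) can both be checked by a mail filter before a user ever sees the message. The following is an added example written for this page, not KnowBe4's code or tooling; the shortener host list, the brand-to-domain map and the sample message are constructed assumptions, and the shortener is expanded by reading the redirect's Location header rather than loading the landing page.

```python
"""Flag spoofed social-network notification mail and expose where shortened links go.

Added example for this page, not KnowBe4's code. The host lists, domain map and
sample message are constructed assumptions used to demonstrate the technique.
"""
import re
import urllib.error
import urllib.request
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: hosts of common link shorteners (the page names bit.ly; the rest are assumptions).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}

# Assumed: brands the spoofed notifications impersonate and the domains they really send from.
BRAND_DOMAINS = {
    "twitter": {"twitter.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(text):
    """Return every http(s) URL found in a message body."""
    return URL_RE.findall(text)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def sender_brand_mismatch(from_header):
    """Return the brand name if the display name claims a brand but the address domain is not that brand's."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in name.lower() and not legit:
            return brand
    return None


def expand_short_link(url, fetch_location, max_hops=5):
    """Walk a shortener's redirect chain without rendering any page.

    fetch_location(url) must return the Location header of a HEAD request, or None.
    The chain ends at the first URL that does not redirect, or after max_hops.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if not nxt:
            break
        chain.append(nxt)
    return chain


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn a 3xx into an HTTPError so the Location header is read but never followed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch_location(url):
    """Live resolver: one HEAD request, redirect not followed (needs network; not used by the demo)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.headers.get("Location")
    except urllib.error.URLError:
        return None


def analyse_message(raw, fetch_location):
    """Return human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    brand = sender_brand_mismatch(msg.get("From", ""))
    if brand:
        findings.append(f"display name claims {brand} but sender domain does not match")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in extract_links(body):
        if host_of(url) in SHORTENER_HOSTS:
            chain = expand_short_link(url, fetch_location)
            findings.append(f"shortened link {url} resolves to {chain[-1]}")
    return findings


# Constructed sample: a spoofed "Twitter" notification with a shortened link (not real data).
SAMPLE_MAIL = """From: Twitter <notify@twitter-alerts.example>
To: employee@example.com
Subject: This photo of you is hysterical

I Googled your name and found this: http://bit.ly/abc123
"""

# Constructed offline stand-in for the shortener's redirect (hypothetical hosts).
FAKE_REDIRECTS = {"http://bit.ly/abc123": "http://login-twitter.example/verify"}


def fake_fetch_location(url):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_MAIL, fake_fetch_location):
        print(finding)
```

Swap `fake_fetch_location` for `http_fetch_location` to expand real shortener links; because the resolver only issues HEAD requests and refuses to follow redirects, the filter learns the final destination without executing anything the landing page serves.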
A recent Wall Street Journal article emphasized that employees are a company’s greatest security risk, citing the results of KnowBe4’s own phishing experiment. KnowBe4 found that employees at 43% of companies clicked the link in a simulated phishing email sent from a reputable and trusted server. Even when the email was sent from an unknown and untrusted server, 15% of organizations still had one or more employees who clicked.
When analyzing the results by business sector, KnowBe4 discovered an alarming fact – some of the most Phish-prone industries happen to be those likely to store users’ personal and financial information on their networks. In each of the following industries, approximately 1 in 5 companies had at least one employee who clicked on KnowBe4’s simulated phishing email: financial services (22.69%), government services (21.23%), insurance (18.37%) and healthcare (17.99%).
“Many SMEs don’t realize just how susceptible their employees are to phishing attacks, or they think their existing security measures are sufficient to handle external threats. But the fact is that security breaches can and do happen every day, and the consequences can be devastating to a company’s reputation and finances,” warned Sjouwerman. “If your employees have access to the Internet, security awareness training will arm them against cybercriminals’ cunning attacks. Our system trains users to identify and avoid phishing scams like email spoofing and fake Twitter posts. Based on our clients’ results, we found that employees’ Phish-prone percentage dropped 75% after the first training session, and shrank to near 0% after two months of further testing and training.”
KnowBe4 offers several complimentary tools to SMEs, including a free phishing security test to identify the Phish-prone percentage of a company’s workforce, as well as a free email exposure check (EEC) to reveal a company’s “attack footprint” in terms of its publicly available email addresses. KnowBe4 sends regular EEC updates to all customers, and will provide a complimentary one-time EEC service to any company that requests it.
For more information on KnowBe4’s Internet Security Awareness Training (ISAT) programs, or to request a free email exposure check (EEC) or phishing security test, visit http://www.knowbe4.com.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He and his colleagues work with companies in many different industries, including highly regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books; his latest is Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.