IT Security Dec 7, 2020

The weak link – Increasing employee awareness of malware.

Companies are increasingly being targeted by sophisticated phishing attacks in which users receive legitimate-looking e-mails or land on authentic-looking websites and are persuaded to hand over credentials or other sensitive information, opening the corporate network up to attack. The result? Encrypted data and a ransom demand.


Udo Stiefvater
Managing Director

How can we protect ourselves?

While technical measures and a workable security strategy are absolutely necessary, raising user awareness of the dangers is the most important link in the security chain. It is not enough, however, to have employees sit through a one-off training. To create a culture of security, training has to be continuous and refreshed as regularly as software updates and patches are rolled out.

Repeated phishing simulations combined with targeted e-learning have proven very effective at raising awareness. Working with our partner, KnowBe4, we have set up a convenient web platform with over 1,000 interactive modules and videos in 35 languages, some produced in the style of the series we all know from our favourite streaming services. It also contains a comprehensive template library for phishing simulations. If you would like to learn more, simply get in touch!


Types of phishing attacks.

Classic phishing.

The granddaddy of phishing attacks sees huge volumes of identical e-mails sent to a large number of people. We all know the story: a wealthy businessman urgently needs our help to transfer a large sum of money. These kinds of phishing e-mails used to be very easy to spot, but today they are much more sophisticated in language and design and tend to reference current topics, e.g. the coronavirus pandemic.

Spear phishing.

Spear phishing attacks target specific people and organisations. The attacker first gathers freely accessible information, for example from social media platforms, and uses it to craft an e-mail that looks legitimate to that particular victim. If, for example, the victim has posted on social media that they are attending an event, the phishing e-mail could appear to come from the event organiser and carry a malicious attachment.

Dynamite phishing.

As with spear phishing, dynamite phishing targets people based on previously collected information, but here the information comes from inside the company, harvested by malware that has already made its way onto the network. The malware reads contact lists and e-mail content over a long period before suddenly sending out a mass of perfectly tailored phishing e-mails within a very short space of time. In contrast to spear phishing, this is done automatically. The recipients receive e-mails that appear to come from people they were recently in contact with, on subjects they were actually discussing, when in fact the sender address is forged and the reply leads to the attacker.
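The tell-tale signs of such a mail can be checked mechanically: a known contact's display name paired with an address that contact has never used, a Reply-To pointing somewhere else, a "reply" to an existing thread from an unknown address, and a macro-capable attachment. The following is an added illustration written for this article, not KnowBe4's or the author's tooling; the address book, the two messages and the list of risky file types are constructed for the example, and a real deployment would take the address book from the mail server's sent-items history.

```python
"""Heuristic checks for spoofed reply-chain mails of the kind dynamite phishing produces.

Added example for this article; it is not KnowBe4's or the author's tooling.
The address book and the two messages below are constructed for the example.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed address book: display name -> addresses this contact is known to use.
KNOWN_CONTACTS = {
    "Anna Mueller": {"anna.mueller@example-partner.com"},
    "Bob Lee": {"bob.lee@example-corp.com"},
}

# File types that commonly carry the payload (macro documents, scripts, archives, executables).
RISKY_SUFFIXES = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".iso",
                  ".js", ".vbs", ".lnk", ".exe", ".scr", ".hta")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw, known_contacts=KNOWN_CONTACTS):
    """Return the reasons a raw RFC 5322 message looks like a spoofed reply-chain mail (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    known_addrs = {a.lower() for addrs in known_contacts.values() for a in addrs}

    # 1. A known contact's display name, but an address that contact has never used.
    legit = known_contacts.get(from_name)
    if legit is not None and from_addr not in {a.lower() for a in legit}:
        reasons.append(f"display name '{from_name}' used with unknown address {from_addr}")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(from_addr):
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(from_addr)}")

    # 3. Presented as a reply to an existing thread, yet the sender address is unknown.
    subject = msg.get("Subject", "")
    looks_like_reply = subject.lower().startswith("re:") or msg.get("In-Reply-To") is not None
    if looks_like_reply and from_addr not in known_addrs:
        reasons.append(f"reply to an existing thread from unknown address {from_addr}")

    # 4. Attachment of a type that typically carries the malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_SUFFIXES):
            reasons.append(f"risky attachment {name}")
    return reasons


# Constructed legitimate reply from Anna's real address, no attachment.
LEGIT = (
    "From: Anna Mueller <anna.mueller@example-partner.com>\n"
    "To: Bob Lee <bob.lee@example-corp.com>\n"
    "Subject: Re: Q4 budget figures\n"
    "In-Reply-To: <20201201.1234@example-corp.com>\n"
    "\n"
    "Hi Bob, the figures are fine from our side.\n"
)

# Constructed dynamite-phishing mail: Anna's name and a genuine subject line, but a fresh
# sender address, a Reply-To elsewhere and a macro-capable document attached.
SPOOFED = (
    "From: Anna Mueller <anna.mueller@mail-secure-example.net>\n"
    "Reply-To: Anna Mueller <invoices@other-example.org>\n"
    "To: Bob Lee <bob.lee@example-corp.com>\n"
    "Subject: Re: Q4 budget figures\n"
    "In-Reply-To: <20201201.1234@example-corp.com>\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Hi Bob, as discussed, the updated figures are attached.\n"
    "--b1\n"
    'Content-Type: application/msword; name="budget_figures.doc"\n'
    'Content-Disposition: attachment; filename="budget_figures.doc"\n'
    "\n"
    "<document bytes omitted in this constructed sample>\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT), ("spoofed", SPOOFED)):
        print(label, check_message(raw) or ["no findings"])
```

None of these checks is proof on its own (people do change e-mail providers, and Reply-To has legitimate uses), which is why the function returns the list of reasons rather than a verdict: a mail that trips several of them at once is the one worth holding back or sending to the user with a warning banner.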

Vishing (a.k.a. voice or phone phishing).

Here the attack happens over the phone. The caller assumes a false identity, e.g. a senior manager at the company or an official from the tax office, and spins a story to pressure the victim into taking a particular action or sharing information. This becomes particularly dangerous when deepfakes are used to imitate the voice of a real person. The simple defence is to never act on such a call directly: hang up and call the person back on a number you already know.