The threat of email phishing – masquerading as a trustworthy source in an attempt to obtain sensitive information – has grown with the popularity of social media sites like Facebook and LinkedIn. With these sites, attackers have access to more information than ever and it’s easier for them to target specific individuals at organizations.
In the most recent phishing attack, targeted individuals were sent an email that appeared to be an invitation to connect on LinkedIn. The link was actually to a server based in Russia, which installed the Zeus2 Trojan on the individual’s computer. This malware was designed to transmit stolen data – no doubt including sensitive corporate information – to a server in China.
Although social media provides new ways for companies to promote their brand and products and connect with customers, these opportunities come with unique, constantly evolving risks. Those sharing information on social media sites often consider the data innocuous, which increases the difficulty of mitigating the risks.
Organizations can, however, reduce the risk of successful attacks via social media by:
- Create policies for the appropriate use of social media.
- Conduct a social media risk assessment to fully understand the risks of both professional and personal use of social media by employees.
- Perform social engineering testing – in which testers attempt to access sensitive information from personnel via phone and email – to assess how employees would respond to an attack. The results will reveal the organization’s strengths and weaknesses and provide a unique tool for training personnel.
- Provide ongoing user training that addresses phishing and other such threats.
Social media use will continue to grow. By being proactive, organizations can manage social media’s evolving risks and reduce the chance of receiving the wrong type of media coverage.
For more information, please contact Raj Chaudhary at 312.899.7008 or [email protected].