Posted by Tom Foremski - March 24, 2016
The challenge of protecting the enterprise from simple email phishing scams.
There’s no need for advanced black-hat techniques to get at sensitive corporate data if you can talk someone into handing you a copy of the staff directory, as more than 21,000 employees of the Sprouts supermarket chain found out recently. All of them had their Social Security numbers and other personal details exposed after an employee in the payroll department responded to an email that appeared to come from a senior executive asking for a copy of every employee’s W-2.
The Sprouts employees now face years of anxiety: the criminals holding their taxpayer identities can wait patiently before using or reselling the stolen data.
Doug Olenick at SC Magazine reports that many other companies have fallen for the same trick:
Sprouts joins Seagate, Snapchat and several other high profile firms that have been hit with a similar attack. Security executives all pointed out the difficulty of preventing socially engineered phishing attacks…
At first glance there seems to be no technical solution to such socially engineered data breaches beyond educating staff about the technique. Even then, phishing has become a lot more sophisticated, making it harder to distinguish a scam from a genuine request.
Here are the views of two security experts:
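There is more technical room than that first glance suggests. The W-2 request worked because the message merely looked like it came from an executive; mail gateways can test that appearance before a human has to. The script below is an added example written for this article, not code from Sprouts, SC Magazine or either expert quoted here. It checks an inbound message for the usual marks of executive impersonation (a display name borrowed from the directory but a foreign address, a lookalike sender domain, a Reply-To that drags the conversation off-domain) and holds the message for verification only when one of those identity signals coincides with a request about payroll data. The company domain, executive directory and the two sample messages are constructed for illustration.

```python
"""Hold inbound mail that impersonates an executive to request payroll or PII.

Added example for this article; not code from the companies or experts it quotes.
The domain, executive directory and sample messages are constructed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical internal domain and directory of executives (normalised name -> real address).
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "raj patel": "raj.patel@example-corp.com",
}
# Terms that mark a request as touching payroll data, PII or money (matched case-insensitively).
SENSITIVE_TERMS = ("w-2", "w2", "w-2s", "payroll", "social security", "wire transfer")


def _normalize_name(name: str) -> str:
    return " ".join(name.lower().replace(",", " ").split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot lookalike domains (.co for .com, swapped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts of a message (the whole body for a single-part message)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message: str) -> dict:
    """Return {'verdict': 'hold' | 'deliver', 'reasons': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reasons = []

    # 1. The display name belongs to an executive, but the address is not that executive's.
    real_addr = EXECUTIVES.get(_normalize_name(from_name))
    if real_addr and from_addr.lower() != real_addr:
        reasons.append(f"display name '{from_name}' is an executive, but the address is {from_addr}")

    # 2. The sender domain is a near-miss of the real one.
    if from_domain and from_domain != INTERNAL_DOMAIN and _edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_domain} is a lookalike of {INTERNAL_DOMAIN}")

    # 3. Reply-To moves the conversation to a domain other than the one the mail claims to come from.
    reply_to = [addr for _, addr in getaddresses(msg.get_all("Reply-To", []))]
    off_domain = [r for r in reply_to if _domain(r) != from_domain]
    if off_domain:
        reasons.append("Reply-To leaves the sender's domain: " + ", ".join(off_domain))

    # 4. The request itself concerns payroll data, PII or money.
    text = f"{msg.get('Subject', '')}\n{_plain_text(msg)}".lower()
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if hits:
        reasons.append("sensitive request terms: " + ", ".join(hits))

    # Hold only when an identity signal (1-3) coincides with a sensitive request (4);
    # a genuine executive asking about payroll is delivered, as is a spoof about lunch.
    identity_flags = len(reasons) - (1 if hits else 0)
    verdict = "hold" if hits and identity_flags else "deliver"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages: a W-2 request from a lookalike domain, and a routine internal mail.
SPOOF = """\
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: Jane Doe <ceo.jane.doe@webmail-example.test>
To: payroll@example-corp.com
Subject: Urgent: W-2 copies for all staff

Please send the 2015 W-2s for every employee as a single PDF before noon.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Town hall slides

Attached are the slides for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoof", SPOOF), ("legit", LEGIT)):
        result = analyse(sample)
        print(label, result["verdict"], *result["reasons"], sep="\n  ")
```

The point of the final rule is the one Sander makes below: the check sits where the request meets the data, not in the employee's head. A held message is routed to a second person or confirmed by phone against the directory number, never by replying to the mail. The heuristics are deliberately conservative (edit distance of two or less, exact-name match); a production gateway would also consult SPF, DKIM and DMARC results, which this offline example cannot.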
Jonathan Sander, vice president at Lieberman Software:
"You will never stop phishing, nor will you make perfect humans who are never fooled by bad guys in some way. What you can do is say that when systems are asked to give people extraordinary privilege to access sensitive information, those systems should be made smart enough to put a check on that power.”
Brad Bussie, director of product management at STEALTHbits Technologies:
“As a best practice, personally identifiable information should never be transmitted in an unencrypted format. You want to ensure the integrity and confidentiality of the data related to employees at all times.”
Bussie warns that Sprouts employees will likely face years of problems from the “Dark Web.”
"Studies show that the dark web will often light up initially when a company has been compromised, but will then go dormant for a year or more. You will then see a massive resurgence of global hackers buying leaked data under the assumption that a year of scrutiny has expired and they can get to work capitalizing on the stolen information."
The IRS recently reported a 400% jump in phishing and malware disguised as its own official communications. It estimates tax fraud will reach a record $21 billion in 2016, compared with $6 billion in 2014.
Digital data plus online tax returns enable criminals to commit fraud on a national scale, rather than one forged paper return at a time.