An audit at the Federal Housing Finance Agency found that more than one third of the employees subjected to a simulated phishing attack failed to follow the agency's response protocols; the audit also identified a number of other vulnerabilities at the agency's network perimeter.
According to the audit, just three of the 50 employees tested reported the suspicious emails to their superiors.
Corin Imai, Sr. Security Advisor at DomainTools, commented:
“Although the sample size taking part in this audit isn’t big enough to generalise the findings to an overall trend, it is enough to show that organisations – even those that invest in auditing – are still exposed. As the adversary becomes more sophisticated and the speed of day-to-day business continues to increase, fooling an employee becomes easier.
Educating the workforce on what to look for in a phishing email and the proper steps for internal communication if a malicious link is clicked on is paramount to organisations. Additionally, regular audits should be adopted in order to assess their risks and implement the appropriate defensive measures. This is particularly relevant for financial organisations, where the data stored could have serious implications for both individuals and businesses.”
Tim Sadler, CEO and Co-founder at Tessian, commented:
“The number of global phishing attacks increased quarter-on-quarter last year. The finance sector was targeted most frequently with more than a third of all phishing attacks in Q3 being directed at banks, payment systems and e-commerce businesses as BEC (business email compromise) scams increased in popularity among attackers.
However, the recent audit at the Federal Housing Finance Agency (FHFA) suggests that many workers in the sector remain unaware of the risks of phishing. Although end user phishing email training is an important exercise for increasing awareness and vigilance among employees – particularly for those that manage and control company funds and are more likely to be targeted – malicious actors will always strive to exploit and profit from human error as long as it is vulnerable and unprotected.
The only true way of protecting finance workers and company funds is to apply a machine intelligent solution that comprehensively and automatically prevents attacks by analysing the context and content of inbound emails. This eradicates the issue of human error and vulnerability.”