Wombat Security has released its fourth annual State of the Phish report (registration required).
· The most successful phishing attacks are now consumer-focused instead of business-focused. The merging of business and personal email accounts is a major threat to corporate security.
· IT professionals need to enforce segregation of personal and business email. Doing so can greatly reduce the risk of a successful phishing attack.
The kinds of bait to watch out for
Wombat breaks phishing messages into four categories:
· Consumer: The types of phishing messages the average person gets. E.g., fake social network notifications, account compromise spoofs, frequent flyer miles, photo tagging, etc.
· Corporate: These try to mimic official communications, such as invoices, HR messages, email quarantine messages, benefit enrolment messages, etc.
· Commercial: Business-related phishing that is not organization specific. These include shipment notifications, wire transfer requests, etc.
· Cloud: Fake notifications that trick users into downloading files from a public cloud site, editing a cloud-hosted document, etc.
Looking forward into 2018, it’s important for infosec professionals and IT teams to ensure users aren’t being casual in their use of business email accounts. Managed email should only be used for business purposes, and personal accounts and messages should be strictly separated. IT teams should also encourage users to access personal email only on personal devices, such as smartphones, to reduce the risk of consumer phishing to business networks.
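One way an IT team can check whether the business/personal separation recommended above is actually holding is to look at outbound mail from the managed domain to consumer webmail domains. The script below is an added example, not code from Wombat or from the report; the log format, the corporate domain `corp.example`, the consumer webmail list and the sample log lines are all constructed for illustration. It flags corporate senders who repeatedly mail consumer addresses, who mail an address that looks like their own name, or who forward corporate subjects outward, which are the patterns a merged account tends to produce.

```python
import re
from collections import defaultdict

# Constructed sample of mail-gateway log lines in a hypothetical format
# (timestamp, envelope sender, recipient, subject). Not taken from the report.
SAMPLE_LOG = """\
2018-01-08T09:12:03Z from=alice@corp.example to=bob@corp.example subj="Q1 invoice"
2018-01-08T09:14:40Z from=alice@corp.example to=alice.smith@gmail.example subj="Fwd: Q1 invoice"
2018-01-08T10:02:11Z from=alice@corp.example to=alice.smith@gmail.example subj="Fwd: benefits enrolment"
2018-01-08T10:30:00Z from=carol@corp.example to=vendor@supplier.example subj="PO 4411"
2018-01-08T11:05:27Z from=dave@corp.example to=dave@outlook.example subj="Fwd: HR policy update"
2018-01-08T11:45:09Z from=carol@corp.example to=friend@yahoo.example subj="lunch?"
"""

CORPORATE_DOMAIN = "corp.example"  # assumed managed domain
CONSUMER_WEBMAIL = {"gmail.example", "outlook.example", "yahoo.example"}  # assumed list

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) subj="(?P<subj>[^"]*)"$'
)


def parse_log(text):
    """Parse the hypothetical log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def _local_and_domain(address):
    local, _, domain = address.lower().rpartition("@")
    return local, domain


def _same_person(corp_local, personal_local):
    """Heuristic: 'alice' vs 'alice.smith' counts as the same person once
    dots, digits, underscores and dashes are stripped from both local parts."""
    def norm(s):
        return re.sub(r"[.\d_-]", "", s)
    a, b = norm(corp_local), norm(personal_local)
    return bool(a) and bool(b) and (a in b or b in a)


def flag_personal_webmail_use(records, min_messages=2):
    """Return {corporate sender: finding} for senders whose outbound mail to
    consumer webmail domains suggests a merged business/personal account."""
    by_sender = defaultdict(list)
    for r in records:
        _, s_domain = _local_and_domain(r["from"])
        _, t_domain = _local_and_domain(r["to"])
        if s_domain == CORPORATE_DOMAIN and t_domain in CONSUMER_WEBMAIL:
            by_sender[r["from"].lower()].append(r)

    findings = {}
    for sender, msgs in by_sender.items():
        s_local, _ = _local_and_domain(sender)
        reasons = set()
        if len(msgs) >= min_messages:
            reasons.add("volume")  # repeated mail to consumer webmail
        for r in msgs:
            t_local, _ = _local_and_domain(r["to"])
            if _same_person(s_local, t_local):
                reasons.add("same-person-address")  # likely mailing themselves
            if r["subj"].lower().startswith(("fwd:", "fw:")):
                reasons.add("forwarded-subject")  # corporate content leaving
        if reasons:
            findings[sender] = {
                "messages": len(msgs),
                "recipients": sorted({r["to"].lower() for r in msgs}),
                "reasons": sorted(reasons),
            }
    return findings


if __name__ == "__main__":
    for sender, finding in flag_personal_webmail_use(parse_log(SAMPLE_LOG)).items():
        print(sender, finding)
```

On the constructed sample, alice and dave are flagged (alice for volume, a matching personal address and forwarded subjects; dave for the matching address and a forwarded subject), while carol's single lunch invitation to a friend is not. The thresholds and the local-part heuristic are deliberately simple; in practice the consumer domain list and `min_messages` would be tuned to the organisation's own traffic before anyone acts on a finding.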