Sounds phishy? Be mindful #BeRemoteReady

News   •   Apr 07, 2020 21:28 BST

Phishing attacks aren’t going away, and this fact, combined with a significant increase in people working from home, means that employers and employees need to be more mindful than ever.

The risk can increase for employees who work in a high-pressure environment, as they may find it more difficult to distinguish between a genuine communication from a colleague or third party and a phishing scam.

For the most part, employees will be vigilant about how they’re using their work devices from home and will be wary of messages or emails that ask them to click on a link or share sensitive information, but there is still a small chance that they could be caught out by emails – particularly those that claim to include important announcements or messages from the government or other authoritative sources.

In our latest research, we analysed 1,300 phishing campaigns from our phishing simulation service, Piranha, which is used to help our customers learn more about phishing attempts.

The 360,000 emails analysed contained a fake link where users were asked to submit their credentials.

Some of the main findings included:

  • Charities, IT services, and local public sector had the highest click rate
  • Retail, health, and financial services had the lowest click rate
  • After clicking through, half of all targets were likely to supply credentials, regardless of sector

Apart from the surprising finding that users from IT services had a high click rate, our research showed that phishing attempts are becoming more sophisticated, and highlighted that they are not so easy to spot.

It reminds us of the importance of being mindful, continuously educating users about how they might be targeted by threat actors, and building remote-ready, cyber-resilient organisations – especially in these uncertain times.

To ensure that your workforce remains resilient, it’s important to:

  • Implement controls such as two-factor or multi-factor authentication
  • Detect account misuse through monitoring and analytics
  • Detect and block campaigns via controls, operations and end-user reporting
  • Encourage employees to be wary of emails from organisations or individuals that may seem out of the ordinary, and ask them to check the sender or confirm any requests by phone

If you’d like to find out more about what we uncovered in our latest research, head over to our technical blog here.

And if you’d like some further insight into how you and your workforce can #BeRemoteReady, head over to the Q&A that we did with our own CISO, Dominic Beecher.