Your social network profiles are like catnip to cyber crooks

Spear phishing scammers are using photos of adorable kittens -- and information scraped from your Facebook profile -- to target you.


Image: cute kittens (credit: flickr/London Looks)

Could you say no to these adorable kittens? Apparently, you’re not alone. Nearly half of all people who receive an email containing an image of a cute cat will automatically open it, according to security training firm PhishMe. But behind those fallacious felines lies danger – or at least, the potential for it.

The Wall Street Journal’s Geoffrey A. Fowler has a fascinating story today about how companies are using faux phishing attacks – including links to bogus cat videos – to teach employees how to handle real ones. Per Fowler:

Many big network breaches begin not with brainy hacker code but with workers who are tricked by so-called social engineering, which manipulates people into revealing sensitive information. So companies are trying to get workers to act badly before the bad guys do.

Interestingly, last week I interviewed the CEO of a company that does just that. Stu Sjouwerman is CEO of KnowBe4, which trains employees at mostly small and medium-size businesses to detect cyber attacks before they do any damage. Sjouwerman knows of what he speaks; he’s the founder of security software firm Sunbelt Software (now called ThreatTrack Security).

For months, Sjouwerman worked with famed hacker-turned-journalist Kevin Mitnick to devise phishing tricks that would fool all but the savviest users. He then sends these bogus emails to employees using a fake return address, and notes which ones take the bait.

Sjouwerman’s tests are tough. They’ll sometimes look like they came from the company’s HR department and contain information about employee benefits. But when employees click the link inside the message, they'll see something that looks like this:

Typically 20 to 30 percent of users automatically click on links and attachments in his test emails, says Sjouwerman. Those “phish-prone” users are the ones companies need to focus on training. KnowBe4 charges $15 to $20 per user annually to teach them how not to become victims. He says that after a few weeks of training, the rate of people who reflexively click on potential phishing links drops by 70 to 80 percent.
