Cybersecurity

Phishers think new employees are easy targets. Here’s how to prove them wrong

Cloudflare says suspicious links are the biggest email threat.

Francis Scialabba

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Want to avoid making a rookie mistake on your first day at a new job? For one, don’t microwave fish in the office. Secondly, avoid clicking that link from your new CEO offering a $500 Amazon gift card as a hiring bonus.

Email is the “most exploited business function” and the “primary initial attack vector for cybersecurity incidents,” according to Cloudflare’s Phishing Threats report, released Tuesday, Aug. 15.

Deceptive links, such as dangerous attachments and messages impersonating a brand you might expect to interact with, far outpaced other methods of entrapment in email phishing scams, the report found. Such links represented more than one-third of all threat indicators Cloudflare analyzed across 13 billion messages in the last year.

Phishing “continues to be the No. 1 IT security problem,” Cloudflare CEO Matthew Prince told IT Brew. “And it’s not because the phishers are standing still. They’re doing more and more to create smarter versions of the threats.”

New employees are particularly vulnerable to clicking links or otherwise engaging with phishing attempts because their devices may not be properly configured yet and they’re likely to be distracted, Prince said.

“Starting a new job sucks. It’s incredibly stressful. You feel like you have to learn a ton of things,” Prince said. “When people are anxious, it’s one of the most effective times when attackers can take advantage of people.”

It’s also becoming cheaper and easier for bad actors to engineer targeted attacks that leverage those “personal news” announcements on LinkedIn, and use that information to find an individual in their new job, he said.

“Those are the sorts of attacks that we used to see five, ten years ago, just from nation state actors where they would have very targeted attacks going after some particular individual,” Prince said, noting that journalists and human rights workers were typically on the receiving end. “That sophistication has become, effectively, commoditized.”

Companies can help employees evade phishing attempts by implementing a zero-trust security strategy, which assumes that messages even from seemingly trusted senders could be compromised. Fostering a “paranoid, blame-free culture” is another important building block, Prince said.

“That means acknowledging people are going to make mistakes. And when they do, they shouldn’t get in trouble for making it and they should be encouraged to report it,” he said. “The vast majority of things that get reported to our own team turned out not to be threats at all, but you want to be able to do that. You want to actually encourage that…I think that’s how you create a very healthy security environment across your organization.”
