WARNING: Fake Facebook Messages Serve As Phish Bait

Employees of 43 percent of companies that received a simulated phishing email with fake Facebook or Twitter updates from a reputable and trusted server clicked on it.



Employees of 43 percent of companies that received a simulated phishing email with fake Facebook or Twitter updates from a reputable and trusted server clicked on it.

That phishing finding comes from KnowBe4, which found that even when the email came from an unknown and untrusted server, employees of 15 percent of companies still clicked on it.

Focusing on industries where personal and financial information is likely to be stored on networks, KnowBe4 found that at least one employee of firms in the following sectors clicked on the simulated phishing email:

  • Financial services: 212.69 percent
  • Government services: 21.23 percent
  • Insurance: 18.37 percent
  • Healthcare: 17.99 percent

KnowBe4 founder and Chief Executive Officer Stu Sjouwerman said:

Given America’s widespread participation in social media, small and medium enterprises can assume that most employees have either a Twitter or Facebook account, or both. The perpetrators of this latest phishing scam are counting on users’ curiosity and trust in their social networks. The cybercriminals send a brief note — something along the lines of, “I Googled your name and found this,” or, “This photo of you is hysterical” — followed by a link.

Using a common link shortener, such as bit.ly, the sender is able to mask the identity of the website the link is directing to. Many recipients let their guard down and click the link if it appears to be sent by someone they know. However, these malicious links will often initiate a malware download or prompt the user to enter their personal login information; and in that instant, the company’s network is compromised.

Many [small businesses] don’t realize just how susceptible their employees are to phishing attacks, or they think their existing security measures are sufficient to handle external threats. But the fact is that security breaches can and do happen every day, and the consequences can be devastating to a company’s reputation and finances.

Readers: What steps has your company taken to combat phishing?