One of the latest high-profile phishing attacks affecting the UK has seen a new social engineering scam impersonating HM Revenue & Customs (HMRC) to trick victims into downloading malware.
This time, the phishing attack is disguised as an HMRC VAT return document which contains links to JRAT malware. The email was even sent using an HMRC-like domain, hmirc-gov.co.uk.
In response to this, Amy Baker, VP at Wombat Security Technologies, suggests that relying on cyber-security technology could be one of the reasons that people keep on falling for these kinds of attacks. Her comments follow.
Amy Baker, VP at Wombat Security Technologies:
“This latest HMRC phishing scam is a case in point of how sophisticated social engineering attacks are getting. It uses a slightly different method to convince people to click (an embedded image of a PDF) rather than the standard attachment or link-based “bait”. Experts are far too quick to dismiss the importance of users in cases like this, but an in-depth cyber-security defence strategy should never rely solely on technology because, ultimately, some attacks are going to get in and then it is down to your users to be your very last line of defence.
Recent research we conducted found that 3 out of 10 employees in the UK and US don’t know what phishing is, and 6 out of 10 don’t know what ransomware is. Educating your employees will help you protect against attacks like these. Even though phishing has been around for several years, employers still have work to do to educate employees about these threats. The ideal strategy is a proactive comprehensive training program with knowledge assessments and interactive training supported by an integrated solution where technology is able to detect risky behaviour and automatically deliver users some relevant ‘Just in Time’ training.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.