Phishing is easy. Let’s just get that out of the way. It’s easy for an attacker, and, if you have the right tools (such as InfoSec Institute’s PhishSim), it is easy for a cybersecurity professional who wants to test the company’s employees using simulated phishing campaigns. With an average of 90 messages being delivered to a business email address per day, phishing is like, well, shooting fish in a barrel. 60% of work email accounts get checked at least once a day. But what about the other 40%? What about employees whose responsibilities do not include a lot of, or any, email communication?

Most organizations have employees working in the field. From drivers to technicians, to visiting nurses and field engineers, there is a significant percentage of workers who never set foot in your main office and, while having a company email address, never have to use it to perform their duties. Add to that number your custodial crew, cafeteria and on-premises daycare employees, and all of a sudden you have a small army of email “non-users”. Even if they use their company email only to receive their paycheck deposit notifications, just by having an active account they present a possible attack avenue for cybercriminals. From ransomware to establishing a foothold via a compromised internal account, attackers can use phishing in any number of ways against any business email account, regardless of its usage frequency or the owner’s role. Remember, all that is needed for a successful compromise is one click.
An additional risk here is that field employees are often not subjected to the same amount of security awareness training as the rest of the staff. The logistics of delivering the training materials to employees who hardly ever set foot in the main building are sometimes too (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Andrei Antipov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Dj-2JSO5FcE/