A recent study at Carnegie Mellon University found the 18 – 25 year old population is most susceptible to spear phishing attacks and fraud. This sounds counterintuitive as this group is assumed to be particularly computer literate. Even more on point, the test group were university students and staff members. For more information please see the article in the RSS feed at www.ere-security.ca entitled “Younger Users Reveal Risky Details”, May 4, 2010.
So what can we learn from this study?
Everybody needs to be trained about phishing by “experience”. The article discusses a tool to simulate attacks and the target web site explains how the simulated attack could have resulted in fraud and how to guard against phishing.
I believe this sort of solution could be effective if sponsored and paid for by an institution that has a vested interest in the cyber security of its user base. Corporations, educational institutions including grade schools, and government agencies could all benefit from this type of cyber education by experience, particularly if the web site kept statistics about those entrapped and determined the level of success of the service over time.
However, spear phishing can still be effective in situations involving a coincidence of timing, where the victim is expecting a transaction to occur and happens to receive a fraudulent email about that subject. For instance, someone expecting a delivery, an email receipt, or a confirmation of a transaction may have an irresistible urge to open a phishing email that seems relevant to their transaction.
In these situations it is important to:
- Ensure an anti-virus and anti-malware program screens these announcement emails first.
- Verify that any URL in the email is bona fide, by first searching for the legitimate URL independently and then comparing it with the URL in the announcement email.
- Never supply any additional personal information requested by an announcement email.
- Do not open unexpected or unknown attachments in email.
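The URL comparison in the second point can be made mechanical. The following is an added example (not from the original post); the courier domain and the sample links are constructed, and it flags the common ways a link is dressed up to look like the legitimate site:

```python
from urllib.parse import urlsplit

def link_problems(url: str, legitimate_domain: str) -> list:
    """Compare a link from an announcement email against the domain found by an
    independent search. Returns the reasons the link should not be trusted;
    an empty list means the host really is the legitimate domain or a subdomain."""
    problems = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    legit = legitimate_domain.lower().rstrip(".")

    if parts.scheme not in ("http", "https"):
        problems.append("unexpected scheme %r" % parts.scheme)
    elif parts.scheme == "http":
        problems.append("not HTTPS")
    if parts.username is not None:
        # "https://legit.example@evil.test/" displays legit.example but goes to evil.test
        problems.append("text before '@' hides the real host %r" % host)
    if not host:
        problems.append("no host in link")
    elif not (host == legit or host.endswith("." + legit)):
        # catches "legit.example.evil.test" as well as plain lookalike names
        problems.append("host %r is not %r or a subdomain of it" % (host, legit))
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("internationalised (punycode) host label; may be a lookalike")
    return problems

# Constructed samples: the domain the user found by searching, and links "received" by email.
LEGITIMATE = "example-courier.com"
SAMPLE_LINKS = [
    "https://www.example-courier.com/track?id=123",
    "https://www.example-courier.com@evil.test/track",
    "https://www.example-courier.com.evil.test/track",
    "http://www.example-courier.com/login",
    "https://xn--exmple-courier-abc.com/track",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        issues = link_problems(link, LEGITIMATE)
        print(link, "->", "OK" if not issues else "; ".join(issues))
```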
Have a secure week.
Regards, Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP, ERE Information Security and Privacy Compliance Auditors. www.ere-security.ca
Tags: Carnegie Mellon University, Information Security, IT Security, Phishing
Terrific work! This is the type of information that should be shared around the web. Shame on the search engines for not positioning this post higher!