
However, Roger Grimes, data-driven defense CISO advisor at KnowBe4, said it’s “far from” the oddest phishing lure he’s seen; social engineering is involved in up to 90% of all successful hacks, he said in an email.
“In this case, the social engineering hack was in convincing the user to download malware,” he said. “That’s a tricky one to prevent. I always tell people to learn the following and practice it religiously: If you receive an unexpected message asking you to do something you’ve never done before, at least for that sender, research the request using known trusted methods before performing. That will save you in 99% of social engineering scams, including this one.”
Staff should be using MFA
CSOs and IT managers should ensure that any password managers their employees use have phishing-resistant multifactor authentication or require an additional login factor, so if staff fall for a scam like this, the scammer can’t log in just using stolen credentials, Grimes said.
This story originally appeared on Computerworld.
