Whoever was running HHonors’ email campaign last month had clearly checked out — at least mentally. The Hilton hotels’ loyalty program sent a message asking members to confirm their contact details by logging into their accounts and updating the information. While the intentions were honest, the premise smelled… “phishy”.
The set-up of a phishing email is familiar even to those working outside IT and cybersecurity: simply click a link to update or provide personal information. Many a non-vigilant email user has taken the bait and been reeled into a hack, malware infection or data breach. In this case, members took to social media to inform Hilton of their concerns, but the email was so effectively ‘faux fraudulent’ that HHonors’ own Twitter account claimed it was a fake and advised customers not to open it. Cue: cringe.
In hindsight, the person’s first name, Hilton HHonors membership tier and number of loyalty points acquired at the top of the email were an indication it was authentic. However, as cybersecurity expert Lenny Zeltser points out, it’s relatively easy to acquire first names; to a hacker with a little time to research, the membership tier can be guessed with a high degree of success; and the recipient is unlikely to know his or her number of points off-hand to quickly verify the stated amount.
More detailed, personalized phishing schemes are also on the rise. Known as spear phishing, these highly targeted emails usually appear to come from someone the recipient knows, or a person or company that they trust (as opposed to regular phishing attacks, which cast a wide net with multiple targets and hope to catch one). Spear phishing attacks increased by 55% in 2015, largely targeting the financial services sector and small businesses.
However, the bigger issue with the HHonors incident is that legitimate organizations sending out (mis)communications like this teach customers to accept fraudulent-looking emails. In turn, it further blurs the line between authentic and attack — essentially paddling out the boat, casting the line and cracking a beer for phishing hackers.
While members were vigilant and diligent enough to flag the emails to Hilton, this is not always the case. One figure from Duo Security shows that in the workplace, one-third of employees will still likely fall prey to phishing attacks — opening their company up to massive harm.
A highly publicized recent study by Friedrich-Alexander University (FAU) also shows that over 50% of people will click on an unknown link out of curiosity. The research group simulated a phishing scam by sending 1,700 messages via Facebook and email to participants. Around half clicked on the link despite being unfamiliar with the sender, including those claiming to be aware of the danger.
“The overall results surprised us as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links,” said Zinaida Benenson, who led the study.
No word on the cat, but curiosity may certainly kill your company.
According to Bloomberg, the massive Sony attack of 2014, the recent fiasco surrounding the U.S. Democratic National Committee’s email system and, most likely, the $81 million Bangladesh Bank heist that shone a light on security flaws in the SWIFT bank transfer network were all the result of phishing attacks. Most likely, an unsuspecting user clicked a link and hackers gained access to the network, from which they infected it with malware.
Thanks to their social, human-error-based nature, phishing hacks are often able to circumvent many AV programs. Ultimately, the greatest tool available in fighting them is education — training employees or users to recognize and minimize risks. And it’s not easy. Last December, a simulated phishing e-mail was sent to 466 Berlin police officers asking for their passwords for a “secure password storage of the Berlin police.” More than 250 clicked the link and 35 of them provided their credentials.
When legitimate organizations such as Hilton irresponsibly send out emails that look fraudulent, it counters any education people may have received, and further opens them up to phishing (and spear phishing) attacks. Perhaps the next step is not only a matter of training employees and users to recognize risks, but also teaching communications and marketing professionals not to perpetuate them.