Which Employees Are Most at Risk of Phishing Attacks?

By Devin Partida, Editor-in-Chief, ReHack.com

There are plenty of fish in the sea, but some of them are hardly worth catching. Why are some employees bombarded with phishing emails while others seem to escape the issue altogether? Here is what hackers look for in a target. 

High-Ranking Executives

Perhaps unsurprisingly, hackers often target people at the top of the organizational ladder. This phishing technique is so common that it even has a name — whaling. One survey found that 34% of organizations that fell for a payment scam were victims of whaling attacks. 

C-suite-level executives have greater power to approve payment requests, access sensitive systems and provide company data to scammers. They are used to getting emails asking for spending approval or making other high-level company decisions. They’re also usually so busy that they may overlook a phishing attempt by mistake. 

To carry out this phishing method successfully, hackers use polished, well-crafted emails mimicking the language used in business correspondence. The emails may appear to come from business partners or clients. 

IT Teams

According to a 2019 report, the average cost of a cybercrime was $2.4 million, and it’s the IT department’s job to prevent such incidents. Ironically, tech support and security teams are favored targets of scammers.

IT workers have direct access to administrative accounts. They can see usernames, passwords and financial information, and they can remotely view and control other employees’ computers. An IT employee’s account is a gold mine for hackers — it lets them directly target infrastructure, putting them right at the heart of a company’s network. 

Hackers have to be particularly savvy to phish their way past an IT worker, but that doesn’t mean they won’t try. 

New Hires

When phishing scammers target a specific person, the technique is called spear phishing. Threat actors may impersonate a top-ranking executive or reputable company to sway people into divulging sensitive information. For example, in the first quarter of 2020, 4% of all spear-phishing attacks mimicked Google to appear credible. 

Junior employees — especially those in administrative roles — are prime targets for spear phishers. They are less familiar with company processes and chains of command, making it easier for them to fall for impersonations. 

Scammers trawl social media or LinkedIn to find people just starting a role. People with new jobs are usually eager to share the news, and they may unwittingly reveal where they work, their closest contacts or their schedule.

Scammers then send the employee an email impersonating a manager or co-worker. Because junior employees want to impress their superiors, they may comply with requests to buy the team gift cards or wire someone money. They are less likely to question these requests because they do not yet know how out of character they are.

Finance and Accounting Workers

Accounting departments are vulnerable to phishing for the same reason IT departments are: cybercriminals go after workers with the authority to authorize payments or disclose financial data. Even a single successful phishing attempt could give scammers a wealth of information, or wealth itself.

For this type of attack, hackers may break into legitimate accounts to try to get someone to pay a fraudulent invoice. They may send an urgent message that appears to come from a vendor or senior executive asking for immediate payment. Or, they might claim a company credit card expired or did not work and ask accountants to provide the card number again.

Anyone receiving such an email should double-check with a supervisor before authorizing anything. Few situations really require immediate payment.

Remote Employees

The shift to remote work has led to increased cyberattacks in many sectors. People use their home computers and laptops for more than just work, meaning they may click on malicious links or inadvertently download a virus while browsing. Remote workers do not have the benefit of an IT department regularly servicing their computers, nor do they always have firewalls, antivirus software and other safeguards in place. 

Remote employees need at least as much cybersecurity training as in-person office workers, if not more. Companies should brief them on proper password generation and protection, safe browsing habits and how to spot phishing attempts.

Staying One Step Ahead

Scammers often target new employees, top-level executives, IT professionals and accounting staff. Businesses have also seen an uptick in phishing attacks among remote workers.

This type of scam may be common, but organizations can protect themselves by keeping employees — from all departments and skill levels — up to date on their cybersecurity training. It’s a simple but highly effective way to improve any company’s online safety.

Devin Partida is an industrial tech writer and the Editor-in-Chief of ReHack.com, a digital magazine for all things technology, big data, cryptocurrency, and more. To read more from Devin, please check out the site.
