This week #phishing was in the headlines again as we learned
over one million Gmail users had received a fraudulent Google docs sharing
request: https://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/
.
While #InfoSec professionals generally agree that employee
training is one way to raise awareness of this type of attack, there is still a
lot of room to learn with regard to phishing education best practices, with one
EU based study asserting: “There is a lack of empirical data on the
consequences of using deception in organizational phishing studies.”(https://ethicalencountershci.files.wordpress.com/2016/03/chi2016_workshop_ethicalphishing_cameraready_final.pdf
)
We know that email users are sometimes tempted by the lure
of easy money, as in the now ubiquitous “I’m a prince & I won the lottery!”
type scams. Others may have their cognitive judgment impaired by the use of
emotionally loaded words. Here is a link to a list of words that are considered
to be emotionally persuasive: http://www.thepersuasionrevolution.com/380-high-emotion-persuasive-words/
Some legal professionals focus on bringing or defending
suits for pecuniary losses associated with, for example, identity theft that
sometimes follows from a data breach, or on complying with data protection
regulations generally. There is implicit in these types of legal actions some
type of culpability on the part of the hacked entity (“failure
to exercise reasonable care in protecting… information”).
However, phishers often use well-known brand names without
authorization. The perpetrator of the latest news grabbing phishing attack is
unlikely to have a licensing agreement with the brand they are purporting to
be. Phishing attacks, thus may also, at least tangentially, be diminishing the
value of said brands with no fault at all
attributable to the damaged brand.
What do you think is the best way to address a method of
redress for the copyright and trademark holders who are harmed when the value
of a global brand is affected by a criminal phishing spree?
No comments:
Post a Comment