Whether it’s a shadowy foreign gang seeking digital back channels into nuclear facilities or a lone hacker digging for a database of consumer passwords, the cybercriminals responsible for this year’s most high-profile attacks shared a common goal: getting unsuspecting users to click the wrong link.
“Emails about the Nigerian prince needing money, those kinds of very broad-based phishing attacks, I think they’re still occurring but are much less effective because people have some level of awareness of phishing,” said Amy Baker, vice president of marketing for Strip District information security training company Wombat Security Technologies.
“However, these more targeted attacks require a specific eye and a specific understanding of what to look for. They really cause us to want to make sure employees, as well as individuals and consumers, have the right behaviors in place that cause us to stop and pause before we take an action that could be detrimental.”
The swelling number of companies seeking to shore up their defenses against cyberattacks has helped Wombat, a Carnegie Mellon University upstart, thrive in only a few short years.
The company launched in 2011 has grown from a one-person shop to a firm of more than 40 employees. Last year, it tripled both its customer base and its revenues, according to Ms. Baker, who did not release specific numbers.
In April, the firm relocated from its Oakland headquarters to an 8,500-square-foot Strip District space, a move anticipated shortly after the company’s founding, said CEO Joe Ferrara. “As far back as 18 months to two years ago, we knew at some point soon we would likely hit maximum capacity in our previous space,“ he said.
The cybersecurity sector globally has been growing dramatically. It is estimated to reach $95.6 billion this year and to grow to $155.7 billion by 2019, according to Dallas research firm MarketsandMarkets.
Wombat’s expertise in anti-phishing and anti-virus software, as well as its PhishGuru interactive mock phishing attack program that alerts employees when their actions could spark a phishing attack, has helped the company snag 10 Fortune 50 companies and dozens of Fortune 1,000 companies as customers.
And no wonder. Instances of phishing — a technique where cybercriminals bait users with fake emails from familiar sources, malicious links to dummy websites and other techniques designed to siphon cash or infiltrate computer networks — exploded last year, according to Mountain View, Calif.-based Symantec Corp.’s Internet Security Threat Report 2014.
Dubbing 2013 as “the year of the mega breach,” the report found a 91 percent increase in phishing attacks last year. One in every 392 emails sent last year was designed to phish information out of users.
Considering that successful attacks exposed financial information of 110 million of Target customers as well as the passwords and usernames of all 145 million of Ebay users, the end doesn’t appear to be anywhere in sight for hackers sharpening the tools in their arsenal by the day.
Whether providing guidance to companies online or off, Ms. Baker said Wombat makes it a point to hammer in the notion that a degree of privacy is critical for computer security.
Public social media profiles that discuss the workplace and biographies listing personal details about managers are treasure chests of information for hackers who only need a few pieces of information to create emails convincing enough to make employees believe they have been contacted by one of their bosses.
There are tactics that can help people avoid taking the bait.
Ms. Baker said checking with supervisors in person to follow up on unusual email requests; hovering over emailed links to make sure they connect to legitimate websites; and using common sense about whether the person who appears to be sending the email would request information such as login credentials are the first steps toward steering clear of cybercriminals.
For those hoping to keep criminals from sinking a line into their company pool in the first place, Ms. Baker said mum’s the word.
“Criminals have gotten more sophisticated and we have made it really easy for them because we overshare our information,” she said. “They can easily get all of the information they need to form a targeted phishing attack from what we share on social media and in public places. We make it very easy for them to create a very believable phishing attack.”
Deborah M. Todd: firstname.lastname@example.org, 412-263-1652 or on Twitter @deborahtodd.