A research experiment conducted by Web security firm Trusteer found that even educated email users click on links that can lead to websites hosting malware, the company said.

New York-based Trusteer’s findings shed light on the potential consequences of the recent security breach at marketing firm Epsilon, a subsidiary of Alliance Data Systems Corp., which reported this month that an unauthorized entry into its email system resulted in the compromise of approximately 2% of its clients’ customer names and email addresses.

The marketing firm manages customer email databases for more than 2,500 clients including large financial institutions and retailers.

Security experts say they expect the breach to result in targeted email phishing attacks, and while credit unions were not among the reportedly affected Epsilon clients, several CUs posted messages on their websites warning members that they could be targeted if they opted in to an Epsilon client email marketing list.

The Trusteer experiment entailed sending emails that listed the social networking site LinkedIn as the sender to 100 friends and family members of Trusteer researchers. The emails contained a link that claimed to lead users to a new job alert but instead directed them to an outside website, a common tactic used by attackers, Trusteer CEO Mickey Boodaei said. Within seven days, Trusteer found that 68 of the 100 subjects had followed the link.

The company posted a blog entry detailing the experiment on its website, which states, “This research clearly demonstrates that social engineering makes it easy to drive corporate users to fake websites that could potentially download malware onto their computer. Education is always recommended and can certainly help, but in this case education did not prevent the attack.”

Trusteer customized the emails crafted for the experiment by creating a new identity on LinkedIn and gathering information about recipients’ LinkedIn connections and their connections’ profiles, the company said. Researchers used Gmail to create the fake LinkedIn email account and included photos of victims’ connections downloaded from LinkedIn.

Since mail programs typically display only the name of the sender, not the sender’s full email address, fooling recipients was simple, Trusteer CEO Mickey Boodaei said.
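The weakness Boodaei describes is that the From header carries two separately controlled fields, a free-text display name and an address, and clients render only the first. A mail gateway can catch the mismatch before a human sees the message. The following is an added example, not Trusteer's code or the experiment's tooling: it parses the From and Reply-To headers of a raw message and flags a display name that claims a brand whose known sending domains do not include the actual sender domain, and a Reply-To that points somewhere other than the From domain. The brand-to-domain table and both sample messages are constructed for illustration, and the lure mirrors the one the article describes (a "LinkedIn" display name over a webmail address).

```python
"""Flag display-name spoofing in inbound mail headers (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: a display name that mentions a brand must come from
# one of that brand's sending domains. A real deployment would load this from
# a maintained list rather than hard-code it.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "paypal": {"paypal.com"},
}


def sender_parts(header_value):
    """Return (display_name, local_part, domain) from a From/Reply-To value."""
    name, addr = parseaddr(header_value)
    local, _, domain = addr.rpartition("@")
    return name.strip(), local, domain.lower()


def brand_in_name(display_name):
    """Return the brand key that appears in the display name, if any."""
    lowered = display_name.lower()
    for brand in BRAND_DOMAINS:
        if brand in lowered:
            return brand
    return None


def domain_matches(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def classify(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    name, local, domain = sender_parts(msg.get("From", ""))
    brand = brand_in_name(name)
    if brand and not domain_matches(domain, BRAND_DOMAINS[brand]):
        findings.append(
            f"display name claims {brand} but address is {local}@{domain}"
        )

    # A Reply-To outside the From domain is a second classic tell: the
    # recipient's answer goes to the attacker, not to the claimed sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, _, reply_domain = sender_parts(reply_to)
        if reply_domain and reply_domain != domain:
            findings.append(
                f"Reply-To domain {reply_domain} differs from From domain {domain}"
            )
    return findings


# Constructed samples: a lure of the kind the experiment used, and a
# legitimate notification from the brand's own domain.
LURE = """From: LinkedIn <jobs.alerts.notify@gmail.com>
Reply-To: LinkedIn <recruiter.contact@outlook.com>
To: target@example.org
Subject: New job alert for you

A connection posted a job you may like. Click here.
"""

LEGIT = """From: LinkedIn <jobs-noreply@linkedin.com>
To: target@example.org
Subject: New job alert

A connection posted a job you may like.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, classify(raw) or "no findings")
```

This check is deliberately narrow: it catches the display-name trick the article describes, but it says nothing about whether the address itself is forged. In production it belongs alongside SPF, DKIM and DMARC alignment checks on the envelope and signed headers, and the brand list needs maintaining, because a lure can just as easily borrow a colleague's name as a company's.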

“It’s very easy to create a convincing email and attack an employee’s desktop,” Boodaei said. “Since it is so easy to execute, I believe this will be the No. 1 attack vector in the next couple of years.”

The lesson of the experiment, Boodaei said, is that companies should concentrate on implementing technology that prevents malware installation rather than on educating employees to spot malicious emails.

“Enterprises should assume employees will click on the links,” he said. “Then they should focus on how to prevent the links from infecting the software, and that comes down to technology.”

Todd Thiemann, senior director of product marketing for San Jose, Calif.-based data security provider Vormetric, said he agrees educated email users can be tricked.

“Human beings are fallible,” he said. “Even a savvy person can make a mistake.”

Thiemann added that credit unions can draw two lessons from the Epsilon breach: first, to implement a defense-in-depth data strategy, and second, to rethink the definition of “sensitive data.”

“Data is considered sensitive when you’re talking about thousands of client names and email addresses,” Thiemann said. “There’s a high probability of success for the fraudster who has that information.”

A defense-in-depth strategy should include the following actions, Thiemann said: allow only certain individuals access to sensitive data, and then only with proper encryption; perform database activity monitoring; develop a strong system for security information management; implement a host intrusion prevention system; and run up-to-date antivirus software from a reputable vendor.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Natasha Chilingerian

Natasha Chilingerian has been immersed in the credit union industry for over a decade. She first joined CU Times in 2011 as a freelance writer, and following a two-year hiatus from 2013-2015, during which time she served as a communications specialist for Xceed Financial Credit Union (now Kinecta Federal Credit Union), she re-joined the CU Times team full-time as managing editor. She was promoted to executive editor in 2019. In the earlier days of her career, Chilingerian focused on news and lifestyle journalism, serving as a writer and editor for numerous regional publications in Oregon, Louisiana, South Carolina and the San Francisco Bay Area. In addition, she holds experience in marketing copywriting for companies in the finance and technology space. At CU Times, she covers People and Community news, cybersecurity, fintech partnerships, marketing, workplace culture, leadership, DEI, branch strategies, digital banking and more. She currently works remotely and splits her time between Southern California and Portland, Ore.