L’hameçon auquel il ne faut vraiment pas mordre (en anglais)

Version imprimable, PDF et e-mail

Exposing users to the latest social engineering attacks is a key feature of any security awareness training program. Barracuda Security Awareness Training offers customers real-world phishing simulation templates to evaluate whether their employees can successfully identify spear-phishing attacks and determine how likely they are to interact with them. Subsequently, Barracuda Security Awareness Training has been tracking the click-rate data related to these simulation templates for years. A clear trend has emerged among users from a variety of industries:  Emails that impersonate internal departments or applications are the most likely to bait user interaction.

Ice phishing (internal communication emulation) is successful because workers tend to get flooded with these types of emails on a daily basis. Password reset requests, storage alerts, HR notifications, and service ticket updates are all examples of these messages. The frequency and volume of these emails lead people to click without careful analysis. Ice phishing attacks can also be baited with emotional triggers like “you’re about to run out of email storage” or “your web browsing is in violation of company policy.” Emotional reactions like anger, fear, or frustration tend to drive a lot of clicks, regardless of the type of email.

Out of the hundreds of phishing simulation templates we provide, 9 out of 10 of them were ice phishing:

Nom du modèle / Description Taux de clic Ice Phish ?
FAX Internet 50% Oui
Confirmation de salaire 43 % Oui
Mise à jour de la politique de voyage 40% Oui
Mises à jour RH sur les congés 31% Oui
Mise à jour de la politique de voyage 30% Oui
Nouvel annuaire de l’entreprise 30% Oui
Document MFP (imprimante multi-fonction) 29% Oui
Partage de fichier Google 28% Non
Document MFP (imprimante multi-fonction), v2 28% Oui
Tâche d’impression trouvée 28% Oui

Detecting these types of attacks takes careful analysis on behalf of the recipient, but technical controls can help. For instance, you can place warning banners on external emails by using something like the External Sender Warning function on the Barracuda Email Security Gateway.

Procedural controls can also help to mitigate the risks of ice phishing. One major medical institution we worked with now mandates that all internal communication should direct users to the intranet and that links to external sites are strongly discouraged. More importantly, users were educated about the danger of ice phishing attacks.

When hackers leverage ice phishing internally after a successful account takeover, these attacks are even more difficult to identify. See our recent report on lateral phishing for more information on what you can do to prevent account takeover.

Combattez les menaces à la sécurité grâce à une formation de sensibilisation à la sécurité.

Remonter en haut de page