Meet David. David works in sales and is out on the road at coffee shops and customer sites a lot. He receives an email from his IT team telling him his account is about to expire and to click on the link to ensure his access continues.
The information in the email looks bonafide and all seems above board. David clicks on the link, enters in his credentials and thinks no more of it. Little did David know that a hacker was behind the email and had he taken a little more care with looking at the email, and thinking back to the education and emails his company provides
Unbeknownst to David, as soon as he entered is credentials, a malicious script was activated in the background, which hijacked his session.
Ian doesn’t mean any harm. He’s trying his best. But his best isn’t good enough, because this year Ian singlehandedly caused a data breach that cost his company more than £20,000.
Back in February, Ian fell foul of a phishing attack when a seemingly innocuous email from that well-loved search engine ‘Gloogle’ landed in his inbox.
Ian knew to avoid malicious emails – after all, he’d yawned through his organisation’s mandatory staff awareness training when he joined two years ago.
But this email was from Trish in HR (via Gloogle), and Ian could trust Trish. Or so he thought. So, no alarm bells rang when, upon clicking to view the ‘project management folder’, he was prompted to re-enter his login details.
Unbeknown to Ian, this email wasn’t from Trish. This email was from a hacker, and as Ian entered his user credentials into ‘Gloogle Docs’, a malicious script activated in the background – hijacking his user session cookie, resulting in a reflected XSS attack.
In one fell swoop, the hacker gained access to all of Ian’s user data, including login credentials and company credit card numbers.
Unfortunately for Ian’s employer, the breach wasn’t immediately detected, and it took six weeks before the finance department noticed the influx of fraudulent transactions.
