Here are some tips and statistics to help employers protect their staff from phishing attacks while maintaining productivity and socialization.

Employees of many small and medium-sized businesses most frequently access YouTube, Facebook, Google services and WhatsApp. In corporations that prohibit these services on corporate devices, their use is usually limited to personal devices.

However, with remote working being so common, some of the protective measures of office environments are no longer so clearly defined or enforceable. While organizations can have different priorities and permissions for what web services can be used by their employees working from home or at the office, it is still important to make sure they stay protected from any cyber-risks, according to Kaspersky researchers.

According to anonymized statistics of events captured by one of the firm’s products in beta testing and voluntarily provided by testers, popular web services in frequent use were being exploited for phishing and other malicious actions. For the period between April and September 2020, depersonalized metadata voluntarily provided by users of the firm’s distributed antivirus network revealed the top five applications where phishing attempts were found most often:

  1. Facebook (4.5m phishing attempts)
  2. WhatsApp (3.7m)
  3. Amazon (3.3m)
  4. Apple (3.1m)
  5. Netflix (2.7m)

Coming in at No. 6 were Google’s offerings YouTube, Gmail and Google Drive, at 1.5m phishing attempts. According to Kaspersky, these results only confirm the trend that popular applications have become valuable platforms for fraudsters’ malicious actions.

Balancing productivity with web blocking

Product statistics also showed what web applications were most likely to be limited on organizations’ corporate devices. The top five most blocked applications only included social networks: Facebook, Twitter, Pinterest, Instagram and LinkedIn.

These blocking decisions do not include messenger apps, file sharing or mail services, probably because they are often used for working purposes as well as for personal needs.

Other less popular web services may turn into attractive scammer lairs once they become popular. For example, the TikTok app has gained enormous popularity over the past few years and now appears to be flooded with fake accounts and scammers who are gradually improving their skills as the service rises in popularity. Protection from such scams and phishing attempts is crucial to ensure both personal user accounts and corporate data and devices remain safe.

| Most used services | Most commonly blocked services | Top services, by phishing attempts |
| Google Drive | Pinterest | Amazon (all services) |
| Gmail | Instagram | Apple (all services, including iCloud) |

Said Tatyana Sidorina, a security expert at the firm: “It is important for any organization to understand where threats may come from and what technology and awareness measures are needed to prevent them. Businesses also need to provide their employees with comfortable use of services they require, so it is crucial to get the balance right.”

With this in mind, Kaspersky suggests that businesses follow four steps to ensure their employees use web services safely and securely:

  • Show employees how to recognize fake or insecure websites and phishing messages. Encourage them never to enter their credentials before checking a website’s credibility, and never to open or download files from unknown senders.
  • Conduct basic security awareness training for your employees. This can be done online and should cover essential practices including those that protect against phishing, such as account and password management, email security, endpoint security and web browsing.
  • Adopt a proven endpoint security product with web, network and mail threat protection.
  • Enhance IT managers’ expertise on relevant cyberthreats and how to prevent them.

Good training allows all staff to learn how to classify malware and how to recognize malicious and suspicious behavior in software.