According to the 2016 Verizon Data Breach Investigations Report, phishing email attacks are still one of the most popular attack vectors. And, maybe more importantly, the continued rise of organized crime syndicates as the threat actors means there are more resources to carry out attacks, more sophisticated attacks being executed, and bigger goals.
In all of my training, research and customer interactions, I continually hear that people are an organization’s weakest link. Attackers know people generally don’t “get” technology and rely heavily on IT to figure computer stuff out. So I propose we instead empower people with knowledge of how they are being targeted and turn them into our greatest strength.
I spent some time in a previous post on tips to help figure out how to tell if the sender of an email is legit and now I want to move into the body of the email.
When an attacker sends out a phishing email, they are typically looking to have you do one of three things (depending on their motive): click on a link, open an attachment, or send them something valuable, like unknowingly wiring funds to them or forwarding them all of your company personnel W2s. So let’s focus on those activities.
Here are 5 tips to help your users learn to pick out the scams from the legitimate messages:
- Verify where a link is going: Training experts will tell you to give users a mantra or some sort of catchy take-away to remember a key point – so let’s try one for verifying links… Look quick before you click! Basically, one of your best defenses is to look at where the link in the email is taking you before you actually click on it. Hover over the link to see what the actual URL address is – do not blindly trust the words that are hyperlinked in the message. And be extra watchful for the sleight-of-hand tricks attackers commonly employ, like switching out, adding or replacing characters (commonly known as substitution and transposition): an “m” replaced with an “rn”, a lower case “L” switched out with the number “1”, or a .com address reading as .co instead.
- Check those shortened URLs before clicking: Full URLs are ugly, especially if you are a marketer or a Twitterer (Tweeter? Twitterian? Twitterite?). You can save so much valuable real estate by turning something like this: https://frsecure.com/blog/10-security-principles-live-or-die-by/ into something like this: http://bit.ly/1r1CqEg. But you know who else loves URL shorteners? Attackers. URL shorteners make their job SO. MUCH. EASIER. Why bother trying to trick you into thinking their fake site is a legitimate one when they can simply create a shortened URL, attach some clever subject/headline to it, and we’ll click away! But an empowered user will un-shorten the URL before deciding whether or not to trust it. A few cool sites that help with this include CheckShortURL.com, KnowURL.com, and URLUncoverpro.com.
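The two link checks above (does the visible text match the real destination, and is the destination a shortener hiding the real one?) can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from the original post or from FRSecure: it pulls every link out of an HTML email body, compares any domain shown in the link text against the domain the link really points to, folds the character swaps described above (“rn” for “m”, “1” for “l”) so lookalike hosts are caught, and flags known shortener hosts. The shortener list, the lookalike table and the sample email body are all constructed for the demo (the hosts use the reserved .example and .test TLDs); a production tool would use the public suffix list rather than the crude last-two-labels guess used here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample list of shortener hosts (not exhaustive).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Character swaps the post calls out ("rn" for "m", "1" for "l"), plus two more.
LOOKALIKES = [("rn", "m"), ("1", "l"), ("0", "o"), ("vv", "w")]


def fold_lookalikes(host: str) -> str:
    """Map lookalike sequences to the letters they imitate, so that a spoofed
    host folds to the same string as the genuine host it is imitating."""
    h = host.lower()
    for fake, real in LOOKALIKES:
        h = h.replace(fake, real)
    return h


def registrable(host: str) -> str:
    """Crude registrable-domain guess (last two labels). Good enough for the
    demo; a real tool would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace in the visible text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Something that looks like a domain (optionally with a scheme) inside link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


def analyze_link(href: str, text: str) -> list:
    """Return (code, detail) findings for one link; an empty list means clean."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if host in SHORTENERS:
        findings.append(("shortener", f"{host} hides the real destination"))
    if parsed.scheme == "http":
        findings.append(("http", "unencrypted link"))
    m = DOMAIN_IN_TEXT.search(text.lower())
    if m and host:
        shown, real = registrable(m.group(1)), registrable(host)
        if shown != real:
            detail = f"text shows {shown}, link goes to {real}"
            if fold_lookalikes(shown) == fold_lookalikes(real):
                findings.append(("lookalike", detail))      # rn/m, 1/l style swap
            elif shown.split(".")[0] == real.split(".")[0]:
                findings.append(("tld-swap", detail))       # .com shown, .co real
            else:
                findings.append(("mismatch", detail))       # unrelated destination
    return findings


def scan_email(html: str) -> list:
    """Return [(href, text, findings)] for every link with at least one finding."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, analyze_link(href, text))
            for href, text in extractor.links
            if analyze_link(href, text)]


# Constructed sample email body; every host is made up for the demo.
SAMPLE_EMAIL = """
<p>Your invoice is ready at
<a href="http://payroll.test/invoice">https://payroll.example/invoice</a>.
Pay now via <a href="http://bit.ly/1r1CqEg">this link</a> or sign in at
<a href="https://rnybank.example/login">mybank.example</a>.
Questions? <a href="https://support.vendor.example/">support.vendor.example</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for code, detail in findings:
            print(f"    [{code}] {detail}")
```

Run as-is, it reports the three suspicious links in the constructed sample and stays silent on the fourth, whose visible text and destination agree. The lookalike fold runs on both sides of the comparison, so legitimate digits in a host name do not produce false alarms on their own; only a pair of hosts that differ exactly by a known swap is reported.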
- Don’t open the attachment if you aren’t expecting it: I mentioned this in a post on verifying who the sender of an email is, but it bears repeating. Question emails from people you think you know that send you attachments you aren’t expecting. And what I mean by not expecting: if you are used to getting invoices from a vendor on the first of the month but get one in the middle of the month, it’s worth questioning. Or, if you have a client who consistently emails you only from 8-5 but suddenly sends you a message in the middle of the night, it’s worth questioning. And if you never get attachments from a particular contact but he suddenly starts sending them, it’s worth questioning.
- Verify the URL or file isn’t a known troublemaker: There is a super awesome site called VirusTotal (a Google subsidiary) that will analyze files and URLs you submit for viruses, worms, trojans or other malicious content. If you receive an email with a link or attachment that raises your suspicions, run it against this site to see if it comes up as dangerous. Keep in mind that files you upload are shared with the security community, so check a file’s hash rather than uploading it if the document itself is sensitive. (And as a reminder, no tool is 100% effective at catching all the bad things.)
- Implement stronger controls for any sensitive process: This is a classic example of why information security is MUCH BIGGER than IT. You know who has spent much of Q1 falling for fraudulent W2 requests and wire transfer requests? I’ll give you a hint: it’s not IT… Attackers look for known weak spots in organizations and then go after them. What processes do you currently have that are ripe for exposing you to harm because you don’t have proper segregation of duties, effective ways to verify requests, or maybe even solid processes that just aren’t being consistently followed? W2 requests, wire transfer requests, new customer purchase orders, customer fund transfer requests, invoices, and resumes are all processes managed by various parts of organizations, and all are actively being exploited by attackers with great success. Look at these and other potential weak spots in your organization and make them stronger: make sure any request for a transfer of sensitive information or money has a second method of verification (one that does not involve replying to the potential attacker!), consider adding a custom code to incoming resume or invoice emails to help your staff pick out legitimate ones from fake ones (or funnel them all through a portal instead, to take email out of the equation), and review other processes specific to your industry or organization and build in fail-safes or additional verification steps to catch potential fraud.
It is worth mentioning that while I’m addressing email specifically, these attacks (and many others) are not limited to your email inbox. Attackers use these same methods to harm you on social media (both your inbox and links in your feed), your text messages and your instant messages. If you are interacting online, you can safely assume some attacker has figured out ways to try to take advantage of you – knowing that and preparing for potential danger will make you safer.