I am addicted to fishing.
Being on the water is therapeutic for me. It’s like tending to a sickness. I call it hydrotherapy (even though it’s just fishing). My free time is filled chasing walleye, northern p
Saturdays come, and I am up at 4:30am heading out to get on the water with my buddy. We make it an intensive effort, and if we could get paid for it, we would take that job in a heartbeat– all the cool gear, being paid well, wearing cool clothes, and driving a new truck and boat would be the coolest things ever. We unfortunately aren’t paid for our efforts, but that doesn’t stop us from treating it like we do.
The whole way there we chat about the upcoming day. We share what we have learned about the water temp, the barometric pressure, the clarity of the water, the wind, and many other things. I spend hours studying tactics, learning about new lures, tackle, technique, and studying how my intended targets think and react.
A Different Kind of Fishing
There is another activity that takes a similar approach but has much more dire consequences— p
Cyber attackers who phish use a seemingly innocuous email to get your employees to click on a link that looks like it comes from a reputable entity. This is the
The phisher’s communication looks simple and innocent. It hides mayhem behind an email from the HR department, or the boss, or a vendor that you do business with. It might ask you for sensitive information, ask you to confirm your account, ask you to log in somewhere, etc.
In a rush to complete whatever task was asked of you by the higher-ups, you’re quick to comply. That’s just what the attacker is hoping for. The email may contain a link or an attachment that, once opened, gives the attacker a foothold on your network, installs ransomware, or begins copying and exfiltrating sensitive data. Soon after, your company is on the hook.
Phishing happens every day, and the phishers are becoming more and more sophisticated. The days of the poorly worded Nigerian lottery winner email are waning, and phishing attackers now make it difficult to quickly distinguish between a valid email request and one that will take over your network. Speed is the critical breaking point. When people are in a huge hurry, are trying to keep their performance high, and are trying to please everyone, they stop thinking critically, and the phisher lands their trophy.
Phishing scams run the gamut from a broadly cast net sent to your entire company, in the hope that someone won’t exercise good judgment and just clicks on something, to the highly targeted “spear phishing” and “whaling,” where specific individuals are researched, targeted or impersonated, and tailored emails are sent out to compromise the network.
Someone creates an email in the name of your boss, Ellen Simonsen, but spells it Ellen Simonson, hoping you won’t notice the subtle difference and will open the email. The fake Ellen says there is a great new app she wants your department to evaluate and gives you a link. Rather than taking you to the app, the link installs a piece of malware on your computer, which then begins working its way into the corporate network. The result could be that the installed software is now soaking up proprietary data, or is about to launch ransomware that locks everything up tighter than a drum until the ransom is paid in cryptocurrency.
People rarely notice the subtle differences because they are in a rush. They will click on the link because they don’t want to let Ellen down. But once they click that link, bad things happen.
A Sr. Vice President of your company, we’ll call him Steve, is active on social media and is a well-known classic car nut. There are pictures of him at many events and car rallies with beautiful classic cars and cars he’s purchased to restore. This one piece of information can be a great vector of attack. Because Steve is likely to open an email about classic cars, that is what he is sent— an email inviting him to enter one of his sweet cars in a well-known car show that is coming up in a few months. The link to register looks like it should go to the actual car show. But it doesn’t. Instead, it unleashes hell into the company network and takes the system hostage.
Steve was excited for an opportunity to show off one of the cars that he is proud of. Tantalized by something that he was known to be interested in, Steve was an easy target. The attackers chose him specifically, researched and played to his weaknesses, and compromised him accordingly.
How to Avoid Being Phished
Examples like these are not far-fetched at all. Every day, phishing campaigns like these are launched across the globe. They can be challenging to detect, especially when you are rushed. Thankfully, taking a few steps with your emails can go a long way. Here are some ways you can avoid falling victim to one of these attacks and compromising your own and your company’s sensitive data.
- Slow down and be skeptical: Email attacks are often predicated on you being in a hurry and being a trusting individual. Stop that! Take your time when reading emails that ask you to click on anything.
- Check the sender: Hover your mouse over the sender’s name, or expand the sender line, so that you see the actual email address and not just the display name. If the address does not use your company’s domain, it is not from your company, no matter whose name is on it. Look closely at the domain itself, too: a lookalike with a missing letter or a swapped character is easy to miss at a glance. Delete that crap. (One caveat: the address itself can be forged unless your mail system enforces SPF, DKIM and DMARC, so treat a matching domain as necessary, not sufficient.)
- Hover over that link: Take your mouse, hover over the link, and see whether it goes to the right domain or to some long, drawn-out URL that leads to a malicious site. The organization’s name should be the registered domain, the part immediately before .com or the like, not buried in a subdomain or in the path. As an illustration, login.example.com belongs to example.com, but example.com.secure-verify.net belongs to secure-verify.net. If there’s much more than the organization’s name in that position, you should be skeptical.
- DON’T fill out anything asking for your password: This is very important, and I will be a little blunt here. PayPal, Visa, your bank, an airline, or your controller will not send you an email asking you to confirm your password. They will not send you a link asking you to re-enter your username and password. They just won’t. If you think there is an action item for you in that email, go directly to the sender’s website by typing the address or using a saved bookmark instead of taking action from the email link. If there is something you need to do, you will likely find it in your account or message center on that site.
- Assume every email is infected: Your company is being probed every day via email and other attack vectors. Mail filters and endpoint protection run in the background, but some things slip through. With email, you are the last line of defense. If you understand that these risks are out there and take the proper precautions before acting, you can help make sure your company’s data stays safe.
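As an added example (not code from this post or its author), here is a small Python script that applies the sender and link checks from the list above to a constructed sample message modelled on the Ellen Simonson scenario. It assumes the company’s own domain is example.com; every address and domain in it is illustrative, and its registered-domain logic is a simplification that ignores multi-part suffixes such as co.uk.

```python
"""Heuristic checks for the warning signs listed above: external sender,
Reply-To mismatch, lookalike link domains, link text that disagrees with the
real destination, raw IP or userinfo tricks in a URL, and password fields."""
import email
import re
from email import policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the "Ellen Simonson" scenario above.
# All domains are illustrative (example.com is reserved for documentation).
SAMPLE_EMAIL = """\
From: Ellen Simonson <ellen.simonson@example-corp.net>
To: you@example.com
Reply-To: ellen.s.assistant@mail-relay.net
Subject: New app for the department to evaluate
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Team, please evaluate this app today and confirm your login.</p>
<p><a href="https://www.example.com/intranet">Intranet</a></p>
<p><a href="https://example.com.app-eval-portal.net/login">https://www.example.com/apps/evaluate</a></p>
<form><input type="password" name="pw"></form>
</body></html>
"""

DOMAIN_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def registered_domain(host):
    """'login.example.com' -> 'example.com'. Simplification: ignores
    multi-part public suffixes such as co.uk (use the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs and note any password field."""

    def __init__(self):
        super().__init__()
        self.links, self.has_password_field = [], False
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password_field = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text, company_domain):
    """Return (code, detail) findings for one link; [] means nothing odd."""
    findings = []
    u = urlparse(href)
    host = u.hostname or ""
    if not host:  # mailto:, relative links, etc.
        return findings
    reg = registered_domain(host)
    if "@" in u.netloc:  # everything before '@' is userinfo, not the host
        findings.append(("userinfo-in-url", f"real host is {host}"))
    if host.replace(".", "").isdigit():
        findings.append(("ip-host", f"raw IP address host {host}"))
    # Company name appears in the authority, but the registered domain
    # (the part that actually matters) belongs to someone else.
    if reg != company_domain and company_domain.split(".")[0] in u.netloc.lower():
        findings.append(("lookalike-domain", f"looks like {company_domain}, is {reg}"))
    # Anchor text shows one domain while the href goes to another.
    if DOMAIN_LIKE.fullmatch(text):
        text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
        if text_host and registered_domain(text_host) != reg:
            findings.append(("text-href-mismatch", f"text says {text_host}, goes to {host}"))
    if len(href) > 100:
        findings.append(("long-url", f"{len(href)} characters"))
    return findings


def check_message(raw, company_domain):
    """Run the sender and link checks over a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = utils.parseaddr(str(msg.get("From", "")))
    if registered_domain(addr.rpartition("@")[2]) != company_domain:
        findings.append(("external-sender", f"{name!r} is really {addr}"))
    _, reply = utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr.lower():
        findings.append(("reply-to-mismatch", f"replies go to {reply}"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkExtractor()
        parser.feed(body.get_content())
        if parser.has_password_field:
            findings.append(("password-field", "body asks for a password"))
        for href, text in parser.links:
            findings.extend(check_link(href, text, company_domain))
    return findings


if __name__ == "__main__":
    for code, detail in check_message(SAMPLE_EMAIL, "example.com"):
        print(f"{code:20} {detail}")
```

Running it prints one line per finding; the intranet link, whose registered domain matches the company’s, produces none. A script like this does not replace the human check, and it only sees what is inside the message: a From address on the right domain is still only as trustworthy as your mail system’s SPF, DKIM and DMARC enforcement.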
We are often engaged to see if we can get people to fall prey to an email phishing attack, and we would offer you the chance to get that same security awareness training for your organization. In engagements where we have been hired to compromise a network via a phishing attack, we are successful in getting someone to click on the link EVERY TIME! While people continue to be our greatest weakness in security, they can also be a great strength. We have seen a significant reduction in successful phishing attempts once we have been able to hold