First, it was bad guys pretending to be your boss, asking you to wire money to a needy orphanage right away. The bad guys figured out how to make an email look like it really came from your boss…complete with your boss’s email address and using your boss’s first name. Our firm issued a Red Alert that practice early on, and we learned that many organizations have been targeted; some have fallen prey.
Then, it was bad guys using similar tactics (like pretending to be your boss), asking you to send them employee identity information (such as W-2 forms and payroll records). Many companies and nonprofit organizations have fallen prey to that scam as well.
And now, it’s “Katie, bar the door!” as the bad guys keep coming up with new ways to fool you with emails that look increasingly genuine. Maybe it’s an email that appears to be from Microsoft, stating that your account has been breached and you need to reset your password immediately. Maybe it’s an email that looks like it came from a colleague, asking you to take a look at the spreadsheet she has put together related to a project on which she has been working. Or maybe it’s an email that appears to be from American Express, showing the correct last four digits of your card number and asking you to tell American Express whether the recent charge of $358.67 to Amazon is legitimate. It’s no longer the widow of a deceased Nigerian government leader who says in an email, replete with misspellings, that she wants to deposit $3 million in your bank account.
The bad guys are employing research, ingenuity, and cunning to get you to take the bait. They will study you and your organization on the web. They will find publicly available information about you. They will find out who your friends and contacts are through social media. They will determine your home address. They will learn the names of your children. They may even obtain your date of birth, which is sometimes readily available on the web. In some cases, they will obtain (on the black market or “dark web”) your account numbers. Then, they will plan their attack…casting the bait with the hook. The “WannaCry” malware that recently circulated the world is just a new example of many.
“Smart phishing” is the term I use to describe the activity of bad guys attempting to lure users to make a mistake (like opening a file that contains malware or providing login credentials) by using correct information about the user. The term used by many in the technology sector is “social engineering.” I have to confess that I do not understand the choice of that term for such activity. The term “social engineering” makes it sound like something with a positive purpose. It’s not positive. Regardless of what you call it, it is bad news and it is catching more sophisticated computer users every day.
A February 2017 article in the Wall Street Journal is entitled, “Your Biggest Online Security Risk Is You.” The article states that former Hillary Clinton campaign chairman John Podesta, whose emails were hacked and leaked publicly, gave hackers access by falling prey to a smart phishing email, appearing to be from Google, asking him to reset his account. Citing a data security expert, the article alarmingly notes that “about 97% of all cyberattacks start with phishing.” While email remains the medium of choice for most phishing expeditions, the bad guys also use text messages and social media communications. Smart phishing is increasingly pervasive.
The “bait” used by the bad guys is becoming much more difficult to distinguish from legitimate communications. Even careful and sophisticated computer users are often caught off-guard; it only takes one mistake to cause problems. Problems are often caused when someone opens a file that, unknown to the user, installs malware on the user’s computer or network. Malware can do any number of detrimental things, such as sending copies of files from your network to the bad guys, monitoring key strokes to obtain login credentials, or freezing the computer or network server data and requiring a ransom payment to unencrypt or release the frozen data. Problems also arise when a user is tricked into entering login credentials on an imitation website, giving the bad guys the user’s login credentials.
What can you do to reduce the risk in your organization? The best advice boils down to your users having a healthy awareness and skepticism when dealing with emails. So, ensuring that your team is educated about these risks is essential. Help them to understand the risks and to be aware of the issues addressed in this article.
A favorite ploy of the bad guys is to create a sense of urgency to address something. It may look like the boss asking you to do something right away, your bank asking you about a suspicious charge on your account that must be addressed immediately, or a company with which you have an account telling you that your account has been breached and you need to reset your password. Even when the email appears legitimate, be skeptical. Hover over links with your cursor to see where they point. Many times, such a strategy will reveal that the links do not go to the places they say they go. If you believe an email may be legitimate, but you are not completely sure, and it is raising an issue that is a cause for concern, verify the identity of the sender in some other way than by responding to or clicking on links in the email. Contact the bank. Call the boss. Log in to the company’s website by starting at the company’s known web address.
Bob Wagner, IT Advisory Service Practice Leader for ION247, a managed security services provider, noted additional strategies that organizations can employ. “Some tactical examples of how organizations might address these areas of risk are naming a program owner to drive the awareness/training activities (not always your IT person) and utilizing a third party managed security services provider (MSSP),” suggested Wagner. Wagner further noted that an MSSP can simulate phishing and probing to see how workers respond and to identify other vulnerabilities.
It is also important to have a clear understanding with your IT service provider, whether internal or external, regarding its role with respect to your organization’s data security. For example, the job description (if IT support is internal) or the vendor contract (if IT support is external) may include language along the lines of the following:
Service provider [or Employee] acknowledges its [or his/her] responsibility to proactively address the security of [Organization’s] data maintained in any and all of [Organization’s] systems. Such responsibility includes, but is not limited to, proactively and timely:
• assessing [Organization’s] data security condition, policies, and practices;
• identifying vulnerabilities and threats;
• recommending actions and solutions to address vulnerabilities and threats identified; and
• implementing actions and solutions approved by [Organization].
[This is merely a suggestion for language that an organization, together with its legal counsel, may wish to consider.]
Technology will continue to change. Security measures are being added to email and other communications applications to help filter out the bad guys. And the bad guys will continue to develop new ways to pillage, rob, and steal. It is important for any organization to employ, with the help of IT experts, robust data security training, policies, and technology to reduce the risk.
The big fish in the lake didn’t become big fish by biting bait on a hook. With adequate awareness and skepticism, we can thwart the smart phishing expeditions that, according to the Wall Street Journal, cause 97% of cyberattacks. Don’t take the bait.