Security Awareness: Phishing up the weakest links!

Who (in their right mind) would like to appear as the corporate dunce who infected their company network (by clicking on an email attachment or url)? Not you, not me, and certainly not the PR department or the company CEO’s administrative assistant, or even the CEO himself.

phishing security awareness

Phishing is an activity that cybercriminals utilize to acquire personal and sensitive information. Whether it is an account username and password, credit card details, a social security number, or other personal data — it is designed to coax you into giving up your personal information for criminal gain. For those of us who have been unfortunate enough to click on a deceptive phishing link or email attachment, it is an event that most of us would probably rather forget.

Phishing it up

Most of us are aware that if an email arrives unsolicited and includes grammatical errors, we should just delete it and continue on with our day. Not all phishing emails contain bad grammar, unsolicited attachments, or immediately request sensitive information. Last summer I received an email that appeared quite genuine, so genuine in fact  that I almost became victim to a very clever phishing scheme.

The email arrived from a fraudulent xyz company with a domain name that was similar to the official xyz company (official company name redacted) and was comprised of the whole enchilada — the language was not pitted with obscure and difficult-to-read ramblings, the brand name and logo appeared kosher, the content exhibited exemplary grammar that featured impeccable spelling, and the signature itself went directly to the official xyz company page. This email was so exceptionally well-crafted, that it did not raise any red flags in my mind.

I planned to email xyz company at the end of the work day to see what their special projects and negotiable rates entailed. Approximately one hour after receiving this email from the fake xyz company, I received a phone call on my personal phone line. For the record: last year I specifically used my business line for vendor call backs and never used my personal line. My communication history with the official xyz company had always been via email correspondence, LinkedIn, or GoToMeeting. This specific outlier form of communication immediately raised a big red flag in this gals mind.

The phone call itself was quite interesting. There was no thick throaty accent or broken English  the voice on the other end of the line was obviously masculine, deep-voiced, and quite articulate.  He said his name was Jay Stoddard (director of something or other) and that guy had charisma too. I could have easily fallen under his modulated sing-song voice if that big red flag did not stand between the two of us.

What special project was he willing to offer me and what personal information did he need from me? The deal was juicy-sounding: an exclusive contract to manage WordPress blogs (I love WordPress), but there was one catch my EIN number did not clear with the IRS and they needed my social security number. The previously planted big red flag, grew into a colossal red flag. Not only did he want my social security number he also asked me to verify my birthday and to answer security questions (such as my Grandmother’s first name and who my best friend in college was). Of course I did not give him any answers and told him that I would call him back later that day and hung up.

 Attack Techniques

Phishing attack techniques often use a combination of email spoofing and attachments or inline URLs that impersonate popular brands and companies.Then there are some campaigns that utilize atypical phishing techniques such as the example I listed above.

Internet security and mobile brand, BullGuard stated at their blog recently stated at their blog that “In 2004 phishing was officially recognized as a global, industrial-scale problem. Since then it has become even more entrenched with scammers all over the world…But today, it is also mutating into spear phishing, precise attacks aimed at specific and lucrative targets.”

According to Stephen Bonner of KPMG: “This time it’s personal”will become the motto of 2015, as cybercriminals are predicted to become more selective in the way that they target victims. Bonner also stated that “…the next twelve months will see criminals move away from mass spear-fishing tactics in favour of highly targeted ‘campaigns’, based on the data trail people leave in their online lives.”

Spear Phishing

Cybercriminals are finding out that employees are easy targets. Targeting email to specific employees within an organization is more lucrative than going after thousands of random people. Fraudsters can tailor an email to appear as though it is coming from a company executive, a vendor, partner, or even a current client or customer. Some of these emails may be followed up with a phone call which makes it much easier to socially engineer a victim.

Cybercriminals also spend due diligence researching their targets too. LinkedIn contains a goldmine of employee and company connections, as does other social media platforms, such as Google +, Facebook, and Twitter. Once they build a target portfolio they can personalize and craft each email and often use one or more of 22 social engineering red flags to convince the target to open the attachment or click on the inline link. How convenient is this scenario for an attacker?

Become Proactive

Spear phishing your own employees is perhaps one of the best training mechanisms that you can utilize in order to pinpoint the weakest links (end-users) within your organization. If employees have never been trained or have minimal training in security awareness  — your company network could become the next big data breach.

More Phishing Tips

KnowBe4: offers 3 tactics that your company can utilize now in order to prevent successful spear phishing attacks:

  1. Do not have a list of all email addresses of all employees on your website, use a web form instead.
  2. Regularly scan the Internet for exposed email addresses and/or credentials.
  3. Enlighten your users about the dangers of leaving all kinds of personal information on social media sites.

The Dell TechCenter offers 9 tips on how to avoid phishing exploits. Though this is not a comprehensive list, the Dell Tech Community advises that vigilance in safeguarding sensitive data is applicable to all avenues of contact [including text messages  and phone]:

  1.  Don’t respond to an e-mails that request personal and financial information. Contact the company directly if you are suspicious of an e-mail.
  2. Visit Web sites directly through the URL bar, not links in email.
  3. Keep a regular check on your accounts and don’t recycle passwords.
  4. Make sure any web site requesting personal information is secure. https should be at the beginning of the Web site address where you enter personal information. The “s” stands for secure. If you don’t see https, it is not a secure, and you should not enter personal information.
  5. Help keep your computer secure by using up-to-date security and anti-virus software.
  6. Don’t enter personal or financial information into pop-up windows since they are not always secure.
  7. Keep your Microsoft® Windows® software up to date with automatic Windows Update.
  8. Don’t open unexpected file attachments received in e-mail. Like fake links, attachments are often used in fraudulent e-mails and can be dangerous. Opening an attachment in a phishing e-mail could cause you to download spyware or a virus.
  9. If in doubt always request and check the credentials of the person/company that is contacting you. Again contact the company directly if you have concerns.

What Is Your Phishing IQ?

Take the OpenDNS Phishing Quiz. Can you spot the difference between a phishing email and a legitimate email. I missed one on this quiz because I thought a legitimate site was actually a phishing site. Feeling braver now? Check out the SonicWall Phishing IQ Test (I missed two), and McAfee’s Phishing Test (only 8% of the respondents scored in my range).

Do you think anti-phishing training should be implemented within all security awareness programs? What is your take on phishing employees? Yes? No? Why or why not?

 

 


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.


Leave a reply