Let's go phishing
By Laura Haight
Originally published by Upstate Business Journal as the Digital Maven on Sept. 3, 2015
There is an interesting dichotomy in our relationship with technology. We profess to crave simplicity and yet we are constantly looking for higher technology, more complex solutions. ‘It just can’t be that simple.’
This is one of the biggest challenges facing us as we try to combat the growing scourge of cybercrime. In many, many cases, it is that simple.
Despite the prevalent news stories about hacks of our favorite stores (Target, Home Depot), our health providers (Anthem), and our government (SC, IRS, NORAD and so much more), it is worth noting that almost all of them had very high-tech infrastructures with much of the latest in technology. But they were exposed by this: an authenticated employee doing something they shouldn’t, either out of ignorance, carelessness or complicity. Billions of dollars are going into developing new hardware and software, but very little is focused on humanware - the education, training and conscription of our employees to be the first line of defense in this daily battle.
When I talk to business owners about a security review, they frequently say, “don’t just tell me it’s passwords” or spotting phishing or securing personal devices. Because, of course, “everyone knows that.” I beg to differ. If everyone knew that, everyone would be working smarter and many of the attacks on our institutions, our businesses and our charities would never have gained that first critical foothold.
There’s even statistical evidence: A few months ago Verizon’s annual report on data breaches and cybersecurity said the percentage of recipients who open phishing emails and click on attachments is actually going up — 23 percent in 2014 compared with 10-20 percent in recent years. A security test using 150,000 emails found it took less than an hour for 50 percent of users to open the emails and click on the links.
On the off-chance that maybe everyone doesn’t know how to identify phishing emails, here are some giveaways to look for in more sophisticated phishing attempts.
It is not hard to design an email that looks like it came from your bank, mortgage company or credit card provider. All I need are some cribbed logos (find those online) and a copy of the typical email formats those providers use. I confess that even though I consider myself fairly knowledgeable on this topic, I’ve been fooled once or twice.
Tip 1: Look first for mismatched URLs. You may get an email whose “friendly name” is Your Bank Customer Service. It’s not hard to create those. But before you do anything, check the actual address it came from. Do this by either hovering over the “To” field or right-clicking on the name in the To field.
Tip 2: Once you see the real email address the email is coming from (hackers assume you’ll not get this far), look for a mismatched domain - that’s the part of the email address after the @ symbol. The last two parts of the domain are the ones that count, so anything coming from your bank will come from yourbank.com - not yourbankSC.com or yourbank2015.com. You should see the company’s valid domain name just before the .com. You may see a three-part domain name like yourbank.i’mscammingyou.com. Don’t be deceived by seeing the correct domain if it is not in the correct position. Note that companies do not usually have more than one domain name, so any variation on the name makes an email highly questionable.
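The two checks above (real address behind the friendly name, then the last two parts of the domain) as an added worked example, not code from the original column. It assumes the bank’s one real domain is yourbank.com and uses constructed From: headers as sample input.

```python
# Added example: applies Tip 1 and Tip 2 to raw From: headers.
# Sample headers below are constructed; EXPECTED_DOMAIN is an assumption.
from email.utils import parseaddr

EXPECTED_DOMAIN = "yourbank.com"   # assumed: the bank's single real domain


def sender_domain(from_header):
    """Tip 1: ignore the friendly name, return the domain after the @."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def registrable_domain(domain):
    """Tip 2: the last two parts of the domain are the ones that count."""
    labels = domain.split(".")
    return ".".join(labels[-2:])


def check_sender(from_header, expected=EXPECTED_DOMAIN):
    """Return 'ok' or the name of the phishing giveaway that was found."""
    domain = sender_domain(from_header)
    if not domain:
        return "no-address"            # friendly name only, nothing to verify
    if domain == expected:
        return "ok"
    if registrable_domain(domain) == expected:
        return "subdomain-of-expected"  # e.g. alerts.yourbank.com: still the bank
    bank_name = expected.split(".")[0]
    if bank_name in domain:
        # yourbank2015.com, yourbankSC.com, yourbank.i'mscammingyou.com:
        # the right name in the wrong position, or a variation on it
        return "lookalike-domain"
    return "mismatched-domain"


# Constructed sample headers (not real senders) and their verdicts
SAMPLE_HEADERS = [
    "Your Bank Customer Service <service@yourbank.com>",
    "Your Bank Customer Service <alerts@yourbank2015.com>",
    "Your Bank Customer Service <notice@yourbank.i'mscammingyou.com>",
    "Your Bank Customer Service <someone@example.net>",
]


def triage(headers=SAMPLE_HEADERS):
    return [(h, check_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage():
        print(f"{verdict:22} {header}")
```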
Tip 3: If you aren’t sure, call the business purporting to send you the email (NOT from the number that might be in the suspicious email). They want to get these calls. Most large companies like banks, investment firms, credit card providers, etc., have large fraud operations. They want to catch and stop this and you can help.
Tip 4: Sometimes your heart overrules your head. Urgent messages are the most transparent. Companies don’t act like that.
Tip 5: Never click on anything in an email you are not certain of. Often the button click is tied to releasing and installing malware on your computer. In many cases this is the initial chink in the armor that lets the cybercriminal in the door. And it doesn’t matter if you are the mailroom clerk with little authority. Once in, they’ll get where they want to soon enough.
That’s where the solutions become more technical and more complex. But before we even get there, much can be stopped by employees who are informed and trained about how critical their actions are. They are the guardians of your business. It can be just that simple.