PhishMe Research claims that 91% of cyber attacks begin with a phishing e-mail! Cyber criminals use social engineering to manipulate users to release either sensitive information or provide access to company systems. The key here is that it take our own interaction to allow hackers to access our data. WE LET THEM IN!
Hackers use social engineering to induce an emotion in users so that our mind’s own cyber security radar moves far to the back of our minds. Years ago these messages were easier to identify, now they have become more personal as more of your information and behavior become available to these teams of criminals.
- “I am an African Prince who has inherited millions and would like to deposit one hundred thousand American dollars in your account to be followed by subsequent deposits…..” These e-mails were able to lure thousands of people to send their ATM and bank info to produce hundreds of millions of dollars for the hackers.
- “It’s your niece and I am stranded in a South American village with a health emergency, please wire $10,000 immediately for an emergency flight home. Please don’t tell anyone.”
I’m sure you’ve never received these e-mails ;). Fortunately, if you have, our e-mail providers have become more intelligent in preventing these types of messages from hitting your inbox.
Phishing E-mails are more sophisticated.
Today’s messages are very much more personal, as I originally posted in Cyber/Data Security – Every company needs to focus on it now., I received a message from what appeared to be an old friend who is a senior executive with a multi-billion dollar organization. Certainly working with him would springboard my sales goals. Of course I opened it! I even clicked on the file as I figured a pdf harmless and I’m the one writing about cyber security ?. These e-mails use familiarity and attempt to trigger emotion that places data security way in the back of your mind while they trick you into giving up your information.
I replied to this e-mail letting him know that this appeared “phishy” and may not have been intended for me. A well written response was received in minutes, ensuring me that it was for me and coaching me to enter my email login information to gain access to this super secure information.Social engineering exploits powerful emotions such as fear, urgency, curiosity, sympathy, or the strongest feels of them all: the desire for free stuff.
Criminals are leveraging what you’ve already told them.
Now that criminals have bits of information about you from previous attacks or the general Internet or social media, they are better equipped to provide you with a message that looks very legitimate. The messages appear to come from banks, your doctor, business associates, and could include full names, usernames, and other personal info. Criminals know that they reference information about your medical history that they have or a client relationship that you will likely open the email and even more so, likely believe it and click the one link required to infect you further. This “familiarity” with the “source” also prevents users from reporting the potential infection to their IT team or leaders for further investigation.
It appears to come from within.
A friend recently had a company wide spear phishing message from a representative who stated she was the HR rep for the company. She used the company logo, a domain in the message that appeared to be internal, and created a beautiful branded landing page for employees to submit their personal information for the purpose of updating company records “or else your benefits may be interrupted!” Naturally most corporate employees identified that person did not exist, however when there are over a hundred employees scattered throughout the country or even the world, many of them may have submitted their info before they get the memo from corporate IT to delete such messages.
So to sum up, we let them in, we click the link, we wait to report the issue. It’s the perfect recipe for the cyber-criminals to gain access and take what they want. Through the front door!
What should I do?
- Make sure you have anti-malware and anti-virus installed and up to date
- Communicate with employees about the existence of threats, share phishing e-mails with the team.
- Migrate from simple e-mail to Hosted Exchange Platforms.
- Eliminate in house e-mail servers and migrate to Hosted Exchange.
- Ensure your webmail is secured with TLS certificates.
- Implement dual level authentication where available. Examples are security questions asked after login.
- Force users to change passwords and use strong passwords.
What can users do?
- Never open attachments or click links from unknown senders.
- Change passwords regularly and don’t use the same password for everything.
- If something looks phishy, google it. You may find others who have experience it before.
- Never send passwords of login info via e-mail
- Never send sensitive documents via e-mail