I’m going to start this summary with some scary figures. 93% of phishing e-mails in Q1 2016 carried a Ransomware payload (source: PhishMe Q1 2016 Malware Review). 30% of people who receive phishing e-mails open them, and 12% of those who do then open the attachment or click the link (source: Verizon 2016 Data Breach Investigations Report).
Putting this into real figures: if you have 50 staff and each of them receives one phishing e-mail, 46 of those e-mails will carry Ransomware, 14 staff will open the Ransomware e-mail and 2 of them will open the attachment or click the link, bringing Ransomware into your business and causing mayhem. Even if you have followed Commandment IV to the letter.
This commandment is slightly different from the previous ones, in that it requires you to do something to protect yourself (as opposed to installing or running something to protect yourself). But it is a very simple one.
If you receive an e-mail or text message from somebody you do not know, simply delete it and move on. This is particularly true if the message contains a link (do NOT click it) or an attachment (do NOT open it). Just delete the message.
“But wait a minute!” I hear you cry “That message might be from a new employee at my biggest customer. I can’t go deleting that.”
Indeed, that might not be a great idea, but wouldn’t it look really good and professional of you if you picked up the phone (do not use e-mail, and do not use a number given in the message; use a number you already have or the one on your customer’s own website) and verified that the sender (a) exists in your customer’s company and (b) actually did just send you something. Both answers must be Yes before you contemplate opening the attachment or clicking the link (see the detail section below about checking links).
“But wait a minute!” I hear others of you cry “I work in a big corporation and that message might be from somebody important in another location whom I don’t know. I can’t go deleting that.”
Do you know what? I have the same answer for you. Pick up the phone (again, using a number you already have, not one from the message) and verify (a) that the person exists and (b) that they just sent you something. If you don’t have Yes answers to both questions, then bin the message.
There is a corollary to this commandment: Thou shalt never open an unexpected file/link from thine family, friends or colleagues.
The important word here is “unexpected”. If your parent suddenly sends you what appears to be an invoice or remittance advice – that’s kind of unexpected, isn’t it? Perhaps you get daily reconciliation reports from a colleague at the start of a day. Suddenly you get a second such report at lunchtime – that’s a bit unexpected, isn’t it?
As with the previous examples – pick up the phone and verify that, whoever it was, just sent you something.
“I’m a busy business leader! I don’t have time to be calling people checking that they sent me messages!”
If you don’t have somebody who can screen your messages for you, and you insist on opening attachments, I’m afraid you will fall victim to some sort of Malware incident and potentially expose your business to a security breach. Can you afford that?
Sorry, this was a long summary, but the above needed saying. That’s all there is to it. I will continue below with some details on the subject of unexpected messages. So if you are not interested in such particulars, just make sure you delete messages from strangers and unexpected messages from family, friends and colleagues.
In practically every desktop browser and e-mail client there is a simple way of telling where a link in an e-mail really wants to take you. Hover the mouse pointer over the link (do not click) and look at the bottom of the window, or at the tooltip that pops up beside the pointer: that shows the actual destination address, which is the only thing that matters. The visible text of a link can say anything at all. On a phone or tablet there is no hover, but a long press on the link usually pops up the real address before anything opens. Hover your mouse over this link: http://www.Microsoft.com/ … it does NOT go to Microsoft, but somewhere nicer. :-)
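The same “link check” can be automated for an HTML message body. The Python below is an added example, not code from the original post: it pulls every link out of the HTML and, wherever the visible text of a link names a site (as http://www.Microsoft.com/ does above), compares that with the site the link actually points at. The sample body and its 198.51.100.7 destination are constructed for the demonstration, and trimming a host to its last two labels is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or None
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)  # text inside the anchor, including nested <b> etc.

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches link text that reads like a web address, e.g. "http://www.Microsoft.com/"
# or "www.microsoft.com", and captures the host part.
_HOST_IN_TEXT = re.compile(r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Reduce a host to its last two labels: www.microsoft.com -> microsoft.com.

    Simplification for the demo (a production filter would use the public
    suffix list). Bare IP addresses are returned unchanged.
    """
    host = host.lower().strip(".")
    parts = host.split(".")
    if all(p.isdigit() for p in parts):
        return host
    return ".".join(parts[-2:])


def check_links(html):
    """Return one finding per link whose visible text names a different site than its href."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        dest = urlparse(href)
        if dest.scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends are not web links
        m = _HOST_IN_TEXT.match(text)
        if m is None:
            continue  # text like "click here" names no site, so there is nothing to compare
        shown = registrable(m.group(1))
        actual = registrable(dest.hostname or "")
        if shown != actual:
            findings.append({
                "text": text,
                "href": href,
                "reason": "link text names %s but the link goes to %s" % (shown, actual),
            })
    return findings


# Constructed sample: the first link displays a Microsoft address but points elsewhere
# (198.51.100.7 is a documentation-only address, used here as a stand-in destination).
SAMPLE_BODY = """
<p>Dear customer,</p>
<p>Please visit <a href="http://198.51.100.7/verify"><b>http://www.Microsoft.com/</b></a>
to confirm your account within 24 hours.</p>
<p>Our terms are at <a href="https://www.microsoft.com/">www.microsoft.com</a>.</p>
<p>Questions? <a href="mailto:support@example.com">Contact support</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_BODY):
        print("SUSPICIOUS: %(reason)s (%(href)s)" % finding)
```

Only the first link is reported: its text claims Microsoft while the destination is a bare IP address. The second link is consistent and the mailto: link is skipped. A link whose text is just “click here” passes this particular check, which is exactly why the hover check in the paragraph above is still needed.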
SMS Texts can contain malware too:
I deliberately referred to messages as opposed to just e-mails in this commandment, because it is possible to receive malware links via SMS text messages on your mobile phone. This malware could cause your phone to text or call premium rate numbers, or it could blast all of your contacts with malware texts and e-mails.
The same goes for other smartphone messaging apps, like Snapchat, WhatsApp, etc. Treat messages with links and attachments in these the same way, by simply deleting them.
Phishing is a social engineering technique where cyber attackers attempt to fool you into taking an action in response to a message. E-mails may appear to come from your bank, the Revenue Commissioners, courier firms, etc. They nearly always try to rush you into taking the action (e.g. “You must respond to this e-mail within 24 hours or your account will be deleted.”). They usually contain an attachment or instructions to click on a link to a website. As stated at the start of this post, most of those attachments or links now carry Ransomware.
The old-fashioned types of Phishing e-mails were referred to as the “Nigerian 419”. These were usually hideously misspelled, with awful grammar. They typically came from a “family member” of a recently deceased, insanely wealthy Nigerian businessman or prince. They asked you to allow them to move dozens of millions of dollars into your bank account, so they could hide it from the authorities, and they would let you keep several million dollars for your trouble. It’s all total nonsense of course. If you engage them, they will eventually hit you up for a few thousand dollars for bribes or “facilitation fees” and you will never hear from them again.
A newer phenomenon is the message from a lonely soldier, looking for somebody to simply correspond with, like a really old-fashioned pen pal. If you engage, they will strike up a friendly dialogue with you, telling you all about their lives in the army and how lonely they find it. This could go on for weeks, possibly months. Then suddenly you get an urgent e-mail. They were on a short holiday in … someplace, probably not with the best reputation for tourism … They’ve been mugged and all their cash and passports have been taken. They need money urgently to bribe the cops … can you wire them … blah blah blah! Just don’t engage with these people in the first place.
The other types of Phishing e-mails appear to come from legitimate businesses (banks, courier firms, etc.). They even have the correct logos and perhaps even some legitimate links to the company’s website, except of course for the one they want you to click on; that one will take you somewhere else to infect you with horrible Ransomware. I regularly get pretty convincing-looking e-mails from NatWest (a UK bank, which does not operate in Ireland). The link they want me to click on goes to some weird address in Germany.
Phishing e-mails can catch out even the most careful of us, as a Phishing e-mail at the right time can fool you more easily. When I set up my business I needed to register with the Irish Revenue Commissioners, who do everything on-line, except all of the registration, which is done by post. So I registered and got all the required secure access to my on-line tax affairs. A couple of weeks later I had a query, which I filled in on an on-line form and submitted. I was told that I would receive a response within 3 working days.
Now, I did not know what form that response would take. Would I get an e-mail? Would it be on the Revenue website under my log-in? I just didn’t know. Two days later I got an e-mail from “Revenue”, which was pretty plain looking but did suggest that I should click on a link in reference to my tax affairs. I had never had an e-mail from Revenue before, so I did not know what they looked like. I was sorely tempted, as I urgently needed that answer, but the voices in the back of my head kept shouting “Don’t do it!”. I did the “Link Check”, and lo and behold, I was heading for Russia apparently. :-)
This is the thing: if you are expecting something and you get an e-mail about that something, then you are much more inclined to believe it is valid. That’s why the courier delivery e-mails are very successful. Lots of people are waiting on deliveries from courier companies and they would only be delighted to open that attachment to find out where their delivery is. Just don’t do it! Go to the courier’s website yourself (type the address or use a bookmark, rather than following anything in the e-mail) and use their tracking feature.
Another aspect is that certain employees, on receiving an e-mail with a subject about something they deal with every minute of every day, tend to want to seek a form of closure. The easiest example is an accountant receiving an e-mail about a reconciliation statement. This is the stuff accountants dream about (or so I’ve been led to believe :-) ) so they are predisposed to opening the attachment, without checking who it has come from or where.
Everybody should take the time to critically assess each and every e-mail they receive. Yes, we all receive lots of e-mail every day, but take a few extra seconds to check it over and, if you are really not sure, ask somebody who might know. Your IT support provider would be a good place to check with.
Phishing can also happen on-line. I refer you to an earlier post of mine about a really sneaky Facebook phishing attack in April 2016.
Spear Phishing e-mails:
This is where things get a bit more personal. With Phishing e-mails, the bad guys send out an e-mail to tens of thousands of e-mail addresses. With Spear Phishing, they individually create an e-mail to target specific individuals.
The bad guys will target an organisation and find out who works there. Then using social networks, discover the names of friends and colleagues of those employees. They will then create a fake e-mail account in the name of one of those friends and send an e-mail containing a malware laden attachment or a link to an infectious website. This e-mail could be something as simple as:
Hi Dave, I just got a new Canon camera and took a few shots, which you can see here. Can you tell me what you think of them? Mike
Of course that link will cause the download and installation of some sort of nasty Malware on Dave’s computer, most likely a backdoor. It will probably even show a few photographs, so as not to arouse suspicion. The bad guys now have a covert means of access into your company’s network. They can use this to slowly move around, gaining access to other computers and servers by exploiting unpatched vulnerabilities (see Commandment I), and to slowly copy information back to the hacker’s servers (exfiltration). This can go on for weeks or months.
“Ahhhh here!” I hear you exclaim “How am I supposed to be able to recognise that sort of personalised e-mail attack?”
Just like I said in the summary above in respect to the Corollary to this commandment – That e-mail was “unexpected”, so Dave should pick up the phone and call Mike and ask him whether or not he just sent him a link to some photos.
Business E-mail Compromise:
Ransomware is making all the headlines these days, as it targets people at all levels of an organisation. However, something that has been costing companies millions of dollars every year targets the CEOs or MDs of companies and the people who report to them. The FBI calls it Business E-mail Compromise (BEC). It is also known as the CEO E-mail scam and is a form of Spear Phishing. Between October 2013 and February 2016 there were over 17,500 reports in nearly 80 countries, amounting to losses of US$2.3 billion.
The attackers will research the company and find out who the CEO/MD is and who is in charge of finance (CFO/Finance Director). They will then find out who the company’s customers or trusted vendors are and craft a very believable e-mail, purportedly from the CEO (the sender address is spoofed, or comes from a look-alike domain, and any reply is quietly routed to the attacker), to the head of finance requesting that they initiate a wire transfer of a believable amount of money to a vendor account to pay for “something”. Of course, the something being paid for is the criminal’s lifestyle. This type of scam has consequences for the individuals who were targeted as well as for the company: staff who approved such transfers have lost their jobs over it.
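As an added example (not code from the original post), the Python below applies three checks that mail filters commonly use to flag the spoofing described above before a human ever sees the request: an executive’s name on an address that is not that executive’s (the look-alike domain case), a Reply-To that diverts replies away from the apparent sender, and payment wording combined with urgency. The company domain, the executive directory and both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the demonstration: the company's own mail domain and a small
# directory of the executives whose names a BEC e-mail is likely to borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",    # CEO
    "tom byrne": "tom.byrne@example.com",  # Finance Director
}

# Wording that fits the CEO-scam pattern: a payment request plus pressure to act now.
_PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|bank details)\b", re.I)
_URGENCY_WORDS = re.compile(r"\b(urgent|immediately|today|within 24 hours|confidential)\b", re.I)


def domain_of(addr):
    """'Jane Doe <x@y.com>' or 'x@y.com' -> 'y.com' (lower-cased); '' if no address."""
    _, addr = parseaddr(addr)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw_message):
    """Return the set of BEC rules a raw RFC 822 message trips (empty set = nothing found)."""
    msg = message_from_string(raw_message)
    tripped = set()

    from_name, from_addr = parseaddr(msg.get("From", ""))
    expected = EXECUTIVES.get(from_name.strip().lower())
    # Rule 1: an executive's display name on an address that is not that executive's.
    if expected is not None and from_addr.lower() != expected:
        tripped.add("exec-name-on-foreign-address")

    # Rule 2: replies would silently go somewhere other than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        tripped.add("reply-to-domain-mismatch")

    # Rule 3: a payment request combined with urgency in the subject or body.
    body = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    text = msg.get("Subject", "") + "\n" + (body or b"").decode("utf-8", "replace")
    if _PAYMENT_WORDS.search(text) and _URGENCY_WORDS.search(text):
        tripped.add("urgent-payment-request")

    return tripped


# Constructed sample 1: a look-alike domain (examp1e.com) carrying the CEO's name.
LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: tom.byrne@example.com
Subject: Urgent wire transfer - confidential

Tom, I need a transfer of 48,500 EUR to the new vendor account today. I am in
meetings all day so please do not call, just confirm by e-mail once it is done.
"""

# Constructed sample 2: the From address is the CEO's real one (forged), but
# replies are diverted to a webmail account the attacker controls.
SPOOFED_FROM = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: janedoe.office@webmail.example.net
To: tom.byrne@example.com
Subject: Payment to supplier

Please process the attached invoice immediately and send the remittance advice to this address.
"""

if __name__ == "__main__":
    for label, sample in (("look-alike domain", LOOKALIKE), ("forged From", SPOOFED_FROM)):
        print("%s: %s" % (label, ", ".join(sorted(check_headers(sample))) or "clean"))
```

Note what each sample trips: the look-alike message fails the executive-name rule and the urgent-payment rule, while the forged-From message passes the name rule (the address is exactly right) and is caught only by its Reply-To and its wording. None of these checks can tell a forged From: header that copies the real address exactly from a genuine one; that takes sender authentication on the mail gateway, and even then the request should still be confirmed by phone, which is the point of the policy that follows.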
There is a very simple way to avoid this being an issue at your organisation. Have a policy that states the CEO/MD cannot request a wire transfer without first having made verbal contact with the head of finance, on a number the head of finance already has (never a number quoted in the e-mail). Also, if the account to which the transfer is being made is not the “usual one”, then the customer’s or vendor’s finance people should be contacted, again on a known number, to verify the account details before anything is sent. Make this your company policy now, enforce it and never bend the rules … ever.
If you have any comments, suggestions or questions on the above, please leave a comment below.
Do you have a Commandment for Cyber Security to add or any thoughts on those that I have listed, if so please let me know and I will do a follow up after I have completed the run through.