Gone ph/fishin’
December 12, 2018
Recently, I’ve noticed a significant uptick in the number of phishing emails being received by my coworkers. The messages have varied in both content and language, but nonetheless, there’s been an uptick. How do you keep curious people from clicking on nefarious email links or attachments, especially those sent from what appear to be familiar email addresses?
It’s simple, you educate them. Ideally, we’d start with educating our younglings at home and raise them to be security-conscious and highly aware of their electronic footprints. For any number of reasons, that education is not happening. So we end up with waves of people arriving in the workplace with electronic devices embedded into their lives. Attached to their bodies and monitoring their heart rate and their steps, we have a generation who live their lives in a manner previously only understood to be science fiction. They speak light into existence, and arm or disarm security systems with the wave of a hand. Gone are the days of climbing into a frigid car and waiting for it to warm up – we have an app for that. People are intimately connected to their devices, and with the prevalence of social media being plugged into every one of these IoT conveniences, more and more we find ourselves, knowingly or not, at risk of being hacked.
Most are by now familiar with the Nigerian email scam. You know the one. A poorly written email shows up claiming to be from Joseph M Mbotowannai, the attorney of record for a recently deceased African billionaire… yada, yada, yada… onerous government regulations… needs you to help him move this money…. he trusts you because reasons…. you just need to send $1500 via Western Union…. you’ll be a quadrillionaire. They are so old we don’t think much about them anymore, and email spam filters have gotten pretty good at weeding these out. But what happens when you receive an email at work from your boss or a sheriff’s deputy telling you to do something? You’re at work, you have Outlook, you have an IT staff, the email says it’s from your boss and even written like one you’ve received in the past. It must be real, right? Right? Wrong.
Let’s take a trip to Scamville –
You’ve been working for 4 years now at Really Awesome Company and have moved up the ladder into middle management. You send and receive emails a dozen or more times daily, and it’s not uncommon to get a message from the CEO asking you to do something on her behalf. Ding! You’ve received a new message from Jane Bosslady. Hrmm, you think, I thought Jane was on vacation. Well, no big deal, everyone’s always working these days, even when they aren’t. You click on it, recognize the familiar name and proceed to do exactly what Jane asks of you.
The next morning you arrive at work to learn you’ve been had. The email had been sent by someone who had purchased a domain name similar to the one used by your company. So similar, in fact, that three other people had fallen prey to it and, like you, had performed various tasks on behalf of Jane Bosslady. Unfortunately for Really Awesome Company, the real Jane Bosslady was on vacation and was not sending any emails at all. Had she sent any to you, they would have been seen coming from your company’s actual email server rather than the one set up by the scammers. You come to learn during the following hours and days that jane.bosslady@reallyawesomecompany.com, while similar in appearance*, is not at all the same as jane.bosslady@reallyawesomcompany.com.
Each task undertaken by each employee was rather minor, but in their combined and unwitting totality, their actions cost Really Awesome Company several million dollars. The banks were unable to recover the money, and the insurance carriers declined to cover the loss as the actual acts were undertaken by employees of Really Awesome Company. You are now at home, clicking on job postings on Monster.com, hoping to hear back soon from one of your contacts in the industry about openings at their company.
This specific short story is, of course, a work of fiction. But the events mashed up here have all happened in real life to many people and many businesses. In fact, they are happening every day, all across the world. How do we stop it? Yeah, you guessed it, you educate yourself and you educate your employees. On a personal level, you educate your friends, your family, your neighbors, and the family dog. At a corporate level, you require and enforce security policies and standards and reward employees who report phishing, whaling, vishing, or smishing attempts.
Encourage people to be a part of the solution and be excited when they tell you about an email they got that looked weird. Start an information security awareness campaign for 2019 – the internet is awash in highly creative and brilliant websites to help you encourage your people to internet smarterly.
At a minimum, here are three quick bullet points you can send to your employees to help them recognize problems and act accordingly:
- If in doubt, throw it out – Links or attachments in email and online posts provide multiple avenues by which your computer or electronic device can be compromised.
- Be wary of hyperlinks – Avoid clicking on hyperlinks in emails; instead, type the URL directly into your browser’s address bar.
- Think before you act – Be wary of communications imploring you to act immediately, offer something that sounds too good to be true, or ask for personal information.
*Did you spot the difference? It’s only one letter, but that missing ‘e’ at the end of awesome sends you to a completely different place. This technique is called typosquatting – where an attacker buys and registers a domain name similar to the real one. In this case, Jane’s legitimate emails only originate from reallyawesomecompany.com, but the attackers purchased a domain name that appeared similar at a casual glance.
A quick and easy way to compare the real one to the fake one in this case is to line them up on top of one another:
reallyawesomecompany.com
reallyawesomcompany.com
As you can see, the fraudulent domain is one letter shorter than the legitimate one.
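Lining the two domains up by eye works for one email; a mail gateway or a SOC script needs to do the same comparison automatically. The following is an added example, not code from the original post: it takes a sender’s From header, pulls out the domain, and flags it as a look-alike when it is a small edit distance away from a known legitimate domain. It generalizes the “line them up” check to any insertion, deletion or substitution, not just the missing ‘e’ from the story. The list of legitimate domains and the sample headers are constructed for the example.

```python
"""Flag look-alike (typosquatted) sender domains in e-mail From headers.

Added example, not from the original post. Assumes a known set of
legitimate domains (LEGITIMATE_DOMAINS) and constructed sample headers.
"""
from email.utils import parseaddr
from typing import Iterable, Optional, Tuple

# Constructed for the example: the domains this organisation really uses.
LEGITIMATE_DOMAINS = {"reallyawesomecompany.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution (0 if equal)
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header such as 'Jane <jane@x.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def first_difference(a: str, b: str) -> int:
    """Index of the first character where two domains diverge (the 'line them up' check)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return min(len(a), len(b))


def classify_sender(from_header: str,
                    legit: Iterable[str] = LEGITIMATE_DOMAINS,
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('legitimate' | 'lookalike' | 'external', closest legitimate domain or None).

    A domain that exactly matches is legitimate. One within max_distance edits of a
    legitimate domain is a look-alike worth alerting on. Anything else is simply external.
    """
    legit = set(legit)
    domain = sender_domain(from_header)
    if domain in legit:
        return "legitimate", domain
    closest = min(legit, key=lambda d: levenshtein(domain, d))
    if levenshtein(domain, closest) <= max_distance:
        return "lookalike", closest
    return "external", None


# Constructed sample headers: the real CEO, the typosquatted CEO, and an unrelated sender.
SAMPLE_HEADERS = [
    "Jane Bosslady <jane.bosslady@reallyawesomecompany.com>",
    "Jane Bosslady <jane.bosslady@reallyawesomcompany.com>",
    "Joseph M Mbotowannai <attorney@example-law.invalid>",
]


def scan(headers: Iterable[str] = SAMPLE_HEADERS) -> list:
    """Classify every header; for look-alikes also report where the spelling diverges."""
    results = []
    for header in headers:
        verdict, closest = classify_sender(header)
        detail = None
        if verdict == "lookalike":
            detail = first_difference(closest, sender_domain(header))
        results.append((sender_domain(header), verdict, closest, detail))
    return results


if __name__ == "__main__":
    for domain, verdict, closest, pos in scan():
        note = f" (diverges from {closest} at character {pos})" if pos is not None else ""
        print(f"{domain:32} {verdict}{note}")
```

The threshold of two edits is a tuning choice: too low misses `reallyawesomecompany.co`-style tricks, too high starts flagging legitimate sibling domains (a subsidiary whose real domain differs from the parent’s by a few letters), so keep the legitimate set complete and review what the check flags rather than blocking outright.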