The previous topic in this series discussed an important and often overlooked technique for preventing cyber criminals from successfully extracting money from you or your business via ransomware: creating and testing backups of critical data and systems. Knowing how to react and, more importantly, being prepared for a ransomware attack can save your business thousands of dollars and days of downtime.

We covered that first because both technical ransomware (i.e., malware) prevention solutions and human awareness can fail, no matter how resolute.

Storytime: This concept brings me back to my childhood. Specifically, when our dog ate ALL of the freshly-baked, delicious chocolate-chip cookies. Hot out of the oven, my mom intentionally placed the cookies as far away from the counter’s edge as possible while they cooled. It seems this didn’t deter our dog from salivating while she hatched a plan to steal our cookies.

Mom went upstairs to do Mom-things, and the Ninja Turtles were on TV doing exciting and adventurous Ninja Turtle things. Our dog lay down on the floor, patiently, next to the couch I sat on, acting like an obedient dog.
While I watched cartoons, the dog lay there to establish a sense of comfort. Soon I let my guard down and didn’t keep as careful an eye on her. You can probably guess what happened next…

In the phishing attack narrative, this is akin to a familiar-looking email sitting in your inbox, designed to appear benign. It doesn’t matter how well designed your technical prevention solution is (the counter placement), nor how good your recovery system is (using the same recipe to bake another batch of cookies). All it takes is for someone not wary enough to realize that the email is only pretending to be friendly. Before you know it, havoc is unleashed in your network, costing you time and resources (Nooo! Not the cookies!). Lesson learned, the hard way.

Awareness is vital to preventing attacks, but no one can be adequately aware of something they are not knowledgeable about.

Think of the adage “Knowledge is Power” and circle back to the cookie theft story. My dog lulled me into a false sense of security as she laid beside the couch. I didn’t know better then, but now I know enough to recognize the tactic as part of her plan.

Accordingly, we will focus on knowing about and understanding:

  • the indicators of malicious email,
  • the concept of “Trust, but Verify,”
  • and the importance of unwavering awareness.

As we begin, you should know that you’re up against sophisticated attackers with well-established resources. According to the 2016 Verizon Data Breach Investigations Report, the main perpetrators of phishing attacks are organized crime syndicates (89%) and state-affiliated actors (9%) [1]. Attackers, armed with a wealth of tricks in their toolbox and subordinates to coordinate, do their best to establish an initial foothold in your network.

Often, attackers send a malicious email that intentionally tricks users into opening an attachment, clicking on a link, or doing something they wouldn’t typically agree to do. This technique is called phishing. These emails range from the classic Nigerian prince scam to the smooth and sophisticated spear-phishing email crafted to appear as if it was sent by someone you already know. We’re looking at you, Gmail Doc Invites.

Common Indicators of Malicious Email

Before opening: check everything visible. The display name, time-stamp, subject line, and maybe a few words from the email body are available to preview and scrutinize, even before opening.

  • Display names – Faked “From” email addresses, such as <familiarface@bol.com> or <yourbestfriend@qmail.com>. Did we get you? This powerful form of deception is called spoofing. As you can see, spoofed addresses are difficult to detect. Even though the email looks like it’s from a co-worker or someone familiar, it could be a phishing email in disguise. Check below in Trust, but Verify for some tips on proving it’s trustworthy.
  • Time-stamp – Emails delivered during hours outside of normal business operations should be more heavily examined, and held as suspicious.
  • Subject Line – Does the subject line or first few lines of the email body seem to apply to you or your organization?

Use these as clues to help decide whether or not to open the email, since simply opening an email can give the attacker an advantage.

After opening: If an email passes your initial inspection (and most will), be sure to scrutinize the full email systematically, from top to bottom.

  • Attachments/hyperlinks/clickable pictures and buttons – Consider these dangerous. See the next section for ideas on how to deal with them.
  • The Body
    • Do the email’s formatting, structure, spelling and grammar appear professional?
    • Are you being asked to communicate passwords or sensitive personal information (e.g., SSN, DOB, financial account numbers, etc.) via email? Word to the wise: never send those over email. If it’s legitimate, they should already know, or they will be willing to send a physical form to you via postal mail.
    • Are there excessive amounts of CAPITAL LETTERS, bold letters, or exclamation points (!!!)? Does the phrasing stir any emotions, or call you to action IMMEDIATELY? Attackers use threatening text to create a sense of fear or urgency because a confused and emotional user is easier to manipulate. There is a reason those kinds of headlines are called clickbait.

Trust, but Verify.

The idea here is simple: Never rely on this concept! Just kidding… slightly.

As we said before: to be safe, do not inherently trust any email. Always treat attachments and hyperlinks in emails as though they were a threat.

When checking emails, pretend you’re in the Wild West, surrounded by bandits on a neighboring territory. Your inbox is like a well-defended home on a ranch, with bags of money in the basement. Emails are knocks on the door to your home. By opening attachments or clicking on hyperlinks, you are opening the door to whoever is knocking. Always check who is at the door, and exactly what they have with them before opening.

  • Attachments – When in doubt about the legitimacy of an attachment, contact the sender directly to find out if they are the one who sent the email. If you weren’t expecting the attachment, or can’t verify the sender (maybe because they spoofed the address), do not open it.
  • Hyperlinks – When in doubt about a hyperlink or a clickable picture or button, hover over the object with your mouse (or press and hold if using a mobile device). Practice on this link to get your technique down: www.bankofamerica.com. The actual destination will either appear near your mouse pointer or at the bottom of the window. Check before clicking, so you know where you’ll end up.

An actual phishing email may include tricky links to malicious websites where the internet bandits will enter your home, and take your bags of money. Oh, Joy. Isn’t technology wonderful?

Examples of tricky URLs:

  • www.bonkofamerica.com (notice the misspelling)
  • www.bankofamer1ca.com (see the number where the letter i should be)
  • www.bankofamerica.weirdsite.com (weirdsite.com is the primary domain)
  • www.123.456.789.12.com (IP addresses are sketchy)
  • http://bit.ly/1dNVPAW (never click on a shortened URL)
  • https://goo.gl/yym2Yc (use unFurler to reveal the actual URL)
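As an added example (not code from the original post), here is a small Python checker that applies the rules behind the list above to link destinations: it extracts the real domain, flags numeric hosts and URL shorteners, and detects a brand name used only as a subdomain, a digit swapped for a letter, or a one-letter misspelling. The expected domain, the shortener list and the digit swaps are constructed assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed for this example: the domain the reader expects to reach, a few
# URL-shortener hosts and common digit-for-letter swaps. Illustrative, not complete.
EXPECTED_DOMAIN = "bankofamerica.com"
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}
HOMOGLYPHS = str.maketrans({"1": "i", "0": "o", "3": "e", "5": "s"})


def levenshtein(a, b):
    """Edit distance between two strings; a one-letter misspelling scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host. Simplified: ignores suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def check_url(url, expected=EXPECTED_DOMAIN):
    """Return the reasons a link should be distrusted; an empty list means no finding."""
    if "://" not in url:              # links are often written bare in email bodies
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    bare = host[4:] if host.startswith("www.") else host
    domain = registrable_domain(host)
    findings = []
    # Dotted-digit hosts: a real IPv4 address, or digits dressed up with a TLD
    if re.fullmatch(r"[\d.]+(\.[a-z]+)?", bare):
        findings.append("numeric host: an IP address, or one dressed up as a domain")
    if domain in SHORTENERS:
        findings.append("shortened URL hides the real destination")
    if domain == expected:
        return findings
    brand = expected.split(".")[0]
    if brand in host.split(".")[:-2]:
        findings.append(f"'{brand}' is only a subdomain; the real domain is {domain}")
    elif domain.translate(HOMOGLYPHS) == expected:
        findings.append(f"lookalike of {expected}: digits substituted for letters")
    elif levenshtein(domain, expected) <= 2:
        findings.append(f"lookalike of {expected}: misspelled as {domain}")
    elif not findings:
        findings.append(f"destination is {domain}, not {expected}")
    return findings
```

Run `check_url` on each URL from the list above; only the genuine www.bankofamerica.com link comes back with no findings.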

The Importance of Vigilance.

This topic intends to feed your brain with the cookies of Knowledge, bringing your understanding of email-based threats against your business to a level where you stand a fighting chance against bandits, mafia members, Nigerian Princes, and even hungry doggies.

Make this knowledge count each time you check your email by being constantly vigilant and aware.

Letting your guard down in a business environment could be costly or devastating, as 60% of small businesses end up going out of business after being hit with ransomware [2].

Knowledge and Awareness: The Keys to Heighten your Security that Everyone can Hold.


[1] Verizon, 2016 Data Breach Investigations Report. Available at http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

[2] U.S. SEC, The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses. Available at https://www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html