It was an odd text message. “Did you really need me to pick up gift cards, and text the codes to that other number?” I texted back a question mark and immediately made a phone call. From initially thinking my e-mail was hacked to understanding this unsophisticated but clever attempt to defraud our company, this is the breakdown of a low-tech phishing attempt.
Cybersecurity threats like these are very common. 64% of organizations have experienced a phishing attack in the past year. 1
It is no secret: most successful ‘data hacks’ target the user level. Over the last 20 years, internet use has skyrocketed. In 2019, it is estimated that 4.39 billion people, or approximately 57% of the world’s population, are regularly online. 2 The way we access the internet has changed too, from personal computers and servers to smartphones and devices connected to cloud-hosted apps. Our lives are surrounded by our connectivity.
So with so many options, why do cyber-criminals phish e-mail?
The answers lie somewhere between simplicity and reach. E-mail is our personal key to the internet, and a direct connection to each of us. Beyond metadata, social marketing, and previous purchases, email contains our present voice. It is the catch-all for what’s not automated behind the scenes. It ‘should be’ ideal for the non-standard request. This is especially true for business email, where 28% of all phishing attempts target individuals. 3 Think about it: you get an email with a request from a department head, one of the partners, or your boss; most of us are conditioned to act quickly, and at the “speed of business!”
From a PC running Microsoft Outlook, it is easy to see the name associated with an email (the alias) and then the underlying e-mail address. Simply hovering the mouse over the name will show the originating address. However, most smartphones and tablets are designed for touch screens and to tell us more in less space. A consequence is that the email address behind the alias is often harder to identify. Although this feature is very helpful with sorting legitimate emails, it relies on the honesty of the sender. Cyber-criminals can easily exploit this efficiency to a nefarious end, which makes it a little easier to see how so many people, especially those replying quickly, regularly fall for these scams.
A regularly asked question is: how do phishing emails slip through e-mail security and spam protection? There can be many reasons, but in this case the phishing e-mail did not look harmful. The phishing attempt mentioned above was individually targeted. There was one sender and one intended recipient. The message fit a typical message format. It was not a forwarded chain, and it did contain text in the subject line. There were no embedded files and no hyperlinks. From a spam-blocking and virus-protection standpoint, the e-mail was clean.
Another question is: how do phishing attempts target individuals? Unfortunately, this is less simple to identify. Depending on the level of specificity in the e-mail, it may rely on a previous data breach, or it could come from legally purchased marketing lists. However, if your name, title, and email address are available via your company website, there is always the possibility that this was the source. Anyone visiting your website can list your name as their e-mail alias, make assumptions about your company reporting structure, and ask someone else listed online for what they are after.
So what can we do?
1) Whenever you receive a request, especially one that seems out of the ordinary, check the underlying address. For official business, nobody should use anything other than professional email addresses.
2) If your organization is large enough, recommend requiring dedicated software for these transactions. It takes much more sophisticated work to mimic or hack electronic routing and ticketing systems. Those regularly processing the requests will thank you; taking risk out of the equation will help everyone sleep better at night.
3) When all else fails, pick up the phone. Nothing foils a clever phishing e-mail faster than talking directly with the supposed sender.
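The check in step 1 can also be run automatically on incoming mail. The sketch below is an added example, not part of the original article: it flags a message whose alias matches a name published on the company website while the underlying address sits outside the corporate domain. The domain, staff names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the organization's mail domain and the
# staff names published on its website (the names an impostor borrows).
CORPORATE_DOMAINS = {"example.com"}
PUBLISHED_NAMES = {"dana whitfield", "lee okafor"}

# Constructed sample: familiar alias, outside address, no links or files.
SAMPLE_SPOOF = (
    "From: Dana Whitfield <dwhitfield.office@mail.example.net>\n"
    "To: lee.okafor@example.com\n"
    "Subject: Quick favor\n\n"
    "Are you available? I need a favor handled today.\n"
)
# Constructed sample: same person, corporate address, "Last, First" alias.
SAMPLE_INTERNAL = (
    'From: "Whitfield, Dana" <dana.whitfield@example.com>\n'
    "To: lee.okafor@example.com\n"
    "Subject: Budget review\n\n"
    "Agenda attached to the calendar invite.\n"
)


def name_tokens(display_name):
    """Lower-case an alias and split it into words, ignoring punctuation."""
    cleaned = "".join(c if c.isalnum() else " " for c in display_name.lower())
    return frozenset(cleaned.split())


def check_sender(raw_message):
    """Return (verdict, alias, address) from the visible From header."""
    msg = message_from_string(raw_message)
    alias, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    tokens = name_tokens(alias)
    known = any(tokens == name_tokens(p) for p in PUBLISHED_NAMES)
    if known and domain not in CORPORATE_DOMAINS:
        return ("impersonation", alias, address)  # borrowed name, outside mailbox
    # A corporate domain here is not proof of authenticity; this check only
    # catches the borrowed-alias case the article describes.
    return ("internal" if known else "no-name-match", alias, address)


if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_INTERNAL):
        print(check_sender(sample))
```

A message flagged as `impersonation` is a candidate for a warning banner or a hold for review, since content scanning finds nothing wrong with it.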
One last thing: always remember that common sense at the user level is the best deterrent. Phishing attacks are among the highest-volume sources of reported cybersecurity breaches. Any time money, financial information, or sensitive data are requested, take the time to verify the request. If you uncover a phishing attempt, notify your Chief Information Security Officer or IT/cybersecurity team, and communicate the threat throughout your organization.