Everything you ever wanted to know about phishing…
As if we actually needed reminding, the recent Sony hack once more raised the profile of “Phishing” and its more targeted sister threat, Spear Phishing, as a way for cybercriminals the world over to get their hands on your data.
While the posturing around this particular hack may have got itself blown out of all proportion (read this if you want to get the full story), if you’re running your own IT system in a small business this is something you need to take very seriously. (Err, actually it’s not just small businesses that need to take it seriously, is it!)
With employees sending huge numbers of emails every day and the vast majority of recipients not really thinking twice before they open them and click on their contents, this is the natural frontline of cyber criminality.
A side note:
If you’re reading this and don’t already know, Phishing scams are fraudulent email messages appearing to come from legitimate sources, which contain links to malicious websites that will download any variety of malware onto your system via one of the common security flaws in any number of third-party applications that frequently remain unpatched. Having said that, Phishing scams are normally fairly easily spotted as they are crude social engineering tools designed to induce panic in the reader.
Spear Phishing attacks, meanwhile, are typically directed at specific individuals. These attacks are usually crafted or seeded with specific personal or institutional information in the hope of making the attack more believable. As such they are often less easily dismissed, but still can be clocked with a small amount of effort.
A case in point
An email dropped into my inbox purporting to come from iTunes and referring to my recent purchase. It was early morning, I was commuting to work and my first thought was: “Oh no, what have my kids bought now.” Fortunately, as I was about to hit the “Cancel your order” button, the red light went on: a) my kids haven’t worked out how to hack my iTunes password yet (although with a nine-year-old with Asperger’s and a fascination with computers that probably can’t be far away); b) a quick look at the design rang further alarm bells; but c) the dead giveaway was the actual unmasked email it came from – a spurious Gmail account… not very Apple. So by a simple process of deduction a potential crisis was averted.
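The two giveaways in that anecdote, a display name that borrows a brand while the real address sits on a free webmail domain, and a “Cancel your order” link that leads somewhere the brand does not own, are easy to check mechanically. This is an added example, not code from the original post or from LOGICnow; the sample message and the brand-to-domain allow-list are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the anecdote above: the display name says
# iTunes, but the real (unmasked) sender address is a free webmail account.
SAMPLE_EML = """\
From: "iTunes Store" <itunes.billing.team@gmail.com>
To: victim@example.org
Subject: Your recent purchase
Content-Type: text/html

<html><body>
<p>You purchased an item for 49.99.</p>
<p><a href="http://apple-support-login.example.net/cancel">Cancel your order</a></p>
</body></html>
"""

# Assumption: a small allow-list of brands and the domains they really mail from.
BRAND_DOMAINS = {"itunes": {"apple.com"}, "apple": {"apple.com"}}
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(from_header):
    """Domain of the real address in a From: header, ignoring the display name."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def phishing_indicators(raw):
    """Return warnings for one raw message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    name = parseaddr(msg["From"] or "")[0].lower()
    domain = sender_domain(msg["From"] or "")
    # Domains the display name implicitly claims to be mailing from.
    claimed = {d for brand, ds in BRAND_DOMAINS.items() if brand in name for d in ds}
    warnings = []
    # 1. The display name borrows a brand, but the address is on another domain.
    if claimed and not in_domains(domain, claimed):
        warnings.append(f"sender claims a brand but mails from {domain!r}")
    # 2. Links lead to hosts the claimed brand does not own.
    body = msg.get_body(preferencelist=("html", "plain"))
    for url in HREF_RE.findall(body.get_content() if body else ""):
        host = (urlparse(url).hostname or "").lower()
        if claimed and not in_domains(host, claimed):
            warnings.append(f"link host {host!r} does not belong to the claimed brand")
    return warnings
```

Run `phishing_indicators(SAMPLE_EML)` and both warnings come back; swap in a genuine apple.com sender and link and the list is empty.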
But it’s frightening to think that countless web users unknowingly help set these cybercrimes in motion. All it takes is an ill-thought-through fingertip tap on a bad link or attachment and “boom”… infection released.
And the pace of change is accelerating in this area as criminals get more and more sophisticated.
“We’ve transitioned from the old days, when spam was designed just to get people to buy things,” says LOGICnow's Eric Schwab, who runs the MAX Mail product. “After that, email became a way to propagate malware, and that malware would turn your computer into part of a botnet used to send out large volumes of spam. Now, we’re seeing organized crime, governments, and other much more sophisticated players, using email-borne malware to extort money from people.”
Ian Trump, Security Lead at LOGICnow, paints an even darker picture: “Ransomware [one of the more popular pieces of malware delivered through Phishing scams] generates such significant sums of money that cybercriminals aren’t going to abandon the file-encrypting strategy anytime soon… They’re going to perfect it.”
There’s plenty of valuable discussion on this blog about the technicalities of how you can protect yourself against such infections, such as this. And implementing a layered security approach featuring antivirus, web protection and good backup is crucial.
Excuse me if I’m being naïve, but I still believe probably our single most effective weapon is awareness and education. Years ago I remember my head of IT saying to me: “If you’re not expecting it, don’t open it.” That’s always stuck with me – and is one of the reasons I allowed myself a smug smile when a friend of mine’s Gmail account got hacked recently after she clicked on a link in an email entitled “Open this” with nothing but a shortened link in it.
Surely, a simple policy of “think before you click” will make everyone’s lives easier. Maybe with a sub-clause of “If you don’t we’ll just take the cost of getting the IT guys to recover lost data out of your wages”.
Sadly, I can’t see it catching on; so layered protection it is.
Want to know more about security? Then check out the video series by our security lead, Ian Trump…