No, we are not talking about a wild attack between a fish and a man on a boat; we’re talking about phishing: malicious email scams that attempt to steal your personal data. Still confused? Read our blog here before continuing below!
We have all heard these clichés: “Curiosity Killed the Cat,” “Nothing Bad Will Happen,” “Did You Know They Removed Gullible from the Dictionary?” and “It Can’t Happen to Me.” But as we have learned, phishing scams prey on these types of attitudes to invoke user behavior and perpetuate an attack. Let’s consider these four clichéd bad user attitudes one at a time, and then I will explain steps you can take to mitigate these risks.
Let’s say you receive a phishing email and it eludes your junk email box. Below is a perfect example of one I received recently. The payload is in the Word document and is typically ransomware (W97.Downloader in this case).
Hopefully, any experienced computer user would recognize this and just delete the email. However, a typical non-technical user, especially someone in, say, the accounting department, may not be expecting this type of email and may just open the attachment to see what it is and whether it is a bill that should be paid. Honest curiosity based on the job alone could completely infect their entire environment. This would be a targeted behavioral response based on the end user’s profession.
In all fairness, I think every security professional has done this at least once, even for testing purposes. You have a system (probably a virtual machine) built up, fully protected with every security tool you have or stripped down to bare basics, and you execute malware (known or unknown payload) to see what happens. Unfortunately, to our surprise, our best defenses crumble, the system is compromised and you end up pulling the network cable or hitting Power Off for the VM because things got out of control too quickly.
Phishing emails are no different. Consider the first time someone tested the file mentioned above with an anti-virus solution. Better yet, here are the current findings from VirusTotal: only 26% identified it as malware, and if your protected VM ran one of the other 74% of solutions, you may have been a victim of “nothing bad could happen if my security tools are fully up to date,” even today.
Phishing emails to security and technology professionals rarely succeed. However, the work we do in the lab is not always containable, and the outcome is potentially devastating if not properly controlled. If an overzealous actor within the organization executes the file and you are exposed to a vulnerability, they may think nothing bad could happen, but in reality the results can be very different as well.
This one is short and sweet. Remember when Apple launched a campaign that Macs do not get viruses? It’s scary that this actually was a real advertising campaign. But here is reality: 1989 saw the first Mac malware, and things have evolved for OS X just like for Windows (although not in the same quantity, due to Apple’s market share). This article from Time explains a recent ransomware attack that proves the point. While the payload came from sharing files in Transmission, the torrent for sharing could have easily come in an email or webpage. Anyone who says Macs do not get malware or are not susceptible to phishing attacks really thinks that a word like ‘gullible’ can be removed from the dictionary.
This phishing attack plays to every ego in the room, from executives to hired expert contractors. Phishing emails do not discriminate, and when they employ techniques to target specific individuals (i.e., spear phishing), the results can be financially disastrous. Recent attacks against executives and their team members to conduct fraudulent wire transfers have cost millions and cost people their jobs. If any team member thinks they cannot be a victim of phishing due to their seniority or perceived importance, they are grossly mistaken.
The best way to prevent the potentially damaging effects of phishing attacks is enforcing basic education – just like putting on your seat belt when driving a car. Here are four steps to take to verify whether your email is a phishing scam:
Basic technology can stop an attack even if the end user makes a mistake since many of the phishing attacks leverage known weaknesses. Here are five best practices to mitigate the risks of phishing attacks:
If users can be educated on the concepts, and security and operations maintain these policies for safe computing, the risks to everyone would be much lower.
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.