The email scam is one of the most common forms of cyber-attack. According to the Federal Bureau of Investigation, phishing email scams have cost billions of dollars in fraud losses over the last five years.
Duo, a cloud-based access protection company that provides a phishing campaign tool for organizations to help identify vulnerable end-users, shared an analysis of 7,483 phishing simulation campaigns conducted from mid-2017 to April 2018. Of more than 230,000 recipients, 44 percent opened phishing emails and 26 percent clicked links within the emails.
“Phishing” is the practice of pretending to be a friend, coworker, business partner, or other reputable source to gain private information. Although many of us know the signs of a typical email scam, multiple organizations are experiencing phishing scams that are harder to detect.
In a recent phishing attempt slipping through spam filters, scammers pretend to be your organization’s president. By pretending to be someone the recipient knows, the scammer lulls their target into a false sense of security, luring them into a response. Adding to the vulnerability, many of us check email on smartphones, where an incorrect email address is easy to miss.
Targeted phishing attacks like this continue to rise across the globe because they are effective and difficult to stop before they reach an end user’s inbox.
Being proactive is the key to keeping organizations and individuals safeguarded. I recommend companies and/or individuals:
- Purchase domain names that are similar to your own domain, or that differ by a single replaced letter and are easy to overlook at a glance. If purchasing these domain names isn’t possible, you can block inbound emails from these domains.
- Add a spam filter that warns users if the message they’re receiving is originating from outside the organization. Seeing that warning can remind you to stop and think before responding.
- Call if you’re unsure. Scam emails usually sound urgent to get you to engage, asking things like, “Are you available for a quick task?” A phone call to the organization president or perceived sender confirms whether the email sender is who they say they are.
One final proactive measure I recommend is to regularly educate employees on spam and phishing email trends, as well as requesting that employees notify a supervisor or IT leader when a phishing email is seen.
Falling victim to phishing
If you find that a member of your organization has fallen for or responded to a targeted phishing email, do not panic. Begin handling the incident with a fact-finding mission to determine how large or widespread the event might be. Was this isolated to one individual, or is it possible that others responded to a similar message? Searching your email firewall logs could give you more insight into any other users who may have received or responded to the message. Often, similar messages will be sent to a wide variety of employee email addresses. The information is usually pulled from LinkedIn, where scammers search for companies and target users with specific job titles who are more likely to expect and respond to a message from the president of the organization.
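The lookalike-domain blocking and external-sender warning recommended above, and the log search described in this paragraph, can be combined into one scoping check. The following is an added example, not code from the author or from FNTS; the organization domain, the log line format and the log lines themselves are constructed for illustration.

```python
import re
from collections import defaultdict

ORG_DOMAIN = "example.com"  # assumed organization domain

# Constructed mail gateway log lines (not from any real system).
LOG_LINES = [
    '2018-04-02T09:12:01 from=<ceo@example.com> to=<alice@example.com> subject="Q2 numbers"',
    '2018-04-02T09:15:44 from=<president@examp1e.com> to=<bob@example.com> subject="Are you available for a quick task?"',
    '2018-04-02T09:16:10 from=<president@examp1e.com> to=<carol@example.com> subject="Are you available for a quick task?"',
    '2018-04-02T10:01:00 from=<newsletter@vendor.net> to=<dave@example.com> subject="April update"',
    '2018-04-02T10:05:33 from=<president@exampl.com> to=<erin@example.com> subject="quick task"',
]

LINE_RE = re.compile(r'from=<[^@>]+@([^>]+)> to=<([^>]+)> subject="([^"]*)"')

def one_edit_away(a, b):
    """True if a and b differ by exactly one replaced, inserted or dropped character.
    Transpositions (two characters swapped) count as two edits and are not matched."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip the extra character in the longer string, or the replaced one in both
        if len(a) > len(b):
            i += 1
        elif len(b) > len(a):
            j += 1
        else:
            i, j = i + 1, j + 1
    edits += (len(a) - i) + (len(b) - j)  # trailing leftover character, if any
    return edits == 1

def classify_sender(domain):
    """internal: our own domain; lookalike: one letter off; external: everything else."""
    if domain == ORG_DOMAIN:
        return "internal"
    if one_edit_away(domain, ORG_DOMAIN):
        return "lookalike"
    return "external"

def find_lookalike_recipients(lines):
    """Group recipients by lookalike sender domain to see how widespread a campaign is."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m and classify_sender(m.group(1)) == "lookalike":
            hits[m.group(1)].append(m.group(2))
    return dict(hits)
```

The "external" classification is the condition on which a gateway would add the outside-the-organization warning banner, while "lookalike" domains are candidates for an inbound block.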
If an end user sent an initial response, the criminal is now ready to begin the real work: trying to extract value out of the interaction. The “value” could be anything from critical or proprietary business information, to information that helps them further their attack, or, in most cases, money. Luckily, many of these criminals aren’t very savvy in their techniques, and most employees will be able to spot the odd response they get, usually marked by poorly chosen words or strange requests.
So, what can or should you do if the attack has made it past this point and information or money has been exchanged? Depending on the criticality of the information lost or the specific dollar amount, some organizations choose not to share the incident publicly. In cases involving a monetary loss specifically, you should know your organization’s stance on attempting to recoup the loss. If you find yourself in a situation where serious harm to your organization could occur, I recommend contacting your local law enforcement agency as soon as possible.
A proactive approach is to know and keep in regular contact with local members of your police force. Remain informed by getting involved with InfraGard, a non-profit organization that serves as a public-private partnership between U.S. businesses and the FBI.
As with any good information security program, there should be continued education and follow-up with employees who continue to fall for phishing emails. Building a culture of security throughout your organization is critical in today’s world.
Richard Kalinowski, Information Security Architect at FNTS