Don’t get hooked with fraudulent emails – part 1

These days businesses can’t avoid being online. They would not be able to operate without email at the very least.

Unfortunately there are unscrupulous people around who have made a career in finding new and sneakier ways to cheat and steal through sending fraudulent emails. The names for these types of activities have a nautical flavour: Whaling and Phishing.

For the trivia buffs: The word phishing originated around 1996 by hackers stealing America Online accounts and passwords. By analogy, these Internet scammers were using e-mail lures, setting out hooks to “fish” for passwords and financial data from the “sea” of Internet users.

An attempt to steal sensitive information from a company through senior staff members who hold authority in companies like CEO or CFO (the “Big fish”). These people have access to extremely sensitive information and they can make decisions themselves without needing to check with anyone else.

People at this level of a business also have often undergone security awareness training so the usual spam tactics won’t work so easily with them. If you are in a high position in your company and have not undergone such training please do so as a matter of urgency. Read our blog on tips to protect yourself from cyber-attacks here.

An email that looks like it’s from a trusted source that tricks the target into divulging sensitive information. They are highly personalised and difficult to detect because they are sent to a specific person and include information that looks legitimate. This information is typically taken from social media profiles and information easily obtained online. The emails look like they come from business partners, banks or government agencies, even recreating the actual signature of the person they are impersonating. At Focus we have seen clients of ours receive these emails with correct signatures with logos included. Sometimes there is a slight difference, but nothing that is immediately obvious.

The people sending out these attacks spend so much time on them because the potential returns are so high. An infamous example often referred to online is when the head of Austrian aerospace parts maker FACC lost 42 Million Euros ($NZD70 Million) to a Whaling attack. You can read about that here. It didn’t end well for the CEO…

Phishing is similar to whaling in that it is an attempt to gather sensitive information such as usernames and passwords or financial information. The difference is that these are sent out to a large number of targets hoping that a small number will hit the mark for them.

This is whaling for anyone! Instead of a high ranking official, time and effort is put into targeting a specific individual who could be anybody. You could receive an email that appears to be from your CEO asking for bank account details or for a payment to be made for example.

You can’t avoid being targeted but you can minimise the likelihood the attacks will be successful.

• Education is key. In the event a fraudulent email gets through your security system, employees need trained on what to look for and how to identify fraudulent emails. Google “online phishing prevention courses” and you’ll find plenty to choose from.
• Practice is important. Kind of like a fire drill. We practice leaving a burning building so that if ever the building actually is burning we know what to do. Conduct mock whaling or phishing attacks to test employees and make sure they know what to do in the event of receiving a dodgy email. There is a lot at stake so this is well worth the effort.
  Just make sure that you don’t chastise staff if they get it wrong. Studies have shown this can be counterproductive and lead to fear of opening emails at all! It must be considered educational, not a means of trying to catch people out. There is also a “crying wolf” aspect to it which if done too often may mean that people get desensitised to it. So internal phishing tests need to be handled carefully for them to be effective.
  So in practicing, do not shame people – talk to them, show them, remind them. Encourage them to ask, make sure they know that there is no such thing as a silly question and especially if they think they have done something or if they actually have been hit to sing out immediately, if they cannot find someone to tell they need to keep screaming!!! The sooner support knows, the lesser the damage.
  Specialist IT providers will be able to provide this service for you to help your staff learn and practice in the hopes that if something does get through your defences that they will know how to recognise it and what to do.
• Consider an “I’m not sure” verification inbox. Set up a special shared inbox for security verification. Staff can then send emails to this inbox indicating that they aren’t sure about an email they have received where someone else with a higher level of training can verify the email instead of relying on staff to do the job. Another option is asking staff to verify emails they aren’t sure about by phoning the sender or texting them to check if they really did send the email.
• Minimise the occurrence. Put systems in place that minimise the likelihood of these emails getting through in the first place. This means your staff are more protected and can focus on their work without feeling like they are on the phishing front line. As in the case of a fire they will know what to do when an email comes in that doesn’t look quite right.
  The place to start is by having layers of security including a spam capable firewall and spam filter. Your IT provider can help you with this.
• Sort out your cyber security systems. It’s unreasonable to expect that there will be no chance of falling victim to a successful attack just through staff vigilance and training. Your systems need to be in place and robust. This is too important just to rely on anti-virus software, it’s safer to engage a company who will put multiple strategies in place.
• Backups backups backups! Make sure your backup regime is robust and restorable. If all else fails, restoring a backup of your system from before the link was clicked may mean you will lose a couple of days work but this is far more attractive than losing tens if not thousands of dollars in ransom or even potentially going out of business!

Again like the fire drill, backups need practice restores every now and then. They need to be tested and also off site. Cyber criminals can delete backups that are online. There is no end to their ingenuity and cunning. The last thing you want in an emergency is for the backup not to be accessible when you need it!

Contact us at Focus to find out how we can help keep your business and staff members safe from cyber-attacks. Call 0800 12 00 99 or email enquiries@focus.net.nz.