Gone Phishing

dc - Gone Phishing - graphic1Each day, some 347 billion emails are sent around the world. Every one of these messages has the potential to cause damage to a person or business.

That’s not hyperbole. According to some estimates, 3.4 billion of sent emails are from bad actors, most of them designed to mimic a trusted sender. And this activity, known as “phishing,” can have very real consequences.

Take, for example, the sophisticated attacks aimed at Facebook and Google between the years 2013 and 2015. The attacks, which involved a series of fake invoices disguised as coming from Taiwan-based company Quana, cost the two companies $100 million before the scam was discovered.

Keep in mind that the victims of these attacks were Facebook and Google, two of the biggest tech companies on the planet. If disguised emails can break through their security measures, what are small and mid-sized companies supposed to do to protect themselves?

The answer has two parts: good ol’ common sense and ever-evolving technical controls.

Be smart, be safe

In any security measure, the weakest link is always the human element.

Common mistakes are of passwords that are reused or stored in easily accessible locations. Credentials that are conned out of unsuspecting people over the phone. Badges that are stolen and duplicated. The list goes on and on.

Victims of successful phishing attacks often miss signs that an email they’ve received is fraudulent. Sometimes this can be chalked up to simple inattentiveness on the part of the recipient. But as scams have become more sophisticated, even the most vigilant can be bamboozled.

Here’s how phishing attacks commonly work:

  • An email is sent that appears to be from a well-known entity, such as Amazon, Facebook, or DocuSign
  • The subject line of the emails appears legit (e.g., spelled correctly) and warns of a potential breach that requires the recipient to reset their password or check that their credentials are correct
  • The body of the email is well-designed, complete with company logo and other graphics


Simply opening one of these scam emails is generally harmless. But should a recipient follow the instructions inside — say, logging into an account to verify their identity or check the activity on their account — the information they provide is easily captured.

So what should users be on the lookout for in these deceptive emails? Areas to check include:

  • URLs (the website address), specifically domains that don’t end in the expected .com you would expect from a major company
  • Misspellings within an email, since many of the attacks come from non-native English speakers
  • Senders that are someone — or some business — that you normally don’t interact with or may have interacted with a long time ago

But even if each of these areas appear legitimate, it’s still worth doing a little digging if something about an email feels off. 

For example, if an email from Amazon asks you to verify your name and password, go directly to the Amazon website and login there rather than through the email. If you have a legitimate issue, you’ll be prompted to fix it on the actual site.

dyn_email_banner_2

IT as first line of defense

Every email provider offers tools for protecting against phishing attacks.

Microsoft, for example, has a full suite of security measures both paid and unpaid that are available as part of its Office 365 SaaS offering.

  • Stop threats before they hit a corporate firewall
  • Filter based on active content, connection, and policy
  • Utilize real-time reporting and message trace
  • Separate outbound delivery pools for high-risk emails

As effective as these tools are, though, their usage is often beyond the capabilities of your average email user. 

That’s where IT comes in. Every professional IT department or organization has a list of best practices for email security. At Dynamic Computing, we focus on:

  • Education for employees on how to recognize the signs of a phishing attack
  • Implementing multi-factor authentication (MFA) to force users to have more than one way to sign into account
  • Installing protections to thwart attacks like spoofing and impersonation
  • Moving sensitive emails to authenticated systems

In addition to these steps, we have a “nuclear” option should a phishing scam successfully hit its mark. Upon discovering that credentials have been compromised, we immediately boot all connections to the account until new passwords have been created — effectively cutting off access for hackers before they can do any more damage.

While this response is certainly annoying for a user, it pales in comparison to the negative effects that compromised credentials can cause to a business or an individual. Not just financially, but reputationally as well.

dc - Gone Phishing - graphic2

Avoid costly mistakes

Humans may learn best from firsthand experience, but when it comes to email security, the last thing you want to do is learn from a mistake.

As email phishing attacks continue to evolve, it’s important to educate yourself and your employees on how not to fall for a scam. It’s also critical to fully leverage the tools and best practices provided by IT and email providers.

Bad actors are everywhere, and their means to conning unsuspecting people out of information is only getting more sophisticated. With the right guidance from IT professionals, you can have the security you need to keep every inbox scam free.

dc - Gone Phishing - cta

 

Russ is Vice President and CTO of Dynamic Computing. He sets the vision for our technical staff and provides the highest level of support with complex problems. Russ knows Dynamic Computing inside and out, and he’s helped build the company from a handful of clients with simple networks to a thriving, complex managed IT service. He sets the vision for our technical staff and provides the highest level of support for complex installations and any challenging issues that arise. He also relentlessly evaluates new technologies and security best practices and determines how and when to implement improvements for our clients. Russ holds a degree in Business Administration with an Information Systems concentration from the University of Washington. Outside the office, you’re most likely to encounter him skiing, playing sports, or spending time with his family.