Email Security: It’s Every Employee’s Business

April 4, 2013

Email security has become part of the job description for every employee. All it takes is one employee to cause a breach that opens up the entire company. For example, consider The New York Times: the recent breach by Chinese hackers was carried out via a phishing or spear phishing email. All that was necessary was for one email to be opened, and The New York Times network was accessible to the hackers. And once an attacker is behind the firewall, he or she can do anything.

Recently, hackers have been getting even more creative. One of the students in the information security class I teach showed me an email that she received. It contained a message about email phishing schemes and what to look for. The subject line was incorrect when compared with previous emails from the same organization. The body of the email had an incorrect logo and a slightly incorrect signature line. Also, there was a link with a call to action that requested my student to sign in to her account and learn more. She reported this email to the company that allegedly sent it. Had my student not been aware of phishing schemes, she might have clicked on the link and opened up her system to hackers.

Without proper training, it is easy for an employee to accidentally open and launch a window for a hacker. It is the duty of every personnel department to train new employees as to what to look for when receiving email messages. This information should be included in employee manuals and should also be posted on lunch room walls as reminders. With the volume of emails we all receive on a daily basis, it is very easy to forget that one of the emails could be a “Bomb” that could cause a breach. And a network breach can lead to data loss, loss of reputation, and denial of services for your employees and clients.

There are two types of phishing email messages: phishing and spear phishing. Phishing is a generic type of email that is sent to everyone in a company with the hope that someone will open the email and click on a link or open an attachment. There are no names attached to it, the subject line is generic, and the TO: line usually says recipients_not_disclosed. That’s a dead giveaway! Finally, the FROM line does not conform to corporate email standards.

The second form of phishing is called spear phishing. This type of email is more insidious. Someone or some organization has taken the time to find information about a specific employee and personalize an email message to make it look like it has been sent to that person from someone he or she knows. As a result, the email looks legitimate. This email is designed through a few methods. The attacker scours Facebook, LinkedIn, Twitter, and possibly financial information sites such as Hoovers. The hacker may make calls to a company’s receptionist to find other pertinent information regarding the email recipient, possibly an email address and/or phone number. In bigger companies, they may even call the IT department, claim that they are the person of interest and have forgotten their email password, and ask for it to be reset. Hopefully, there are policies in place with the IT department that make it impossible for someone to change a password without multifactor authentication (multiple types of ID must be given before the password can be changed – this is an issue for another post). Spear phishing emails are usually sent to management-level employees since they tend to have more network privileges.

Once again, even with spear phishing, the questions one must ask include: Are you expecting an email from this person, and do you even know him or her? Is there a link in the body of the email? If yes, do not click on it. If you really must know what the link is, send it to the IT department or your security team and let them confirm whether it is legitimate. Due to the speed of business these days, it may be difficult to remember what to look for, but it’s also difficult to recover from a breach. It can happen to anyone; for your company’s sake, don’t let it be you.

Host computers should all have a good virus scanner to scan inbound emails and attachments. After that, here are some things to look for when determining if you’re looking at a phishing email. Does the email address in the FROM: line correspond to the corporate email layout? This may mean: last name first, or first name last. When a message is sent to you, are you expecting an email from that person or is the email coming from someone you don’t know? Look at the subject line of the email: Are there any misspellings in the subject line, and does it make sense?

Make it a policy to never click on live links within an email message. A live link (one that is colored and underlined) could look like a legitimate link, but the actual link may send you somewhere else. If you really must know what the link is, copy and paste it into the Notepad program. This will show where the link actually points. Hovering the mouse over the link will also reveal the actual URL. However, if the URL is embedded in an image within the email, you will have to retype the entire URL. There are two other options for shortened links (for example, bitly.com or goo.gl).

Sometimes emails arrive in your inbox under the guise of legitimacy. They appear to come from somewhere within your organization, but they’re not. An email arrives and asks you to change your security credentials – but don’t be fooled. First of all, there should be a general announcement regarding this topic distributed company-wide to all users. It will be sent out by one person, not from “The Security Team.” Be aware of that. Emails regarding this sensitive issue must be sent by individuals, not groups, and an email sent by an internal employee will adhere to corporate email structure; fakes do not.

Many breaches come from an email that looks legitimate from an internal employee. So, look at the signature line at the bottom of the email. If it isn’t the standard signature line that your company uses for all emails, it’s probably suspect. I realize that checking an email to be sure that it’s real can be time-consuming, but the more you look for errors, the better you become at spotting them.
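The checks described above (the FROM line following the corporate layout, a named individual rather than “The Security Team” as sender, the recipients_not_disclosed giveaway, shortened links, and link text that names one site while the link points at another) can be automated. The script below is an added example, not from the original post; the corporate domain example.com, the first.last@ address format and the sample message are all constructed assumptions.

```python
# Added example (not from the original post): check one HTML email for the
# indicators the post walks through. Corporate domain, name format and the
# sample message are constructed assumptions.
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"                                     # assumed
CORP_FROM = re.compile(r"^[a-z]+\.[a-z]+@example\.com$", re.I)  # first.last@
SHORTENERS = {"bit.ly", "bitly.com", "goo.gl"}                  # named in the post
# Simplified anchor extraction; a production filter would use a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    """Hostname of a URL (minus any www.), tolerating text written without a scheme."""
    h = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return re.sub(r"^www\.", "", h.lower())

def phishing_indicators(raw_email):
    """Return the list of indicator strings found in one RFC 5322 message."""
    msg = message_from_string(raw_email, policy=default)
    found, sender = [], str(msg["From"] or "")
    m = re.search(r"<([^>]+)>", sender)
    addr = (m.group(1) if m else sender).strip()
    # FROM line: internal addresses must follow the corporate layout ...
    if addr.lower().endswith("@" + CORP_DOMAIN) and not CORP_FROM.match(addr):
        found.append("from: address does not follow corporate first.last format")
    # ... and security notices come from a named individual, not a group
    if re.search(r"security team|it department", sender, re.I):
        found.append("from: sent by a group name, not an individual")
    if "undisclosed" in str(msg["To"] or "").lower():  # the post's "dead giveaway"
        found.append("to: recipients not disclosed")
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR.findall(body.get_content() if body else ""):
        text = re.sub(r"<[^>]+>", "", text).strip()   # drop tags inside the anchor
        # Live links: shortened URLs hide the destination ...
        if host(href) in SHORTENERS:
            found.append(f"link: shortened URL {href}")
        # ... and link text that names one host while href points at another
        if re.match(r"https?://|www\.", text) and host(text) != host(href):
            found.append(f"link: text shows {host(text)} but points to {host(href)}")
    return found

# Constructed sample message that trips every check above.
SAMPLE = """\
From: The Security Team <security-team@example.com>
To: undisclosed-recipients:;
Subject: Reset your password
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.example-secure.net/reset">
http://www.example.com/reset</a> to keep your account.</p>
"""
```

Running phishing_indicators(SAMPLE) returns four indicators; a message from jane.doe@example.com to a named colleague with a plain-text link returns none.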

The larger a company is, the harder it is to remind employees about staying vigilant. But in the long run, what’s worse: reminders or hackers? You do the math.

______________________________________________________________


This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


Number of phishing websites reach record high in 2012 while many phishing attacks go unreported

July 25, 2012

The number of phishing websites detected reached an all-time high earlier this year, a sign that the business of creating fake websites to spoof real ones is still lucrative for cybercriminals. In its recent report, the Anti-Phishing Working Group (APWG) said 56,859 phishing sites were detected in February, beating the previous record, from August 2009, by nearly 1 percent.

The Anti-Phishing Working Group (APWG) is a non-profit global pan-industrial and law enforcement association focused on eliminating the fraud, crime and identity theft that result from phishing, malware and email spoofing of all types. In its report the APWG noted that the increase in the number of phishing websites was partly due to new technology it employed earlier this year to detect fraudulent sites.

Cybercriminals create thousands of phishing sites each week

Phishing sites are websites that look nearly identical to the legitimate ones. Cybercriminals are pushing out fake web sites branded as well-known companies like eBay, Amazon, banks, and other financial companies, to the tune of tens of thousands every week. Oftentimes these sites mimic the well-known brands very well and therefore leverage the trust users have in the legitimate companies. The new report showed the US hosted the most fake sites. Almost 50% of the phishing sites for the first quarter of 2012 used a known brand name in their URL, a well-known trick often used by phishers.

On the bright side, though, phishing sites are being taken down faster than ever; one of the reasons is the ever-increasing sophistication of email and web security solutions. In a SpamTitan survey from earlier this year, 70% of companies reported incurring financial losses through not reporting spear phishing incidents to their IT department. The results showed that 70% of companies that believe their organisation has been a victim of a spear phishing attack are unsure that such attacks are reported to IT and dealt with appropriately. The lack of proactive measures to deal with the attacks can cost companies financially through the loss of data and system downtime. Spear phishing is a growing issue where a targeted false email that appears to be legitimate is sent to individuals or a company in order to access data.

Lack of proactive security measures can cost companies financially through the loss of data & system downtime

These findings highlight the importance of a company security policy and of communicating this policy effectively, so that all employees know how to deal with the myriad security issues they are regularly faced with. This includes what actions to take if they receive a suspicious and unsolicited email; what to do if they receive an email requesting information from a sender not known to them; what internet activity they can reasonably pursue within company policy; and how to request access if their role requires them to use a site that is blocked company-wide.

Most people are now aware of the various prevalent banking phishing scams and similar. Spear phishing is another, more advanced attempt at a breach of security that appears legitimate, and it should therefore be highlighted even more, as it is a much more sophisticated form of phishing. Educating employees around a range of security issues is an important step, but crucially the most important step a company can take is to put in place robust and powerful security solutions. This doesn’t mean that companies can afford to ignore the ‘softer’ behavioural issues associated with security: it only takes one employee to open the wrong email to give access to sensitive company data or bring a whole company’s IT systems to a halt.


Why spear phishing attempts on SMBs are often successful | Email security

July 4, 2012

Every small business owner knows how computers and specifically email have transformed into critical business systems that businesses cannot function without. It is often easy for business owners to assume their computer systems are safe from attack because it “won’t happen to my business”. Complacency is a dangerous option when it comes to SMB security.

High profile attacks on large corporations get coverage but hackers are increasingly targeting small and medium businesses

Over the past year, there have been numerous high-profile data breach cases involving major corporations. In the past year, compromised security at Sony, the global games company, gave criminals access to 20 million accounts, including email addresses, phone numbers, passwords, and in some cases credit card numbers. It has been reported that some of this information is for sale in several cybercrime forums. Another high-profile attack, and possibly the biggest data breach in US history, was the Epsilon attack earlier this year.

Epsilon, a global provider of marketing services, had its IT system hacked, and the criminals gained access to the names and email addresses in its customer database, which included some of the world’s largest companies across a variety of sectors. This successful attack gave criminals access to large amounts of information about individuals in these companies, details which will allow them to target each company more effectively and more specifically.

This may give the perception that only large corporations are potential targets for hackers; however, the reality is that hackers are increasingly targeting small and medium-sized businesses, knowing that they often do not have the resources or technical knowledge that large corporations do.

Internet Crime unit inundated with complaints from small and medium sized businesses

At SpamTitan we see countless scenarios where small businesses come to us as a result of falling victim to threats similar to those suffered by these high-profile companies. Any medium-sized company that relies heavily on email to conduct business requires anti-spam and anti-phishing protection. Over 400,000 complaints were filed in 2011 with the Internet Crime Complaint Center, a partnership between the National White Collar Crime Center and the FBI. These complaints came from small and medium-sized businesses affected by online phishing scams and other Internet-related crimes.

How to protect your business against phishing attacks

Visiting the Anti-Phishing Working Group will give you sound advice to safeguard your business against phishing scams and beneficial information on how to avoid becoming a victim.

Some of their advice is:

  • Employees should never respond to spam email with confidential or sensitive information; legitimate companies will never ask for sensitive information via email.
  • Make employees aware of what a spear phishing attack is and to be on the lookout for anything in their inbox that looks suspicious. The best way to avoid your company becoming a victim of a spear phishing attack is to improve awareness of what’s happening before anyone loses any personal information.
  • Never give out company financial information such as banking numbers to an email enquiry. Your bank does not need you to confirm your account information…they already have this information.
  • Make sure your network is protected with up-to-date virus, anti spam and malware protection. Ensure you update the software regularly and use a trusted and recommended solution.

A 2011 poll carried out by SpamTitan discovered that 70% of companies that believe their organisation had been a victim of a spear phishing attack are unsure that such attacks are reported to IT and dealt with appropriately. This lack of proactive measures to deal with the attacks can cost companies financially through the loss of data and system downtime. Educating employees around a range of security issues is an important step that many companies ignore. Yes, robust, powerful and updated security solutions are crucial, but this doesn’t mean that companies can afford to ignore the ‘softer’ behavioural issues associated with security. It only takes one employee to open the wrong email to give access to sensitive company data or bring a whole company’s IT systems to a halt.


Cyber attacks multiply in run up to the 2012 London Olympics

May 4, 2012

Cybercriminals are looking to capitalise on the growing interest and enthusiasm around the Olympic games with several phishing scams which aim to impersonate the Olympics official website or associated partners. The cyber criminals and malware writers know that just about any subject line with the word “Olympic” in it is likely to be opened by a large proportion of recipients.

Costly consequences of phishing attacks

No global event is more in the public eye at the moment than the 2012 London Olympic Games. Many of these scam emails will contain malicious code rather than cut-price tickets or other Olympic-themed products. For a company, a successful phishing attack can have far-reaching and costly consequences, resulting in financial loss and loss of customer data.

We have detected and blocked a number of these kinds of Olympic phishing messages, whose goal is to entice users to submit their personal information. It is expected that these phishing attacks will grow in number and become more targeted: spear phishing.

These kinds of attacks will continue to exist as long as they are profitable, and with growing numbers of people on the internet, spammers have a growing market of millions of people for their spam. It’s purely a numbers game: the greater the market for the spammers, the greater the chance of a response and therefore the greater the reward.

To prevent these attacks, organisations need to remain vigilant and follow proven guidelines such as not clicking on links or attachments in unsolicited emails.

To avoid becoming a victim of a phishing attack there are a few simple rules:

  • Don’t trust any unsolicited email, ever.
  • Never “unsubscribe” from a service you haven’t subscribed for in the first place. You are literally handing your email address to spammers to use for future and possibly more targeted attacks.
  • If you are interested in an offer, contact the company behind the message by phone and verify that the message is genuine.
  • Keep your company security solutions valid and up to date so that you can secure your organisation’s network.
  • Employees’ and other insiders’ actions are responsible for the majority of security breaches; a culture of security awareness is an important factor in preventing these security failures.

Remember, if you receive notice that you’ve won a free Olympic ticket, the chances are you haven’t, and as always, if it sounds too good to be true, it probably is!

