Authored by Paul Ducklin, Senior Technologist, Sophos
The word “Burisma” is all over the news at the moment – it’s a Ukranian energy company that, according to some claims, was broken into by Russian hackers looking for sensitive data to steal. As you can imagine, the way the hackers got in is supposed to have been by means of phishing attacks. Phishing, very briefly defined, is where a cybercriminal tricks you into revealing something electronically that you ought to have kept to yourself. The good news is that most of us have learned to spot obvious phishing attacks these days. The bad news is that you can’t reliably spot phishing attacks just by watching out for obvious mistakes, or by relying on the crooks saying “Dear Customer” rather than using your name.
You need to watch out for targeted phishing, often rather pointedly called spear-phishing, where the crooks make a genuine effort to tailor each phishing email, for example by customising it both to you and to your company.
Acquiring the specific data needed to come up with personalised phishing emails is easier than you might think, and much of the data gathering can be automated.
Tips for you
So here are our 5 tips for dealing with phishing attacks, especially if you’re facing a crook who’s willing to put in the time and effort to win your trust instead of just hammering you with those “Dear Customer” emails:
Don’t be swayed just because a correspondent seems to know a lot about you
Someone who has never met you, and never will, can nevertheless easily project themselves as an “insider” – a friend-of-a-friend, perhaps, or a colleague you’ve worked with electronically but never met face-to-face.
With a mixture of information collected from already-public data breaches, social media profiles and historical emails that you sent or received, even a modestly funded crook without much technical savvy can sound a lot more convincing than “Dear Customer.”
Don’t rush to send out data just because the other person tells you it’s urgent
A lot of email scams work because the crook wins your trust, or makes you think they are someone high up the organisational chart in your own company, and then stresses how urgent the task they’ve just given you is.
They will often resort to flattery, too, by explaining why they are asking you and not anyone else, and impress on you that the task is confidential and therefore must not be discussed with anyone else.
Never treat it as prudent that the other person is demanding total secrecy – treat it as suspicious instead.
Don’t rely on details provided by the sender when you check up on them
You’d think that scammers would try very hard to discourage you from checking up on them – but sometimes they’ll not only welcome it but actively urge you to call or message them back, or visit their website, as part of the scam.
If you call them back on the phone number they gave you, or message them via the website they provided, you are simply offering them an opportunity for them to tell you the very lies they want you to hear.
(That’s why financial institutions print their emergency contact numbers on the back of your bank card and put them on the welcome screens of their ATMs – those sources are much harder for crooks to tamper with.)
Don’t follow instructions on how to view an email that appear inside the email itself
A common ruse is for crooks to hide malicious content – such as data stealing software called macros – inside innocent-looking document files, and then to preface the “document” with instructions on how to view it “correctly” by changing various security settings.
Usually, the instructions sound quite plausible, but the crooks are in fact tricking you into turning off the very security features that would keep you safe.
Don’t be afraid to get a second opinion
If you’ve ever asked colleagues to proofread your documents or emails, they will often have found mistakes that you can’t believe you missed yourself.
That’s because a second opinion goes an awfully long way.
In fact, that’s the main reason why crooks urge you not to tell anyone what you are up to – to stop you getting a second opinion and thereby catching them out.
Tips for IT, too
While we’re about it, here are 3 bonus tips for IT staff and sysadmins, too:
Do set up a single point of contact for staff to report cybersecurity issues
Most spear-phishing works not because staff want to do the wrong thing but because they’re keen to do the right thing, and to be helpful at the same time by giving great customer service to everyone.
No one wants to risk being remembered as “the ex-colleague who got fired for telling our most important customer to take a hike”.
By providing a reporting point such as an internal address like security-report@example.org, you’re making it easy for your users to ask for security advice before they take risks, rather than afterwards.
The only thing worse than being scammed by a spear-phishing email is finding out that the person who fell for it wasn’t the first in the company to have encountered it and that with an early-warning system you would have headed off the attack altogether.
Do make cybersecurity a two-way street –listen to your users!
In the 1990s and 2000s, cybersecurity was often based on the idea that “IT knows best and will set all the rules, with no exceptions.”
But this approach tends to create a culture in which anything that isn’t blocked is blindly assumed to be safe.
Even legitimate, high-traffic websites sometimes get hacked, and if one of your users just happens to be the first person to notice, you want them to tell you, not to shrug if off and ignore the problem.
Do consider phishing simulations
Products like Sophos Phish Threat can expose your users to the sort of tricks that spear-phishers use, but in safety so that if they do fall for it, no real harm is done.
As long as you make it clear that your phishing tests are there to help users to learn, not to keep tabs on them simply to catch them out, then everyone benefits.
After all, some of your staff are probably already receiving dozens of real-world phishing and spear-phising emails every month – so even if you’re not testing your users then the crooks certainly are!
