Email is Still the Top Security Threat to Your Company
WHY WE FALL INTO THE TRAP –
CISOs (chief information security officers) consider email threats to be the number one security risk to their organizations. As a Cisco report states, the hacks “still rely on coercing the user into clicking on a link in an email first.” Why are so many complying? Let’s look at the psychological tricks the hackers are using: guilt, greed and urgency!
Many of the facts and scenarios below come courtesy of the report, Cisco Cybersecurity Series 2019 – Email Security.
In a phishing test conducted by Duo Security, almost 25% of recipients clicked the link in the email, and half of those then entered their credentials into the fake website!
The hackers are using trickery, but with a psychological twist.
Cisco outlines one scenario taking place in the wild:
Digital Extortion: “An email arrives in your inbox with the subject ‘YOU SHOULD TAKE THIS VERY SERIOUSLY.’ The sender of the email claims to have compromised an adult video web site and that you visited the site. He or she also claims to have recorded you over the webcam, alongside the videos they assert you have watched. …the sender claims to have gained access to your contacts and will send them all the footage, unless you pay them hundreds or thousands of dollars in Bitcoins.”
In reality, the claims are fabricated. But the hackers send this out to thousands of people, some of whom no doubt have in fact visited such sites and feel as though they have been caught and have to cave in to the extortion scheme.
Is someone actually going to believe he or she is getting an email directly from the director of the FBI saying he has money that belongs to him/her? Apparently so, based on the example Cisco highlights:
“Advance Fee Fraud: It’s not every day you receive an email from the FBI. It’s even less common to receive one informing you of a pending transfer of $10.5 million. All you need to do is reply to the email and they will instruct you on how to receive the payment.
This is a classic advance fee fraud scheme. As the name implies, the scammers will ask for a fee before they’ll send you the promised money – money that never appears.”
Of course, a variation of this could just be an enticement for you to click and enter data.
Advance fee fraud scams could involve loans, money exchanges, romance, credit repair/debt relief, investments and travel/vacation.
Every scam attempt seems to apply time pressure so you aren’t able to carefully analyze the situation. In the digital extortion case above, “you have only 48 hours after reading this email to send payment.” The FBI director in the advance fee example says “we await your immediate compliance.”
In social engineering schemes the “deal” or the “transaction” is imminent and urgent and the “CEO” is telling you to wire the funds to a specified account without delay and without consulting anyone.
The number one tip in the Cisco report is to slow down. They report that the average person spends 8-10 seconds scanning an email before they take action. We need to slow down, think and look for clues that something is amiss.
In our work with our clients, all email scams/social engineering frauds were the result of a lack of awareness or simply not paying attention (and rushing, of course). Training employees and constantly reminding them of the high number, the types and the persistence of these hacks is the number one line of defense. Remember, brute-force attacks on the network or cloud accounts are no longer the major source of loss; the focus now is on enlisting a company’s own employees to unwittingly assist in the hack.
Cisco outlines the types and methods of the scams (in addition to the ones discussed so far):
Office 365 Phishing
The email appears to come from Microsoft and says your account will be disconnected unless you verify your address at the link provided.
Similar phishing attempts involve Google’s email and cloud services. The emails feature a real-looking multi-colored Google logo.
Packaging and Invoice Scam: “‘I don’t remember buying a subscription to this mobile app,’ you say to yourself…Hold on, the location in the invoice says it was purchased in Sri Lanka.” You then click the link to investigate the mistake.
A similar scam involves a package you didn’t order, complete with a great-looking UPS logo and a handy tracking link.
Besides links, the opening of attachments can unleash some latent and potent malware. The harmful docs don’t have to be exotic either. Cisco reports that three of the top five malicious file types are Word, Zip and PDF.
Unsubscribing from spam? Careful!
Unsubscribe is just another link, no better or worse than any other one. If you do not know the source of the spam in the first place, you cannot safely click that link as the way to make the emails stop. Use the spam filter instead: marking the message as spam and adding the sender to the block list should eliminate them.
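The clues the article tells readers to look for (a Reply-To that does not match the sender, a link whose visible text points somewhere other than its real destination, an “Unsubscribe” or “verify” link that leads away from the claimed sender’s domain, urgency wording, and the Word/Zip/PDF attachment types Cisco flags) can be checked mechanically before anyone clicks. The following Python script is an added example written for this page; it is not code from the Cisco report or from the author. The message it inspects is constructed here to resemble the Office 365 lure described above, and the `.example` domains, file name and phrase lists are assumptions made for the illustration.

```python
"""Surface the phishing clues the article describes, given a parsed email.

Checks: From vs Reply-To domain, link text vs link target, links leaving the
sender's domain (including "Unsubscribe"), urgency wording, and attachment
types commonly abused. Everything here is illustrative, not a spam filter.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases taken from the scenarios quoted in the article (assumed list).
URGENCY_PHRASES = ("immediate", "48 hours", "disconnected", "very seriously", "without delay")
# Cisco reports Word, Zip and PDF among the top five malicious file types; the
# executable types are added here as an assumption. Presence means "pause", not "malware".
RISKY_EXTENSIONS = (".doc", ".docm", ".zip", ".pdf", ".exe", ".js")


def registrable_domain(host):
    """Crude 'example.com' from 'login.mail.example.com' (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(msg):
    """Return a list of human-readable clues that something is amiss."""
    clues = []
    from_dom = registrable_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr:
        reply_dom = registrable_domain(reply_addr.rpartition("@")[2])
        if reply_dom != from_dom:
            clues.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    parser = LinkExtractor()
    parser.feed(html)
    for href, shown in parser.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        if shown.startswith(("http://", "https://")):
            # Visible URL text that does not match the real target is the classic tell.
            shown_dom = registrable_domain(urlparse(shown).hostname or "")
            if shown_dom != href_dom:
                clues.append(f"link shows {shown_dom} but goes to {href_dom}")
        if href_dom and href_dom != from_dom:
            clues.append(f"'{shown}' link leads to {href_dom}, not sender domain {from_dom}")

    haystack = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        clues.append("urgency wording: " + ", ".join(hits))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            clues.append(f"attachment {name} is a commonly abused file type")
    return clues


def build_sample():
    """Constructed lookalike of the Office 365 lure from the article (not a real message)."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Account Team <account-security@microsoft.com>"
    msg["Reply-To"] = "verify@office365-verification.example"
    msg["To"] = "employee@example.org"
    msg["Subject"] = "Your account will be disconnected in 48 hours"
    msg.set_content("Verify your address: http://login.office365-verification.example/verify")
    msg.add_alternative(
        "<html><body><p>We await your immediate compliance. Verify your address:</p>"
        '<a href="http://login.office365-verification.example/verify">https://login.microsoftonline.com/</a>'
        '<p><a href="http://login.office365-verification.example/unsub">Unsubscribe</a></p>'
        "</body></html>",
        subtype="html",
    )
    # Fake attachment: a few bytes with a ZIP signature, constructed for this example only.
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="Invoice_2019.zip")
    return msg


if __name__ == "__main__":
    for clue in analyze(build_sample()):
        print("CLUE:", clue)
```

Run against the constructed sample, the script reports six clues: the mismatched Reply-To, the link that displays a Microsoft address but resolves elsewhere, two links (including “Unsubscribe”) that leave the purported sender’s domain, the urgency phrases, and the Zip attachment. None of these alone proves fraud; together they are exactly the pattern the article says should make you slow down.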
[email protected]; 617.718.5901
Jul 13, 2019