Think Before You Click
It seems e-mail has been a venue for malicious activity since its inception. From bad attachments to Nigerian princes, the threats posed by e-mail have evolved drastically over time and are becoming more dangerous. In this post we will explore commonly used attack strategies and their implications for you and your company. We will also look at ways you can help protect yourself against the ever-growing threat posed by scam e-mails.
The most common, and most dangerous, threat that e-mail presents comes in the form of attachments. The danger is twofold: more convincing social engineering, which makes e-mails look legitimate, and more dangerous consequences from opening those attachments. Many e-mails now come preformatted to look like shipping or order confirmations from shipping companies like FedEx or from retailers like Amazon. This can be dangerous if you are not paying attention to what you open. All e-mails with attachments warrant additional skepticism by default, much the same as you would apply if a stranger walked up and offered you free candy. You would ask questions like: “Why are you giving me this?” “What is wrong with it?” “What is your angle?” E-mail attachments should garner the same sort of fear and respect. One bad click on an attachment, without considering it first, could have consequences for your computer and network similar to accepting candy from strangers. Further compounding the danger, these e-mails are often targeted at shipping departments within companies and businesses, so lower-level employees may be faced with the task of scrutinizing them. Let there be no mistake: these e-mails can look very authentic! The senders may take the time to gather basic address and location information about their intended target, or even fill out bogus shipping and tracking information. There is no magic bullet for catching all of these e-mails, even with the best antivirus software and e-mail filtering. Applying additional scrutiny, at all levels of employees within a company, is still the best practice for rooting them out. “Think before you click.”
Links within e-mails can be just as bad as attachments. It is all too common these days to see e-mails with a link included or embedded within them. The problem is that, much like the sender address, the link can be modified to be malicious. Visiting a different web page from the one you intended can have serious consequences, depending on the site that is mistakenly visited. A hyperlink can be made to display the text of one address while actually opening your browser to an entirely different address. This is used in a process known as “phishing.” An example of a phishing e-mail would be one that appears to come from a bank (let’s use Wells Fargo as an example) and indicates that your bank card PIN has expired. The e-mail rattles off some authentic-sounding information about how your PIN was somehow compromised or needs to be updated, and then provides a link within the e-mail to update it. The text of the link may say something to the effect of http://www.wellsfargo.com/resetpin; HOWEVER, the actual link takes you somewhere entirely different. Where it takes you may even be tailored to look like Wells Fargo, but it is all just a ploy to trick you into entering your bank card information and basically handing it to the scammers. Phishing attacks are not limited to data gathering, however. Some of them take you to websites programmed to infect your computer through your web browser, many times by displaying a page incorrectly and asking you to update your Flash Player (for which they provide the link, in order to infect you). These attacks share a common theme: they originate from someone who is not who they claim to be, and they take you somewhere you did not intend to go. This is precisely why we ask that you “Think before you click.”
As mentioned before, there is no magic bullet here. As software and practices are developed to root out these types of schemes, the schemers are developing ways around them just as fast (if not faster). The best way to avoid being fooled by such attacks is to “Think before you click,” and to approach every attachment and hyperlink contained in an e-mail with skepticism and caution. A series of questions should be asked of every e-mail:
- Is the person sending this message legitimate?
  - Check the From line.
- Do you know the sender?
- Were you expecting an attachment/link?
  - A password reset link from a website, which you requested, for example.
- Does the link actually take me where I want to go?
  - You can hover your mouse over a link without clicking it and preview its target in the bottom left of your window.
- Why would I be sent this item in the form of an attachment?
  - Usually a shipping company simply provides you a tracking number, for example, not an actual attachment.

This may seem like giving your e-mails the third degree, and it should. You question when someone knocks on the door of your house; your e-mail should be no different.
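The checklist above, and the display-text trick described in the phishing section, can be turned into an automatic pre-click screen. The script below is an added example written for this post, not a tool the post describes: it parses one raw message, reports the sender's domain and any attachments, and flags every hyperlink whose visible text looks like an address on one domain while the real target is on another. The sample message, its `.test` domains and the simple "last two labels" domain comparison are all constructed assumptions for the demonstration.

```python
"""Pre-click review of an e-mail: who sent it, what it attaches, and whether any
hyperlink's visible text points at a different host than its real target.
Added example for this post (not a tool the post describes); heuristic only."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.example.test/x' is given a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def base_domain(host):
    """Keep the last two labels: 'online.wellsfargo.com' -> 'wellsfargo.com'.
    Deliberately naive (no public-suffix list); good enough for a first screen."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


# Visible link text that itself looks like a URL or domain, e.g. "http://www.bank.test/reset"
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def mismatched_links(html):
    """Links whose displayed address and real destination are on different domains."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href or not _LOOKS_LIKE_URL.match(text):
            continue  # plain-text links ("Help center") cannot be checked this way
        shown, target = host_of(text), host_of(href)
        if base_domain(shown) != base_domain(target):
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "target_host": target})
    return findings


def review_message(raw):
    """Run the post's checklist (sender, attachments, link targets) over one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    report = {
        "from": str(msg["From"]),
        "sender_domain": sender.domain.lower() if sender else "",
        "attachments": [part.get_filename() for part in msg.iter_attachments()],
        "mismatched_links": [],
    }
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        report["mismatched_links"] = mismatched_links(body.get_content())
    return report


# Constructed sample: a fake "PIN expired" notice with a disguised link and an unexpected attachment.
SAMPLE_EMAIL = """\
From: "Wells Fargo Online" <alerts@example-mailer.test>
To: you@example.test
Subject: Your PIN has expired
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your debit card PIN has expired. Please reset it here:</p>
<p><a href="http://wellsfargo.com-secure-reset.example.test/pin">http://www.wellsfargo.com/resetpin</a></p>
<p>Questions? <a href="https://www.wellsfargo.com/help">Help center</a></p>
</body></html>
--b1
Content-Type: application/zip; name="Shipping_Label.zip"
Content-Disposition: attachment; filename="Shipping_Label.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for key, value in review_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run as-is, the script reports a sender domain (example-mailer.test) that has nothing to do with the brand in the display name, one unexpected zip attachment, and one link whose text says www.wellsfargo.com while its target is on example.test. The "Help center" link is not flagged because its visible text is not an address; a reader still has to hover over it, exactly as the checklist says.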
Being e-mail savvy on your own is simply not enough for a company. Everyone needs to know the dangers and risks (and “Think before they click”). If someone in the shipping department accidentally clicks the attachment supposedly sent by UPS, they could potentially take down the network (Cryptolocker, for example). Many infections seek a single point of entry and then spiral outwards to anything that computer has access to. If the accountant checks their Gmail on a lunch break and clicks a link that infects their computer, what files could that machine compromise? Accounting? Sales? Inventory? The risks of not having everyone on board can be steep. A good tool for finding out just how vulnerable your organization might be is a phishing test. KnowBe4 offers a free phishing test (http://www.knowbe4.com/phishing-security-test/). This test intentionally sends phishing e-mails to your organization in order to determine the percentage of people who would actually click a phishing link. The results may just surprise you. There is no foolproof software or filter system that can always prevent these types of e-mail attacks. Therefore the best approach for any company to take is training, be that during the onboarding process for new employees (when you discuss proper computer usage under company guidelines), at a staff meeting, or even simply by sharing this blog post. Sharing this knowledge will go a long way towards preventing both network threats and workstation viruses alike.