By Alex Konnaris, Group CIO, RMA Group
Over 50% of the World’s population use email to communicate, which amounts to almost 300 billion emails sent and received each day. Care should always be taken with any activity that uses the Internet, and email communications are no exception. Along with other well-known Cybersecurity issues, like Ransomware, Phishing is already a big problem, and growing. According to Google’s Transparency Report, Phishing websites have almost doubled in the last 12 months, whereas Malware websites have reduced by a factor of 8 in the same time. This shift now means that around 90% of Cyberattacks come from Phishing alone. Through email, we are certainly swimming in shark-infested waters, with a need for additional protection and a culture of “think before you click”.
There is a myth that individuals or small organizations are not vulnerable to Cybersecurity issues; the reality is that everyone is a target. It’s not just about avoiding the fraudsters behind the Phishing attacks, it is also about staying safe online in general. With some awareness and a dose of healthy paranoia, the risks can be reduced.
Phishing threats come in all shapes and sizes, but they all share a similar goal: to gain your trust and take advantage of you, eg by obtaining your usernames, passwords, financial information or credit card details, or by making you perform some kind of action, eg a payment or bank transfer. To help identify the different types of Phishing, here are some examples:
Deceptive Phishing
These threats come in various forms; here are a few examples, none of which we should react to:
- A message from a familiar website or online service is impersonated; the intention is to get you to give away your credentials so that your account can be accessed.
- The fraudster pretends to know some sensitive information about you and claims that they have been recording activities through your web camera. The fraudster threatens to release the recording(s) unless you send them money through Bitcoin.
- Temptation can be a good weapon for the fraudster: they will send messages of potential inheritance, prizes and gifts, all of which are designed to get you to give away your credentials.
Spear Phishing
This is like Deceptive Phishing but a little more targeted. Often, publicly available information (eg from social media) will be used to make it look like the sender is familiar to you and to gain your confidence; the goal is still the same, to get your credentials.
Whale Phishing and CEO Fraud
Both are types of Spear Phishing in business and are sometimes known as Business Email Compromise (BEC). With CEO Fraud, messages will appear to come from someone senior that you work with. Should you think it is a genuine communication and respond, you will be “groomed” over time to feel more and more comfortable with the dialogue and finally, you will be manipulated into making a payment. In the case of Whale Phishing, the CEO or CFO will be the target, a very highly prized catch! The FBI estimates that BEC scams currently account for over $12 billion in global losses, per year.
Clone Phishing
In the case of Clone Phishing, the goal is the same, but the approach uses messages that look identical to those you have exchanged with your real contacts. The fraudster may have compromised the account of someone in the email chain; they observe for days or weeks and wait for the right moment to strike. They will clone a message, impersonate one of the participants in the email chain and resend it with altered information.
Now we know something about the types of Phishing threats, it can be useful to be aware of the methods used by the fraudsters:
Spoofing (pretending to be someone else)
- Subtle changes to the email domain make it look like another: @yourdornain.net looks like @yourdomain.net, but the “m” has been replaced with “r n” to make “rn”; or @yourdoman.net, where the “i” has been left out.
- The Display Name could initially look familiar; if we expect “Joe Bloggs” <firstname.lastname@example.org> we should make sure it is not “Joe Bloggs” <email@example.com>.
- The Display Name can be further altered to add a domain name, leaving the sender’s real domain obscured towards the end and sometimes not even visible, so that a message appears to be from firstname.lastname@example.org when it is actually from email@example.com.
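The display-name tricks above can be checked mechanically before a reader ever sees the message. The following is an added example, not code from the article or from RMA Group; it assumes a constructed address book and that yourdomain.net is our own domain, and it uses Python’s standard email header parser.

```python
"""Checks on the From header for the display-name tricks described above.
Added example; the address book and organisation domain are constructed assumptions."""
import re
from email.utils import parseaddr

ORG_DOMAIN = "yourdomain.net"                       # assumption: our own domain
ADDRESS_BOOK = {                                    # constructed: name -> trusted address
    "joe bloggs": "joe.bloggs@yourdomain.net",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def check_from_header(from_header):
    """Return a list of warnings for one raw From header value (empty list = nothing odd)."""
    warnings = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    real_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # Trick: an address or our own domain written into the display name, so the
    # real sender (shown last, and often truncated by the mail client) is hidden.
    embedded = EMAIL_RE.search(name)
    if embedded and embedded.group(0).lower() != addr:
        warnings.append(f"display name shows {embedded.group(0)} but the sender is {addr}")
    elif ORG_DOMAIN in name.lower() and real_domain != ORG_DOMAIN:
        warnings.append(f"display name mentions {ORG_DOMAIN} but the sender is {addr}")

    # Trick: a familiar display name on an unfamiliar address.
    plain_name = EMAIL_RE.sub("", name).strip(' "<>').lower()
    expected = ADDRESS_BOOK.get(plain_name)
    if expected and expected != addr:
        warnings.append(f"'{plain_name}' is in the address book as {expected}, not {addr}")
    return warnings


if __name__ == "__main__":
    # constructed headers: one genuine, one with a familiar name on a strange address,
    # one with a trusted-looking address written into the display name
    for header in ('"Joe Bloggs" <joe.bloggs@yourdomain.net>',
                   '"Joe Bloggs" <jbloggs@mail-example.test>',
                   '"Joe Bloggs joe.bloggs@yourdomain.net" <attacker@mail-example.test>'):
        print(header, "->", check_from_header(header) or "ok")
```

The address-book comparison is the same check the article recommends doing by hand (compare the address you expect with the one actually in the header); a mail gateway can apply it to every inbound message and tag the ones that fail.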
If you receive a message stating that urgent action is required, especially with financial information, do not allow this urgency to bypass any of your usual processes. It is important to maintain protocol, regardless of who the requester appears to be or how urgent the request is.
Email systems should of course be blocking dangerous attachments or attachment types, but if one does slip through to your inbox, pay attention to the file extension: what looks like a PDF may not be one. Also be aware of archive files (eg .zip), as they may contain files that have been renamed in the same way. Another tactic is to attach a normal-looking document (eg .pdf) and put links inside the document that will take you to a Phishing website:
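A gateway check for the renamed-attachment trick, including files hidden inside a .zip, as an added example (not code from the article or from RMA Group). The extension lists and the sample message with its fake invoice are constructed for the demonstration; the message is built and parsed with Python’s standard email library.

```python
"""Inspect attachment names, including inside .zip archives, for the renamed-executable trick.
Added example; the extension lists and the sample message are constructed assumptions."""
import io
import os
import zipfile
from email.message import EmailMessage

# assumption: extensions an email gateway should treat as executable content
EXECUTABLE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
              ".vbs", ".wsf", ".hta", ".ps1", ".jar", ".lnk", ".msi"}
DOCUMENT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}


def check_name(name):
    """Return (name, reason) pairs for one filename; empty if it looks harmless."""
    lower = name.lower().strip()
    stem, ext = os.path.splitext(lower)
    reasons = []
    if ext in EXECUTABLE:
        reasons.append(f"executable extension {ext}")
        # "invoice.pdf.exe" or "invoice.pdf      .exe": the part before the
        # real extension pretends to be a document
        inner_ext = os.path.splitext(stem.rstrip())[1]
        if inner_ext in DOCUMENT:
            reasons.append(f"named like a {inner_ext} document but is not one")
    return [(name, r) for r in reasons]


def scan_attachments(msg):
    """Walk a parsed message and check every attachment, looking inside zip archives."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        findings.extend(check_name(filename))
        if filename.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for inner in zf.namelist():
                        findings.extend((f"{filename}:{n}", r) for n, r in check_name(inner))
            except zipfile.BadZipFile:
                findings.append((filename, "archive could not be opened"))
    return findings


def build_sample_message():
    """Constructed test message: a fake PDF, a zip hiding a screensaver, and a genuine PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@mail-example.test"
    msg["To"] = "someone@yourdomain.net"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.xlsx.scr", b"MZ\x90\x00")
        zf.writestr("readme.txt", b"nothing to see")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf", filename="real.pdf")
    return msg


if __name__ == "__main__":
    for name, reason in scan_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

Checking names is only the first layer; a production gateway also looks at the file’s actual content (magic bytes, macros) rather than trusting the extension, and treats nested or password-protected archives as a reason to quarantine.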
Images can be embedded at the top of the message that look like an attachment. Should you click it, you will be taken to a Phishing website, but if you hover over the image first, you will discover it is really a URL link:
Fake URL Links
The Display Text of a URL link can be used to obscure the real destination, but if you hover over the text, the real link will be revealed. There will be many genuine URL links with “friendly” Display Text, if the message appears to be from a familiar source but the link(s) appear unrelated, be cautious:
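The hover check can also be automated: compare the text a link displays with the host its href actually points at. The following is an added example (not code from the article or from RMA Group) using Python’s standard HTML parser; the sample HTML and the host names in it are constructed, and the “registrable domain” helper deliberately uses a crude last-two-labels rule instead of a public-suffix list.

```python
"""Compare the text a link displays with where its href really goes.
Added example; the sample HTML and host names are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/:?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: last two labels (assumption: no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html):
    """Return (shown text, real href) for links whose text looks like a URL
    but whose href points at a different registrable domain."""
    collector = LinkCollector()
    collector.feed(html)
    mismatches = []
    for href, text in collector.links:
        if not URL_LIKE.match(text):
            continue  # "click here" style text reveals nothing either way
        if registrable(host_of(text)) != registrable(host_of(href)):
            mismatches.append((text, href))
    return mismatches


# constructed message body: one link lies about its destination, one is honest
SAMPLE_HTML = """<p>Your mailbox needs attention. Sign in at
<a href="http://www.yourbank.example.lookalike-host.test/login">https://www.yourbank.example/login</a>
or read the help page at
<a href="https://www.yourbank.example/help">https://www.yourbank.example/help</a>
or <a href="https://tracking.lookalike-host.test/x">click here</a>.</p>"""

if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_HTML):
        print(f"shows {shown} but goes to {real}")
```

Links whose text is a plain phrase (“click here”) are skipped here because there is nothing to compare; a gateway would instead judge those against the sender’s domain, as the article suggests.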
What Can We Do?
As awareness has a big impact on reducing the risks, we can help ourselves in many cases:
Verify, Verify, Verify
Always verify who you are dealing with, even if you think the sender is a friend, colleague or senior manager. If the content of the message looks unusual or out of character, be cautious and check the validity of the message. If you think the email address looks strange, instead of clicking Reply, click Forward and enter the address from your Address Book, or contact the sender through another channel, eg phone.
Our email provider(s) go to great lengths to deliver genuine messages and exclude the rest. Sometimes messages are wrongly tagged as [SPAM] or arrive in our Junk folder, known as false positives. We can become desensitized after seeing a number of false positives, but we really must stay vigilant by paying attention to all the warnings.
Don’t believe promises of easy money, gifts or business opportunities. First, assume that the sender wants something from you. This method is surprisingly common; approach with caution:
- You’ve inherited millions from a long-lost family member.
- I would like to donate my millions to someone honest, like you.
- You’ve won a prize.
- I desperately need help.
Attachments and Links
Beware of dangerous links and downloads – always question intentions. Never click if you have doubts, as it could lead to risk. Hopefully we are protected through our email servers, computers and web browsers but there are some free online tools that we can make use of too:
- Google Safe Browsing: URL link checker: https://transparencyreport.google.com/safe-browsing/search
- Norton Safe Web: URL link checker: https://safeweb.norton.com/
- Trend Micro Site Safety Center: URL link checker: https://global.sitesafety.trendmicro.com/
- VirusTotal: File and URL link checker: https://www.virustotal.com/
Always follow your standard protocols, do not allow shortcuts, even if it appears to be urgent.
If your email provider(s), bank(s) or other online services offer Multi-Factor Authentication (MFA), it will help reduce risk significantly. MFA comes in the form of tokens, phone verification, text messages (SMS), applications on our smart phones, etc. The purpose of MFA is to bring together a combination of things that we know (eg password), things we have (eg smart phone), what we are (eg human) and where we are (eg at the office). Look for MFA options with more of your online services.
What Can the IT Crowd Do?
There is already a lot of work going on behind the scenes to keep us and our inboxes safe; hopefully we only receive the occasional threat that needs us to apply our awareness. For those working in IT, or who have an IT team, here are some examples of ways to reduce risk:
If we have MFA options available with the services that we provide, they should be enforced. Whilst it can be inconvenient to have additional steps when connecting to services, it greatly reduces risk. It can be difficult to get people to adopt MFA; it’s good to start from the top (eg CEO) and others will follow.
Why not conduct a Phishing Drill in your organization? Without awareness, 30% of people are susceptible to Phishing attacks but once awareness campaigns are put in place, it can drop to 10% within weeks. With extensive awareness it can be brought down to 1-2%. Here are some free tools to help:
- Trend Micro has an easy to use service that is free for small batches: https://phishinsight.trendmicro.com/
- Gophish has a free tool that can be installed locally to handle all aspects of the process: https://getgophish.com/
The general process:
- The recipient receives a message that states their mailbox needs attention and they need to click the URL link to sign in.
- If the link is clicked, they will be led to a fake sign-in page that looks authentic.
- If credentials are entered on the fake sign-in page, they will receive a further message informing them of their mistake and providing additional awareness.
- After the drill, reports are available to see who opened the message, who clicked the link and who entered credentials.
Add corporate branding (eg company logo) to any sign-in page that your business uses; this will help people to recognize when they land on a Phishing website.
Newly registered domains can be employed in Phishing. Look to detect messages with new domains (eg less than 60 days) and provide a warning to the recipient.
Block Similar Domains
Similar looking domain names can be employed in Phishing. If you own yourdomain.net, perhaps block the ones that look similar, eg yourdornain.net and yourdoman.net etc.
External Sender Warning
Look for ways of detecting external senders and provide a warning to the recipient. It is becoming common to put a banner at the top or the bottom of the message, stating that it is from an external sender. This is a great way to quickly identify that a message is not, in fact, internal to your organization:
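Blocking similar domains and warning on external senders fit together: the lookalike list is generated from the domains you own, and a sender is then classified as internal, lookalike or external before a banner is added. The following is an added example (not code from the article or from RMA Group). It extends the article’s two variants (“rn” for “m” and a dropped letter) with a few other common visual substitutions; the owned domain, the sample senders and the banner wording are constructed assumptions.

```python
"""Generate lookalike variants of our own domain (to block or warn on) and
classify a sender as internal, lookalike or external for an inbox banner.
Added example; the domains, sample senders and banner wording are constructed."""
from email.utils import parseaddr

OUR_DOMAINS = {"yourdomain.net"}        # assumption: the domains we own

# Visual substitutions applied in both directions; the article's example is m <-> rn.
SUBSTITUTIONS = [("m", "rn"), ("rn", "m"), ("w", "vv"), ("vv", "w"), ("d", "cl"), ("cl", "d")]


def lookalikes(domain):
    """All variants of one domain made by dropping a letter or by one visual substitution."""
    label, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i in range(len(label)):                      # dropped letter: yourdomain -> yourdoman
        variants.add(label[:i] + label[i + 1:])
    for old, new in SUBSTITUTIONS:                   # substitution: yourdomain -> yourdornain
        start = 0
        while (pos := label.find(old, start)) != -1:
            variants.add(label[:pos] + new + label[pos + len(old):])
            start = pos + 1
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants if v}


def build_blocklist(domains):
    """Union of the lookalikes of every domain we own."""
    return set().union(*(lookalikes(d) for d in domains))


BLOCKLIST = build_blocklist(OUR_DOMAINS)


def classify_sender(from_header, our_domains=OUR_DOMAINS, blocklist=BLOCKLIST):
    """'internal', 'lookalike' or 'external' for one From header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in our_domains:
        return "internal"
    if domain in blocklist:
        return "lookalike"
    return "external"


def external_banner(from_header, body):
    """Prepend the warning banner for anything that is not an internal sender."""
    verdict = classify_sender(from_header)
    if verdict == "internal":
        return body
    label = "LOOKALIKE OF OUR DOMAIN" if verdict == "lookalike" else "EXTERNAL SENDER"
    return (f"[{label}] This message came from outside {', '.join(sorted(OUR_DOMAINS))}. "
            f"Verify requests through another channel before acting on them.\n\n{body}")


if __name__ == "__main__":
    print(sorted(BLOCKLIST))
    for header in ('"CEO" <ceo@yourdomain.net>', '"CEO" <ceo@yourdornain.net>',
                   '"CEO" <ceo@yourdoman.net>', "<supplier@mail-example.test>"):
        print(header, "->", classify_sender(header))
```

Whether you block lookalikes outright or only tag them is a policy choice; tagging is safer while the list is new, since a generated list will also contain domains that belong to unrelated, legitimate businesses.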
External Recipient Warning
Like the previous example, when someone clicks Reply, some email systems have a feature to warn the sender through tooltips. This is a great way to quickly identify which recipient(s) are not, in fact, internal to your organization:
There are checks that email systems can do to verify the sender, eg Sender Policy Framework (SPF). Use this, along with validation of From, Reply-To and Return-Path, to provide the recipient with a warning that the address the message appears to be From may not actually be the sender:
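The combination described here, the SPF verdict plus agreement between From, Reply-To and Return-Path, can be evaluated from headers alone once your own gateway has stamped its Authentication-Results header. The following is an added example (not code from the article or from RMA Group); the authserv-id mx.yourdomain.net and both sample messages are constructed, and it uses only Python’s standard email library.

```python
"""Check the SPF result stamped by our own MTA and the alignment of From,
Reply-To and Return-Path. Added example; the sample messages and authserv-id are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.yourdomain.net"   # assumption: the authserv-id our own gateway writes


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spf_result(msg, authserv_id=AUTHSERV_ID):
    """SPF verdict from the Authentication-Results header written by our gateway,
    ignoring any such header the sender may have added themselves."""
    for value in msg.get_all("Authentication-Results", []):
        if value.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        match = re.search(r"\bspf=([a-z]+)", value, re.I)
        if match:
            return match.group(1).lower()
    return "none"


def sender_warnings(raw_message):
    """Return the warnings a recipient should see for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    warnings = []
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not to {from_dom}")
    if return_dom and return_dom != from_dom:
        warnings.append(f"bounces go to {return_dom}, not to {from_dom}")
    spf = spf_result(msg)
    if spf != "pass":
        warnings.append(f"SPF check for the sending server: {spf}")
    return warnings


# constructed: a message that claims to be from our finance team but is not
SPOOFED = """Return-Path: <bounce@mailer.lookalike-host.test>
Authentication-Results: mx.yourdomain.net; spf=fail smtp.mailfrom=mailer.lookalike-host.test
From: "Finance Dept" <finance@yourdomain.net>
Reply-To: <finance.yourdomain@webmail-example.test>
To: <someone@yourdomain.net>
Subject: Urgent payment required

Please settle the attached invoice today.
"""

# constructed: the genuine equivalent
GENUINE = """Return-Path: <finance@yourdomain.net>
Authentication-Results: mx.yourdomain.net; spf=pass smtp.mailfrom=yourdomain.net
From: "Finance Dept" <finance@yourdomain.net>
To: <someone@yourdomain.net>
Subject: Monthly statement

Attached as usual.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, "->", sender_warnings(raw) or "no warnings")
```

Only the Authentication-Results header carrying your own authserv-id is trusted; one that arrives already in the message is just another header the sender controls. A Reply-To on a different domain is not proof of fraud on its own (mailing lists and ticketing systems do it legitimately), which is why the article pairs it with a warning to the reader rather than an outright block.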
Another method keeps track of sending servers: on the first request, the server, sender and recipient are recorded and the sending server is asked to “try again later”. If the same server resends the message after the allotted time, it continues through to the other checks. The initial delay that this causes has two benefits:
- If it is Spam, they may not resend as their servers might not have the capacity.
- By the time they do resend, their server may be Blacklisted and will be blocked.
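The method just described is commonly called greylisting. The following is an added example of its core logic (not code from the article, from RMA Group or from any mail server); the store is in memory, the retry window of 300 seconds is an assumption, and the sample client address and mailboxes are constructed.

```python
"""Greylisting: temporarily reject the first delivery attempt from an unknown
(client IP, sender, recipient) triplet and accept the retry after a waiting period.
Added example; the retry window and sample triplets are constructed assumptions."""
import time


class ManualClock:
    """Testing aid: a clock the caller advances by hand."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class Greylist:
    """In-memory greylist. A real deployment persists this store and shares it between MX hosts."""

    def __init__(self, retry_after=300, forget_after=36 * 3600, clock=time.time):
        self.retry_after = retry_after      # seconds a client must wait before we accept its retry
        self.forget_after = forget_after    # drop triplets that never came back (assumption)
        self.clock = clock                  # injectable for testing
        self.pending = {}                   # triplet -> time of first attempt
        self.allowed = {}                   # triplet -> time last seen

    def check(self, client_ip, sender, recipient):
        """Return 'greylisted' (first attempt), 'too_soon' (retried before the window) or 'pass'."""
        now = self.clock()
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.allowed:
            self.allowed[key] = now
            return "pass"
        first = self.pending.get(key)
        if first is None or now - first > self.forget_after:
            self.pending[key] = now
            return "greylisted"
        if now - first < self.retry_after:
            # retrying immediately is itself typical of bulk-mailing software
            return "too_soon"
        del self.pending[key]
        self.allowed[key] = now
        return "pass"


def smtp_reply(verdict):
    """Map a verdict to the SMTP response the MTA sends at RCPT TO."""
    if verdict == "pass":
        return "250 2.1.5 Recipient OK"
    return "450 4.7.1 Greylisted, please try again later"


if __name__ == "__main__":
    clock = ManualClock()
    gl = Greylist(retry_after=300, clock=clock)
    triplet = ("203.0.113.5", "news@mail-example.test", "someone@yourdomain.net")   # constructed
    for delay in (0, 60, 300):
        clock.t += delay
        verdict = gl.check(*triplet)
        print(f"t+{int(clock.t - 1000)}s: {verdict} -> {smtp_reply(verdict)}")
```

The two benefits in the article follow directly: a sender that never retries is never delivered, and a sender that retries only after the window has passed has given DNS blacklists more time to catch up with it. Legitimate mail servers retry a 4xx response as a matter of course, which is why the delay costs genuine senders only time.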
There are a number of traditional methods that should always be employed; I will not go into the details:
- Missing HELO/EHLO
- Missing Mail Exchanger (MX) Records
- DNS Blacklists eg Spamhaus
- Uniform Resource Identifier (URI) Lists eg SURBL
Digitally signed email has been around for many years but is not widely adopted. It is not practical for message senders to have a digital certificate that can be recognized by all recipients.
Phishing is real and on the increase, and we can all be a target, which means we are all at risk. To reduce the risks, there are things we can do ourselves and there are things that our email provider(s) can do too. Ultimately, we want to create a “think before you click” culture, but at the same time, we are also interested in automated ways to reduce the chances of the threats arriving in our inboxes.
An international Information Technology specialist working in technology for over 20 years. Based in Thailand for over 16 years and currently holding the position of Group CIO for RMA Group; a multinational company with headquarters in Bangkok, specializing in Automotive (Retail/Wholesale/Modifications), Infrastructure (Power & Heavy Equipment), Engineering Solutions and Hospitality (Food & Beverage), with over 7,500 employees and offices in 14 countries. Managing teams of IT professionals, supporting IT Operations and Business Systems across, overcoming the challenges of diverse business streams in mature and emerging markets. https://www.rmagroup.net/