One Phish, Two Phish, Spear Phish…Breach!

May 17, 2016 – A Familiar Tale

It’s 4:30 pm on a Friday, and you’re mentally checked out, eagerly waiting to leave for a weekend-long camping trip. As you begin to tidy up your desk and power down your computer, a last-minute email shows up which catches your eye. It appears to be the vendor invoice you have been waiting for. You quickly scan through the body of the email, download the attachment titled “Invoice 2016”, open it up and then…“uh-oh”. Your monitor immediately goes black and then gibberish words and symbols appear on your screen. Caught totally off guard, you panic and quickly pull the power cord from the computer in hopes of stopping a data breach. As you casually close and lock the door to your office, you think to yourself, “thank heavens for my ninja-like reflexes” as you begin your long weekend.

It’s A Cruel Cyber World

Email spam is everywhere. Electronic mailbox systems are flooded with it daily, and depending on your IT safeguards, either you are protected from this onslaught because your network defenses are hard at work keeping the garbage from reaching you, or you as a user have to sift through these unwanted messages in hopes of responding to the legitimate ones.

According to the April 2016 Symantec Internet Security Threat Report, there were more than 430 million new unique pieces of malware in 2015, up 36% from the year before. To top it off, spam accounted for 54% of global email.

A little over 1 of every 2 emails you receive has the potential to be harmful.

Knowing the Bait

For starters, we have to understand why this is happening. To put it simply, others want what we are trying to protect. Whether it’s access to your computer, your bank account, your credit cards, your identity, your trade secrets or your collection of family pictures, there is someone out there trying desperately to acquire access to your information. Although the motives are the same, the methods range from complex masquerading techniques to elegant password-cracking programs.

One of the more well-known but still highly devious methods of getting at your personal information is Phishing (pronounced…fishing, and unrelated to the improvisation and extended instrumental groove band Phish). Phishing includes Social Engineering, Link Manipulation and Web Site Forgery and is intended to lure the reader to either click on a malicious link in an email/web page or download an infected attachment. Either of these options may instantly create a pathway for hackers to steal data or plant malware (harmful computer programs) on your device. Many of the major cyber security breaches of years past began with someone falling prey to a phishing scheme. The recent Target breach unraveled when a third-party vendor of Target was caught by a phishing email, which allowed the hacker to expose Target’s vulnerability.

A more sophisticated version of phishing has been coined “spear phishing”, which removes the randomness of the email by crafting a more personalized message for the intended recipient. This elevates the credibility of the email and increases the chances the victim will fall for the phish. Oftentimes the spear phish email will bypass your company’s spam filter because of the personalized nature of the message, which positions you as the last line of defense.

Common spear phishing emails come in the form of bank messages, package shipment delays, fraud notifications on your credit card and LinkedIn messages, just to name a few. This was the case for our poor fellow in the opening paragraph, which is based on a true event. The story ended with the computer being rendered useless until a ransom was paid to the hacking organization to decrypt the data.

Cutting the Line on Phishing

How can you reduce the risk? Here are some proven techniques:

  • Periodic employee education is the utmost priority. Merely sending out an email once a year on security awareness doesn’t cut it. A much stronger option is crafting a security program that clearly defines employee expectations, examples of old and new threats, the organization’s security controls and consequences for violations.
  • When you open an email, slow down and think before you click on links or download attachments. Carefully examine the contents of the email and look for clues such as poor grammar or multiple misspelled words.
  • Examine the sender’s email address to ensure it’s from a trusted known source.
  • Do not respond to an email requesting personal information, passwords or user IDs. Banks and financial institutions will never ask for this information through email.
  • Ensure your anti-virus and firewall applications are current on updates and patches.
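The sender, attachment and spelling checks in the list above can be applied mechanically to a raw message before a person ever opens it. The script below is an added example written for this page, not code from the original post or from Dopkins; the two messages, the trusted-domain list, the risky-extension list and the misspelling list are all constructed assumptions a real deployment would replace with its own.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from os.path import splitext

# Two constructed messages (not real captures): one modelled on the "Invoice 2016"
# lure in the opening story, and one legitimate invoice from the assumed vendor.
PHISH_EMAIL = b"""From: "Acme Supplies Billing" <billing@acme-supp1ies-invoices.com>
To: you@example.com
Subject: Invoice 2016
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please find attatched the invoice you requsted. Kindly open it imediately.
--BOUNDARY
Content-Type: application/octet-stream; name="Invoice 2016.pdf.exe"
Content-Disposition: attachment; filename="Invoice 2016.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

CLEAN_EMAIL = b"""From: "Acme Supplies Billing" <billing@acme-supplies.com>
To: you@example.com
Subject: Invoice 2016
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please find attached the invoice you requested.
--BOUNDARY
Content-Type: application/pdf; name="Invoice 2016.pdf"
Content-Disposition: attachment; filename="Invoice 2016.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

# Assumed policy inputs: domains the organisation actually does business with,
# attachment types that can run code, document extensions that are abused in
# double-extension names, and a short list of misspellings seen in lures.
TRUSTED_DOMAINS = {"acme-supplies.com", "example.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".docm", ".xlsm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
COMMON_MISSPELLINGS = {"attatched", "requsted", "imediately", "recieve", "verifiy", "acount"}


def sender_domain(msg):
    """Lower-cased domain of the From address, ignoring the display name ('' if absent)."""
    _display_name, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def risky_attachment_names(msg):
    """Attachment filenames with an executable extension or a document extension hidden before it."""
    risky = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        stem, ext = splitext(filename.lower())
        _, inner_ext = splitext(stem)
        if ext in RISKY_EXTENSIONS or inner_ext in DOCUMENT_EXTENSIONS:
            risky.append(filename)
    return risky


def misspelling_count(msg):
    """Number of words in the plain-text body that match the known-misspelling list."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return sum(1 for word in re.findall(r"[a-z]+", text.lower()) if word in COMMON_MISSPELLINGS)


def assess(raw_bytes):
    """Run the checklist over one raw RFC 5322 message and return the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    domain = sender_domain(msg)
    report = {
        "sender_domain": domain,
        "untrusted_sender": domain not in TRUSTED_DOMAINS,
        "risky_attachments": risky_attachment_names(msg),
        "misspellings": misspelling_count(msg),
    }
    # Any untrusted sender or risky attachment, or a cluster of misspellings, warrants a pause.
    flagged = report["untrusted_sender"] or report["risky_attachments"] or report["misspellings"] >= 2
    report["verdict"] = "review" if flagged else "ok"
    return report


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, assess(raw))
```

The sender check deliberately ignores the display name and looks only at the domain after the `@`, because a convincing display name is exactly what a spear phish relies on; the attachment check catches both a bare executable and the “.pdf.exe” double-extension trick. A verdict of “review” is a prompt to slow down, not proof of an attack.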

Need Help?

If you are unsure whether your business is adequately protected, our Information Security Baseline Review is an ideal starting point for answering these types of questions and many others which could potentially harm your organization. This review also provides you and your key managers with a basic education of both the threats your company’s information faces and what practical approaches you can take to protect it. Contact William Prohn at wprohn@dopkins.com to tackle your information security concerns.

About the Author

William Prohn CISSP, CISA, CGEIT, CRISC

Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.