A recent warning from the NZ Law society to its members to be vigilant against phishing scams and the shutdown of Hawera High School’s computer system a couple of weeks ago bring home the importance of vigilance and awareness around email scams and cyber security.
Phishing is when a criminal sends you an email that entices you to open a file or click a link designed to give them some access. More sophisticated scams may even involve a whole bogus email conversation before enticing you into dangerous behaviour.
The first phishing scams a decade ago often looked like they were alerts from your bank and led to what looked like your bank’s login screen. Of course, if you entered your account number and password, you’d have given the ‘phisher’ access to all your funds.
Such scams are still common, but now there are a wide variety of tricks in use. All involve you following instructions in what almost always seems an unusual email.
“Whenever you receive something odd through email, your ‘spidey sense’ will normally warn you,” CommArc security analyst Steve Brorens said.
“You just need to heed that warning, and take measures to confirm that the email is genuine before clicking any links, opening attachments or responding.”
For example, a recent spate of emails targeting large law and construction firms appeared to come from genuine staff members using WeTransfer as a file sharing site. A click on the link, however, opened the recipient and the company up to the whims of hackers.
Brorens said that while the emails looked convincing, the recipients hadn’t asked the sender for the files, so should have been immediately on guard.
“If an email is from someone you don’t know, or someone you do know but it’s out of character – you haven’t been having discussions about a new project but you’ve been sent plans for one – be very wary about clicking on it or opening any attachments,” Brorens said.
“If you have doubts, don’t reply to the original email but pick up the phone, walk down the corridor, or start a new email to whoever the original email was from. That puts you in control and should ensure your safety.
“Alternatively, forward the message to your IT support people for checking”.
Brorens said there are generally two goals for the hacker – to get your money or get control of your system so you have to pay them money.
“If the target runs an application, typically something bad will happen. It’s likely it will be ransomware which will look at all the documents the target has access to – which in many businesses will be all of them – and it will encrypt them. You won’t be able to get them back unless you pay the ransom.”
While well-maintained systems will have good backups, Brorens said, restoring from these typically takes a minimum of half a day.
“Although it may cost less to simply pay the ransom, you just wouldn’t go down that track. It’s a pain and expensive to do, and no-one wants to be rewarding criminals”.
Getting tricked by a ‘phishing’ email can be an expensive mistake in other ways too. If a senior staff member has their password stolen, in the absence of two-factor authentication (2FA) the hacker can log in from anywhere in the world and have complete access to every document they have access to.
If accounting staff get their credentials captured, the criminal hacker can impersonate them and change payment instructions to send funds to the fraudster’s account instead of the legitimate recipient.
Brorens said even the best email firewall, antispam, and antivirus products will still let a small proportion of email scams through.
“Really the only water-tight solution is to restrict most staff so that they can’t receive email from the Internet – something which is unrealistic for most companies.
“So, the only other alternative is to train people to be a more careful.”
“To help with this, CommArc offers ‘simulated phishing’ training campaigns to clients. This teaches staff how to spot dodgy emails – and gives management a measure of how cautious staff currently are.
“Clearly if 50% are fooled by our test emails then the business is at grave risk, and staff urgently need training. Our experience is that running such tests every six months or so soon pushes such rates down drastically.”
So be wary when opening your emails. If your “spidey senses” go off and you suspect there’s something wrong, or the email is completely unexpected or out of character, hit the delete button.