Email security has become part of the job description for every employee. All it takes is one employee to cause a breach that opens up the entire company. For example, consider The New York Times: the recent breach by Chinese hackers was done via a phishing or spear phishing email. All that was necessary was that one email to be opened, and The New York Times network was accessible to the hackers. And once an attacker is behind the firewall, then the hacker can do anything.
Recently, hackers have been getting even more creative. One of the students in the information security class I teach showed me an email that she received. It contained a message about email phishing schemes and what to look for. The subject line was incorrect when compared with previous emails from the same organization. The body of the email had an incorrect logo and a slightly incorrect signature line. Also, there was a link with a call to action that requested my student to sign in to her account and learn more. She reported this email to the company who allegedly sent it. Had my student not been aware of phishing schemes, she might have clicked on the link and opened up her system to hackers.
Without proper training, it is easy for an employee to accidentally open and launch a window for a hacker. It is the duty of every personnel department to train new employees as to what to look for when receiving email messages. This information should be included in employee manuals and should also be posted on lunch room walls as reminders. With the volume of emails we all receive on a daily basis, it is very easy to forget that one of the emails could be a “Bomb” that could cause a breach. And a network breach can lead to data loss, loss of reputation, and denial of services for your employees and clients.
There are two types of phishing email messages: phishing and spear phishing. Phishing is a generic type of email that is sent to everyone in a company with the hope that someone will open the email and click on a link or open an attachment. There are no names attached to it, the subject line is generic, and the TO: line usually says recipients_not_disclosed. That’s a dead giveaway! Finally, the FROM line does not conform to corporate email standards.
The second form of phishing is called spear phishing. This type of email is more insidious. Someone or some organization has taken the time to find information about a specific employee and personalize an email message to make it look like it has been sent to that person from someone he or she knows. As a result, the email looks legitimate. This email is designed through a few methods. The attacker scours Facebook, LinkedIn, Twitter, and possibly financial information sites, such as, Hoovers. The hacker may make calls to a company’s receptionist to find other pertinent information regarding the email recipient, possibly email address and/or phone number. In bigger companies, they may even call the IT department and claim that they are the person of interest and forgot their email password and ask for it to be reset. Hopefully, there are policies in place with the IT department that make it impossible for someone to change a password without multifactor authentication (multiple types of ID must be given before the password can be changed – this is an issue for another post). Spear phishing emails are usually sent to management-level employees since they tend to have more network privileges.
Once again, even with spear phishing, the questions one must ask include: Are you expecting an email from this person and do you even know him or her? Is there a link in the body of the email? If yes, do not click on it. If you really must know what the link is, send it to the IT department or your security team and let them confirm if it is legitimate. Due to the speed of business these days, it may be difficult to remember what to look for, but it’s also difficult to recover from a breach. It can happen to anyone, don’t let it be you for your company’s sake.
Host computers should all have a good virus scanner to scan inbound emails and attachments. After that, here are some things to look for when determining if you’re looking at a phishing email. Does the email address in the FROM: line correspond to the corporate email layout? This may mean: last name first, or first name last. When a message is sent to you, are you expecting an email from that person or is the email coming from someone you don’t know? Look at the subject line of the email: Are there any misspellings in the subject line, and does it make sense?
Make it a policy to never click on live links within an email message. A live link (one that is colored and underlined) could look like a legitimate link but the actual link may send you somewhere else. If you really must know what the link is, copy and paste it into the notepad program. This will show where the link is actually pointing you to. Hovering the mouse over the link will reveal the actual URL. However, if the URL is embedded in an image within the email, you will have to retype the entire URL. There are two other options for shortened links (for example, bitly.com or goo.gl). All you need to do is visit either http://checkshorturl.com or http://urlxray.com. These two sites will allow you to view the entire URL so that you can determine if it’s safe to click and view.
Sometimes emails arrive in your inbox under the guise of legitimacy. They appear to come from somewhere within your organization, but they’re not. An email arrives and asks to change your security credentials – but don’t be fooled. First of all, there should be a general announcement regarding this topic distributed company-wide to all users. It will be sent out by one person, not from “The Security Team.” Be aware of that. Emails regarding this sensitive issue must be sent by individuals, not groups, and an email sent by an internal employee will adhere to corporate email structure, fakes do not.
Many breaches come from an email that looks legitimate from an internal employee. So, look at the signature line at the bottom of the email. If it isn’t the standard signature line that your company uses for all emails, it’s probably suspect. I realize that checking an email to be sure that it’s real can be time-consuming, but the more you look for errors, the better you become at spotting them.
The larger a company is, the harder it is to remind employees about staying vigilant. But in the long run, what’s worse: reminders or hackers? You do the math.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.