In this episode of 60 Minutes, correspondent Scott Pelley reported on the growing cybersecurity threat known as ransomware. In the story, he reviewed a number of “cyber hygiene” best practices that every organization should enact in order to safeguard against hackers. Essentially, there are three forms of ransomware prevention. Policy-based preventative measures protect access to systems via multi-factor authentication and periodic password resets, as well as account lockouts after multiple failed attempts. Technology-based measures, those enforced before any user interaction, include firewalls, web filters, and administrative controls such as IP address and domain whitelisting and blacklisting. But when all else fails, the last line of defense, the third preventative measure, is really behavioral. It depends on how end-users perceive and respond to risky emails. How we respond to potential data security threats still matters.
It all starts with an email. As the many examples cited on 60 Minutes show, the telltale signs of a phishing expedition are becoming more subtle even as end-users become more suspicious. While everyone is aware of the classic Nigerian prince email requesting bank account info, how many are prepared for an email spoofed to look like it comes from their boss requesting urgent information?
Luckily, there are still a number of human-driven detection methods that may keep your organization ahead of the technology curve. As Tom Pance from Blackberry Cylance mentioned, there can be subtle and not-so-subtle cues that help end-users identify a phishing email, such as misspelled words, suspicious links or attachments, or unusual requests for critical data. The truth is that even the most cynical end users can be fooled if they are not constantly updating their awareness of phishing modus operandi.
Trust Your Instincts
Despite all the technical countermeasures to cybersecurity threats, a substantial component of end-user threat detection remains intuitive. Luckily, the look and feel of the email itself, as well as its tone and content, can trigger a sense that something’s not quite kosher with the message. All it takes is a little time and scrutiny to separate the wheat from the chaff. Unfortunately, not all end users have the luxury of time before responding to urgent requests from someone purporting to be their boss. But it’s fair to say that any request for organizational “nuclear codes” such as proprietary data or financial records should prompt end-users to do a procedural double-check.
Even though emailing and texting are increasingly the primary contact methods in our busy lives, an old-fashioned telephone call remains one of the best verification methods for suspicious requests. Let’s say you’ve received an email from the president of your company requesting the social security numbers of all employees. Given the nature of the request, recipients should reach out for verbal confirmation, no matter how high up the chain of command they must go.
Do Some Source Recon
While many cybercriminals go to the trouble of mimicking the corporate look and feel of the organization they’re spoofing, the result doesn’t always stand up to scrutiny. For example, you may receive an email that looks like it’s from a representative of your bank. It has a corporate logo in the HTML, a name and signature line, and something that looks like the corporate URL. What happens if you mouse over the link? Does the previewed address actually match the organization’s domain, or is there some odd prefix?
The fact of the matter is that even the most carefully crafted phishing email still has to redirect you to the hacker’s web site. In other words, if you receive an email from Bank of America asking you to reset your password, but the link previews as a misspelled version of the site or a completely different URL altogether, it’s time to think twice about clicking. No matter how convincing the rest of the message may be, the source code doesn’t lie.
Similarly, with spoofed emails pretending to be from internal contacts that invite us to click links or submit sensitive internal records, a little source investigation goes a long way. As with fake URLs, recipients can check the originating email address no matter what the sender looks like on the surface. A right-click (or expanding the sender’s name) reveals the actual address and its domain, and that alone often rules out who did not send the message. You may discover an alias for someone posing as an internal colleague: perhaps it doesn’t align with your company’s naming convention, or it comes from a different email domain altogether. Either way, knowing how to expose the true source of suspect emails can be empowering for end-users.
Google is Your Friend
Most cybercriminals don’t take the time to compose a unique phishing email for each target organization. Even when the greeting is personalized, if the body of the message has been in circulation for any length of time, it is worth some cyber sleuthing. Organizations should encourage recipients to research suspicious emails in Google, entering a distinctive phrase in quotes. If it was part of an email blast in the recent past, you’re likely to find repeat offenders listed on a web wall of shame or an end-user support forum. Although the internet creates the opportunity for cybercrime, it is also an invaluable resource for broadcasting suspicious email behavior and expanding end-user awareness.
No matter how sophisticated the email, end-users should remain on the lookout for the following phishing components:
- Request for financial information or access to critical data
- Urgent timelines (discouraging message scrutiny)
- Suspicious hyperlinks or file attachments
- Unprofessional content and informal language (misspellings, HTML and CSS slightly off the corporate brand)
- Sender identity out of character (not following email naming convention or domain)
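The “source recon” checks described above (does the visible link text point where the href actually goes, and does the sender’s display name match the domain behind it) together with the indicator list can be turned into a small triage script. The following is an added example, not code from the article or from 60 Minutes; the sample message, the domain names in it, the assumed internal domain `examplecorp.example`, and the urgency and sensitive-data word lists are all constructed for illustration.

```python
# Added example (not from the original article): apply the link, sender,
# urgency and sensitive-data checks from the text to a raw email message.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims to be the company president,
# the address sits on an outside look-alike domain, and the link text shows
# the bank's domain while the href points somewhere else entirely.
SAMPLE_EMAIL = """\
From: "Pat Smith, President" <pat.smith@examplecorp-mail.xyz>
To: staff@examplecorp.example
Subject: URGENT: need all employee SSNs today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please reset your credentials immediately at
<a href="http://bankofamerica.example-login.xyz/reset">https://www.bankofamerica.com/reset</a>
and send me the SSN list for all employees by noon.</p>
</body></html>
"""

INTERNAL_DOMAIN = "examplecorp.example"  # assumed organization domain


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation; no public-suffix list used."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Hostname from a URL or bare domain in link text, else None."""
    host = urlparse(text if "://" in text else "http://" + text).hostname
    return host if host and "." in host else None


def check_links(html_body):
    """Flag anchors whose visible text names a different domain than the href."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host, text_host = host_of(href), host_of(text)
        if href_host and text_host and \
                registrable_domain(href_host) != registrable_domain(text_host):
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
    return findings


def check_sender(from_header, internal_domain):
    """Flag a sender whose address domain is not the organization's own."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain != internal_domain.lower():
        return [f"sender '{display_name}' uses external domain {domain}"]
    return []


# Assumed word lists; a real deployment would tune these to the organization.
URGENCY = re.compile(r"\b(urgent|immediately|today|by noon)\b", re.I)
SENSITIVE = re.compile(r"\b(ssns?|social security|password|credentials|wire transfer)\b", re.I)


def triage(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Run all checks over a raw RFC 5322 message and return a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    findings = check_sender(str(msg["From"] or ""), internal_domain)
    findings += check_links(text)
    subject_and_body = f"{msg['Subject'] or ''}\n{text}"
    if URGENCY.search(subject_and_body):
        findings.append("urgent timeline language present")
    if SENSITIVE.search(subject_and_body):
        findings.append("request touches sensitive data or credentials")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, the script reports all four indicators: an external sender domain behind an internal-sounding display name, a link whose text and href disagree, urgency language, and a request for sensitive data. The domain comparison is deliberately crude (last two labels, no public-suffix list), which is enough to surface the mismatch a user would see on hover but not a substitute for a mail gateway’s own URL rewriting and sender authentication checks.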