Phishing: how it works and how to prevent it
With some 290 million potentially dodgy emails being sent every day, how do you safeguard your business and employees from the ‘Chummies’? Mark Norris, IT Security Manager, says the winning combination is clever technology plus on-going staff training and awareness.
I must admire some of the Chummies out there for their inventiveness and audacity to trick people. Admire is probably a little bit of a strong word. More like impressed as in how impressed I am that cockroaches have been around for over 300 million years and can survive for a week without a head.
But rest assured that Chummies are only after money. Any way that they can trick you into parting with your hard-earned cash, or into giving them information that will lead to your hard-earned cash, is all they are after. There are a lot of spam emails doing the rounds, ranging from offers of software to install on your computer to ‘protect you from the coronavirus’ through to fake emails from Tesco offering a chance to shop for free this COVID-19 season.
Phishing in castles
We sit in our ivory castles and wonder how people fall for these fake emails. But the numbers favour the Chummies. Depending on where you look, the estimates are that 14.5 billion spam emails are sent every day. The majority of those are advertising emails and only about 2 per cent of all spam emails are fraudulent or scamming emails. That still means 290 million potentially dodgy emails are sent every day.
And now for the biggie. Of those 290 million emails, roughly three quarters are phishing emails: emails that are trying to steal your email address and/or password. That means every single day something like 211,700,000 phishing emails are distributed. Nobody sends that many unless they work. Out of 211 million emails in a day, someone somewhere will be distracted, or will be expecting an email from Tesco, and will fall for the phishing attack.
Chummies look to exploit human nature to trick us into giving them the information they want. There are seven areas that they look to exploit and when two or three of these areas are combined, the possibility of a phishing campaign working is greatly increased.
These areas are: money, greed, curiosity, urgency, self-interest, fear and helpfulness.
Also, any email offering free pizza to an IT person is guaranteed to work. I am sure we have all received an email saying that we are entitled to a refund from someone, but only if we click on the link within the next 48 hours. This email combines money and urgency. The latter is a common theme in phishing emails. We should all be suspicious of any email that has a sense of urgency or threatens us with dire consequences if we do not act upon its content.
As I stated in my first blog, adopting an “if in doubt throw it out” philosophy is a good approach. I tend to immediately delete any email from my manager that is urgent or threatens dire trouble if I do not do something. That may explain why I am on first name terms with HR 😊
The power of Office 365
But what else can you do to avoid becoming paranoid about every email you receive? If you are using Office 365, there are enhancements that can be made to strengthen it: rules that block auto-forwarding of emails (a compromised mailbox is often quietly set to forward copies of everything to the attacker), rules that block key words (nearly 50 per cent of spam emails contain the word ‘free’), and rules that block emails from countries you know will never be emailing you. Obviously, you cannot block every email containing the word ‘free’, but you can block emails containing words such as ‘hacker’, ‘bitcoins’, ‘porn’, ‘beetroot’ and so on.
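Here is what those three controls look like in Exchange Online PowerShell. This is an added example, not configuration from the original post or from Microsoft's documentation: it assumes the ExchangeOnlineManagement module, an account holding the Organization Management or Transport Rules role, and that the rule names, keyword list and region codes are placeholders you replace with your own.

```powershell
# Added example: hardening an Office 365 tenant against the three problems above.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account can
# manage transport rules and anti-spam policies; 'Default' is the untouched default
# policy name; keyword list and region codes below are illustrative placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline          # interactive sign-in

# 1. Auto-forwarding. Two layers: the tenant-wide outbound spam policy, which stops
#    mailbox rules and clients forwarding outside the organisation, and a transport
#    rule that rejects any auto-forwarded message addressed to an external recipient.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'

# 2. Keyword blocking. Keep the list to words a legitimate correspondent would not
#    use; a rule on 'free' would also bin your own marketing and the finance team's
#    'free of charge'. Quarantine rather than delete so false positives can be released.
$BlockedWords = @('hacker', 'bitcoins', 'porn', 'beetroot')   # placeholder list
New-TransportRule -Name 'Quarantine keyword spam' `
    -FromScope NotInOrganization `
    -SubjectOrBodyContainsWords $BlockedWords `
    -Quarantine $true

# 3. Region blocking in the default anti-spam (content filter) policy.
#    ISO 3166-1 alpha-2 codes; 'XX' and 'YY' are placeholders, not real codes.
$BlockedRegions = @('XX', 'YY')
Set-HostedContentFilterPolicy -Identity Default `
    -EnableRegionBlockList $true `
    -RegionBlockList $BlockedRegions

# Verify what is now in force.
Get-HostedOutboundSpamFilterPolicy Default | Select-Object Name, AutoForwardingMode
Get-TransportRule | Format-Table Name, State, Priority
Get-HostedContentFilterPolicy Default | Select-Object EnableRegionBlockList, RegionBlockList
```

Test the keyword rule against your own outbound mail before enabling it tenant-wide (`New-TransportRule -Mode Audit` lets a rule log matches without acting), and remember the region block only looks at the connecting server's location, so a Chummy renting a server in your own country sails straight past it.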
O365 can be made stronger and, in most cases, it is enough. However, bear with me here, imagine you own a cricket team and you have the best allrounder available. Now, your allrounder will score you runs; they can bowl and get you wickets and they can field. That is what an allrounder does in a cricket team. It can do all the jobs you need from a cricket player. But at times is that enough?
At times you need an opening batsman who will knock the ball all over the field, score loads and loads of runs but bowl worse than a three-legged donkey. Or you need a bowler who can bowl a ball at the speed of light, make it swing in or out and claim wickets in the hundreds. But put a bat in their hands and the odds are the bat will travel further than any ball they may hit. The same applies to email security.
O365 is an all-rounder. But there comes a time when you need a specific email security tool. This is your super-duper bowler, your opening batsman or the fielder that can catch any ball that is in the air.
Block it to stop it!
Products like Mimecast offer that expertise. Their sole purpose is to block bad emails. These products will block over 90 per cent of the emails that an ‘out of the box’ O365 set-up would let through. They are so good at what they do that they continue to test emails from people you may have added to your safe sender list. For example, I may tell Mimecast that Fred.firstname.lastname@example.org is a friend and to be trusted. Their name is on the exclusive access list, but their email account could be compromised.
Mimecast will still scan all their emails and if it finds something it does not like, it will block it. Companies need this extra help when it comes to email security because companies are no longer the targets: people are.
Chummies are targeting people specifically via spear phishing emails. Companies spend their hard-earned cash bolstering their defences, but where are the weakest links? Companies install smart firewalls, create whitelists and blacklists, create great ACLs, spend a fortune on network monitoring tools and SIEM products, and still get exploited because Steve in engineering clicked on a link in an email.
Training and awareness
Staff training is paramount. Staff need to know what the seven areas above look like in a real phishing email, to hover over links before clicking them, and to ask questions such as:
- Who sent the email as it is not someone I ordinarily communicate with?
- Who are all these other people CC’ed into the email?
- They have spelt focusgroup.co.uk as focusgruop.co.uk
- Blimey, Sue was working late. She sent that email at 03:15 this morning.
- This sender is asking me to click on a link to avoid a negative consequence, or to gain something of value, within a short period of time.
These are questions that we should all be asking when we open any email. But how good are your staff at spotting phishing emails? How do you know where the weak areas are in your staff education? Even the ICO website now states that phishing tests should be carried out internally.
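The checklist above can be turned into something a machine asks on your behalf. The following is an added example, not code from the original post: a small PowerShell function that scores a message against those red flags (unfamiliar sender domain, look-alike spelling, a crowd of CCs, an odd send time, urgency language, and a link whose visible text names a different host from the one it really points at). The known-domain list, working-hours window, CC threshold and the sample message are all constructed assumptions for the demonstration.

```powershell
# Added example: applying the phishing red flags above to a message.
# Assumptions: $KnownDomains is a list you maintain of domains you genuinely
# correspond with; 07:00-20:00 is taken as normal working hours; five or more CCs
# is taken as unusual; the sample message at the bottom is constructed.
# Requires PowerShell 5 or later for [int[,]]::new().

$KnownDomains = @('focusgroup.co.uk', 'example.org')   # assumption: your real correspondents

# Levenshtein distance, used to spot look-alike domains such as focusgruop.co.uk.
function Get-EditDistance {
    param([string]$A, [string]$B)
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Test-PhishingSigns {
    param(
        [string]   $FromAddress,
        [datetime] $Sent,
        [string[]] $Cc = @(),
        [string]   $HtmlBody
    )
    $flags = @()

    # 1. Is this someone I ordinarily communicate with? And is the domain a near-miss of one I trust?
    $domain = ($FromAddress -split '@')[-1].ToLowerInvariant()
    if ($domain -notin $KnownDomains) {
        $flags += "sender domain '$domain' is not one you ordinarily correspond with"
        foreach ($known in $KnownDomains) {
            $dist = Get-EditDistance $domain $known
            if ($dist -ge 1 -and $dist -le 2) {
                $flags += "'$domain' looks like a misspelling of '$known' (edit distance $dist)"
            }
        }
    }

    # 2. Who are all these other people CC'd in?
    if ($Cc.Count -ge 5) { $flags += "$($Cc.Count) people CC'd; do you know them all?" }

    # 3. Was Sue really working at 03:15?
    if ($Sent.Hour -lt 7 -or $Sent.Hour -ge 20) {
        $flags += "sent at $($Sent.ToString('HH:mm')), outside normal working hours"
    }

    # 4. Urgency or threats: 'within the next 48 hours', 'will be suspended', ...
    if ($HtmlBody -match '(?i)(within|in)\s+the\s+next\s+\d+\s+(hours?|days?)|\burgent\b|immediately|will be (suspended|closed|deleted|cancelled)') {
        $flags += "urgency or threat language: '$($Matches[0])'"
    }

    # 5. The 'hover over the link' check: does the visible link text claim a host
    #    that differs from the host the href actually points at?
    $anchors = [regex]::Matches($HtmlBody, '<a\s[^>]*href="([^"]+)"[^>]*>([^<]+)</a>', 'IgnoreCase')
    foreach ($a in $anchors) {
        $uri  = $a.Groups[1].Value -as [uri]          # $null for relative or malformed hrefs
        $text = $a.Groups[2].Value.Trim()
        if ($uri -and $text -match '^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)') {
            $textHost = $Matches[1]
            if ($textHost -ne $uri.Host) {
                $flags += "link text says '$textHost' but it points at '$($uri.Host)'"
            }
        }
    }
    return $flags
}

# Constructed sample message that trips several flags at once.
$sample = @{
    FromAddress = 'sue@focusgruop.co.uk'
    Sent        = [datetime]'2020-03-10T03:15:00'
    Cc          = @('a@example.org', 'b@example.org', 'c@example.org', 'd@example.org', 'e@example.org')
    HtmlBody    = 'Your refund is waiting. Claim it at <a href="http://refund-portal.example.net/claim">https://focusgroup.co.uk/refund</a> within the next 48 hours or it will be cancelled.'
}
Test-PhishingSigns @sample | ForEach-Object { "FLAG: $_" }
```

Each flag on its own is weak evidence (plenty of genuine mail arrives at 03:15 from a different time zone), which is exactly the point made earlier: it is the combination of two or three of these signals that should make you stop, hover, and ring the sender rather than click.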
You may start with over half of your staff failing, but with a regular phishing schedule from, say, InfoSecurity Cloud, you can reduce this to around 1 per cent. Phishing tests are becoming as mandatory as firewalls these days. I run quarterly phishing tests and when I started, we had around a 25 per cent failure rate. However, the last test in January this year was less than 1 per cent. They keep staff on their toes.
Eradicate the cockroaches!
I said above that Chummies win because the numbers are in their favour, but timing also matters. Out of the 211 million emails sent out every day there will be someone for whom the subject line or the content is meaningful, and this is another reason why Chummies are successful. The estimates are that by the end of next year cyber criminals will be making $3 trillion a year.
Am I in the wrong business? In fact, my poor grammar and spelling are probably a bonus; I could make a lot more money being a Chummy. A few £40,000 here and there would pay for that Aston Martin. But could I sit there in my DB7 knowing I had conned some company out of a lot of money? The answer is no and, though I do admire the effort by these people, they are without doubt the cockroaches of the computer world.
Don’t get caught out
I thought I would leave you with a story of why phishing tests work. Five years ago, a young, dashing security manager had his monthly 1:1 with his manager. Okay, he was neither young nor dashing, but he was a security manager with 15 years of experience in IT security and compliance. I had just finished my meeting with my manager when the conversation switched to a new replacement laptop, as his was over four years old.
The manager gave him the link where he could order a new laptop. That afternoon, our ‘dashing’ security manager went to the website to order his new laptop. Imagine my surprise when getting to said website my two options were an HP laptop, or a MacBook Pro. IBM were offering HP or Macs as the only option.
MacBook Pro it was. Details were supplied and forms filled out. Our security manager received an email stating that his request for a MacBook Pro was approved and that he would receive an email when it was ready to be collected. Two days later, an email arrived saying your new laptop is ready to be collected. Click here to choose which location in the UK you want to collect it from. Imagine my surprise when a big red circle appeared saying you had just failed a phishing test. Looking back at the email I could then see that the links were wrong, but because the email was expected about a new laptop, this test worked. Timing.