Electronic mail, otherwise known as email, has revolutionised how we communicate with others. Like it or not, it has become an absolute staple of professional communication, whether it's sending out a company-wide communication or the passive-aggressive "As per my last email" with the boss cc'd (carbon copy, for anybody ever wondering what that stood for). There is no denying the impact it has had on the world.
However, in the 49 years since the first email was sent, people have seen an opportunity to use this medium (let's be honest, like they do all mediums) to exploit people for monetary gain with minimal effort, or just to be annoying. Personally, I'd break these kinds of emails into two camps: spam and phishing. It's an over-simplistic way of looking at it, but for the purposes of this blog you'll understand why.
First off: spam. The name references a Monty Python sketch of the same name. Spam is annoying, unrelenting and nigh on unblockable. If you've ever had an email address, it has definitely received spam. Good luck opening a Hotmail or Gmail account you haven't used in 10 years, because it'll be all spam plus one legitimate email from somebody you no longer talk to. Think of it as the electronic version of the junk mail you get in the letterbox at the front of your house. It's mostly harmless beyond the mild annoyance.
The star of this blog: phishing emails. They come in a few varieties, and we'll cover the main ones you'll see. Their main purpose (as stated on Wikipedia) is to fraudulently "attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication."
Standard phishing: the most famous example was the classic Nigerian Prince email. No real target; broadly sent in the hope of getting a bite. Believe it or not, these kinds of advance-fee scams were believed to have raked in almost three quarters of a million dollars in the US last year alone.
Spear phishing: targeted emails. You'll see these with increasing frequency, as they are 'in vogue'. The main version of spear phishing you'll see will state that your password has expired and provide a link to reset it. This link can often look legitimate, and the web page it opens can look like a flawless copy of the site it's imitating. Regardless of what you put in the password field, it will say it's incorrect, at which point you'll frustratedly think 'I'm sure I put that in right' and enter it again; each time you do this, it stores that information. Once you've done that a few times, the originator has your username and your password, and by entering it more than once you've confirmed that it is your password. If the account they are trying to access is an email account, they will likely use your mailbox as a trojan horse to send further phishing emails, as well as fake 'invoices' to be paid into the originator's account.
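As an added illustration of the lure described above (example code written for this topic, not code from the original post or from Bizpro), here is a small Python check that parses a constructed sample email and flags the tell-tale signs: password-expiry phrasing, a link whose visible address differs from where it actually goes, and a link host outside a trusted-domain list. The sample message, the phrase list and the trusted domain are all assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample: a "password expired" lure as raw RFC 822 text (not a real message).
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Action required: your password has expired
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password has expired. Reset it within 24 hours to keep access.</p>
<p><a href="http://login-example-com.reset-portal.example.net/auth">https://login.example.com/reset</a></p>
</body></html>
"""

# Phrasing typical of the password-reset lure (assumed list, extend to taste).
LURE_PATTERNS = [r"password has expired", r"reset (your|it)", r"within \d+ hours"]
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def analyse(raw, trusted_domains):
    """Return a list of findings for one raw email; an empty list means nothing flagged.
    Checks: lure phrasing in subject or body, links whose visible text names a
    different host than the real href, and hrefs outside the trusted domains."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = (msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)
    findings = []
    for pat in LURE_PATTERNS:
        if re.search(pat, text, re.I):
            findings.append(f"lure phrase: {pat}")
    for href, shown in ANCHOR_RE.findall(body):
        real = urlparse(href).hostname or ""
        shown_host = urlparse(shown.strip()).hostname or ""
        # Visible URL text pointing at a different host than the real target.
        if shown_host and shown_host != real:
            findings.append(f"link text shows {shown_host} but goes to {real}")
        # Real target is not one of the organisation's own domains.
        if not any(real == d or real.endswith("." + d) for d in trusted_domains):
            findings.append(f"link to untrusted host: {real}")
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL, {"example.com"}):
        print("FLAG:", finding)
```

Run against the sample, it reports three lure phrases, the mismatched link text and the untrusted host; a genuine internal link with matching text and a trusted host produces no findings.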
Whaling: essentially the same as spear phishing, but specifically targeted at executives and high-level staff, in the hope that people will pay the invoices if they come from their boss's email address.
So how do we protect against this? Why do these emails still get through? You may think email filters should be able to differentiate between legitimate and illegitimate email, but it's not quite that simple. They'll generally do a half-decent job of stopping the vast majority, but cunning scammers and spammers know how to word and structure their emails to get around them.
I've said it in this blog before: like any security, network security is only as strong as its weakest link, and the end user is usually the weakest link if everything else is configured to best practice.
Education is paramount. If you weren't expecting an email with an attachment or a link, don't open it before confirming with the person who sent it, preferably by phone (never via email: if it's illegitimate, they've likely been hacked or successfully spear-phished themselves). If you get an email saying "your password has expired", check with your IT team. There aren't many services that send that kind of email.
We strongly advocate the use of Multi-Factor Authentication for any and all accounts that are internet accessible. Simply adding the extra layer of security will mitigate the majority of the risk.
At Bizpro IT Services, to help identify and mitigate risk, we also offer an additional service to our Managed Services clients where we perform quarterly phishing tests (randomly and without warning, to strengthen the validity of the test). These tests work exactly like a normal spear-phishing email, but give us an idea of which end users may require additional education on what to do, and what not to do, in regard to email security.
There is more to spam than we've gone over; in fact, we've barely scratched the surface. For more information on our services, give us a call on (03) 9136 8131 or send us an email at firstname.lastname@example.org, unless of course you are a financially challenged royal who just needs to 'move some money around with a little help'.