As with most things, when it comes to security many of the people responsible for companies think in terms of big-ticket items. What I’ve seen too often is people wanting to address security concerns spurred on by the latest headline they’ve read, a quote they’ve heard at a seminar, or a topic discussed at a cocktail party. The conversation usually starts by asking me about penetration tests or risk assessments. While these are certainly worthwhile topics to explore, all too often we see the most obvious things skipped over or minimized.
One of the most basic culprits when it comes to security breaches is NOT technical but, rather, our people. Specifically, people doing something on their computers that they shouldn’t be. More often than not, many of these instances are preventable through just a little bit of training. And the concept of “phishing” is just one of these low visibility, high ticket items.
Phishing campaigns come in so many different flavors these days. Beyond crude emails telling you you've won the lottery or have a rich uncle in Nigeria who wants to transfer millions of dollars to your account, attackers are now hijacking news events such as high-profile security breaches in order to steal your information. A phishing email may claim your account has been compromised in a breach and that you must change your password. Many of these campaigns lead their victims to genuine-looking but malicious websites that mirror legitimate companies. And once you’ve input your data, you’ve given cyber-criminals the keys to your kingdom.
What makes many phishing emails seem genuine is not only the campaigns that exploit current news events, but also the ability to tap into the irrational human emotion of panic. “What's going on with my credit card, account, or loan? I better click on this to find out!” Too often the need to respond to this urge prevents users from taking a step back and thinking before clicking on a link.
This is where training comes into play. Before clicking on anything, ALWAYS check the link and make sure it’s a valid link. It’s really quite easy. Simply hover your mouse over any link in an email and a little box will come up showing the actual hyperlink you will be taken to. Make sure this link is for the actual website of the bank, credit card, or company you expect it to be. Often cyber-criminals register domain names that look so similar to the real company’s that it’s hard to tell the difference. I’ve seen URLs that tell me I’m going to “American Express” only to see that the domain for it is “aexp.com”. This is NOT American Express’ domain! (check out this sample)
Also, another tidbit: the last part of the domain address (the name immediately before the “.com”) is the most important part. This is the actual domain. Everything before it is called a “sub-domain”. If you see something that says “citibank.securrity.com”, it’s not Citibank’s domain. The actual domain in this case is “securrity.com”. At the same time, this example shows another trick they use. These criminals buy domains that are close to the real domain name, differing only by a slight spelling change or misspelling. In this case, “security” was misspelled, because they registered it misspelled intentionally!
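The two checks described above (which name is the real domain, and whether it is a near-miss spelling of the company you expect) can be automated. The script below is an added example written for this post, not a tool from the author; the allow-list of expected domains and the sample links are constructed for illustration, and the domain-splitting rule is a deliberate simplification explained in the code.

```python
"""Check whether an e-mail link really points at the company it claims to.

Added example for this post, not the author's own tool. The URLs used in
the demo and the EXPECTED_DOMAINS table are constructed for illustration;
in practice you would maintain the table for the companies your staff deal
with.
"""
from urllib.parse import urlparse

# Hypothetical allow-list: the company a link claims to be for, mapped to the
# registrable domain(s) that company actually uses (constructed sample data).
EXPECTED_DOMAINS = {
    "citibank": {"citibank.com", "citi.com"},
    "american express": {"americanexpress.com"},
}


def registrable_domain(host: str) -> str:
    """Return the 'real' domain: the name just before the top-level suffix.

    Simplification: treats the last two labels as the registrable domain, which
    is enough to expose the sub-domain trick from the post. Production tools
    consult the Public Suffix List so that suffixes such as 'co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete a character of a
                           cur[j - 1] + 1,         # insert a character of b
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(claimed_company: str, href: str) -> dict:
    """Compare the domain a link really goes to with the company it claims."""
    host = urlparse(href).hostname or ""
    real = registrable_domain(host)
    expected = EXPECTED_DOMAINS.get(claimed_company.lower(), set())
    if real in expected:
        return {"host": host, "domain": real, "verdict": "match"}

    brand_labels = {e.split(".")[0] for e in expected}
    host_labels = host.lower().split(".")
    real_label = real.split(".")[0]
    if any(label in brand_labels for label in host_labels[:-2]):
        # 'citibank.securrity.com': the brand is only a sub-domain of another domain
        reason = "brand name used as subdomain of " + real
    elif any(edit_distance(real_label, b) <= 2 for b in brand_labels):
        # 'citlbank.com': one or two keystrokes away from the real name
        reason = "domain is a near-misspelling of an expected domain"
    else:
        # 'aexp.com': nothing ties this domain to the claimed company
        reason = "domain is unrelated to the claimed company"
    return {"host": host, "domain": real, "verdict": "suspicious", "reason": reason}


if __name__ == "__main__":
    # Constructed sample links of the kinds the post describes.
    samples = [
        ("Citibank", "https://www.citibank.com/login"),
        ("Citibank", "http://citibank.securrity.com/verify"),
        ("Citibank", "http://citlbank.com/"),
        ("American Express", "http://aexp.com/"),
    ]
    for company, link in samples:
        print(company, link, classify_link(company, link))
```

Run it as a script to see each sample link classified; a mail filter or awareness tool would call `classify_link` with the display name a link claims and the real `href` behind it, which is exactly the pair you see when you hover over a link.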
While this seems like such a simple thing, recognizing a phishing email actually has a HUGE impact on your company’s approach to security. Keep in mind, while phishing most often is looking to gather information it is also a method for allowing malware into your network. So knowing this and sharing this with all of your staff can make a real difference in how hardened your network and your virtual information is.
So, the bottom line is: don’t click on a link unless you absolutely, positively know exactly where it’s going. And further: don’t enter information into a website without knowing it’s actually a valid website. Two easy ways to cure your vulnerability to phishing.
Yet again, a great lesson of where a little bit of knowledge really does go a long way!