Are you an easy target?
Not paranoid about phishing scams? You should be.
Phishing, and more specifically, spear phishing is a serious, growing problem. And we should be concerned, even paranoid about it. Based on our experience at The IT Guys, I’m not overstating things when I say spear phishing is the biggest threat to the average association and NPO today.
I make that judgment considering two factors; the likelihood of experiencing a spear phishing attack, and the difficulty in defending against it. Spear phishing is a growing problem and as a community, we’re lagging in our awareness of it.
If you’re not up to speed on the ins and outs of phishing and spear phishing, I’d encourage you to read a great article The IT Guys’ own Dallas Emerson wrote on the subject. The article was published in TSAE’s Leadership Today magazine and republished in our blog. It’s very enlightening.
I’m not going to re-plow the same ground Dallas has already tilled, but for our purposes here I’ll offer a concise working definition of terms.
A disclaimer before diving into the subject at hand. I have to say it; I absolutely hate the term “phishing.” It just sounds too clever and faux-cool to me. But that’s the accepted term so we’re stuck with it.
Phishing is the practice of sending fraudulent emails purporting to be from known or reputable parties with the aim of convincing the recipient to disclose sensitive information (i.e. give up your password) or perform tasks to criminally enrich the sender (send money) at the expense of the recipient.
Spear phishing takes garden-variety phishing to new levels of fraud. How? By assuming the identity of the sending (allegedly known) person so convincingly that it’s almost impossible for the recipient of the fraudulent message to discern that the sender is anyone but whom they claim to be. Again, for the general methods regarding how this works, check out Dallas’ article on the subject.
We're making it too easy
In this article, I’m going to get specific. We'll look at how we often hand the bad guys all the information they need to target us with incredibly sophisticated spear phishing attacks. We do this everyday and we're blissfully unaware. We don’t give it a second thought.
... the single greatest resource for spear phishing scammers is an organization’s own website.
In our experience, the single greatest resource for spear phishing scammers is an organization’s own website. Think about your site for a moment. If you’re like most agencies, your website is a treasure trove of information scammers need to implement their schemes.
What kind of information? The typical site has a “Contact Us” or “About Us” page. Or both. These pages usually contain the staff structure of the organization, with names, titles, phone numbers, and email addresses of the entire staff. There’s likely another page listing the board members. Some sites with email addresses for all. Some just have the President’s contact information listed,
If you think about it, what we have here is all the information any scammer needs to launch a spear phishing attack. The organization chart is readily discernable and easily scanned by software “bots” that scoop up all the names, title, and contact information for future use. Scammers connect the organizational dots and the attack begins.
Following are three spear fishing scenarios I’ve personally dealt with. I’m not mentioning any names, but these are “real world” spear phishing examples ranging from elementary, to sophisticated, to “OMG, do you see what they’ve done,” attacks.
Scenario #1 – The Amateurs
Too many of us have seen this one. Someone in an organization receives an email purporting to be from “Jane”, the ED. The message requests the recipient to purchase a number of gift cards and send their numbers back to Jane ASAP.
The email recipient sees what Jane is asking for, but it doesn’t make any sense. Jane’s never made any kind of request like this before. Plus, the recipient's in membership development. Why send this message there?
The immediate reaction? Panic. “Jane's email account has been hacked!”
Maybe it has, but it’s not likely. The far more probable situation is revealed with a cursory glance at “Jane’s” email address in the suspicious message. It’s not actually Jane’s email address at all. The email address is really firstname.lastname@example.org.
If only they were that clearly labeled. IT life would be a lot simpler.
Jane’s email account hasn’t been hacked, her name has been hijacked. From where? Most likely the agency’s web site is the source of Jane’s name on the bogus email. The scammers used a software scanner (a bot) to strip out the contact information they needed. The result is an email that sort of looks like it might kind of be legit.
The bad guys here are the lowest-level scammers. They’re either lazy or not too smart. Or both. They used Jane’s name, but nothing else remotely resembles a real email from her. These lazy or inexperienced would-be scammers count on the recipient of their phishing email to be too busy or careless to notice.
In addition to a halfhearted effort in disguising the true sender, the scammers just sent the email message to random staffers. No effort at targeting the recipient at all. Amateurs.
There is one thing the bad guys have in their favor. Even with these lame scams; many of us use our phones for email as much or more than a computer. Many mobile email clients display only the sender's name, making us work to see the email address. And most of us are too busy too look.
If you get a suspicious-looking email, the first thing to do is to verify the sender's email address.
If you get a suspicious-looking email, the first thing to do is to verify the sender's email address. If you will, other than causing momentary panic surrounding the possibility of hacked email accounts, these emails won’t accomplish a lot. They’re easy to see through as not being legit and no harm comes to you or the organization.
Scenario #2 – These Guys Are Good
This one takes the basics of the first scenario and ratchets it up several notches. The sender-to-recipient relationship causes the request in the message make more sense, yet still puzzling.
In this situation, the ED sends an urgent email to the CFO, Bob, requesting a wire transfer of $35,000 to a bank account contained in the message. These funds are to complete a transaction the ED has been “working on in secret” until the big announcement day.
Yes, this really happened.
This time, a cursory glance at the email address only makes the message look more valid. The address really is Jane’s, not some easily-spotted phony.
So, what does Bob do now? Fortunately, Bob takes the time to attempt contact with Jane to confirm the validity of the request. But, Jane’s at the annual conference and can’t be reached. The email specifically said it was urgent. Does Bob still take the time to track down Jane, or just follow the directive in the message? Most of the time, Bob is suspicious enough to take the time to verbally confirm “Jane’s” request, and he finds out it’s a scam.
But what if Bob caves from the pressure, swallows hard and follows instructions like the dutiful soldier he is? Despite Bob’s best intentions, the scammers make off with the cash.
What happened here?
First, the phishing message was highly targeted. The ED/CFO relationship was determined from job titles on the agency’s website. Along with the email addresses. The ED sending an email to the CFO regarding the agency’s finances would make sense in context.
Second, the scammers choose the time of the agency’s annual conference in order to take advantage of the usual frantic activity involved with hosting that event. The bad guys hope that scheduling their attack during an unusually busy time will increase its chances of success. They hope so because all too many times in the past, that’s proven to be the case. When we're busy and in a rush, we're also less cautious.
How did the bad guys know about the conference and its schedule? Probably from the giant banner at the top of every page in the organization’s website. Complete with dates when everyone would be at their busiest and most likely to be out of touch. More invaluable information given to the scammers from the organizations website.
Don't get me wrong regarding this last point. I'm not advocating we pull conference announcements and schedules from our websites. I'm simply saying that providing that is the icing on the information cake we've baked all our contact info into. The usefulness of the conference schedule to scammers would almost be nil without the the latter.
Another interesting aspect of this scenario is the increased technical sophistication as evidenced by the phishing email address used matching Jane’s valid one. So, how’d they do that?
If you know the inner-workings of the average email, it’s not hard. You just have to know what you’re doing. These scammers knew what they were doing.
There’s a lot of information encoded into an email that helps it get from the sender to the recipient. A number of these behind-the-scenes parameters can be tweaked to mask the true sender’s identity with another. In this case Jane’s. These bad guys knew how to tweak the message to get their phony email address to match Jane’s real one.
To add to another wrinkle to this scam, the bad guys make sure that if the recipient replies to the bogus message, the response is sent to them, not to the "real" person’s email address that’s showing on the email. They do so by further tweaking of the email message parameters.
The result is an email that looks totally legit and not easily spotted as a phony by just looking at the “froms” an “tos”. With this type of phishing message, the context of the message is important. Here, the recipient must evaluate the request being made to determine of it makes sense. The best way to do that is verbal communication.
Why verbal? See the last scenario to understand what can happen when a truly sophisticated phishing attack is in high gear.
Scenario #3 – You’ve Got to be Kidding
This scenario takes spear phishing to another level by adding a social engineering dimension to the already technically sophisticated email attack. Social engineering is the process of interacting with others in a more personal manner. Usually this means by telephone, but we’re going to use this term for purposes of our discussion here as well.
In this case, seeking confirmation of the suspicious request (send money), the recipient of a bogus email responds to the sender (who they believe is legit). Instead of being delivered to the alleged sender, the response is actually sent to the scammer.
Here’s where the social engineering comes in. The scammer responds to the recipient by impersonating the real ED, or whoever the recipient believes they are exchanging messages with.
So, the technical attack is supplemented by real people engaging in email exchanges between the would-be victim and the attacker. That lends an even greater aura of legitimacy to the process, increasing its chances of success.
This all takes a LOT of work! Fortunately, these types of attacks are in the minority. But, they are growing in frequency and sophistication.
Fortunately, the impersonation of the trusted email sender will come to a grinding halt if the scammer doesn’t react in a manner consistent with whoever is being impersonated. Either because they don’t respond with proper information when challenged or their non-native English grammar skills betray them. At that point the scammer will usually just vanish.
But, all too often the scammer can hide behind short responses, claiming to be too busy for a more in-depth exchange. That will often cover English grammar deficiencies, lending enough authenticity to the scammer to get by. Satisfied, the suspicious person being scammed ends up trusting the scammer and complies with the bogus (and costly) request.
Who are these guys?
Who are the bad guys? That's a very good question, Short answer? I don't know. Long answer? I have no idea. And that's a big part of the problem.
Scammers can be anywhere. The attacks come from all around the globe. I've endeavored to trace fraudulent emails numerous times. The process is painstakingly tedious. And it almost always ends up in a black hole somewhere. Russia, Eastern Europe, Asia, South Africa ... I've followed the trail of bad guys to all these locations and more.
Attempting to find and prosecute the scammers is a costly, frustrating, and pointless endeavor. Which is why spear phishing is on the rise. The cost is low and the chance of being caught is even lower. And it works way too often
So, what do we do? We defend ourselves. We get smarter. We make it harder for the bad guys to perpetrate their scams.
What do we do about it?
Let's get the obvious question out of the way. How can technology help? Unfortunately, there's not much traditional anti-spam systems can do to block phishing emails. Because, by their nature, these messages are designed to appear authentic, a software or hardware approach to combating them is limited in effectiveness. Anti-spam can work against phishing attacks, but not so often that I'd bet then farm on it.
It's up to us, people, to be the front line of defense. To protect ourselves from attack.
First, pay attention to details. If you get an email that looks fishy, do something. Question it. Challenge the sender. Make sure the message is legit.
It's a pain, I know. But, it's the price of admission to the Internet-connected world we operate in.
Next, consider this. There’s a simple rule at the core of spear phishing attacks; the more information the scammers possess, the more effective their attack will be. Given that, our first response to spear phishing is to reduce their chances of success by limiting the information they have to use against us.
Let’s at least make it a challenge.
The typical scammer is lazy. He's not inclined to do a lot of digging to target an organization that’s raised the level of effort required to pull off a scam. After all, there are plenty of others who’ve not done so. He'll go for the low-hanging fruit every time.
So don't be low-hagning fruit. The first step in raising the “effort bar” is to remove in-depth contact information from our websites. At least take a few minutes to do an elementary cost/risk evaluation. Is the potential risk of highly-target phishing attacks worth whatever perceived benefit that information provides? In my experience, the answer to that question is almost always “no”.
As alternative, consider having a single contact email address that’s forwarded to someone responsible for triage of inbound email message content and answering questions sent there.
Or, put complete contact information behind a membership wall, requiring a website visitor to sign in to view the in-depth information not visible to the general public.
By continuing to post names, titles and email addresses for everyone associated with an organization, we make the job of spear phishing easy. Handing would-be scammers the information to be used against us only increases the risk of sophisticated and potentially costly attacks against out organizations.
Let’s not make ourselves easy targets.