For the past few years, thanks to having an amazing little addition to my family, I have been reading a lot of Dr. Seuss books, and one of my favorites is “Fox in Socks.” If you haven’t read it to your kids, you should. Well…you can try. If you don’t have kids, it is an entertaining read anyway. It puts your tongue to the test when read out loud. The last story in the book talks about “tweetle beetles” and for some reason, it got me thinking about phishing.
Phishing these days comes in many forms and names, just like the tweetle beetles and their puddle paddle battles. We at SECOM perform all kinds of phishing simulations for our clients. When we send a phish to your entire company, that’s what we call a “general phish.” When attackers send you a phish purporting to send you a lot of money in exchange for a small amount of money, we call that a “Nigerian prince” or “419” scam. If we send phish to your top executives or other important individuals, we call that a “spear phish.” If attackers send a phish to your accounting department, posing as a company executive, we call that a “business email compromise” scam. When SECOM sends you a phish to your phone, we call that SMiShing. Attackers are also starting to send phishing-type messages via Twitter seeking bitcoin and other altcoins in what we call… a “Nigerian prince scam.” Wait, what? That old thing is back in a new form.
Handle With Care
No matter what you call a fraudulent email, it all should be handled the same way. Critically think about every email or text you get that requests you to perform some action. Click a link, open an attachment, reply with additional information. It is all calling the recipient to action, and these days we all must critically think about those emails specifically.
There is no need to be paranoid that every email you get is fake or an attack. The email from your mom wishing you a “happy birthday” is probably very safe to read. Now, if that same email comes with an e-card attached or a link to some picture or gift, stop and think about it. Your birthday is not that hard to find out without knowing you at all. We here at SECOM do open-source intelligence (OSINT) gathering on all our targets and, almost every single time, that includes finding birthdays, addresses, phone numbers, and alternate email addresses for the target, friends, and family members. All are things we can use to compose an email or text that looks like we know you, and you can trust us.
As real as these communications may seem, all of SECOM’s phishing emails request the target to take some action. This is also true for phishing emails from attackers. That is your “red flag” to stop, think about it, and verify it with the sender, out-of-band, meaning not in the same communication channel you received it in. I say that because you should not simply reply to a suspicious email asking for clarity or verification. An attacker can, and will, say “yes” to every form of verification they are asked about. Not only that, but any replies may give them additional information about you to continue the attack or devise a new one (I’m talking about email signatures and SMTP headers here). If you have questions about the validity of an email or text you receive from a friend, call them on a known good number, or ask them in person before acting. It is much harder for an attacker to gain your trust if they are sending an email from the hacked account of your friend you are having lunch with.
Educate the Masses
How do you get your employees or user base to get in the habit of critically thinking about emails? Test them, repeatedly, and train them based on the results of those tests. Adjust your training to the tests you most recently performed, and openly recognize and reward your users who perform the desired behavior of not clicking the links while still reporting them to your internal security teams.
The reporting part is more important than not clicking. That may sound counter-intuitive, but if all your users habitually report suspicious emails, your security and incident response teams will get the heads up that there may be other attacks happening. Even if the user clicks the link, but still reports it, they can get their machine cleaned up and the security and IR teams can be on the lookout for others that may have been affected or repair any damage that was done. Simply deleting suspicious emails without telling anyone is more of a risk to the company than the taking of the requested action.
And that’s what we call a tweetle-beetle-phishing-smishing-clicking-reporting-security-program.
Read the book, it’s totally worth it.