With the constant stream of news about password leaks and panic about identity theft, it is easy to feel overwhelmed by the idea of protecting your business and employees from the thieves trying to exploit well-intentioned staff and technology. However, the reality is that password leaks consist almost entirely of lower-value personal accounts, and the information is frequently stale. Even the much hyped “Collection #1”, the 770 million password leak released last January, consists almost entirely of several collections of old password lists that were already released years ago. This collection is more like a “Greatest Hits” album of passwords – nothing new. Password leaks are dangerous and get a lot of press, but the real danger is phishing. We believe phishing to be the most significant threat to most businesses today (assuming decent IT practices are in place!).
Phishing is an attempt by a malicious outsider to get information from you or your employees by tricking you into thinking that they are entitled to the information, often by way of communicating some sort of fabricated emergency.
Sometimes a phishing message looks like it is from a company you trust, like Microsoft or your bank. You may have seen many examples of phony messages. Some of them are very good, but they can be easily identified once you know what to look for, because they tend to be common and generic. For a few easy rules to follow to identify these kinds of attacks, we’ve recently recorded a quick 5-minute video on the subject.
Another, much scarier type of attack is spear phishing. The name comes from the sport: like spear fishing, spear phishing goes after specific, high-value targets rather than casting a wide net. These are attackers who are willing to invest time and money into learning about your business – often researching your staff names, titles, email addresses, and phone numbers. They will try to get to the “softer” targets who have access to sensitive information, and will employ more sophisticated tactics to do it, like buying similar domain names and setting up email addresses on them. For example, the email domain “@1ighthouseit.us” looks a lot like “@lighthouseit.us”, but the first one is fake: the letter l has been replaced with the digit 1. A common attack might look like this:
From: Skip Carruth [firstname.lastname@example.org]
Sent: Thursday, January 31, 2019 9:27 AM
To: Eli Meier
Subject: 2019 W2s
I missed a calendar reminder to ask you this yesterday, so I am in a bit of a hurry. I need to send out our W2s by the end of the day, but I am out of the office and don’t have access to the PDF files. Could you export them from Intuit payroll, save them as a PDF file and send them over to me? Thanks for handling this right away.
Principal and Client Strategy Advisor
(254) 774-9035 | lighthouseit.us
This email looks like one that Skip could have generated. It has his correct name and title, as well as our company logo. The attacker could easily guess that we use QuickBooks, like many small businesses our size. If I was not on my guard, this might be a request I would quickly comply with because I don’t want to put Skip further behind schedule. Here is what we recommend to defend against this kind of attack:
- Make sure that only people who really need sensitive information have access to it. Your team may be 100% trustworthy, but the more people who have access to information, the more targets are available to attackers. For example, there is no reason why I should have access to all the W2s in our company.
- Study the email address and the details in the sender fields and the signature. In this case, the email domain is similar to, but not an exact match for, our real domain name.
- Anytime someone is asking for sensitive information, pick up the phone and call them on a known-good number (not whatever is in the email signature), and confirm with them verbally. It may slow things down a bit if it is a real emergency, but it is always easier to prevent a data loss than it is to try to repair it.
- Schedule regular trainings with your staff, especially those with access to sensitive information. Trainings should be held at least yearly, but having them more frequently and varying the content has been shown to be effective at combatting losses due to phishing attacks.
- Ask your IT team to implement an anti-phishing training program. These programs will send your people “test” phishing emails, teach them what to look out for, and tell you who needs more training. (Training is important. A recent study concluded that people are 70% less likely to fall for a phishing attempt after a year of training.)
- Consider adding anti-phishing protection to your email security. These are newer technologies which automatically block many phishing attempts by matching them against commonly used phishing patterns – such as similar domain names, known-malicious email servers, or text patterns that are used in other attacks.
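The look-alike domain check described above (the “@1ighthouseit.us” example, the advice to study the sender address, and the similar-domain matching that anti-phishing filters perform) can be illustrated with a small script. This is an added example for this post, not code from the original article or from Lighthouse IT. The trusted domain and the staff names are assumptions, and the sample From: headers are constructed for illustration; it goes slightly beyond the post by also catching a staff display name paired with an outside domain.

```python
"""Flag From: addresses whose domain merely resembles the organisation's real one.

Added example for this post; it is not code from the original article or from
Lighthouse IT. TRUSTED_DOMAIN and KNOWN_STAFF are assumptions, and the headers
in SAMPLE_HEADERS are constructed for illustration.
"""
from email.utils import parseaddr

TRUSTED_DOMAIN = "lighthouseit.us"           # assumption: the real mail domain
KNOWN_STAFF = {"skip carruth", "eli meier"}  # assumption: display names worth protecting

# Character substitutions used to build look-alike domains. Multi-character
# confusables are folded before single characters so "rn" becomes "m" first.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b"),
]


def normalize(label: str) -> str:
    """Lower-case a domain label and fold confusable characters to their look-alike."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two short strings (simple dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_label(domain: str) -> str:
    """'lighthouseit.us' -> 'lighthouseit': everything before the final dot."""
    return domain.rsplit(".", 1)[0]


def classify_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Classify a From: header value.

    Returns one of:
      'internal'      - exactly the trusted domain or one of its subdomains
      'lookalike'     - a homoglyph, TLD swap, or a domain within two edits of
                        the trusted domain's registered label
      'impersonation' - an outside domain, but a display name matching staff
      'external'      - anything else
      'malformed'     - no parsable address
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain == trusted or domain.endswith("." + trusted):
        return "internal"
    mine = normalize(registered_label(trusted))
    theirs = normalize(registered_label(domain))
    if theirs == mine or levenshtein(theirs, mine) <= 2:
        return "lookalike"
    if display.strip().lower() in KNOWN_STAFF:
        return "impersonation"
    return "external"


# Constructed sample headers (not real messages). The second one reuses the
# look-alike domain from the post, with a digit 1 in place of the letter l.
SAMPLE_HEADERS = [
    "Skip Carruth <skip@lighthouseit.us>",
    "Skip Carruth <skip@1ighthouseit.us>",
    "Skip Carruth <skip@lighthouse-it.us>",
    "Accounts <payroll@accounts.lighthouseit.us>",
    "Skip Carruth <skip.carruth@mail-relay.example>",
    "Vendor Support <support@vendor.example>",
]


def scan(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its classification."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in scan().items():
        print(f"{verdict:14} {header}")
```

Running the script prints a verdict beside each constructed header; only the first and fourth come back as internal. The edit-distance threshold of two is deliberately tight: a wider threshold would start flagging unrelated short domains, while a narrower one would miss a single inserted hyphen like “lighthouse-it.us”. A check like this is a reasonable first filter, but it is no substitute for the phone call on a known-good number recommended above.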
Information security is an arms race with intelligent, motivated, and creative opponents. Every year, criminals introduce new strategies to bypass the protections designed for last year’s threats. The best protection is to layer the strategies above and to stay aware of the new threats. Enlisting an expert to help you focus on the strategies that make the most sense for your business can be invaluable. If we can help, please let us know.