Dissection of a Phishing Attack, Part 4

Created 5 years 117 days ago
by RitaP

by Scott M. Lewis

There were red flags all over this transaction. In the end, it was not a breakdown in the technology: both sides have confirmed that neither team suffered a security breach of their internal networks or their Office 365 systems. This phishing attack targeted human conditioning, the brain seeing what it expects to see, and a lack of training. The bank questioned the transaction. Verbal conversations took place concerning the transfer. The internal verification processes of the people involved were not adequately acted upon or documented. The money was transferred to the Mexican bank as requested. The Mexican bank accounts were closed, and the spoofed Gmail accounts were deleted.

We have learned a lot about phishing. There are typically red flags that warn you when you might be part of a phishing attempt, or when someone is trying to make you a victim. But what are those signs? According to Protected Trust, here are some things to watch out for:

- Are you familiar with the sending address? Take time to read the email address. One way to spot small, subtle changes is to read the email address backward. It sounds funny, but it makes your brain stop and think about what you are actually reading, instead of relying on the human tendency to see what it expects to see. Other things to look out for: Do you know this person? Have you ever exchanged emails with them before? Are they asking you to do something outside the norm, or unexpected? If it seems fishy, don't hit Reply or Reply All. Instead, type the actual email address again into the "To" or "CC" field.

- Check for misspellings. It is common to see spelling errors in the email addresses and within the body of the email. One easy step is to turn on spell check in Outlook so that the message highlights spelling errors.

- High sense of urgency. If the sender is changing things and you have to act now, that elevated sense of urgency should be a red flag. Remember that the lifespan of a phishing site is only 15 hours, so things have to happen quickly. If there is ever a time to procrastinate on something, this might be it.

- If the scammer is trying to direct you to a new URL and asks you to enter your username and password, that should be a red flag. Instead of clicking on the link, look up the actual URL in Google and type it into your browser's address bar. You can also hover your mouse over the link, and it will show you the fully qualified address of where you would go if you clicked on it. On mobile devices, you can use a light touch to see the fully qualified address; the risk is that if you press too hard, you will go there. Always remember that your bank, the IRS, and other government agencies don't contact you directly via email, so be very cautious when you see messages like that.

- Make sure that on the URL line, the line where you type in the website address, you see the closed lock. Or you should see HTTPS; check for the "S", which is a sign that this is a secured website. If one or more of those is missing, do not trust the site as legitimate. Your browser may also show a circle with a red X or a line through it. If you see that, the connection is not secure; leave the site.
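The first four checks above (a sender address one character off from someone you know, urgency wording, and a link whose visible text does not match where it really points) can be run mechanically on an incoming message. The script below is an added example for this article, not the author's or Protected Trust's code; the allow-list of known contacts and the sample message are constructed, and the domains in it are placeholders.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allow-list (an assumption): addresses you have actually exchanged mail with.
KNOWN_CONTACTS = {"cfo@example-corp.com"}
URGENCY_WORDS = ("urgent", "immediately", "act now", "right away")

class LinkExtractor(HTMLParser):  # collects (displayed text, href): what a mouse hover lets you compare
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def review_email(raw):
    """Return the red flags found in a raw, single-part message with an HTML body."""
    msg = message_from_string(raw)
    flags = []
    addr = parseaddr(msg.get("From", ""))[1].lower()
    if addr not in KNOWN_CONTACTS:
        flags.append(f"unknown sender {addr}")
    for known in KNOWN_CONTACTS:  # "read it backward": nearly identical to someone you do know
        if addr != known and SequenceMatcher(None, addr, known).ratio() > 0.8:
            flags.append(f"{addr} resembles known contact {known}")
    body = msg.get_payload()
    if any(word in body.lower() for word in URGENCY_WORDS):
        flags.append("urgency language")
    parser = LinkExtractor()
    parser.feed(body)
    for text, href in parser.links:  # the hover check: does the visible URL match the real one?
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            flags.append(f"link text shows {shown} but points to {real}")
    return flags

# Constructed sample resembling the wire-instruction lure described in this series.
SAMPLE = """From: "Pat Doe, CFO" <cfo@examp1e-corp.com>
Content-Type: text/html

<p>Urgent: our bank account changed, please act now.</p>
<p>Confirm at <a href="http://login.examp1e-corp.com/verify">https://www.example-corp.com/verify</a></p>
"""
```

Running `review_email(SAMPLE)` reports all four flags; a plain note from a known contact with no links returns an empty list.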

Securing the human is the key to any security initiative, and even more so when it comes to phishing attacks. It is easy to think that the technology is at fault when it comes to security prevention; however, the real weakness is human conditioning. Scammers have become experts at human behavior and at attacking the human condition. So, until we secure the human, all the technology in the world will still have this one major flaw. What are some of the behavioral elements that can help us secure the human?
To be continued next month...

Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 35 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium, and small companies, and Winning Technologies' goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.