By Peter Theobald | July 30, 2018
“Your bank account has been locked, click here to unlock”
“Your tax refund is due, click the attachment for details”
“You have received a remittance, click here to claim”
“Change of password required immediately”
“Invoice for Rs. 45,000 is payable now …”
You have probably received emails along these lines every now and then. What exactly is going on? In technical terms, this is what is called a “Phishing” attack – the attacker uses a disguised email as the entry point into your system or network. By “spoofing” the email id of a company, bank or person that you normally correspond or do business with, the attacker tries to get you to download and open an attachment or click on a link in the email. Once you do that, one of two things can happen: the attacker will try to get some confidential information from you – such as your bank account number or password – or the attacker will try to install malicious software on your computer. This software could encrypt all the data on your system and offer to decrypt it for a “fee” (ransomware). It could also monitor your activities, spread to other systems in the network, or even send your confidential data to the attacker.
A variation of this is the “spear-phishing” attack, which is a targeted attack against your company. For example, you may receive an email, supposedly from the CEO of your company, saying that he is travelling for a business meeting and needs you to transfer money to a certain company immediately, before the meeting starts. Needless to say, the CEO never sent this email. There are several examples of unsuspecting employees transferring money out based on such mails.
There are security products that provide some level of protection against these attacks – primarily email and web sandboxes that open every attachment and link in the email inside a virtual system to see whether it is malicious, in which case it can be blocked. But like any security product, these are not foolproof. The most important defence against such attacks is an educated user.
Users must be trained never to open an attachment unless they are expecting one from that particular person; never to click on any link in any email, especially one that appears to come from a bank or other financial organisation (it is always better to open a separate browser window and type in the URL of the bank website yourself); never to part with sensitive information such as account numbers, employee ids or passwords by email; and never to remit any money on the basis of an email without first confirming on the phone with the person concerned. One-time training is usually not sufficient; it has to be repeated at regular intervals.
Hitachi Systems Micro Clinic offers a unique service to test the susceptibility of your team members to such attacks. With your prior permission, we will craft a unique email on the above lines that seems to come from the IT or HR department of your organisation, asking the user to click on the link in the email and then provide some critical information. This mail will then be sent to all team members, and we will track how many people opened the email, how many clicked the link and how many provided the requested information – something they were not supposed to do. In our experience, anywhere from 30% to 50% of users succumb to this kind of email. Some users even forward the mail to their colleagues, encouraging them to send the information too!
This “Phishing Awareness Testing” service will give you an overall view of your organisation's vulnerability to such attacks and an idea of which users need additional training. Training material can also be provided if required.