‘Tis the Season for Phishing Attacks
Teach your staff to detect social engineering to keep them cyber safe over the Christmas break.
Holidays bring with them frantic shopping, party planning, family arrangements, and, finally, taking a well-earned break and connecting with family and friends. However, criminals also look forward to this time of year, for a very different reason: they use our distraction against us, relying on us being even more in a hurry than normal. And when we’re distracted, we make mistakes.
The number of scams rises sharply at holiday times, with Christmas and New Year bringing a massive spike in online phishing attacks. The Australian Signals Directorate (ASD) has published useful advice for organisations to help them explain the threat to users and help those users protect themselves online.
Increased Phishing Attacks over Christmas and New Year
There are several scams that cyber criminals traditionally profit from more over Christmas and New Year than at any other time of year. The first is the fraudulent survey, which criminals use to harvest user data, credentials and even bank details, so be on the lookout for anything that sounds too good to be true. If you want to remove the risk altogether, simply delete these emails and leave their attachments unopened.
Secondly, the volume of spam and phishing emails will go up, so it’s likely that your junk mail folder will be jammed full of items that your mail client has detected, but it’s just as likely that some will slip through. Especially at this time of year, when we all want to score a great online bargain, criminals bank on at least a percentage of the population’s greed outweighing sense. Emails that offer deals that are too good to be true are simply that – too good to be true and probably a scam.
Another popular ruse is the bogus shipping status message, purportedly from Australia Post, DHL or UPS. These scams rely on you being curious enough to click on the link to see who might have sent you a parcel – something that many of us will receive over Christmas. If you’re not expecting a parcel, don’t click the link. If you are in any doubt at all, call the shipping company (not using the number in the email) and they’ll confirm whether it’s real or not.
Phishing Attacks – Advice from ASD
ASD acknowledges that scammers are getting much better at constructing convincing and highly sophisticated phishing attacks. In many cases, this means there is no easy way (or at least no superficial way) to tell whether an email is real or fake. But users can ask themselves a few questions, taking enough time to simply pause and reflect on what the email is offering before opening it. This short pause will be just enough time for their brains to properly process the offer, evaluate the risk and stop those natural human impulses from seeing them duped.
ASD recommends reminding staff to challenge themselves with the following questions when reading emails:
- Do you really know who is sending you the email?
- Do you recognise the sender and their email address?
- Is the tone consistent with what you would expect from the sender?
- Is the sender asking you to open an attachment or access a website?
Furthermore, email scams are often tailored to appear as if they come from something or someone you trust; criminals harvest open-source data, such as from LinkedIn and Twitter, to appear as if they are one of your legitimate contacts. Others are tailored against a backdrop of current events, such as concerts, open air markets and festivals, to convince you they are real.
One very important point that ASD reminds us of is that if the content of the email is not relevant to work, then users should delete it. If it’s on a user’s personal email system, then it’s a personal risk (which of course is also something to protect them against) but keeping separation between work and home life provides an air gap that will give people time to think about whether they click on the link or open the attachment. A gift card from a hardware store sent to your work account is highly unlikely to be legitimate, since you should never register your work email address for personal services.
One way that users can quickly tell whether or not a link is genuine is to hover their mouse over it and look at the address that appears in the tool tip. If the address in the tool tip matches the address shown in the link text, the link is probably genuine; if the two differ, it’s probably a scam. The same applies to where the link leads: an email from your bank that contains a link to an online pharmacy is likely a scam.
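The same two checks (does the link text agree with the real destination, and does the destination stay on the sender’s domain) can be applied to an HTML email body by a mail filter or help desk script. The following is an added example, not code from the original post or from ASD; the email body, hostnames and sender domain are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style email body (hypothetical domains), used as sample input.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your account before the holidays.</p>
<a href="https://login.examplebank.com/confirm">https://examplebank.com/confirm</a>
<a href="http://examplebank-secure.example.net/x">Log in to examplebank.com</a>
<a href="http://cheap-pharma.example.org/deal">Click here</a>
"""
# Finds a domain written in the visible link text, e.g. "Log in to examplebank.com".
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text the reader sees inside the link
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def same_site(a, b):
    """True when one hostname equals, or is a subdomain of, the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def suspicious_links(html_body, sender_domain):
    """Return (href, reason) for links whose real destination disagrees with the shown text, or that leave the sender's domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    sender, findings = sender_domain.lower(), []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()   # where the link really goes
        match = DOMAIN_RE.search(text)                    # domain the reader is shown, if any
        shown = match.group(1).lower() if match else ""
        if shown and not same_site(shown, real):
            findings.append((href, f"text shows '{shown}' but link goes to '{real}'"))
        elif not same_site(real, sender):
            findings.append((href, f"'{real}' is outside sender domain '{sender_domain}'"))
    return findings
```

On the sample above, the first link is accepted (a subdomain of the bank), the second is flagged because the displayed domain and the real host differ, and the third is flagged because a bare "Click here" leads off the bank’s domain.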
Calling senders to verify the legitimacy of an email is the best way to assure yourself that the email is real. Before you open any attachments or click on any links, having a verbal confirmation that this email was sent to you from the associated institution or business will likely save you a lot of hassle. But as we said earlier, don’t use the phone number contained in the email, since that will likely be a fake service desk set up by the criminals to again impersonate the real organisation. Cross check the phone number on the organisation’s website and if you can’t find a direct phone number, err on the side of caution and don’t open the email.
Security Awareness Training
There have been mixed reports over the years on the usefulness of security awareness training, with promoters suggesting organisations can’t live without it, while detractors suggest that people forget what they learn the minute they finish the course. Interestingly, both perspectives are right, so it’s essential you understand how your organisation works and how behavioural change is best communicated in your industry.
Make the consultation with staff inclusive and ask them directly how they respond to training. Some teams, such as desktop support engineers and sales executives, see this kind of training as distracting, so look for more effective ways to engage them. Don’t look at all members of your workforce as equal – if they have busy operational jobs then training like this can come across as an inconvenient corporate overhead that gets in the way of their day job. Seek to integrate other, more proactive means of raising awareness into the workforce, such as internal phishing campaigns run with free tools like the Social Engineering Toolkit.
There are commercial tools that combine security awareness training and phishing, but they come at a cost, so test your organisation’s responsiveness to this kind of blended learning prior to investing in a commercial solution.
Cyber attacks – peace of mind for the festive season
At this very busy time of year, take heed of established trends to avoid phishing attack gifts that keep on giving. You should remind staff to ‘stop and think’ before opening links and attachments. Have a very Merry Christmas and an uninterrupted, peaceful New Year.
To make your business more cyber resilient, why not read our White Paper detailing the Australian Signals Directorate’s top cyber mitigation strategies, which claim to stop up to 85% of cyber attacks.