The FBI just released a public service announcement to warn computer users about the latest in cybercrime. Checking for “https” and the lock icon before opening a website link is not the gold standard of safety it once was.
Jeremy Girard, director of marketing at Envision Technology Advisors in Pawtucket, offers insight as to how businesses can work to prevent phishing and malware, now that hackers are mimicking what we were always told to look for as a sign of a site’s security.
PBN: The FBI PSA essentially says that hackers are imitating what secure websites look like, with the https designation and lock icon, for example, to fool users into thinking they’re safe sites. Will it always be a case of the hackers getting smarter and cybersecurity needing to be a step ahead?
GIRARD: As long as there is the possibility of a financial reward connected to an attack, there will be hackers out there looking to take advantage of vulnerable users. Those hackers will continue to evolve their methods, which means that to remain protected, companies also need to evolve. This is why we advocate so strongly for Employee Security Posture Training needing to be a key part of any cybersecurity strategy.
It’s important for a company’s IT department to be aware of the latest threats and to put protections in place as needed, but if that company’s employee population is not trained on what to look for when it comes to cyberattacks or how to respond to a possible threat, all those protections could be for nothing. The simple truth is that a company’s employees are its largest attack vector, which is why more and more attacks are targeting those employees with phishing emails, social engineering attacks and more. Staying ahead of those attacks means keeping an employee base educated and informed and creating a culture of shared responsibility within an organization when it comes to security.
PBN: Is it overkill to suggest that users never reply to emails from strangers or organizations they aren’t familiar with, but to start a new email or confirm their email over the phone? Or just emails that look a bit “not right?”
GIRARD: People are already wary about communications from organizations they are not familiar with, which is why hackers try to imitate accounts that they will be familiar with and will therefore be less suspicious of. This is what we mean when we talk about being aware of messages that seem “not right” in some way.
If you regularly communicate with a person or organization and they suddenly send a message with a very unusual request, that is a red flag. For example, if you received an email from a stranger asking you to go to the store, buy some prepaid gift cards and email the codes to them, you would never do so.
Now, what happens when an email looks like it comes from your boss saying she is at a conference and cannot get out of a meeting, but she needs you to do the same thing? This is actually a very common scam that people fall for. They see an email that they believe is from their boss and in an effort to be responsive to their request, they buy the gift cards and email over the codes, only to realize it was all a hoax when they seek reimbursement later and discover that the codes they sent went to a hacker and not to their boss.
Bottom line, if you receive an email from a trusted address that looks off or includes an unusual request, instead of replying directly to that email you should call that contact directly to confirm that they are indeed the one who made the request. This will ensure that if someone did hijack their email or if they are simply spoofing their address, you are not unwittingly providing sensitive information to a bad actor.
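The gift-card scam Girard describes has a recognizable shape: a message that looks like it comes from a familiar sender but carries an unusual payment request, urgency, and often a mismatched or lookalike sender domain. As an added example (not part of the interview, and not Envision's tooling), the Python below runs a few of those red-flag checks over a constructed sample message; the domains, addresses and keyword lists are assumptions chosen for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample imitating the "boss needs gift cards" lure from the interview.
# Note the lookalike domain (.co instead of .com) and the foreign Reply-To.
SAMPLE_BEC = """From: "Jane Doe (CEO)" <jane.doe@example-corp.co>
Reply-To: ceo.urgent@mail-example.net
To: staff@example-corp.com
Subject: Quick favour - in a meeting

Hi, I cant get out of this conference call. Can you buy 5 gift cards and email me the codes asap? Thx
"""

# Constructed benign message from the genuine domain for comparison.
SAMPLE_OK = """From: "Jane Doe (CEO)" <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Quarterly report

Please review the attached quarterly report by Friday.
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # assumed: the organization's own mail domain
URGENCY_WORDS = ("asap", "urgent", "right away", "cannot get out", "in a meeting")
PAYMENT_WORDS = ("gift card", "prepaid card", "wire transfer", "codes")

def sender_domains(msg):
    """Return (from_domain, reply_to_domain), lower-cased; Reply-To falls back to From."""
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    reply_addr = parseaddr(str(msg.get("Reply-To", from_addr)))[1] or from_addr
    return from_addr.rpartition("@")[2].lower(), reply_addr.rpartition("@")[2].lower()

def flag_bec(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable red flags for a raw RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom, reply_dom = sender_domains(msg)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    flags = []
    if from_dom not in trusted:
        flags.append(f"sender domain {from_dom!r} is not a trusted domain (lookalike?)")
    if reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    if any(w in text for w in PAYMENT_WORDS):
        flags.append("requests gift cards or payment codes")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("pressures for urgent action while the sender is 'unreachable'")
    return flags
```

Any flagged message is a candidate for the out-of-band confirmation Girard recommends: call the apparent sender rather than replying to the email.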
PBN: You say that phishing emails will often have misspellings in them. Why is that?
GIRARD: Many phishing emails originate in countries where English is not the native language. Translation tools are often used to compose those emails, which leads to misspellings and awkward phrasing and language. While a lone misspelling in an email is not a surefire sign that it is a phishing attempt, an email that sounds unusual and clunky is a warning sign.
PBN: Hackers, as you point out, can send a phishing email before an advanced persistent threat, or APT attack. In those cases, is it difficult to trace that initial email to the malware or information breach that results?
GIRARD: It really depends on the security tools that you have. If your company has deployed some of the next-generation security tools that are available today, you may be able to access really robust views of your company’s network and “rewind” those views to the point where the infection or compromise happened to show you the exact email that caused the breach. This kind of forensic analysis only happens if the right tools are in place before the attack, of course.
Having a comprehensive strategy for business continuity, which will include cybersecurity and disaster recovery planning, will help protect a company from threats while also giving them the resources they need to investigate the attack and recover quickly should their protections fail.
PBN: How would you categorize the FBI’s role in informing folks about these kinds of threats?
GIRARD: Employees tend to pay more attention to a security notification when it comes from someone outside of their organization. That is why we often advocate for employee security training to be conducted by an outside source rather than a company’s internal IT. Those lessons tend to carry more weight when a third-party expert is the one presenting them. As such, a security warning from the FBI certainly carries a sense of importance that many people will take notice of – an outside source that is also authoritative.
Ultimately, I think that private companies working alongside law enforcement is an important part of combating cybercrime. If you look at the work that the Rhode Island Joint Cyber Task Force has done here in the state, it is a perfect example of how law enforcement and private companies [such as] Envision can work together to make everyone safer from cyberattackers.
Susan Shalhoub is a PBN contributing writer.