Wouldn’t it be great if technology could solve every problem for your workforce? In reality, every IT solution has its limitations, including security defenses. As I’ve written in previous articles, 100-percent security does not exist. Anyone who tells you a system can never be breached should immediately lose credibility for making this preposterous claim. Most likely, that person is claiming a specific attack or breach can be prevented with a certain solution, but no solution provides 100-percent security because the person using the system is the weakest link of the system. Armed with this knowledge and an amazing understanding of human psychology, cyber criminals target the person using the system with a variety of threat vectors.

Phishing is a cyberattack that uses a disguised email as a weapon to provoke the reader into performing some action desired by the attacker, such as wiring money. In a phishing attack (pronounced “fishing”), the attacker masquerades as a person or company the user already trusts.
For example, imagine I am the billing person at BIC Magazine, and my email address is firstname.lastname@example.org. I’ve sent you invoices before, and we may have even spoken on the phone a few times or met at an event. One day, you receive an email from me stating we changed our bank, and I provide the bank information in the email. Since you know me, you don’t consider the topic all that unusual because companies do change banks, so you comply. Later, you discover you were not really communicating with me at all. Instead, the email address of the sender was email@example.com, which is a legitimate domain, but it isn’t owned by BIC at all. Instead, the domain name simply transposed two of the letters in the domain, which our brains do not always decipher. The attacker used the knowledge of your purchasing relationship with BIC to get you to change how you sent your payment. The email was legitimate in its style, substance and wording, so it was not blocked by any of your company’s email security systems. The process worked because a simple underlying assumption was not tested: “Am I really getting this email from who the sender claims to be?” Now, I know many of you are thinking, “Who would fall for such a simple sleight of hand?” The reality is many of the subscribers of this very magazine have wired money to someone claiming to be a vendor they trust. I know this for a fact because I’ve consulted for these companies on how these attacks can be prevented.
The issue is we are too friendly and cozy with our email, and we trust it because it doesn’t look unusual. If it looks like a duck, smells like a duck and quacks like a duck, then it must be legitimate. This psychology is exactly what the attacker is relying upon to get a person to act differently. But even if my email address was legitimate, many people would still have acted because their assumption would be my mailbox wasn’t compromised. How can you — as the reader of the email — ascertain the sender’s mailbox hasn’t been breached? In reality, you have absolutely no way to determine this information except to turn to your trusty telephone and call the sender to verify they actually sent the message. If the email has been breached, you certainly don’t want to email asking, “Is this request legitimate?” So call them. Does this sound like too much trouble? Well, I’ve seen $20,000 to several hundred thousand dollars transferred simply because the recipient of the email didn’t verify the message with a two-minute telephone call.
In most cases, if your organization actually falls victim to these attacks, your cyber insurance policy would cover some or all of the loss after your deductible. The real solution is to act like Ronald Reagan, who stated, “Trust, but verify.” “Trust, but verify” each email that is causing any change in your behavior, especially if money is changing hands. A quick voice call will confirm a legitimate request 99 percent of the time and give you a chance to chat with a colleague or vendor instead of costing your organization a lot of time and money.
For more information, visit www.omnipotech.com or call (281) 768-4308.