When it comes to finding the weak link in the security chain, you will find it in people. People are human and make mistakes. Hackers are good at exploiting vulnerabilities in software, but the easiest target for them to exploit is people. People are sometimes too trusting, which can lead to a hacker easily gaining access to systems and information.
When people think about phishing awareness training, they usually think of front-line employees. While this is a good start, the biggest target for hackers is the executives themselves. If your title is “chief executive,” “chief financial officer,” or “vice president,” you need to be extra vigilant, as you are the prime target. This is also true for lawyers and anyone in finance.
Howard Solomon, in his IT World Canada podcast, spoke about a scam targeting senior executives. Solomon cited a research report by threat intelligence company Group-IB that claims at least 156 senior executives of financial, real estate and legal firms have been victimized by the attacks since the middle of last year. This attack works so well because the hackers do detailed research on the victims and their companies. With this information, the hackers send an executive an email that looks like it comes from a partner firm and includes a PDF attachment or a Microsoft Office file. Once the executive clicks on the file, they are sent to a website that looks like a Microsoft Outlook login page. “Victims who log in give up their username and password to the crooks. Then they can log into the executive’s email and copy all messages. Then the attackers send phishing emails from the executive’s account to new victims, after which the sent message from the executive’s outbox is deleted to avoid detection. With the captured emails the criminals can search for and resell sensitive business information.”
Hackers rely on executives being too busy to look closely at the message for any signs of malice. They are counting on the executive to trust the sender, and then to trust the attachment. Solomon states that there were a few clues in these messages that they were malicious. In some, the sender and recipient shared the same name. Other messages had unusual formatting, such as plus signs instead of spaces between words. If you received such an email, do you think you would know how to tell whether it was malicious?
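The two clues Solomon mentions are simple enough to check by machine as well as by eye. The script below is an added illustration written for this post, not code from Uzado, Group-IB or the podcast: it parses a raw email with Python's standard `email` module and flags a message when the sender's display name matches the recipient's, or when words in the subject or body are joined with plus signs. The two sample messages and the `.test` domains are constructed for the example; the function and header names are my own choices.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real captures). The first shows both clues
# described in the post; the second is an ordinary message from a partner.
SUSPICIOUS_RAW = """\
From: Jane Doe <jane.doe@example-partner.test>
To: Jane Doe <jane.doe@example-corp.test>
Subject: Updated+Contract+Please+Review
Content-Type: text/plain; charset="utf-8"

Please+see+the+attached+agreement+and+sign+in+to+view.
"""

BENIGN_RAW = """\
From: Alex Smith <alex.smith@example-partner.test>
To: Jane Doe <jane.doe@example-corp.test>
Subject: Agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Hi Jane, here is the agenda for Thursday's call. Best, Alex
"""

# A letter, a plus sign, a letter: "Please+Review" matches, "C++" does not.
PLUS_JOINED_WORDS = re.compile(r"[A-Za-z]\+[A-Za-z]")


def _display_name(header_value):
    """Return the lower-cased display name from a From/To header ("" if none)."""
    name, _addr = parseaddr(header_value or "")
    return name.strip().lower()


def _body_text(msg):
    """Join the decoded text/plain parts of a message, skipping attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, errors="replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message):
    """Return a list of human-readable reasons the message looks suspicious.

    An empty list means neither clue from the post was found; it does not
    mean the message is safe.
    """
    msg = message_from_string(raw_message)
    findings = []

    sender_name = _display_name(msg.get("From"))
    recipient_name = _display_name(msg.get("To"))
    if sender_name and sender_name == recipient_name:
        findings.append("sender and recipient share the same display name")

    if PLUS_JOINED_WORDS.search(msg.get("Subject", "")):
        findings.append("plus signs used instead of spaces in subject")

    if PLUS_JOINED_WORDS.search(_body_text(msg)):
        findings.append("plus signs used instead of spaces in body")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("benign", BENIGN_RAW)):
        print(label, "->", phishing_indicators(raw) or "no indicators")
```

Treat the output as a triage signal rather than a verdict: a matching display name is common when someone emails themselves a reminder, and plus-joined words can appear in legitimate URLs, so a hit should route the message for a closer look (or a phone call to the supposed sender) rather than block it outright.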
If your organization is not running a phishing awareness training campaign, you need to start one. At a minimum, requiring multifactor authentication on email logins blunts the type of attack described above, because a stolen username and password alone are no longer enough to read the mailbox. If you don’t know where to start, contact Uzado today to help you get started.