Email - Fast, efficient and dangerous
Every day, on average, over 190 billion[1] emails are sent throughout the world. That figure represents a huge challenge for information security professionals and organisations globally.
The cost of email
Just as email is the preferred method of communication for many businesses, it is also a popular vehicle for fraudsters, spammers and those wishing to distribute malicious software. To them, email represents a cheap, efficient and expedient method to target specific individuals, organisations or the masses.
Due to the sheer volume of email messages we receive on a daily basis, many users have to review, reply to or action the email messages they receive with haste, lest their inboxes become overwhelmed. This haste can reduce vigilance, and the indicators that suggest an email may not be what it seems are often overlooked.
What is considered phishing or spear phishing?
The use of email by those with the end goal of defrauding their targets leverages the inherent trust that people put in information they receive from people they know or respect; a concept known as social engineering. Perpetrators typically obfuscate the source address of their emails by using a trusted name, be it a work colleague, friend or authoritative figure in the hope that an unwary recipient will open the email and take action on the instructions contained therein; a process known as phishing or spear phishing. Phishing attacks are one of the most common methods used to first gain access to an organisation’s sensitive information.
While social networking sites such as LinkedIn and Facebook can be valuable tools to businesses, and an “About Us” or “Meet the Team” section on a website helps to personalise an organisation, they also offer a rich source of information which can be misused by fraudsters.
During 2014, EY has assisted a number of organisations in responding to incidents where they have been targeted with fraudulent payment requests via email. During these campaigns, one or more staff members received emails purporting to be from senior executives in the target organisations, containing instructions to make urgent payments via wire transfer. In the majority of these incidents, the sender's email address appeared at first glance to be a recognised, authorised address, but upon closer inspection it was discovered that the address had been spoofed: it contained a single duplicated letter, or a letter of the ‘original’ address had been exchanged for a similarly shaped one.
Phishing and spear phishing emails may contain an attachment or a link to what may appear to be a legitimate website. The links often send the user to a malicious ‘copy’ of a legitimate website, such as a banking or social media website for example, which is designed to steal their login credentials.
We have also observed a significant increase in the number of organisations seeking our help in responding to ransomware incidents. A common delivery method for ransomware is via phishing emails where the perpetrator impersonates a reputable organisation; recent examples targeting Australian businesses have impersonated Australia Post and Energy Australia.
Minimising your exposure
One of the most important tools in the fight against phishing is vigilance. Employees must treat each and every email with a degree of caution, especially emails that contain links or attachments. While technology does assist in the prevention of phishing attacks, individual responsibility and awareness of social engineering tactics are the strongest line of defence.
A few tips for recognising fraudulent or phishing emails:
- Always be suspicious - treat every email with caution
- Check for poor spelling and grammar
- Hover over links to confirm their validity
- Don’t open attachments unless you are certain that the source can be trusted
- Read an email more than once - particularly when emails contain instructions or requests
- If in doubt, contact the sender to confirm that the email is valid, preferably in person or via telephone
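Two of the indicators above lend themselves to an automated check that a mail gateway or a helpdesk triage script can run before a busy recipient ever sees the message: the spoofed sender addresses described in the 2014 payment-fraud incidents (a duplicated letter, or a similarly shaped letter swapped into a known domain) and the "hover over links" check, where the visible link text names one site but the underlying href points somewhere else. The following is an added example, written for this page and not code from EY or from the article; the trusted-domain list, the homoglyph table and the sample message are all constructed assumptions, and the domain comparison is deliberately simple (one edit away from a trusted domain, or identical after collapsing doubled letters and confusable characters) rather than a full public-suffix-aware implementation.

```python
"""Flag lookalike sender domains and mismatched link text in an email.

Added example (assumptions: the trusted-domain list, the homoglyph table and
the sample message below are constructed for illustration).
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation genuinely sends from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Single characters that are easily confused at a glance, mapped to one form.
# Multi-character confusables ('rn' for 'm', 'vv' for 'w') are handled below.
HOMOGLYPHS = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})


def normalise(domain):
    """Canonical form of a domain: fold confusables and collapse doubled letters."""
    folded = domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    out = []
    for ch in folded:
        if not out or out[-1] != ch:   # 'examplle' -> 'example'
            out.append(ch)
    return "".join(out)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain):
    """Return 'trusted', 'lookalike' (close to a trusted domain) or 'unknown'."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or levenshtein(domain, trusted) <= 1:
            return "lookalike"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of a bare 'host/path' string; '' if none."""
    if "://" not in value:
        value = "http://" + value
    try:
        return (urlparse(value).hostname or "").lower()
    except ValueError:
        return ""


def registered_domain(host):
    """Last two labels of a host (simplification; no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def mismatched_links(html):
    """Return (text, href) pairs where the visible text names a different domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        text_host = host_of(text)
        if "." in text_host and " " not in text_host:   # text looks like a host/URL
            if registered_domain(text_host) != registered_domain(host_of(href)):
                findings.append((text, href))
    return findings


def analyse(raw_message):
    """Run both checks over a raw RFC 822 message and report the findings."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
    return {
        "sender_domain": sender_domain,
        "sender_verdict": classify_sender_domain(sender_domain),
        "link_mismatches": mismatched_links(html),
        "has_attachment": any(p.get_content_disposition() == "attachment" for p in msg.walk()),
    }


# Constructed sample: a lookalike sender (doubled 'l') and a mismatched link.
SAMPLE = """\
From: "Jane Doe, CFO" <jane.doe@examplle-corp.com>
To: accounts@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/html; charset="utf-8"

<p>Please process the payment today. Details are in the portal:
<a href="http://example-corp-payments.invalid/login">www.example-corp.com/payments</a></p>
"""

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Running the module on the constructed sample reports the sender as a lookalike of example-corp.com and lists the single link whose text claims www.example-corp.com while the href goes to a different domain. The checks are heuristics: normalisation folds only a handful of confusables, and an edit distance of one on short domains will produce false positives, so in practice the verdict should route a message to human review (the article's "contact the sender by telephone" step) rather than block it outright.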
These tips are a good place to start, however, a comprehensive employee education and awareness program that is delivered regularly is perhaps the best defence.