Tuesday, 4 June 2019

From Spam to Phish – Cyber Crime on a Plate

Email – love or hate it as a form of communication, it touches most of us every day and shows no signs of going away. But with email comes risk.

Email – love or hate it as a form of communication, it touches most of us every day and shows no signs of going away. This is especially true in the workplace, where it hasn’t yet been dislodged by the various messaging apps as the preferred medium for sending information.

Email falls into several categories, including: those so long that you can’t be bothered to read them; those so short they border on rude; those with a million attachments that you’ll never open; and so on, and so on. Oh, and spam, of course.

As soon as email became popular, so did spam. Before email filtering became more sophisticated, you were in danger of losing the messages you did want to read in a wonderfully bonkers (and sometimes disturbing) sea of offers of discounted hair dye, a better love life, cleaner toe-nails and so on. I could go on, but the censors would pull the plug. You know what I mean.

Head over to Wikipedia and it says of spam: "The name comes from Spam luncheon meat by way of a Monty Python sketch in which Spam is ubiquitous, unavoidable and repetitive".

Remember those last three words.

It wasn’t long before another kind of email began to appear amongst the nonsense we woke up to every day. These were really interesting because you’d won something, usually money, and all you had to do was reply with your address and bank details and…

Oh… Oh dear…

Not particularly sophisticated, but send enough of them and someone will bite. Bite they did, but then people became more aware of these primitive scams through the news and word of mouth, and they even acquired some comedy value. Sure, they still get sent, but we have filters, we know what they are and we know to avoid them. We’re somewhat better educated.

So the bad guys opened their laptops, pulled their hoodies further over their faces and had another think.

What if, instead of sending an email from an obviously unfamiliar source, you could send one that looked like it came from a known sender? That could be an organisation like a bank, a colleague, or a relative.

And why stop there? How about making it look even more authentic by including some information about the recipient, and trading that for a bit more information each time, until you had enough to do some real financial damage?

And so phishing was born, followed by the more targeted spear-phishing (aimed at a specific person) and whaling (aimed at senior executives). I’m not talking about any kind of personal Captain Ahab revenge here – it’s widespread organised fraud – crime – that just happens to have fishy names.
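As an added example (this is not code from the original post, and it is not a product of the company behind it), here is the kind of header check a mail gateway or a wary finance team could run on an incoming message to catch the tricks described above: a trusted contact’s display name sitting on an address nobody has seen before, a sender domain one typo or one look-alike character away from a real supplier, and a Reply-To or Return-Path that quietly points somewhere else. The address book and the four sample messages are constructed for illustration, and the trusted-domain set, the confusable table and the one-edit budget are assumptions you would tune for your own supplier list.

```python
import email
import unicodedata
from email.utils import parseaddr

# Hypothetical address book: the senders this business genuinely deals with.
# Keys are addresses, values are the display names staff expect to see.
TRUSTED_CONTACTS = {
    "accounts@acme-supplies.co.uk": "acme supplies accounts",
    "j.smith@examplebank.com": "john smith",
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in TRUSTED_CONTACTS}

# Characters and digraphs that read as another letter in most mail clients
# (digit zero for o, digit one for l, "rn" for m, "vv" for w, Cyrillic a/e/o/p/c).
CONFUSABLES = {
    "0": "o", "1": "l", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def fold(text):
    """Case- and compatibility-fold text so comparisons ignore case and glyph width."""
    return unicodedata.normalize("NFKC", text).casefold().strip()


def fold_domain(domain):
    """fold() plus confusable substitution: 'acme-supp1ies' compares equal to 'acme-supplies'."""
    domain = fold(domain)
    for lookalike, letter in CONFUSABLES.items():
        domain = domain.replace(lookalike, letter)
    return domain


def edit_distance(a, b):
    """Levenshtein distance; one edit is the budget allowed for a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return fold(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def check_sender(raw_message):
    """Return a list of impersonation signals found in the headers of one raw message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = fold(name), fold(addr)
    domain = domain_of(addr)
    findings = []

    # 1. A trusted contact's display name on an address we have never dealt with.
    if addr not in TRUSTED_CONTACTS and name in TRUSTED_CONTACTS.values():
        findings.append(f"display-name impersonation: '{name}' from {addr}")

    # 2. A domain one typo or one confusable away from a trusted one, or one that
    #    embeds a trusted domain as a label (acme-supplies.co.uk.portal.example).
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(fold_domain(domain), fold_domain(trusted)) <= 1 or trusted in domain:
                findings.append(f"lookalike domain: {domain} resembles {trusted}")
                break

    # 3. Replies or bounces quietly routed to a different domain than the From.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(parseaddr(msg.get(header, ""))[1])
        if other and other != domain:
            findings.append(f"{header} domain {other} differs from From domain {domain}")
    return findings


# Constructed sample messages (headers only), not captured from real traffic.
LOOKALIKE = """From: Acme Supplies Accounts <accounts@acme-suppIies.co.uk>
To: payments@example.org
Subject: Updated bank details for invoice 4471

Please use the new account on the attached remittance advice.
"""
CYRILLIC = "From: Acme Supplies Accounts <accounts@\u0430cme-supplies.co.uk>\nSubject: Remittance\n\n"
REPLY_TO = """From: John Smith <j.smith@examplebank.com>
Reply-To: John Smith <john.smith.examplebank@webmail-example.net>
Subject: Re: signature form

Can you send the signed form back to me today?
"""
CLEAN = "From: John Smith <j.smith@examplebank.com>\nSubject: Monthly statement\n\n"

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("cyrillic", CYRILLIC),
                       ("reply-to", REPLY_TO), ("clean", CLEAN)]:
        print(label, check_sender(raw) or ["no findings"])
```

Treat the output as a triage signal rather than a verdict: a Reply-To on a different domain is normal for mailing lists and some ticketing systems, and a real supplier can legitimately move to a new domain. The point is that each of these checks is cheap and catches the exact tricks a convincing phish relies on, so a message that trips one deserves a phone call on a number you already hold before anyone acts on it.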

Never heard of those names? Well, like those annoying spam messages you now know to ignore, they are also ubiquitous, unavoidable and repetitive. Well, certainly ubiquitous and repetitive. But you may not even notice them.

Read on in order to find out how to drop ‘unavoidable’ as best you can.

Consider this: someone going through the rubbish bin outside your house. If you throw all your paperwork into it, anyone going through that bin already has some criminally useful information about you. They have your address and, potentially, account numbers (back to those primitive emails!) and the other personal details that are increasingly used to verify your identity.

If you haven’t already, you’ll probably want to stop doing that with your paperwork. But what about your online life? There’s likely a lot of information about you across your social media accounts that the providers want from you to build their profile of you and, often by default, it’s shared with everyone else. Your posts also give a lot away about where you are and what you’ve been doing.

Imagine someone having this information and the ability to message you from what looks like a known source, asking you to do something plausible. That message could be an email, but it could just as easily arrive through one of the apps you use for messaging, or directly through a social media platform.

It’s powerful stuff, and it is increasingly used by people out to cause harm to individuals and businesses. Those people are, increasingly, organised criminals.

The form this kind of attempted crime takes is an ever-changing beast, ranging from a route-one attempt to get you to log into what looks like a legitimate website, to a slow drip of building trust over months, sharing and collecting tiny pieces of seemingly insignificant information until there is enough of a picture to pull the trigger.

Sending thousands of emails in the hope of a bite doesn’t work so well these days. Why not spend a bit of time gathering the information you need about an individual, and take them, or the organisation they work for, for thousands of pounds instead? It’s easier than robbing a bank.

Imagine a contact from an apparently trusted supplier building that trust further, over time, through fake emails and even phone calls (known as voice phishing, or vishing).

Then, one day, they email you to inform you of a change to their bank details, just before you pay one of their more chunky bills. Except this new account doesn’t belong to the supplier at all. You learn this too late and the money is gone. The one check that defeats this is to confirm any change of bank details by phoning the supplier on a number you already hold, never on one given in the email.

What are you or your employees sharing about yourselves online that could be used to gain trust, or to put together an electronic message so convincing that it gets the same response as one from a legitimate source?

Your business or personal email address, where you live, where you go, what car you drive and its registration, the names and ages of your children… and so on.

Your Mother’s maiden name doesn’t sound like such a safe question now, does it?

Whilst the technology to combat this type of crime is improving, much as spam filters did, it will always be reactive. Besides, the people attempting this kind of fraud rely on people, rather than flaws in infrastructure, most of the time. It’s people who share much of the information they are after.

So how do we prevent this as best we can? Education and training.

Yet if you bring someone in once a year to tell your staff about the dangers of phishing, the information will likely be out of date as soon as the trainer leaves the car park. And how can you be sure that everyone attending has taken the information on board and changed their behaviour, until it’s too late?

What if you could train people about this kind of cyber crime and measure the change in behaviour easily and automatically? Even better, what if you could do this continually, keeping everyone up to date on new types of threat and how best to protect themselves and your business?

All of the above is possible with a single, simple and inexpensive solution in the form of our security training and awareness product that does it all in one.

Too good to be true?

Unlike those dodgy emails, this service really is good, and its continuous cycle of training and testing improves awareness of all aspects of cyber and online hygiene, not just how to spot a phishing email.

For more information contact Grant McGregor on 0808 1664 4142.