Social engineering techniques, including phishing attacks, are used to steal money, usernames, passwords and other sensitive data. Attackers using these techniques are increasingly sophisticated and skilled at making their messages look like legitimate business email and at fooling their victims.
For example, consider the following hypothetical email that could have been received by the controller of a company, seemingly from the company’s CEO –
At first glance, the email appears to be a reasonable request, but on closer inspection there are many things about the email that are suspicious –
The email was addressed to Steve Warren, the former controller at the company. All of Steve’s email was being forwarded to Alan Johnson (the new controller), so it is reasonable that Alan would have received the message. However, the CEO would know that Steve Warren no longer works for the company and would have written directly to Alan Johnson, not to Steve Warren.
If the CEO had issued wire transfer instructions in the past, he would be expected to know what information the controller needs. If he had never issued such instructions before, the sudden request is itself out of pattern and should be questioned.
The email had been caught in the spam filter, which only inspects mail arriving from outside the company; messages sent from one employee to another never pass through it. A message that claims to come from the CEO but was processed by the external filter therefore did not originate on the company’s own mail system. Beyond that, any email the filter blocks should be viewed with suspicion.
The email doesn’t “sound” like the way Bill James, the CEO, speaks or writes, and it contains multiple spelling, capitalization, grammatical and punctuation errors, which collectively raise questions about its validity.
When Alan clicked Reply, he observed that the reply address was firstname.lastname@example.org despite the “From: Bill James [mailto:email@example.com]” that appeared in the incoming message. This is an example of “spoofing”: the attacker presents a familiar name and address in the visible From line but sets the Reply-To header to a mailbox he controls, so a reply never reaches the real sender. Any mismatch between the From address and the address a reply will actually go to is a strong indicator of a forged message.
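The header indicators described above (a Reply-To that differs from the From address, a familiar display name attached to an unfamiliar mailbox, and near-miss spellings of the company’s own domain) can be checked mechanically before anyone acts on a message. The following Python script is an added example and is not code from the original article or from Citrin Cooperman; the domain company.example, the internal directory, the edit-distance threshold and the sample messages are all constructed for illustration, and the look-alike domain check goes slightly beyond the incident described by also catching misspelled domains.

```python
"""Flag header-level phishing indicators in a raw email message.

Added example (not from the original article). Assumptions, all hypothetical:
  - the organisation's real mail domain is company.example
  - DIRECTORY maps known display names to their genuine mailboxes
  - a domain within edit distance 2 of the company domain is a look-alike
"""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "company.example"          # hypothetical real domain
DIRECTORY = {                                # hypothetical internal directory
    "bill james": "bill.james@company.example",
    "alan johnson": "alan.johnson@company.example",
}
LOOKALIKE_MAX_DISTANCE = 2

# Constructed sample: From looks internal, Reply-To points at a look-alike domain
SAMPLE_MESSAGE = b"""\
From: Bill James <bill.james@company.example>
Reply-To: Bill James <bill.james@cornpany.example>
To: Steve Warren <steve.warren@company.example>
Subject: Wire transfer needed today

Steve, I need a wire sent today. What details do you need from me?
"""

# Constructed sample: a known executive's name on an outside mailbox
FREEMAIL_MESSAGE = b"""\
From: Bill James <billjames.ceo@mail.example>
To: Alan Johnson <alan.johnson@company.example>
Subject: Quick favour

Alan, are you at your desk?
"""

# Constructed sample: genuine internal mail, should produce no findings
CLEAN_MESSAGE = b"""\
From: Bill James <bill.james@company.example>
To: Alan Johnson <alan.johnson@company.example>
Subject: Board deck

Alan, the Q3 deck is attached to the shared drive folder.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (catches cornpany vs company)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased part of an address after the '@'."""
    return addr.rpartition("@")[2].lower()


def analyze_headers(raw: bytes) -> list:
    """Return a list of human-readable findings for the message headers."""
    msg = email.message_from_bytes(raw)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _reply_name, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. Reply-To that sends the answer somewhere other than the From domain
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to {reply_addr} does not match from {from_addr}")

    # 2. Known display name paired with a mailbox the directory does not know
    expected = DIRECTORY.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' used with {from_addr}; "
                        f"directory has {expected}")

    # 3. Domains that are close misspellings of the company's own domain
    for addr in {from_addr, reply_addr} - {""}:
        dom = domain_of(addr)
        if dom != COMPANY_DOMAIN and levenshtein(dom, COMPANY_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
            findings.append(f"domain {dom} resembles {COMPANY_DOMAIN}")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("freemail", FREEMAIL_MESSAGE),
                       ("clean", CLEAN_MESSAGE)):
        print(label, analyze_headers(raw) or ["no findings"])
```

The checks are deliberately cheap so they can run at the gateway or in a mail client add-in; a finding is a reason to pick up the phone, not a verdict. A real deployment would source the directory from the identity provider rather than a literal in the script.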
Fortunately, Alan recognized the email as suspicious and questioned it rather than acting on it. The incident serves as a reminder that everyone needs to be careful and to follow basic safeguards –
Never open an email attachment that you weren’t specifically expecting to receive. If in doubt, call the sender on the phone, or create a new email (i.e. type in the recipient’s address yourself; don’t reply to the questionable email or copy/paste its reply address) to confirm that the attachment was legitimately sent.
Never click on a link within an email that you weren’t specifically expecting to receive. If in doubt, call the sender on the phone, or create a new email to confirm that the link was intentionally included in the email.
Never initiate a wire transfer or otherwise send money without calling the person who requested the transfer. It is important that you always place the call yourself, to a number you already have on file rather than one supplied in the email, and that you never rely on an inbound call from the requester (attackers will often call claiming to be someone else).
Never change shipping instructions based on an email or phone call you receive. Always call the customer or recipient on the phone, or create a new email to confirm the change in shipping instructions.
Consider establishing a unique secret word or phrase that you provide to each customer or person who may initiate wire transfer requests or changes, or who may provide order-specific shipping instructions. Provide the secret word or phrase to them verbally (never in an email), then call them on the phone and ask them to verbally provide to you the secret word or phrase each time before you act on any new or changed instructions.
Don’t be fooled by emails that “look” legitimate because they contain customer logos or customer names and titles. Do pay attention to misspellings in names and email addresses (especially in the domain, the part of the address that follows the “@” sign), references to former employees or customers, unusual requests, spelling, grammatical or punctuation errors, etc.
Be especially careful with any email that the spam filter blocked, and particularly with blocked email that appears to come from other company staff, since genuine internal mail never passes through that filter. Remember that if the spam filter blocked a message, it is because the software identified something “questionable” about it.
Social engineering and phishing attacks don’t only arrive via email; hackers will also attempt to call you on the phone or send you materials through the postal service. Be suspicious. It’s better to be suspicious and cautious than to be the victim of a hacker and transfer money, goods or information to a criminal.
For more information about Citrin Cooperman Technology Consulting, please contact David Rosenbaum, Principal, at 914.693.7000 or firstname.lastname@example.org.