If ransomware hackers can infect me by sending fake e-mail messages from the company I work for, how am I supposed to protect myself?
As I discussed in a recent post, crypto ransomware is using a variety of methods to trick victims into clicking on malicious links or opening rigged file attachments.
One of those methods is referred to as “spear phishing” because the hackers are using information about you to make the message seem more legitimate.
These “social engineering” techniques, like spear phishing, continue to be a hacker’s preferred method of gaining unauthorized access to your computer. Why spend endless hours trying to hack in from the outside when it’s so much easier to trick a human into allowing them in?
We’ve all experienced and can identify the obvious phishing scams that are so common. Whether it’s an alert from a bank we don’t have an account with or a retailer that we’ve never purchased anything from, we tend to know better.
But spear phishing is a targeted scam message that appears to come from a bank or organization you actually do business with and, often in the case of ransomware, from the company you work for.
Hackers know you get e-mails from your company all day long, so sending you a message that appears to be from your HR department or a co-worker is more likely to get opened.
As an example, if you got a message from the owner or CEO of your company with news that the company was being acquired, wouldn’t that concern you? You would probably open the attached “announcement” document without even thinking about the dangers (this actually happened at one company).
Think about how much useful information exists about you, your work and the things you like to do from sites like LinkedIn, Facebook and Twitter. It wouldn’t be hard to craft a personalized message that appears to be relevant.
If you got an email message from what appears to be a co-worker saying they found an awesome viral video or a concert event for an artist you like, you’d probably click on the link without thinking twice.
Remember, with all of the things on your computer that can be exploited if you don’t keep it up to date, all it takes is one click of the mouse for a silent attack to occur.
Here are my suggestions for sniffing out company-based spear phishing attempts:
Read the entire message and pay attention to the salutation, grammar and punctuation before clicking or opening anything. When something seems different from regular communications, be suspicious.
Look for the sender’s standard signature at the bottom of the message. If it’s not there, be suspicious.
If the message came with a link, don’t click on it but hover your mouse over it to see if the displayed address and the actual destination match. When they don’t, you’ll know right away that something’s phishy.
Go old school and pick up the phone to ask the person listed as the sender to verify that they actually sent the message (don’t reply to ask as it could cause your co-worker to click on the malicious link!).
Your IT department should set up Sender Policy Framework (SPF) for the company domain: an SPF record published in DNS lists the servers allowed to send mail for the domain, and the company mail server checks incoming messages against it to detect spoofing attempts from unauthorized outside servers. Keep in mind that SPF checks the server sending on behalf of the domain, so it does not catch a message sent from a lookalike domain or one that only forges the display name.
Today’s clever e-mail scams require that you take the “guilty until proven innocent” approach to everything in your inbox.