One click is all it takes.
Once upon a time, a long time ago (say 2013), sorting the spam from the legitimate email wasn’t a hard task. When you got something like the example below, the analysis was simple: ‘Please send me all your identifying information and we will send you money’. Or, more likely, they would empty your bank account if you were foolish enough to do what they asked.
As I have been teaching security awareness classes, I have been updating the list of clues for determining whether you have received spam. The list used to include: look for bad grammar or obvious spelling mistakes; were you expecting this email?; is the attachment type one you normally get?
As time has passed, that list has been updated to add lures like:
- Social media companies allegedly implementing new login procedures
- Credit card companies asking the user to open an attachment and verify account details
- Online merchants saying they’ve temporarily suspended an account
- Banks asking the user to “click here” to restore account access (this, too, duped a portion of respondents)
I always stress that users should NEVER EVER EVER EVER click on a link without first hovering over it to confirm that the destination is the one they expect. I also teach that if the destination is going to require a login, HTTPS:// is a requirement. A recent article by Brian Krebs points out that phishers are taking the time to get certificates so they can host a malicious site over an HTTPS connection to appear legitimate. From the article:
In November, PhishLabs conducted a poll to see how many people actually knew the meaning of the green padlock that is associated with HTTPS websites.
“More than 80% of the respondents believed the green lock indicated that a website was either legitimate and/or safe, neither of which is true,”
If your users have the same misconception, then there is a serious security issue that needs to be addressed. Phishers can now get SSL certificates for free, so there is no monetary barrier preventing them from making a website look more trustworthy.
I have taken to using this cartoon in my training. It highlights the fact that regardless of how many devices and pieces of software you have in place to protect your network, you still have to allow email into your network. As long as that happens, the users have the last say as to what happens when spam comes in.
Considering the new wave of attacks with fileless malware, users need to be even more vigilant. In case you aren’t familiar with the so-called fileless attack, it involves sending an attachment that runs a macro, which downloads the malware in the form of a PowerShell script. The malware runs in memory and thus leaves no payload file on disk. Alternatively, the user could be browsing a compromised website, and a vulnerable application is exploited to get the PowerShell script onto the victim’s machine. The script downloads the encryption software and key and does the damage of a ransomware attack.
The threat landscape keeps evolving. Just as the inhabitants of any environment must adapt to changing conditions, you and your users need to keep up with the threats or suffer the consequences. Last year businesses paid $1 BILLION in ransoms. They felt that was the best solution. Really, the best solution is to keep your users up to date and, just in case, to have a tested, working backup procedure in place.