There is a battlefield, and it exists inside every organization, in fact, inside nearly every device. This war is waged within the email inbox. The defenders of this battlefield are your employees. They are protecting this sacred ground from faceless attackers who set their sights on malice every single day. And in many respects, these faceless attackers are winning.
Humans, we’re fallible. We make mistakes. That’s especially true when it comes to digital tools. The vast majority of cyberattacks are caused by human error. For the most part, these errors are not malicious. They involve good people who make mistakes. These mistakes can be very costly.
We often forget that cyber criminals, or hackers, aren’t hoodie-wearing, keyboard-clicking malcontents or UV-starved, Mountain Dew-guzzling, Cheetos-chomping deviants lighting their parents’ basement with the soft glow of computer screens. No, cyber criminals, or hackers, are students of human weakness. Many have learned, through much trial, how to exploit human vulnerabilities for gain. This is their work; they take it very seriously, they are very good at what they do, and they often get paid handsomely to do it. In many cases, they are part of a well-directed cyber criminal gang, or what we call Mafia 2.0, that acts much like a corporation, where everyone has a job to do and each job is marching toward the ultimate aim of stealing money, lots and lots of money.
One organized crime syndicate, known as Fin7, has a research and testing division. They have managers, money launderers, software developers and testers. They have been known to pull in as much as $50 million a month. In all, they’ve stolen over $1 billion from organizations and individuals. This is one cyber group. Granted, they’re a very successful cyber group.
According to the Department of Justice, this one group has stolen hundreds of millions of credit cards from popular franchises like Chipotle, Arby’s, Red Robin, Sonic, and Chili’s. They have been able to accomplish this by sending highly targeted spear phishing emails to specific employees, such as managers or those who handle reservations or catering requests. These are employees for whom getting emails from strangers is not uncommon. The attackers at Fin7 know this, because they have done their homework.
The spear phishing emails they send are loaded with malware. When the targets take action on the email, such as downloading an attachment, this malware gives Fin7 access to the network, where it can do its bidding, including stealing credentials and ultimately customer card information. Fin7 spends time scouting organizations and learning their hierarchy, corporate language, and culture. The point here is that the bad guys are using the information available to them to their advantage. Because there is a lot of information about companies and individuals freely available on the internet, or which can be garnered from previous data breaches, cyber gangs like Fin7 have plenty of information to work with.
The passageway into an organization’s network is, as you can see, more often than not, the email inbox. It is the easiest and most effective way for cyber criminals to distribute malware or trick users into giving away valuable, sensitive, or personal information.
Let’s take a brief look at the most common techniques cyber criminals will use to get inside an email inbox.
Phishing / Spear phishing: These are emails crafted to look like legitimate correspondence from organizations like Google, Amazon, LinkedIn, UPS, Target, banks, and many others. While phishing is devoid of personalization, the fact that the emails look highly similar to those of the organization in question can often prompt users to click on links, download attachments, or enter credentials.
Spear phishing emails do contain a level of personalization, meaning, in many cases, criminals have taken the time to scout out the target. Often, the information contained within the email is tailored for the target. So, while spear phishing campaigns are more intensive to create, their success rate is notably higher.
Vishing / Smishing: Smishing is essentially a phishing attack in text message form. It works because people are more trusting of correspondence that comes via their mobile device and are in a greater hurry to respond to requests that arrive there. Also, the content is shorter, which makes it harder to judge.
Roughly 30% of all mobile calls today are spam calls. In vishing, attackers use phone calls to try to get targets to cough up information. The key to these types of attacks is that people want to be helpful when there is a voice on the other end of the line; the bad guys use that to their advantage.
Whaling / Business Email Compromise: In whaling, you’re going after the big fish. That might be a CEO, a celebrity, or a cash cow. You are going to spend a lot more time crafting your attack, but the rewards could be worth the effort.
Business Email Compromise (BEC) is one attack vector that has grown in both prevalence and the worry it causes. In BEC scams, an attacker may spoof (fake) an email from a CEO to someone in the finance department requesting an immediate wire transfer. The unfortunate individual in finance, thinking he’s helping by fulfilling the request, wires thousands of dollars out to the bad guys. We’ve seen companies lose thousands, if not millions, of dollars to this scam. It’s heartbreaking.
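As an added illustration that is not part of the original post, here is a small Python check for the BEC warning signs just described: a known executive's display name on an address that is not theirs, a Reply-To that quietly redirects the conversation, and urgent payment wording in the body. The executive list, keyword lists and both sample messages are constructed for the example, not real traffic.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for the example: executives that attackers impersonate
# and wording typical of the "wire this immediately" request described above.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_TERMS = ("immediately", "urgent", "asap", "right away")
PAYMENT_TERMS = ("wire transfer", "bank account", "gift card", "invoice")

def analyse_bec(raw_message: str) -> list:
    """Return the BEC warning signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. A known executive's display name, but not their real address.
    name, addr = parseaddr(str(msg.get("From", "")))
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("executive display name with unexpected sender address")
    # 2. Replies silently redirected to an address the attacker controls.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To address differs from From")
    # 3. Urgency combined with a payment request in the body text.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        findings.append("urgent payment request in body")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.test>
Reply-To: jane.doe.ceo@webmail.test
Subject: Wire transfer needed today

I am in a meeting and cannot talk. Please send a wire transfer to the
bank account in the attached invoice immediately.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
Subject: Board slides

Attached are the slides for Thursday's board meeting.
"""
```

A mail gateway rule built on these three signals would flag the spoofed message on all three and leave the legitimate one untouched; the keyword lists are the part worth tuning to your own finance vocabulary.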
The greatest tool to give your employees, so they will not fall for the above scams, is education. By understanding how these attacks work, employees are less likely to fall for them. Cybersecurity seems like a daunting world to many, but by understanding how the above attacks work, your team will begin to see the cadence in online scams. Then the world of cybersecurity feels a lot less overwhelming.
The two best ways to do this are training and testing.
Training: We don’t allow employees to drive a forklift without proper training. So, why is it that we allow people onto the network without proper training? It doesn’t make any sense. Thankfully, this is changing; companies are beginning to recognize the value of protecting the network and, what we call, the human firewall. The human firewall is how your team is able to protect your network from harm. Make no mistake, it is as critical as your physical network. The most hardened network is useless without knowledgeable humans behind it. It’s similar to a locked door, which is useless the moment a team member opens it and lets a stranger into the building.
Good training will equip your team with the tools to spot and avoid cyber-attacks and with the most effective ways to keep the organization safe in both the cyber world and the physical world. Good training should also include ways the attendees can keep themselves safe personally in a world where more and more of our lives and sensitive information are being migrated to digital tools. Training is often done in a classroom environment or on an eLearning platform.
Testing: In testing, team members are sent social engineering (e.g. phishing / spear phishing) emails from an authorized third party. These emails resemble the types of emails your users might receive from attackers. The emails will prompt users to act in a certain way, such as clicking on a link, downloading an attachment, or entering credentials.
These emails allow your team to learn in a safe environment, so they are more prepared when the real thing comes across their inbox. It also helps stakeholders understand who needs more testing or closer monitoring. In the future, an employee’s ability to keep the network safe will become a requisite for employment. Testing is a way to ensure that your team has the skills to do just that, to keep your organization and its digital assets safe.
Your team members are now soldiers on a front line in a battle to protect your assets from experienced criminals. The front line is your employees’ email inbox. The key is to give them the tools to properly wage this battle. Training and testing are two important weapons in this fight. With threats increasing, not equipping your team with these tools can put your organization at a distinct disadvantage.
To learn more about TriCorps’ Training and Testing services, click here.