Safety in a sea of click bait

Sam Macleod
Published in SafeStack
3 min read · Jan 31, 2017

You’ve all heard this story before: 10 steps to stay safe online, spot the phishers before they catch you, and so on.

We used to give people a list of basic things to check:

  • Is the email from somebody you don’t know?
  • Are they asking you to open an attachment, or go to an external link?
  • Does the sender have poor English language skills?
  • Is the email from an exiled billionaire prince?

Trouble is, phishing has come a long way since we first came up with this advice; it is potentially a billion-dollar industry. The rise of ransomware laid the foundations for criminal organisations to build large, highly profitable businesses around encrypting your files.

These attacks are designed to execute malware that encrypts certain files on your computer, making them completely unusable. Victims are then prompted to contact the attackers’ customer support agents and make a payment in Bitcoin. In return, the attackers promise to provide the decryption keys, and possibly some support with the decryption process.

Many of these organisations have built very sophisticated systems for managing their attacks, with a strong focus on customer service: making the process of payment and remediation as simple and user friendly as possible. It has even been suggested that some traditional organisations could learn a thing or two about customer service from ransomware gangs.

Organisations like this make fewer of the sloppy mistakes we are used to seeing in phishing campaigns. The spray-and-pray approach of sending out as many low-effort emails as possible is still around, but the best money is made from the more targeted approach, also known as spear phishing. Attackers do their research and put a lot of effort into crafting an attack aimed at a specific individual or small group of people.

Imagine a phishing email sent via an eSignature service. You might receive an email asking you to review a malicious document, delivered through a completely legitimate and reputable service. If the attackers take the time to look over your social media profiles, they can even make it appear to come from somebody who would have a perfectly good reason for contacting you.

Using the same old approach to protect against these campaigns isn’t going to be enough. Targeted phishing messages won’t seem suspicious by many of the traditional metrics. To keep up with modern phishing threats, we need to focus more on the concepts behind phishing identification. So, what should we be looking out for?

  • Unexpected messages
    An email referring to a conversation you never had, or a project you’ve never been a part of.
  • Unexpected communication channel
    Receiving an attachment when you’d usually expect a SharePoint link, or receiving a message from a different account than the one you’re used to the sender using. If you suspect an attacker may be impersonating somebody you know, it’s never a bad idea to give them a call to check.
  • Call to action
    Most phishing attacks will still need you to actually do something, like click on a link, visit an external site, or download and open a file. Phishing messages will often try to throw you off track by either pressuring or incentivising their call to action in some way.

However, perhaps the most important lesson to take from the boom in ransomware is to have a plan and be prepared to recover. Some phishing attacks will still get past even the best-prepared people.

To make sure this doesn’t mean disaster:

  • Keep backups
  • Make sure everything you need to protect is actually backed up
  • Set a decent retention period
  • Test your backups regularly (they are no good if they don’t work)

If you’re not backing something up, then you should be pretty confident that you could happily live without it. Also keep in mind that there is usually a delay between being attacked and realising what has happened (sadly this is sometimes measured in months). If your backups are overwritten during this period, then all you are going to end up with is encrypted backups, as a certain police department recently learned the hard way.
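Worked example added here (not from the original post) to show the two failure modes above: a backup whose integrity check passes even though its content is already encrypted, and a retention period shorter than the delay before the attack is noticed. The script backs up a constructed directory, restores it to a scratch location and compares hashes against a manifest, screens the restored files for random-looking content, then checks a weekly snapshot schedule against two retention periods. The paths, dates, entropy threshold and function names are assumptions for the illustration.

```python
import hashlib
import json
import math
import os
import tarfile
import tempfile
from collections import Counter
from datetime import date, timedelta
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte (assumed cut-off); encrypted data sits near 8.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 means the content looks random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def make_backup(src: Path, archive: Path) -> dict:
    """Tar up src and write a {relative_path: sha256} manifest beside the archive."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest))
    return manifest


def restore_and_verify(archive: Path) -> list:
    """Restore the archive into a scratch directory and report problems:
    files missing or altered relative to the manifest, and files whose
    content looks encrypted. A clean, working backup returns an empty list."""
    manifest = json.loads(archive.with_name(archive.name + ".manifest.json").read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # Use the safe extraction filter where this interpreter provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(("missing", rel))
                continue
            if sha256_file(restored) != digest:
                problems.append(("altered", rel))
            if shannon_entropy(restored.read_bytes()) > ENTROPY_THRESHOLD:
                problems.append(("looks-encrypted", rel))
    return problems


def clean_restore_points(snapshots, encrypted_on, discovered_on, retention_days):
    """Snapshots taken before the encryption that are still retained on discovery day."""
    oldest_kept = discovered_on - timedelta(days=retention_days)
    return [s for s in snapshots if oldest_kept <= s < encrypted_on]


def run_scenario() -> dict:
    """Constructed walk-through: back up a clean tree, then the same tree after a
    simulated encryption, and test a weekly snapshot schedule against two
    retention periods. Returns the results so they can be inspected or tested."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "documents"
        src.mkdir()
        (src / "notes.txt").write_text("Quarterly planning notes\n" * 200)
        (src / "budget.csv").write_text("item,cost\nlaptop,1200\n" * 100)

        clean = work / "backup-clean.tar.gz"
        make_backup(src, clean)
        results["clean_problems"] = restore_and_verify(clean)

        # Simulated ransomware: overwrite every file with random bytes and rename it.
        for p in list(src.iterdir()):
            p.write_bytes(os.urandom(4096))
            p.rename(p.with_name(p.name + ".locked"))

        after = work / "backup-after-attack.tar.gz"
        make_backup(src, after)
        results["encrypted_problems"] = restore_and_verify(after)

    # Weekly snapshots from Dec 2016; files encrypted on 3 Jan, noticed on 1 Mar (assumed dates).
    snapshots = [date(2016, 12, 5) + timedelta(weeks=i) for i in range(16)]
    encrypted_on, discovered_on = date(2017, 1, 3), date(2017, 3, 1)
    results["retained_30d"] = clean_restore_points(snapshots, encrypted_on, discovered_on, 30)
    results["retained_90d"] = clean_restore_points(snapshots, encrypted_on, discovered_on, 90)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Hash verification on its own is not enough: the second backup restores and verifies cleanly, because its manifest was written after the files were encrypted, and only the content screen notices. With 30 days of retention every pre-attack snapshot has been rotated out by the time the attack is discovered; with 90 days the five clean weekly snapshots are still there to restore from.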
