One of the weakest points in any security system, whether an IT system or not, is usually its human operators. There is a whole subset of hacking techniques dubbed “social engineering” in which the goal is not to find weaknesses at the technological level of the system, but to glean information from the end users that enables increased access, or to trick an end user into performing some task on the attacker's behalf. We have covered a couple of these methods here and there.
Read our blog post on phishing emails, which form the first wave of many social engineering attempts. They are often well written and designed to evade spam filtering, passing many SPF, RBL and SMTP control tests. From the point at which one of these emails lands in a user's mailbox, it is down to the vigilance of the employee to recognize the threat and to act on it accordingly.
Some traits to be aware of:
Urgent action required – in a bid to force their way through, phishing emails will often rush you into making decisions and taking action.
Poor language and grammar – spell checkers are available to attackers too, not only to people who want to spell correctly, so spelling isn’t the great indicator it used to be. Poor sentence construction and grammar should still raise suspicions, including correctly spelt but inappropriately used words.
Unexpected levels of familiarity – for instance, an email pretending to be from someone you work with that starts with “Dear XXXX” rather than in the format you would usually expect that person to use.
Suspicious attachments – unexpected Zip files should instantly raise alarm flags and questions about the legitimacy of the email.
Links to and emails from incorrect domain names – maybe there is a “1” instead of an “l”, or the name is slightly different from what you would normally expect.
Asking for login credentials or payment details, or directing you to a website that does – a recent spate of emails currently doing the rounds tries to glean your Office 365 passwords (detailed here), but this is just the latest wave; there are always emails requesting details that you should not give out. Do not deviate from your company's procedures following a request via email.
Unless you are 100% sure of the validity of the source: NEVER open an attachment that you are not 100% certain is legitimate, NEVER reply to an email giving out sensitive details such as user names or passwords, and NEVER input your details into a website linked from an email.
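The look-alike domain trick above (a “1” in place of an “l”, “rn” in place of “m”, or a name one character off) can be checked mechanically before a user has to spot it by eye. The following is an added example written for this article, not code from the original post: it compares every sender and link domain in a message against a hypothetical allow-list of expected domains, first undoing common character substitutions and then allowing a single-character edit. The domains in TRUSTED_DOMAINS and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical allow-list of domains this organisation expects mail and links from.
TRUSTED_DOMAINS = {"example.com", "example-partner.co.uk", "microsoft.com"}
# Character substitutions commonly used to build look-alike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"), ("3", "e")]

def normalize(domain: str) -> str:
    """Undo common look-alike substitutions, so 'examp1e.com' becomes 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link host name."""
    labels = host.lower().strip(".").split(".")
    # Test the full host and every parent domain (login.example.com -> example.com), never the bare TLD.
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    if any(c in TRUSTED_DOMAINS for c in candidates):
        return "trusted"
    for cand in candidates:
        for trusted in TRUSTED_DOMAINS:
            if normalize(cand) == trusted or edit_distance(cand, trusted) <= 1:
                return "lookalike"
    return "unknown"

def flag_email(raw: str) -> dict:
    """Map every sender and link domain found in a raw message to its classification."""
    found = set(re.findall(r"^From:.*?@([\w.-]+)", raw, re.M))
    for url in re.findall(r"https?://[^\s<>\"']+", raw):
        host = urlparse(url).hostname
        if host:
            found.add(host)
    return {d: classify_domain(d) for d in sorted(found)}

# Constructed sample message (not a real phishing email) showing both substitution tricks.
SAMPLE_EMAIL = ("From: Accounts Team <accounts@examp1e.com>\n"
                "Please confirm your login at https://login.rnicrosoft.com/verify within 24 hours.\n")
```

Calling `flag_email(SAMPLE_EMAIL)` reports both `examp1e.com` and `login.rnicrosoft.com` as look-alikes; a real deployment would feed the sender and link domains from the mail gateway rather than a hard-coded string.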
“If You See Something, Say Something”
Training your staff to use best practices when dealing with email should be an organisation-wide exercise. If one user is receiving these sorts of emails, it is more than likely that other members of staff are too. Raise awareness of the threat that these emails pose, and keep it in people's minds by encouraging them to say something if they see something suspicious drop into their mailbox. It is essential that employers support their staff in reporting these threats – even if the employee has acted upon them and may have released information.
A supportive process prevents the scenario in which a member of staff, concerned about the consequences of actions they have taken, avoids reporting it.
Fast reporting enables IT personnel to implement measures that will protect the network, preserve the integrity of data, and limit the impact of infiltration by an attacker. If you do think that you, or a member of staff, has acted upon a phishing email, then timely notification of your support staff and complete honesty about what has or has not been done will enable corrective action to be taken in the best possible way.
Need IT Support?
As always, if you would like to discuss any aspects of this article, please feel free to get in touch with us. Check out our other blog articles for up to date industry news. And if you feel your team would benefit from IT support, get in touch with us today, our friendly, helpful team are on-hand to solve your IT problems.