We do a lot of cybersecurity training at Ekaru and one of the things we tell people is to "THINK BEFORE YOU CLICK". But what do we need to look out for?
Here's an example of an email received today. It sounds pretty important. The message is saying that there is a security alert for your account, and there's a sense of urgency around clicking on the link to make sure you're protected. Sounds like something to act fast on, right? Actually, it's just a fake message designed to get you to click on the link, which could be a link to "phish" your email credentials, or to trick you into installing malware. In either case, danger lurks ahead.
One of the questions we get a lot is "how do I know the message is a fake?". First, if you have any doubt whatsoever, trust that "gut" reaction and don't proceed.
In this case, the email was sent to an "alias", not an actual mailbox, so that was a big giveaway, though perhaps a subtle one for many users. An alias is an address that routes mail to a particular role in your company or to a group of users (like sales, info, techsupport, etc.). That was the first warning: the message wasn't even addressed to an actual mailbox.
The second warning is that if you were to hover over the link, you'll see the link goes somewhere unexpected. This is also somewhat subtle because many users don't know that the text displayed in the email and the actual link destination can be completely different. Also, great care must be taken to not actually slip with your mouse and click through.
The third warning is that if you look at the "properties" of the email, the technical headers reveal the "path" the message actually took to reach you. This is simple for an advanced user, but most users aren't aware that the "from" address can be easily faked.
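As an added example (not from the original post), here is a short Python script that applies the three checks above to a constructed sample message: is the recipient a role alias, does the visible link text match the real link target, and which server first handled the message according to the Received headers versus what the "From" address claims. Every address, host and IP in it is made up for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real message): a "security alert" mail of the kind
# described above, with a spoofed From, a role-alias recipient, a mismatched
# link, and a Received chain that shows the true entry point.
RAW_EMAIL = """\
Received: from mail.ourcompany.test ([192.0.2.10]) by mx.ourcompany.test; Mon, 1 Jan 2024 10:00:03 +0000
Received: from unknown (HELO relay.badhost.test) ([198.51.100.7]) by mail.ourcompany.test; Mon, 1 Jan 2024 10:00:01 +0000
From: "Account Security" <alerts@example-bank.test>
To: info@ourcompany.test
Subject: Security alert for your account
Content-Type: text/html

<html><body><p>Your account is at risk. Verify now:</p>
<a href="http://example-bank.test.badhost.test/verify">https://www.example-bank.test/security</a>
</body></html>
"""

# Crude <a href="...">text</a> matcher; enough for this constructed sample,
# not a general HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def check_message(raw, aliases):
    """Return the three warning signs described in the post, if present."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    # Warning 1: addressed to a role alias, not a person's mailbox.
    to_addr = msg["To"].addresses[0].addr_spec.lower() if msg["To"] else ""
    if to_addr in aliases:
        warnings.append(f"recipient is an alias: {to_addr}")
    # Warning 2: visible link text is a URL whose host differs from the real href.
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and shown != real:
            warnings.append(f"link shows {shown} but goes to {real}")
    # Warning 3: each hop prepends a Received header, so the last one is the
    # first server that handled the message; compare it with the From domain.
    received = msg.get_all("Received", [])
    if received:
        first_hop = received[-1].split(" by ")[0].removeprefix("from").strip()
        from_domain = msg["From"].addresses[0].domain
        warnings.append(f"entered via {first_hop!r}, claims From {from_domain}")
    return warnings

if __name__ == "__main__":
    for w in check_message(RAW_EMAIL, {"info@ourcompany.test", "sales@ourcompany.test"}):
        print("WARNING:", w)
```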
With all your security protection in place, all it takes is ONE user clicking on ONE wrong link to do a LOT of damage to your business.
Given that your team probably isn't composed of a team of tech experts, what should you tell your team?
- Bring examples of fake messages to your staff meetings and SHOW your team what a spoofed (fake) email looks like. Years ago they were full of typos and obviously fake. Today's messages can look VERY real.
- Educate users to trust their gut. If you have ANY doubt about the email, listen to your instincts. CALL your tech support to find out if there is a problem with your account. Call a number you already have, NOT any number included in the email (same goes for any fake credit card alerts, etc.)
- Speak up! Did you click on the link? You will need to be disconnected from the network and have your system cleaned. Keep in mind that many advanced threats are designed to run on timers so you may not notice anything right away and keep working. Create a culture where people feel free to speak up. Trying to hide something could do a LOT more harm.
Many messages are designed to get loyal and diligent employees to make a mistake. The bad actors are working all the time to develop new threats. With the availability of cryptocurrency, cyber crime is now bigger than all organized crime.
Talk to your employees about security on a regular basis. THINK BEFORE YOU CLICK!