After reading this article from Inc, I think there are really three things that hackers are taking advantage of that they didn’t use to, and these are things that we are only just starting to include in anti-phishing training.
- They are doing research about companies before sending messages.
I’ve seen this myself. In the legal industry it’s common practice to list firm management and their email addresses on our websites. In the last couple of years I have heard more and more about phishing messages coming into firms where the “from” is spoofed to look like it’s coming from one of those folks. But it’s more than that. They’re also doing more research on those people, trying to glean more information from social media profiles and client testimonials to include as part of their message. They are also taking advantage of mobile devices’ limited screen size, which hides the true email address behind the display name, unseen by the typical phone email user. Or, as Kevin mentions in the article above, they’ll know when someone in management is going on vacation, and use that information.
- They are taking advantage of our training, and the tools we are using.
Hackers know that we’ve been taught, over and over again, not to open unexpected attachments. So, as Kevin mentions, they’re moving to links instead, which takes advantage of something else: we are getting very, very used to getting links to documents, secured emails, cloud-based databases, etc. in an email. We are even getting used to those emails coming directly from the cloud tools and not from people we already know. So when we get a link that says “An account has been set up for you to view these shared documents”, it’s actually something we’ve gotten quite used to.
- We’ve gotten used to shortened links
Now that we are using cloud-based tools at work, and social media tools at work and home, we’ve also gotten very used to shortened links through services like Bitly. Heck, go look at Twitter and see if you can determine the true URL that is linked to without clicking the link. Even my blog posts go out on social media using the WordPress built-in link shortener. We have gotten very comfortable clicking links that have been shortened. Hackers know this too. They also know that we’ve been taught, over and over, to hover over any suspect links to see where they really go. Well, when it is just a Bitly link, that doesn’t really tell us much. So we click, and then when a site pops up asking us to log in, or confirm our identity, we go right ahead and do that. That gives a hacker an account to actually log in to our network: not just a malware install, but an active, live connection to everything that employee can access.
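The two tells described above (a management display name in front of an outside address, and a shortened or mismatched link that hover-over cannot explain) can be checked at the mail gateway rather than left to the reader. This is an added example, not code from the post or from any product; the shortener list, the firm domain, the management names and the sample message are all constructed here.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed list of link-shortener hosts; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com", "wp.me", "goo.gl"}
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://(?:[^@/]+@)?([^/:?#]+)", re.I)

def host_of(url):
    """Return the lowercase host of an absolute URL, or '' if it is not one."""
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_message(from_header, html_body, internal_domain, management_names):
    """Return human-readable findings for the phishing tells discussed in the post."""
    findings = []
    name, addr = parseaddr(from_header)
    # A management name as display name, but the address behind it is not ours.
    if name in management_names and addr.rsplit("@", 1)[-1].lower() != internal_domain:
        findings.append(f"display name '{name}' on external address {addr}")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        if host_of(href) in SHORTENER_HOSTS:
            findings.append(f"shortened link {href} hides its destination")
        # Visible text looks like a URL but points somewhere else.
        if host_of(text) and host_of(text) != host_of(href):
            findings.append(f"link text shows {host_of(text)} but goes to {host_of(href)}")
    return findings

# Constructed sample message modelled on the "shared documents" lure above.
SAMPLE_FROM = "Jane Partner <jane.partner@mail-relay.example>"
SAMPLE_BODY = ('<p>An account has been set up for you to view these shared documents.</p>'
               '<a href="https://bit.ly/3xyzABC">https://docs.firm.example/shared</a>')

if __name__ == "__main__":
    for f in check_message(SAMPLE_FROM, SAMPLE_BODY, "firm.example", {"Jane Partner"}):
        print("FLAG:", f)
```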
Are our security training tools keeping up with these changes?
IMHO, I have seen an increase in training around being careful with possibly spoofed email addresses. I have not seen as much discussion about links beyond the old “if it’s unexpected, hover over it” advice. I don’t think that advice is enough when we are being barraged by links sent to us through cloud-based tools, using shortened URLs. If we were really considering that, we might see people being a bit more thoughtful about sending those links: not shortening them, or asking people to simply log in to “Cloud Service” and see what has been shared with them, rather than sending links from the cloud service. It might take an extra step, but we are training our users to get phished when we don’t take that extra step.