Phishing e-mails are getting more sophisticated, and with so many potential adversaries out there, knowing how your coworkers actually write may be one of the easier ways to head off attacks. Something as simple as an uncharacteristic turn of phrase or tone can clue people in to an e-mail's illegitimacy.
Evan Schuman writes, “Cyberthieves today know that it’s better to be sneaky and crafty than forceful. To be even more blunt, they know that it’s better to trick you into doing their work than to break in and do it themselves.
“That trickery starts with ever-more-subtle ways to get you to click on an e-mail attachment. A recent attack used an employee accomplice who was to flag any meetings with multiple people and note who was presenting. Within 30 minutes of one meeting’s end, the crooks sent an e-mail attachment to everyone on the original e-mail thread, with fake headers so that it appeared to be from the presenter. The e-mail said, ‘Sorry, everyone. Here is the updated version of the slides from our 2 PM meeting.’ Even an especially security-conscious person could get pulled into clicking on that one.
“But a lot of attacks go beyond e-mail scams to include efforts to get employees to do high-risk activities—such as wiring corporate funds—instead of merely opening an attachment.
“I recently spoke with Mark Fidel, who is co-founder and head of corporate development of New Mexico-based security firm RiskSense and someone who is a strict believer in rigid separation of security and financial duties as a breach-avoidance tactic. He pointed to a recent incident at his firm, where an attacker who had done his homework tried to trick the company’s CFO into making an unauthorized transfer of $20,000 to a bank account in Georgia. It would have worked, too, Fidel said, had not the politeness of the e-mail raised his suspicions.”
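The "updated slides" lure in the quoted story worked because the message carried fake headers that made it look like it came from the presenter. The following is an added example, not code from the article or from Evan Schuman, showing the header-level checks a mail gateway or a curious recipient can run before trusting such a message: whether the visible From: domain agrees with the envelope sender (Return-Path) and any Reply-To, whether the receiving server's Authentication-Results (SPF/DKIM/DMARC) passed, and whether a differing Reply-To domain is a lookalike of the claimed one. Both messages, the domains, and the Authentication-Results values are constructed for the example; the homoglyph folding is a deliberately crude heuristic, not a complete confusable-character table.

```python
"""Header-consistency checks for a suspected spoofed 'here are the slides' e-mail.

Added example (not from the article). Parses RFC 5322 headers with the
standard library only, so it runs offline on the constructed samples below.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims the presenter's domain, but the envelope
# sender and Reply-To point elsewhere and the receiving MX recorded SPF/DKIM failures.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Dana Presenter" <dana.presenter@example.com>
Reply-To: dana.presenter@exarnple.com
To: team@example.com
Subject: Re: Updated slides from our 2 PM meeting
Content-Type: text/plain

Sorry, everyone. Here is the updated version of the slides from our 2 PM meeting.
"""

# Constructed sample: the same subject line sent legitimately.
LEGIT_MESSAGE = """\
Return-Path: <dana.presenter@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Dana Presenter" <dana.presenter@example.com>
To: team@example.com
Subject: Re: Updated slides from our 2 PM meeting
Content-Type: text/plain

Slides attached.
"""

# Results that mean "this header's claim was not verified" for the purpose of this check.
NOT_VERIFIED = {"fail", "softfail", "none", "permerror", "temperror"}


def domain_of(header_value):
    """Return the lowercase domain of the address in a From/Reply-To/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(header_value):
    """Extract {method: result} for spf/dkim/dmarc from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "", re.I)
    return {method.lower(): result.lower() for method, result in pairs}


def fold_lookalikes(domain):
    """Crude homoglyph normalisation so 'exarnple.com' compares equal to 'example.com'."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def spoofing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no header inconsistency."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    findings = []

    # 1. Envelope sender should normally match the visible From: domain.
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")

    # 2. A Reply-To that redirects replies to another domain is a classic lure sign;
    #    note whether it is merely different or a visual lookalike of the From: domain.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        kind = "lookalike" if fold_lookalikes(reply_dom) == fold_lookalikes(from_dom) else "mismatch"
        findings.append(f"reply-to domain {reply_dom} ({kind}) != from domain {from_dom}")

    # 3. Trust the receiving server's own authentication verdicts, not the headers the sender wrote.
    results = auth_results(msg.get("Authentication-Results"))
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) in NOT_VERIFIED:
            findings.append(f"{method}={results[method]}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, spoofing_indicators(raw) or "no indicators")
```

In production the Authentication-Results header is only meaningful when it was stamped by your own trusted MX (an attacker can write one too), so a real gateway strips any such header arriving from outside before adding its own; the example treats the constructed header as trusted for clarity.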