Cyber security…how can companies make sure they are protected? A Halifax based company completed a “simulated” phishing email security test to determine its vulnerability during an attack. The test was based on real-world ‘targeted’ attacks. Employees received an email posing as the President asking for their help. The return email address was a ‘home’ or ‘private’ address (Gmail/Hotmail). If the employee dealt with the email as directed by IT, they received a pop-up message congratulating them on identifying a scam email. If they failed, the employee was approached by Management. When an employee fails in a real world situation, the scammer often follows up asking for gift cards, wire transfers, or passwords. As a result of this test, approximately 30% of staff replied to the bogus email. This is a huge risk to any organization. Whether you know the signs of a phishing attempt or not, a company’s best practice is to provide extra training.
Frequently Asked Questions Q: How did they get my address? Did they hack my email? Did they hack the spoofed sender?
A: It is very unlikely that you were ‘hacked’. Sure, it happens, but with modern antivirus software and firewalls, it’s much simpler to do a little research. With all the information available online these days, it’s easy to harvest information. Ex. Through a simple Google search of a company or basic terms such as “CEO”, “VP”, “Accountant”, an outside person is able to retrieve names, photos, email addresses, and more. They now have enough information to begin an attack.
Q: Why can’t we block these messages from entering our network?
A: Most phishing emails get through the front line defenses because they are from a real person using a real email account. Also, these messages no longer have a payload to drop (viruses attached, etc.), or a link to click, or a service to sell you. They are generic by design and prey on the fast-moving work-style.
Q: What happens when I reply to a legitimate phishing attempt?
A: You’ll often get a reply from the scammer asking for a favor. Furthermore, if they know you handle company funds, they may ask you to send money to a ‘client’. Otherwise, they may ask you to run to a nearby store to pick up gift cards and send them the codes. They may ask you to verify your network credentials. Also, they will add you to a ‘phish prone’ list and will be a target of future attacks.
Q: What happens if I send money or gift cards to a scammer?
A: You can’t get it back. It goes on the company ledger as an uninsurable loss. Also, damage done by an unauthorized user using your credentials would fall into the same category.
Q: How can I report or verify a suspicious email?
A: Contact the company’s IT department.
Q: How can I determine if an email is legitimate or a phishing attempt?
A: While extra training will take you over some red flags, you can ask yourself a few questions. Would this person contact me? Do I recognize the reply-to address? Does any of the wording seem “off”? Are they asking me to do something I wouldn’t usually do? Are they asking for my password?
Q: How many emails come into an organization?
A: For the company that did the test, within a 12 month span, they handled just shy of 9 million inbound emails. About 7% was legitimate traffic. For even more details on cyber security and safety, give one of our commercial specialists a call. For any cyber threat advisories, please visit the Government of Canada
website for more details.