Last week a client called our office and asked if I could clear up some doubts that he had about an email he’d received. I told him it would be my pleasure to answer any concerns he may have, as always.
He then told me that he’d received an email from his manager which had arrived in his Junk Mail folder in Outlook. The email instructed him to send a wire transfer for a large sum of money to a specified account and to do it before the end of the day. Coincidentally, his manager had just started her vacation, so he was unable to go to her office and double-check these instructions.
The fact that this email came from his manager’s email address but arrived in his Junk Mail folder was suspicious. The email looked genuine enough, and requests to pay bills and transfer money weren’t unusual in his business. However, when he clicked “Reply”, the email address it defaulted to when replying was a completely different and unknown address.
It’s actually very easy to set up an email address and make sure that when someone hits “reply”, they are replying to a different address (as illustrated above).
How often do you look at the email address you’re sending to after pressing the “Reply” button?
This issue caused concern for me as well as for our client. Our client was concerned that if he hadn’t spotted the “Reply to” address as being different, he might have carried out these instructions and sent a spammer a large quantity of money. I was concerned because the person I was talking to was smart and well educated in the area of spam email, and he knew what signs to look out for. Nevertheless, it almost fooled him. If it almost fooled him, it could easily have fooled somebody else.
The next question to come was “How did this email come from my manager’s email address?” After I was forwarded the email, we examined the headers and found that the email had originated from somewhere in the Asia-Pacific region, so it was likely that the email address was spoofed. Spoofing is simply mimicking an email address, a person, or in some cases the MAC address of another device in order to mask your identity and make your device look like an authorized device. Considering that so much information about a person is available online nowadays (LinkedIn, Facebook, Google, etc.), it’s possible for spammers to find an email address online and simply spoof it. In this case, it was a scary coincidence that the wire transfer subject was a common request in this company.
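The two checks described above, comparing the reply address with the sender and reading the headers for where the message first entered the mail system, can be automated. The following Python is an added example, not part of the original incident or of ETTE's tooling; the sample message, every address and IP in it, and the function name `review_headers` are constructed for illustration, and it assumes the receiving server stamps an `Authentication-Results` header.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message; all names, addresses and IPs are placeholders.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.company.example; Mon, 06 Jun 2016 09:12:44 -0400
Authentication-Results: mx.company.example; spf=fail smtp.mailfrom=company.example
From: "Jane Manager" <jane.manager@company.example>
Reply-To: "Jane Manager" <jane.manager@freemail.example>
To: bob@company.example
Subject: Wire transfer needed today

Please send the wire before end of day.
"""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def review_headers(raw):
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addrs = [a.lower() for _, a in
                   getaddresses(msg.get_all("Reply-To", [])) if a]
    findings = []
    for r in reply_addrs:
        if r != from_addr:
            kind = "domain" if domain(r) != domain(from_addr) else "mailbox"
            findings.append(f"reply-to {kind} mismatch: {from_addr} -> {r}")
    # Assumption: the receiving server records SPF/DKIM/DMARC verdicts here.
    for ar in msg.get_all("Authentication-Results", []):
        for token in ar.replace(";", " ").split():
            if token.lower() in ("spf=fail", "spf=softfail", "dkim=fail", "dmarc=fail"):
                findings.append(f"authentication: {token.lower()}")
    # Each server prepends its Received header, so the last one is the earliest hop.
    received = msg.get_all("Received", [])
    origin = " ".join(received[-1].split()) if received else None
    return {"from": from_addr, "reply_to": reply_addrs,
            "findings": findings, "origin_hop": origin}

if __name__ == "__main__":
    print(review_headers(SAMPLE))
```

Only the `Received` headers added by your own mail servers are trustworthy; earlier hops are written by the sending side and can be forged.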
At ETTE, we were able to look at the Microsoft account on the servers and confirm that the email had not originated from the manager’s account. As a matter of precaution, passwords were changed and emails of this nature will be verbally verified in the future. But it goes to show the importance of paying close attention to everyday events in which we naturally carry out our duties on the assumption that everything is safe and legitimate.
A recent study carried out by Arun Vishwanath, Associate Professor of Communication, University at Buffalo, The State University of New York, pointed out the following reasons why human behavior is the weakest link in cyber security:
“We found two primary reasons people are victimized. One factor appears to be that people naturally seek what is called “cognitive efficiency” – maximal information for minimal brain effort. As a result, they take mental shortcuts that are triggered by logos, brand names or even simple phrases such as “Sent from my iPhone” that phishers often include in their messages. People see those triggers – such as their bank’s logo – and assume a message is more likely to be legitimate. As a result, they don’t properly scrutinize those elements of the phisher’s request, such as the typos in the message, its intent, or the message’s header information, that could help reveal the deception.
Compounding this problem are people’s beliefs that online actions are inherently safe. Sensing (wrongly) that they are at low risk causes them to put relatively little effort into closely reviewing the message in the first place.”
Something I seem to be mentioning more and more lately is the importance of vigilance from end users when it comes to cyber security. As an end user, you are the weakest link in the chain that makes up your network and operational security.
The sad truth is that even if you were to invest $1 million in hardware to keep your network safe, it still only takes one mouse click from inside the network to allow a hacker to circumvent everything and obtain access to your databases. The end users are the real gatekeepers and this emphasizes the importance of users knowing what they are doing when they are using their computer at work and at home.
A few years ago it wasn’t uncommon to see people from an older generation struggling to adapt to the use of computers for everyday tasks in offices. Most had little to no training and simply had to learn on the job. (My father was very slow to adapt to it and I would spend hours with him showing him what to do and what not to do.) We could get away with this approach a few years ago because the number of online threats was significantly lower than today. It’s also arguable that the maliciousness of the online threats was at a lower level when compared to today’s cryptoware and ransomware.
These days, it’s imperative that all users are fully trained and educated about online threats and how they can be avoided. It’s not just because some people can be fooled into sending their social security number to a stranger overseas and have their identity stolen, but also because sometimes that email from your “manager” asking you to send money to someone might not be what it seems.
Remember that if you ever doubt the authenticity of a request, verify it. There may be an occasion when verifying an email from a colleague could be considered a waste of time or an inconvenience. But consider the alternative – your entire business network compromised, your data stolen and held to ransom and the entire business shut down, unable to work. All simply because you didn’t verify a suspicious request.