Email Security Threats Are More Prevalent and Dangerous than Ever
There’s a reason why 95 percent of targeted security threats originate in email. Human beings are the weakest link in the security chain. If an email gateway is like a brick wall that surrounds the network and only lets in a small percentage of threats, a human being is often like a turnstile that only requires a gentle push to gain entry.
In a previous post, we discussed spam, which has been curbed significantly by the elimination of prominent botnets but still represents 70 percent of all email. Spam drains productivity, wastes network resources and provides hackers with a vehicle for phishing and spear phishing scams that use malware capable of bringing down entire networks. The rise of social media, web-based applications and mobile devices has made it easier for hackers to make their scams more believable and circumvent defense systems.
Most people are familiar with phishing, which occurs when cyber criminals, posing as a legitimate company, try to acquire sensitive information. This information can range from usernames and passwords to bank and credit card account numbers to social security numbers. Phishing scammers can also pose as disgruntled customers or claim that you’ve won a contest. They typically lure people to bogus websites, where they’re tricked into providing personal or sensitive information. Otherwise, malware is automatically activated when a link is clicked.
Spear phishing is a more sophisticated, focused approach that targets specific organizations, and very often specific individuals, with a goal of stealing financial information, trade secrets and even confidential military data. It’s a more customized form of hacking. The sources of most phishing emails appear to be well-established websites and organizations. The sources of spear phishing emails, on the other hand, often appear to be executives and authority figures within the recipient’s organization. This increases the likelihood that the email will be opened and links will be clicked.
There has been no more widely publicized security breach than the one involving Target that compromised the credit card and personal data of more than 100 million customers. Reliable sources revealed to one reporter that the breach has been traced to an email phishing attack targeting a HVAC contractor that did business with Target.
A number of other phishing scams have made headlines within the past few months:
- Hackers created a bogus landing page for Google Drive in an attempt to steal usernames and passwords of Gmail users. With “Documents” in the subject line, the email included a link to a page with a fake portal intended to make users think they needed to sign in to access Google Docs.
- Apple users are receiving phishing emails that claim the user’s Apple ID has been disabled because someone attempted to log in from a different IP address. Users are then told to verify their identity by clicking a link that takes users to a fake Apple website.
- Phishing emails from hackers claiming to be the Coinbase Team emerged in January, telling people that they’ve just received money from an external Bitcoin account. To view the bogus transaction, people have to click a link and sign in.
While more modern, sophisticated threats can be difficult to detect, there are steps you can take to avoid becoming the victim of a phishing scam and compromising your own or your employer’s private information.
- Use common sense. For example, why would an anonymous person give you money out of the blue and provide no details? How could you have won a prize if you didn’t enter a contest? If it’s suspicious, delete it.
- Look for obvious warning signs. Phishing emails often include a greeting with “Dear” or “To” and no name after them. If you received an email from a legitimate, established company, it wouldn’t come from a Gmail or Yahoo address, and the name of the company would have been spelled correctly. For example, a hacker may use an email address with “PeyPal” instead of “Paypal.”
- Hover or “mouse” over links. This will usually show you the URL without having to click the link. If it looks the least bit suspicious, don’t click it, or call the organization’s customer service line for verification.
- Make sure your operating system, browser, applications and security are up to date. You reduce the risk of a security breach when your online tools are current.
The first line of defense is your network’s automated security system. The final line of defense may be you. Be cautious, be skeptical and be careful.