Tag: social engineering

Anatomy of a Phishing Email – How to spot social engineering emails targeting your small business

The local fire department is reaching out to let our small business know that we’ve passed our inspection. Very important! Or is it? Let’s take a close look at an innocuous email that slipped into a Firewalls.com inbox in an article we’re calling “Anatomy of a Phishing Email.”

A Not So Convincing Phishing Attempt

How phishing attacks work

Building false trust – The above email was definitely targeted. By providing accurate information about our company, street address, and employee names, this attacker was attempting to build trust with the recipient. Social engineering attackers often attempt to impersonate legitimate mail senders by doing pre-emptive research on their targets.

Setting the bait – Phishing attackers are always on the lookout for some theme to build their scam around. This bait often relates to trending news topics, routine business processes, or impersonating someone you know. In this example, our phisher relied on quarterly fire inspections in an attempt to trick our recipient. Fire inspections are routine, but infrequent enough that the average employee will not have much knowledge about their last checkup. On top of that, the setup sounds critical to everyday business operations at first glance.

Springing the trap – Fortunately, our team was quick to spot the fake. This attacker wanted our recipient to visit a certain URL where something far more nefarious lies in wait. Here, the attackers provide a hyperlink that they know will not function properly and provide further instructions to manually enter a URL, rerouting victims to their intended trap.

Blog Banner General Buy Now Red-High-Quality

How can you spot a phishing attempt?

There are several questions you should ask yourself if you think you may be the target of social engineering. Here are a few things that stuck out to Firewalls.com that made us suspicious.

Sender legitimacy – Is your local fire department really going to send you an invoice by email? Have you ever received an email from this person/organization before? Most businesses and institutions won’t suddenly reach out to you via a new platform without some warning first. If the legitimacy of the senders gives you pause, you may be a target!

What information do they know about me? – Building trust by personalizing phishing emails to their target is common sense. You are more likely to believe hackers’ schemes if they seem to have accurate information about you. However, what exactly do they know? In this case, our attacker seems to know an email address, company name, and a physical address. Impressive at first sniff, but this is all publicly-available information! Never take the bait just because it has your name on it.

What is being asked of me? – While the initial setup seems believable enough, this ruse starts to fall apart when you peel back the layers. Why would the fire department send me a link that they know is broken? Why send complicated instructions on how to manually edit URLs to work around a defunct web portal?

Does it all match up? – If an email says it is from the local fire department, but the send domain contains something completely unrelated (mobile-eyes?), you may be onto something! In this example, the attacker is instructing our recipient to visit a web domain that has nothing to do with fire inspections. More like “mobile-eye-don’t-think-so.”

What to do if you think you received a phishing email

Never spring the trap – First and foremost, do not click anything! Links, attachments, replies, forwards—leave it all alone. You cannot be breached simply by receiving the email, so stop while you are ahead.

Get IT involved – Alert your IT team and immediate supervisors. If you have even an inkling of doubt about the legitimacy of an email, there’s no harm in getting a second opinion from an expert. Reach out to your IT department for further guidance.

Block the sender – If this is just one attempt in a more persistent or complex spearphishing campaign, there will be further emails brewing. Blocking the email domain of a bad actor prevents a future lapse in judgment or mistake from providing a second point of entry for foiled attackers.

Rely on defense-in-depth – Want to know the easiest way to sidestep an attempted phishing scam? Do not let it ever land in your inbox. Defense-in-depth network security strategies employ email encryption, cloud-based sandboxing, and Time-Of-Click protection to provide email security before, during, and after delivery of suspicious messages. Tools such as SonicWall Capture Advanced Threat Protection and Barracuda Essentials take the guesswork out of checking your mailbox.

Ransomware and malware delivered through phishing emails are more rampant than ever before. Whether hackers are relying on coronavirus scams, election news, Black Friday deals, fire inspections, or otherwise, there’s always some new social engineering scheme on the horizon. Protecting yourself starts with educating yourself against these attacks. Stay safe while holiday shopping by tuning into our podcast episode “Black Friday Becomes Cyber November 2020” featuring Dan Lohrmann.

Blog Banner General Buy Now Red-High-Quality

Want to learn more about phishing and social engineering?

Check out our podcast on Phishing with SonicWall’s Matt Brennan.

Check out our Firewalls.com Threat Dictionary entries on ransomware, phishing, and spearphishing.

I Spent 5 Years in the Hotel Industry; Here’s What I Learned About Cyber Security

Stroll into any mid-range hotel with a flash drive in your pocket. Don’t bother with the old desktop computer in the lobby “business center.” Stop at the front desk, smile wide, and slap your USB device on the counter. Politely ask the guest services agent to print a document for you. If they direct you to the business center, claim that you tried it the previous night and couldn’t get it to work. Then observe.

Congratulations, you just slipped past the perimeter defense of a multi-billion dollar corporation. Let me lay out what happens next. The front desk staff takes your flash drive to the back, pops it into a USB port, and joyfully opens whatever file you ask them to.

I know this trick works because I’ve witnessed the scenario play out a thousand times. In a few instances, I was the unwitting hand guiding the thumb drive into a terminal. While most Firewalls.com blog posts shy away from anecdotes and keep individual histories at a professional arm’s length, this post is based on personal experience.

I worked in the hospitality industry for half a decade before shifting into the info sec market. This is what I learned.

Corporate Will Do the Leg Work for You

Okay, getting a file onto a machine was easy, but you’ve only infected a single computer on a closed network. Now what? Wait for corporate to do the heavy lifting.

Each night when the hotel audits their daily transactions, troves of data are gleaned from employee desktops and rolled up to the corporate servers for safe keeping. Your freeloading file needs only loiter on the network until about 2:00 or 3:00 in the morning, when corporate provides a free lift to the database where comprehensive financial data, transaction history, and confidential customer information for a multinational brand is stored.

Security Culture in 10 Minutes or Less

Hotel new hires typically sit through a series of training modules where the mainstays of employee on-boarding make their appearances: OSHA policy review, incident reporting, benefits programs, core values. If the brand is more forward-thinking, then somewhere in this hodgepodge of instructional videos is nestled the briefest touchpoint on cyber security.

Included in one training excursion I trudged through, the company splurged on commissioning Kevin Mitnick to narrate a nine-minute video on cyber crime. After a Spark Notes’ tier definition of social engineering, Kevin encourages new employees to address further email fraud questions to their direct supervisors.

Hoteliers Wear Many Hats, But None of Those are White Hats

Asking superiors for further information sounds reasonable, in a script. But I was a direct supervisor to over a dozen employees and was granted no special insight into preventing cyber crime. I was consistently preoccupied with expanding a repertoire of customer service, accounting, management, sales, payroll, quality control, HR, safety, facilities management, commercial kitchen, and plumbing skills. Hotel employees tend to be jacks of all trades at the expense of being even a journeyman in any specific talent. Specialists graduated away from the front lines quickly or were chased out when one of their duller skills failed to impress.

Perhaps further up the chain of command an answer could be uncovered? But my direct supervisor played audience to the very same training modules I watched. And his supervisors, now nearing the vice presidential or regional territory types, likely hadn’t seen a training video since before cyber crime was a credible threat. But surely further up the ladder, someone was watching over us. I’m certain that scouring LinkedIn or the company Outlook Address Book would inevitably turn up a VP of Technology or comparable title, but they were off in a lofty C-suite well outside the reach or even the zeitgeist of any ground-level employees looking for answers. For all intents and purposes, further information is impractical beyond utility if it exists at all.

Throwing the Baby Out With the Hogwash

An anecdote burned forever into my psyche involves an umbrella term that some corporate security wonk for one hotel brand took a liking to: hogwash. The term ‘hogwash’ and cyber security were married after an impassioned email in which the word was typed in bold font, in all capital letters, a total of 7 times. Several months later this diatribe lead to the introduction of a “hogwash button” on corporate email applications. At no point was it expounded exactly what ‘hogwash’ entailed or why reporting it proved crucial to company goals. The only instruction given was to delete and report any email that looked suspicious. The grounds for basing our suspicions, I suppose, were left to individual interpretation.

The Lesson to Be Learned

This is no simple attempt at picking on the hospitality industry. Instead, take this post as a wake-up slap. When discussing information security, there is a magnetic draw to discussing the healthcare industry, banking and financial institutions, or vulnerabilities haunting our governmental or infrastructure systems. But if we trot out the conversation to less flashy or FUD-inducing industries, we find a landscape brimming with entities just begging to be caught with their pants down. And while malware crashing the power grid makes for better thriller movie material, the hospitality industry still handles the confidential information of millions of travelers each day.

We must address the disconnect between security administrators in high towers and front-line employees operating in distant venues. Real human connections are necessary to impart the axioms of cyber security to ground level employees. This is personnel that doesn’t spend hours browsing Dark Reading or CNET.

Firewalls.com dedicates a lot of time and screen space to the cause of nurturing cyber security cultures in the office. We understand that even the most expensive and sophisticated security setup will fail if employees leave gateways wide open.

It’s time to revamp your library of training videos. It’s time to review SOPs with VPs who have occupied their positions since before the hazards of cyber crime fleshed out. It’s time to put cyber security on the same pedestals as accurate payroll, helpful customer service, and efficient logistics. And for the hotel industry in particular, it is time to leave the printing of boarding passes to airline kiosks.

Firewalls.com is a value-added reseller of firewall appliances & a vendor of managed security and Firewall-as-a-Service support. Our engineers are rigorously trained and certified by all of the major manufacturers that we partner with. Whether you’re looking to add an appliance to your security set-up or seek ongoing support from seasoned experts, we can provide the security solutions necessary to get you secure and keep you secure. Contact one of our knowledgeable sales staff to answer any questions you may have about your network, firewalls, or endpoint protection.

You can also follow us on Twitter and Facebook.

PHISHING ALERT: The Better Business Bureau warns members about fraudulent emails

Companies are being urged to think twice before opening notices of complaint from the BBB as an intense phishing campaign ramps up targeting business owners. An email from Central Indiana branch of the BBB issued statements claiming that the “BBB name and logo are being fraudulently used by criminals” in a social engineering scheme.

Fraudulent emails are delivered under the guise of a violation complaint. Over 100 malicious websites have been shut down in response to attempts over the last few days.

Here are signs that you’re being targeted:

1. Check BBB emails to ensure details look legitimate. Poor formatting, typos, grammar mistakes, and generic form field greetings are all signs of a phishing email.
2. Double-check the sender’s email address. Does it appear accurate?
3. Do not click, save, or open any attachments or links.
4. Social engineers take advantage of fear, urgency, and doubt to rush targets into a rash decision. If an email asks you to take a specific action (like opening an attachment) to maintain your account or rating, think twice.

If you believe that you may be the target of a phishing email, follow these steps:

1. Delete the email and ensure that you empty your recycling bin.
2. If you clicked any links or opened attachments, immediately change your log-in credentials.
3. Watch your finances. If you see any unexpected transactions, you may want to investigate further.
4. Ensure that your endpoint protection is running with all available updates installed.

With proper understanding of social engineering practices, you can stay safe even against emerging threats.

Here’s a quick look at one of the inbox impostors:

bbb phishing social engineering email firewalls cyber security

The silver lining

Phishing is a topic to discuss in your workplace. This BBB scam represents a prime example of social engineering and cyber security safety that can be dissected for your team. Building a culture of cyber security in the workplace is a best practice that every business should keep on its to-do list. We encourage you to print the sample email provided above, highlight the tell-tale clues of social engineering, and hold a discussion with your staff about email security.

If you found a suspicious BBB notification in your inbox, do your part by reporting the email to phishing@council.bbb.org.

Fortunately, you don’t have to worry about fraudulent emails when you use SonicWall’s TotalSecure Email Protection.