06 Nov 2015

As experts in the IT industry, it’s easy to think we’re bullet-proof. It’s our job to help everyone else avoid the risks associated with complex computer systems—including security threats. Others depend on our advice to know what to do (and what not to do) in the untamed world of the Internet.

One of our key pieces of advice is “It can happen to anyone.” That includes us, and yesterday we were a prime example.

Yesterday morning, I was leaving a meeting with a potential new customer. It was about 11:00 a.m. I checked my phone, as I often do following a meeting, and saw an email from one of our customers—someone we had just been working with earlier in the day. The email said he had a document I needed to sign. Honestly, I didn’t think twice. We were in the middle of a project with this customer. He was the right person to send over a document in need of a signature. The email purported to come from Docu-Sign, the contract authentication service used by a number of our customers. It asked for my Google credentials, something that happens frequently since Google is now used as a single sign-on for so many third-party applications.

When I entered my credentials, there was no document. I had fallen victim to what is known as “phishing” (specifically, “spear-phishing”). Utilizing the credentials to my Google account, the persons behind the email were able to log in and send similar phishing emails to everyone in my address book. Boom. Just like that the infection continued on its way through the Internet.

Fortunately, no confidential client information stored on our computers was compromised. While the incident was aggravating and embarrassing, I am grateful that no real harm occurred.

While it is no consolation, I am not alone in my experience. The security firm CYREN, Ltd. reports incidents of phishing attacks rose 38% in the second quarter of 2015. At PerAspera, we have noticed a marked increase in email security incidents (specifically related to wire fraud) among our own customers in recent months. In many ways, the Internet is a more dangerous place than it used to be. The scammers are getting more sophisticated, and any of us can be fooled.

What can you do to protect yourself? Here are a few best practices you can follow to avoid becoming the victim of a phishing attack:

Be skeptical
We often tell users not to click links or open documents from senders they don’t personally know. This may not be enough anymore. The increasing sophistication of phishing attacks means the email you receive may appear to come from someone you know—perhaps even someone you expect to send you links and documents. There is no such thing as “too careful.” If you have any doubt at all whether an email is legitimate, call the sender to verify before opening or clicking.

Be cautious on mobile devices
You don’t have the same visibility to many elements of an email message when operating from a phone or tablet. On a computer, you can often hover the mouse over a link to see where it will take you before you click it. We have identified numerous scam emails in this fashion. Make sure you know what you can and can’t do from a mobile device. If you are missing key details, wait until you can check it out in more depth from a computer.

Utilize two-factor authentication
In today’s heightened security environment, most major platforms for email and other services now offer something called “two-factor authentication” or “multi-factor authentication.” This means that before you can start receiving email on a new device or in a new client, you must provide two identifying “factors.” One factor is your password. The other factor can take a number of forms, depending on the email platform you are using and how you set it up. One example would be a special code you access from your cell phone. These days, everyone has a cell phone, and the chances of scammers stealing both your password and your cell phone are slim.

Two-factor authentication has been available for a while now, but most people still don’t use it—for reasons that are understandable. It’s more cumbersome than traditional single-factor authentication (your password). With two-factor authentication, you must authorize each device or program which will be accessing your email—your phone, your tablet, your email client, and any online programs which may access your email automatically. We highly recommend two-factor authentication for any industry dealing with non-public information, such as finance, law or medicine. Most other users, however, still use single-factor authentication. As scams become more difficult to detect, however, you may want to consider trading convenience for the maximum possible security.

Additional Precautions

The three practices above do a pretty good job of covering the sort of phishing attack I encountered yesterday. Sometimes, however, scammers will download your contacts and use them to send out malicious messages even after you have secured your account following the initial attack. Listed below are three steps you may want to take to protect against this eventuality:

SPF (Sender Policy Framework)
This is a special record published in your domain’s DNS which tells recipients which servers are allowed to send email on your behalf. It can protect against unauthorized persons sending email that appears to come from you but is really from an email account they control.

DKIM (DomainKeys Identified Mail)
This is a DNS record that works in tandem with SPF. It uses a cryptographic signature, verified against a key published in that record, to tie each email message to the domain it came from. DKIM can help the receiving server distinguish between email that comes from you and email that comes from persons pretending to be you.

DMARC (Domain-based Message Authentication, Reporting & Conformance)
This is a standard created in 2012. It allows you to request that receiving email servers check both your SPF and DKIM records before accepting messages that appear to come from you. It allows you to increase the likelihood that email will actually be evaluated based on the records you have set up online.

All three of these steps are very technical, but they can also be very effective. You may want to enlist the help of your IT support personnel to implement them.
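To show how the three records fit together, here is an added example (not from the original post) that evaluates a simplified DMARC verdict from constructed SPF and DMARC records for a hypothetical domain. It handles only `ip4` SPF mechanisms, treats DKIM verification as an input flag, and approximates the organizational domain by the last two labels; real receivers also resolve `include`, use the Public Suffix List and verify the DKIM signature itself.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain; not real DNS data.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
}

def check_spf(domain, client_ip, records=DNS_TXT):
    """Simplified SPF: does the sending server's IP appear in the domain's ip4 list?"""
    record = records.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                      # no policy published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term in ("-all", "~all", "?all"):
            return {"-": "fail", "~": "softfail", "?": "neutral"}[term[0]]
    return "neutral"

def parse_dmarc(domain, records=DNS_TXT):
    """Read the _dmarc TXT record into a tag dictionary (p=, adkim=, aspf=, rua=...)."""
    record = records.get("_dmarc." + domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    # Approximation of the organizational domain: last two labels (no Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_verdict(from_domain, mail_from_domain, client_ip, dkim_domain, dkim_pass, records=DNS_TXT):
    """Return (result, policy): 'pass' if SPF or DKIM passes AND aligns with the visible From: domain."""
    policy = parse_dmarc(from_domain, records)
    if policy is None:
        return ("none", None)              # no DMARC record, receiver applies its own rules
    spf_ok = (check_spf(mail_from_domain, client_ip, records) == "pass"
              and aligned(mail_from_domain, from_domain, policy["aspf"]))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    return ("pass" if (spf_ok or dkim_ok) else "fail", policy["p"])
```

A message claiming to be from example.com but sent from an unlisted server with no valid DKIM signature returns `("fail", "reject")`, which is the outcome the `p=reject` policy asks receivers to act on.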

At the end of the day, no list of steps can protect 100% against phishing. These scams rely to a large extent on “social engineering”—understanding which familiar elements will make a recipient feel safe enough to enter his or her login information. It’s also a numbers game. If I had received the same email I got from my customer yesterday, but we hadn’t been in the middle of a big project with that same customer, I certainly would not have clicked the link. Scammers send out so many fraudulent messages that they will eventually catch someone in the wrong place, at the wrong time, who will draw the wrong conclusion. Click!

Vigilance will always be the first and last line of defense. Following the practices listed above, however, will help put you in the strongest possible position to protect yourself and your data online.

Brian S. Pauls is the president of PerAspera Consulting, LLC, providing comprehensive technology solutions–from the Web, to mobile devices, to the desktop. Phishing is not his favorite sport.