It’s coming from inside the house!

Even if you’ve never seen (or heard of) the 1979 horror classic When a Stranger Calls, you have probably heard its iconic line, “the call is coming from inside the house”. The line evokes instant fear in the person hearing it, and that same fear is exploited in a classic email scam.

Fake emails have been around for at least three decades. Even today, it is easy to spoof someone’s email address for sending spam or phishing emails. The trouble stems from how trusting the Simple Mail Transfer Protocol (SMTP) is: the protocol itself never checks that the sender named in a message really sent it. You can set the From: address in your email client to whatever you like and every recipient will be told the message came from that address. You can also set a Reply-To: address, so that replies go somewhere else entirely, and the recipient’s email client will trust that too. SPF, DKIM and DMARC were added later so that receiving servers can check the sending domain, but they only help when the sending domain publishes them and the receiving server enforces them.

Here are just a couple of the ways that this simple email spoofing can be used for fraud:

CEO Fraud

CEO fraud preys on an employee’s eagerness to help the boss and feel important. It typically appears as an email from the CEO of your company. Often it is an innocent request at first, such as, “Are you still at the office?”, sent to see whether you’ll respond. The reply always goes to the attacker’s mailbox, at an address that may or may not resemble the sender’s. Often, no one notices that the reply is going to a different address than the one the message came from. Technically, this is done by forging the From: header and adding a Reply-To: header, which most email clients do not display prominently. If the Reply-To: address looks like the From: address (a lookalike domain, for instance), the fraud is even less likely to be detected.

If you reply to the original innocent request, the attacker will then usually ask for a monetary favour with some sense of urgency to prompt a quick response. It could be as complicated and expensive as a wire transfer, or as low budget as a few iTunes gift cards. It can be embarrassing for the recipient and very costly for the company.

For more information on CEO Fraud, check out: https://www.knowbe4.com/ceo-fraud

Bitcoin Extortion Fraud

The bitcoin extortion fraud preys on its victim’s fear of being publicly exposed. This simple email scam involves sending a note to a recipient using the recipient’s own address as the sender. The body of the email then claims that you’ve been hacked and that the hacker has complete access to your computer and all your contacts.

It continues that he has been recording you while you watched adult content on your PC. The only way to stop the recording being sent to all of your contacts, the email says, is to pay a certain amount of bitcoin to the hacker’s wallet.

A variation of this scam is that the hacker includes a password of yours as “proof” that they’ve compromised your account. The password is usually a real one that you recognize, often an old one, and it is particularly dangerous if you happen to use the same password on many sites. The source of the password is almost always a breach of a popular web service, such as LinkedIn or Yahoo, and there have been dozens more over the last few years alone.
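Both scams above leave a trace in the message headers: CEO fraud relies on a Reply-To: address that points somewhere other than the From: address, and the extortion mail forges the recipient’s own address as the sender. The script below is an added example (not code from the original post) that parses a raw message with Python’s standard library and reports those two patterns, including the lookalike-domain trick. The three sample messages are constructed for illustration, and example.com and examp1e.com are placeholder domains.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Cheap "skeleton" normalisation for lookalike domains: digits and letter
# pairs that render like other letters are folded together before comparing.
_CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def _skeleton(domain):
    return domain.translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def _address(header_value):
    """Lower-cased address part of a single-address header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()


def _domain(address):
    return address.rpartition("@")[2]


def spoofing_indicators(raw_message):
    """Return a list of human-readable indicators for a raw RFC 5322 message.

    Two patterns are checked:
      * Reply-To points somewhere other than From (CEO fraud): replies go
        silently to the attacker's mailbox. A Reply-To domain that is a
        lookalike of the From domain is called out separately, because
        that is how the mismatch is usually hidden.
      * From equals one of the recipients (bitcoin extortion): the attacker
        forged the victim's own address as the sender.
    An empty list means neither pattern was seen, not that the mail is safe.
    """
    msg = message_from_string(raw_message)
    sender = _address(msg.get("From"))
    reply_to = _address(msg.get("Reply-To"))
    recipients = {
        addr.lower()
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    }
    indicators = []

    if reply_to and _domain(reply_to) != _domain(sender):
        from_domain, reply_domain = _domain(sender), _domain(reply_to)
        if _skeleton(from_domain) == _skeleton(reply_domain):
            indicators.append(
                f"Reply-To domain {reply_domain} is a lookalike of From domain {from_domain}"
            )
        else:
            indicators.append(
                f"Reply-To domain {reply_domain} differs from From domain {from_domain}"
            )

    if sender and sender in recipients:
        indicators.append(f"self-spoofed: From address {sender} is also a recipient")

    return indicators


# Constructed sample messages (not real phishing mails); example.com and
# examp1e.com are placeholder domains.
CEO_FRAUD = """\
From: Jane Ceo <jane.ceo@example.com>
Reply-To: Jane Ceo <jane.ceo@examp1e.com>
To: pat@example.com
Subject: Are you still at the office?

Quick one, are you still at the office?
"""

EXTORTION = """\
From: pat@example.com
To: pat@example.com
Subject: Your account has been hacked

I have been recording you. Pay 0.5 BTC to the wallet below.
"""

CLEAN = """\
From: Jane Ceo <jane.ceo@example.com>
To: pat@example.com
Subject: Lunch

Lunch at noon?
"""

if __name__ == "__main__":
    for name, raw in (("CEO fraud", CEO_FRAUD), ("extortion", EXTORTION), ("clean", CLEAN)):
        print(name, "->", spoofing_indicators(raw) or ["no indicators"])
```

A mail gateway or a simple mailbox filter can run the same check and add a banner when an indicator fires; note that it only sees what the headers say, so an attacker who controls a lookalike domain outright and uses it in From: as well is caught only by the user, or by DMARC on the impersonated domain.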

Protect Yourself

How can you protect yourself and your company from these attacks? The simple answer is training. There are technical controls that try to spot and block these emails (SPF, DKIM and DMARC on your domain, and filtering at the mail gateway), but the tactics change all the time and the scams ultimately rely on an unsuspecting user falling for them. Proper training hardens you and your users against these attacks and helps you spot the next creative social-engineering trick. If something looks suspicious, it warrants a closer look and a pause for thought.

Please call me if you’d like further information or would like to discuss training. It is much less expensive than you think.

Gone Phishing

Today I witnessed first hand a new threat that has successfully infiltrated a friend of mine: a DocuSign phishing email.

Hackers have stolen the customer email database of DocuSign, the electronic-signature service. These criminals are now sending phishing emails that look exactly like the real DocuSign notifications, but they try to trick you in one of two ways:

  1. With an attached, password-protected Word document (encrypted so that antivirus software cannot inspect it) and the password to “unlock” it in the message body. Opening it can launch any sort of nasty surprise on its victim, including ransomware, which I wrote about last week;
  2. With a link to a phishing site that asks for your email credentials to “access” the DocuSign document. This gives the hacker complete access to your email account, including potential access to your OneDrive or Google Drive documents, and a base from which to attack all of your contacts.

Neither scenario is pretty: in the first, malware may end up on your workstation; in the second, the attacker ends up with your mailbox. So if you get an email that looks like it comes from DocuSign (or any other web service, for that matter) and it carries an attachment or a link requesting login credentials, be very careful. If there is any doubt, pick up the phone and verify before you act on a suspicious email. When I replied to the email I received today, it was actively responded to by the hacker, who “assured” me that it was legitimate. This is a classic example of why you must use a separate medium to confirm the authenticity of any suspected email you receive!
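The lure in the second scenario usually gives itself away in the links: the visible text says docusign.net while the href points at the attacker’s host, or a “REVIEW DOCUMENT” button leads to a site that merely has “docusign” somewhere in its path. The script below is an added example, not code from the original post or from DocuSign, that pulls every link out of an HTML body with Python’s standard library and flags both tricks. The sample body is constructed, and docs-review.example.net is a placeholder for the attacker’s host.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _text_host(text):
    """Host named by the visible link text, if the text looks like a URL."""
    if "://" in text:
        return _host(text)
    if text.startswith("www.") and " " not in text:
        return _host("http://" + text)
    return ""


def _belongs_to(host, brand_domains):
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def suspicious_links(html_body, brand_domains):
    """Return (href, reason) pairs for links a user should not click.

    brand_domains: the domains the message claims to come from, e.g.
    ("docusign.com", "docusign.net"). Two tests are applied to each link:
      1. the visible text names one host but the href goes to another;
      2. the href leaves the brand's domains entirely, in a mail that
         pretends to be that brand's notification.
    Only the hostname is compared, so a brand name hidden in the path
    (".../docusign/login") does not make a link pass.
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        shown_host = _text_host(text)
        if shown_host and shown_host != href_host:
            findings.append((href, f"text shows {shown_host} but link goes to {href_host}"))
        elif not _belongs_to(href_host, brand_domains):
            findings.append((href, f"link to {href_host} is outside the claimed domains"))
    return findings


# Constructed lure body; docs-review.example.net stands in for the attacker's host.
LURE = """
<p>Jane Ceo has sent you a document to review and sign.</p>
<p><a href="http://docs-review.example.net/docusign/login">REVIEW DOCUMENT</a></p>
<p>Or paste this link into your browser:
<a href="http://docs-review.example.net/x">https://www.docusign.net/signing/12345</a></p>
<p><a href="https://support.docusign.com/">Help</a></p>
"""

DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")

if __name__ == "__main__":
    for href, reason in suspicious_links(LURE, DOCUSIGN_DOMAINS):
        print(f"{reason}: {href}")
```

The same comparison is what you do by hand when you hover over a link before clicking: read the hostname the browser shows, not the text of the button. The check cannot tell a password-protected attachment from a harmless one, so the first scenario still comes down to not opening unexpected encrypted documents.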

How can you protect yourself from this type of threat? There are two things you can do:

  1. Pay attention to any email you receive and always be suspicious, particularly when an email is unexpected. If you or any of your staff needs security awareness training, contact us!
  2. Implement two-factor authentication (this is a very old link – I’ll update it shortly) on your email system, so that a stolen password alone is not enough to log in. Bear in mind that a phishing page can relay a one-time code you type into it, so a hardware security key (FIDO2/WebAuthn) is the more robust choice. Again, contact us if you need assistance with implementing this for yourself and your users.

Remember: Think Before You Click.

Stay safe out there!

Dan