Beware of Compromised Personal E-mail

Over the last few years personal e-mail providers like Yahoo and AOL have had massive data breaches, in which user's e-mail addresses and passwords were compromised.  Recently there have been a number of phishing campaigns whereby these compromised e-mail accounts are being used. 

How this works
So a Yahoo or AOL e-mail account owner who has never changed their password, and a hacker gains access to it (Most likely from a password list bought on the Dark Web).  The hacker then send a personalized e-mail to everyone in the compromised account owner's Address Book with a link to either collect credentials or launch malware.  The sad thing is some people have been getting these phishing e-mails from people close to them who have passed away.  Other's are getting e-mails from friends and relatives that seem legitimate and so the recipient innocently clicks on the link seeing that the e-mail is from someone they know.

Security Tip

Ask yourself these questions when you receive an e-mail:

1. Do I know the sender?  (hover your cursor on the display name or click the display name to see the real e-mail address)
2. Am I expecting this e-mail or any web links/attachments from this sender?

If you answer "No" to either question, it is probably a phishing e-mail.

If you know the sender, pick up the phone and verify that they sent you the e-mail and any attachments or web links.  Don't reply to the sender's e-mail as the hacker has control over the e-mail account.

In 2018, the number of malicious web links (URLs) sent by cyber criminals was more than twice as many as malicious attachments sent.

Think before you click!


In addition, if you have a Yahoo or AOL e-mail address and haven't changed your password in the last year,,,,CHANGE YOUR PASSWORD NOW!


Be Secure!

@TJMProfessional

Who is Responsible for Security?

Ultimately, management (including the owners) are responsible for the implementation and oversight of both the Information Security and Physical Security programs of an organization.  So when you read about a data breach where a retail vendor had thousands (or millions) of credit card records stolen, or a hospital is locked out of their systems for days/weeks due to ransomware, or a real estate broker that had their e-mail compromised by a phishing attack, at the end of the day it is management that is responsible, not IT, and not the security officer or security analysts.  It is an organization's management that approves the security policy and the security budget which determines the level of effort given to the security of the organization.  Even if employees or an outsourced company are responsible for implementing and maintaining good security practices, management is still held accountable for monitoring their activities and ensuring that the organization's security program is being carried out according to the security policies.

There is also another group of individuals in an organization who are responsible for the day-to-day execution of proper security procedures and processes: the employees.  Or, in other words, Everyone.  In an organization, it is everyone's responsibility to follow good security practices, from setting strong passwords, to not letting strangers piggy-back into secure buildings, to reporting anything suspicious to management or their designee.  Truth be told, no matter how much money is in the budget for security, there is never enough.  So to provide adequate protection for your organization, your employees need to be trained, empowered and in a sense, be "deputized" as security officers in order to maintain a culture of security in your organization.

So to answer the question "Who is Responsible for Security?", the answer is two-fold; primarily management for ensuring good security practices are in place (including security awareness training for employees and contractors). And the organization's employees who need to follow security procedures and act in a secure manner at all times when conducting the organization's business.


Be Secure!

@tjmprofessional.com

Information Leakage - Using the Internet Judiciously

One of the best online resources for cyber criminals is Google.  While businesses seek to utilize their company website, Facebook, Twitter, LinkedIn, and the like for marketing and recruitment purposes, they are unintentionally leaking information that can be useful to cyber criminals.  At the same time, their employees are also guilty of both disclosing more details about their job duties as well as connecting to and friending people based on invites without any due diligence.

For businesses, below are some typical areas where internal information is disclosed:

Press Releases: Expanding your business?  Offering a new product?  That is great and something to brag about.  But pick and choose what details you make public.  Let's say you are offering a new product or service, and you bought a new piece of equipment to provide it, or have a new vendor to help you support it.  If possible, don't name business partners or describe any new additions of equipment by name.  While these details don't sound like anything of importance, internal details can be used in spear-phishing to gain the trust of your employees.  Let's say you name your new business supplier (XYZ Corp) in your press release.  A few weeks later an e-mail is sent to your accountant that appears to be from XYZ Corp saying they just changed banks and to use the below banking information to pay future invoices.  You figure out that it was a phishing e-mail when XYZ Corp starts calling you because of all the unpaid invoices, and now you are out the money.

Job Postings:  One of my pet peeves is all of the information you can glean from an organization's job postings.  An example is if your company is hiring a Database Administrator, you don't have to say in the posting "Must be experienced with MS SQL Server 2008 R2 Express"  This tells the public what version of your database you are running, and what security issues you may be vulnerable to.  Simply saying "Must be experienced with MS SQL Server" will suffice.

Vendor Endorsements: I never give public vendor recommendations (posted on the vendor's website).  Why?  Because I don't want anyone knowing too much about the inner workings of my business, such as my vendors.  The reason being is that a cyber criminal can use that relationship to try to spear phish either company.  Also, this may not be something you want your competitors to know about either.  If you have a really good vendor relationship and they want a recommendation, offer to give one-off personal recommendations.  Just don't put it out on the web for the world to see.

Website Contacts: If possible (granted it is a must for some industries), do not have a directory of your employee's names and contact information on your company website.  This is a treasure trove for cyber criminals for both phishing e-mails as well as scam phone calls.  Use generic contact e-mails in your Contact US sections such as sales@xyzcorp.com, or even better is a contact form that does not disclose company e-mail addresses.


Tips for your employees:

Social Media: Encourage your employees to leave their job duties generic when updating their LinkedIn profile or online resumes.  If you are an Accountant for a business, that is great.  You don't have to put on LinkedIn that you handle all of the business's banking, send wire transfers, or are familiar with Wells Fargo's business banking portal.  This is way too much information to be giving out to potential cyber criminals and can be utilized in a Business Email Compromise (BEC) or spear -phishing attack.  Save the details for the resume you submit to a potential employer.  The one you publicly post should be a summary.

Technology questions using company e-mail address: Technology folks will often visit tech blogs and websites soliciting information and knowledge regarding a problem they are trying to resolve.  This is all well and good, but sometimes they post detailed questions that disclose the names/versions of systems and applications using their company e-mail address, and therefore identifying the organization with the problem.  Information about current IT issues (whether security related or not) should not be publicly disclosed.  It's not something you want hackers to see, and it doesn't look good to current or future customers to see.

Be Secure!

@tjmprofessional

How to Overcome Your E-mail Insecurity - Part 3 of 3

Phishing

Less complex than BEC, but even more widespread, phishing e-mails will usually come from free e-mail providers, ex. gmail, yahoo, outlook/hotmail, but will have a display name that is different than the actual e-mail in trying to gain your trust.  The e-mail is supposedly from DHL, UPS, DropBox, Microsoft, or some large company that you trust, but then you find out that the underlying e-mail address is not from that companies e-mail domain, but is a gmail account or a similar domain like DHL_Accountservices.com, etc.  

Some recent attacks actually impersonated domains to try and fool employees at the actual business.  An example is if your business e-mail domain is "marysdonuts,com", the impersonated e-mail domain might be rnarysdonuts.com, whereby the "m" is replaced with an "r" and an "n" to fool your eye into thinking it's a lower case "m".  Cyrillic alphabet characters have also been used to play tricks on your eyes.

Security Tip:  Like the BEC e-mails, there is a call to action, usually an attachment (virus infected) or a button/link to click. 

Ask yourself these questions when you receive an e-mail:

1. Do I know the sender?  (hover your cursor on the display name or click the display name to see the real e-mail address)
2. Am I expecting this e-mail or any attachments from this sender?

If you answer "No" to either question, it is probably a phishing e-mail. Again, if you do know the sender, pick up the phone and verify that they sent you the e-mail and any attachments. 

So the lesson at the end of the day, is if you want to be safe, and not be a victim of e-mail fraud, BEC, or phishing you should use the low tech communication device that was invented by Alexander Graham Bell and verify before taking action based on e-mailed instructions.  After all, as discussed in my Part 1 blog post, e-mail is not secure by design.

Be Secure!

@tjmprofessional

How to Overcome Your E-mail Insecurity - Part 2 of 3

Business E-mail Compromise (BEC)
For the last two years this has been a growing threat to small businesses.  It is a phishing e-mail, whereby the hacker poses someone of authority, your boss, the CEO, the CFO, the IRS, etc. and asks you to send either your employees HR data, ex. W-2 information, customer information, send money or buy gift cards.  The things to look for in identifying a BEC attempt is:

• Usually sent off hours or right before you are about to leave for the day.
• Has the appearance of being from someone you know, work with, or government agency, but is usually from a g-mail, yahoo, or some other free e-mail domain and not a business domain.
• Has a sense of urgency, and asking you to take immediate action.
• May be written in odd English or European style English.
• The message in the e-mail is usually short and to the point, and may be trying to start a conversation to gain your trust.  E-mail #1 might say "Are you in the office?"  Which will cause you to respond "Yes", then E-mail #2 says "Great, I need you to send (money, gift cards, data) urgently.  More likely than not will have the word "Kindly" as in "Kindly send,,,".
• The e-mail will probably be asking you to do something out of the ordinary. (This is where the red flashing lights should start going off in your head)

Security Tip: Always pick up the phone and call a number (that you already have on file) and verify with the person sending the e-mail is who you think it is and not a hacker.  As for the IRS,,they will never e-mail you asking for anything.  They used certified/registered mail for official business.

A good rule of thumb is, if an e-mail seems strange, or is requesting something that is not normal procedure, it's probably a scam.


Be Secure!

@tjmprofessional

How to Overcome Your E-mail Insecurity - Part 1 of 3

As a small business owner you probably have a lot of things keeping you up at night.  Your use of E-mail in doing business probably wasn't one of them, until you read this post.

E-mail was not designed to be secure.  It was created to be a simple electronic messaging platform for trusted networked computers back in the late 1960's, and grew in use during the 1990's.  It eventually replaced both the telephone and the fax machine as the primary communication medium for business in the 2000's.  Its security flaw of being "trusted" remains from its original 1960's design, and is what has also made it the preferred attack vector for cyber criminals to defraud both individuals and businesses.  Rather than dwell on what we can't change, let's focus on what we can.

The E-mail Interloper

Over the last year a very popular type of e-mail hacking has been targeting attorneys, loan officers, and realtors. (Although there have been similar scams with vendor payments and payroll provider settlements)  A hacker compromises one of these party's e-mail accounts.  Rather than make their presence known, they will just sit back and read through the person's e-mails and wait for the right situation to arise, usually a real estate transaction.  Once the hacker knows the particulars of the deal, they wait until the time of closing and then send an e-mail from the compromised party's e-mail account stating to the buyer or the buyer's agent that the wiring instructions for the settlement has changed and to use the new bank routing and account number to transfer the proceeds of the transaction.  The buyer then sends the wire to the hacker's bank, and by the time all the parties figure out what has occurred, the hacker has since moved the money to several other banks and eventually wires the funds to an overseas bank and "poof" hundreds of thousands, potentially millions are gone.  If that wasn't bad enough, now everyone gets lawyer-ed up to try and figure out who is at fault, and the real mess begins.  Regardless of whether you are the buyer, seller, a real estate agent, or attorney, this can be a business nightmare as both the money and the deal are gone.

Security Tip: If you are in the real estate business, or another business where you frequently send wires to different parties, always pick up the phone and call a number (that you already have on file) and verify with the receiving party the wiring instructions before sending the funds.  A simple five minute phone call will defeat an e-mail take over scam, and will also demonstrate to your customers and business partners that you take security and doing business with them seriously.  If your clients are the ones sending funds, remind them to do this one simple thing to protect themselves, and your commission.

Be Secure!

@tjmprofessional

Phishing is not a Technology Problem

In reading the title of this post, IT folks all around the world are shouting at the top of their lungs; "Amen!".

While perhaps not a profound statement for the IT community, it is however a true statement that phishing is not an IT risk, but it is a Business risk.  Phishing is about social engineering or the use of trickery and deception through the utilization of technology as a delivery platform to coerce your employees into e-mailing mass HR or customer data, give up their password, or send money to the criminal posing as a company executive, government official or a vendor.  Therefore it is the social engineering aspect that needs to be addressed, but rarely is.  Hence, why Phishing is very effective, very profitable, and the volume and complexity of attacks are growing at a rapid pace.

The security software and appliance providers keep upping the ante with the latest technology tools (now AI) to detect or block phishing e-mails, but at the end of the day, this is just a holding action, not a sustainable solution as it is not 100% effective.  The root cause is still sitting one foot in front of the keyboard.  It is your employees and contracted staff that make phishing attacks possible.  And this is where the least amount of budget and time are spent on reducing your organization's risk of being phished.

Security experts have been debating for years about how effective security awareness training, mock phishing exercises, the security posters hung in the break room, and posting security tips on your organization's intranet site are.  And to be honest, perhaps the jury is still out on having any scientific data on that, but what is the alternative?  Do nothing?  We've seen first-hand with recent data breaches how well that works. 

Perhaps the secret formula is a balanced approach of tools, training, and procedures to combat this business risk.  At the end of the day, if you have tools that scan e-mails for suspicious activity, you train your employees on what phishing e-mails look like, give them an avenue to report them (be included in the security process), and hold mock phishing exercises with a teachable moment built in to educate, plus have well communicated procedures on not e-mailing mass data without approvals, or not sending wires without phone verification, or that the CEO (who probably doesn't remember your name) is never going to ask you to "kindly" pick up some iTunes gift cards at the store, then perhaps your organization has a shot at thwarting the Phishers.

Be Secure!!!

@TJMProfessional