“You take the blue pill – the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill – you stay in Wonderland and I show you how deep the rabbit-hole goes.”
-Morpheus from The Matrix (1999)
October is Cyber-Security Awareness Month. Throughout the month, I'll be posting on some topics that you can share with your co-workers.
It goes without saying that we all rely on e-mail as a critical business tool. It is also plagued with annoying advertising-based SPAM that is getting increasingly malicious. Millions of computer users are infected, spoofed, and tricked by malicious emails every day.
E-Mails from People You Know
The old adage was that you shouldn't open emails from people you are unfamiliar with. Of course, just like marketing professionals, criminals know that an email from someone you know is more likely to be opened than one from a stranger, so email accounts, especially free ones, are commonly broken into for exactly this purpose. Knowing the sender is not enough; you should also be able to explain why that person would be sending you this particular message.
Take away: Watch out for emails with a single line saying “I saw you doing this?” or “Check out this cool website”
“Phishing” Emails from Companies You Know
Phishing is the most common way that systems are compromised today. Most of the high-profile website and Twitter account break-ins in the recent news started as a phishing attempt. Most phishing throws out a wide net in the hope that a couple of people will click on the link or open an attachment. These are frequently fake IRS notices, delivery notices or invoices from shipping companies such as DHL and UPS, or bank alerts.
The best way to spot a phishing attempt is to first look closely at the sender's email address and ask whether it makes sense. For example, a Bank of America email shouldn't be sent from a yahoo address. Next, hover over the provided link, BUT DO NOT CLICK: most email clients will show a pop-up with where the link really goes. If that is not the intended website, that is also a tipoff.
Spear-phishing is a narrowly targeted form of the same attack. A well-crafted spear-phishing email can be very difficult to spot. Most websites will never send an unsolicited email asking you to log in to their site.
Take away: Don't click on links, even in email from companies you are familiar with; the site the link REALLY goes to may not be the one it claims to be.
Keeping the Bad Stuff Out
Many SPAM or phishing campaigns originate from bot-nets: groups of compromised computers running small programs in the background that do their master's (the bot-herder's) bidding when asked. Security vendors are constantly tracking these bot-nets so that email from them never makes it through their systems and into your network. If you aren't using one of these systems, you are doing your email system and your employees a disservice. No system is 100% effective, which is why awareness is still important, but putting an email security service in place goes a long way toward keeping bad things out.
Take away: if you aren’t using a hosted anti-SPAM/e-Mail Security System, get on it!
Compliance and Email
If you are in a regulated industry such as Financial Services or Medical, or are a public company, you have to take special care in how you handle email in transit and in storage. For example, registered investment advisors must retain all email received for a period of time; it cannot be deleted, and it must be easily retrievable. Medical companies not only have to keep email records, but emails containing personal health information must be handled carefully so that nobody unauthorized can access them. Normally email is not a secure medium. Just like your regular mail, it can be read by anyone who has access to the path your email takes. Protecting that email message while it travels is not only important but required.
Take away: Regulated industries need to review what their compliance requirements are