3Pointer: Why High Tech Thievery Is Closer Than You Think
Why would anyone attack my small business? Answer: Because they can. And, they’re good at it. And, it nets high tech thieves between 14 and 150 thousand dollars per campaign. According to a Cisco white paper, phishing – mass emails that “bait” targets to share information like passwords and account numbers – costs brands and corporations more than 98 billion dollars a year.
On April 9, 3Points joined American Chartered Bank and The Horton Group in presenting a seminar on electronic fraud called “Steps You Can Take to Help Protect Your Company.”
Unanimously, people in the crowded room agreed that understanding phishing and spear phishing is a top priority. The latter, a far more lucrative endeavor, targets a specific individual. Attackers conduct research to uncover personal information used within a malicious email. Such efforts are dubbed an Advanced Persistent Threat or APT.
Sure, many of us have become smarter about such attacks. We all know our best friend from college is not really stranded in Thailand and that the link to an awesome site sent using a colleague’s email address is suspicious. However, the problem is much more complex, and the tools of these high tech thieves are much more invasive. Any time a PDF file is opened and you suddenly see something running in the background, an attack probably has been set in motion.
Take RSA, the security division of EMC, as a prime example. On St. Patrick’s Day of 2011, a small group of employees were targeted with an email slugged “2011 Recruitment Plan” and a Microsoft Excel file attachment. One user opened both – that’s all it took – whereupon a zero-day exploit or Trojan was downloaded onto the recipient’s PC giving the attackers remote access to RSA’s SecurID products, internal networks and SecurID source code. RSA’s stock dipped after the attack although the company maintained no real damage was done. A month later, another security breach occurred at defense contractor Lockheed Martin Corp. with data stolen from the RSA attack. A June 8 Reuters headline points out the intangible loss of integrity: “Hacking Crisis Costs EMC Reputation in Security.”
The RSA scenario follows a growing trend in spear phishing attacks. Recent statistics show that the open rate for spear phishing emails is about 70%, compared to an open rate of 3% for mass spam emails. Additionally, 50% of those who open spear phishing emails also click the link, which is 10 times the rate for mass mailings. Lastly, a spear phishing campaign comprised of one thousand messages is likely to generate 10 times the revenue of a phishing mailing targeting one million individuals.
What to Look For
What does a phishing or spear phishing email look like? Typically, you’ll see a link within the email that appears to be legitimate. The attackers are smart. They know where you bank or what social media sites you follow and perhaps even names of people you regularly email. Expect to see a threat, as in a membership due to expire, an account soon to be cancelled, or a site you follow requesting immediate information. Lastly, the email will sign off with the name of a well-known company, logos and all. Sometimes, what looks to be a PDF attachment will accompany the email. Note: an ellipsis (.pdf…) at the end of the URL is a red flag that an APT may be present.
What To Do
The best way to protect your business from phishing and spear phishing is to educate everyone in the company about the topic, regularly monitor for attacks, be wary of links within emails, and make sure the URL that appears when your cursor hovers over a link matches the link itself. Choose to err on the side of caution. If you are not sure, email the sender in a separate email to verify the email is the real deal.
Product Focus: Microsoft Office 365 vs Google Apps
Pure Hosted Email & Docs from 3Points moves office applications to the cloud, turning work essentials like email, documents, calendars, conferencing, contacts and more into vibrant business tools. Communicate, create, conference or collaborate via the web—from anywhere on any device—in a secure environment. Pure Hosted Email offers two great options: Microsoft Office® 365 and Google® Apps. What’s best for you? Check out this one-of-a-kind chart put together by our Research & Development taskmaster Mike Magnesen …