Employees of a global IT services company found out the hard way that attackers use even the most innocent tactics to hook their victims. Employees around the world received an email offering a voucher for a free holiday lunch. What could possibly be wrong with that? Well, 80% of recipients, including senior security professionals, gladly took the offer. Fortunately, the phishing email was a test, staged to show employees just how trusting we are as human beings. Had the email come from a real attacker, 4 out of 5 employees, and the company with them, would have been on the hook for something nefarious, and only the attacker would know what that something was.

The continued success of phishing email comes down to the biggest reason of all: humans can't help being human. For that reason alone, the social engineering tactics attackers use work remarkably well. Social engineering is any act that influences a person to take an action that may not be in their best interests and that they would not otherwise take. It usually involves psychological manipulation: tricking people into performing actions or divulging confidential information they would normally keep to themselves. Whether attackers agree with the definition or not, all they need to know is that it works.

From generic emails blasted to millions of recipients to spearphishing emails that target one individual with researched, specific details, attackers are continually refining their efforts. Work environments offer "phish in a barrel" style victims: the email pretends to come from a vendor, a co-worker, or a higher-up, and never fails to include an attachment that needs opening or a link that needs clicking…and bam! Malware is unleashed on the company. It's that simple. There are some common-sense "don't" steps for avoiding social engineering email phishing at work. Remember the most important "don't" of all: don't be gullible!

  • Don’t click it. Unless you were expecting an attachment, don’t open it. Don’t hesitate to contact the sender directly to verify that the attachment is legitimate, but do so independently of anything in the message you received: use a phone number or address you already have, not one supplied in the email.
  • Don’t “Act Right Away!” Be suspicious of every email urging or threatening you to take immediate action, whatever the subject. Urgency is a tactic to make you act before you think it through.
  • Don’t fall for generic greetings. A genuine email from your bank or a vendor will normally address you by name, while bulk phishing uses greetings like “Dear Sir or Madam” because the sender doesn’t have your name. The reverse does not hold: a spearphishing email will happily use your real name, so a personal greeting on its own proves nothing.
  • Don’t believe what you see. Attackers build pixel-perfect copies of web sites you trust, purely to get you to type in account numbers, passwords, and the like. Check for misspellings and bad grammar, and check where every link really goes (hover over it rather than trusting the text shown), because a spoofed URL often differs from the real one only by a swapped character, a look-alike letter from another alphabet, or the trusted name tucked in as a subdomain of the attacker’s own domain.
  • Don’t give it up. Companies rarely ask for personal information by email, and legitimate vendors don’t ask for sensitive company information that way either. Even if they do request it, don’t send it by email: ordinary email is not a secure channel.
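The “check the URL carefully” advice is the one item on this list that can be partly automated. The script below is an added example written for this page, not code from the original article or from any product it mentions. It takes the links from an email and flags the tricks described above: a look-alike hostname built from digits, accented or Cyrillic letters (including punycode `xn--` form), a one-character typosquat, a trusted name buried in a subdomain of someone else’s domain, and anchor text that shows one address while the link goes elsewhere. The allowlist of trusted domains, the homoglyph table and the sample email body are all constructed for the example; a real deployment would use the organisation’s own domain list, the full Unicode confusables table and the Public Suffix List.

```python
"""Flag email links whose real destination does not match the trusted
domain they appear to lead to. Added example; the domains and the mail
body below are constructed, not taken from a real incident."""
import re
import unicodedata
from urllib.parse import urlparse

# Assumption: a short constructed allowlist standing in for the domains
# the organisation really does business with.
TRUSTED_DOMAINS = {"example-bank.com", "vendor.example"}

# Common stand-ins for Latin letters: digits plus a few Cyrillic look-alikes.
# Deliberately short; production code would use the Unicode confusables table.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",  # Cyrillic р с у
})


def normalize_host(host: str) -> str:
    """Decode punycode labels, strip accents and map homoglyphs so that
    look-alike hostnames collapse onto the plain Latin spelling."""
    out = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        label = unicodedata.normalize("NFKD", label)
        label = "".join(c for c in label if not unicodedata.combining(c))
        out.append(label.translate(HOMOGLYPHS).lower())
    return ".".join(out)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for .com-style TLDs;
    real code should consult the Public Suffix List for e.g. .co.uk."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href: str, display_text: str = "") -> list[str]:
    """Return the findings for one link; an empty list means nothing suspicious."""
    findings = []
    raw_host = (urlparse(href).hostname or "").lower()
    host = normalize_host(raw_host)
    domain = registrable_domain(host)

    if domain in TRUSTED_DOMAINS:
        # Normalised form is trusted: either the real thing, or a look-alike
        # that only matches once digits/Cyrillic/punycode are folded away.
        if registrable_domain(raw_host) not in TRUSTED_DOMAINS:
            findings.append(f"homoglyph/punycode look-alike of {domain}: {raw_host}")
        return findings

    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            findings.append(f"{trusted} used as a subdomain of {domain}")
        elif levenshtein(domain, trusted) <= 1:
            findings.append(f"typosquat of {trusted}: {domain}")

    # Anchor text that itself looks like a URL must point where it says.
    shown = display_text.strip()
    if shown and "://" not in shown and re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", shown, re.I):
        shown = "https://" + shown  # bare "example-bank.com/login" style text
    shown_host = urlparse(shown).hostname if "://" in shown else None
    if shown_host and registrable_domain(normalize_host(shown_host)) != domain:
        findings.append(f"text shows {shown_host} but link goes to {raw_host}")
    return findings


LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def scan_html(body: str) -> dict[str, list[str]]:
    """Run classify_link over every anchor in an HTML mail body."""
    return {href: classify_link(href, re.sub(r"<[^>]+>", "", text))
            for href, text in LINK_RE.findall(body)}


# Constructed sample: a "free lunch voucher" lure with four links, one of them genuine.
PUNYCODE_HOST = "ex\u0430mple-bank.com".encode("idna").decode("ascii")  # Cyrillic а
SAMPLE_EMAIL = f"""<p>Your free holiday lunch voucher is waiting!</p>
<a href="https://examp1e-bank.com/voucher">Claim voucher</a>
<a href="https://example-bank.com.secure-login.example.net/">Verify account</a>
<a href="https://login-verify.example.net/">https://example-bank.com/login</a>
<a href="https://{PUNYCODE_HOST}/">Update details</a>
<a href="https://example-bank.com/help">Help centre</a>"""

if __name__ == "__main__":
    for href, found in scan_html(SAMPLE_EMAIL).items():
        print(href, "->", found or "ok")
```

Run as a script it prints one line per link; only the genuine `example-bank.com/help` link comes back clean. The normalisation step is where most real tools differ: folding digits to letters will also mangle legitimate domains that contain digits, so tune the homoglyph table to the domains you actually protect rather than applying it blindly.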