Distracted people low hanging fruit for hackers
Busy business people are more vulnerable to cyber-attacks than they realise. Here are some simple security practices they can implement when using smartphones for work.
No doubt you’ve seen the recent news headlines on the wave of cyber-attacks hitting businesses in New Zealand. What you probably don’t realise is that you personally could be the ideal target for a cybercriminal looking to attack your business.
Recently while making a mad dash to work I received an email on my smartphone. Glancing quickly at my inbox I saw a short message from our Group CEO asking if I was available to help with something urgently. It’s not unusual for me to receive a request like this, so this message wasn’t out of character.
Alarm bells rang as I took a closer look. Firstly, the message had a red flag next to it. Our email system had highlighted this email with a warning – a major clue something wasn’t right. Secondly, despite being labelled with our CEO’s name as the sender, on closer inspection the actual email address wasn’t from my work’s domain.
I paused for a moment and ran through a mental checklist of the action points our CISO recently shared to avoid falling victim to scam emails. Something about the message felt off, so I reported the email using Outlook’s phish report tool.
Phishing attacks are more sophisticated than ever
Our IT department confirmed the email was a phishing attempt, and both the email and the sending address were blocked from our system. While I’m grateful the threat was swiftly identified, I’m surprised how convincing the email was.
We expect phishing attempts to be obvious to spot, with horrendous spelling, claims of winning fictitious lotteries, or bizarre requests from Nigerian royalty. This email was simple and personal, pretending to be from someone I trusted. The language was typical of a quick email fired off by a busy executive. If it hadn’t been for the red flag from the system, I wonder whether I’d have known this was a carefully crafted trap laid specifically for me.
Aura Information Security’s General Manager, Peter Bailey, told me this was a classic example of how hacker operations are evolving.
“While the ins and outs of ransomware attacks haven’t changed dramatically, phishing attempts used to gain personal credentials are becoming increasingly more sophisticated and targeted. Social media and the internet enable hackers to easily find information about a target to create highly convincing scam messages,” said Bailey.
“It’s not unusual to see phishing attempts that imitate legitimate correspondence from friends, family, banks, or your own colleagues. It’s an easy method hackers keep leveraging because it works.”
Had I clicked any links in this email, it’s likely nothing would have happened immediately. This email was just to gain my credentials, part of a strategy developed by the hacker to infiltrate our business before deploying a full ransomware attack.
Smartphones add to your risk
Today we’re used to doing business on our phones, getting work done anytime and anyplace. But it’s precisely these moments, conducting business out of office, when our guard is down and we’re most vulnerable to attacks.
“Smartphones add a level of vulnerability, not because the devices are inherently less secure, but because we tend to be more distracted when using them. Seated in front of a computer, it’s much more natural to scrutinise an email’s content and sender before clicking a link,” Bailey told me.
Technology has freed us from the confines of our desks, something incredibly valuable, especially during a pandemic. As we relax back into regular working patterns, it’s time to refresh ourselves on basic cyber security principles, especially if you’re a busy professional who finds yourself working out and about.
Train yourself out of bad habits
Kordia CISO, Hilary Walton (pictured above), says busy people can implement simple security practices when using smartphones for work.
- Stay vigilant when checking emails or text messages
Get into the habit of reading and analysing emails before responding. Have a healthy amount of scepticism for any email that seems a little unusual. Do you know and trust the sender? Is this the type of communication you’d expect from the sender, or is there something unusual about the request?
- Watch out for links
Secondly, Walton says to exercise caution with links, attachment downloads, or requests to share information. If you’re not sure the email is legitimate, wait until you can return to your PC and investigate.
- If in doubt, ask!
Don’t be afraid to reach out for help if you think it’s suspicious. “At Kordia, we have a ‘no blame’ attitude towards reporting cyber security incidents. It’s better to ask your IT department to review an email than risk clicking a malicious link that will compromise your systems. And if you think you may have accidentally clicked or downloaded something you shouldn’t have, let your IT team know ASAP so they can mitigate any damage,” Walton says.
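The sender check described above (a familiar display name paired with an address outside the company domain) is the same rule a mail gateway applies when it puts a red flag next to a message. The following is an added Python example, not code from the article or from Kordia; the organisation domain, the executive directory and the two sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation domain and a small directory of internal senders
# whose names are attractive to impersonate (constructed for this example).
ORG_DOMAIN = "example.co.nz"
EXECUTIVES = {"Jane Doe": "jane.doe@example.co.nz"}

# Two constructed raw messages: one genuine, one display-name impersonation.
LEGIT = (b"From: Jane Doe <jane.doe@example.co.nz>\r\n"
         b"Subject: Quick favour\r\n\r\nCan you help with something?\r\n")
SPOOF = (b"From: Jane Doe <ceo.urgent.request@freemail-example.com>\r\n"
         b"Subject: Quick favour\r\n\r\nAre you free? Need this done urgently.\r\n")


def sender_warnings(raw, org_domain=ORG_DOMAIN, directory=EXECUTIVES):
    """Return a list of warning strings for the From header of a raw message.

    Two checks mirror the cues in the article: the address domain is not the
    organisation's own, and the display name belongs to an internal person but
    the address does not match that person's real mailbox.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []
    if domain != org_domain.lower():
        warnings.append(f"sender domain '{domain}' is outside {org_domain}")
    expected = directory.get(name.strip())
    if expected and addr.lower() != expected.lower():
        warnings.append(
            f"display name '{name}' matches an internal person "
            f"but the address is {addr}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(label, sender_warnings(raw) or ["no warnings"])
```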
Although many companies have great technology in place to catch potential threats, it’s important to understand what threats exist and what a phishing attempt could look like.
Educate yourself on cyber security basics through CERT NZ or ask your CISO or IT person if they can offer training to help you feel more confident in spotting an attempted attack. Greater knowledge and awareness are the key to combating malicious phishing attempts.
Sally Vernon is Kordia’s Head of Communications.