September - October 2018

Written by Mark Evilsizor
From his column Church Tech

About a year ago I wrote about phishing and provided advice on how to avoid getting hooked by those who would do you harm through the lures implanted in email. Since then, things have not gotten any better. According to the highly regarded Verizon annual security report for 2018, 58% of the attacks tracked were at small businesses, and 93% of all security breaches involved phishing. Due to our continued vulnerability to this type of attack, I want to warn you about some of the sophisticated new phishing strategies I have seen, and suggest how you and your organization can be proactive in reducing the risk of becoming a victim.

Methods of Attack

One strategy involves impersonating someone in authority to manipulate other staff. At a glance, the email appears to be from a leader in your organization, and says something like, “It was good talking with you today. Would you please give me your mobile phone number so we can continue this conversation?” When this email is sent broadly enough, it occasionally catches someone who has actually had a conversation with the purported sender, and who responds with the number as requested. Once this happens, the dialog moves to cell phone text messaging, where organizational security measures are not in play. The perpetrator then asks the staff person to take an action on their behalf in an attempt to gain financial or computer access at the expense of the staff member or the organization.

A similar attack involves what appears to be someone in authority requesting W-2 information for an employee from HR staff. In the wrong hands, such information can lead to identity theft and activities such as filing false tax returns. According to the law firm of Poyner Spruill, such an attack on a business in North Carolina in 2016 resulted in someone sending W-2 information of several hundred employees to a hacker. When employees sued, a federal court ruled that since the information was freely shared rather than taken as the result of a breach, the company was liable for damages.

Another class of phishing attack targets those who pay the bills. Someone pretending to be a company with which your organization does business sends an email requesting a change in their mailing address or bank account numbers for electronic payments. If this is accepted as true without verification, payments may be made to bad guys rather than to your vendor. Before taking action, it’s a good idea to check by phoning a known number from an old receipt to make sure the request is legitimate.

Note that none of the attacks just described requires the click of a link. They are attempts to get someone to act through social manipulation. The result, however, can be just as damaging.

Another type of intrusion combines both of the above elements. It starts with a message that appears to be from someone in authority and is sent when they are out of the office (perhaps by chance, or as a result of reviewing social media). The email requests an urgent wire transfer. If the home office takes the action without verifying the legitimacy of the request by some means other than email, the money could be gone forever.

Lastly, I have seen an attack which uses the credibility of previously used passwords to manipulate people. Perhaps a site was breached and passwords were stolen. Bad guys send a threatening email and use an old password to “prove” they have access to someone’s computer. They then make threats about an embarrassing video they will release unless the recipient pays them. This assault has the added sting of making the target fearful of talking with anyone about it.
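The impersonation, payment-change and urgent-transfer lures described above share detectable traits: a leader's name on a message from an outside domain, and a request of a particular shape. The following added example (not from the column, and not any product's code) screens a raw email for those traits; the internal domain, leadership names and sample messages are assumptions constructed for the demonstration.

```python
import email
import re
from email.utils import parseaddr

# Assumed values for this example, not taken from the column: the organization's
# own mail domain and the display names of leaders likely to be impersonated.
INTERNAL_DOMAIN = "example.org"
LEADERSHIP = {"pastor jane doe", "jane doe", "john smith"}

# Request patterns mirroring the column's attacks; every regex in a tuple must match.
REQUEST_PATTERNS = {
    "asks for a mobile phone number": (r"\b(mobile|cell)\b.*\bnumber\b",),
    "asks for W-2 information": (r"\bw-?2s?\b",),
    "asks to change payment details": (r"\b(bank account|account number|mailing address)\b",
                                       r"\b(change|update|new)\b"),
    "urgent wire transfer": (r"\burgent", r"\bwire\b"),
}
def _body_text(msg) -> str:
    """Collect the plain-text body, descending into multipart messages if needed."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()

def assess_message(raw: str) -> list:
    """Return reasons the message resembles an impersonation or payment-change lure."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # A leader's name on a message that did not come from the organization's domain.
    if display.strip().lower() in LEADERSHIP and domain != INTERNAL_DOMAIN:
        reasons.append(f"display name '{display}' matches a leader but sender domain is '{domain}'")
    body = _body_text(msg)
    for label, patterns in REQUEST_PATTERNS.items():
        if all(re.search(p, body, re.I | re.S) for p in patterns):
            reasons.append(label)
    return reasons

# Constructed sample modelled on the "good talking with you today" lure in the column.
SAMPLE_PHISH = """From: Pastor Jane Doe <jdoe.office@freemail.example>
To: accounting@example.org
Subject: Quick favor
Content-Type: text/plain

It was good talking with you today. Would you please give me your mobile phone
number so we can continue? I also need an urgent wire transfer sent today.
"""
```

A message that trips any of these checks is a candidate for the out-of-band verification the column recommends, not proof of fraud; legitimate vendor updates will also match the payment-change pattern.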

Taking the Initiative Against Attacks

So what can be done to lower the risk of staff being duped by such phishing attacks? First, I recommend designating someone in the organization as “security officer.” Usually this is someone in the IT department, but if you don’t have an IT staff it may be someone in charge of office administration or operations. Making this a part of someone’s job responsibility will raise awareness of the importance of this issue throughout the group.

Second, create an atmosphere of trust rather than one of “gotcha” between this person and the rest of the staff and volunteers. The security officer must develop a relationship so all know they are on the same team working against the miscreants who would do them harm. This is imperative. With such an atmosphere of trust, staff and volunteers can view this person as a protector and feel free to ask them about emails they have received, or share cases where they think they may have been fooled. If staff is too intimidated to ask questions, or afraid of being shamed for opening a harmful email, they may keep a breach to themselves. In such instances, the delay in dealing with the problem usually results in greater damage.

My third recommendation is for the security officer to create security awareness and implement training exercises to help employees recognize phishing when they see it. That sounds intimidating, but there are free and low-cost tools online, such as Knowbe4.com or Cofense.com. With assistance from these organizations, weekly educational emails to staff can be scheduled that are personalized to the situation. The administrator can also create fake phishing emails to send to staff. If they are fooled, follow-up can be provided to educate them in detecting similar attacks in the future.

Staff and volunteers are an organization’s greatest resource and vulnerability when it comes to computer and network security. From what we are seeing, hackers have no intention of giving up in their relentless efforts to do us harm, so be proactive and step up to fight the good fight.

Mark Evilsizor has worked in Information Technology for more than 20 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Views and opinions expressed are strictly his own.