This email was one of five phishing scams found in the 6,400 pages of Hillary Clinton’s emails released on Wednesday. While there’s no confirmation that former First Lady fell for the scam, her political opponents are using it to attack her for the security risks of the unconventional private server she used while in office — even though a recent report found that 1 of 7 emails received on official U.S. Defense Department servers were either spam, phishing or other malware attacks.
Receiving such attacks is inevitable. Cyber criminals have long known that one the best ways to hack into something is to simply ask you for the password.
This technique has long relied on the fact that most of are used to entering our credentials so if a site looks trustworthy enough, we’ll just type our credentials. From there, the bad guys can use these keys to unlock our digital life.
As we’ve become more savvy in recognizing untrustworthy emails like the one above, criminals have taken advantage of our growing desire to share information about ourselves online to pioneer a more advanced technique called “spear phishing,” which usually arrives in the form of a personalized email from an person or business you have a relationship with.
This sort of attack was pioneered to hack high-value targets like Clinton. The Russian-backed Dukes group used this method in its 7-year campaign against western interests and others. In our Business Insider blog, Eija offers an inside look at how the CEO of a Finnish startup was the victim of an attempted spear phishing.
“However, anyone can be a target…” Eija explains.
And if you work in the U.S. government your chances of being hit with a very personalized attack have greatly increased as a result of the recent hack of the Office of Personnel Management.
“Every bit of my personal information is in an attacker’s hands right now,”Paul Beckman, the Department of Homeland security’s chief information security officer, said at the Billington Cybersecurity Summit in September. “They could probably craft my email that even I would be susceptible to, because they know everything about me virtually.”
Beckman said he regularly sends fake phishing emails to his staff to see if they fall for them, and “you’d be surprised at how often I catch these guys.”’
Getting caught results in mandatory security training. But even after two or three rounds of instruction, the same people still fall for similar scams.
“Someone who fails every single phishing campaign in the world should not be holding a [top secret clearance] with the federal government,” he said. “You have clearly demonstrated that you are not responsible enough to responsibly handle that information.”
Beckman said he has proposed that those who prove they cannot detect a scam be stripped of their clearance, which could limit their career possibilities or even cost them a job.
If you’re the CEO of a startup, you recognize that security of your business is essential to your success. But if you’re just an employee, your incentives for protecting intellectual property are nowhere as strong.
Criminals only need one victim to make one mistake to succeed. So what are employers to do when education just isn’t good enough? How about positive reinforcement for those who successfully avoid a scam?
The truth is we’re all only as secure as our training and focus. Organizations need to work on the best methods for developing both.
Whether it’s at work or at home or in the U.S. State Department, you’re likely to be faced with a phishing attempt before long. Here’s basic guidance from Eija on how to avoid being hooked:
This may sound like a nightmare or a Black Mirror episode about a dystopic future, but…
March 23, 2017