Breaking Business

An average user is exposed to several cyber attacks per week with the vast majority of attacks coming through the inbox. Cyber security awareness training which has focused on phishing has been fairly effective with enabling users to become good at detecting suspicious emails however, the cyber criminals have also become more effective at making their emails look less suspicious. (Thank you English as a second language training).

So what are some other tactics we can employ to avoid becoming victims of cyber crime?

It’s a Business

When we look at the sheer volume of phishing attacks against users, it becomes pretty clear that it is not individual cyber criminals arbitrarily attacking users but rather coordinated teams or dare I suggest businesses launching increasingly targeted and believable campaigns in an effort to acquire victims. The suggestion that a “company” on the other side of the world is targeting us, rather than some hacker in a seedy basement is unnerving, however I would like to argue why this one fact may actually be a feather in our cap in avoiding becoming a victim.

Businesses need to operate efficiently and by all observations (based on the volume of phishing attacks) it is easy to make the following assumptions:

  • CRM For Bad Guys: Just like “real” business, cyber crime businesses buy and sell mailing lists with increasingly detailed customer profiles

  • It’s a Numbers Game: The attackers are sending millions of emails per day in hopes that they can achieve a hit rate of 0.1%. (0.1% of 1 million emails is still 1,000 victims)

  • Scale Requires Automation: The bigger the business, the more crucial automation processes comes into play

It’s a Marketing Campaign

Let’s stop thinking phishing attacks are crimes of opportunity and look at them as what they truly are: marketing campaigns. however instead of the target being enticed to buy something, they are enticed to fall victim in one way or the other. Phishing attacks are merely lead generation and customer conversion. Cyber criminals have become attuned to our culture, our society and what we care about in an effort to make their illegitimate emails look, legitimate and enticing: Marketing 101. I know this sounds cynical but how different are these phishing campaigns from any other marketing campaign? There is a list, they spray and pray and hope to get a conversion rate of x%.

Generally speaking most phishing campaigns have one or more of the following “conversion” objectives:

  • Trick a target into going to a fake website of a brand they trust to harvest credentials or other sensitive data

  • Open an attachment which will infect their computer (and others)

  • Reply to the email and interact to the attacker further

How-To: Break the Business

As suggested above and a commonality with legitimate marketing campaigns, cyber criminals are using business tooling, automation and workflows to efficiently attract and convert victims. And herein lies the opportunity: breaking that process will prevent you from becoming a victim.

There are a myriad of rouses that the cyber criminals use to convert victims, but I will focus on two of the most common:

  • Emails from your Bank or the Tax Agency

  • Something salacious that you just must click on or open

These types of phishing emails are either looking to send you to a fake but recognizable website or having you open up an hostile attachment. They use either the fear of a financial loss or our natural curiosity to get around any objections we would have. Below are three simple techniques you can use to cyber criminals in their tracks.

Ignore

The easiest and most obvious thing to do is to ignore the email entirely. I would argue that any urgent matter your bank or tax agency has to discuss with you will be done over the phone or through standard mail. Of course there are a lot of scam calls happening these days as well, but ignoring them is easy to do with very little consequences if they end up being legitimate.

And of course if you are concerned of the legitimacy move on to the next step.

Don’t Trust, Verify

Next and what this post is all about is breaking their victim conversion workflow. They have designed their campaign for victims to receive an email, go to a website and enter in data. If you don’t follow their workflow, you break their process and walk away without being victimized.

A good example of this would be the common “CRA Scam” which is both launched from email as well as over the phone. They will tell you an oversight in your taxes means you owe the tax agency money and if you do not pay immediately, you will go to jail. Scary! So, while 99.9% of these emails and calls are scams, if you are genuinely concerned with your tax situation don’t follow the suggested workflow in the email, but rather go outside of it and give your tax agency a call from the phone number posted on their website. Instantly you have broken the attacker’s workflow and you are no longer a victim.

In a similar fashion, when an attacker sends you an email purportedly from a friend or colleague and asks you to open an attachment, the best thing to do is NOT OPEN the attachment, and then follow up with the purported sender about the email and verify its legitimacy. Again, you have broken the workflow and drastically reduce the likelihood of becoming a victim.

Report and Share

Lastly, most email service providers such as Gmail have a reporting function which will allow you to report a suspicious email to their anti-spam/phishing technology. By reporting suspicious emails to these systems, you are helping educate the anti-spam/phishing systems which in turn improves the detection cyber attacks and protect, a win for everyone!

Conclusion

The Internet is full of mine fields and viper pits, just waiting for victims. However, most of these attackers are relying heavily on repeatable processes to be successful and when you break those processes, you break their business.

Alex Dow