I do work for some higher ed institutions, and almost every year without fail we have seen (and dealt with) successful phish attempts on various staff members... it's usually something small like a credit card number, but it still amazes me how an email that may look "very suspicious" to me doesn't set off a flag for someone else who isn't really thinking about this type of attack.
I mean, you would expect that we should at least be able to tell that if you get a firstname.lastname@example.org email in your email@example.com inbox, it actually came from x who works at Snapchat. However, that is (in general) not how email works, for some reason (yes, I know, ancient protocol, tons of stakeholders, identity is hard, but come on...).
Maybe it's time to start something like an SPF Everywhere campaign.
Hell, if I get firstname.lastname@example.org in my Gmail inbox, I cannot really tell whether even the @company.com part has been authenticated or not. There isn't even an HTTPS-like lock icon or anything, let alone a "Google has verified that this email comes from Amazon.com" assurance.
DMARC protects the From header, but isn't widely deployed.
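As an added illustration of what "DMARC protects the From header" means in practice (this is example code written for this page, not anything from the thread or from any mail provider): DMARC only passes when SPF or DKIM passes and the authenticated domain aligns with the domain in the From header, so an attacker who passes SPF for their own domain still fails when they put your domain in From. The DMARC record, the domains and the `organizational_domain` shortcut (last two labels, instead of the Public Suffix List) are all constructed assumptions.

```python
"""Minimal DMARC evaluator (added example; record and domains are constructed)."""


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'
    into a tag -> value dict, applying RFC 7489 defaults for missing tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("p", "none")    # policy for failing mail
    return tags


def organizational_domain(domain: str) -> str:
    """Crude organizational-domain guess: the last two labels. Real evaluators
    consult the Public Suffix List; this shortcut is an assumption of the example."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def evaluate_dmarc(record: dict, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> tuple:
    """Return (passes, policy_to_apply).

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against;
    dkim_domain is the d= tag of the verified signature. DMARC passes if
    either mechanism passed *and* its domain aligns with the From domain."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, record["p"]


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r")
    # Sender passes SPF for their own domain but claims example.com in From.
    print(evaluate_dmarc(rec, "example.com", "pass", "evil.example.net", "none", ""))
    # Genuine mail with an aligned DKIM signature.
    print(evaluate_dmarc(rec, "example.com", "fail", "", "pass", "example.com"))
```

The third case worth trying is a signature from `mail.example.com`: under `adkim=s` it does not align with `example.com`, so a sending subsystem on a subdomain needs either relaxed alignment or an aligned SPF pass, which is exactly the kind of deployment detail that keeps DMARC from being switched to `p=reject` everywhere.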
We had a phishing attack on an employee in accounting that was stopped in progress and just in time before a bank transfer took place. The emails in question passed SPF as they weren't actually from another user in our domain.
An unknown person told the manager on the phone that they were with the fire department and needed to conduct a diagnostic test on the fire system, police said. The manager followed instructions and turned on the restaurant’s fire suppression system. The caller then said what the manager had done had caused a gas leak, so everyone had to evacuate the restaurant and the employee was told to break all the windows to avoid an explosion.
Wendy’s employees complied and smashed every single window, while waiting for the fire department to show up. Once officials arrived, they confirmed the call was a hoax.
> In the scam, a criminal mimics a chief executive’s email account and directs an employee to wire money to an overseas bank account. By the time the company realises it has been duped, the money is gone.
> [This scam] has cost businesses around the globe more than $2bn in little over two years, according to the US Federal Bureau of Investigation," with more than 12,000 victims, some of which "have been tricked into sending as much as $90m to offshore accounts."
As the company scales, we may add other people like a CFO to the bank account, but we will always require two people to authorize wire transfers.
The most effective part of our program is the internal phishing attempts. They aren't annual or quarterly but almost monthly and sometimes weekly. It works very, very well and keeps phishing at the top of everyone's mind. There is nothing quite like teaching someone how easy it is to be caught off guard by showing them how easily someone can be phished and how they took the bait. It disarms them and the ego part of the conversation. It makes it a psychologically safe element of the corporate culture. It changes the conversation from "You're a dummy <3 SecOps" to "It can happen to anybody. In fact it's happened to a number of important and very smart people here. Stop, Look and Think before you click or fill out that form or send that file/information."
It's an interesting part of our security awareness program. In fact, we've built out a small application that sends the phishing email with a remote <img /> to track the email view (see the bait).
We then track them hitting the link through a unique URL (taking the bait), and track the final push of a login button or web form (swallowing the hook entirely).
It allows us to track how effective the campaign is, understand who may need some remedial training, and of course work out how we can better improve the security awareness training, because if a high percentage take the bait, the security awareness training wasn't effective.
In fact, I sent this article around the office this afternoon and sometime mid-week, plan to send another phishing attempt to see if it helped.
This strategy of course requires an organization to be fairly emotionally intelligent and have the right corporate culture. One of trust and transparency in a psychologically safe environment where people aren't mocked or made fun of but properly educated if they take the bait. I know that this kind of culture may not be the norm.
NOTE: We don't have as much to secure as a SnapChat and we aren't a high profile target. We just figured these things were the bare-minimum things to do to protect our employees and our customers.
These days I just delete such emails sight unseen. Also I block external images or at least used to just because.
The scammers asked for W2 tax forms. They use this to collect your refund. This has happened to dozens of startups in LA, among other businesses, ironically the ones which have HR departments.
Do you think you'd think twice before responding to a mail from your manager asking for information that they had reason to ask for? Would you challenge them to verify themselves over the phone at 11:00 PM, just to be sure no one spoofed their email address?
I bet I wouldn't, and I'm paranoid.
Also, spoofing an email address wouldn't help. If you respond, it will go to the spoofed address, which is the correct one. They need to send it from their own email address, which means that you only need to verify that it's sent from your manager's address, or just manually send it to your manager.
This shows up in email clients as "From: email@example.com". When the recipient replies, they don't notice that they're sending a reply to a different address than the one their client claimed was the sender of the original message.
Receiving SMTP servers need to be configured to require SMTP authentication for messages claiming to originate from the company's own domain.
Or validate SPF / DKIM and enable it for their own domain.
Now if you ignore that and respond anyway... well, there's not much anyone can do about that.
I look at mail headers more often than necessary.
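The replies above describe three things a mail gateway or a quick header check can catch: a Reply-To that quietly differs from From, a display name that carries the "right" address while the real sender is external, and a message that claims the company's own domain without any SPF/DKIM pass recorded by the receiving server. The script below is an added example written for this page (not code from any commenter or product); the company domain `example.com` and the three sample messages are constructed.

```python
"""Header checks for reply-redirect and look-alike sender tricks (added example)."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumed value; replace with your own domain


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list:
    """Return a list of findings for one raw RFC 5322 message (headers + body)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    # 1. Replies are routed to a different domain than the one shown as the sender.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {reply_addr}, not {from_addr}")

    # 2. Display name contains an address or the company name, but the actual
    #    sender address is outside the company domain.
    company_name = COMPANY_DOMAIN.split(".")[0]
    if from_dom != COMPANY_DOMAIN and ("@" in from_name or company_name in from_name.lower()):
        findings.append(f"display-name-deception: shows '{from_name}' but sender is {from_addr}")

    # 3. From claims our own domain, yet the receiving MX recorded no SPF/DKIM pass.
    #    (Simplified string match on Authentication-Results; a real gateway parses
    #    the header per RFC 8601 and checks the authenticated domain too.)
    if from_dom == COMPANY_DOMAIN:
        auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            findings.append("unauthenticated-internal: claims company domain without SPF/DKIM pass")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_REPLY_REDIRECT = """From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounting@example.com
Subject: Urgent wire transfer

Please handle the wire today.
"""

SAMPLE_LOOKALIKE = """From: "jane.doe@example.com" <jd.ceo@freemail.example.org>
To: hr@example.com
Subject: Forms needed
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=freemail.example.org

Please send the forms to this address.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounting@example.com
Subject: Lunch
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com

Lunch at noon?
"""

if __name__ == "__main__":
    for label, sample in [("redirect", SAMPLE_REPLY_REDIRECT),
                          ("lookalike", SAMPLE_LOOKALIKE),
                          ("legit", SAMPLE_LEGIT)]:
        print(label, analyze(sample))
```

The second sample is the case the lookalike comment above points at: SPF genuinely passes, because the attacker controls `freemail.example.org`, so only the mismatch between the display name and the real address gives it away. Check 3 is deliberately conservative (it only fires for mail claiming your own domain), which is why it pairs with an MTA rule that rejects unauthenticated submissions using your domain in the first place.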
Shameless plug - if anyone is in need of an open source phishing training solution, I recently launched gophish to great feedback so far, and have a new version being dropped early next week: https://getgophish.com.
Everyone should have access to training to prevent this as much as possible.
I'll keep this feedback in mind. Very helpful!
The 401(k) provider regularly sends a plaintext deposit confirmation email (deposit amount, confirmation number) with each payroll cycle. Any time the contribution amount is changed, they send a plaintext email with the new contribution percentage. Occasionally they send plaintext statements containing dividend amounts.
When asked to stop sending these e-mails, the 401(k) administrator replied that it wasn't possible, supposedly due to the way they integrate with a 3rd party mail provider. (what?)
It's much easier to teach people to access their emails using a particular application than it is to make them aware of phishing attacks, which sometimes can be very sophisticated.
While this does not work if you have to receive emails from unknowns, it is a no-brainer to use something like this at a company level for all online communication. In my opinion not doing so is really careless behaviour, especially for a tech company...
Unfortunately, outside of the world of these internal corporate email products the situation looks a lot worse. Reliably secure delivery of email to external users is a hard problem and most of the current solutions being used are really, really terrible.