MailGuard 13 October 2022 17:20:52 AEDT 7 MIN READ

What’s behind that link? A pleasant surprise or a nasty in disguise

Working in cybersecurity, I’m extra careful about what I click, which is why I’m always concerned when I nearly slip up. In these times, it makes me wonder how many other people are doing the same?

Like everyone else, I have several personal email accounts hosted by some of the big-name tech vendors like Google and Microsoft, and their email filtering is pretty decent. If I look in my Junk and Deleted Items folders, they’re full of emails from casinos, adult sites, and lazy scams offering “too good to be true” business opportunities. Thank goodness I don’t need to sift through all of that rubbish.

But despite their sophistication and the billions of emails that they scan and analyse every day, they still inevitably let some scams through, which reminds me that no one vendor can stop every dodgy email. In cyber security there’s a principle known as ‘defense-in-depth’ that in essence says, ‘don’t rely on a single layer of protection’. A multi-layered strategy will prevent more breaches and more incidents. It’s common sense: a second set of eyes will often see what the first pair didn’t, and that’s nothing against the first person; they just have a slightly different perspective on things.

Even if a solution has a 99% success rate, when you consider that on average, we all receive around 100 emails each day, that’s a threat a day that’s slipping through. And if you’re a large organisation with thousands of employees, that’s a lot of risk that you’re assuming. Close to 300 billion emails are sent and received globally every day, so if 1% are threats that are slipping through the cracks, then that’s 3 billion opportunities for a compromise.

Here are some simple examples that slipped through into my personal inbox this morning, and that many of us might mistakenly click through on.

Scam #1 – “Photo’s from Kellie”

The first one is a basic email with a link from a friend. More specifically, ‘Kellie’ is a close friend of my wife, and with a shared contact list, a scammer that’s likely on the other side of the planet thinks that I might click through to see the pictures that she has shared with me.

Note that although I opened it at 9:10am AEDT, it arrived in my inbox at 3:10am AEDT, which is why I think the real sender is probably in a time zone somewhere far away.

The message itself is incredibly simple, just titled “FW: Note from Kellie (Surname)” with a similarly simple message reading “Some pics that I added this Wednesday (link)”. See the image below.

The simplicity of the messaging almost makes it more powerful, because it’s not convoluted. It’s from a close personal contact and simply a link that they’re sharing which could well be of a recent social engagement or celebration, maybe drinks, or a party. It would be very easy to see that message pop up on your phone and to click through to have a peek. 

[Image: the “FW: Note from Kellie” scam email]


My guess is that one of Kellie’s accounts has been compromised, likely a personal email or social media account, and that the perpetrator has simply sent a familiar note out to all of her contacts. Just like the initial phishing scam that probably led to the breach, this stage is a numbers game too. If there are 2,000 contacts and 1% click through on the link, then that’s 20 people that have fallen into the trap.  

If ever you do have suspicions, one of the first things to check is the sender details. In this case the actual email has come from an unrelated account, not owned by Kellie. See below.

[Image: sender details of the “Kellie” email, showing an unrelated address]

Scam #2 – “A refund from my telco”

The second example that I stumbled upon while browsing messages on my phone over coffee this morning, was this delightful news that I have overpaid my phone bill, and that the good people at my telco want to give me a refund. How quickly I almost clicked. My fingers were ever so close, nearly beating the rational side of my brain to the buzzer.

Of course, it was too good to be true, but I was so eager to believe, and the (not so good) people behind the scam were more than obliging, planting lots of seeds of doubt. The message after all is from ‘Telstra Service’, and the link is even an https:// from telstra.com, so it must be real, mustn’t it?

[Image: the fake Telstra refund email]

I know the tell-tale signs of a scam. It’s generically addressed to ‘Dear customer’, the logo is stretched and not of the typically high aesthetic standards of Australia’s number one carrier. There are grammatical errors, like ‘…use the link below to procedure.’ But it has the 2022 Telstra copyright stamp, so maybe it is real? It’s not, I know, but I think it’s a pretty good try.

I know that Telstra would apply any refund directly to my next bill. They wouldn’t ask me to jump through unnecessary hoops, handing over my sensitive credentials in the process, but I was still curious, and I bet so too were more than a few others.  

Even clicking through to check the link behind the sender (see below), it’s clear that the scammers have gone to some trouble to spoof a legitimate account, registering the address Telstra(at)cp01(dot)sequrehosting(dot)com.

[Image: sender details of the fake Telstra refund email]

I bet that more than a few people would have sadly been ensnared in this scam. And we know it’s not the only one. There are thousands upon thousands of them circulating every day, and they have the potential to do some serious damage. Not just to the individual, but to your business too. The email might slip into a work inbox, or into a private email account that a staff member is accessing on a work device, or even a private account on a private device; either way, the credentials that are stolen can be used to access services relating to your business, like a cloud hosting service or platform. They could even be used to launch follow-on identity fraud attacks. There are myriad possibilities and permutations.

So, what should you do?

Don’t click links or open attachments in emails that:

  • Are not addressed to you by name (e.g. ‘Dear customer’)
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include (e.g. ‘…use the link below to procedure.’)
  • Are from businesses that you were not expecting to hear from, and/or
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
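The two checks that caught both scams above, the real sender address behind the display name and the real destination behind a link, can be automated for triage. The script below is an added example written for this post, not MailGuard’s code: it parses a raw email, compares the sender address with the domain you expect (for a company) or the address you have on file (for a friend), looks for the generic greeting and odd wording from the checklist, and compares each link’s visible text with its actual href. Both sample messages, every address and every domain other than telstra.com are constructed for the demo, and the phrase lists are illustrative starting points rather than a complete ruleset.

```python
"""Added example, not MailGuard's code: applies the red-flag checklist to a raw email.
All addresses, hosts and messages below are constructed; only telstra.com is from the post."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear client")
# Wording a corporate sender is unlikely to ship (constructed list; grow it from real samples).
SUSPICIOUS_PHRASES = ("link below to procedure", "verify you account")


class LinkExtractor(HTMLParser):
    """Collect (anchor text, href) pairs so what is shown can be compared with where it goes."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (no public-suffix list; adequate for a triage check)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def domain_of(text):
    """Registrable domain of a URL or bare host shown in anchor text, or None if it has none."""
    text = text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        text = "http://" + text
    netloc = urlparse(text).netloc.split("@")[-1].split(":")[0]
    return registrable_domain(netloc) if "." in netloc else None


def triage(raw, expected_domain=None, known_address=None):
    """Return the red flags found in one raw RFC 5322 message.
    expected_domain: the domain a company sender should use (e.g. 'telstra.com').
    known_address:   the address already on file for a personal contact."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else None
    if expected_domain and sender_domain != expected_domain:
        flags.append(f"sender '{display}' is really {addr}, not a {expected_domain} address")
    if known_address and addr.lower() != known_address.lower():
        flags.append(f"'{display}' usually writes from {known_address}, this came from {addr}")

    text_parts, html_parts = [], []
    for part in msg.walk():  # single-part messages yield just themselves
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            (html_parts if part.get_content_type() == "text/html" else text_parts).append(body)
    lowered = "\n".join(text_parts + html_parts).lower()
    flags += [f"generic greeting '{g}'" for g in GENERIC_GREETINGS if g in lowered][:1]
    flags += [f"suspicious wording '{p}'" for p in SUSPICIOUS_PHRASES if p in lowered]

    for html in html_parts:
        extractor = LinkExtractor()
        extractor.feed(html)
        for shown_text, href in extractor.links:
            shown, actual = domain_of(shown_text), domain_of(href)
            if shown and actual and shown != actual:  # the "https://telstra.com" link that is not
                flags.append(f"link text shows {shown} but goes to {actual}")
            elif actual and expected_domain and actual != expected_domain:
                flags.append(f"link goes to {actual}, not {expected_domain}")
    return flags


# Constructed sample 1: the "refund from my telco" pattern (sender host and link are made up).
TELCO_REFUND = """\
From: "Telstra Service" <Telstra@cp01.example-hosting.invalid>
Subject: Your refund is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer,</p>
<p>You have overpaid your last bill. Please use the link below to procedure.</p>
<p><a href="https://refund-portal.example.net/login">https://www.telstra.com/refund</a></p>
</body></html>
"""

# Constructed sample 2: the "note from a friend" pattern (both addresses are made up).
FRIEND_NOTE = """\
From: "Kellie" <random.account@example.org>
Subject: FW: Note from Kellie
Content-Type: text/html; charset=utf-8

<html><body><p>Some pics that I added this Wednesday
<a href="http://pics-share.example.net/album/12">link</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw, kwargs in (("telco refund", TELCO_REFUND, {"expected_domain": "telstra.com"}),
                              ("friend note", FRIEND_NOTE, {"known_address": "kellie@example.com"})):
        print(f"{name}:")
        for flag in triage(raw, **kwargs):
            print("  -", flag)
```

Run against the first sample it reports four flags (wrong sender domain, ‘Dear customer’, the ‘link below to procedure’ wording, and a link whose text says telstra.com but resolves to another domain); the second sample trips only the sender check, which is exactly why the ‘Kellie’ note is the harder one to spot by eye. The domain comparison deliberately uses the last two labels rather than a public-suffix list, so treat it as a first-pass filter, not a verdict.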

Educate your staff members and peers within your network, especially those in your supply chain. Many attacks are successfully launched by breaching a service or organisation in your network, or by impersonating someone that you trust. And the last thing that you want is something awful happening to them. Do them a favour and ask them what they’re doing to stay safe.

And finally, don’t expect a single vendor solution to solve all of your problems. If you’re using Microsoft 365 or Google Workspace, or any other software solution, don’t think that they can anticipate every possible threat and cover every vector. Adopt a ‘defense-in-depth’ approach and invest in specialist solutions, like MailGuard, to provide an added layer of protection for your email.

Many businesses turn to MailGuard after an incident or a near miss, often as a result of emails similar to the ones shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  

Stay up-to-date with MailGuard's latest blog posts by subscribing to free weekly updates.
