Don’t Get Reeled In: Understanding Phishing Emails
JULY 17, 2020
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. It's more important than ever to protect your sensitive information. In this episode of the GEEK FREAKS PODCAST, Ron explains how to spot phishing scams, how they work, and why you should partner with someone who can help you stay on high alert for "phishy" activity.
Ep. 29 Transcript
Ron: (00:05) Hello and welcome. I'm Ron Harris. And today we're going to talk about, well, I guess another security-related topic, phishing. Not fishing with a fishing pole, unfortunately, phishing with email. And, you know, I guess we gotta kind of work through this whole process. Why is it happening? What we can do to stop it, and kind of what they're trying to achieve. So we'll start with why is it happening? Right. So it's happening because we're still falling for it. They're still able to get access to privileged information, and now they're either using it for themselves or they're selling it for others to use, to compromise the network. So think about that. You harmlessly get an email about COVID or your FedEx package. You enter your credentials. And now, uh, essentially what they do is they put a forward into a foreign mailbox, or they just kind of sit in your mailbox and go through what you have in there.
Ron: (00:56) Now, for the most part, a lot of people probably don't have super sensitive information in their email box. Um, being one of the owners of the company, I have a lot of weird stuff in my email box, whether it's bills from vendors or things we've purchased for customers or contracts from customers, or just, you know, not really sensitive employee information, that's all in a different system with a different person, but things that are discussed that you probably don't want to get out for your business. So what they do with that, um, you know, we don't traditionally send passwords via email, but if I was to click on that email, they would have my access. So whatever my access is to the network, into my Office 365 account, they would be in. So then they're going to put a forward in. So then anything that gets sent to me gets sent to their mailbox, and anything that's undeliverable, they put a rule in that just goes to the deleted items.
Ron: (01:45) So you can't even see what they're doing. And they do that all through the AWS portal. So what they're doing is just securing a way in, and hopefully farming and gathering any information that you may have in your mailbox, but it's still continuing to happen because we fall for it. We do it. We participate in this activity. Most of the time when you get a sketchy file, your first reaction is to probably not trust that file, but emails, if they come from somebody you know that's been phished, you're like, well, I didn't ask for a Dropbox link, but, uh, you know, maybe Garth wanted to send me this file. So I'm going to go ahead and log in. Now, the thing to kind of really look for when you click on that is why is it asking you for your Office 365 password.
Ron: (02:29) Now I understand that we as humans, and we as people, inherently trust other humans that we know. We've got to start questioning that. And I don't think that's done enough. It's not talked about enough. If somebody sends you a Dropbox link, you shouldn't have to sign into your Office 365 account, same for a Google account, same, I mean, we've seen them all. Um, right now they're kind of attaching themselves to the COVID stuff. But prior to that, you know, we see a lot during the holiday season, Thanksgiving, Christmas, um, even New Year, tax return time, um, we get a lot of, hey, you need to update this employee's, uh, 1099 or whatever the case is, W2 information. And those come in and a majority of them get blocked, right? Um, a majority of them do not get through. So here at Omega, we use a couple different spam filtering and security practices.
Ron: (03:18) So to keep it very generic, a lot of the Office 365 built in policies will stop some of those, not all of them, because you may have a sender marked as a trusted sender. So those emails will get in. So what can you do from the standpoint of these emails are coming in, number one, work with a provider. So whether it's Omega or another MSP, or even an email host, work with them to understand what policies are set up, right? So that you cannot send internal emails with the name of Ron Harris from a separate outside account asking an internal account. So if you look at an email address, it will say, Ron Harris is the sender name, but that email address is woodentable5@yahoo.com, right? It has nothing to do with me, but that's where people fall for it. That's what they fail to look at.
Ron: (04:06) So make sure you're checking out the email letters, make sure they're from that email address that you're supposedly being seen or being shown. The other thing to think about when you're getting these is what is it actually asking you to do? So again, to go back to the Dropbox situation, if you're receiving an email that says Ron wants to share a file with you, and it's got the Google, uh, logo there and all that other stuff, but then you click on it and it asks for your Office 365 login information, something's probably off. Now here, what we do is we brand all of our customers' portals. So you're going to be shown a website that looks pretty damn close to the Office 365 portal, but it's not going to be perfect. It's not going to have the same calls. It's not going to have any of that.
Ron: (04:52) Um, the particular backend framework that I would not expect anybody to dive into to look at, but it just won't be there. So you can, if you have your portal branded by your partner, your CSP, your MSP, whatever the case is, when you log in, you should see your logo. You should see your custom background. You should see your colors. It should mimic what you expect when you go to the portal at any other time. Now, if that's not the case, that's also something for your mind and your eyes to say, wow, something doesn't seem right here. I probably shouldn't log in. Now, the other thing to look at is just the email itself. They always have the weirdest greetings, you know, salutations, something that I would never send. My, my staff will get an email that will be like "Salutations, Mark." And never in a million years would I send an email that started that way.
Ron: (05:44) So there's just things, misspellings. Uh, typically when they're asking for gift cards, it's always a sense of urgency. Like, hey, I need you to do this task for me. I have an important meeting. So on and so forth. Now, most of the time that's going to come from like a CEO or a CFO, somebody on the executive end of the building there. So that's just a matter of reaching out and saying, hey Ron, did you mean to send me out to buy 10 Apple iTunes gift cards? And I'm going to say no, right? 'Cause there's no really, there's no, not really a reason that we would need to do that. But unfortunately there's something in us as humans that is just like, yes, I have to do that. That's a task. I'm going to go do that. I need to please this person. So that's what they prey on.
Ron: (06:28) They prey on that immediacy that, uh, like, hey, this needs to happen right now. And it's for my boss, so I need to do it right now. And that's a weak point that we can't control, but that's also something that we can coach for. So by coaching, I mean teaching people to look for the proper things, uh, you know, looking at the email header, making sure it's coming from who you think it should be coming from, look for those checkpoints. Why is it having me log into a portal? Why in the world would my boss be saying "salutations, Ron" or, um, "hope the day finds you doing well"? And it's all misspelled. And you know, even though the urgency's there, and they may create, I mean, I've seen some of them where they're, they're swearing, they're very upset about not getting their gift cards. And you would just know that that would not be something that would upset someone.
Ron: (07:15) You know, I don't think a CEO of a Fortune 1000 company would say, hey, uh, I'm really mad, I haven't got my gift cards yet. So that's a lot of stuff to take and put in your mind and kind of remember. Now there's, why, like, it's going, there's nothing we can do to be a hundred percent foolproof in this avenue, right? In this way. We can block senders; they're going to change what we're blocking. They're going to get more, um, savvy with their login pages. They're going to use certain things that they know we're going to click on, that we expect. We've seen a lot of SharePoint and OneDrive things, uh, emails come in that, uh, are now being looked at as phishing attempts, because they know a majority of people are using, um, Microsoft products.
Ron: (08:01) And you can see that just based on your MX, public information, MX records and your DNS. So how do you combat that other than education, you know, having that conversation, reaching out to whoever you think should be sending this email? We use a product called KnowBe4. There's lots of other products now that will do these phishing simulations. And essentially what we do, once a month to once a quarter, depending on the industry, is we send out fake phishing attempts and they're really, really good. And we get people to click on them. And then once they click on them, that sends them into a training program so they can learn the things to look for. Right? Because again, once you give up your credentials, it could be weeks before you even know that they're forwarding emails or they're capturing this information out of your, uh, Outlook.
Ron: (08:51) And that's the scary part. It's not a one-and-done situation most of the time. We're, we're finding things. Uh, we had a, um, we had an alert on our security side that it was a, it's, uh, impossible travel alert. So basically the account was last accessed in Michigan. And then all of a sudden it was accessed in Germany within like 45 minutes. So it sent off a trigger to us to say this, this mailbox is being accessed. So we dove into it. And essentially he had received an email a while ago about, um, oh, I believe it was like deed information. And of course he logged in to get the secure transaction. And once he did that, uh, Microsoft does log it. So we were able to work through that process with them. But it's stuff like that. It's just things that you don't even would, you wouldn't even consider to be, um, an issue.
Ron: (09:43) And it ends up being an issue. And it's because they're preying on us, right. So we have to be smarter. So use KnowBe4, go through the training, understand, or any other phishing products, sorry. Um, so you can at least educate them and let them know that they've done something wrong if they click on it, but don't, like, make it a big deal, right? Everybody's going to make a mistake and you don't want to shame them into this pit of, like, I want to say misery of email, right? If they click on something, they log in, we want to know immediately, your provider wants to know immediately, you as a business owner want to know immediately. So you can start to control... not to control, but you can start to remediate the situation, because if they don't, it could be weeks.
Ron: (10:24) It could literally be weeks of them just basically farming out emails to this unknown email box you have no control over. And there's nothing we can do. There's a lot of, um, anonymous email providers that people can create email boxes on that catch stuff, and they can log in and they set a secure password. And then you email the provider and say, hey, I need to know who this box belongs to. But since there's no signup, they can't tell you. And that's very typical with what we're seeing now. And it's fine, because in the world of, you know, Google and Microsoft going through your emails, an anonymous, secure email box seems very appealing. So you really can't hate what they're doing, but it's just really hard to remediate things like this. And you won't know. That's the, I guess that's the worst part of this situation: if you're phished and they're sitting there and they're gathering information, you sitting at your computer won't know. You just won't know. They put rules in your Outlook.
Ron: (11:16) So those undeliverables, or, you know, hey, the mailbox is full, because eventually these phishing mailboxes get full and it starts to send you emails. And you'll say, whoa, what the heck is this? But they put rules in there just to move that to the deleted items, or to take the sent emails that they're sending to phish your contacts. They'll delete those right away too. So it's very hard to catch if you don't catch it in the front end or have a security... So we use a program, um, here that will monitor all our Office 365 activities and logs for our customers. And that's how we know the impossible travel and these logins. And hey, you're, uh, just the other day our marketing box was, or marketing email box was being accessed in Utah. So I got an alert, so I checked it out and it was AWS.
Ron: (12:02) And we, uh, are building up our client portal and working on that stuff, and that's all in AWS. So it was fine, but it was smart enough to alert us. So partner with someone or be diligent on what you're doing with your logins. Um, Microsoft now has two form factor authentication that's available for free. It's part of the package that you get when you get an email account. Sign up for that; that is probably the biggest stopper you're going to have for unauthorized logins. You, they cannot access your email box or any email box without that. Uh, I think it's a six-digit PIN code that's randomly generated on your phone. So start to think about that. If you haven't moved to it as an organization or as a business, or even as a person, a human, do it, do it now and do it quick. Um, you've probably been using it for a while with your bank accounts.
Ron: (12:54) So it's really not that big of a deal. So you can use a smartphone app. You, I would suggest a smartphone app, 'cause it's the easiest thing to do. There's other forms, like you can use YubiKeys, which you just plug into the device and it randomly downloads, um, your, your key to let you log into things. But be prepared. It's only gonna get worse, along with the ransomware and everything else. We're seeing these, these bad actors, for lack of a better term. Everybody just says the term. So these bad guys, we'll say bad guys. Um, they're not going to stop coming. And they're going to, unfortunately, keep going after your data and your email, because that's where the money is for them. And now granted, you can get into some people's mailboxes and there's going to be nothing you want to see, but you still don't want them to have access to anything within your organization, because they're either going to sell the access to someone else.
Ron: (13:44) Or they're just going to sit there and farm whatever may come through that box. So be mindful of it. Uh, watch what you click, whether it's Facebook emails, we're getting phished everywhere. And I think that's the other thing to kind of hit real quick: this is not just emails where we're getting phished. It's Facebook, it's social media, it's Twitter, it's now Instagram. You're getting phished everywhere. So before you click on the link, really think it through and ask questions, maybe to the, to the sender, or, hey Ron, did you mean to send this to me? Or whatever you can do in your power to be proactive about these situations is going to be the easiest way to stop it. But they're not going to stop, because we still keep falling for it. We still keep clicking the links. We, I mean, everybody's guilty of it.
Ron: (14:26) I'm sure we've all clicked suspicious links and maybe got halfway through filling out that email. And you're like, oh shoot, that's not what I want to be doing. So be mindful of it. Look for the signs. Look for the urgency. Look for the misspellings. Look for the uncommon salutations. Look for, um, weird asks, you know, get 55 $50 gift cards. Like, what in the world would you need that for? Um, just be mindful of it. 'Cause it's only gonna get worse. And unfortunately, if you do get phished and they do get your credentials for the network, they are now, you're now in the realm of getting ransomware, where they're going to, they're going to do, you know, everything we talked about in the past podcast. So be mindful of it, stay on top of it. Be safe. Um, find a partner, find an MSP or an MMSP or CSP. Anybody that can help you secure and lock down your emails and, um, make sure you're protecting yourself and educating yourself. And if you have any questions, comments, thoughts, let us know. We're here to help. Uh, be good, stay safe. Love everybody. Take it easy.