This blog continues from Part One.
Firstly we looked at how the email got through in the first place. The technique of an email coming from one place, but appearing to come from another is known as spoofing. Often in larger organisations it is quite normal to have third party applications or companies who legitimately spoof email – Marketing, HR, Cloud based application vendors and many more.
This is what had happened here, some issues with an external vendor had caused them to turn off the Content Control rule to allow spoofed email to be delivered. Of course what should have happened is for an exception to be created for that particular sender. It was only a temporary change during testing, but had never been fixed (I am not going to comment here on their testing processes).
That was easy enough to address, but the next area was not so straight forward. When we actually looked at the email, to an experienced eye there were enough clues to suggest it was not be legitimate. There was no normal corporate signature, the formatting didn’t match that normally used by the company and the language was unusual. The content of the email implied that there was an issue but only with the user’s remote access and the sender, who said he was from the IT department, could easily remotely fix it. All that the sender required was the logon the recipient used for said application and their password. This alone should have alerted a recipient to a potential problem.
Really nothing out of the unusual for a phishing email, so it did surprise us that the recipient had responded. (I should say at this point that the email also went to a couple of other people in the organisation, but not so senior and they had spotted and reported it. The fact it went to this individual was found with a subsequent search using their Symantec.cloud Track and Trace facilities. All recipients were contacted to see whether they had responded or deleted it) A brief conversation with the recipient quickly exposed that they were completely unaware of the concept of phishing emails within a corporate environment. The recipient believed that phishing was only attempted on webmail accounts. What then transpired was that this organisation had never made any efforts to provide training to their staff, at any level, on phishing, spamming, scams or any other threat they may encounter via email or phone.
Companies spend thousands of euros on technical equipment, services and solutions, and the teams to run them and they are essential to protect businesses. However, without considering the humans that form part of that solution, it can easily fail. It is imperative that all organisations regardless of their size undertake some form of training for all of their staff to highlight where they can take simple steps to avoid being part of the problem.