Talking with a friend this morning who is a business adviser, we discussed the common questions and assumptions his clients have about cybersecurity. One of their assumptions was dead wrong, and it reminded me of the scariest email I ever received.
A few of the older business owners he works with thought that as long as they only used the internet for email and barely surfed the web, they were safe. That assumption couldn't be farther from the truth nowadays. Getting a computer virus like ransomware isn't like catching a cold (however similar the names are); you don't get a virus because you spent hours on the internet and were accidentally exposed to a website with cold symptoms.
Most hackers penetrate a company's network by duping an employee into letting them in via an email; this tactic is known as a phishing email or phishing attack. Hackers imitate an email a person would normally and legitimately receive, in hopes that the recipient will click a link and download their virus, or hand over valuable login credentials such as a bank or email account password.
The Scariest Email I Ever Received
Last year, I was in a rush to get things in order before I went out of town to a conference where I would be speaking. At the same time, I was working with my real estate agent, title company, and wife to finalize the paperwork to purchase our new house, and my wife had to get a power of attorney because the seller had pushed our closing back a few days to a day when I would be out of town. As I left my office for an important lunch meeting, I saw an Outlook notification for an email from Wells Fargo (my mortgage company) with the subject: Important - Timely Documents Need Your E-Signature.
I sat back down in my chair to open the email when a question popped into my head: "Why would Wells Fargo start emailing me at work?" The attorney at the title company knew I was heading out of town and that I didn't check my personal email throughout the day, so I thought she might have sent it to my work email knowing I'd see it sooner.
Then I thought, "How'd she get my work email?" Knowing that my wife was working directly with the title attorney, I thought my wife may have given it to the attorney, but I still had hesitations.
It's a good thing I paused. That email was from a hacker posing as Wells Fargo and it looked legit.
I deleted that email immediately and then permanently deleted it from Outlook, so I no longer have access to it, but it looked similar to these emails.
Why Do Phishing Emails Work?
It's simple, actually: hackers want to catch you off guard, in a hurry, and probably checking your email on your smartphone. They send an email that looks just like one you'd normally receive - from your bank, favorite brands, social media accounts, etc. - in an attempt to fool you.
You might be thinking that you'd never fall for an email like that because you don't use Wells Fargo. You are correct in thinking that; those emails are easily dismissed and deleted, just like physical junk mail or mail for the person who lived at your house years ago. You throw it away and don't think about it again.
What are the odds that a hacker succeeds with phishing emails? What are the odds that a hacker happens to email someone in my scenario, closing on a house with that specific bank? Probably low, but most hackers don't send emails to one person at a time. Hackers send millions of spoof emails, sometimes hundreds of millions, to unwitting people. If they succeed with just 0.01% of them, that means 100 people out of 1 million clicked that link. (Actually, hackers do also send emails to individual people after researching them to learn what will most likely get them to click. That research is known as "social engineering" and the tactic is called "spear phishing". In fact, 83% of spear phishing attacks use brand impersonation. [Barracuda])
Back to the question of how successful hackers are with phishing emails: about 5%. Hackers generally get 5% of recipients to click on their emails. In comparison, a good marketer gets about a 2% click-through rate when emailing a cold mailing list (one the recipients didn't opt in to). Yes, hackers are twice as effective as most marketers. In my opinion (as a marketer), hackers don't have to be realistic in their "bait"; they're criminals, so they don't follow any government advertising guidelines or truth-in-advertising rules. They can send you an email giving away a free car, $1,000,000 in cash, or what have you.
The scariest part of phishing emails is where the links go. I didn't click the link in the phishing email I received, but it probably went either to a DocuSign-style document that would have me sign a fake agreement or to a website that looked like Wells Fargo's login page so that I would enter my username and password. Fake login screens (like the fake Microsoft 365 login screen to the right) are a common tactic hackers use to capture credentials, which they either use themselves or sell on the Dark Web (the internet's black market). Once a hacker gets access to your email, they can easily social engineer your colleagues, clients, and vendors, as well as change the passwords on every account tied to that email address, including your bank, social media, and anything else you sign in to with it. (You can safeguard against account hijacking by enabling two-factor authentication on your accounts, which we highly recommend, especially for your email.)
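The two tells the post describes, a sender display name borrowing a brand while the actual address is somewhere else, and a link whose visible text points you at one site while the href goes to another, can be checked mechanically before anyone clicks. The script below is an added example (not code from the original post or from My IT) that runs both checks over a raw email. The brand allow-list and both sample messages are constructed for this example, and every domain ending in .example is a placeholder, not a real or observed address.

```python
"""Heuristic triage for brand-impersonation phishing (added example).

Flags (1) a From display name that names a known brand while the address
is on a domain that brand does not send from, and (2) a link whose text
names a domain, or a brand, other than the one its href actually targets.
Domains ending in .example are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands this organisation deals with and the domains they legitimately
# send from. Constructed allow-list for the example; a real deployment
# would maintain this from its own vendor records.
KNOWN_BRANDS = {
    "wells fargo": {"wellsfargo.com"},
    "docusign": {"docusign.com", "docusign.net"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

# Something that looks like a host name inside a link's visible text.
_DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registered_domain(host):
    """Last two labels of a host name (crude stand-in for a public
    suffix list lookup; adequate for the domains used here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_findings(msg):
    """Display name claims a brand, but the address domain is not the brand's."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    return [
        f"display name claims {brand!r} but address domain is {domain!r}"
        for brand, domains in KNOWN_BRANDS.items()
        if brand in name.lower() and domain not in domains
    ]


def link_findings(html):
    """Link text names a domain or brand that the href does not go to."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        target = registered_domain(host)
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
        for brand, domains in KNOWN_BRANDS.items():
            if brand in text.lower() and target not in domains:
                findings.append(f"link labelled {brand!r} points to {host}")
    return findings


def triage(raw_message):
    """All findings for a raw RFC 5322 message with a single HTML body part."""
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return sender_findings(msg) + link_findings(body)


# Constructed sample modelled on the lure in the post, with placeholder domains.
PHISH = """\
From: "Wells Fargo Home Mortgage" <docs@wf-esign-portal.example>
To: me@work.example
Subject: Important - Timely Documents Need Your E-Signature
Content-Type: text/html; charset=utf-8

<p>Please <a href="https://wf-esign-portal.example/sign">sign in at wellsfargo.com</a>
to review your closing documents.</p>
"""

# Constructed sample whose sender and link agree with each other.
LEGIT = """\
From: "Wells Fargo" <alerts@wellsfargo.com>
To: me@home.example
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<p>Visit <a href="https://www.wellsfargo.com/">wellsfargo.com</a> to view it.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample) or ["no findings"])
```

The sample lure produces two findings (the borrowed display name and the mismatched link) while the consistent message produces none. The check the post's author actually relied on, a bank writing to a work address it was never given, is context no script has; the script only catches the parts of the impersonation that are visible in the message itself, which is why the training the post goes on to describe still matters.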
Now you may be wondering why I had the wherewithal not to click on that email. How did I know to stop long enough to realize the email had been sent to my work email instead of my personal email? It is simple - training.
Here at My IT, we use a cybersecurity awareness training program that provides both multimedia training and simulated phishing attacks via email, voicemail, and USB drives. We also provide the same training to all our clients because the weakest point of any company's cybersecurity efforts is its people. Hackers have moved on from attacking firewalls and planting viruses online because IT companies and departments have thwarted those attack vectors, so hackers now try to fool humans into letting them inside your networks. Companies must create a "human firewall" through training and testing to better protect their data and networks, because 90% of cybersecurity professionals feel their company is vulnerable to insider attacks. [Forbes]