Why Phishing works

Phishing is the most common way security breaches occur, and a ton of blame and pressure is placed on non-technical people to avoid these attacks. Today I want to empathize with non-technical people, as someone who has to interact with E-Mail in a professional setting and has been administering E-Mail systems since 2017.

There are Bad Workflows with E-Mail

The inspiration for writing this post came from accepting a job offer. During the onboarding process I received an E-Mail describing the different vendors I would need to interact with, all of them tied to different subsidiaries of the parent company I was going to work for. The E-Mails from these services looked like they were sent in the late 2000s, and the domain didn’t match the company they were tied to. All of these things are red flags that would normally cause me to treat an E-Mail as garbage, but I had to risk it in order to get paid. This is the exact scenario attackers try to create to get someone to click on the spicy link or transfer funds to a random bank account.

The other scenario I have seen that looks a lot like phishing is interacting with small businesses over E-Mail. There are a lot of solo business owners who are intelligent people and good at their craft but not tech-savvy. These amazing people don’t double-check their spelling before sending an E-Mail. So you can receive a poorly constructed E-Mail, rife with spelling issues, with no signature and invoice.pdf attached, that is perfectly legitimate and looks just like a bad phishing E-Mail.

It is Hard to Filter out the Baddies

E-Mail started to become a standard in the early 1980s and has roots dating back to the 1960s. At that time computers and access to the internet were still expensive, so sending spam and malicious E-Mail was extremely expensive, and few people had access to E-Mail-capable devices. With the internet being new, security was not built into the design of E-Mail. Most attempts at making E-Mail more secure have been bolt-ons to a system that was not built with security in mind, and there is no active governance structure keeping the standard up to date. So things that are commonplace in modern messaging apps, like multi-factor authentication and notifying the user that a message was sent from a new device, are either not possible, not standardized, or extremely difficult to use.

This, coupled with reputable mail services being free in some cases, pretty cheap in others, and extremely easy to sign up for, has made it difficult to distinguish friend from foe, especially since a bad actor will use the same services as a legitimate sender to deliver E-Mail. So simple solutions like ignoring E-Mails from G-Mail, Microsoft, and SendGrid will lead to legitimate messages getting blocked. This leads to the common ways phishing E-Mails make it to your Inbox:

1. A legitimate E-Mail address is compromised
2. Someone uses a compromised E-Mail address on a common provider like G-Mail or Outlook to impersonate someone else
3. Someone uses a free or cheap mailing service to impersonate someone
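The second and third delivery paths share a tell: the display name claims to be a known contact while the address behind it belongs to a free provider or to a domain that contact never uses. The following is an added example (not code from the original post) of a triage heuristic that flags exactly that; the contact directory, provider list and sample headers are constructed for illustration. Path 1, a genuinely compromised mailbox, passes this check by design, which is why out-of-band verification still matters.

```python
from email.utils import parseaddr

# Constructed directory: which domain each known contact normally writes from.
KNOWN_CONTACTS = {
    "jane doe": "examplepayroll.com",
    "acme vendor billing": "acme-vendor.example",
}

# Consumer providers anyone can sign up for (delivery paths 2 and 3 above).
FREE_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def split_from(from_header: str) -> tuple[str, str]:
    """Return (display name, domain), both lower-cased, from a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def classify_sender(from_header: str) -> list[str]:
    """Return the red flags a From: header raises; an empty list means none.

    Path 1 (a genuinely compromised mailbox) produces no flags by design:
    name and domain both look right, so only out-of-band checks catch it.
    """
    name, domain = split_from(from_header)
    flags = []
    if not domain:
        return ["no parsable address in From header"]
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        flags.append(f"'{name}' normally writes from {expected}, not {domain}")
    if expected and domain in FREE_PROVIDERS:
        flags.append("known business contact writing from a free provider")
    return flags


if __name__ == "__main__":
    # Constructed sample headers covering the cases discussed in the post.
    samples = [
        "Jane Doe <jane.doe@examplepayroll.com>",               # legitimate
        "Jane Doe <jane.doe.payroll@gmail.com>",                # free provider
        '"Acme Vendor Billing" <billing@acme-vend0r.example>',  # lookalike
    ]
    for hdr in samples:
        print(hdr, "->", classify_sender(hdr) or "no flags")
```

A sender not in the directory raises nothing, so this is a triage aid for the people you already know, not a spam filter.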

Phishing Attacks Have Become Really Good

As seen above, phishermen sometimes have a pretty low bar to clear, and some attackers are back-flipping two feet over it. Using open source intelligence, or creeping as it is known to non-technical people, attackers can find the name and E-Mail address of someone in the company, the services the company uses, and that person’s writing style, then construct a phishing E-Mail that looks incredibly accurate and send it through a legitimate E-Mail service. Together, these can fool a SPAM filter and most humans.

What can be Done?

The easiest way to avoid all the problems of E-Mail being insecure is to avoid doing important things over E-Mail and use a secure messaging app like Element, or whatever messaging app your company uses. This doesn’t work for everything, since everyone uses E-Mail but not everyone uses a secure messaging app, and the people who do can’t agree on which one to use. So if you can’t avoid using E-Mail, and even if you are using a more secure communication channel, use context to suss out weird behaviors: why does my boss need gift cards? This payment info seems off. If something looks weird, find another way to reach that person to verify that they sent the E-Mail and that it’s safe to act on. Generally, it is better to be safe than sorry, and if someone really needs something, they will not ignore your request for confirmation.
