More Clever Phishing – Will it ever stop?

I have been too busy to write blog posts… I will be writing a couple of quick ones during my trip West…

We are being inundated by cleverer phishing attempts. Though our attempts to educate our users are helping, the new phishing attempts are essentially bypassing the safeguards that we have put forth and rely on social engineering.

Imagine getting a very short email from the President of the College or the Provost. Mind you, the hacker is careful to choose who to send it to. If it is coming from the President, the person has researched who are likely to be communicating with her – senior leaders, support staff etc., all of which is publicly available. And the email is always from the President or Provost or some other senior official, except, if you drill down deep, you will see that it is not from the College email address. It is likely to be from gmail.com, me.com, or any such domains. But, think about a one or two liner coming from a higher official and the name is prominent in the from address… The natural inclination is to respond.

The email typically reads something to the effect that “I am in a meeting and can’t talk but need an urgent help”. If someone responds, you get a second email asking that you send some amazon gift cards (or other gift cards) because “I really want to give a few gift cards to the folks here for their good work”.

Thanks to our constant efforts, almost always, we have suspicious users who send it to us and we take the usual precautions to contain the damage (which I will not elaborate here, for obvious reasons). But almost always, a handful fall for this scam. So far, no major damage has been done. But a few have given out their phone number for the other person to call. Obviously it is not desirable and we provide some guidelines on due diligence.

Unfortunately, as a Higher Ed, it is impossible for us not to have some of the information public. And a determined soul at the other end is going to take advantage of it and try these out. We have had a handful of cases where the hackers have attempted more serious crimes, involving finances, through emails. In all these cases, thanks to the security education we provide, damages have been halted at various stages by someone detecting an issue.

Of course, the root of the problem is that anyone can create any email address that is available on any free email system and modify the name to be anything they want. These were celebrated features of email systems! So, these hackers go and create email accounts and change the From address the way they want! And there are many other ways to do this, including on one’s home computers…

As I have said before, companies are always rushing to roll out the next best technology. What we need is for the bright minds to come together to solve this annoying issue in a way that it does not take so much time and effort on several people’s part. Rather than rolling out new technologies as a field trial and “break-fix” model, we need sound systems to start with!

Leave a Reply