Earlier this week, one of our clients submitted a service ticket after receiving a suspicious email from the business owner. While the “from” name was the business owner’s actual name, the email address was not. This isn’t a unique phishing technique, but there was one detail that makes this stand out from the rest – the email was sent to an employee’s personal email address.
About 4% of all emails sent are phishing attacks, and our systems prevent our clients from receiving thousands of these and other types of malicious emails each month, so seeing phishing attempts is nothing new. This email, however, was a bit out of the ordinary and caused us to ask ourselves several questions:
- How did the attacker get the employee’s personal email address?
- How did they know how to leverage this information in a targeted manner?
- Was this a targeted attack or part of a larger, possibly automated, effort?
Regardless of the answers to these questions, an email like this is very concerning: it has the potential to be extremely damaging if a recipient falls victim.
Our service team addressed the issue and then performed some additional research to better understand the email and the malicious link that it contained. They discovered that the malicious link was for an Internet domain that had been registered a day before the email was received and had been shut down only a short time after.
Blurred Lines Lead to Risk
The lines between professional and personal space tend to be very blurred in many small businesses – even more so with a large number of employees working remotely as a result of the COVID-19 pandemic. These blurred lines often lead staff to act without hesitation on messages from their team members and superiors, regardless of the source of the email, which gives this type of social engineering attack a high probability of success.
Attacks like this are difficult, and sometimes impossible, to prevent, as a business does not have control over personal email accounts. They demonstrate the need for both administrative controls and security awareness across entire businesses. The importance of creating boundaries, for the sake of ensuring communications are genuine and take place only via corporate channels, cannot be overstated.
A Modern Workplace Requires Modern Approaches to Security
As the modern workplace expands to a hybrid model without physical boundaries, such as office spaces, we must change our mindset and operate under the assumption that we are constantly under attack. Staff must be educated on best practices, and boundaries must be created to make it clear that their boss will never email them from a non-business email address. Messages that arrive through any other non-business channel must be questioned and verified via voice or other systems to guarantee authenticity and avoid the risk of compromise.
Security Best Practices
Workflows that help ensure communications are genuine, paired with security awareness training and next-generation mail filtering technology, are critical components of an effective security best practices strategy. This is a matter of IT governance and is a shared responsibility between a business’s IT team or provider and its management team.
Our team recently delivered a webinar on the topic of Security Best Practices and a recording is available to watch on-demand. Over half of small businesses that fall victim to an attack cease operation within 6 months, and I encourage everyone to watch the webinar and question any processes in place to prevent this type of event from occurring – and if you have any questions, give us a call.