Kazmarek

Issue No. 116, April 2022

Goin’ Phishing

As many of our readers are already aware, phishing attacks represent an ever-present danger in today’s business environment. They carry not just the risk of a compromised email account, but potential financial and reputational consequences that any business owner would be loath to ignore. Below, we outline some tips on what to watch for to avoid falling victim to a phishing attempt, and some strategies on how best to educate your team and protect your business.

In recent years phishing attempts have grown increasingly sophisticated. Attackers use multiple techniques to mask the true origins of the malicious emails they send, specifically target individuals within organizations with access to capital, and employ advanced behavioral and social engineering techniques to ensure the greatest chance of successfully compromising corporate assets. By breaking down and examining these techniques, we can arm individuals inside organizations with the knowledge they need to spot phishing attempts before they lead to compromise. First, let’s examine how an attacker masks their email address.

The protocols that govern email date back to the early days of the internet. As such, they have become increasingly vulnerable to individuals who would like to exploit their flaws for malicious purposes. One of the ways this is done is by changing either the display name or the envelope address. This allows an inbound email to impersonate a legitimate one, and largely takes advantage of the way that different email programs like Microsoft Outlook display messages. For instance, an email might originate from [email protected], but the display name might show up as “Your Company CEO.” Masking the envelope address requires a bit more sophistication, but it obfuscates the email address itself: although [email protected] sent the message, the email purports to be from [email protected]. It might also come from an address that doesn’t exist at your organization but has the correct domain associated (the part after the @ in an email address is the domain). Either of these attacks can be mitigated by most third-party email filtering services, but should an email make it through, it is important that end users are aware of these techniques so that they can guard against them. One means of doing so is validating the actual email address of the sender, something you should be able to do with just a few clicks in a program like Outlook. Next, let’s take a look at how a scammer will target specific individuals within an organization.

Most phishing email is entirely automated. A malicious actor sets up an email blast, similar to one done by a marketing department, and sends emails out to a number of individuals, likely across a broad swath of organizations. Once someone’s credentials have been compromised, a sophisticated attacker will gain entry and then bide their time performing reconnaissance before taking any further action. Generally speaking, this means using the mailbox they’ve gained entry to in order to work out the corporate structure. Although the compromise might happen with a lower-level employee, the attacker will use the access to that mailbox to determine who in the enterprise has access to whatever they’re looking for, generally money. They might then seek to target the CFO or Controller, use that access to intercept wire or direct deposit transactions, and then disappear before they’re discovered. Users can guard against this type of behavior by validating any unusual request by a method other than email, like a phone call or face-to-face meeting. Finally, let’s take a look at some other examples of social engineering that a threat actor will use to gain entry into an environment.

Social engineering is at once the simplest and most sophisticated methodology employed by malicious actors. Essentially, they are using knowledge of human behavior to elicit the types of responses they’re looking for. Techniques of this type are also employed by the phishing email’s more analog cousin, the con man. Perhaps the most common technique is playing on an employee’s sense of urgency. A user might receive an email purporting to be from the organization’s CEO, saying that they’re in a high-level meeting and need the employee to immediately procure some gift cards for…reasons. What the attacker is counting on is that the authority of the CEO, coupled with the impression of urgency, will get the employee to overlook the overall oddity of the request and simply comply with it. This is similar to an old scam called the Spanish Prisoner, in which someone receives a letter from a ‘relative’ who claims to be imprisoned and requires funds to be released. The greatest defense against social engineering techniques is incredulity on the employee’s part. Would the CEO really be asking ME for something like this? Would they really need it that quickly? Does this vendor that I have never heard of really need immediate access to sensitive systems with no approval from the ‘powers that be’? By asking themselves these questions, and consciously working against the false sense of urgency, an informed employee becomes the best line of defense against social engineering scams, whether they are digital or analog.

In summation, an informed employee is a better-protected employee. By facilitating training for your team, you empower them to question suspicious emails and to constitute another line of defense for your corporate infrastructure. When training of this type is coupled with spam and phishing filtering, access controls, and multi-factor authentication, an organization becomes a much less attractive target to malicious actors. Ensure that your employees can recognize a suspected phishing email when it is received; if they’re ever in doubt, they should send it on to your IT provider. Phishing emails that can potentially compromise a mailbox are a perfect example of “better safe than sorry.”

Written by KTS Operations Manager, Tristan Collopy

 

 


Copyrights: © 2023 Kazmarek. All rights reserved.
