This time it was an official British Red Cross education campaign. However, you need to read this advice, because next time it may be the real deal, and clicking on that link could have more severe consequences.
Cybercrowd is working with your Information Security Manager at the British Red Cross, Lee Cramp, to help improve the awareness of email security threats across your organisation.
We all take email for granted, yet it is also the most likely starting point for a cyber-attack on your organisation. Email attacks rely on human error and trust. We have learned to trust emails, especially if they appear to be from a reputable source. Unfortunately, it is easy to make emails look genuine and to trick people into opening attachments, clicking links and submitting their username and password.
Even though the British Red Cross is a charity, cyber criminals will still attack you. Because of your size and diversity and the large number of volunteers working for your organisation, you are more likely to be targeted. Whilst you have good email security technologies installed, these are only a safety net. The first and most important line of defence is you. It is really important that you are vigilant when you receive an unexpected email, even if it seems to be from a trustworthy source, because it could be a phishing attack.
What is phishing?
Email phishing happens when someone tries to get you to do something using email. At one time, phishing scams were rudimentary and obvious to identify. Emails from ‘Nigerian princes’ offering to transfer money to you are one example. Today, phishing attacks are more sophisticated. They will often want you to open an attachment (which can lead to your computer becoming infected with malware, such as ransomware). Increasingly, they will encourage you to click a link that takes you to a genuine-looking website where you’ll be asked to submit your username and password. This is heaven for a cyber attacker because they don’t need to break into your computer systems and bypass your sophisticated defences – they can simply use your genuine log-in details, which they have collected (or ‘harvested’) when you submitted them on the scam web page.
Our phishing emails have done this. We encouraged you to click a link that took you to a genuine looking website. From there we tricked you into giving us your username and password. Don’t worry; we haven’t kept any of these details.
How do you avoid becoming a victim?
If you receive an unexpected email then treat it with suspicion, especially if it wants you to open an attachment or click a link. When you do get an email like this then do the following:
Take a look at the sender’s email address. Attackers often spoof a sender’s email domain by buying and using names very similar to the target organisation’s email domain. We used this approach for this campaign: we bought redcrosss.org and sent emails from it. The extra ‘s’ is clearly there but wouldn’t be obvious from a casual glance. Check suspicious email addresses carefully. If the email address isn’t in the format you would expect, is incorrectly spelt or is a collection of random letters and numbers, then you should send the email to the IT Service Desk and ask them for advice.
Email Address Spoofing
If the email includes a link, don’t click it – first hover over the link with your cursor to check whether the destination web address looks valid. If the address doesn’t look right or is a collection of random letters and numbers, as shown in the picture below (from one of our phishing test emails), don’t click it; send it to the IT Service Desk and ask for their advice.
Suspicious Link Address
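The two checks above (a sender domain that is one letter away from the real one, and a link whose visible text does not match where it actually goes) can also be automated as a mail-filtering or triage aid for the IT Service Desk. The script below is an added example, not part of the campaign material or of any British Red Cross tooling; the trusted-domain list, the sample message and the hostnames in it are constructed for illustration. It scores a sender domain as trusted, lookalike (within two edits of a trusted domain, or the same name under a different ending, like the redcrosss.org case) or external, and it lists links whose shown text names one site while the href leads to another, whose destination is itself a lookalike domain, or whose destination is a bare IP address.

```python
"""Lookalike-domain and mismatched-link checks for incoming email.

Added example. TRUSTED_DOMAINS and SAMPLE_EMAIL_HTML are constructed
sample data, not real British Red Cross configuration or mail.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation legitimately sends from (constructed allowlist).
TRUSTED_DOMAINS = {"redcross.org", "redcross.org.uk"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character inserts, deletes or
    substitutions needed to turn a into b ('redcrosss.org' is 1 from
    'redcross.org')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_domain(dom: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a domain name."""
    dom = dom.lower().rstrip(".")
    for t in TRUSTED_DOMAINS:
        if dom == t or dom.endswith("." + t):       # exact or a real subdomain
            return "trusted"
    bare = dom[4:] if dom.startswith("www.") else dom
    for t in TRUSTED_DOMAINS:
        # Near-miss spelling, or the same name under a different ending.
        if levenshtein(bare, t) <= 2 or bare.split(".")[0] == t.split(".")[0]:
            return "lookalike"
    return "external"


def classify_sender(from_header: str) -> str:
    """Classify the domain in a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return classify_domain(m.group(1)) if m else "external"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_named_in_text(text: str) -> str:
    """If the clickable text itself looks like a URL or hostname, return that host."""
    m = re.fullmatch(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:/\S*)?", text.strip())
    return m.group(1).lower() if m else ""


def suspicious_links(html_body: str):
    """Return [(href, [reasons])] for links a reader should not click without checking."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        shown = host_named_in_text(text)
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
        if classify_domain(host) == "lookalike":
            reasons.append(f"{host} is a lookalike of a trusted domain")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append("destination is a bare IP address")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message body (not a real campaign email).
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full.</p>
<p><a href="http://redcrosss.org/login">www.redcross.org.uk</a></p>
<p><a href="https://www.redcross.org.uk/volunteer">Volunteer with us</a></p>
<p><a href="http://203.0.113.5/verify">Verify now</a></p>
"""

if __name__ == "__main__":
    print(classify_sender("IT Service Desk <help@redcrosss.org>"))   # lookalike
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed message, the first link is reported twice over (shown text names the real site, destination is a lookalike), the second is left alone because its host is a genuine subdomain of a trusted domain, and the third is reported for pointing at a raw IP address. The edit-distance threshold of 2 is an assumption to tune: too low misses longer typo-squats, too high starts flagging unrelated short domains.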
If for any reason you do click the link, stop before you do anything on the website it leads you to. The chances are it will look genuine. These days you don’t have to be a ‘master forger’ to recreate the look and feel of a genuine website, such as Dropbox, Amazon or even the British Red Cross website. Open source ‘screen scraping’ tools do the work for attackers, and some even come with pre-built templates. These sites often hyperlink through to the genuine sites to make them more credible, but there are still usually tell-tale signs. Firstly, if the website asks you to submit your username and password, don’t do it. If in doubt, contact the IT Service Desk and ask for their guidance. Secondly, look at the web address – does it look genuine? If it is a random collection of letters or numbers or doesn’t look as it should, then don’t trust it. Again, send the email to the IT Service Desk to make them aware of the threat so they can block the email and warn others.
Suspicious Landing Page Address
If you receive an attachment that you didn’t request or expect, don’t open it, no matter how interesting it looks. It’s not uncommon for phishing attacks to include ‘purchase orders’, ‘remittance advice’ or similar. If the email looks genuine and is from a sender you know but is still out of the blue, then call them up to check that it’s genuine. If it looks suspicious, never call the number in the email; always come out of the email and search for the person or company to confirm their true identity. If you’re still in doubt, speak to the IT Service Desk.
What happens next?
The British Red Cross Information Security Manager will be publishing statistics from this educational phishing campaign together with additional guidance in a forthcoming blog, so please look out for that. In the meantime, please be vigilant and think about unusual or unexpected emails that you receive. If there is any doubt, don’t open any attachments or click on any links – simply forward them to the IT Service Desk who will investigate the matter.