Phishing Emails - Steer Clear

It is important for state employees to be aware of one of the many hostile ways that malicious groups and nations attack our state technology infrastructure: phishing emails. Many of you reading this may already know what these are, or have seen them in your inbox at some point, but let's look at them again as a friendly reminder.

Example: A BIT staffer recently received a friendly invitation from a third-party research company claiming to be contacting them on behalf of one of our software vendors. We have done business with the vendor in question for decades; for this example we will call them Business Automation for Information Technology, or BAIT (because in government we love acronyms). As vendors go, we would call BAIT an acceptable business partner, but not a great one. As with most vendors, there are a few things about their business model that seem counter-productive or less than ideal for our needs, and we have always felt that our concerns about that were falling on deaf ears. Now it appears that BAIT has decided to hire a research group to find out what BIT thinks of them AND that they intend to use our feedback to improve their services. All of this arrives in our staffer's inbox as a single email.

In brief, here are the thoughts from the person who received the email:
  • Well, it's about time they start to listen.
  • It might be a good investment to spend a few minutes with them. But it’s odd that no one in BAIT told me they had hired this research firm. (Yellow flag goes up.)
  • I'll have to assign someone to follow up with our official BAIT rep to make sure this is legit before I do anything. (Healthy caution sets in.)
  • Oh, hey. Look at that. They are offering me a chance to win something cool just for responding. (Red flag goes up.)
  • They provided a simple link I can click on. (Red flag starts waving.)
  • They want an answer in a short time-frame creating pressure to ‘act now’. (Warning horns go off.)

Here at BIT, we are on the technology front lines, where we count the sneaky and hostile cyber attacks and probes launched against us in the tens of thousands. This type of email might appear to be just what its text said it was: a trusted business partner wanting their clients' feedback. The temptation would be to "sneak a peek" at the survey to see if it's nice and short. The logic would be: I can give this vendor some feedback I really want them to hear, get a chance to win something cool, and still get to my next meeting on time. If you did that, however, you may have handed someone with hostile intent secret control of your desktop, and everything connected to it, in exchange for that quick little peek.

Bottom line: Do not click on links in emails unless you asked the person to send you the link or have another reason to trust the source of the email.
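Before anyone clicks, the link itself can be checked: does the address the email actually points to match the one shown on screen, does it belong to the vendor we know, and does the sender's domain? The following is an added example in Python, not part of the original article and not BIT's own tooling; the sample message, the vendor domain bait-software.example and the lookalike domain bait-software-survey.example are all constructed for illustration.

```python
"""Inspect the links in a suspicious email before anyone clicks them.

Added example for this article, not BIT's code. The message, the vendor
domain "bait-software.example" and the lookalike "bait-software-survey.example"
are constructed for illustration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains of vendors we actually do business with (assumption for the example).
TRUSTED_DOMAINS = {"bait-software.example"}

# Constructed sample message modelled on the survey invitation in the article.
SAMPLE_EMAIL = """\
From: "BAIT Customer Research" <research@bait-software-survey.example>
To: staffer@state.example
Subject: Quick survey - win a tablet! Respond within 48 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We are conducting a survey on behalf of BAIT. Complete it today for a chance to win!</p>
<p><a href="http://bait-software-survey.example/s?id=123">https://www.bait-software.example/survey</a></p>
<p><a href="https://www.bait-software.example/support">Support portal</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or "" if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host is a trusted domain or a subdomain of one.
    The leading dot matters: "bait-software-survey.example" is not a
    subdomain of "bait-software.example"."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def sender_domain(raw_message):
    """Domain of the first From: address."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return msg["from"].addresses[0].domain.lower()


def extract_links(raw_message):
    """(href, visible text) pairs from the HTML body of an email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    return parser.links


def assess_links(raw_message, trusted=TRUSTED_DOMAINS):
    """Flag each link whose real destination does not match what the reader sees."""
    findings = []
    for href, text in extract_links(raw_message):
        host = host_of(href)
        flags = []
        # Visible text that looks like a URL but the href goes somewhere else.
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if shown and shown != host:
            flags.append("display/href mismatch")
        if not is_trusted(host, trusted):
            flags.append("untrusted domain")
        if urlparse(href).scheme.lower() != "https":
            flags.append("not https")
        findings.append({"href": href, "host": host, "flags": flags})
    return findings


if __name__ == "__main__":
    sender = sender_domain(SAMPLE_EMAIL)
    print("sender:", sender, "(trusted)" if is_trusted(sender) else "(NOT trusted)")
    for f in assess_links(SAMPLE_EMAIL):
        print(f["href"], "->", ", ".join(f["flags"]) or "ok")
```

Run against the sample, the survey link is flagged three times (the text shows the vendor's site while the href goes to a lookalike domain, over plain http) and the sender's domain is not the vendor's, while the genuine support link passes. Seeing the href rather than the blue underlined text is the whole point: hovering over a link in a mail client shows the same thing, and that is the check to make before following the bottom line above.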

Special thanks to Wayne for the article!
