In our last post we talked about social engineering, and how it uses our human nature against us to gain access to personal information we wouldn’t otherwise divulge. Social engineering, in a sense, is a method of hacking the human brain. Since it’s often much easier to convince someone to give you something voluntarily, hackers frequently employ these tactics as the opening steps of a larger campaign. Why brute force your way into a system if you don’t have to?
It’s helpful to think of hacking, social engineering, and spam as all going hand in hand. Picture your classic three-circle Venn diagram — you know the ones from that one logic class you were forced to take in college. The way these three overlap is a lot like that.
Smush social engineering and spam together, and you get those frustrating Nigerian email scams. Combine hacking and social engineering, and you get a phishing attempt or ransomware attack. Make a slurry of all three, and you’ve got a recipe for a very confused employee… and disaster. Part of the problem is that many companies don’t properly educate their employees about what to keep an eye out for. Junk mail gets mistaken for spam. A malware payload in an email attachment goes unnoticed, because the document was that boring.
People don’t realize they’re being hacked, because their only frame of reference is what they’ve seen in movies. In reality, hacking is tedious, time-consuming, and not at all visually stimulating. Reading and parsing thousands of lines of code for hours on end in search of a vulnerability you can exploit? Yes. Flashing pop-ups, scrolling numbers, and a race against the clock? Not quite. Real-life hackers don’t show their work — at least not on their victim’s computer screen while they’re in the middle of doing it. That would be silly and foolish, especially considering a hacker doesn’t want to be caught. In truth, hacking is really more of a background process — your average end user might notice that their computer is slower than usual, but 99.99% of the time that’s going to be chalked up to “stupid technology.”
If it sounds mundane, that’s because it kind of is. But that’s why it’s important for employees to understand what a hack doesn’t look like. If what they expect is the computer version of a high-octane action extravaganza, then the much less in-your-face, slightly-out-of-the-ordinary “huh, my computer is uncharacteristically slow today” experience won’t seem worth mentioning.
Misconceptions can be costly, and one of the worst ones we see regards spam — or maybe you call it junk mail. The thing is, though the terms are often used interchangeably, not all junk mail is spam. Where your email is concerned, junk mail takes its name from its older brother in the physical mailbox. It originates from legitimate services that you can opt out of, like a marketing campaign from that store you bought clothes from once. Verdict: completely harmless.
Spam, on the other hand, is entirely unsolicited — but the harm it can bring is much more of a mixed bag. The vast majority of spam received daily is harmless cold-emailing done by entrepreneurially-minded people. Turns out bulk-sending 100 million emails in hopes of getting a few dozen sales is cheap, easy, and shockingly effective — though as a consumer it’s sometimes impossible to tell what’s legitimate, and there are plenty of reasons why you shouldn’t try to find out.
It can be difficult to tell the difference between harmless and malicious spam, but employees educated on how to do so can save your company from a world of hurt. For starters, most harmless spam will be caught by your filters and sent to the spam folder. With malicious spam, this isn’t always the case — it’s often designed to look so real that it can bypass your filters. Classically, spam this sophisticated is the sort of stuff hackers send out — phishing attempts and emails with malware payload attachments. It’s convincing because they want you to click. But there are ways you can pick one of these malicious emails out of a lineup, like paying attention to incorrect spelling and checking for weird return email addresses. Major companies spend billions of dollars every year to perfect every aspect of their customer communications, so if you get an email that is less than flawless, that should raise an entire flutterance of red flags.
If an employee has concerns about the legitimacy of an email they’ve received, that’s something we can look into. That said, it is never a good idea to forward the email directly. The safer method, which is what we request, is for the client to “forward as an attachment” when submitting a service ticket.
IT professionals ask for this because forwarding as an attachment is the only way to send the entire email, including its headers. The headers contain the information techs analyze to work out where the email actually came from and whether the sender address is spoofed. Nearly every part of an email can be forged. The exception is the “Received:” lines in the header that your own mail server or service provider stamped on the message as it arrived. Each line records the server the message came from and the server that accepted it, so the chain as a whole shows every server the email had to travel through in order to reach you, back to the originating IP address. That IP address may then be reported to its owner, who can take steps on their end to put a stop to the scammers and spammers.
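To show what a tech does with a forwarded-as-attachment message, here is an added example (not code from the original post) that walks the Received: chain of a constructed raw email, separates the hops our own servers recorded from the hops the sender merely claims, and also runs the “weird return address” check mentioned above. It assumes a hypothetical list of mail hosts we operate (TRUSTED_HOSTS) and uses only Python’s standard library.

```python
import re
from email import message_from_string

# Hypothetical: hostnames of the mail servers we (or our provider) operate.
TRUSTED_HOSTS = {"mail.example-corp.com", "mx2.example-provider.net"}

# Constructed sample message, as received when a user "forwards as attachment".
RAW_EMAIL = """Received: from mx2.example-provider.net (mx2.example-provider.net [203.0.113.10])
\tby mail.example-corp.com with ESMTPS id abc123; Thu, 2 Mar 2023 09:14:22 -0800
Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.7])
\tby mx2.example-provider.net with ESMTP; Thu, 2 Mar 2023 09:14:20 -0800
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.bulk-sender.example with SMTP; Thu, 2 Mar 2023 09:14:19 -0800
From: "Accounts Payable" <invoices@trusted-bank.example>
Return-Path: <bounce-9f2@relay.bulk-sender.example>

Please open the attached invoice.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+([^\s;]+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(raw):
    """Hops newest-first: (from_host, from_ip, by_host) for each Received: line."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        hop = HOP_RE.search(flat)
        ip = IP_RE.search(flat)
        if hop:
            hops.append((hop.group(1), ip.group(1) if ip else None, hop.group(2)))
    return hops

def trace_origin(raw, trusted_hosts=TRUSTED_HOSTS):
    """Only lines our own servers added are reliable; lower hops are the sender's claim."""
    hops = parse_received(raw)
    verified_ip = None
    for _, ip, by_host in hops:
        if by_host not in trusted_hosts:
            break
        verified_ip = ip  # IP that actually connected to our last trusted server
    return {"verified_sender_ip": verified_ip,
            "claimed_origin_ip": hops[-1][1] if hops else None,
            "hop_count": len(hops)}

def return_path_mismatch(raw):
    """True when the bounce domain differs from the displayed From: domain."""
    msg = message_from_string(raw)
    domain = lambda name: (msg.get(name) or "").rsplit("@", 1)[-1].strip("> ").lower()
    return domain("From") != domain("Return-Path")
```

For the sample, the IP our provider actually saw connect is 198.51.100.7, while the bottom line claiming 192.0.2.55 was written by the sender’s own relay and is only as trustworthy as they are.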
Miseducation when it comes to hacks, social engineering, and spam can be costly — both by being too concerned about the non-attacks, and too trusting of real attacks. Educating employees on the differences between these kinds of hacks, and what to look out for, is one of the best ways to empower them. After all, security is a team effort.
Contact JNT Tek for ways to educate and train your staff on scam detection and prevention.