Phishing scams have been around for a long time. Just when you think that you have figured out the difference between a phishing email and the real thing, the spammers go in a new direction with trickier and harder-to-discern cons.
But now they may have stumbled on the ultimate scam to trick users into clicking on links or opening malicious attachments. According to new FireEye research, a phishing technique growing in popularity is the impersonation of IT staff. As ZDNet reported:
Social engineering, phishing campaigns and the impersonation of legitimate IT personnel are also on the rise. The security firm says that through 2014, FireEye observed hackers impersonating IT staff in 78 percent of phishing schemes directed at companies, in comparison to just 44 percent in the previous year.
It’s a brilliant turn in social engineering, if you think about it. It’s a lot easier to hit the delete button on email that appears to be from a package delivery service if you didn’t order anything or from PayPal or Facebook if you don’t have an account with those sites. But an email that looks like it is coming from the IT department? That’s a lot harder to ignore, especially if the email covers a legitimate area of concern with the business.
There is certainly enough advice available to help people figure out if an email is real or phishing, but frankly, being told that the IRS won’t contact you via email or that you should never reveal your PIN or password to a company doesn’t do much good when that email looks like it is coming from the team who handles your network. Depending on the size or configuration of the company, an employee may only know the IT staff through email contact.
So what can you do to keep from being a victim of this clever social engineering scheme? It’s simple – don’t click on anything or take any action you think is suspicious without verifying the source of the message. If you aren’t sure, contact the IT department to confirm that the message actually originated from their office. No one is going to be upset by simple verification, and the IT staff will appreciate either being alerted to the situation or your help in preventing a potential data breach or malware infection.
The FireEye research had a lot of other interesting tidbits about the state of data breaches, such as how the amount of time it takes to discover a breach has decreased. (But more than 200 days is still way too long!) But the report of how social engineering plays a role in cybersecurity breakdowns is what most interested me. We’ve come a long way in our understanding of phishing scams, but it seems we still have a long way to go.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba