A recent data breach involved a deliberate email phishing* attack on an industry organisation. The email purported to come from the chief executive and requested a copy of the membership list (names and email addresses).
At the time, the CEO was away from the office. The person who sent the phish could well have known this, as the work travel of a high-profile person is often publicly known. Because this attack was targeted, it was not easy to spot. One of the two reply addresses was unfamiliar, but the other was the CEO’s work email address, so the unfamiliar one could easily have been assumed to be their personal email address.
The request was also plausible, particularly since the information asked for was limited to names and email addresses.
The most effective way for an organisation to protect against this form of attack is to have a policy of independently verifying requests for sensitive information, using a channel other than the one the request arrived on (for example, phoning the apparent requester on a number you already hold rather than replying to the email). Since this might involve junior staff having to contact senior management to verify a request, employees need to be confident that they are expected to do so.
A basic phish can usually be spotted by moving your mouse cursor over the link without clicking it. The tooltip or status bar then shows the link’s actual destination, which in a phish usually differs from the text displayed; the difference may be just one character in the domain name. Moving the mouse cursor over the sender or reply address in the same way shows the real address behind the displayed name, and is similarly helpful when in doubt.
The basic phishing email below is an example. It should not have been addressed to “undisclosed-recipients”, as your bank knows your address and can address an email to you alone. And you can see the box that popped up when the mouse cursor was held over the link: an address of “alex-parus.ru/”, a Russian (.ru) domain, is not one a New Zealand company would plausibly use.
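The hover checks above amount to comparing what a message displays with what it actually contains. The following is an added example, not code from the original post, showing how to automate those comparisons on a saved message using only Python’s standard library. The message is constructed for illustration: its sender domains, addresses and link text are made up (only the alex-parus.ru destination is the one from the screenshot), and its Reply-To header carries two addresses, one matching the sender and one not, as in the targeted case described earlier.

```python
"""Automate the hover checks: compare what a message displays with what it contains.

Added example, not from the original post. The message below is constructed for
illustration; its sender domains, addresses and link text are made up, and the
alex-parus.ru destination is the one shown in the post's screenshot.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. Note the two Reply-To addresses: one matches the From
# domain, the other does not, as in the targeted phish described in the post.
SAMPLE_PHISH = b"""\
From: "Example Bank" <alerts@example-bank.co.nz>
Reply-To: <alerts@example-bank.co.nz>, <alerts@example-bank-secure.ru>
To: undisclosed-recipients:;
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been limited. Please visit
<a href="http://alex-parus.ru/">www.example-bank.co.nz/login</a>
within 24 hours.</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com/path' link text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def defang(url):
    """Make a URL safe to paste into a warning: http -> hxxp, '.' -> '[.]'."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE).replace(".", "[.]")


def phish_indicators(raw_message):
    """Return human-readable warnings for the tell-tale signs described in the post."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    # 1. Not addressed to you personally (empty or group-only To header).
    to_hdr = msg["To"]
    if to_hdr is None or not to_hdr.addresses:
        findings.append("Not addressed to a specific recipient: To is %r" % str(to_hdr or ""))

    # 2. A reply address whose domain differs from the claimed sender's domain.
    from_hdr = msg["From"]
    from_domain = from_hdr.addresses[0].domain.lower() if from_hdr and from_hdr.addresses else ""
    reply_hdr = msg["Reply-To"]
    for addr in (reply_hdr.addresses if reply_hdr else ()):
        if addr.domain.lower() != from_domain:
            findings.append("Reply-To %s does not match From domain %s" % (addr.addr_spec, from_domain))

    # 3. Link text that names one site while the href points somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _AnchorCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            looks_like_url = re.search(r"[\w-]+\.[a-z]{2,}", text, re.IGNORECASE)
            if looks_like_url and host_of(text) != host_of(href):
                findings.append("Link text %r actually points to %s" % (text, defang(href)))
            else:
                findings.append("Link destination: %s" % defang(href))
    return findings


if __name__ == "__main__":
    for line in phish_indicators(SAMPLE_PHISH):
        print("-", line)
```

The link destinations are printed in defanged form (hxxp, dots in brackets) so the output can be pasted into a warning to colleagues without handing them a clickable link.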
We regularly get data breach notifications and, this year, we will be sharing the lessons learned from these more regularly. If you want to know more about data breaches please check out our Data Safety Toolkit.
Three things to do when you get a phishing message
1. Report it!
Let others in your organisation know. If you have IT support people, forward them the email with a warning that it is a phishing email; they should handle the rest. In a small organisation, let everyone know, but do not forward the message itself: people have been known to click on the links in such situations “to see what happens”! You can instead paste the link as plain text (for example with the dots bracketed, so it is no longer clickable) so people can recognise it without it being live.
Report the phish to the Electronic Messaging Compliance Unit at the Department of Internal Affairs (DIA) by forwarding the email to firstname.lastname@example.org or, for a scam text message, by forwarding the TXT free of charge to the short code 7726 (SPAM).
Let the other organisation know. If the message pretended to come from an organisation, then it is helpful to let them know. It can take a little time looking on the organisation’s website (type the real web address in yourself – don’t click on that link in the phishing email!) to find where to report the spam. Netsafe have listed the common New Zealand bank reporting addresses here.
2. Delete it!
3. Get help!
If you responded to the phishing email with personal information, contact us using this form or phone us on 0800 803 909 (Monday to Friday, 10am to 3pm).
You may want to seek help in handling enquiries by affected people. IDCARE is a sponsored support service. Contact them on 0800 201 415 or email@example.com.
You should still report it as above. DIA may pass on your report to the Police, Netsafe or MBIE (Consumer Affairs) for further help.
* Phishing is a term coined, by analogy with fishing, for email scams in which the email is the “bait” and a link is the “hook”. It is a form of social engineering that was previously done by letter or in person, but can be done far more prolifically by email. Phishing emails are generally sent out to a lot of people in the hope that a few will respond.
Image credit: Flying Phish by Chris Slane.