Phishing - How to avoid being Catch of the Day
So, a member of our team decided to secretly put the Haigermeisters to the test using a trusted third party. The aim was to assess our awareness of phishing and phone social engineering to inform any required security awareness training.
Haig&Co take the bait? No chance!
Even with my knowledge of the sophisticated tricks that today's social engineers (a fancy way of saying cyber con artists) are using, I'd still have put money on us not taking the bait. So this experiment was an important wake-up call.
Phishing for detail
Armed with nothing more than our names and email addresses, the testers ran a four-phase experiment over a two-week period, consisting of the following:
Dropbox phishing
Having purchased the domain www.secure-dropbox.co.uk, the testers created a seriously legitimate-looking Dropbox login webpage with the intent of harvesting any credentials entered. Three emails were then sent, which again looked completely trustworthy, each with a link to the sign-in page where our credentials would unknowingly be harvested.
Open Source Intelligence gathering (OSINT)
The second attempt to compromise our account security was based on knowledge gathered about us using open source intelligence (OSINT) techniques.
Bullhorn CRM phishing
Stage three was the creation of a legitimate-looking Bullhorn login page (the cloud-based CRM we use here at Haig&Co) and the circulation of phishing emails, again containing a link encouraging us to input our account information.
Phone social engineering
The final phase of the experiment was a follow-up phone call designed to build trust in the fake Bullhorn email sent the previous day. Security questions were used to once again give the impression of complete legitimacy.
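Both credential-harvesting phases relied on links to lookalike domains: one containing the brand name "dropbox" but not hosted on dropbox.com, and one imitating the Bullhorn login page. The check below is an added example, not code from the post or from the testing company. It scans an email body for links whose hostname mentions a trusted brand but is not on that brand's registered domain; the Bullhorn domain, the bullhorn-signin.example and dr0pbox hosts, and the sample email are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Brands whose login pages were imitated, mapped to the registered domains
# that are genuinely allowed to host them. The Bullhorn entry is an assumption
# made for this example, not a value taken from the post.
TRUSTED_BRANDS = {
    "dropbox": {"dropbox.com"},
    "bullhorn": {"bullhorn.com"},  # assumed for illustration
}

# Digits commonly substituted for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def hostname_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    parsed = urlparse(url.rstrip(".,;:)"))
    return (parsed.hostname or "").lower().rstrip(".")


def is_on_domain(host, domain):
    """True when host is the registered domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_host(host):
    """Return (brand, verdict) where verdict is 'genuine', 'lookalike' or 'unrelated'.

    A host is a lookalike when its (homoglyph-normalised) name mentions a trusted
    brand, such as www.secure-dropbox.co.uk, but is not on that brand's domain.
    """
    normalised = host.translate(HOMOGLYPHS)
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in normalised:
            if any(is_on_domain(host, d) for d in domains):
                return brand, "genuine"
            return brand, "lookalike"
    return None, "unrelated"


def flag_suspicious_links(email_body):
    """Return the links in email_body that point at brand lookalike hosts."""
    findings = []
    for url in URL_RE.findall(email_body):
        host = hostname_of(url)
        brand, verdict = classify_host(host)
        if verdict == "lookalike":
            findings.append({"url": url, "host": host, "brand": brand})
    return findings


# Constructed sample email for the example; the lookalike domain in the first
# link is the one named in the post, the others are made up.
SAMPLE_EMAIL = """Hi team,
Please re-verify your account at https://www.secure-dropbox.co.uk/login today.
Our shared folder is still at https://www.dropbox.com/home if you need it.
CRM users: sign in via https://bullhorn-signin.example/auth to keep access.
Unrelated: https://www.example.org/newsletter
"""

if __name__ == "__main__":
    for hit in flag_suspicious_links(SAMPLE_EMAIL):
        print(f"lookalike of {hit['brand']}: {hit['host']} ({hit['url']})")
```

Run against the constructed email above, the checker reports the secure-dropbox.co.uk and bullhorn-signin.example links and leaves the genuine dropbox.com link and the unrelated newsletter link alone. A real mail filter would also resolve shortened URLs and compare against a maintained brand list, but the registered-domain test is the core of it.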
Which bait got us biting?
The first two phases of the experiment hooked nothing but, thanks to their persistence, our undercover phishers did end up netting a catch. The Bullhorn email looked so genuine that Haigermeisters were convinced to either click on the link or open the email but nobody actually entered their login details. It was the phone call that clinched it for our cyber detectives. Such was the professionalism of the questioning and information shared that, despite initial resistance, enough trust was developed to encourage the input of login details.
What was the catch?
As well as access to our CRM system, the big win for our fake phishers was the fact that the login information shared was the same for other online accounts, including Dropbox, Google Docs and LinkedIn. Having reeled in this precious username and password, our undercover cyber detectives were able to access sensitive information about Haig&Co and its employees.
Changing passwords and phone phishing
In a world overflowing with passwords, codes and PINs, we know that adding to the login list is a bit of a pain. But following password best practice (no more using the same login information for multiple accounts) is something we must all do. Failure to do so poses a huge risk to our company and individual security and, as the technology continues to improve, this is only set to increase. Following our secret experiment we will also be reviewing training around phone phishing (the point at which they hooked us in).
How's your Cyber Security awareness?
Cyber Security is not, as we've said before, a new kid on the block. But in this ever-changing world of online fraud, clever technology and increasingly devious approaches we must keep up to speed and make sure that everyone in our business is fully aware. Not just the IT department.
So, we encourage you to join us in testing your own Cyber Security. Bring in experts to carry out penetration tests like this to assess the training needs for your business and protect you from risk.
If this had been a genuine attack, Haig&Co would sadly have been the catch of the day!
We would love to hear what you are doing to protect your business and its staff from cyber attacks.
Thanks for reading & here's to beating the fraudsters.
P.S. If you are interested in the world of Cyber Security and would be interested in attending our round-table event in May please email me at firstname.lastname@example.org and we'll be in touch.
Business Partner - Cyber Security Practice