Morgan Stanley CEO James Gorman has joined a new club along with the CEOs of Goldman Sachs, Barclays and Citigroup. Each has fallen victim to an email prankster who, posing as a colleague or friend, sent email messages to them and tricked them into responding. Luckily no money or data was stolen. These banks spend millions on cybersecurity yet the weakest link is still the human factor.
It’s easy to push “send” on a reply email, text or instant message, especially when the note appears to be from a trusted source. It is easy for someone to spoof (fake) the sender address to trick you into believing the message was from a trusted source…and even have your reply routed to the imposter so that they can engage in a back-and-forth message string all the while posing as your friend. It is easy for someone to alter an Outlook Read Receipt to make it appear an email sent to you was read by you at a point in time. [Watch this video to see how easy it is to alter an Outlook Read Receipt]
It is trivial to do these things, not only in email, but with text messages and other messaging apps. For example, “phishing” attacks don’t just happen via email. Criminals use text messages to trick consumers into providing personal information. These so-called “smishing” scams typically appear as urgent requests for information from your bank or credit card company, or from someone you know and trust. Smishing uses simple texts as well as popular messaging apps to request confidential data. These work because it’s easy to quickly text a response or open a link without checking the source.
How can you protect yourself from the urge to email or text without validating the source? There is not one solution.
Over the next several weeks, we will use short how-to videos to show you how simple it is for these Internet criminals to trick you, and we will share some fun stories of successful pranksters, with the aim of raising awareness of how important, and how challenging, it is to secure the “human factor”.
Let’s start with three quick tips for securing the human factor:
1. To alert you of certain types of imposter email tricks (email phishing), we recommend RMail anti-whaling technology that runs within Microsoft Outlook and alerts you when an email comes from an imposter trying to lure you into transferring money to the imposter account posing as a legitimate friend, supplier, partner or vendor.
2. When you receive an information request via text or messaging app, insist on replying using email, and emailing to an address that you can verify. The text message, although appearing to be from a telephone number you recognize (with perhaps a corresponding name in your phone address book that will make your friend’s name display) may not be from that person.
[Have you received marketing calls on your mobile phone from a number that looks similar to your own phone number? These are likely spoofed robocalls where a marketer or criminal falsifies the caller ID so that it appears to be coming from your own area code and location – often the first six digits in the telephone number will match yours. This is intended to lower your guard and lure you into responding. One Miami man is now facing a $120 Million fine from the FCC after he allegedly made 96 million automated calls using this trick.]
3. When sending email with sensitive information, passwords, credit card information, and other confidential information, avoid the urge to simply enter the information into an unsecured text message, email or messaging app — consider using Registered Email™ secure email that can run inside your Outlook or Gmail, to send the message.
[Banks have started prohibiting the use of texting and messaging apps, citing security concerns. In March, an investment banker at Jefferies Group in London was forced to resign and was fined almost $50,000 after he shared confidential client information using a messaging app. Deutsche Bank now prohibits employees from texting and using WhatsApp. Other banks are likely to adopt this rule.]
The easiest way to send messages securely is to stick to email and use RMail® Registered Email™ services. Messages can be sent with encryption and can stay encrypted even after they reach the recipient’s inbox, requiring a password if the sender selects this option. Messages can be sent from a desktop, laptop or mobile device.
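The sender-spoofing and reply-rerouting trick described earlier, and the imposter alerting that the first tip talks about, both come down to looking at a few mail headers before anyone hits “reply”. The following is an added example, not RMail’s code or anything from the original post: it uses only Python’s standard library to parse RFC 5322 headers and flag (1) a Reply-To address on a different domain than the From address, (2) a display name that matches a known contact but uses an outside address, and (3) a From domain that merely resembles a trusted domain. The contact list, trusted domain and all sample messages are constructed for illustration, and the lookalike heuristic is a deliberately simple hypothetical one.

```python
"""Header checks for reply-trap and display-name spoofing (added example).

Not RMail's product code. Parses RFC 5322 headers with the standard library
and reports the signals an imposter email tends to carry. All data below is
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed address book: display name -> the address the recipient trusts.
KNOWN_CONTACTS = {
    "Pat Treasurer": "pat.treasurer@example-bank.com",
}
# Constructed set of domains the recipient considers trusted.
TRUSTED_DOMAINS = {"example-bank.com"}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike(domain: str, trusted) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, else None.

    Hypothetical heuristic: flag a domain that is one character substitution,
    insertion or deletion away from a trusted domain (e.g. 'examp1e-bank.com').
    """
    if domain in trusted:
        return None
    for t in trusted:
        if len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1:
            return t
        if abs(len(domain) - len(t)) == 1:
            short, long_ = sorted((domain, t), key=len)
            for i in range(len(long_)):
                if long_[:i] + long_[i + 1:] == short:
                    return t
    return None


def check_headers(raw: str) -> list:
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # 1. Reply goes somewhere other than where the mail claims to come from.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(
            f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")
    # 2. Familiar name, unfamiliar address.
    known = KNOWN_CONTACTS.get(from_name.strip())
    if known and known.lower() != from_addr.lower():
        findings.append(
            f"display name '{from_name}' is a known contact but address is {from_addr}")
    # 3. Domain that looks like a trusted one but is not.
    imitated = lookalike(from_dom, TRUSTED_DOMAINS)
    if imitated:
        findings.append(f"From domain {from_dom} resembles trusted domain {imitated}")
    return findings


# Constructed sample messages: legitimate, reply-trap, and lookalike domain.
LEGIT = ("From: Pat Treasurer <pat.treasurer@example-bank.com>\n"
         "Subject: lunch\n\nStill on for noon?\n")
REPLY_TRAP = ("From: Pat Treasurer <pat.treasurer@example-bank.com>\n"
              "Reply-To: Pat Treasurer <p.treasurer@mail-example.net>\n"
              "Subject: quick favour\n\nCan you reply here, I am travelling.\n")
LOOKALIKE = ("From: Pat Treasurer <pat.treasurer@examp1e-bank.com>\n"
             "Subject: updated account details\n\nSee attached.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("reply-trap", REPLY_TRAP), ("lookalike", LOOKALIKE)):
        print(label, "->", check_headers(raw) or ["no findings"])
```

Run stand-alone it prints no findings for the legitimate message, one finding for the reply-trap (the Reply-To domain), and two for the lookalike (unknown address for a known name, plus the near-match domain). In a real deployment the contact list would come from the user’s address book and the trusted-domain set from the organisation, and a hit should surface as a warning banner in the mail client rather than silently blocking the message.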