Put protection from spam and phishing on your list of 2015 resolutions

John Gunn, December 31, 2014

Spam does not really need an introduction. Everyone knows those unwanted e-mails and everyone hates them. The phishing phenomenon, though, might need a few words.
Undoubtedly you and your employees have already been the luckiest people on earth inheriting an enormous amount of money from your long lost Nigerian uncle who has, unfortunately, passed away. You only have to cover some minor transaction costs in order to receive the big bag of cash. The only difference between you and every other internet user in the world is the amount of time needed to realize you were targeted as a phishing victim. Ever since then, you have developed a sense of awareness and the conviction that they will never fool you. Or will they…?
We are right at the end of 2014 and while we get ready for the New Year’s Eve partying, we are seeing the typical rise of spam and phishing attempts.

Safety first

Prevention is better than cure. A few simple measures will drastically decrease your vulnerability and increase security. Communicate these measures to your employees, as they will help them as well as yourself (you will have fewer security issues to resolve in your business administration).

  1. Attachments
    An e-mail containing an attachment should, by default, immediately ring alarm bells, even when it seems to come from a known sender. Today’s cyber criminals know their way around a wide range of viruses and hacking tools, and an e-mail that seems to come from one of your close friends may still be a scam. Ask yourself whether it is likely that this person would send you something like this; any odd content might indicate fraud. The rule is even simpler when you do not recognize the sender: do not open any attachments and do not click any links.
    Also be careful with preview functions (such as MS Outlook’s) in e-mail programs. They open the attachment just as a click would and can expose you to the same threats.
  2. Financial and personal information
    E-mails asking you for financial and/or personal information of any kind are very suspicious and should be treated as such. It is important to realize, and to remember, that banks and other financial institutions will never ask you to send financial information by e-mail.
  3. PINs, passwords & other access codes
    The same goes for providing PINs, passwords and other access codes when replying to e-mails you might receive. You simply should never e-mail this kind of data.
  4. Unsubscribe is not always the way to go
    Just open your spam folder and you will see it is full of messages that do not concern, let alone interest, you. A lot of these seem to be newsletters you cannot even remotely remember having subscribed to. Well, you probably did not. Unsubscribing seems like the logical step to take, but it is not always the proper one. Clicking the ‘unsubscribe’ button will inform the malicious party that your e-mail address is valid and active, which often leads to even more spam.
    These unsubscribe pages are sometimes used for drive-by downloads of malicious software. So you can stop wondering where all the spyware on your computer comes from.
  5. Read between the lines
    Very often, a phishing attempt is easily detectable because of the content. When the text strongly urges you to click a specific link or open an attached document, you are probably being targeted. This approach is very typical for phishing messages as it is a way to directly attack your computer. Again, content that does not seem relevant to you probably is not. Airline tickets you did not book, documents you did not scan, delivery tracking links when you did not order anything, they all indicate something is wrong. Be smart, be alert.

[Image: Facebook password change]

Lured into LinkedIn

A year ago, the Belgian (partly governmental) communication enterprise Belgacom suffered a phishing attack by Britain’s GCHQ intelligence service. The GCHQ used fake LinkedIn profiles of Belgacom employees. Employees would log in to a spoof website containing malware, which offered the spies an entrance into the Belgacom internal network. This phishing attack created political tension in the European Union and led to a Belgian investigation.

Better safe than sorry

Apart from making your employees aware through basic tips on how to avoid phishing attacks, we would like to point out a series of tools that render even a successful phishing attempt useless to the attacker. If you want to both feel and be safe, these are your options:

  1. Use strong authentication against phishing
    Stopping phishing attempts altogether is impossible, but VASCO’s DIGIPASS makes them ineffective using three major forms of strong two-factor authentication. Dynamic one-time passwords (User Authentication) cannot be reused if they are captured during a phishing attack. Host Authentication is a mechanism that verifies the authenticity of a website, while Transaction Authentication uses an e-signature that verifies the authenticity of a transaction or document. These e-signatures are starting to find their way into political environments as well: in Belgium, King Filip I might soon be e-signing Royal orders.
  2. Tackle the man in the middle
    In a man-in-the-middle (MITM) attack, a third party C intercepts and alters the messages exchanged between persons A and B. When such an attack takes place, user authentication alone is not enough to verify the authenticity of a transaction, because all traffic and communications pass through a spoofed website controlled by the attacker, who can change the transaction details after the user has authenticated.
    To counter this, VASCO uses the account number, transaction amount and timestamp to generate an Electronic Signature that is unique to each transaction, so a signature captured for one transaction cannot be reused for an altered one.
  3. Go for maximum security
    For maximum security, it is best to use a secure communication channel, which ensures the sender of a message is absolutely certain the only party to receive and read that message is the one intended. The receiver will know for certain the message came from a trustworthy sender. This is made possible by CrontoSign technology and uses encrypted QR codes. Who said QR codes are history?
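To make the difference between user authentication and transaction authentication concrete, here is an added illustration (not VASCO's or OneSpan's code, and not how DIGIPASS is implemented internally). It assumes a signing device and the bank share a secret, derives a short code with HMAC-SHA256 and HOTP-style truncation, and shows that a code bound to account, amount and timestamp no longer verifies once a man in the middle rewrites the beneficiary, whereas a time-only one-time password would be accepted for either transaction.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the user's signing device and the bank.
DEVICE_SECRET = b"demo-device-secret-not-a-real-key"


def truncate_to_digits(mac: bytes, digits: int = 8) -> str:
    """Reduce a MAC to a short numeric code, in the style of HOTP (RFC 4226) truncation."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def user_otp(secret: bytes, time_step: int) -> str:
    """User authentication only: the code depends on time, not on what is being approved."""
    return truncate_to_digits(hmac.new(secret, struct.pack(">Q", time_step), hashlib.sha256).digest())


def transaction_signature(secret: bytes, account: str, amount_cents: int, timestamp: int) -> str:
    """Transaction authentication: the code is derived from the transaction details themselves."""
    message = f"{account}|{amount_cents}|{timestamp}".encode()
    return truncate_to_digits(hmac.new(secret, message, hashlib.sha256).digest())


def bank_accepts_signed(secret: bytes, account: str, amount_cents: int, timestamp: int, code: str) -> bool:
    """The bank recomputes the signature over the details it is asked to execute."""
    return hmac.compare_digest(transaction_signature(secret, account, amount_cents, timestamp), code)


def bank_accepts_otp_only(secret: bytes, time_step: int, code: str) -> bool:
    """A bank checking only the OTP cannot tell which transaction the user meant to approve."""
    return hmac.compare_digest(user_otp(secret, time_step), code)


def mitm_scenario() -> dict:
    """Replay the captured code against the transaction the user saw and against a tampered one."""
    ts = 1419984000  # constructed timestamp (2014-12-31)
    legit = ("BE00 0000 0000 0000", 10_000, ts)      # constructed: what the user approved
    tampered = ("BE99 9999 9999 9999", 10_000, ts)   # constructed: beneficiary swapped by the MITM
    signed_code = transaction_signature(DEVICE_SECRET, *legit)
    otp_code = user_otp(DEVICE_SECRET, ts // 30)
    return {
        "signed_legit_accepted": bank_accepts_signed(DEVICE_SECRET, *legit, signed_code),
        "signed_tampered_accepted": bank_accepts_signed(DEVICE_SECRET, *tampered, signed_code),
        # The OTP check never sees the account number, so the altered transfer passes.
        "otp_only_tampered_accepted": bank_accepts_otp_only(DEVICE_SECRET, ts // 30, otp_code),
    }
```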

Protect your own

When it comes to phishing, there is one thing you absolutely want to avoid: cyber criminals using the name of your brand to gain the confidence of your clients. Unfortunately, it is very hard to prevent such practices. The least you can and should do is, first of all, to keep an eye on complaints and take them seriously.
Let us assume that your business is a bank. Once you realize there is a problem, make sure you communicate openly with your clients and contact them. Inform them there is a malicious party using your bank logo and layout for criminal activities and tell them exactly which e-mail or form not to trust and delete. Tell your clients you will take legal action. Doing so, you will prevent most trouble and will show your clients that you, as a bank, are on top of things and prioritize their security. You will see that this is very much appreciated.

John Gunn is OneSpan’s CMO and brings two decades of leadership experience in the IT security and software segments. Before joining OneSpan, John led the Security Solutions Group at Harland Clarke where he launched a popular SaaS consumer identity protection and anti-fraud solution.