Thursday 26 September 2019 5:50 am

Gone phishing: How easy is it to fall for a fake email?

Luke is a former City AM features writer, now features editor for Tyto PR

Some time ago, I received an odd email allegedly from Google, saying that it had received a request to delete my Gmail account.

According to the message, I had just 48 hours to cancel the request. All I had to do was click on a link and enter my account details.

I had not made such a request, but before clicking on the link I checked online to see if this was legitimate.

Of course, it was not. This was a classic phishing email designed to trick me into giving away my personal details. I deleted the message, blocked the sender, and 48 hours later my account remained miraculously intact. 

Phishing emails are a major concern in cyber security. Some, like that message, are intended to trick the recipient into revealing sensitive information, while others are used to install malware onto someone’s device – sometimes without their knowledge – or can even lead to a ransomware attack, where the user is locked out of their system unless they fork over cash to the perpetrator.

Some readers may wonder who would fall for such a scam and actually click on a suspicious link. But it’s easier than you think. 

In fact, even experts can make mistakes. At least, that’s what happened to Martin Lee, outreach manager for cyber security research and intelligence group Cisco Talos. 

Lee, who has over 15 years of experience in identifying and understanding online threats, holds his hand up to falling for a phishing email.

“I started my career writing spam filters for email accounts. I know every single trick used in a malicious email and how to spot it. It’s my job to look for these things – and I fell for one,” he admits. “It was incredibly embarrassing, but it was also incredibly informative. In my defence, as I’d like to say, it wasn’t my fault.”

Lee explains that he sent an email to his company’s HR department asking about expenses. He received a response saying that someone would get back to him in a few days’ time. Shortly after, another email came through with a subject line about tax information.

“It said ‘here is the information regarding tax that you requested, please click here’,” he recalls. “And I’m thinking, ‘I know what this is’. This wasn’t an unexpected email to me. I was like ‘yep, that’s the response to my query on expenses’, and so I clicked.”

Lee says that this is a common way for phishing emails to succeed. The people sending them are effectively playing a numbers game, using innocuous subject lines to dupe recipients, hoping that if they send out enough messages, someone will associate it with something legitimate and make a mistake.

“You feel like a complete fool, but this is the way the attacks work. A lot of the time, it’s just a coincidence – if you send out a million emails along the lines of ‘we were unable to deliver your package’, there is someone along the line who was actually expecting a package. They will see that message, and click on it.”

So what happened when he clicked on the seemingly innocent email from HR? Thankfully, it turns out that rather than a malicious actor, the culprit behind the email was Cisco itself.

“Our own security office conducts phishing and sends fake phish. It took me through to this mandatory re-education page, basically saying ‘Martin Lee, please don’t be so stupid, and watch this video about falling for phishing attacks before you get access to the network again’.”

The business world clearly recognises the threat from cyber crime, knowing that an attack happening is a matter of when, not if, and so is investing millions into defence. 

Many organisations will have front-end protections, such as spam filters and firewalls. But additional layers of security are needed. These could include website filtering, so if someone clicks on a suspect link, the malicious page it leads to is blocked. There are also tools such as multi-factor authentication, which can stop someone who has stolen a username and password from actually logging onto a system.

But while businesses are quick to turn to technology for answers, they must not forget the human element of cyber security. Sending out fake phish is a good way to raise staff awareness – although it may not be enough.

“Yes, we have filters that can detect phishing and spam emails coming through. These filters are incredibly effective. Will they always stop every single phishing email? No. There’s always going to be some which come through. We can have awareness campaigns so people can spot these emails. Is that going to work in every case all of the time? No,” explains Lee.

“We need to think about all these different levels of protection, how might they fail, what are people likely to do just because they’re human, and how can we enable people to do their jobs and take advantage of technology, but at the same time keep them safe.”

The important thing for businesses to realise is that, even with the best technology and plenty of awareness, some cyber attacks will succeed. That’s because – as Lee’s personal experience shows – humans make mistakes. All it takes is a moment of inattention or distraction to fall for a fake message. Businesses need to be prepared for that.

“In the security world, we have to recognise how people work. Human failure is part of being human. And so what we try and do is help humans fail safely,” he says.

Main image credit: Getty.