School Daze: Clever Phishing Emails Target Educational Organizations

By Eric Howes, KnowBe4 Principal Lab Researcher.

It will surprise few people to learn that during our daily review of suspicious emails forwarded to us by users of the Phish Alert Button (PAB) we routinely see a large number of phishing emails targeted at employees of financial organizations -- banks, credit unions, and other organizations whose business it is to manage financial assets. But malicious actors are happy to take advantage of any organization whose user accounts and networks can be compromised and leveraged for financial gain.

Over the past month we have observed the growth of a cleverly crafted phishing campaign aimed at employees of public school districts and small colleges, including community colleges. In this campaign the bad guys flood educational organizations with emails purporting to be from a senior figure. These malicious emails typically announce new policies governing employee conduct or a renewed focus in the organization on proper, ethical professional behavior.

Here's a fairly routine example of one such malicious email:


A couple of things to note about this email.

  • First, it is directly targeted at employees of a specifically named community college.
  • Second, although not visible in the screenshot above, the email spoofs the President of this community college -- a senior figure surely familiar to most employees, if only because they are used to receiving similar organization-wide emails from that person on just this sort of topic matter.
  • Third, also not visible in that screenshot are the graphics used to establish the authority of the email -- namely, the institution's logo and school mascot.

Clearly, the bad guys prosecuting this campaign have done their research and taken the time to craft appropriately officious emails cleverly designed to trade on the authority of the senior organizational figure being spoofed. Although using a differently worded email body, this next email, targeted at employees of a public school district, employs a very similar social engineering strategy:


Note the slightly stilted, yet authentically bureaucratic language that one would expect in such an email -- language that leads us to believe that the half-dozen or so email bodies used in this phishing campaign have been obtained from real emails harvested by the bad guys from previously compromised email accounts. Subject lines vary, but usually rely on a core set of words and ideas:

  • codes of conduct
  • ethical standards
  • professional guidelines
  • proper workplace behavior
  • rules governing conflicts of interest

Again, employees working within educational organizations -- especially publicly funded institutions -- will be familiar and experienced with regular discussions of these topics.

These malicious emails deliver attachments -- both Word docs and PDF documents...

...that require users to click through to slickly designed external web pages inviting them to cough up their login credentials:


Users gullible enough to hand their credentials over to the bad guys may not even notice anything is amiss, as submission of a username and password whisks users to a web page on their organization's own web site specifically chosen to reinforce the authenticity of the social engineering scheme.


That web page, it's worth noting, is most certainly NOT password-protected and can be accessed by any member of the public visiting the organization's web site.
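The traits described above (conduct-themed subject lines, a spoofed senior figure, Word or PDF attachments) can be turned into a triage check for reported mail. The sketch below is an added example, not KnowBe4 code; the organization domain, the senior figure's name and the sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for illustration: the organization's domain and senior figures.
ORG_DOMAIN = "college.example"
SENIOR_NAMES = {"pat rivera"}
# Subject themes the article lists for this campaign.
THEMES = re.compile(
    r"codes? of conduct|ethic(s|al)|professional guideline|"
    r"workplace behaviou?r|conflicts? of interest", re.I)
DOC_TYPES = {
    "application/pdf", "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document"}

def triage(raw):
    """Return the list of campaign traits found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    if THEMES.search(str(msg.get("Subject", ""))):
        hits.append("conduct-themed subject")
    # Display name of a known senior figure, but the address is not ours.
    if name.strip().lower() in SENIOR_NAMES and domain != ORG_DOMAIN:
        hits.append("senior figure name from external domain")
    if any(p.get_content_type() in DOC_TYPES for p in msg.iter_attachments()):
        hits.append("Word/PDF attachment")
    return hits

# Constructed sample message (not taken from the campaign).
SAMPLE_PHISH = """\
From: Pat Rivera <president@mail-notice.example>
Subject: Updated Employee Code of Conduct
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached policy.
--b1
Content-Type: application/pdf; name="policy.pdf"
Content-Disposition: attachment; filename="policy.pdf"

%PDF-placeholder
--b1--
"""
print(triage(SAMPLE_PHISH))
```

A message that forges the organization's own domain in the From header will not trip the display-name check, so this kind of scoring belongs alongside SPF, DKIM and DMARC results rather than in place of them.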

Once inside an organization, malicious actors can wreak all kinds of mayhem (think ransomware). They may also elect to play a longer game by sticking to the shadows, quietly exploiting the organization's computer resources (think processor-intensive crypto-mining bots or sophisticated backdoor trojans used to harvest confidential data and gain access to financial tools).

If your organization's business lies outside the financial industry, you shouldn't think for a minute that it is safe from professional-grade phishing campaigns. Malicious actors have developed a wide repertoire of fraudulent schemes and tools to exploit even "boring" industries like education. Make sure that your employees are equipped not only with a healthy understanding of your organization's professional code of conduct, but also with the critical skills necessary to spot malicious emails and shut down a potential breach of your organization when the bad guys come knocking.

Do your users know what to do when they receive a suspicious email?

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning?


KnowBe4’s Phish Alert Button now also works with Outlook Mobile for iOS and Android. This enables your users to report suspicious emails not only from their computer but from their mobile inbox as well.

(If you’re running Office 365 and want to give your end-users the ability to report suspicious emails from their mobile inbox, you can enable the official Outlook Mobile app for iOS or Android directly from the KnowBe4 console.)

The Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. All with just one click!

Best of all, there is no charge!

  • Reinforces your organization's security culture
  • Incident Response gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user's inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)

This is a great way to better manage the problem of social engineering. Compliments of KnowBe4!
