Threatening staff with dismissal for clicking on phishing emails that infect corporate systems with malware is a big mistake, a leading security expert has warned.
Raj Samani, chief technology officer for Europe, Middle East and Africa (Emea) at Intel Security, said the widespread practice of making falling for email scams a sackable offence in City firms is simply bad for security.
In an interview with Computer Weekly, Samani said hackers, private detectives and criminals use sophisticated psychological techniques, designed to bypass the conscious mind, so that otherwise sensible people click on malware.
The malware is often hidden in an email targeted to a specific victim – a technique known as spear phishing.
In one notorious scam that still attracts multiple victims, hackers pose as the victim’s chief executive officer by sending a convincing email to a victim in the finance department, asking for an immediate transfer of cash to complete a business deal.
The scam works because of the urgency of the email, and the tendency of people to comply with requests from people in authority, coupled with the risk that an employee might damage their career if they don’t comply, said Samani.
But creating a blanket policy – as many City firms do – that anyone who clicks on a phishing email and introduces malware into the organisation will be at risk of instant dismissal, creates a cover-up culture that can weaken security, he said.
“The de facto mechanism for most attacks is some degree of spear phishing”
Raj Samani, Intel Security
People need to feel they can report potential incidents to IT security without risking their careers, and each case should be investigated on its own merits, he said.
“What was the email that person clicked on? How sophisticated was it? If it’s the first time he has ever done it, we will do some training. Or maybe it’s the fifth time he has done it this week,” said Samani.
Most hacking and electronic fraud cases rely on stressed or busy employees clicking on links to malware, often in plausible-looking emails that appear to come from colleagues or managers – a technique known as social engineering.
And it is surprisingly easy for fraudsters to concoct highly convincing emails by monitoring the victim’s social media accounts and checking publicly available information about the target company.
In one exercise, Samani was able to convince a senior employee to click on a fake link by sending him an email about his daughter, purporting to come from another parent at school congratulating her success in a soccer match.
“We knew his daughter played football, we knew the score, it was all on Facebook,” said Samani. “We constructed an email to make it appear to be from the same team. We said: ‘I have attached photos, one of which is your child scoring the winning goal’. It was very elaborate.”
Once a hacking group has tricked an employee into downloading malware onto one machine, they will typically use it to gain administrator rights, which will allow them access to other, more sensitive, machines in the organisation.
Six psychological tricks
Researchers have identified six psychological levers that hackers and fraudsters use to bypass the normal psychological alarms that alert people to suspicious emails.
One of the most common is “reciprocation”, an apparent act of helpfulness by the attacker that encourages people to help them out in return.
For example, con artists are able to build up credible personal references on LinkedIn by offering recommendations to other people in the knowledge that most people will give them a LinkedIn reference in return.
HR departments often make the mistake of assuming that candidates will excel if they have a large number of recommendations, but rarely take the trouble to check whether their LinkedIn profiles are part of a mutual appreciation society.
Samani said he once turned down a job offer from someone who approached him after reading his LinkedIn profile because the recruiter had not carried out any independent checks on its authenticity.
“You have an employee who comes in, and you want to check if are they any good,” he said. “The first thing you do is check them out on LinkedIn. You see they have 300 recommendations, and you think I am going to hire them, but they may have used reciprocation.”
Another classic phishing technique is known as liking. In this case, tricksters take time to research who the victim’s close friends are and use that as leverage.
“I send you an email, it’s an urgent email from your friend Warwick, saying ‘I am overseas and my phone and wallet have been stolen – would you mind sending me £100’,” said Samani.
Creating a sense of urgency or scarcity is another favoured tactic. Recently, for example, fraudsters have been sending out emails containing an urgent invoice, or realistic emails from banks urging people to log into their account within a certain time, or their account will be disabled.
Phish in a barrel
These techniques are enshrined in psychological tricks used by fraudsters that go back long before the internet, said Samani.
Samani himself fell victim to a fake closing-down sale, in which he thought he had bought a bargain sofa for £800, only to find three years later, when he returned to the same shop, that the closing down sale was still going on.
But the effects on organisations that fall victim to these sorts of attack on the internet can be far more devastating. For example, Samani has spoken to one employee who wired £60,000 to a fraudster after receiving an authentic-looking email from his boss.
Read more about social engineering attacks
And in October 2016, Lincolnshire and Goole Hospitals NHS Trust had to cancel almost all planned operations and outpatient appointments for four days after being hit by malware – an attack that may have put lives at risk.
“The de facto mechanism for most attacks is some degree of spear phishing,” said Samani. “Email is the most frequent entry for attacks, whether it is directed against finance, power plants, or your mum and dad. Social media using direct messaging is also common. It is the modus operandi for cyber crime.”
Crooks can buy malware and the email addresses of potential victims relatively cheaply on the internet, with 5,000 email addresses going for as little as £5.
“People talk about cyber crime and think it’s a malware issue,” he said. “But it’s not, it’s about hospitals that can’t conduct operations, it’s about libraries not being able to lend books, it’s about business not being able to operate.”
Cyber bank heists
In one of the biggest electronic heists, an international group of hackers known as the Carbanak gang stole an estimated $1bn from banks, e-payment systems and other financial institutions in 30 countries.
According to Bloomberg, the criminals infected employees’ computers with malware that spread across company networks and allowed them to conduct video surveillance of staff.
That enabled them to mimic the behaviour of employees, so they could transfer and steal money without being detected.
It has been estimated that ransomware – malicious software that encrypts files and then demands a ransom to decrypt them – costs $1bn a year, and most of it finds its target through spear phishing.
So Samani advises HR departments not to adopt a black-and-white policy of firing any employee for clicking on a malware link. Sophisticated phishing attacks are easy to fall for, and issuing threats will only encourage staff to hide the problem, rather than report it to IT.
“If you open an email and realise that ransomware that has taken down the whole organisation, are you going to put your hand up and say it was you?” he asks.
There is also a risk that threatening to fire employees could leave them open to blackmail, with hackers threatening to report the breach to their boss if they don’t comply with the fraud.
Once an attack occurs, it is still possible for companies to mitigate the damage if they are alerted in time, said Samani. “Look at the Carbanak case. They targeted employees. There were five or six different instances where they could have been stopped.
“They go from your computer to someone else [to gain access to the network], they start recording using webcams, extract information and send it around the world. You still have opportunity to identify the threat and stop it at any stage.”
Training employees in the tactics used by scamsters can help, but awareness alone is not the answer, said Samani.
“The key thing is to give people an understanding of the value of what they have,” he said. “It’s less about having someone sit in front of a PowerPoint. It’s about getting them to understand the value of information.”
Employees should feel empowered to challenge people who enter a building to show their pass, even if they claim to be very senior, he said.
Bluff your way in
In the past, Samani has managed to bluff his way into buildings during physical security tests by wearing a sharp suit and insisting he must see the CEO immediately to close a multi-million deal – even though the secretary has no knowledge of the appointment.
Technology can also help. Call centres often record scam callers as a learning exercise for call handlers, and voice stress detectors can give an early indication that something might be amiss.
“We feel almost embarrassed to challenge people,” said Samani. “But this is something we need to foster. Not a climate of fear, but a climate of empowerment.”
HR departments should feel able to talk to the IT department to find out who clicked on an email that exposed the company to malware.
Equally, they should be aware that the malware may have been designed to deliberately point the blame at someone else who was not the culprit.
“I want people to have a deeper understanding of psychological influence, and how these things are used in the digital world,” said Samani.
Raj Samani is speaking at HR Tech World on 21-22 March in London.
The psychological tricks used by hackers and spear fishers
An employee receives a call from the IT helpdesk claiming some company computers have been affected by a virus that cannot be detected by the company’s anti-virus systems. The caller talks him through security precautions before asking him to test a software utility that has just been upgraded to allow users to change passwords. The employee is reluctant to refuse because he has just received help and reciprocates by complying with the request.
A spoof email arrives from a bank containing the bank’s logos. It warns the user to provide current account information through a weblink, sayng that if they do not comply with the instructions, the account will be disabled immediately.
An attacker contacts a new employee and reminds him of the agreement to follow company security policies and procedures. After discussing a few security practices, the caller asks the user for his password “to verify compliance” with policy on choosing a difficult-to-guess password.
Targets are more likely to comply when the attacker is someone they like. For example, Bernard Madoff, the Wall Street trader convicted of running a $50bn pyramid scheme, won victims over through his charm, his command of finance and his unshakable confidence.
People tend to comply with a request that comes from a figure of authority. In the fake president fraud, attackers impersonate a company executive and call a manager or an accounts payable clerk, requesting them to execute an urgent and confidential offshore payment.
People tend to comply when others are doing the same thing. People are more likely to open an email attachment if it appears to have been opened already, with other people they know copied in on the email.