How many times do we as IT Professionals tell our users (and anyone else who stands still long enough) not to click embedded web links in their e-mail? What, maybe a billion times a year? I, like most IT Pros, have a long e-mail about IT Security covering passwords, data security, phishing attacks, and social engineering, that I send out to my users on a regular basis with the hope that seeing my reminder several times a year will help to protect my users and their families. One of the lines in my e-mail reads “…Your IT Department will never ask for your password(s) in an e-mail or over the telephone…” That’s pretty standard because IT pros know we don’t need your password. Sure, I might need a name or username so I can find your account in Active Directory or on the e-mail server to reset your password when you lock yourself out, but you called me for that. I didn’t solicit your data just out of the blue – right?
So the other day I got a call from a friend and as we were catching up on work and life, she started a story about this new e-mail protection scheme that just popped up when she was trying to send an e-mail.
“Uhh yes,” she said, “I sent an e-mail to [a co-worker] and this message came that said to fill out this information about myself so your e-mails can continue to be accepted on our servers.”
I choked on my coffee and she continued.
“I clicked on the link and it opened a browser window with a bunch of questions like what office I was in and the office phone number and my employee ID number and then some weird questions like home addresses and personal cell phone number and then it asked about my skill sets which I couldn’t understand but I answered it as best I could.”
I’m quite sure that you can imagine the horrified look on my face.
Now this friend is whip-smart. She’s got two college degrees and a handful of professional licenses and certifications, she’s very computer savvy, and she admitted that she knew better, but she followed the link because of the timing of the e-mail. She had just sent an e-mail and the phishing e-mail showed up right after, so she assumed they were related. The e-mail used the logos from her employer and was from the IT department. All of the signs pointed at a legit e-mail… except it asked for passwords and it contained an embedded link.
If you hover over a link in your e-mail with your mouse you should be able to see the real destination URL in the status bar area of your e-mail client. If you can’t see that – change e-mail clients – or look for a button or menu option that will display the “raw” or “original” message. Scan down past the headers until you find the text body and look for the link. It should look something like <a href="http://www.geof-franklin.me/">Geof Franklin’s blog page</a>. If the part right after “href” doesn’t match where you would expect to go (like maybe the e-mail is from your IT Department but the link points to a web site with a foreign domain or is just a bunch of numbers) don’t click on the link. The other method is to open a new browser window and actually type in the web address yourself – not the false one, but what it’s supposed to be. (e.g. – not that “http://188.8.131.52/hackers_steal_passwords” one but the actual URL for your bank.)
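The hover-and-compare check above can be done mechanically over the raw HTML body of a message. The script below is an added example, not something from the original post or from any e-mail client: it pulls every <a href="…"> out of an HTML body and flags links whose target is a bare IP address, whose host is outside the domain the mail claims to come from, or whose visible text shows one host while the href goes to another. The message body, the expected domain (example.com) and the 192.0.2.10 address are constructed samples for the demonstration.

```python
"""Flag links in an HTML e-mail body that deserve a second look before clicking.

Added example (not the post author's code). The sample mail body, the
expected domain "example.com" and the RFC 5737 address 192.0.2.10 below are
constructed for the demonstration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercase host of a URL ('' if none); tolerates a missing scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_ip(host):
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _in_domain(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_links(html_body, expected_domain):
    """Return a list of (href, reason) findings; an empty list means nothing odd.

    expected_domain: the domain the mail claims to come from (e.g. the employer's).
    A single link can produce more than one finding.
    """
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        if _is_ip(target):
            findings.append((href, "link points at a bare IP address"))
        elif not _in_domain(target, expected_domain):
            findings.append((href, f"link host {target!r} is outside {expected_domain!r}"))
        # Visible text that itself looks like a URL but names a different host
        shown = _host(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append((href, f"link text shows {shown!r} but href goes to {target!r}"))
    return findings


# Constructed sample body: one legitimate intranet link and two that should be flagged.
SAMPLE_MAIL = """
<p>From your IT Department:</p>
<a href="https://intranet.example.com/news">Intranet news</a>
<a href="http://192.0.2.10/update_account">Update your account</a>
<a href="http://example-com.login-portal.net/">https://mail.example.com/</a>
"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_MAIL, "example.com"):
        print(f"{href}: {reason}")
```

Run it as-is and it reports the IP-address link and, twice, the look-alike domain link (once for being outside example.com, once because its visible text points somewhere else); the intranet link passes. Treat the output as a prompt to type the address yourself, as the post suggests, rather than as a verdict.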
So my friend, now in a near panic, hung up and ran off to contact her HR and IT departments in a rapid attempt to keep her information from being used in a potential system breach. A little while later she called back to give me an update, sounding more relaxed – but also really angry. She was relieved to find out that the e-mail was actually from her IT Department, but she was furious with them for even thinking about sending it out. They didn’t warn the department managers or their users, or even post a notice on their intranet news board. (They even post messages there about the new wireless passwords… but not that they were sending a potential phishing look-alike e-mail?)
Sure, maybe it was the simplest way to collect information from their users, but it was also the stupidest. We drill it into our users (seemingly on a daily basis) not to click links in e-mails and that we will not ask for passwords in e-mails. So what were they thinking? When she asked them that very question their response was “Gee… I dunno.” And these people are responsible for the IT Security of almost thirty-thousand user accounts. – sigh.
We can’t expect our users to follow our instructions if we don’t follow the instructions ourselves.
~Geof “Hey click this link and send me all your money” Franklin