October 31, 2017

When a Phish Catches a Shark

It happens – and if it hasn’t happened to you it probably will.

I wanted to share a recent experience with you all hoping it will reinforce the diligence required in email communication. Because again, if you haven’t been phished, you will be. And you need to know what to look out for!

I recently got an email from one of our executives inviting me to a party at his house. A toga party no less…should have been my first clue! This guy doesn’t do togas.

But I thought it was nice to be invited and responded by asking what the occasion was.

Minutes later I thought to myself – that was really weird. Not his style at all… I checked back on the email and of course, there it was. A change in our standard email domain. I’d been phished…

Now it wouldn’t be much of a story if that was the end of it.

Later that day, I was emailing some of our sales team and when I typed this executive’s name to cc him, the first email associated with it came up. You guessed it – the phishing email address.

So of course, the ‘phisherman’ was included on my internal email which outlined some forecasting details for one of our sales teams.

It could have been worse – no confidential customer information or personal data was shared. It was really an unfortunate series of events, including me not clearing my Outlook cache after I realized the issue with the initial communication.

Phishing is fraud carried out over email or another electronic channel: someone masquerades as a credible source in order to entice you to take an action, such as clicking a URL, opening an attachment or replying with information. No link or attachment was involved in this case, but the experience raised a few eyebrows internally and caused us to look at our own practices – ensuring we practice what we preach each and every day.

And so I share this story – because it’s an important reminder to all my team members, and the greater enterprise community that you aren’t immune and you can never be too careful. There are so many risks with email communication and often phishing risks come down to the weakest link – the human element!

You’ve got to make sure you cover the basics:

How to spot a phishing email:
  • Sender’s email address: The display name is whatever the sender chose to type, so check the actual address and its domain character by character, even when you recognize the name. A domain that differs from the one you expect by a single letter is the classic sign of a lookalike
  • “Reply-To:” email address: Beware when this address differs from the sender’s address; your reply goes to the Reply-To address, not to the one shown in the From field
  • Links: Always hover over a link to see whether the real destination matches the text that is displayed. If you don’t recognize the destination, don’t click!
  • Poor grammar and punctuation in the email body
  • Urgency: phishing emails often urge you to take action immediately to avoid grave consequences
  • Requests for credentials: proceed with caution if you are asked to provide account information or to log in through a link in the email; phishing sites are designed to mimic the real login page
  • Attachments: be wary when an attachment must be downloaded to view “very important information”, and as a rule never open an attachment from an email address you don’t recognize or a company you’re unfamiliar with

The best way to mitigate the risks associated with phishing is to educate and train your employees on how to spot malicious emails.

Some easy ways businesses can prevent falling victim to these scams are:
  • Network administrators should block attachments from being automatically downloaded onto corporate devices
  • Whitelist acceptable attachment file extensions rather than trying to enumerate every dangerous one; the allowed list is smaller and easier to manage
  • Beware of emotional appeals for natural disaster or terror attack relief funds; attackers take advantage of people’s goodwill and use phishing emails to solicit ‘donations’
  • Tag any email that arrives from outside the corporate domain with an “external” flag, and, where your mail system supports it, warn the sender when an external address is among the recipients of an internal thread, as a reminder for your team that an outside contact is on the email
  • Conduct random internal phishing tests to measure how likely your employees are to fall for phishing scams, and follow up with training
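
As an added illustration (not part of the original post and not Herjavec Group’s code), the small Python script below applies the checks from both lists above to a parsed message: a known display name paired with an unexpected address, a sender domain that looks like ours but isn’t, a Reply-To that differs from the From address, link text that shows one host while the href points at another, and attachments outside an extension whitelist. The corporate domain example.com, the KNOWN_CONTACTS directory and the ALLOWED_EXTENSIONS set are assumptions for the example, and both sample messages are constructed, not real mail.

```python
import difflib
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example (not from the original post): our own mail domain,
# a directory of display name -> known address, and an attachment extension whitelist.
CORPORATE_DOMAIN = "example.com"
KNOWN_CONTACTS = {"alex executive": "alex@example.com"}
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def triage(raw):
    """Return human-readable findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)

    # Known display name but unexpected address: the name is attacker-controlled text.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but address {addr} (directory has {expected})")

    # Lookalike domain: nearly identical to ours but not ours (examp1e.com vs example.com).
    if sender_domain != CORPORATE_DOMAIN:
        if difflib.SequenceMatcher(None, sender_domain, CORPORATE_DOMAIN).ratio() >= 0.8:
            findings.append(f"sender domain {sender_domain} looks like {CORPORATE_DOMAIN}")

    # Reply-To differing from From: a reply goes to the Reply-To address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # Link text that displays one host while the href points somewhere else.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown = _host(text) if ("." in text and " " not in text) else ""
            if shown and shown != _host(href):
                findings.append(f"link displays {shown} but points to {_host(href)}")

    # Attachments whose extension is not on the whitelist.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = ("." + fname.rsplit(".", 1)[-1].lower()) if "." in fname else ""
        if ext not in ALLOWED_EXTENSIONS:
            findings.append(f"attachment {fname!r} has non-whitelisted extension {ext!r}")
    return findings


def sample_phish():
    """Constructed message (not real mail): lookalike sender, foreign Reply-To,
    deceptive link and an executable attachment."""
    m = EmailMessage()
    m["From"] = "Alex Executive <alex@examp1e.com>"
    m["Reply-To"] = "alex.executive@mail-relay.example.net"
    m["To"] = "staff@example.com"
    m["Subject"] = "Toga party Saturday - RSVP today!"
    m.set_content("You are invited. RSVP at https://example.com/rsvp")
    m.add_alternative('<p>RSVP at <a href="https://rsvp.examp1e.com/x">'
                      'https://example.com/rsvp</a></p>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invite.exe")
    return m.as_bytes()


def sample_clean():
    """Constructed benign message from the real address with a whitelisted attachment."""
    m = EmailMessage()
    m["From"] = "Alex Executive <alex@example.com>"
    m["To"] = "staff@example.com"
    m["Subject"] = "Q4 forecast"
    m.set_content("Deck attached.")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                     filename="forecast.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(sample_phish()):
        print("-", finding)
```

Run against the constructed phishing sample it reports all five findings; against the benign sample it reports none. The lookalike test is deliberately crude (a similarity ratio on the domain string) and is meant to show the idea, not to replace a mail gateway’s own impersonation rules; in production the directory lookup would come from your address book and the whitelist from the attachment policy already enforced at the gateway.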

The Department of Homeland Security (DHS) recognizes October as National Cybersecurity Awareness Month (NCSAM) and Herjavec Group is a proud champion of this initiative.

As the month comes to a close, I wanted to share this experience with you in hopes that we can continue this cyber conversation on a more consistent basis, so that this heightened level of awareness around cyber risks is maintained each and every day.

Slow down, be diligent and be careful – the cyber waters are choppy out there!!

To your success,

Robert Herjavec, Founder & CEO