Yesterday, Aaron Boyd, a reporter at the Federal Times, wrote that someone tried to plant malware on his system through the use of a fake State Department email. Mr. Boyd reports:

Among the many emails waiting in my inbox this morning was one that seemed to come through a State Department .gov domain address. It purported to be a fax from a State Department machine, containing a PDF file… Getting an unsolicited email or document isn’t that unusual in the day-to-day of a reporter. However, the link to download the document went to a .org site (not the actual State Department site) and the file itself was a ZIP, not PDF. Seeing the red flags of a potential spear-phishing attempt, I contacted our IT department and we opened the file in the safety of a sandboxed environment.
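The two red flags Mr. Boyd noticed (a download link on a different domain than the sender, and a link serving a ZIP when the message promises a PDF) are mechanical enough to check automatically before a user ever sees the message. The script below is an added illustration written for this post; it is not code from the Federal Times, the State Department, or SP Guard. The two email messages are constructed samples, the example.gov/example.org domains are placeholders, and registered_domain() is a deliberate simplification (last two labels) that a production filter would replace with a Public Suffix List lookup.

```python
"""Flag the red flags of a fake-fax phish: link domain vs. sender domain,
and the file type a link actually serves vs. the type the message claims."""
import email
import email.utils
import posixpath
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# What the message says it delivers -> extensions consistent with that claim
CLAIMED_TYPES = {"pdf": {".pdf"}, "word": {".doc", ".docx"}, "excel": {".xls", ".xlsx"}}
# Extensions a "fax" or "document" link should never resolve to
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".jar", ".vbs"}

# Constructed sample modelled on the incident described above (placeholder domains)
SAMPLE_PHISH = """\
From: "Fax Service" <fax@state.example.gov>
To: reporter@newsroom.example
Subject: New fax received (1 page)
Content-Type: text/plain; charset=utf-8

You have received a new fax. The PDF is ready to download here:
http://fax-downloads.example.org/docs/fax-00231.zip
"""

# Constructed benign counterpart: same-domain link serving the promised PDF
SAMPLE_BENIGN = """\
From: fax@state.example.gov
To: reporter@newsroom.example
Subject: New fax received (1 page)
Content-Type: text/plain; charset=utf-8

The PDF is ready to download here:
https://fax.state.example.gov/docs/fax-00231.pdf
"""


def registered_domain(host: str) -> str:
    """Simplified: last two DNS labels. Use the Public Suffix List in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg) -> str:
    """Registered domain of the From: address, or '' if there is none."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def body_text(msg) -> str:
    """Text of the message body, preferring text/plain over text/html."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def check_message(raw: str) -> list[str]:
    """Return a list of human-readable red flags (empty when none are found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = body_text(msg)
    sdom = sender_domain(msg)
    claimed = [w for w in CLAIMED_TYPES if re.search(rf"\b{w}\b", text, re.I)]
    allowed = set().union(*(CLAIMED_TYPES[w] for w in claimed)) if claimed else set()
    flags = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        ldom = registered_domain(parsed.hostname or "")
        ext = posixpath.splitext(parsed.path)[1].lower()
        if sdom and ldom != sdom:
            flags.append(f"link host {ldom} differs from sender domain {sdom}")
        if claimed and ext and ext not in allowed:
            flags.append(f"message promises {'/'.join(claimed).upper()} but link serves {ext}")
        if ext in RISKY_EXTENSIONS:
            flags.append(f"link serves a risky file type ({ext})")
    return flags


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, check_message(raw) or ["no red flags"])
```

Run against the constructed phish, the checker reports three findings (cross-domain link, ZIP where a PDF was promised, risky archive extension) and none against the benign message. The point is not that these heuristics are complete, but that the judgement Mr. Boyd applied by hand is exactly the kind of check a mail gateway can apply to every message.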

[Image: Fake Email Fax]

What was unusual about this incident wasn’t the attack — it was the response of the intended victim. Mr. Boyd’s very careful approach to email is laudable — but it is also unusual. Also yesterday, Ilia Kolochenko, writing in CSO, wrote about email attacks:

Unfortunately, human psychology cannot be altered by security training and awareness alone, so people will always have their basic instincts dominating over acquired skills. We were recently assisting a medium-size insurance company that decided to outsource cybersecurity management to a third-party provider, cutting the majority of internal security jobs. Security people received a very well prepared [fake] email from the management about their future placement and dismissal compensations. Everyone, including senior security experts who have been in the industry for dozens of years, clicked on the included link.

How can more people overcome their basic instincts and be like Mr. Boyd? IT could help them by highlighting trusted email using SP Guard. Users will still decide which emails to trust, but that decision can be guesswork or it can be guided by IT.