
Are you (accidentally) supporting phishing?

One of the themes in some of my recent talks has been how some marketers teach their customers to become victims of phishing. Typically I’m talking about how companies register domains “just for email” and then use those for bulk messages. If customers get used to mail from company.ESP.com and companyemail.com they’re going to believe that company-email.com is also you.
There are other ways to train your customers to be phishing victims, too. Zeltzer security walks us through a couple of emails that look so much like phishing that they fooled company representatives. Go take a read; they give a number of examples of both good and bad emails.
I was a little frustrated that the examples don’t include headers so we could look at the authentication. But the reality is only a teeny, tiny fraction of folks even know how to check headers. They’re not very useful for the average user.
Security is something we should never forget. As more and more online accounts are tied to our email addresses, those of us who market to email addresses need to think about what we’re teaching our recipients about our company. DMARC and other authentication technologies can help secure email, but marketers also need to pay attention to how they are communicating with recipients.
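The check that almost no recipient does by hand can be automated at the receiving end. The script below is an added example, not code from this post or from any vendor: it takes a message as a receiver sees it (with the Authentication-Results header its own mail server stamped), pulls the domain out of From:, reads the SPF/DKIM/DMARC results, and classifies the sender domain against the brand's real domain. The brand domain `company.com`, the helper names, and the three sample messages are all constructed for the example; the lookalike heuristic is a simple label comparison rather than a public-suffix-aware one.

```python
"""Classify a message's From: domain against the brand's real domain and read
the receiver's Authentication-Results header. Added example; ORG_DOMAIN, the
helper names and the SAMPLES below are constructed, not taken from the post."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "company.com"  # assumption: the brand's real domain

# Constructed sample messages, each as a receiving server would see it after
# stamping its own Authentication-Results header. Not real traffic.
SAMPLES = {
    "brand": (
        "From: Company News <news@company.com>\n"
        "Authentication-Results: mx.receiver.example; spf=pass "
        "smtp.mailfrom=company.com; dkim=pass header.d=company.com; "
        "dmarc=pass header.from=company.com\n"
        "Subject: Your statement is ready\n\nbody\n"
    ),
    # The "company.ESP.com" pattern from the post: a marketing domain hosted
    # by an email service provider, not under the brand's own domain.
    "esp_domain": (
        "From: Company News <news@company.esp.example>\n"
        "Authentication-Results: mx.receiver.example; spf=pass "
        "smtp.mailfrom=company.esp.example; dkim=pass header.d=esp.example; "
        "dmarc=none\n"
        "Subject: This week's offers\n\nbody\n"
    ),
    # A lookalike registered by someone else. Note it passes DMARC for ITS OWN
    # domain, which says nothing about whether the brand sent it.
    "lookalike": (
        "From: Company Security <alerts@company-email.com>\n"
        "Authentication-Results: mx.receiver.example; spf=pass "
        "smtp.mailfrom=company-email.com; dkim=pass header.d=company-email.com; "
        "dmarc=pass header.from=company-email.com\n"
        "Subject: Verify your account\n\nbody\n"
    ),
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def parse_auth_results(value):
    """Return {'spf': 'pass', 'dkim': 'fail', ...} from an Authentication-Results value."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(value or "")}


def from_domain(msg):
    """Domain part of the address in the From: header, lowercased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def levenshtein(a, b):
    """Edit distance; used to catch one-character swaps such as c0mpany."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, org=ORG_DOMAIN):
    """'org', 'subdomain', 'lookalike' or 'unrelated' relative to the brand domain."""
    if domain == org:
        return "org"
    if domain.endswith("." + org):
        return "subdomain"
    org_label = org.split(".")[0]  # assumption: brand name is the first label
    for label in domain.split("."):
        if org_label in label or levenshtein(label, org_label) <= 2:
            return "lookalike"
    return "unrelated"


def assess(raw, org=ORG_DOMAIN):
    """Combine domain classification with DMARC result into one verdict."""
    msg = message_from_string(raw)
    domain = from_domain(msg)
    auth = parse_auth_results(msg.get("Authentication-Results"))
    kind = classify_domain(domain, org)
    dmarc_pass = auth.get("dmarc") == "pass"
    if kind in ("org", "subdomain") and dmarc_pass:
        verdict = "authenticated-brand"
    elif kind in ("org", "subdomain"):
        verdict = "brand-domain-unauthenticated"
    elif kind == "lookalike":
        verdict = "lookalike"  # dmarc=pass here only vouches for the lookalike itself
    else:
        verdict = "unrelated"
    return {"domain": domain, "kind": kind, "auth": auth, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw))
```

The point the samples make is the one the post makes in prose: from the recipient's side, `company.esp.example` and `company-email.com` are indistinguishable from each other, and a DMARC pass on a lookalike domain is not evidence that the brand sent the message. Only alignment with the brand's own domain (the `org` or `subdomain` cases) plus a DMARC pass ties the mail to the brand.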

1 comment

  1. Anonymous says

    Accidentally? Hah! We train our internal users to be phished intentionally! $DAYJOB hired fake “Security Awareness and Training” company Wombat Security to train our users to be phished, and paid them money for this service.
    It starts off with an email that says something like “You’ve been assigned an online security class, click http://yourcompany.wombatsecurity.com/ and enter your computer’s login and password. You must complete this prior to $date.” — And they’re serious, it’s not even a “Okay, you fail, don’t do that” intro to the program or anything of that sort, it’s what they expect you to do.
    While they don’t actually have access to intercept credentials (they authenticated through our Office 365 authentication service), they’re literally telling us that we must open an email from an unknown company, click on a link to a tricky-looking, fake URL that includes our company name, but not in our company domain, and enter credentials.
    The only way it makes sense is as a false flag operation, so I assume they sell their company list to phishers who will send similar messages to vulnerable users in the future, including scores from their online test which show which users are most vulnerable.
    Although in reality it’s probably simple incompetence, I’m probably giving them too much credit to assume that they’d pull this off effectively.
