The Weakest Link: Strengthening URAC’s IT Security

By Maggie Cornett on 12/5/18 10:54 AM


You are not only the first line of defense for ensuring the security of URAC’s systems, data and network; you are also its weakest link.  We are human and we all make mistakes, but cyber-criminals are constantly enticing you to make a mistake, and counting on you to do so, so that they can take advantage.  The most vulnerable point of entry for these hackers to invade the URAC network is our email system.

Taking simple spam messages to the next level, cyber-criminals use email phishing and spear phishing to accomplish their goals:

Phishing emails are usually automated and do not require a lot of skill on the hacker’s part.  Phishing is very broad: the hacker blankets the organization’s email address book looking for credit card data or user names and passwords.  The attack is typically “once and done”.

Spear phishing, on the other hand, is targeted, going after specific, key individuals within a company, such as a member of the executive team or finance department.  Through spear phishing the cyber-criminal uses more advanced techniques and is looking for more valuable data: confidential information or business secrets.  These attacks are usually the beginning of an attack on the company’s whole network.

To defend against these types of attacks, you need to understand the process cyber-criminals use to invade an email system:

  1. Obtain email addresses. As you know, most corporate email addresses follow a simple “first lastname@companyname.com” pattern.  Hackers may also find their targets through social media, LinkedIn being a key place to identify an organization’s staff members.
  2. Get past the antivirus. Finding out about a company’s security defenses may be as easy as looking at the company’s technology job descriptions. 
  3. Get through the firewall.
  4. Create a great story. The story is created to invoke an immediate action by the recipient without close examination of its content.
  5. Send the email. Set up a temporary mail server or purchase a domain name to provide more credibility.
  6. Sit back and gather the results.

Prevention

Good defenses against attack are multi-focused.  URAC has implemented several security applications to address these issues, including software that filters email from dangerous or risky websites.  Additionally, an application is in place to scan all incoming email, placing links and attachments into a “safety zone” to avoid the introduction of a virus or malware upon opening the link or attachment.  Outgoing email that includes data resembling a social security number, credit card number or certain types of account number is quarantined until it is examined and released by IT Security.  The Internet is scanned by software that detects exposed URAC email addresses or credentials.  Finally, IT will be adding the phrase “***External Email***” to all email originating outside URAC, as an added reminder for you to remain vigilant.
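Two of the controls described above, the outgoing-mail quarantine for data that looks like a social security or credit card number and the “***External Email***” subject tag, can be illustrated with a small filter. This is an added example, not URAC’s own tooling; the internal domain `urac.example` is an assumed placeholder, and the card check uses the Luhn checksum to cut down on false positives from ordinary digit runs.

```python
import re

INTERNAL_DOMAIN = "urac.example"        # assumed placeholder, not a real URAC domain
EXTERNAL_TAG = "***External Email***"   # the marker the post says IT will add

# SSN-like: three groups separated by dashes, excluding impossible area/group/serial values
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card-like: 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive_data(body: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) pairs for SSN-like and card-like strings in an outgoing message."""
    findings = []
    for m in SSN_RE.finditer(body):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def should_quarantine(body: str) -> bool:
    """Hold the message for IT Security review if anything sensitive was found."""
    return bool(find_sensitive_data(body))


def tag_external_subject(sender: str, subject: str) -> str:
    """Prefix the subject with the external marker unless the sender is internal; never double-tag."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN or subject.startswith(EXTERNAL_TAG):
        return subject
    return f"{EXTERNAL_TAG} {subject}"
```

Only the masked value is kept in the findings, so the quarantine log itself does not become a second copy of the sensitive data.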

On a personal note, you should never send sensitive information via email and carefully evaluate what you share on social media sites.  You may wish to set up multiple email addresses, both private and public.  Don’t be afraid to change either address should it be discovered by spammers.  Never respond to spam.  Keep your browser updated and use an antivirus that includes advanced anti-spam features. 

When dealing with email, beware of any email that demands immediate action.  Be especially cautious of any attachment you were not expecting.  Be suspicious of an email that requests your credentials.  Most importantly, you need to be vigilant and knowledgeable about the latest tricks and techniques used by these cyber-criminals.  IT is here to assist!  If you have a question, ask IT to review the email.

Written by Maggie Cornett

URAC VP of Technology Program Management and Planning Maggie Cornett brings more than 35 years of healthcare and information technology experience to the nation’s independent leader in promoting healthcare quality through accreditation, certification, and measurement. Cornett received a Master of Science in computer systems management from the University of Maryland. She is a member of the Healthcare Information and Management Systems Society (HIMISS) and College of Healthcare Information Management Executives (CHIME). She is certified in Information Technology Infrastructure Library (ITIL) Foundation and the CHIME Certified Healthcare CIO program. Additionally, Cornett is a Registered Nurse. With a Bachelor of Science in nursing from Pennsylvania State University, she served as a nurse at Children’s Hospital of Philadelphia and a nurse, recruitment/retention coordinator, and department manager at Prince George’s Hospital Center in Cheverly, Maryland.
