Social Engineering Via Fake Emails

One common method of attack used in targeted attacks on organisations is the use of fake emails – an email that appears from someone important in an organisation telling someone else to do something unwise. Such as requesting that an important password be changed, or advising someone to check out some sort of attachment.

Often there is some good reason why normal security policies should be avoided – “I can’t bring in my photo ID card to get my password changed; I’m at a conference in Thailand” – which whilst they sound reasonable, can be simply a means of bypassing normal procedures. These are not intended to be inconvenient to the user (although often are), but are intended to protect the organisation.

What surprises many people when they first learn of it, is that faking emails is remarkably easy. That “From” header that appears when you read an email is literally no more than a comment – it could easily be provided by an attacker as there is no form of checking on it.

Now how common these attacks are, and how likely the University is to be targeted by them is unknown. But there are some counter-measures, although the best counter-measures are social rather than technical.

Technically it is possible to use a cryptographically strong digital signature on emails to ensure that an email arriving was sent by whom it purports to be sent by. Unfortunately, the most common method to do this, is rather technical and difficult to use – I get confused using it although I have been signing my emails for a long┬átime now.

But the most obvious protection is common-sense: Does this request that came in via email make sense? Is the sender likely to ask me to do this ? Is it suggesting I bypass normal procedures and policies ?

If in doubt, contact the sender via phone (and look up the number elsewhere) to check.

This entry was posted in Uncategorised. Bookmark the permalink.