Avoiding phishing with Jose Rodriguez, IT Administrator at Energy Weldfab

Michael and Jose discuss a dangerous online threat - phishing. They tell listeners what to look out for and what managers can do to help minimize damage.



Manufacturing Leadership

[Avoiding Phishing with Jose Rodriguez]

Intro: Welcome to Manufacturing Leadership, a podcast for young professionals in and out of the oil and gas industry. And now here's your host, Energy WeldFab's Michael Clements.

Michael C.: Hello podcasters, welcome to manufacturing leadership, an oil and gas podcast, I'm your host Michael Clements and I'm extremely happy to have you with us today. I am with good friend, professional angler, company IT man and great all-around dude, Jose Rodriguez, how you doing today Jose?

Jose Rodriguez: Hey Michael, thanks for having me, I'm doing great. I will have to say you sure did lure me into this podcast.

Michael C.: Well enough with the phishing. Our topic today is phishing emails, so what a great opportunity to have a self-proclaimed angler on the show with us.

No, I take that self-proclaimed back, Jose is actually a very good fisherman, has excellent stuff on his social media page with his family, I've seen some of those big basses you've been catching on there Jose. Hey, what is your favorite type of bait?

Jose Rodriguez: I do like to use a lot of lures; it depends on my target species. For bass I like to use a lot of crank baits, plastic baits as well, trout they do have different power baits that resemble their forage or just a dough that's kind of based on what they're fed at the hatchery.

Michael C.: Wow, interesting. Well speaking of crank bait, let's crank this thing up a notch. Alright, we want to talk today a little bit about email phishing scams, this is something that we're all aware of, we've all been potential victims of and some of us have even been victims of email phishing scam. Some of the ones that you're probably most used to are ones want you to click here, or very obvious hey you inherited a million dollars, or hey give us your credit card information, there's a lot of different ones out there, but they're getting harder and harder to decipher through.

Some of the fraud scams that have been out there just bogus business opportunities, chain letters, work-at-home schemes, health and diet scams, easy money, free goods, investment opportunities both email guys if you're getting these things in your email inbox like everybody else is, for one you need to turn your spam filters up.

But also start junking these things, that can also help a lot, but without getting into too much of the what you can do, we're going to talk about some of the things that are out there and what could be happening to you. Jose what are some of the things you've seen in our organization that you have come across?

Jose Rodriguez: I've seen several that'll come through and imply that your email is full, and you must click it to empty or expand your mailbox size. They are fraudulent emails, all of that is handled on the server side through the IT; the users themselves would never have that function to be able to increase their own mailbox size.

Also I have seen several that come in as invoices, posing as invoices and they're actually not. They lead you to an external link and have you sign in to your Google Drive, 365, just any account that they can get.

Michael C.: One thing that's interesting if you've never actually clicked on that, a lot of times when you actually click on there it takes you to a web page that looks identical to the sign in for OneDrive or for Google or whatever it may be, I mean it's almost a spot for spot.

The only difference is if you look up in the address bar, it's not going to have say Google or Microsoft in there, it's going to have some other address is that correct Jose?

Jose Rodriguez: Yes, that is correct. If you're to put it in a sandbox environment or if you're running a virtual machine of your own, kind of like a DIY sandbox, and you do decide to go with the course and see where it leads to.

A lot of the times you can actually enter a made-up email address and credentials, and it'll accept it and look as if it's going to login and then it leads to a fake 404 page essentially, an error page and that's how you can tell that they're just out nabbing passwords.

Michael C.: And if you've never done this, a lot of times you'll hit back and go continue tapping in your server, and continue giving them the information that they're phishing for. So in 2016 one in a hundred and thirty-one emails contained malware, now this is really a problem, not just ransomware either malware is a serious issue these days and two thirds of all malware was installed via email attachments in 2016 too. This is how hackers are getting into your computers, this is how they're getting into your address book, and then this is also how they're getting into your buddy's address book and their email accounts.

So it's an ongoing thing, and it's kind of like hogs here in these Texas, you're not going to get rid of it, they're not going away, we're seriously just going to have to learn how to deal with these email phishing scams. So although we can upgrade the spam filters, we can do these things, identifying emails that are coming in it's still going to happen. One of the things you can also take a look at is whenever you get an email in, check out the address bar in there or the email that it was sent from, if you click that email it's going to pull up the actual address that the email came from, and be sure whatever is after the @ symbol is the company name that the email came from.

And if it's not the company name, I'm not going to tell you that it's automatically a bad email, but what that does mean is you need to contact that provider or you need to contact the person who that email was sent from. And you may say well it came from AT&T, well unfortunately if it came from AT&T contact their customer support, you may be on hold enough to press 1 14 times but you will eventually get through. It's very important though that we're doing this, some of the other ones that are coming through these days are also plane tickets, tickets to events, things that you're going to these phishing scams are getting more in-depth and they're starting to figure out what you're doing.

And so a lot of times there's metadata that's sent out from these websites whenever we sign up for things, or whenever you do something and a lot of times these companies don't know where that metadata is going and what can happen is someone knows that you just signed up or just got tickets to the Mavericks-Spurs game on Saturday, well once you got those tickets to the game and you click that somewhere somebody got a notice.

Something was given to somebody that they said hey this person's going to a game, why don't I send them a link that will tell them this is their tickets. And so what happens is you click that link and Jose said earlier it's going to ask you for a sign-in, you give them your sign-in information but here's the catch.

A lot of times they're going to take you deeper and it's not going to be right on the surface, especially one that is really malicious and they're trying to get into your financial information. If they're asking for a credit card or if they're asking for a bank account number or they need to make a digital transaction, a lot of times they're going to ask you for your email address first to confirm it, and whenever you hit okay obviously it's going to confirm it.

Then they're going to ask you can you confirm your phone number, and you're going to do that all that while you're sitting here saying well this isn't a scam or the thought of a scam hadn't even crossed your mind because seems legit. So you keep going through this process, the next thing he gets to a page oh by the way we didn't get your payment information on those tickets, can you please put in your credit card information or it may say to confirm these tickets to give them to you, to release them you need to put in your credit card information. And what happens is you put in your credit card information and next thing you've been compromised, Jose is this a path that can potentially happen?

Jose Rodriguez: Yes definitely. So you'll go through the motions and it'll seem like it's an actual email from that provider or vendor, and that is how they take your information, they completely replicate either their website or their login portal.

Michael C.: Well 50 percent of emails that are coming in to our inboxes nowadays are spam or phishing emails, and out of those emails, out of that 50% that are coming in, what you may say a little 50% of my inbox isn't these emails, well that's because you have a spam filter that's picking these emails up, but I'm telling you they're coming to you, you're getting them you just don't see them. But as you also continue to get these emails and out of that 50%, 25% of those I think you hit on it earlier invoices, this is a common way of phishing and getting the information from you that they're looking for.

Critical information, this is stuff how they get into your bank account, you know what hey, I got a limit of $100 a day, no one can take out more than that out of my bank account, well let me tell you something these folks can get $100 from you for doing nothing but phishing, they don't care they'll take your hundred dollars okay.

So there is no big or small or it's a big problem or small problem whatever, this is just a problem and it's one that we all need to be aware of and be cautious about. And for leaders out there in your organization you need to be keeping an eye on this, you need to make sure that your people are taken care of and they have the best practices in place.

I think that's a responsibility of a leader in today's work environment, where you live in a digital world and even if your company has not made the transformation yet or has not picked up on this, it's critical. You can say it'll never happen to me, but I'm telling you if you're the person saying it's never going to happen to me, you will be the person that it happens to when you least expect it. These emails come in at specific times of day, and they continue to come in until they hack your system.

Now other things that you can be looking out for, not only your attachments but the wording and the emails, the signature on the emails and just really ask yourself the question, is this legit? Get a little passionate here do I believe with all of my heart that this email is legit? And I'm not saying you got to do that with absolutely every email you get in, but you know what if you get one in that's shady, I'd rather be corny and sit in my office and ask with all my heart if this email is actually something that's legit, rather than me putting my credit card information and looking like a fool at the end of the day.

So you know what I will take that, and I will do it that way. And I want to encourage everybody else to, because if someone hacks your system or hacks your email address, you're compromising everybody else that's attached to you whether it's through an address book, whether it's through emails that you've sent, and this is why the path continues, and why this circle continues to go on, but it's also unfortunately why the circle won't end. Jose, other things on emails that are coming in, you got anything else for us?

Jose Rodriguez: Yes, I'm just going to have to go back and agree with you that you definitely should not skimp on the spam filtering; it is 2018 if your companies run an email you definitely need a filter and that is just a precursor to it all.

Another thing you can do is have your groups trained on how to deal with it, as well as there are services out there that will test your company's user base to see how they react to phishing attempts.

Michael C.: Yes, there are plenty of things out there to combat, you may say man I don't want to spend any money on this, well I guarantee that it's better, it's like buying an insurance policy it's what it is. Here's some of the highest click rates for large campaigns last year for phishing scams, so some of the different ones that were used, and you may have been subject to some of these, now whether you click them or not I don't know but on this list I know there's a few on here that I received emails from these groups you have Dropbox account, Adobe account, Google Drive, Microsoft, Financial institutions, Generic email credentials, Apple accounts and PayPal.

One that's real touchy is financial institutions, I know I was getting them from Wells Fargo last year and I don't have a Wells Fargo account which that was how I knew that hey, I know that this is a phishing scam. But if I had a Wells Fargo account I may have been led to click on that and see what was going on with my account. So you all just be careful with what you got going on out there, Jose touched on the spam filters, definitely something.

Now they may be a nuisance, they may catch your buddy's email every now and then and that can be frustrating. It happened to me, I had an event I was going to and the whole thread was in my spam filter, and I found out the next morning at 7 o'clock. But you know what I would rather find out the next morning 7 o'clock than compromise my entire team, or maybe I should just be using my personal email. How about that Jose? How can that Jose, can that put a company at risk whenever people are using their personal or their work email addresses for personal matters?

Jose Rodriguez: Yes, I definitely would recommend having two separate emails. You could have them within the same client, but have two separate addresses one for personal and one for business.

Michael C.: I like that. Well you all this has been a wonderful show with Jose, Jose what would you like to leave our listeners with here, maybe a little bit of encouragement for the cyber world we're living in.

Jose Rodriguez: The best takeaway I would say is pay attention to your emails, a lot of them will take time to replicate it to high definition; others will be sloppy, so if you get a login portal or a page that's off colored or pixelated or even with spelling errors, that is usually a really good indication that it is not a legitimate email.

Michael C.: Well we'll leave you with this, 76% of organizations reported being victim of a phishing attack in 2016, that's over three-quarters of businesses everybody or organizations. In a country that is built on business, that's a lot of people being impacted by phishing scams. So although we have a professional angler with us today everybody, don't get caught by a fisherman dad gum, you'll be all right. Jose thank you for being here today, I really appreciate you being on the show, I look forward to doing more shows with you, and even getting into some more details.

I think we covered some things today we could have a whole show about, so appreciate you being on the show today. If you want to get in touch with us, send us an email Podcast@EnergyWeldFab.com also on the social media channels Instagram, Facebook and Twitter @EnergyWeldFab, you can also check out our podcast at Stitcher radio, iTunes as well as our website EnergyWeldFab.com. I'm your host Michael Clements, I've had a great time today, Jose my man thank you, appreciate you being on the show.

Jose Rodriguez: Yes sir, thank you for having me.

Michael C.: Can't wait to do it again, everybody thank you for listening and have a wonderful day, thank you.