Email Security


Page 1 (0s)

[Audio] This is an introduction on Email Security and how to avoid a phishing or social engineering attack.

Page 2 (7s)

[Audio] This Cybersecurity module discusses the various methods used to phish or socially engineer victims. Despite the various movie representations of "hacking" a company, the simplest methods are mostly used as they are very effective. The two common methods are social engineering and phishing. Fifty percent of successful hacking attacks occur via these two methods.

Page 3 (33s)

[Audio] By compromising a company's systems, attackers can steal confidential information and then:
- Ransom it back to the company by threatening release
- Sell it on the black market
- Use the company's email system to send out further phishing emails to other people
- Intercept financial information in emails and alter the payment details

Page 4 (59s)

[Audio] Social Engineering: This is where an attacker engages with a staff member to obtain their credentials, or gets them to do something to enable further access or some financial gain.

Page 5 (1m 12s)

[Audio] The usual method is by pretending to be the CEO or an executive who needs assistance, another staff member asking for help, or the IT department sending instructions. The message will have a sense of urgency so you pay less attention to possible flaws in the email or the reason for the request.

Page 6 (1m 31s)

[Audio] An example of these types of emails is shown here. The message appears to be from the CEO, who is busy and wants something done.

Page 7 (1m 42s)

[Audio] Emails have a From and a Reply-To address. These can be different. The From address can be faked. Attackers, though, have a problem with the return address: this must go to a real address that they can access to see your reply. This means you may see things like a Gmail return address or another non-AHRI address.

Page 8 (2m 4s)

[Audio] Outlook helps in identifying mismatched From and Reply-To addresses. The message is supposed to be from the AHRI CEO, sarah.mccann-bartlett@ahri.com.au.

Page 9 (2m 18s)

[Audio] Outlook shows the warning "You don't often get email from" and shows the real address is pajspahd4@gmail.com. So this is definitely a social engineering email attack.

Page 10 (2m 31s)

[Audio] In this example the attackers are trying to get the victim to use WhatsApp for future correspondence, to avoid the problem of the wrong address and keep the activities secret.

Page 11 (2m 42s)

[Audio] Phishing uses an email to get you to click on a link or open an attachment. The link or attachment then triggers one of the following:
- A login screen for a Microsoft login, or a request for other credentials, which can then be stolen. This allows the attacker to log in to the organization and try to obtain further access to sensitive data.
- A download from a site which contains malware to infect the PC and allow the attackers access into the organization via the PC.
- A download from a site which contains ransomware that infects the PC and spreads to other devices in the organization.

Page 12 (3m 25s)

[Audio] AHRI uses Microsoft Exchange and Outlook, so the login screen for a webmail service on the right is a phishing attempt.

Page 13 (3m 35s)

[Audio] A legitimate AHRI login to Microsoft will request a login name (your email address), a password, and a second factor of authentication; this will be a code from an SMS message or an authentication app.

Page 14 (3m 53s)

[Audio] A legitimate AHRI login to Microsoft via a browser will show the following screens. First, it asks for a user name in an email address format. Note the Microsoft logo.

Page 15 (4m 8s)

[Audio] Then a password. Note the AHRI logo on this screen.

Page 16 (4m 15s)

[Audio] You may then be asked for a second-factor authentication, depending on how long since your last login and the device you are using. The code will come via SMS, or there is an app available that can be used as well.

Page 17 (4m 29s)

[Audio] Entering the code will complete the login and provide access to the AHRI network.

Page 18 (4m 39s)

[Audio] Entering the code will complete the login and provide access to the AHRI network. You should not share your authentication codes with anyone.

Page 19 (4m 50s)

[Audio] In this example they are trying to install malware onto a phone, using a link via a QR code to do it. This hides the real link. However, you can see that the email has come from and not a Microsoft one. Microsoft does not have multi-factor authentication expire in this way.

Page 20 (5m 13s)

[Audio] The example on the left shows a common Docusign phishing attempt. Clicking the "View Completed Document" button will either download malware or try to steal login credentials.

Page 21 (5m 26s)

[Audio] The fake is more difficult to identify, but Docusign documents are sent directly by Docusign from the email addresses dse@docusign.net or dse-demo@docusign.net, not paul@paulboonelaw.com, which is probably a compromised email account. Always check the sender address on emails.

Page 22 (5m 53s)

[Audio] This email is an example of a socially engineered phishing attack. The email from the "CEO" encourages the recipient to click on it and hopes that they do not realise the sender address is incorrect.

Page 23 (6m 7s)

[Audio] It uses CEO@outlook.com and not an AHRI email address. Clicking the item will result in a malware download.

Page 24 (6m 17s)

[Audio] Normally you can hover over a link and see where the source is. However, as part of our security system, any email links are now replaced by text containing an Outlook Safe Link. It contains the URL safelinks.protection.outlook.com, which replaces any link in an email. It allows Microsoft to check downloads for malware. As well, if Microsoft discovers later that the link connects to malware, it can remove the link after the email has been delivered.

Page 25 (6m 52s)

[Audio] A variety of email types are used to get credentials. Each type tries to use a sense of urgency to prompt immediate action without the recipient thinking. Common ones are:
- Mailbox expiring or full, click on the link
- Voicemail message, click on the link
In both cases you are asked to log in and provide organization credentials, which are then stolen.

Page 26 (7m 20s)

[Audio] As an end user, in normal operations, you will not receive emails like these. If you do, forward them to IT support at itsupport@ahri.com.au. AHRI uses Microsoft Teams for its phone system, and any voice messages will come through as an attachment in an email in Outlook. AHRI uses the Microsoft 365 office suite. All email processes are handled by the IT department.

Page 27 (7m 51s)

[Audio] Outlook provides additional indicators if there may be something wrong. The Outlook message below shows you do not generally get messages from this email address. The message will show that the sender is not in your safe senders list.

Page 28 (8m 6s)

[Audio] If the name on the email is someone you regularly correspond with, then it is a phishing email, as the real sender address is different.

Page 29 (8m 15s)

[Audio] If this is a new person you are dealing with, you can click the "Show blocked content" link to see the whole message. Only click the "I trust content from" link if you know that this email address and sender are correct and you will be getting further emails from them; otherwise the warning message will no longer be displayed.

Page 30 (8m 36s)

[Audio] SMS messages can also be used in a phishing attack. The example on the right shows how an SMS fraud can be created; in this case they are bank messages. They can also be used in social engineering by faking the sending number, so the message appears to come from the CEO or another staff member.

Page 31 (8m 58s)

[Audio] By default, mobile phones list SMS messages from the same number in a single panel. This makes it easier to follow a series of messages. It also means that an attacker can fake the SMS phone number, send a message, and it will display with all the genuine messages from the number. As the rest of the messages are genuine, the recipient believes the message with the malicious link in it is also genuine.

Page 32 (9m 27s)

[Audio] SMS messages should not be trusted, as the source number can be faked. Direct phone call numbers can also be faked. In some sophisticated attacks, deep faking of a caller's voice has been used to convince the victim that a company executive was calling and wanted a financial transfer made. These attacks, though, are fairly sophisticated and require more extensive preparation than most attackers are willing to go through, but they do have potentially high rewards if successful.

Page 33 (9m 59s)

[Audio] On all emails you receive:
- Always check the reply address on an email.
- If an email asks you to use some other reply method (such as WhatsApp, Telegram, etc.), it is a fake email.
- If you are at all unsure about an email, contact the person who is supposed to have sent it via other means. Do not just "Reply" to the email directly, as you are replying to the attackers.
- Use another method to check that the email is legitimate, such as Teams IM, a direct phone call, or looking up the person's email address directly.

Page 34 (10m 41s)

If you are unsure about an email or web page, contact the AHRI IT Department so it can be checked and verified. IT is contactable via email at itsupport@ahri.com.au or the helpdesk directly on (03) 9918 9284.