How do you know that RFP solicitation you just received is real?
You don’t, unless you know what to look for and are aware of the threat.
For clients, I monitor and evaluate RFP/RFQ opportunities from various state, federal and corporate agencies across the US and just received this message from the Maryland State Dept of Information Technology.
Subject: Message to Vendors regarding fraudulent emails
State of Maryland has been made aware of a new phishing scam that targets the community of vendors doing business with the State of Maryland. A phishing attack occurs when a fraudster tries to trick you into sharing personal information online.
In Todd R. Weiss’ online article “$100M Email Phishing Case Offers Lessons Learned for IT,” Neil Wynne, an IT security analyst with Gartner warns that “business email attacks have been occurring with significantly higher frequency in recent years.”
Have you received a phishing email? If your answer is no, then you don’t know what the threat looks like. It is safe to say that EVERYONE on this planet who is Internet connected has received one of these email-based IEDs (or Internet Explosive Devices, as I like to call them). So what do you do when you receive one of these?
The answer varies with your situation but there are some common actions and things to know, consider and do. For example . . .
In its email warning, the Maryland State Dept of Information Technology helped its existing and potential vendors/suppliers by doing two things:
First was to educate by saying:
“The scam attempts to lure vendors into taking certain actions, including visiting a fraudulent website to input personal information and/or to download malicious programs. Other messages request that the vendor remit payments and provide remittance information within the body of the message in the form of a routing and account number.
The State of Maryland does not request payment or ask its vendors to provide personal information via email.”
The second was to create a call to action with the following statement:
“If you receive an email similar to the ones below, don’t reply. You should delete the message immediately. Do not open attachments, click links contained in the email, or provide any data to the websites mentioned or linked. Refrain from remitting payment to bank account information provided.
Update your subscriptions, modify your password or email address, or stop subscriptions at any time on your Subscriber Preferences Page.”
Maryland State Dept of Information Technology’s approach is good! But the one BIG thing I did not like about their email warning is that it had links. That immediately raises a red flag in my mind.
What I have more commonly seen is a statement that says something like “feel free to visit the institution’s website or call if you have any questions.” No links or phone numbers are provided in those messages. Given the nature of the situation, rather than relying on email links, it is reasonable to use the contact information you already have on hand to establish any desired communications with the institution. After all, how do you know that someone didn’t send out a fake message pretending to be the Maryland State Dept of Information Technology? Yeah, yeah, I know this can get really squirrelly. So what is the solution?
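The red flags described above (a sender domain you don’t have on file, links in an “official” notice, link text that shows one site but points to another, and requests for routing/account numbers) can be checked mechanically before a human ever decides to click. The following is an added example, not code from the original post or from the State of Maryland; the trusted domain list and both sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: sender domains the recipient already has on file (not taken from the page).
KNOWN_DOMAINS = {"maryland.gov"}
# Phrases the Maryland warning associates with payment-redirection phishing.
PAYMENT_PHRASES = ("routing number", "account number", "remit payment", "remittance")
# Constructed sample messages (not real mail): one in the pattern the warning describes, one benign.
PHISH_SENDER = "Vendor Payments <payments@maryland-gov-vendors.com>"
PHISH_BODY = ('<p>Please visit <a href="http://maryland-gov-vendors.com/update">'
              'https://procurement.maryland.gov</a> and provide your routing number '
              'and account number so we can remit payment.</p>')
BENIGN_SENDER = "Maryland DoIT <noreply@doit.maryland.gov>"
BENIGN_BODY = "<p>If you have questions, please call the number already on file for our office.</p>"

LINK_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # good enough for a demo

def registrable(host):
    # Crude approximation of the registrable domain: the last two labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def host_in_text(text):
    # If the visible link text itself looks like a URL or hostname, return that host.
    t = re.sub(r"<[^>]+>", "", text).strip()
    return None if " " in t or "." not in t else urlparse(t if "://" in t else "//" + t).hostname

def triage(sender, body_html):
    """Return the red flags found in one message; an empty list means none were found."""
    flags = []
    sender_domain = registrable(sender.split("@")[-1].rstrip(">").strip())
    if sender_domain not in KNOWN_DOMAINS:
        flags.append(f"sender domain {sender_domain} is not one we have on file")
    for href, text in LINK_RE.findall(body_html):
        href_host = urlparse(href).hostname or ""
        if registrable(href_host) not in KNOWN_DOMAINS:
            flags.append(f"link points to unknown domain {href_host}")
        shown = host_in_text(text)
        if shown and registrable(shown) != registrable(href_host):
            flags.append(f"link text shows {shown} but points to {href_host}")
    plain = re.sub(r"<[^>]+>", " ", body_html).lower()  # strip tags before the keyword scan
    for phrase in PAYMENT_PHRASES:
        if phrase in plain:
            flags.append(f"requests payment details: '{phrase}'")
    return flags

if __name__ == "__main__":
    for label, sender, body in (("phish", PHISH_SENDER, PHISH_BODY), ("benign", BENIGN_SENDER, BENIGN_BODY)):
        print(label, triage(sender, body) or ["no red flags"])
```

A hit on any flag is a reason to reach the institution through contact details you already hold rather than through the message itself; an empty result is not proof the mail is genuine.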
In Todd’s article we read that a key tool for fighting phishing attacks “is a secure email gateway,” along with a host of other rather complicated security technology solutions. But reliance on technology alone is not the ideal solution here, especially for budget-wary or non-tech-savvy small businesses. Also, I take Wynne’s statement about how “attackers are easily bypassing these traditional prevention mechanisms” one step further: attackers (especially those who are well financed) will continually exploit the inherent insecurity of an Internet that was originally meant to be open to all. For example, did you ever wonder why Microsoft is always sending out Windows security updates and patches? The bottom line here is that you need more than technology to fight this problem.
Ultimately, the solution lies not in technology alone but in technology combined with human beings who recognize suspicious emails and decide what should be done. I think Gartner’s Neil Wynne agrees, since he said “ultimately, the fact remains that human beings are the most vulnerable point of any information system.”
Whatever you do, the last line of defense against phishing attacks will always be employees. They must receive the latest training to help them recognize and respond to phishing attacks, and they must be encouraged to remain vigilant; otherwise, as Rob Enderle, principal analyst at research firm Enderle Group, warns, “over time, people tend to start thinking it will never happen to them…”
So, do you know when someone is phishing for your confidential information?
Check this image to learn the signs or (if you don’t trust my links) just Google “stop phishing attacks.”