No Phishing on Sundaes

What is a surefire way to identify phishing attempts?

Just remember a popular ice-cream treat: SUNDAE, said Mr Cody Li, a consultant from the Cyber Security Group at the Government Technology Agency (GovTech) of Singapore.

He was speaking at the recent Cyber Safe Cyber Ready 2016 seminar and exhibition, organised by GovTech and held at Pan Pacific Singapore on 21 October 2016.

The event was dedicated to educating public sector employees on the importance of cybersecurity today.

The SUNDAE acronym stands for:

• Spelling errors or bad grammar
• Urgent or threatening messages
• Never click on links
• Do not trust unknown display names or email addresses
• Attachments could be malicious
• Email signature could be fictitious

Say you receive an email which appears to be from Outlook, requesting that you click on a link to increase your inbox space. Using the SUNDAE framework, you notice the urgent and threatening message prompting you to click.

Here, Mr Li advises never to click on the link provided, but instead to hover your mouse over it to view where the URL goes to—most probably a malicious site.

You may also notice that the sender’s email address ends in @upr.edu, for example, which Outlook does not use and thus is not to be trusted, added Mr Li.

Furthermore, the email signature is an unusual way of signing off for the company—another red flag.

For bonus points, if you notice that the ‘To’ field is blank, that means that the email is not directed to you, but rather, is a mass email. Four hits in, and it will be obvious that this email is phishing for credentials.

“If you are observant enough, you should be able to spot these phishing emails,” Mr Li said.

Social Engineering: the Human Factor

Such practical advice is timely, as Singapore is now seeing more cases of cheating involving internet-enabled scams, Mr Kelvin Chua, Superintendent of Police, OC Prevention, Technology Crime Policy Branch of the Singapore Police Force, noted during his session.

While Singaporeans continue to enjoy an overall low crime rate in one of the safest countries in the world, cybersecurity is a shared responsibility, and tackling cyber crimes in today’s context is a matter of when and how to effectively respond, Mr Chua explained.

“People like you and me can the weakest link,” he said.

Social engineering techniques, as those who watch the hacker drama series Mr. Robot will know, are one way that hackers and cyber criminals can gain your trust, impose authority or instil fear, for the purpose of stealing crucial personal information.

As an example, there exists a phishing website that was created to steal Singpass usernames and passwords, Mr Chua said.

This fake Singpass website, which looks just like the real thing, may fool all but the most eagle-eyed of observers.

Its URL is singapass.sg, just one letter off from the original. “Besides stealing user logins, this website might open the doors for malware to enter your device and take control,” he warned.

Users should also be aware of ransomware, a type of malicious software that spreads through email or lurks on untrusted websites, said Mr Chua. Ransomware numbers are on the rise, with almost 4,000 ransomware cases a day worldwide, he said.

While he concedes that it is a bit more challenging for human resources and finance professionals who need to process attachments such as invoices, they should make it a point to scan or screen these attachments before downloading them.

“If you receive a ransomware notice, do not switch off your computer and be quiet about it. Approach your company’s helpdesk or IT security department right away. You may also visit nomoreransom.org to learn more,” Mr Chua advised.

What Hillary’s Leaked Emails Taught Us

The importance of user awareness of cybersecurity was brought home by Mr Ryan Flores, Threat Research Senior Manager for APAC at Trend Micro.

He cited the famous—and equally infamous—scandal surrounding US presidential candidate Mrs Hillary Clinton’s leaked emails.

Mr Flores showed the audience a screengrab of a phishing email that came from the same attack group that carried out the US Democratic National Committee (DNC) hack, but which had the subject line “Product Enquiry”.

“This email does not contain any attachment but I know for a fact it came from a scam,” Mr Flores remarked. “This particular scammer is requesting some information to establish a relationship first; This is also a form of social engineering.”

As proven by the DNC hack, Mr Flores said that if attackers are able to see Mrs Clinton’s credentials, accounts of her staff could be hacked as well, revealing email threads discussing political moves, donor information and so on.

If hackers could somehow obtain the credentials of heads of finance or sales of various companies, they can access email threads on business transactions and even masquerade as that particular individual and send emails on their behalf, from their very own email account.

The hackers then merely need to spy on that mailbox and wait for an opportune time to divert cash transactions to their own bank accounts, Mr Flores explained.

Thus, employee education is essential here, Mr Flores said, adding that companies may introduce more security in internal processes and policies, and push for user awareness.

“Singapore is organising all these conferences on cybersecurity. They are a good time not only to learn but also to network, see what the security pain points are, and share your experiences and best practices,” he concluded.