Email Phishing: Know the enemy

Written on Jan 24, 2017

By Travis Vogt, CPA, CISA

Think of your email inbox as a wide open virtual front door to your computer network, as it is inherently necessary to allow communications from outside parties to come in. It’s through this access that attackers use phishing campaigns to try to breach your network. Phishing, in its simplest terms, refers to an attacker masquerading as someone or a business to get you to do something you shouldn’t. There are many types of phishing, from phone calls to text messages but, by far, the simplest and most effective method is email.

Sun Tzu wrote in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” If you know how cyber criminals use email phishing, and know what you can do to prevent being a victim, you can be more secure when accessing your inbox. Here are three popular goals of phishing emails and what can be done to prevent and mitigate the potential damage:

Attack goal: Holding your data hostage

This attack is based on a classic email phishing scenario that’s been around for decades: tricking the target to unknowingly install malware. In the past, these tended to be viruses or worms that wreaked havoc on the victim’s computer. Although these destructive payloads still exist, attackers are turning to a much more profitable endeavor: ransomware. This variety of malware uses strong encryption to lock files, rendering them inaccessible. The only way to regain access and (nominal) control is to obtain the key to unlock the files by paying the attacker’s ransom, and there’s no guarantee the key will work.

Ransomware typically is deployed through a phishing email in one of two ways: an attached document or a hyperlink in the message body. The malicious attachments can seem benign (a Microsoft Word document or a PDF file), but once opened, macros or embedded code run silently in the background and install the ransomware. Similar to attachments, hyperlinks may not show any sign of concern because it’s simple to disguise the destination of a link. Once installed, ransomware goes to work encrypting as many files as it can access. Depending on how your network storage is configured, a ransomware attack could mean a staggering amount of files potentially are lost forever. It’s likely the entire drive will be encrypted before you notice anything happening.


Applications used to access email should be configured to open attachments in a “read-only” mode and also block particularly risky file types such as java script (.js) and executables (.exe). These barriers may delay or deter ransomware before it begins self-installation. It’s also a good idea to use anti-malware software to scan incoming mail for links to known malicious sites. By far though, the simplest and most effective prevention method is teaching employees to think before clicking a link or attachment.

Incremental backups and testing the restoration capability of those backups should be a standard, pre-scheduled procedure. If you’re infected with ransomware, being able to restore data to a point in time before the attack means you may lose a day or two’s worth of work instead of years of data.

Attack goal: Steal sensitive data

The goal of this phishing attack is to convince the victim to provide sensitive data. Personally identifiable information (PII) such as a list of Social Security numbers and financial accounts with associated names and addresses can be very valuable to criminals. Increasingly, personal health information (PHI), including health insurance identification, is being compromised. Company confidential information, such as customer lists, also is being stolen. The more actionable information attackers can get, the more they can sell it for, so they’re becoming more personalized and targeted. Although social engineering still is the dominant means of hacking, criminals use social media and other publicly-available information to determine the organization structure of a target company. This allows them to spoof the email address of high-level personnel to elicit PII from target employees.


Always confirm the validity of the request through some other channel, such as in person or over the phone. Implement and enforce company policies requiring personally identifiable information be encrypted if sent through email. When encrypting, use a strong password with at least 10 characters and a mix of upper- and lower-case letters, numbers and special characters.

Attack goal: Obtain your username and password

This attack has a simple goal: obtain your login credentials. This is where social engineering produces major returns for criminals. With the increasing reliance on cloud-software storage, attackers only need a user name and password to remotely gain full access to those resources. These breaches can quickly multiply if the victim has poor password techniques, such as using the same password for multiple sites.

The typical phishing technique involves sending an email that looks identical to one you’d receive from your bank, cellular provider or company IT department. The email will contain some sort of urgent request, such as a large charge on your credit card that needs to be verified, and a link to login to your account. The destination of the link is a site that looks identical to the expected page. However, when you log in, rather than accessing your account, you will have provided the attackers your username and password.


Never click a link in an email you didn’t explicitly request or confirm independently. Did you request a password change and receive an email with a link to change it? Click away. However, say you receive a fraud alert from your credit-card company, verify it by going directly through the company website you normally use. Always use unique passwords for each website or service. This will limit the scope of a breach, if it occurs. Consider using a password manager (there are numerous secure providers available) to help organize and store passwords for multiple sites.

Phishing is a very real threat to anyone who uses email. Because email allows attackers from any part of the world the potential to directly access your system, and because phishing attacks are so successful, they’re not going to slow down anytime soon. The good news is you can mitigate the potential damage by using the most conservative (and these days, practical) advice. It’s easy to be complacent when checking your inbox, but you absolutely must remain skeptical of all links, attachments and requests. Cyber criminals are counting on you to do otherwise.

Travis Vogt, CPA, CISA is the IS Compliance Manager at Landstar System, Inc. in Jacksonville, Fla. He holds a bachelor’s in accounting from the University of Florida and a master’s in accounting from the University of North Florida. Before joining Landstar, Vogt worked as an auditor for KPMG.

Reprinted with permission of the Florida Institute of CPAs from the November/December 2016 issue of Florida CPA Today.

Leave a comment