If you spend time every day worrying about the risks in using email, you might be a security professional.  Email is dangerous even if you don’t realize it.  Imagine that you are just walking along a bridge safely.  What you don’t realize is the pit that is just a few inches below the bridge is filled with snakes, gators, and poison spikes.  One small mistake could mean – dum, dah, dum, dum, duuummmm.  Email is dangerous, seriously it is.

HIPAA For MSPs by David Sims Email Is Dangerous

Email is the simultaneous source of much dread and productivity for most people every day.  For years we have had vast numbers of emails telling of the latest “email killer”.  Those solutions have just gone away or become another communication tool we use in addition to email.

The funny thing is even my nephew who rarely looked at his email while in college is now on top of his email since he started his first “real job”.  I had assumed the millennials would finally break us away from email with their reliance on other communication tools.  They may still do it yet.  However, it hasn’t happened so far.  One reason it isn’t happening is that they don’t standardize on one method of communication for very long.  A group of friends will all use one tool for a while.  Then, you meet another group that uses another tool so you start using that one to talk to them.

Business needs a tool that works internally for a company and externally with customers and partners.  So far, that standard is still email.  Even if you use 15 other tools for that communication to get started it will end up in an email at some point.

So, back to the point of this episode.  Email is dangerous.  It is such a common tool that we must start teaching people to treat it that way.  How is it dangerous, you may ask?  Let us count the ways.  Well, let us tell you just a few concerns you should have about your team using email.

Proofpoint reports show email is dangerous

“ThreatList: Credential-Sniffing Phishing Attacks Erupted in 2018” tells us how the goal in many phishing scams now is to get credentials, not just to load malware.  But they and many others got their information from a pretty cool report put out by Proofpoint (Wombat is now Proofpoint).

People are the top target for hackers these days.  Also, it is more about stealing credentials than ever before.

Proofpoint also put out a notice about a new custom web font phishing technique that they found.

Real-world examples show email is dangerous

How about some real-world stories we can share with you.  We have several to go with here.

Even more tricky

Here is an article about one that is fooling even security pros.

Just picked this one up today. They are making sites that look like legit blogs you would want to read. But, you have to log in for a free account to read it. Use FB OAuth. No problem until the FB popup is shown to log in. That isn’t really FB. You’re just giving hackers your FB login info. MFA is a must for any OAuth accounts like Google or FB or LinkedIn.

CCRM sends out spam to patients

First, there is the one from CCRM.  CCRM is a large IVF clinic with 19 locations across the U.S. and Canada.  This problem only happened in the Dallas-Fort Worth location.  They notified over 1,100 patients in November about a data breach involving an email account.  What makes this one super special is the account belonged to a nurse who no longer worked there.  That’s right.  A clear example of a termination checklist at work – NOT!  The nurse didn’t use the account but at some point, someone had managed to get the credentials to the account.  They were using it to send spam to patients!  The notice says that once they got notifications from patients they took immediate action:

…the practice immediately contacted its IT vendor to deactivate the account and determine what information may have been impacted. The investigation determined that an intruder could have viewed or accessed patients’ names, addresses, email addresses, health information, insurance information and medical history within the account, and for a limited number of patients, Social Security numbers and driver’s license numbers.

After the patients let them know, they called IT to deactivate the account.  This is one of David’s favorite issues!  If the account had been properly disabled when it should have been, this wouldn’t have happened.

Next, they say the intruder could have viewed or accessed PHI within the account.  We can only assume the PHI was in there because it was considered safe because it was encrypted.  Another problem that sets people up for failure.  The assumption that encryption means you don’t have to worry about anything else with your email.

Finally, the notice includes the standard statements about how seriously we take privacy and security and how sorry they are this happened.  It also says there is no evidence “that an unauthorized third party actually viewed or accessed patient health information and we are not aware of anyone’s information being misused”.  I personally hold issue with that since this breach is how the patients received the spam.  If they didn’t catch the spam or have it blocked for them, they may be harmed and not even know it!

David also has a long story that ends with one of his clients getting invoices from his old company name because a Yahoo email account was hacked.  Yes, the person in charge <cough> the doctor <cough> didn’t want to stop using his tried and true Yahoo account even though he had a business one.  Maybe he never changed the password because he didn’t hear about the 3 billion accounts involved in the Yahoo breach.

Autocomplete addresses allow sending PHI to the wrong person

As I often do, let’s just say I heard about this one personally.  (You know who you are when you hear this one.)  A cool feature in email clients such as Outlook and even in Gmail web clients can be another sign of how email is dangerous.  You know when you start typing a name and you get a list filled in automatically for you.  Yes, it is so nice that the program gives you a list of names and tries to “guess” who you want to address the email to so you type fewer characters.

Yes, that is so convenient but what do we say about convenience?  Security is not convenient.  Once you get an address in that list it continues to show up for you when you type names similar to it.  Sending a message to an address just one time is all it takes for that name to show up any time you type John.

When that happens and you also have a John you work with, then things can go awry easily.  You need to send PHI to John at work but you type John and press enter.  That sends the email to, you guessed it, John Jacob Jingleheimer Schmidt.  Boom, you have a data breach that must be evaluated and dealt with because of one enter key.

The easiest way to avoid this is to turn off that suggestion feature.  It can be done in all versions of Outlook and in Gmail, though in a different manner for each.  Either way, it won’t suggest names just because you sent them an email recently or ever.  Nope, not as convenient but then again – not as risky either.

Verizon case studies include specifics about email

Verizon case studies show that email is dangerous, too.

Ever popular webmail phishing campaigns prompted dozens of unsuspecting employees in one company to divulge their login information. Then the self-service payroll accounts of these individuals were accessed and direct deposit information changed, netting the attacker sizable paychecks for a hard day’s work.

All my emails are gone. So are everyone else’s at my domain.

This one is from the story that came out just this week.  It must have been another one of those moments when a tech person was in the fetal position as David mentioned last week.

The story I first saw was here:  Hackers Destroyed VFEmail Service – Deleted Its Entire Data and Backups.  It is very scary to imagine that your email hosting company may have this happen.  If it happened to one host you can never rule it out.  You have to consider this another risk that shows us our reliance on email is dangerous.  Somehow, we don’t know just yet, the entire email service was wiped clean by hackers.  Everything was wiped out – gone.

Hopefully, we have made a difference in your fear of email.  The knowledge that email is dangerous means you have a fighting chance of defending yourself.  Stay diligent and make sure you walk down the middle of a very stable bridge.