Gone Phishin' | UNITS Magazine

the Magazine of the National Apartment Association

UNITS Header Navigation

Mobile menu

March 2016

Gone Phishin'

 

March 2016

Email phishing scams are becoming more sophisticated. Learn to spot red flags and train your employees on how to recognize them and prevent unwanted access to files.

It's easy to see how a recipient would not notice the difference between emails sent by scott@allresco.com and scott@allreco.com. But by simply removing the letter "s," email phishing scams can capitalize on those not paying attention, and it can bring down a company's email operation, or do far worse damage.

Email scams, such as those involving "Nigerian Princes" who are looking for wire transfers, have been around for awhile, but scammers today have become more sophisticated in their attacks.

Scott Pechersky, Vice President of Technology at Alliance Residential Company, shared some of his observations and explained what apartment community owners and managers can do to fight against such strikes.

NAA: How common are email phishing scams, and how aware do apartment communities need to be about the opportunities for scamming?

Pechersky: Very aware. We get these scam emails daily. We put in spam filters and things that try to weed them out, but a lot of these attacks are becoming more calculated. The scammers are researching and identifying individuals from either the community or corporate offices and phish-attack them directly.

NAA: What are key red flags that apartment community staff need to be aware of that might indicate that the email they're reading is spam and is attempting to collect their personal information?

Pechersky: We always warn against clicking on any links. And be very cautious about who sent the email.

What we see even more is people who pinpoint our domain. They're buying domains that are similar to ours. Ours is allresco.com, so they buy allreco—or a domain that is off by one letter—and they send an email to an individual that uses our email address, stating that it's from our company's accounting or HR department, and they ask for personal information. They then hope the recipient opens it and shares that information.

The most important—-and obvious—thing that recipients should do is look at the domain and be sure it is authentic. Even that doesn't help completely, because scammers could still spoof the domain and the emails that they send. But if staff members do happen to reply, they need to make sure that it actually is going to the domain.

For example, if the email comes from scott@allresco.com, when staff members reply, they need to make sure it's not being sent to scott@allreco.com.

Internally, we try to educate our users as much as possible up front. We tell them that we are not going to ask for this information via email. We tell them that if they have any question about whether an email is legitimate, that they please pick up the phone and call that person directly. Don't do so by replying to the email.

NAA: As part of the education, do you send out test spam emails to see if any of your employees click on them or click on the links in the emails?

Pechersky: That's something we're exploring. It will be implemented in the first half of 2016. We'll have a third-party send emails that look very much like the type of spam email that we have seen sent our way. And if team members click on those, they are triggered automatically to attend classes about cyber security. We piloted it with a small group, and it is pretty funny to see how many still click on the emails that they really shouldn't.

In addition to education, we'll also be building more sophistication into some of our firewalls and filtering systems in an effort to help the people who aren't really being as diligent with what they're clicking on.

NAA: That makes sense. When you do identify a spam email, how do you go about not only containing it within your system, but also potentially busting the person who sent it, or at least alerting authorities or appropriate folks?

Pechersky: We have dealt with ransomware (a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction). And we did submit, per request, to the FBI. But, quite honestly, we never heard back.

As for faking our domain, this happened three or four times per week with different domains being bought and thrown our way. So I typically will reach directly out to the domain registrar, and they're very good about disabling them right away.

NAA: What's the worst-case scenario that you've faced in dealing with scammers?

Pechersky: The worst are ransomware that encrypt all your files, and you lose all access to your files unless you have a backup. Luckily for us, we do. But not all companies have properly invested in backups.

Another is paying these cyberterrorists through bitcoin (malware operators demand bitcoin because it is not traceable), and then hoping they give you the key to decrypt it. We've never had the situation where we had to pay, but I certainly wouldn't trust that the correct decryption key would be sent in exchange for the money. I've heard that almost anyone can download a package to do some of these attacks on people's computers. Some are so unsophisticated that they literally didn't do it right. So even if someone did pay them, they did not have the decryption key keyed correctly.

NAA: Is there any other advice that you typically give during panel sessions or that you can share in general about data protection?

Pechersky: We always recommend to staff-if there's any question at all-just delete the email. Someone will follow up with you; nothing could be so urgent that you can't wait. If you truly think it is urgent, and you are worried, pick up the phone. Do not continue correspondence via email, because even if everything is legit, there's no safeguard to say that someone on the other end of that hasn't been compromised.