Lessons Learned from Clicking

December 14, 2015 | Posted in:

Data Protection, Managed IT, Network Design & Implementation, IT Security

Posted by April Laverriere

Keyboard_ORIGINAL.jpgWe all receive information and education about what not to click on in terms of attachments, suspicious files, messages, and website advertisements. With today's sophisticated social engineering attacks, it's difficult to discern what's trustworthy versus what is not. Here's a first-person account of what can happen when you do click on an electronic "something" that is ill-intentioned.

The "Situation"

I began my day by entering our company inbox to scan emails that had come in throughout the night. The inbox included varying emails along with a job applicant's email and resume. Because this happens several times a month and is not out of the ordinary, I forwarded the email to our HR representative for further review.

What's wrong with that, you ask? I didn't inspect the email enough to notice the many "red flags" that were vague, but apparent:

  1. The email was from an address with a foreign country's postscript.
  2. The sender's name was suspicious in format.
  3. The attachment was a Word document, as many resumes are, but a specific job was not specified.
  4. The body of the email did not mimic a typical cover letter format.

By forwarding the email and clicking on the resume, both my HR representative and I were infected with malware. Now what?

The "Quick Fix"

One benefit of working at a Managed IT Solutions company is that we have the monitoring and security solutions in place to catch these threats and ill-intended programs right away. Within moments, our engineers descended upon our computers because alerts had popped up in the system with our names attached. They ran the appropriate scans, discovered the malware on our computers, and had the viruses contained and deterred before serious damage could ensue.

The Lesson Learned

In the end, the best case scenario (other than not clicking!) had occurred as a result of having the right preventative solutions in place. Had that not been the case, the story could have taken a more serious turn; instead of two people infected, the whole company could have had files encrypted for ransom and/or secure information stolen.

Here are the lessons learned from this experience:

  1. Understand if your network is adequately protected by signing up for a complimentary Security Assessment.
  2. Conduct annual Security Awareness Training, as we do at Systems Engineering, with your employees so they can spot the "red flags."

IT Security Consultant, best-selling author, and hacker, Kevin Mitnick, said it best when he stated, "Think before you click." Those are words to live by.

For questions, email info@syseng.com, or to speak with a Systems Engineering representative, call 888.624.6737.