Guest contributor Bob Covello isn’t happy about automated emails being sent out by a legal firm.
How can we teach security awareness if the legitimate messages ring all the warning bells?
One of my colleagues received the following message from a “law firm” the other day.
This is an actual screenshot of the message:
(The message also contained a telephone number and a confidentiality notice, which I have omitted for brevity.)
Does the email look suspicious to you? It should. The message contains three tell-tale signs of a potentially malicious message:
- First, it arrived unsolicited, from an unknown sender.
- Second, its body contained nothing more than a vague subject line and the name and purported title of the sender.
- Third, it carried a PDF attachment with a generic, uninformative file name.
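To show how those three signs can be checked mechanically rather than by eye, here is a small added example (written for this page, not code from the original post) that parses a raw message with Python's standard `email` library and reports each warning sign it finds. The two sample messages, the allow-list of known sender domains, the list of "vague" subjects and the 80-character body threshold are all constructed assumptions for illustration, not data from the post.

```python
import os
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed allow-list of domains the recipient already corresponds with.
KNOWN_SENDER_DOMAINS = {"example.org"}
# Assumed list of one-word subjects that say nothing about the content.
VAGUE_SUBJECTS = {"", "document", "update", "invoice", "fyi", "important"}
# Attachment types that warrant a second look when unsolicited.
RISKY_EXTENSIONS = {".pdf", ".exe", ".zip", ".doc", ".docm", ".js", ".iso"}
# Bodies shorter than this are treated as "signature only" (assumed threshold).
MIN_BODY_CHARS = 80

# Constructed message mimicking the post's "law firm" email (addresses are made up).
SAMPLE_RAW = """From: Jane Doe <noreply@example-lawfirm.invalid>
To: colleague@example.org
Subject: Document
Date: Tue, 01 Jan 2019 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Jane Doe
Paralegal

--b1
Content-Type: application/pdf; name="document.pdf"
Content-Disposition: attachment; filename="document.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed benign message from a known correspondent for contrast.
BENIGN_RAW = """From: Bob Smith <bob@example.org>
To: colleague@example.org
Subject: Agenda for Thursday's vendor review meeting
Date: Tue, 01 Jan 2019 10:05:00 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hi,

As discussed on the phone this morning, here is the agenda for Thursday.
We will cover the contract renewal and the open support tickets.

Bob
"""


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if unparseable)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def attachment_names(msg):
    """File names of every MIME part flagged Content-Disposition: attachment."""
    return [part.get_filename() or "" for part in msg.walk() if part.is_attachment()]


def body_text(msg):
    """Plain-text body, or '' if the message has none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content().strip() if body else ""


def warning_signs(raw, known_domains=KNOWN_SENDER_DOMAINS):
    """Return a list of human-readable warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    signs = []

    # Sign 1: unsolicited mail from a sender domain we do not already know.
    domain = sender_domain(msg)
    if domain not in known_domains:
        signs.append(f"unknown sender domain: {domain}")

    # Sign 2: vague subject and a body that is little more than a signature.
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in VAGUE_SUBJECTS or len(subject.split()) <= 1:
        signs.append(f"vague subject: {subject!r}")
    if len(body_text(msg)) < MIN_BODY_CHARS:
        signs.append("body is little more than a signature")

    # Sign 3: an attachment of a type commonly used to deliver malware.
    for name in attachment_names(msg):
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            signs.append(f"risky attachment type: {name}")

    return signs


if __name__ == "__main__":
    for label, raw in (("law firm sample", SAMPLE_RAW), ("benign sample", BENIGN_RAW)):
        print(label, "->", warning_signs(raw) or ["no warning signs"])
```

Run as a script it prints four warning signs for the first message and none for the second. The checks are deliberately simple heuristics: a real mail gateway would add SPF/DKIM/DMARC results, reputation of the sending domain and content inspection of the attachment itself, but even this much is enough to see why the firm's automated mail trips every alarm a security-aware reader has been taught to watch for.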
Fortunately, I work with very security-aware colleagues who know the signs of a bogus message, and they alerted me to it.
When I researched the purported sender, I found that the email had come from a legitimate organization. I called the office to ask about the message and was shocked to find out that it was a genuine message, sent by their automated mailing system.
How are we to train our staff to recognize and not click on attachments in unsolicited messages, only to be undermined by a careless legal firm?
I am not using the word “careless” lightly either. When I contacted the sender on the phone, I was told: “Our mailing system just does it that way.” They simply did not seem to care at all.
This creates a problem in two ways.
Firstly, that firm may be losing business, since most of the civilized world is probably ignoring their messages, or worse, their messages are being caught by spam filters and never reach the intended recipients at all.
Secondly, if they are accustomed to sending such poorly formatted messages, then they probably click on equally suspicious messages that they receive, which makes them an easy target for cybercrime.
I decided to use the contact form on their web page to alert them to the problem, and I received yet another automated message notifying me that they would review “my case” and assign a dedicated team of attorneys to it.
*Sigh* I don’t need an attorney, I just need a good headache medication.
One would hope that a firm that sends out suspicious messages would at least employ a competent tech team to configure their systems correctly. I remain hopeful that this is just an anomaly, and not the norm.
My wife works in a finance/payroll position. One of the worst she received was a similar one-line email stating "Update" with an attached EXE file. No name, just sent from an address at a company she'd vaguely heard of. She looked up their support staff, rang them up and was told "Oh yeah, that's from us, why haven't you installed it?" She tried to explain why, but kept getting told "but it's from us so it's ok"!
There are also many banks and other "legitimate" businesses that run lots of off-site scripts (Facebook, Google, Adobe, multiple analytics companies) on their login pages. They limit passwords to alphanumeric characters, limit the length so you can't use a passphrase, and only offer a 2FA method that requires you to give up a phone number, which they shouldn't need.
When will the Feds produce a best-practices guide that will shame companies into limiting off-site scripts? When will they stop linking our email addresses to their passwords, so that any compromise is easier to match up with other compromised databases? I guess it's too much to ask that they allow us to enter our own salt in a separate field when logging in.
Xero invoice emails are pretty bad for this: attachments from a generic email address unrelated to the sender, asking for money.
Just a custom display name.