
Phishing

August 14, 2019

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Below is the transcript of the KyCPA podcast with special guest Jay Mallory, executive vice president of marketing and business development at ImageQuest, who spoke about what phishing is and the dangers that come with it.


Marvin Stewart (Host of KyCPA podcast, Behind the Numbers):
I'm here with Jay Mallory. Jay, if you could just talk about yourself and what organization you work for?

Mallory:
Sure, absolutely. Yeah. My name's Jay Mallory. I'm an executive vice president of business development and marketing at ImageQuest, and ImageQuest is a managed IT services, cyber security, and compliance consulting company. We work with many regulated industries and with a lot of industries that may not necessarily be regulated, but they work with regulated industries. As you know, there's a lot of buzz out there around cyber security, a lot of buzz around compliance, and there's no lack of that in the news almost every day.

Stewart:                       
Yeah. I think cyber security is becoming more and more important as everyone's becoming more and more online. I think it's just crazy how, I mean I guess hackers is the right term to use here, but just people trying to get information. I think it's definitely evolving to the point to where they're adjusting so fast and there's always different apps coming out. I feel like every week, everyday, you always hear breach, breach, breach, breach. Like every single day. It's crazy.

Mallory:                 
Right, right. The latest is the face app, right?

Stewart:                    
Yeah.

Mallory:                 
You could make yourself young and make yourself old. That's been just the hottest thing out there. Then come to find out the Russians created that app, and so there's a lot of buzz in the news today as to whether that is safe or not.

Stewart:
Oh my gosh. Something just so simple, just to be funny. I mean, I've seen people posting on Facebook, Instagram, and Twitter and everything. That's crazy.

Mallory:                 
It is. It is.

Stewart:                    
All right. Today, we are talking about the main sources of cyber security problems these days, if you could talk about what that is exactly.

Mallory:                 
Well at the end of the day, it's people. The bad guys and girls out there are inherently lazy, so they go after the lowest hanging fruit. It all starts with people. We are the weakest link in the cyber security chain. What does almost every employee of every company have? That email.

Stewart:                      
Yeah.

Mallory:
And that is the vector that the bad guys get in through almost every time. If you had a lot of paper files and a lot of information in your filing cabinets, you had to worry about someone breaking in and stealing those. Well today, those are all electronic, and all the bad actors know that. And they know that the people are the weakest link, everyone has an email, and that's how they get in 90% of the time.

Stewart:                      
Is through email?

Mallory:                 
Absolutely.

Stewart:                      
What is that called exactly?

Mallory:
Well, there's different terms for it. The one you hear the most is phishing. A phishing email is basically when a crook sends a fraudulent email pretending to be someone else. Phishing is they're casting, really, a wide net and they're searching for bites. I think most everyone who's listening today has seen the email with the link or attachment that doesn't really look right, asking for your network credentials, or they'll try to trick you into logging into a fraudulent website.

It's really all about stealing something of value. That could be money or that could be someone else's identity. But the bad actor, they cast a wide net and they just sit there and they wait for bites. When they get a bite they open the door, they go inside, they take a look, see what they can find. Sometimes they may find nothing. Sometimes they might get in and say, "Wow, here's some good stuff. Here's some medical records. Here's some financial records. Let's poke around here for a while."

If a bad actor hacks in and doesn't find anything, you may never know that they were even there.

Stewart:
Yeah. Yeah. It's like a backdoor. Like, I may not even notice until I'm directly affected or until something pops up that's been stolen. Right?

Mallory:                 
Right. Yeah, I think I left the back door open to let the cat out, but then I close it, right?

Stewart:                      
Yeah.

Mallory:                 
But you know, it takes around 180 days on average to determine if you've had a breach.

Stewart:                    
180 days?

Mallory:                 
180 days is average. So typically, the bad actors are in your system for an average of 180 days before you even know they are there.

Stewart:                      
That's scary. I guess, so it's kind of like those Nigerian prince emails? It's crazy, because nowadays they're like different apps now where people are making bot accounts and they're doing something similar where it's like, "Hey, I can send you money. Just give me your bank information."

Mallory:
You don't have a rich Nigerian somewhere?

Stewart:                      
Well, apparently I do. I get emails all the time. I guess it's the whole family.

Mallory:
You know what's crazy, and we laugh at that, and that was the first iteration of phishing, but it's still out there. I still see those and I assume someone is selecting that or clicking on that, right? Or they wouldn't be doing it anymore.

Stewart:                      
Exactly. It's obviously working on people if it's still continuing on. It's just scary how fast it's adjusting. We talked about the face app thing earlier. I mean, every time I feel like we're thinking what else can they do, and it just just changes. It's scary, but it's also like it's incredible how creative people are with these kinds of things.

Mallory:
Right. And they're getting smarter. I mean, it's getting harder and harder to tell whether it's a real email or not. The phishing email, they're casting a wide net, but what they're starting to do is they're starting to figure out, within a company, who should I be going after? That's called spear phishing, so that's more of a direct attack. Then there's the term whaling out there, where I'm going after a high-wealth executive. There's casting the wide net and then there's getting very, very targeted on who they're going after.

A perfect example is if you and I get a Nigerian prince email, we're probably not going to click on that. Right?

Stewart:                      
Yeah.

Mallory:                 
We're probably not going to do that.

Stewart:                      
Hopefully not.

Mallory:
Yeah. Let's say I'm a golfer, and I love to play golf, and my favorite golf course is Persimmon Ridge. Let's say I follow Tiger Woods and I follow Titleist on Twitter. I've got pictures of myself at Persimmon Ridge playing golf with my friends. I've been geotagged there multiple times. It doesn't take a bad actor's algorithms very long to figure out I like golf and I like to play at Persimmon Ridge. So we're not going to click on that Nigerian prince email, but if I got an email that looked like it was from the pro at Persimmon Ridge and it said, "Hey Jay, thanks for your patronage. We love that you're a member out here. Here's a $50 gift certificate to the pro shop. Click here to claim your reward." I might click on that if I'm not paying close attention. And behind that $50 reward, more than likely, is malware that's opening the door to my system.

Stewart:                      
Yeah. I guess that also ties back into the adjusting thing. I would never think to do that. Like, I love Waterfront Park. I'm there all the time in Louisville. It's crazy how I can easily be targeted by something saying, "Hey, we know you're at Waterfront Park all the time. Here are great Forecastle tickets." That's insane.

Mallory:                 
Exactly. Exactly. Free Forecastle tickets and you're like, "Wow! Free Forecastle tickets!"

Stewart:                      
Exactly.

Mallory:                 
You think to yourself, "You know, these guys are out to make money. Are they really giving away free Forecastle tickets?" Probably not.

Stewart:                      
That is true. I guess what you're saying is they rely heavily on I guess interest and I guess overall attachment, because in the moment I would never think I'm being phished because I hear about it all the time and I think, "Oh, I'm perfectly safe. I'm perfectly safe. Nothing can happen to me. I never opened those emails." But it's crazy how people can just figure out my interest based on my digital profile, which I imagine is probably a lot bigger than what I think it is.

Mallory:
Right. Every app on your phone, within the terms and conditions, allows them to follow you, geotag you; many you give permission to listen. There you go.

Stewart:                      
How can I avoid being phished? I know we've been talking about ways it can happen, but I guess, how can we avoid being phished?

Mallory:
It's easier said than done, but we all have to slow down. We all have hectic schedules, and we're all in a hurry. We're trying to get tasks done and I'm trying to move to the next email, so slow down, take a good look at the email. If it seems a bit odd or too good to be true, in your example free Forecastle tickets, delete it.

If it's important, it'll come back. The email will come back. But if it's something that you need to take care of immediately, pick up the phone and call the person that sent you the email and ask them, "Did you send this to me?"

There's other things you can do, Marvin. You can hover over the email address, and if there's a long line of, in technical terms, we'll call it googly goop, letters and numbers, that's typically coming from outside your system.

For our clients, we have a special email address set up for them to forward us emails that look suspicious. We'll take a look at them. Check in with your IT provider, check with your internal IT, have them take a look. Then there's all kinds of tools out there within Office 365 that will flag external emails. It'll even put a specific message on it that lets you know, "Hey, this is from an outside source." You can make that bright chartreuse green if you want to, to make it stand out. That's what we recommend for all of our clients, to be notified if it's an outside email. Then if I get an email from someone that works internally at ImageQuest and it has that little chartreuse sign on it that says, "Hey, this came from an outside resource," it makes you think maybe there's something not good going on here.

Stewart:                      
Going on? You're saying that like with email addresses, people can have them look shortened and like to where it looks like the person sending it to you? That's crazy.

Mallory:                 
Yeah, absolutely. I mean, think about it. You go out to Gmail and set up a new Gmail account. You can make the name of the sender anything you want it to say.

Stewart:                      
Like tools, are you suggesting antiviral software or like stuff like that? Would that help? I know, is it Malbytes? Is that how you pronounce it? Stuff like that? Will that catch it or is that a completely separate thing?

Mallory:
Well, you've got your firewall that's stopping things from the outside from coming in. But yeah, antivirus is taking a look on your PC, or your laptop, whatever you're using there, and it's taking a look. It's looking for things like this, but the bad guys are creating new malware every second. So if they get ahead of the malware, then yeah, things can get through, and you just have to be diligent about what you're doing and what's in an email.

Stewart:
I know you said that people have to check the email address. Why don't they just check the email address? If people know about phishing and know how to avoid it, why are they not checking it when they may know the risk?

Mallory:                 
First of all, many folks don't know to do that. Don't know to take a look. But even if you do, like I said earlier, we get in a hurry, we're overworked, we're distracted, trying to motor through that inbox to get everything taken care of, you're multitasking, you're not paying attention. Things just happen.

One of the classic phishing emails is to find out who an executive is in the company, and then you go find out who the newest employee is, and send them a phishing email asking them to complete a task. So if I'm a new employee and I get an email from the boss, I want to please the boss. I want to be a good employee, so I immediately follow up on that and take care of whatever that request was. Many times, that's a phishing attempt. It's all about social engineering and all about getting inside the psyche of the person.

Stewart:
That's just crazy how it's basically like people are preying upon people and exploiting stuff like that. I would never think to do that, but the fact that people can and will, I guess that's just crazy. I think a lot of people now are just not, like, the Internet is always changing. It's impossible to always stay on top of it. It's always changing. It's impossible to know what's going to happen one day, how viral something's going to go, and it's just crazy how the adjustment process is for everybody. It's only up from here, I feel like.

Mallory:
Right. Right, right. You asked the great question of why doesn't everyone just hover over the email, and you have to train your employees to look for the telltale signs of a phishing email. I work with a lot of companies that tell me, "Oh, we do this online cyber security training." In my experience, you really have to combine that with in-person training. You have to get people out of their element, out of their office, away from their computer, and put them into a room, and have someone come in and talk to them about the dangers that are out there and things they can look for.

And not only cyber security training, but talking to them about what the ramifications of a breach are to their organization. It can lead to lost customers. It can lead to fines, it can lead to bankruptcy. Their job is on the line and they need to look at it like that. We have clients that go as far as having a sanction policy for their employees, so there's real teeth if an employee clicks on something they shouldn't click on.

We have those where we can send out fake phishing emails. They look very real. And we can tell you who in your organization actually clicked on that phishing email and who didn't. Who needs more training.

Stewart:
Wow. Talk about that. Did you open this email? Nope. No. Yeah, you did.

Mallory:                 
Right. Send them back to remedial training if they do something they shouldn't do. But you've got to train your employees. I mean, there has to be some teeth, there has to be a sanction policy. You also have to have IT policies. You know, we've talked about this, but there's really nowhere to hide. You have to have policies in place for if something does happen, we're all on the same page. Remember when we're kids, we all practiced the fire drill, right?

Stewart:
Yeah.

Mallory:
We practiced that fire drill, and we all went outside, but we practiced it, and we were ready for the day of the fire. You know, the day of a fire in a company is the day someone has hacked in, they stole 16,000 records, or they have them, and they're asking me for a ransom to get those files or give that information back to me. That's a fire, when I've lost my client information and I have to pay someone to get it back, and I have to notify my clients that this has happened.

Stewart:
Which can cause a whole avalanche of problems.

Mallory:                 
Absolutely. Absolutely.

Stewart:                      
Safety is definitely important. Why would someone want to target an accounting firm?

Mallory:                 
Well, that's a great question. Let's think for a minute what an accounting firm has. Tax return, right?

Stewart:                      
Yeah.

Mallory:
I have tax returns, you have tax returns, we all have our tax returns. But what's in that tax return is a lot of personally identifiable information. If you think about it for a minute, you've got your name, you've got your address, you've got your social security number, you've got your wife's social security number. If you have children, it has your children's social security numbers. Like I said earlier, the bad guys are trying to steal something of value, and what is of value to them? How can I create a new identity? If I've got your name, I've got your address, I've got your social security number, I have a lot of the pieces in place to create a new identity.

Stewart:
And something you won't even know, won't even notice for a while. You said 100 and, was it 80 days or eight days?

Mallory:                 
It's 180 days on average. Now, there's certain tools you can have in place that will alert you immediately if you have had a breach, but your typical CPA firm may not have those tools in place. They may not have trained their employees, may not have policies, they may not have had a risk assessment, so may not have things in place that would allow them to know something has happened.

What happens more times than not is you've had a breach, you don't know about it, and then your client finds out that their data has been stolen and they come back to the CPA firm and say, "Hey, I found that my data was taken. Do you know anything about this?" That's when it all starts to unravel.

Stewart:  
Yeah, I mean that's so many people, right? I imagine if they got one person, they probably have multiple at that point, considering every tax information and stuff has a lot on it and everything.

Mallory:
Yeah. They go after all of that. And some accounting firms provide payroll services, so they hold data on the employees of the companies they represent.

Stewart:                        
Wow. I never would have thought of that.

Mallory:
They do billing for their clients. Your CPA is one of your most trusted advisors. You allow them to have access to a lot of information, and if you pay attention around tax time, that's when you see a lot of phishing emails coming in that look like they're from your CPA.

Stewart:
Oh my gosh. That's so scary. It's kind of like dodging bullets, it seems like, especially in tax season.

Mallory:
That's right. Exactly. Right. Yeah, it's scary out there, but if you can train your folks, provide some fake phishing tactics to make sure they're paying attention, make sure they understand the impact of a breach.

Have a risk assessment. There are third party companies out there like ImageQuest, and we provide this as well, that come in and look at your risk, identify your risk, create a gap analysis, and work to close those gaps. And as I mentioned earlier, have a written plan in place and practice it in the event of a breach.

Stewart:                        
I guess on that note, what are ways that our members can protect themselves against these attacks? I mean, you touched on it a little bit there.

Mallory:
Yeah. I think the number one thing you can do is train. Train your employees. You have to create a culture of compliance and security, and it all starts at the top. Many times, we have provided training for an organization, but the CEO is not in the room. We put in place that everyone has to have a complex password and you have to change that every 90 days. That's good for everybody but the CEO. So, it really starts at the top. Cyber security and compliance, it's not an IT issue to solve. IT needs to be part of it, but it all starts with the executives and starts in the board room. If it starts at the top, then the employees of the organization pay attention.

Stewart:
Yeah, I definitely think you're right about the IT thing. I think a lot of people, with IT, automatically assume they can fix everything, but usually if there's a problem, it's because someone within the department did it. Outside of IT, like, you have your issues, but if you would have had the protection against it, you wouldn't be in the same position where you're putting them in a corner, as well.

Mallory:
Yeah. Yeah. I don't know if the right word is excuses, but I talk to a lot of organizations that don't have any of this in place that we've talked about. There's a few things that I hear from them.

One is IT is taking care of it, and typically IT is not taking care of it 99% of the time. They're taking care of some of it, but they're not taking care of all of it.

The other thing that I hear is we will get to it. It's on someone's list of things to do, and we have championed them with writing our IT policies or writing our incident response plan. Typically it goes to someone who doesn't have the time to do it and doesn't have the skill set to do it, so it sits on the list of things to do and never gets done.

Stewart:                    
Which is dangerous.

Mallory:
Or they think it's never going to happen to them. Or it's a combination of all three. I've worked with organizations, I've met with them and heard all the excuses, and years later we get a call from them that says, "Hey, we need you. Can you get in here? We've had an incident. We should have listened to you three years ago."

It's a horrible feeling for them and for me because I know what they're going through.

Stewart:                      
Exactly.

Mallory:
I mean, I understand because I've seen firsthand the pain of a client, or we're talking about not a client but a prospect, giving me a call and saying, "We were hacked, we lost all of our client records, and we don't know what to do next."

Stewart:                        
Which is a bad spot.

Mallory:                 
If not for the fact, it's tough, right?

Stewart:                        
Yeah.

Mallory:
It's tough. I mean, we can help you starting now and going forward, but that damage is done, and what does that damage do to your reputation, to your business? It's tough.

Stewart:
Completely hard to bounce back from. You're right. Completely right. I guess what about accounting firms that handle business valuations? Is there an issue here for them, too?

Mallory:
Yes. There really is. What we're starting to see are companies doing more due diligence around acquisitions. So if I'm getting ready to acquire a company, typically I'm working with a trusted advisor like a CPA and I'm doing my due diligence, and the CPA is taking a look at the valuation of the company, what that company is worth.

But what's important is to dig in a little bit more and take a look and see, have company secrets been acquired by someone that shouldn't have acquired them? Maybe the Chinese have hacked in and stolen company secrets or intellectual property. Maybe a salesperson walked out with a client list. Has someone been in their system for 180 days taking things that they shouldn't be taking? You know? There's lots of things outside of the top line and the bottom line of a business that create the valuation of that organization.

We're starting to see the buyers of these companies really dig in and do much more due diligence around security.

Stewart:
Would you say it's gotten a lot better, I guess within the past, I'll say, five years of phishing? Has it gotten a lot better when it comes to people being more protected? Are the numbers dropping of people being phished through emails and organizations? Is that something you know off the top of your head?

Mallory:                 
It's growing. I mean, it's getting worse and worse.

Stewart:  
Oh, okay.

Mallory:                 
Yeah. It's the number two industry in the world behind government corruption.

Stewart:                      
Wow. Wow. I did not know that.

Mallory:                 
Yeah. Drug trafficking is three. Government corruption is one, and cyber is two.

Stewart:                        
So, it definitely should be on everyone's radars. I guess what are the three or four takeaways that you think people should know about when it comes to phishing?

Mallory:                 
I've kind of beat this dead horse.

Stewart:
No, it's good. Repetition is good.

Mallory:
Training, training, training. Training your people and having a comprehensive training program. Conducting a risk assessment of your organization, because as we've talked about through this podcast, the chance of someone getting phished is very, very high. So, having a risk assessment.

Understanding what you have. You know, what data do we have, where does it reside, and if I had an employee who was compromised, how easy is it for one of the bad actors to get to that data? Having policies in place is big. Having IT policies, having an incident response plan, having a vendor management plan, having all of that in place is very important.

And then doing some technical things, using some technical tools to kind of dig in behind the scenes and take a look and try to find things like software and root passwords that haven't been changed. Things like that. Really, if you're doing those four things, you're doing many things that will protect you from having a breach.

I'm not saying you're not going to have one, but I'm just saying if you do those things, there's a good chance. You stand a better chance of it not happening, and when it does, you're prepared.
