Friday, March 8, 2013

Dun & Bradstreet Phishing Scam


Today I received an e-mail from Dun and Bradstreet requesting that I respond to a complaint filed against my company. It had an attachment, and requested that I download it, read it and respond. I'm always cautious, but this e-mail was extremely convincing.

I contacted Dun & Bradstreet directly and learned that it was in fact a phishing scam, and that customer service had been inundated with inquiries today. They are currently investigating.

Phishing scams usually target the general public, but clearly scam artists are upping the ante.

Use these best practices to avoid phishing scams without missing a legitimate communication.

Rule #1: Never open an attachment unless you are expecting it. People used to be told not to open attachments from senders they don't recognize, but today that's not good enough. I have received malicious e-mails from extremely credible companies and even from personal e-mail addresses. Even an e-mail from your mother should be suspect unless you are expecting it.

Rule #2: Never open an attachment until you have verified it, even if it looks legitimate. Some malicious software reads the e-mail on an infected device and sends copies of itself from it. If you get an unexpected attachment from someone you know, call or e-mail them to verify that they did in fact send it.

Rule #3: Never open an .exe file for any reason. Application (executable) files pose the most risk. If it is necessary to send an executable file, don't use e-mail at all; today there are better ways of transferring large files securely.


Other notes:

  • As I've said, .exe files are the most dangerous, but other types of files can also carry embedded content. Any web link is potentially suspect. Word processing documents such as .doc or .docx can also contain malicious script. Generally .txt and .rtf files are safe, and image files are generally safe as well. It's important to note, however, that just because a file ends in a safe-looking suffix doesn't mean that it's absolutely clean.
  • Malicious e-mails don't necessarily need attachments. If they provide a link, it will often take you to a look-alike site that asks for your login information. This is particularly dangerous when the site imitates a financial institution such as PayPal or your bank.
  • If it's from a company you use, type the web address directly into your browser rather than clicking a link. Links can be masked, and will often use a similar, but not identical, domain.
  • If it's from a company you don't normally use, use Google to search for the company to make sure you have the legitimate website.
  • Call the company and provide them with as much detail as possible. It's important that large companies know when their customers are being targeted.
  • Don't rely on antivirus software. I use one of the better antivirus products available, Outlook has built-in protections, and I use a second antivirus product to screen e-mails individually as they arrive. This particular scam penetrated three layers undetected. Unfortunately this isn't uncommon, because most software can't catch things it hasn't seen before. Even the best antivirus will never catch everything.
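
As an added example (not part of the original post), here is a small Python triage script that applies two of the checks above to a raw e-mail before anyone opens it: it labels attachment types using the post's own categories (.exe never, .doc/.docx suspect) and flags links whose visible text names a different domain than the one the href actually points to. The sample message, sender, domains and file name are constructed for illustration and do not come from the real scam.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Risk labels follow the post's own categories (Rule #3 and "Other notes").
RISK = {
    ".exe": "executable: never open",
    ".doc": "document: may carry malicious script",
    ".docx": "document: may carry malicious script",
    ".txt": "generally safe, still verify with the sender",
}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    return re.sub(r"^www\.", "", (urlparse(url).hostname or "").lower())

def triage(raw: bytes) -> dict:
    """Flag risky attachment types and links whose shown domain differs from the href's."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"attachments": [], "masked_links": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name.lower())[1]
        report["attachments"].append((name, RISK.get(ext, "unknown type: verify with sender")))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in LINK_RE.findall(html.get_content()):
            shown = re.sub(r"<[^>]+>", "", text).strip()  # visible link text
            if "." in shown and host_of(shown) != host_of(href):
                report["masked_links"].append((shown, href))
    return report

def build_sample() -> bytes:
    """Constructed lure in the style the post describes: a fake 'complaint'
    notice with a masked link and an .exe attachment (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "notices@dandb-notices.example"  # constructed look-alike sender
    msg["To"] = "owner@smallbiz.example"
    msg["Subject"] = "Complaint filed against your company"
    msg.set_content("A complaint has been filed. Open the attachment and respond.")
    msg.add_alternative('<p>Review it at <a href="http://dandb-notices.example/login">'
                        "www.dandb.example/complaints</a></p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Complaint_Notice.exe")
    return msg.as_bytes()
```

Running `triage(build_sample())` reports the .exe as "never open" and lists the link whose text shows one domain while pointing at another, which is exactly the masking the bullet above warns about.
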

What if it is legitimate business e-mail?

Most companies today know that sending attachments through unsecured e-mail is bad practice. If you receive an attachment from a business that you did not request and discover it is legitimate, advise the business to investigate other protocols. The most intelligent customers will be cautious, and some may see it as a sign that the business doesn't act professionally. It's easy and free to transfer files when needed without using e-mail.

What is the law regarding e-mail scams?

Unfortunately, there is no law against attempting to trick someone. Companies can use copyright law to sue individuals who misuse their trademarks, but to my knowledge this has never been applied to phishing scams.

In a previous event, I contacted the FBI in Philadelphia, which has a dedicated staff focused on Internet fraud. Unfortunately, however, the FBI cannot file charges unless someone has actually been damaged. Almost being tricked is not enough to press charges; you actually have to suffer monetary damages before you can pursue a criminal complaint.

Report phishing scams to the companies involved, and other scams to the FBI. It's good to generate awareness; unfortunately, however, it's a very difficult problem to police.