04:33 PM
Murray Walton, Fiserv

Email Phishing Is Serious Business

An inside look at how Fiserv CRO Murray Walton communicated an IT threat to 19,000 company associates.

Editor's Note: Communication was critical following the early-April Epsilon data breach in which a database containing names and email addresses of millions of Americans was compromised. But it wasn't only external communication between businesses and customers that was important. With the heightened threat of phishing attacks, effective internal communication was every bit as vital.

The following is an email sent by Murray Walton, Chief Risk Officer for Brookfield, Wis.-based Fiserv, to the company's 19,000 associates.

Phishing is the act of sending email intended to deceive the recipient into revealing personal information or taking an action that allows personal information to be extracted later. Most phishing schemes are designed to turn that personal information into money, either through identity theft or the hijacking of bank accounts or credit lines. If you are on the receiving end of a phishing attempt, you receive an email that claims to be from a legitimate organization. It asks you to log on to a website whose address it provides, or it asks you to click an embedded link or open an attachment.

  • Perhaps the sender claims to be the Internal Revenue Service, and the email asserts that you owe back taxes, or a creditor or lawyer alleges you owe a debt. The type and amount of debt are supposedly described in an attachment you are asked to open.
  • Or the sender claims to be your bank, and the email asserts that your account will be frozen if you do not re-establish your username and password. The email contains a link where you are told to log in using your old credentials and establish new ones.
  • Or the sender claims to be from Desktop Support or Email Administrator, advising you of a problem that you can cure by following a link in the email where you would give the impostor your legitimate logon credentials.
  • Or the sender claims to be the HR department, and the email asks you to provide a comprehensive set of personal data because your HR records were supposedly lost due to a recent system conversion.

If you open the PDF that supposedly describes your debt, or go to the fake bank website and log in with your real credentials, or provide personal information to the phony HR department or Email Administrator, you will be sorry. You will install malicious software on your computer that captures all of your keystrokes including usernames and passwords. Or you will give thieves login credentials they can use to drain your bank account or romp through your computer and any networked to it. Or you will give them the means to impersonate you and establish enough credit in your name to bury you in debt. Or you may unleash a virus that infects your computer, and sends out something equally poisonous to every person listed in your address book.

When things like this happen within most corporate environments, there are excellent defenses to blunt their impact. But what would you do if this kind of attack hit you at home, via your personal email? And how many of your business’ clients have corporate-class defenses in place? With the breach last month of the Epsilon email marketing firm, security experts predict we will see a spike in phishing attacks in the weeks and months ahead. Those who breached Epsilon now know that Sam Security, email address, does business with specific banks, travel companies, retailers, and other companies, and they know how to reach him by email. They will use this information for phishing attacks that attempt to get information from him that can be monetized in some way, enriching them at his expense.

So what can we do? We can be smart and cynical, and adopt a trust-but-verify model for engaging with those phishers who reach out to us via email.

Murray Walton is Chief Risk Officer and head of Enterprise Risk & Resilience at Fiserv, Inc. He leads the teams responsible for business continuity, incident management, insurance, logical and physical security, PCI and regulatory compliance, and risk assessment and remediation for this Fortune 500 provider of information management, processing and electronic commerce services to the financial services industry. Murray joined Fiserv in 2006, building on more than 25 years of prior professional experience in financial services management, law and technology, including five years as Chief Compliance Officer at H&R Block and prior experience in banking and bank systems. Murray holds degrees in economics and law.
