A distressed man that has been phished, generated with the assistance of AI.
Part 1 – The Hack
In early August 2023, I returned from vacation to find hundreds of unread emails waiting for me. While the urgent matters had been handled, I still had a backlog of approvals and document reviews to tackle.
One afternoon, I clicked on yet another email about approving a policy document. After authenticating, I was hit with a stark message: I had fallen victim to a phishing attack. This was part of OKIOK’s phishing awareness campaign. The page outlined how to detect phishing attempts and reassured me that there were no adverse consequences since it was just an exercise.
Relief washed over me, but my mind raced. How could I—president of a cybersecurity firm—have fallen for this? I scrutinize links, domain names, and web pages constantly.
Part 2 – How It Happened
Reflecting on the incident, I realized it mirrored the complexities often seen in aviation disasters: multiple factors converging to create a perfect storm.
-
High-Quality Phishing: The email and phishing site mimicked a service we use perfectly. The URLs were almost identical, differing only by a “.ca” domain, common and seemingly legitimate for a Canadian company. Our pentesters had even secured a valid certificate for it.
-
Vacation Mode: Coming back from vacation, I was eager to clear my email backlog, which lowered my vigilance.
-
Entra ID Desensitization: With SSO configured for this service via Entra ID, I didn’t think much of the login prompt. I should have recognized that I should already be signed in, instead of being asked for my password.
-
The Click: The initial mistake was clicking the link. If I had accessed the service directly, none of this would have happened.
Part 3 – Lessons Learned
To counter such attacks, I believe the best approach might be to avoid clicking links in emails altogether. However, this is challenging; links streamline access and save time, ingraining a habit that’s hard to break.
Some governments have begun banning email links in communications to discourage bad practices. For instance, Quebec’s “Ministère de la Cybersécurité et du Numérique” has mandated that public services refrain from including links in emails to external stakeholders.
Yet, this isn’t a simple fix…
Part 4 – The Missing Links
Links in emails can be incredibly useful. For instance, invitations to Teams or Zoom calls often rely on links containing all necessary information. Without them, joining a call becomes cumbersome.
At OKIOK, we faced a similar challenge with our S-Filer solution, which generates a GUID for one-off file transfers. The link in the notification email was essential for recipients to access their files.
Part 5 – The S-Filer Solution
Last year, we began reworking our “Quick Send” feature. Transfers are now identified with a unique code composed of clear, uppercase letters and numbers. Instead of a link, notifications include instructions directing users to our website, where they can enter the code for access.
We’ve maintained the previous link functionality for clients who prefer it, ensuring a smooth transition.
Part 6 – Conclusion
As AI-generated phishing emails become more sophisticated, spotting them grows increasingly difficult. I once believed we could train people to identify phishing attempts, but now I think it’s safer to train them not to click links at all. We’ve adapted our phishing campaigns accordingly.
Part 7 – Epilogue
Had this been a real attack, the stress would have been immense. Thankfully, our multiple layers of defense would have mitigated the consequences:
- MFA: Required for all external access, suspicious MFA prompts would alert us to any unauthorized login attempts.
- Limited Privileges: My day-to-day account has restricted access, reducing potential damage.
- Password Manager: Unique, strong passwords mean a phished password can’t be reused.
- EDR/MDR Solutions: Our detection systems would likely catch any malware installed during the attack.
While I still feel embarrassed, I find comfort in our robust security measures.