First think, then send 

Petr Šantrůček

I would like to react (and also add a little) to Petra Štogrová Jedličková's article "Crime-as-a-service" from the May issue of Crowe News. I ask: can you really order a cyberattack as a service today, hence "Crime as a Service" (CaaS), or is that a totally exaggerated and pessimistic perception of today's "technology world"? And at the same time I answer: yes! CaaS is today's reality. Everything described in the article is an undeniable truth. What I miss as a technician, however, is a solution for how to defend against it.

Those of you who are expecting a description of high-tech security technologies… please accept my apology. The following text is about you, common users (and I mean that in the best sense), who can defend against security threats infinitely more efficiently than any firewall, antivirus, antimalware, content filter, or even today's so-called artificial intelligence (AI).

So let’s get started! We will go through the most common cases you may encounter and their possible solutions.

Emails with dangerous content or links to a dangerous website

Have you received an email from a strange, unknown address, yet with content that looks trustworthy to you? Or an email with a strange attachment, but from a sender you know? Does the email contain a link to some website, a link that looks credible? At this point the technology can still work well, and with a little luck and the right management of your IT, such an attack will be stopped. However, let’s be honest: the technology is not all-powerful. In addition, it is not possible for security companies to respond immediately to every threat that appears on the Internet. And then it’s your turn! You and your own intelligence replace the artificial one. You may not be branded with a sophisticated abbreviation such as “AI”, but believe me – you’ll be fine!

An email from a strange or unknown address containing trustworthy text or an attachment with a trustworthy name

Before opening the attachments, take a break, have a coffee and think: why would someone send you such an email? Does the email include the sender’s contact information? Anything other than an email address? No? A rather strange situation, right? If there is some information, use it! Telephone, LinkedIn, Facebook… all these sources can easily help you to contact the sender. But do not be surprised when you find out in 99% of cases that this is a totally false identity. If you only have the sender's email address, just reply to the email and ask whether this email is meant for you and what exactly the attachment contains. In the vast majority of cases, your email will come back to you very quickly as undeliverable. If an attacker used (or rather abused) an existing email address, its owner will certainly write back that he has never knowingly sent anything like it. And now, as the Czech classic would ask - What to do with it? DELETE IT! :-)

If you get a strange or unusual-looking email from a person you do know, do not hesitate to verify with that person that they really sent you the email. Again, ideally use a different channel than email (phone number, instant messaging etc.). Maybe you are afraid you will seem paranoid to others, but a reasonable person will understand - better safe than sorry.

Emails trying to get your login or requesting you to perform a specific action

Another topic is emails (and now also messages from instant messaging tools such as Viber, WhatsApp, Facebook Messenger and others) that try to push you into some action. Mostly these emails are trying to get access to some system from you. The attacker often pretends to be an IT support worker, not only from your company, but even from Google or from your bank. In that case, please remember a golden rule that applies absolutely and without any exception. No professional IT support ever asks users for their login information!

Logically, the support worker can reset your user account and set any password, so why would he ask for it? And even if you are more or less sure it is "your IT guy", refuse to give the access. Let him change the password to your account and send it to you by an alternative route, a different one than the request came through.

But what is "in" this year? Email fraud! An attacker tries to uncover part of your company's organizational structure from publicly available sources and sends an email requesting a quick bank transfer. Typically, these emails pretend that an owner, statutory representative or other executive is asking a responsible person (an accountant, an office manager or someone else who might have access to bank accounts…) for a money transfer. What to do? I believe that now you know the answer. Correct! Verify the sender’s identity. And because a completely different address, the one your reply will actually go to, may be hidden behind the sender's plausible-looking address (which is technically trivial), replying would mean asking the attacker himself, which makes no sense. Use a different channel! Instant messaging, SMS, phone. I have no doubt that a reasonable manager will not yell at you, for example, that you are disturbing him on holiday, but will, on the contrary, acknowledge your caution.
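The hidden reply address described above can be checked mechanically. This added example (not part of the original article) parses a message's headers with Python's standard `email` module and reports when a reply would go to a different domain than the visible sender; the sample message and all names and domains in it are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message; all names and domains are made up.
SAMPLE = """\
From: "Jan Novak" <jan.novak@example.com>
Reply-To: jan.novak@example-payments.test
To: accounts@example.com
Subject: Urgent transfer

Please arrange the transfer today.
"""


def domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def reply_warnings(raw: str) -> list[str]:
    """Flag headers that would send a reply somewhere other than the visible sender."""
    msg = message_from_string(raw)
    shown_name, from_addr = parseaddr(msg.get("From", ""))
    warnings = []

    # A mail client answers to Reply-To when it is present, not to From.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and domain(reply_addr) != domain(from_addr):
            warnings.append(f"reply goes to {reply_addr}, not {from_addr}")

    # The display name is free text; an address typed into it proves nothing.
    for word in shown_name.split():
        shown = word.strip("\"'(),;<>")
        if "@" in shown and shown.lower() != from_addr.lower():
            warnings.append(f"display name shows {shown}, real sender is {from_addr}")
    return warnings


if __name__ == "__main__":
    for line in reply_warnings(SAMPLE) or ["no mismatch found"]:
        print(line)
```

An empty result only means these two header tricks are absent; confirming the request over a second channel is still the deciding check.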

If you apply the double verification principle, cyber attackers may try anything they like, but they will not get to your data or money (leaving aside the situation where they are holding a gun to your boss’s head and he will therefore probably confirm the transfer of EUR 100,000). But then we are back with the gangsters of Don Corleone's time. Let’s hope this is not the near future.


Petr Šantrůček
Executive Director
exTerra Services s.r.o