Close desktop login portal

Client Login

Select one of the portals below and login with your credentials

Advisory

Richey May Advisory provides the full spectrum of transformative solutions for your business. From Technology and Risk Management to Specialty Audit Services and more, Richey May Advisory has the solutions you need to find and focus on your competitive advantage.

Learn More

Richey May Advisory

Richey May Advisory provides the full spectrum of transformative solutions for your business. From Technology and Risk Management to Specialty Audit Services and more, Richey May Advisory has the solutions you need to find and focus on your competitive advantage.

Learn More

Contact Us

Richey May Headquarters
9780 S Meridian Blvd., Suite 500
Englewood, CO 80112
Directions
303-721-6232

Question or comments?  Click here to fill out our inquiry form.

Richey May Advisory

Richey May Advisory provides the full spectrum of transformative solutions for your business. From Technology and Risk Management to Specialty Audit Services and more, Richey May Advisory has the solutions you need to find and focus on your competitive advantage.

Learn More

Richey May Advisory

Richey May Advisory provides the full spectrum of transformative solutions for your business. From Technology and Risk Management to Specialty Audit Services and more, Richey May Advisory has the solutions you need to find and focus on your competitive advantage.

Learn More

Contact Us

Richey May Headquarters
9780 S Meridian Blvd., Suite 500
Englewood, CO 80112
Directions
303-721-6232

Question or comments?  Click here to fill out our inquiry form.

Mobile menu toggle
Back to menuBack to menu
Richey May Headquarters
9780 S Meridian Blvd., Suite 500
Englewood, CO 80112
Directions
303-721-6232

Employment Documents

Testing4321

Technology

Hooked: A Phish Tale

Articles by: Richey May, Oct 25, 2019

We all get hundreds, maybe even thousands, of phishing emails over the course of the year. Lurking in our inboxes, these emails carry risks that would spook any sys admin. In recent years, the tools to combat these annoyances have increased in their effectiveness in catching and preventing these emails. In combination with better tools, awareness among engineers and end users has increased, though it has a long way to go before we have perfect protection.

Unfortunately, this also means is that threat actors are developing more advanced techniques and investing more energy into their attacks to get unsuspecting or inattentive end-users hooked. Some phishing attacks are starting the blur the lines between traditional phishing and full-blown social engineering.

On a dark and spooky night (just kidding it was a Friday afternoon) one of our clients received what may look like a typical phishing email designed to appear as though it was from the company CEO (personal data redacted):

example of CEO phishing email

This email is deceptively simple. It doesn’t have the typical company email signature, but using “Sent from my iPhone” may make the email more believable. The message is simple, and again, believable, as the end user might typically be asked to complete tasks for the CEO while she is on conference calls.

A suspicious user might notice it’s from a Gmail account. What made this event different is that the attacker also created a LinkedIn account and attached that email address, in essence attempting to impersonate the CEO.

CEO impersonation example

Although this was just one additional small step in this attack, the threat actor may have been able to instill a sense of urgency with the target victim, enough to get a new employee or someone just at the right moment to fall for this trick with little effort needed from the attacker. With the added effort of making a fake LinkedIn account, the reputation of this false identity can easily be increased to further legitimatize the attack, even if the employee makes a cursory Google of the suspicious email address.

To combat these attacks there are both technical controls and further security awareness efforts enterprises need to take to reduce the impact and chances of becoming victims to phishing and social engineering attacks. Technical controls that combat this are impersonation filtering tools and phishing detecting via secure email gateways. Ultimately, items will still get through and the focus should be strong security awareness trainings that promote users to be ever vigilant against these types of attacks.

Our cybersecurity team takes an integrated approach to assessing your risks as they apply to people, processes and technology. If phishing attacks and email security are a top concern for your company contact us today