In the connected world we are all responsible for cybersecurity.
My mouthful of coffee splattered the screen; the unexpected email was that good. It was addressed to me by name, confirming the purchase of a £350 British Airways ticket for a flight departing the next day.
I was invited to open the attached boarding card to make sure everything was in order. The BA logo looked genuine, and there was a helpful link to a BA web address.
It was of course a ‘spear phishing’ attempt. The attachment, which I was supposed to open in a panic, presumably contained a virus which would take over my computer and harvest login details to my bank accounts and heaven knows what else. Luckily I had a genuine BA ticketing email to compare.
I was also in hyper-suspicious mode following the theft of a bag containing some important identification documents a few weeks previously. I deleted the email before it could do any damage (I hope).
I don’t know if it is connected to the theft or just that my suspicions have sharpened, but I have noticed a rash of these attacks lately. Some are obvious crude spam - ‘esteemed customer please update your account informations’ - but some, like the airline confirmation, are well-designed and targeted. I shouldn’t be surprised, as a lot of information about me is openly available from business directories and Companies House records.
If your personal identification details are in the public domain, for example if you are on the roll of solicitors, you too are under attack.
Last week, the phishers were posing as the Law Society; last month, the Solicitors Regulation Authority. Next week, they will be someone else. Law firms make good targets for cyber crooks - they are presumed to be too small to employ full-time security experts, yet they have access to vast amounts of sensitive data.
What worried me about the response to the attacks was the widespread assumption that someone had hacked the Society's systems.
Of course you'd expect me to say this, but I don't believe that to be the case. Not so much because we take IT security seriously here (again, you'd expect me to say that) but because anyone who had really cracked the systems would be doing something a sight more sophisticated than sending out phishing emails.
My bet is that the scammers are compiling their mailing lists with simple software that 'scrapes' data from public websites. (I know several people who use such software for legitimate purposes.)
Blaming the attacks on the regulator or the Society may be fun, but invites complacency. In the modern connected world we are all responsible for cybersecurity. Perhaps the phishers have done us a favour by reminding us of the fact.
Michael Cross is Gazette news editor