Don’t blame Russian hackers for your low phishing IQ

“Russian hacker attack” is turning into a meaningless meme that travels from news site to news site every time there is a security breach of serious magnitude.

The current victims are JPMorgan and four other banks, and the Federal Bureau of Investigation and other federal agencies are looking into the Russian connection. The hackers’ motive appears to be retaliation for Western financial sanctions, rather than filthy lucre. Who knows, they may even be in the employ of the Russian government – yet from the point of view of U.S. companies, that is irrelevant.

Blaming all serious cyber-attacks on the Russians or Chinese is at this point like accusing the rain when you leave the window open. Doing so shifts attention to shady characters with funny accents from where it belongs: on the company employees or contractors at fault. Sometimes these people act consciously, as National Security Agency contractor Edward Snowden did; mostly they have what is known as a low phishing IQ.

A phishing IQ is a person’s ability to tell whether a link in an email message is legitimate or a lure. Clicking on a lure may hand a hacker the person’s credentials or control of the person’s computer.

According to Dell SonicWALL, the security company behind an online phishing IQ test, 6.1 billion phishing emails with fake links go out worldwide every month. My private and corporate mailboxes are full of them. Here’s one, from “suppourt@apple.corporate.com”: “Dear Apple User, We just need to verify that this Account belongs to you. Simply click the link below and sign in using your Apple ID and password. This verification is only valid for 30 days. If you attempt to verify your Account after this time, you will be asked to resubmit for confirmation the next time you log in to the Apple website.”

I know it’s a low-level attempt to obtain my Apple ID, which is used to make purchases in Apple’s iTunes store – not least because of the misspelling in “support”, and because the address ends in corporate.com, not apple.com: the “apple” is merely a subdomain chosen as a decoy. If I click on the link, and especially if I supply my credentials, some hacker somewhere will try them against my other accounts, which works all the better if I use the same password for several sites. Alternatively, the click may download malware to my computer, which hackers will use to steal information, send out spam and run denial-of-service attacks.
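The checks described above can be written down. What follows is an added example, not code from the column or from Dell SonicWALL: it takes a constructed message modelled on the one quoted above and reports the tell-tale signs – a sender domain that is not the brand’s, the brand name used as a decoy subdomain, link text that shows one host while the href points at another, and the pressure language (“verify”, “valid for”) typical of a lure. The allowlist of legitimate domains and the list of pressure phrases are assumptions for the example, not anything the column supplies.

```python
"""Phishing-indicator triage for one e-mail message (added example, not the column's code)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the registrable domains a brand genuinely mails from.
LEGIT_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
}

# Assumption for the example: phrases that push the reader to act now.
URGENCY = ("verify", "valid for", "suspended", "confirm", "sign in")

# Constructed sample, modelled on the message quoted in the column; not a real capture.
SAMPLE = """From: Apple Support <suppourt@apple.corporate.com>
To: victim@example.org
Subject: Verify your Apple ID
Content-Type: text/html

<p>Dear Apple User, We just need to verify that this Account belongs to you.
Simply click the link below and sign in using your Apple ID and password.
This verification is only valid for 30 days.</p>
<a href="http://apple.corporate.com/verify?id=123">https://appleid.apple.com</a>
"""


def registrable_domain(host):
    """Last two labels of a host name ('apple.corporate.com' -> 'corporate.com').
    Simplification: multi-label public suffixes such as co.uk are not handled;
    a real tool should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw, brand):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    legit = LEGIT_DOMAINS[brand]
    findings = []

    # 1. Who really sent it: the registrable domain of the From address.
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    sender_domain = registrable_domain(sender_host)
    if sender_domain not in legit:
        findings.append(f"sender domain {sender_domain!r} is not one of {sorted(legit)}")
        if brand in sender_host.lower():
            findings.append(f"brand name '{brand}' used as a decoy inside {sender_host!r}")

    # 2. Where the links really go, and whether the visible text lies about it.
    part = next((p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")), msg)
    body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        if registrable_domain(href_host) not in legit:
            findings.append(f"link target {href_host!r} is not a {brand} domain")
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host!r} but points at {href_host!r}")

    # 3. Pressure language: a deadline and a request to log in are the classic lure.
    lowered = body.lower()
    hits = [phrase for phrase in URGENCY if phrase in lowered]
    if hits:
        findings.append(f"pressure language: {hits}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, "apple"):
        print("-", finding)
```

Run against the sample, every one of the four indicator classes fires; the point of the exercise is that none of them requires opening the link. A production filter would replace the two-label domain shortcut with the Public Suffix List and would check SPF and DKIM results as well, which this example leaves out.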

Corporate systems often include safeguards against phishing. Here at Bloomberg, for example, links to unknown sites will only open in a special, isolated browser and some sites won’t open at all. An isolated browser may keep malware off the corporate network, but it does nothing to stop a negligent user from giving away credentials by typing them into a phishing site.

The simple rule of thumb is never to follow an emailed link, no matter who it appears to come from. If you are alarmed or acutely interested, go directly to your account at the service that may or may not have emailed you, by typing its address or using a bookmark you saved earlier.

Apparently, someone at JPMorgan Chase & Co. did not follow that rule. The Wall Street Journal reports that “hackers appear to have originally breached JPMorgan’s network via an employee’s personal computer.” They could have hacked the employee’s home wireless network, but an email attack is more likely. That’s how the Target breach, in which some 40 million payment card numbers and personal data on as many as 70 million customers were stolen, was initiated: someone at a Target contractor clicked on an emailed link or opened an attachment, and voilà, hackers were romping through the store chain’s network.

That’s also how Russia’s major cyber weapon, the Snake malware, spreads through Western bureaucracies. It could be a Chinese, Iranian or homegrown American worm, it doesn’t matter – to get in, the malware needs someone to click on a link, open an attachment or plug in a thumb drive found in a parking lot. JPMorgan may spend $250 million a year on cyber security, but its network is as unsafe as your home computer so long as people make these silly mistakes.

David Upton and Sadie Creese of Oxford University’s Saïd Business School write in an article for the September issue of the Harvard Business Review that at least 80 million “insider attacks” occur in the U.S. every year. These include what happened at Target and other inadvertent breaches. Upton and Creese go so far as to suggest that companies “give employees the freedom to go where they want on the web but use readily available security software to monitor their activities, thus yielding important information about behaviors and personalities that will help detect danger.” In other words, companies should treat employees and partners as potential security threats and spy on them.

To me, that is a solution as cumbersome as it is unethical. A direct, clearly communicated ban on following emailed links and opening attachments without contacting the sender first would do the job. Employees who violate it should be treated either as incompetents to be fired, or as Russian hackers to be handed over to the FBI.

Leonid Bershidsky is a Bloomberg View contributor. He is a Berlin-based writer, author of three novels and two nonfiction books.