Security Awareness News for December 2019
- The Art of the Con: How Social Engineers and Phishers Use Psychology to Their Advantage
- A Con in Action
- 5 Real-Life Cons and How to Avoid Them
- Why Social Engineering Works
You may log in to your email account with a password, but that does not make the transmission of email secure. When an email is sent, it travels across a series of networks and servers to reach the recipient. Encryption between those servers is optional and negotiated hop by hop, so the message is often handled in human-readable text, and along the way it is possible for hackers to intercept it without detection. Ask yourself: would I send this information through the U.S. Mail in a see-through envelope?
Besides transmission, a copy of each email message is typically stored on your computer, your server, likely your server’s backup (physical or in the cloud), the recipient’s computer, their server, their server’s backup, and so on. Hackers can be patient: they have been known to enter a network through a vulnerability and remain hidden for weeks, months, or years. Even if you believe your own network is sufficiently protected, you cannot control the quality and effectiveness of the recipient’s security measures.
Things You Should Never Send
1. Social Security number. This is the skeleton key to your financial life. It can be used to open accounts, steal tax refunds and commit many other kinds of fraud.
2. Your credit card information. There is too much malware out there for this to be a safe practice. Don’t send this information via email or any other electronic means that is not secure (on websites, look for https:// and the padlock icon before hitting submit; the padlock only tells you the connection is encrypted, not that the site itself is legitimate).
3. A copy of your driver’s license. Fraudsters are not big on in-person transactions, but they are very good at talking their way around security protocols. If they already have your Social Security number (often available through shady websites) and enough other pieces of your personal information to convince you they are an official organization, they can dupe you into sending your photo ID, or steal it from somewhere you do business, and then do a lot of damage.
4. Your PIN codes or passwords. These should never be shared, period, but if you must share one in a pinch with someone close to you, do it on the phone. Malware is too prevalent to risk communicating that information electronically.
While all of this may sound like common sense, the number of mistakes people make every day is hard to believe. The key to staying safe is staying vigilant. Always practice the Three Ms: minimize your exposure, monitor your accounts, and manage the damage the minute you discover a problem.
While identity-related crime cannot be prevented entirely, you can avoid becoming an unwitting volunteer.
Have you ever found a USB stick/thumb drive or a CD on the ground or in a parking lot? Hopefully you did not put it into your computer. You may be tempted by curiosity to see what data is on it, or want to identify the owner, but DO NOT insert any of these found objects into your computer.
You may think it is your lucky day ('Hey, free USB stick!'), but it could land you in the hot seat with your IT department.
This is a common tactic used by bad guys to infiltrate your network, gain unauthorized access and steal information.
Code can be executed simply by inserting one of these devices into your computer. The drive may carry malware that runs as soon as a file on it is opened, or the device may not be a storage device at all: it can identify itself to the operating system as a keyboard and type commands on its own. By the time you can see what files are on it, the damage may already have been done.
Published estimates put the average cost of a cyber attack like this on a small company at around $200,000.
For a large public corporation, downtime can cost over $6,000,000 per day.
Below is a copy of an email that was in quarantine this morning. Emails like this have been going around the Internet lately. Hopefully none of them will get through, but we wanted to make you aware just in case you receive one. The eFax logo and the trademark at the bottom are real, but look at the From address: the country-code top-level domain (.pw) belongs to Palau, and spammers have been using .pw addresses a lot lately. The phone number’s area code (939) is for Puerto Rico. Both are red flags that this is not a real eFax message. If you receive anything similar, let IT know so we can try to filter it.
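The two checks described above (sender top-level domain and phone area code) can be run automatically on a quarantined message. The script below is an added example in Python; it is not code from the original notice or from eFax. Because the quarantined email itself is not reproduced on this page, the message in the script is a constructed sample with a hypothetical domain and a fictional 555 number; the TLD watchlist, the area-code table and the set of domains the brand is expected to mail from are assumptions supplied for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed watchlists for this example (not a vendor or IT-department list):
# country-code TLDs to treat as suspicious, and the North American area
# code the notice above calls out, mapped to the region it is assigned to.
SUSPICIOUS_TLDS = {"pw"}
AREA_CODES = {"939": "Puerto Rico"}

# Matches 939-555-0100, (939) 555-0100, 939.555.0100 and captures the area code.
PHONE_RE = re.compile(r"\(?\b(\d{3})\)?[\s.-]?\d{3}[\s.-]\d{4}\b")

# Constructed sample message; efax-notice.pw is a hypothetical domain and
# 555-01xx numbers are reserved for fiction.
SAMPLE = """\
From: eFax <noreply@efax-notice.pw>
To: someone@example.com
Subject: You have a new fax
Content-Type: text/plain; charset="utf-8"

You have received a 2 page fax from (939) 555-0100.
View it here: http://efax-notice.pw/view
"""


def sender_domain(from_header):
    """Return the lowercase domain of the address part of a From header."""
    _display_name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def text_body(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def red_flags(raw_message, expected_domains):
    """Return human-readable red flags for a raw RFC 5322 message.

    expected_domains: the domains the claimed sender really mails from.
    This is an assumption the caller supplies (e.g. from an allow-list);
    the example does not know eFax's real sending domains.
    """
    msg = message_from_string(raw_message)
    flags = []

    domain = sender_domain(msg.get("From", ""))
    tld = domain.rpartition(".")[2]
    if tld in SUSPICIOUS_TLDS:
        flags.append(f"sender TLD .{tld} is on the watchlist ({domain})")
    if domain and domain not in expected_domains:
        flags.append(f"sender domain {domain} is not one the brand mails from")

    for area in sorted(set(PHONE_RE.findall(text_body(msg)))):
        if area in AREA_CODES:
            flags.append(f"phone area code {area} is assigned to {AREA_CODES[area]}")
    return flags


if __name__ == "__main__":
    # efax.example is a placeholder for the brand's real sending domain.
    for flag in red_flags(SAMPLE, {"efax.example"}):
        print("RED FLAG:", flag)
```

The checks are deliberately simple string comparisons on the parsed From header and body, which is all the notice relies on; a production filter would also look at the SPF/DKIM results in the Authentication-Results header, but those are not shown in the quarantined copy and so are left out here.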
When you receive an email from an online service or business partner that you were not expecting, proceed with caution.
For example, if you receive an email from eBay stating that you have just won an online auction, there are a couple of questions you should ask yourself:
- Am I a member of eBay? (This goes for online banking as well. If you receive an email from a bank you do not have an account with, do not click any links.)
- Did I bid on any auctions recently? (If you did not bid, you cannot have won.)
This does not apply to eBay alone. The bad guys can use any online service, such as banking, shopping or social networking, to try to trick you.
Remember to Stop, Look, and Think before clicking any link in an email.
When in doubt, open a web browser and visit the website of the company that supposedly sent the email. From there you can log in to your account and verify any activity that has taken place.
Do not click a link in the email to visit the site. Open a browser and type in the company’s address yourself.
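One way to do the "Look" step programmatically before anyone clicks, as an added example that is not part of the original notice: the script pulls every link out of an HTML email body and flags the tricks that make a link look like the company's site when it is not (visible text naming one domain while the href goes to another, a user-info part before an @ that hides the real host, and raw IP addresses). The HTML and the hosts in it are constructed for the example (the .example TLD and 198.51.100.7 are reserved for documentation), and the optional set of domains the company really uses is an assumption the caller supplies.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Something that looks like a domain or URL in the link's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)


def registrable(host):
    """Last two labels of a host. Assumption: no public-suffix list, so
    co.uk-style domains are approximated; good enough to spot look-alikes."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html, expected=None):
    """Return [(href, text, reasons)] for links that deserve a second look.

    expected: optional set of registrable domains the company really uses,
    supplied by the caller (an assumption; this example has no such list).
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if parts.username is not None:
            reasons.append("user-info before @ disguises the real host")
        try:
            ipaddress.ip_address(host)
            reasons.append("link goes to a raw IP address")
        except ValueError:
            pass
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if expected is not None and host and registrable(host) not in expected:
            reasons.append(f"{host} is not one of the company's domains")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample body for an "auction won" lure.
SAMPLE_HTML = """
<p>Congratulations, you won! Sign in at
<a href="http://www.ebay.com@198.51.100.7/signin">www.ebay.com</a>
or <a href="http://ebay-auction-winner.example/claim">claim your item</a>.
Help: <a href="https://www.ebay.com/help">www.ebay.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML, {"ebay.com"}):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Note what the heuristic cannot catch: the second link's text is plain words ("claim your item"), so nothing in the text contradicts the destination, and it is only flagged when the caller supplies the expected-domain set. That gap is exactly why the advice above is to type the company's address yourself rather than trust any link.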
One of the most common and successful tricks cyber criminals use to get you to fall for their scams is the fake “stressor event”. In this context, a “stressor event” is a shocking or compromising situation that inflicts fear or provokes other strong emotions, for the purpose of causing an impulsive reaction.
How it works:
When the bad guys present a shocking claim to an unsuspecting victim, they usually add a sense of urgency to drive home the “importance” of the scenario. In reality, that urgency is one more factor increasing the chance that you will react impulsively and click their malicious links or download their dangerous attachments. Attackers lay out the fake scenario in the body of the phishing email, but they are also known for using shocking subject lines such as “Act Now: Fraudulent activity on your checking account”. These tactics are not limited to phishing emails; scammers use the same techniques in smishing (SMS, or text phishing) and vishing (voice phishing) attempts.
How to avoid falling victim to pressure:
These attacks often succeed because they convince the target that acting immediately will avoid a negative consequence or gain something of value. Stop and think about how likely the scenario really is before making the wrong move.
- Never open an attachment you weren’t expecting. Even if it appears to come from someone you know, pick up the phone and verify that it is legitimate.
- If the sender of the email is difficult to get in touch with or unwilling to speak on the phone, it is likely a scam.
- If the sender asks you to send or receive money in unusual ways, it is probably a scam. For example, if they request payment in the form of gift cards, don’t fall for it!