October is Cybersecurity Awareness Month. While Online is passionate about cybersecurity 365 days a year, during October we like to revisit some of the basics that keep our team, our clients, and our community security-aware, and safe. This post is the first in a series of thoughts and tips we will be sharing throughout the month of October.
It wasn’t that long ago that our digital interactions were based on the adage “trust but verify”. Most of the time it was easy to determine which things were clearly implausible, such as emails from a Nigerian Prince or threats about catching HIV from needles being left in the change slot in payphones. And on those occasions when it wasn’t obvious, basic common sense mixed with a smidge of skepticism helped most people avoid any trouble.
It’s Time for a New Adage
Fast forward to modern times, where the power of information has allowed technology to advance in many ways. While these advances have brought many benefits (“Alexa, what’s the weather going to be today?”), they have also opened a plethora of new attack vectors to be used by nefarious individuals, crime gangs, cause-driven groups, and nation-states to influence innocent people like you and me to do things that are not in our best interest, or to think things that simply aren’t true.
I’d suggest our new adage should be - “do not trust any information UNTIL you have verified it”.
The Most Common Way: E-mail
One of the most common ways attackers use the new information available to them is through a phishing attack*. Phishing attacks are getting more sophisticated every day, and if you’re not paying close attention it can be easy to think they are from a valid sender when they are not.
*Phishing is when an attacker dupes a victim into opening an email, instant message, or text message with the goal of getting access to their personal (or company) data.
We regularly run phishing simulations for our team at Online where we emulate some of the most recent phishing attacks we’ve seen happen in the community, and try to trick Onliners into doing what the message suggested, such as clicking on a link. We want to arm our team with the right vigilance weapons, so they don’t fall victim to an attack, personally or professionally.
Why Does Phishing Work?
Part of the art of deception is to get the targeted person to actually believe the message – oftentimes by preying on basic human emotions such as fear (“the IRS is going to arrest you because you didn’t pay your taxes”), excitement (“your package is here, click on the link for more info”), or our basic desire to help people (“can you please purchase these gift cards for me because my credit card didn’t work?”).
Even if only a small percentage of people fall for these schemes, it is easy money for the attackers. What is a mere mortal to do? Let me offer some basic guidance here that, while it may appear simple at first, will truly save you from even the most sophisticated phishing attack.
- NEVER click on that link. Anything that is legitimate can be reached through the sender’s website.
- If one MUST click on the link, find an out-of-band mechanism to call the sender. (Do not respond to their email: if the attacker has compromised it, then of course they will tell you to click on the link.)
- Anything that is too good to be true probably isn’t.
- Anything that seems out of character should be considered questionable.
- Finally, many of us tend to let our guard down when we are reading emails on our mobile devices, sometimes because it’s when we first wake up or when we have other distractions. Mobile devices also don’t always display when the source of the email is an outside entity. So when in doubt, take time to digest those messages that are asking you to click on something; it never hurts to wait.
When it’s Not Digital
Not all scams come through email. I probably receive a phone call a week (from a different phone number each time) telling me that my vehicle warranty is about to expire (funny thing is that I don’t have a vehicle warranty…). A co-worker of mine just received a notification by mail from their state unemployment office talking about their application and unemployment benefits (they reached out to me to make sure that they weren’t fired, which of course they weren’t!). And many of us receive those phone calls stating that we owe back taxes. Just because these attackers have gotten increasingly more creative and convincing doesn’t mean that what they say is any more true.
When in doubt, do the research first to determine the validity and get back to them later (if it’s even valid). Verify first, then trust.
When it’s Not Personal
But let’s face it, not all deception is used to attack you personally. There are plenty of adversaries that feast on sharing misinformation to cause unrest and mistrust amongst societies. On top of that, we are all exposed to so much information every minute of the day (note to self, maybe it’s a good idea to go off the grid from time to time) and many of us don’t take the time to review the source of the information or its validity.
It doesn’t matter what end of the political spectrum you come from, it is important for humankind to consider the integrity of the information from their news and data sources. Just look at the misinformation shared on the internet about COVID-19 – those with bad intent could easily kill thousands of people without firing a single bullet. If I could invent one life-changing thing, I think it would be the “information integrity-ometer” that would vet the validity and the bias of whatever information one is exposed to.
A gut check doesn’t cut it anymore – everyone, no matter their age, profession or demographic needs to verify before they act.
Where Do I Go From Here?
Information is a great thing and, when you think about it, we are exposed to increasing volumes of it every day. Just as most folks (and systems) are pretty good at filtering out junk mail, we need to do the same and take an ever-vigilant approach to whatever information comes our way. Verify, verify, verify.
Throughout the month of October, we will be spending time with Onliners and our clients, providing them with tips and tricks they can use to keep their data protected.
About Steve Levinson, Vice-President, Risk, Security & Privacy
As Vice President of Online Business Systems’ Risk, Security, and Privacy Consulting Practice and the company's Security Officer, Steve Levinson is building, growing, and leading a collaborative, risk-based, business-minded security consulting team.
Online’s RSP practice focuses on governance/program management, including PCI, ISO, HIPAA, vulnerability management, data protection, and virtual CISO services.
To contact Steve or our RSP team please email firstname.lastname@example.org.