I’ve spent the last 150 years (IT years are like dog years!) in the cybersecurity consulting arena helping organizations of all sizes protect their digital, intellectual, and reputational assets from the ever-changing threat landscape.
October is known as Cyber Security Awareness Month (CSAM), so one of my annual rituals is to share my and our team’s wisdom pertaining to cybersecurity hacks and scams that apply to humankind – not “just” businesses – as bad cyber things could happen to anyone. Internet scams and ransomware attacks account for billions of dollars, so there is good reason for these scammers to be incentivized.
These hacks and cyber-attacks commonly play on human emotions or gullibility, including, but not limited to fear, urgency, love, laziness, humiliation, and things that are, well, just too good to be true. We feel that this write-up is one of our ways of giving back to make the world a better, or at least digitally safer, place.
DON'T TRUST UNTIL YOU VERIFY
It is important to adhere to the mantra of the digital world – “don’t trust until you verify.” Anything that you receive – be it by email, social media, or even your newsfeeds – is subject to scrutiny. And in the rapidly evolving world of AI and deepfakes, it is even easier to be fooled. So, if you’re not seeing it live with your own eyes or hearing it directly from the person you’re speaking with (note that there are voice simulators that allow an attacker to sound just like someone else, so even phone calls could be suspicious), then think before taking any action.
Scams and social engineering attacks can have immediate impact to your financial, social, or general well-being, and these attacks are evolving at a breakneck pace.
Key theme: If you receive an email, text, or even a phone call telling you to take some sort of action, even if it’s just clicking on a link or QR code, DON’T DO IT!
At least not right away – THINK before you click/respond. There is nothing so urgent that it requires your immediate response. Some basic cybersecurity hygiene can reduce your risk of becoming a cyber victim.
WHERE TO BE WARY:
1. Business email compromises – This is where a social engineer researches your company on the internet to learn who the executives are and then poses as that executive, reaching out to employees from an email account that looks like the real one (maybe one letter is off) and asking for a favor such as purchasing gift cards. They make it sound convincing. I know several well-educated and smart people who have fallen for this – which is why these attacks continue to be pervasive.
If you do receive a phone call, text, or email like this, and you think it could be real, verify it by communicating out of band (i.e., don’t respond via that same channel; instead switch, for example, from email to a phone call).
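To show what “one letter off” looks like to a mail filter, here is an added example (not from the original post) that classifies a sender’s domain as trusted, lookalike, or external. The trusted domain `example-corp.com`, the homoglyph table, and the edit-distance threshold are constructed assumptions for illustration.

```python
import re

# Constructed example data: the domains the organisation really sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Substitutions that look alike in common fonts (assumed table, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def edit_distance(a, b):
    # Levenshtein distance; inputs are short domain names, so O(len(a)*len(b)) is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    # Collapse common look-alike substitutions so "exarnple" compares as "example".
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(from_header):
    # Accept either 'Display Name <user@domain>' or a bare address.
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'external' for a From: header."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # A homoglyph match or a domain within two edits of a real one is suspicious.
        if normalise(domain) == normalise(t) or edit_distance(domain, t) <= 2:
            return "lookalike"
    return "external"
```

A “lookalike” verdict is exactly the case where the out-of-band verification above applies: the display name says “CEO”, but the domain does not match the real one.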
2. Charging stations – Be wary of any USB-based charging stations as attackers could potentially inject malware into your mobile device. If you need to charge your devices when you’re on the road, just plug in to AC power and not a USB port.
3. “Your package is…” – DON’T click on the link from anyone who sends you something that tells you where your “package” is or its delivery status. If you want to check on something like that, just go to the site of the shipper (e.g., FEDEX, UPS) or shipping party (e.g., Amazon).
4. Improve your vigilance – Many banks allow you to set up alerts (text or email) whenever there is activity in your account. Along similar lines, most credit card companies allow you to do the same for any credit card transactions (you can even set thresholds if you’d like). On top of that, there are many free or inexpensive credit monitoring/locking services that allow you to lock down any activities associated with your identity/accounts or that monitor for suspicious activity. While this won’t prevent fraud, it can help you react promptly to abnormal activity.
5. Disaster relief scams – While our hearts go out to the thousands of people who have been impacted by the recent hurricanes, this also opens the doors for fraudsters who try to take advantage of good people who are hoping to help. Hiding behind the guise of an actual aid organization, scammers typically use a tragedy or natural disaster to con you out of your money. By thinking you're donating to an emergency relief fund, you unwittingly provide credit card or other e-payment information. Do your research first! Only give to established, legitimate organizations.
Visit GuideStar, Charity Navigator, or CanadaHelps to verify the validity of any charitable organization you are considering supporting before you donate.
6. So many phish in the sea – You receive an email from a seemingly familiar enterprise that you deem legitimate, such as your bank, university, or a retailer you frequent. But in this case, it’s not legitimate – the message directs you to a site, oftentimes to “verify” personal information such as email addresses and passwords, in an attempt to steal your information/credentials and expose your computer to attack by scammers. Phishing scams are some of the most common attacks on consumers. Phishing emails and text messages frequently tell stories to trick people into clicking on a link or opening an attachment.
How to avoid becoming a victim? DON’T click on the link. Instead, go to the actual website, where any legitimate company will present that same information to you once you’ve logged in. If not, call the customer support number from the website (and not the one shown in the phishing message!).
Phishing attempts might:
- Say they've noticed suspicious activity or log-in attempts on your account.
- Claim there's a problem with your account or payment information.
- Say you need to confirm or update personal information.
- Include a fake invoice.
- Ask you to click on a link to make a payment.
- Claim you're eligible to sign up for a government refund.
- Offer a coupon for free goods or services.
7. Grandparent scams – This is where a fraudster poses as a panicked grandchild who needs cash immediately for some emergency—to get out of jail, leave a foreign country, or pay a hospital bill. My parents and in-laws have received a good handful of these types of phone calls over the past decade. Oftentimes the attacker will just mumble a grandchild’s name to the grandparent who may be fooled into thinking it’s their grandchild. But also, some attackers take things one step further to harvest info on social media to gain deeper knowledge of relationships/names. A common theme here is to resist the urge to act immediately. Scammers pull at your heartstrings and rely on you to respond quickly—before you've had a chance to think things through. Verify the caller's identity and ask questions that a stranger couldn't answer. Confirm the story with other family members or friends, even if (or especially if) the caller says to keep it a secret.
And never send cash, gift cards, or money transfers.
9. Lottery scams – Congratulations! You’ve won the lottery or some other large amount of money! Except you haven’t. This bogus email comes to you out of the blue—usually claiming to be a part of an international sweepstakes—stressing that you’ve won big and need to send over a processing fee or get in touch with someone who can process your winnings. Unless you have entered some legitimate lottery, chances are you haven’t won the jackpot.
If for some reason you do think you’ve won, DON’T respond to the message; instead reach out to the organization sponsoring the lottery.
10. Who needs fake friends – If you receive a friend/connection request on Facebook, LinkedIn, etc., do some quick legwork to see if it’s really from that person. (Oftentimes you will see that you are already connected to the real person.) Otherwise, an imposter may try to pull some of the aforementioned tricks on you or spend time reviewing your profile to launch a social engineering attack on your connections.
Some things to consider before accepting the invitation:
1) See if you are already connected to this person (the “real” one)
2) Check how many connections the requestor has; if it’s just a small handful, the requestor is likely fake. Think before you link!
11. Financial scams – More advanced attacks involve the attackers posing as your bank or credit union to trick you into giving them access to your account. For example, in the “pay yourself scam,” you receive a text message that looks like a fraud alert from your bank about unusual activity. The text may look something like “Did you make a purchase of $100.00 at ABC merchant?” If you respond to the text, you have now engaged the scammer and will receive a call from a number that appears to be from a bank. (DON’T blindly trust caller ID – it is not always who it says it is.) They'll appear to be a representative from a bank and will offer to help stop the alleged fraud by asking you to send money to yourself with Zelle or some other online payment platform. Of note, the scammer will ask you for a one-time code you just received from your bank.
If you give them the code (DON’T DO IT! EVER! NEVER share a one-time code with ANYone!), they will use it to enroll their bank account with Zelle while using your email or phone number, hence granting them the ability to receive your money into their account.
12. Spam – Emails that we didn’t ask for are a minor nuisance in life. When you receive an unsolicited email, your first inclination may be to either just delete that email (that is a safe thing) or, if you’re feeling slightly more resourceful, to click on the “Unsubscribe” link or button – which may not be a good thing to do. How do we know that the Unsubscribe link or button is safe?
The link could instead introduce malware (what used to be known as viruses) or ransomware (where the attacker encrypts your data and you must pay a ransom to recover it).
If you only have one takeaway from this post, it’s to NOT click on any links unless it is a link that you are expecting to receive! If you DO want to unsubscribe from an email list, oftentimes your email provider/application will allow you to do anything from blocking a sender to categorizing emails from that sender as spam or junk, so that you don’t need to click on “Unsubscribe.”
13. Pop-up windows – Don’t click on pop-up windows that you’re not expecting, either. Let’s face it, there are a lot of companies out there that don’t necessarily harden (secure) their websites appropriately, so the attackers use those sites as vehicles to play to your fears.
For example, you may be on a compromised website where the attackers install malware to present a pop-up window on your computer stating that you need a “critical update” and to “click here” to fix it.
Oftentimes, by clicking, you may be opening the door for the attacker to install nefarious software on your computer. If you do think you need to update your system or your application, just go to the website of the provider to pull down the update rather than click on a box/link.
Since cyberattacks and ransomware attacks could happen to anyone, anywhere, some things you can do to reduce the probability, besides being vigilant to the threats mentioned above, include:
- Keep your system up to date with security patches.
- Install current anti-virus/anti-malware programs.
- Use multi-factor authentication for any of your critical accounts (e.g., banking, finance accounts) if available.
- Use long passwords wherever possible and don’t use the same password for multiple accounts. Better to have a long memorable passphrase (e.g., Thecowjumpedoverthemoon) than a shorter complex one (+heM00n).
- Ensure that you periodically back up your files to an offline source – even better if you can set this up automatically; but make sure that a ransomware attack won’t propagate to your backups.
- Lock your computer when not in use (requires password to re-access).
- Don’t click on links you are unsure of.
If something looks like it’s too good to be true, it’s likely not true.
It is always safe to take some time before responding to something so you can either reflect on it or so you can talk with someone who may be more in the know about scams, be it your children, your friends/co-workers, or your friendly neighborhood cybersecurity professional.
About the Author
As Vice President of the Risk, Security, and Privacy Consulting Practice at Online Business Systems, Steve leads the rapidly growing pragmatic risk-based cybersecurity consulting practice, including security advisory services/virtual CISO, risk assessments, PCI assessments, healthcare cybersecurity, cloud security, and penetration testing. Prior to joining Online, he provided consulting leadership for the security consulting practices at Verisign and AT&T Consulting. His experience includes serving as virtual CISO, performing hundreds of risk and PCI assessments, and providing strategic security advisory services. Steve has over twenty years of IT security experience and over thirty years of IT experience, and holds CISSP, QSA, and CISA certifications and an MBA from Emory Business School.