Are You Getting Phished?


Since I am an avid fisherman, I thought I would use the illustration to the right to compare phishing to actual fishing. Is it fishing or phishing? In essence, it is still the same thing. Bait is thrown out there, waiting for a bite. The bad guy waits for a fish/victim to swallow the hook and make the run. Wait, you're not going anywhere. Why? Because you have a hook in your mouth and can't get away. Whether they have installed malware or gotten you to inadvertently give away information, that is all they need. Enough about that; I think you get the point.

Phishing, as we call it, is the fraudulent practice of sending emails purporting to be from a reputable company to induce individuals to reveal personal information, such as passwords, social security numbers, credit card numbers, and other PII (Personally Identifiable Information). It is incredible how many of us have fallen victim to this type of attack, whether at work or on personal time. Either way, it is a severe problem, even more so now that we have so much unrest in the online world. So many hackers and scammers are coming out of the woodwork in droves to wreak havoc. Dmitri Alperovitch, head of the Silverado Policy Institute, who made his name as the founder of CrowdStrike, indicated that it's quite possible "they" will release the criminals "they" have arrested this year, which would send a signal to the criminal underground that it's open season on Western organizations. We know who the "they" are. For the purposes of the article, let's be neutral.

How many of us have clicked on emails without suspecting anything? Don't say you haven't. I have. I don't do it anymore since I am a little more cautious and, yes, a little paranoid. This past weekend someone reached out to me from ________ Realtors asking me if I was interested in a real estate sales position. I am protecting their name because I don't want to be accused of slander; there is enough of that going around these days. I would never consider selling real estate, but nonetheless I investigated the email address and the person behind it. Guess what? The person that emailed me did not exist, red flag #1. Here was the exciting part: there was a link in the body of the email saying that if you are not interested in receiving this type of email and "don't want to make a lot of money," click here. I love the FOMO, "fear of missing out". The bad guys are using this technique, so be careful. Getting back to the email, the unsubscribe link is usually at the bottom because they want you to finish reading the email and then decide what to do. The fact that the person did not exist led me to believe that the connection was an extension to a malware virus; once malware is installed on your computer, the bad guys can follow everything from keystrokes to passwords and anything in between. Oh yes, watch out for the unsubscribe button; there can be malicious links in there as well. Just delete it!

While going through your cybersecurity journey, it is essential to dig a little deeper. The Federal Trade Commission is the U.S. consumer protection agency charged with helping Americans protect their data and privacy. Its goal is to help adults and teens think through the consequences of oversharing. There are many tips on their website if you are unsure.

I picked up some great advice from Kristin Judge, CEO and President of Cybercrime Networks, while researching for this article. Here are some great tips. www.Internetlivestats.com is a website that shows in real time how much we are sharing our lives digitally and using the internet to communicate. It's become second nature for some people to post the good, bad, and ugly about their life online, with Photoshop, of course. Now, with more deepfakes out there, what do we believe? It is unbelievable how much the younger generation is posting on Snapchat and now TikTok. It's important to realize that a business can be impacted by the actions of staff, family, and friends, even when they're away from work. With five billion videos watched on YouTube on any given day, think about what could happen if a video of someone at your office doing something controversial went viral.


The website ReputationDefender has four common-sense tips about limiting sharing online. The first is to lock down your account. Think before adding birthdays, addresses, phone numbers, and other personal information to your profile. Why? Because you can be profiled and targeted in a spear phishing attack. Set your privacy settings to keep the public from seeing your posts. A "friends of friends" privacy setting may not be a good idea. Do you trust all your friends' friends? Next, consider who might read your posts. Does the information you post online pass the grandma test? The rule in our family was never post something you wouldn't want your grandma to see. Your posts may be read by future customers, members of the press, your competitors, future employers or investors, or even worse, your grandmother. If you don't want her to see it, don't post it. The third tip is, don't post other people's information. Anyone born after Facebook was created most likely has a photo history of their life online that they did not make or give permission for. I understand proud parents wanting to show off their beautiful baby, preschooler, kindergartner, or middle schooler, but the experts at ReputationDefender encourage you to think twice before sharing information about others. Set your privacy settings to require you to approve someone else tagging you in a post.


And please, please stop posting about upcoming or ongoing trips. Just this past spring break, I saw posts with friends sitting at the airport, announcing they were on the way to a beach vacation for a week. I called my friend who I knew was on vacation and said, how is your trip going? Great, he replied. I said, then why is there a moving truck in front of your house? Next, I can't feel my legs, he replied. I said, no worries, I am only kidding. The point is, when the bad guys want to get you at your most vulnerable, they will usually exploit that.

Do you trust the 800 people within your social media accounts who know your house is empty? How about an email notifying you that your Netflix account was suspended while you were away? A simple email explaining that you must put in a credit card to get that account back online might prompt you to do something now instead of doing it when you get home. If a would-be cybercriminal can look at a business website and find contact information for the CEO, accounts payable manager, HR specialist, or CFO, then they can start the phishing process. They can send a pretty convincing email to test the waters. This is known as social engineering. So take a look at your company website and see how much information can be gathered to help trick someone online. The point is, creating a sense of urgency is one way the bad guys get what they want. If you are a bad guy and experienced with any form of socially engineered tactics, then it can be figured out.

Email is not the only place to watch for phishing attempts.


The bad guys know how much time we now spend on our phones, so they're now phishing us by text or through sophisticated apps. If you get a text you're not expecting, delete it, especially if that random text has a link or asks you for information. Now, with many people out of work, employment apps are working to separate you from your information. If someone needs you, let them call you. Fake websites, such as ones posing as Covid-19 information sites or charitable organizations, can also phish sensitive information from an unsuspecting user. The website www.opendns.com has a free online test to see if you can spot a fake website. Also look for HTTP versus HTTPS in the address. HTTPS indicates that it is a secure website, and a lock icon can usually be found next to it. Take some time to go through this test with your coworkers and learn together. The best way to avoid becoming a victim of phishing is just to slow down a bit and be cautious. The Stop Think Connect International Campaign has a very simple message. Stop before you click on something, think about what you are sharing and with whom, and then connect to the internet with confidence. Good advice for all.


Go Fishing and have fun!!!! But don't tell everyone where you're going and how long you will be out of town. LOL. That's me on the right, fishing for Striped Bass a few years ago.

I hope this information was helpful, be safe and be well.

Having the best system in place is all well and good, but it means nothing if it does not protect. Businesses and organizations collectively lose billions of dollars a year to IP theft, financial theft, malicious attacks, socially engineered attacks, and more. Let's not forget about professional reputation.

Current member of these professional affiliations

InfraGard, Federal Bureau of Investigation (FBI)

International Association of Financial Crime Investigators (IAFCI)

Association of Fraud Examiners (ACFE)
