The Greatest Threat to your Company’s Cybersecurity
No matter how much you have invested in your firewall or how effective your antivirus or anti-malware applications, you are still not protected from the most common means of intrusion by a hacker, virus or ransomware – YOU! (and your employees)
Nearly every news-worthy story of celebrities, high ranking government officials or well-established institutions have had their computers, accounts or networks compromised by the most insidious, common weakness – human nature. According to Webroot’s 2020 Cybersecurity Report, cybersecurity breaches will be increasing this year.
Just as allowing a stranger through your home’s front door is asking for trouble, opening an email from someone who seems legitimate can be just as dangerous. And the bad guys are getting much better at gaining your trust. There are two methods they use to fool you:
Not too long ago, the bad guys would send batches of emails to random people and make the email look like it came from a bank or a well-known website like eBay or Amazon or Walmart. The email might inform the recipient that their password had expired or that their account had some suspicious activity. The email then requested that the user change their password through a link which asked for their old password and then to select a new one. However, these emails did not come from a legitimate source and the website, which looked very legitimate, collected their credentials and stored it for future abuse. These poor victims had been ‘phished’.
Due to news reports and better cybersecurity awareness, the average computer user started to become more aware of these attempts to steal their information and credentials, so the bad guys had to change their tactic slightly.
When you receive an email, one of the first things you look at is the sender. Is it from someone I know? Maybe a relative or a coworker? Is it from a business or website that I use? If the email passes this mental screening, most people will just open the email. But what if the bad guys can make it look like it came from a trusted source? From your Uncle Jerry or your credit card company? They may even include the last four digits of your credit card number.
The bad guys are getting good – really good at fooling you. They are not content to just send out random emails to random people, but are gathering information about you – where you work, who you communicate with, online companies where you shop, etc. How do they know about Uncle Jerry? Well, you keep posting about him on Facebook. Social media websites are literally databases of information about you, your company, your relatives and where you shop. So it is not very difficult to create a custom tailored email that includes a few nuggets of personal information to lower your defenses. And when you open that personalized email – you have been Spear Phished!
So what can you do?
The best defense is common sense. Be constantly aware of an email’s ‘red flags’. Here are a few examples of common red flags:
- If you receive a notice that your package from FedEx needs your attention, but you are not expecting something from FedEx, that should be a red flag.
- If you recognize the company or service and they may even include your account number, but the sender has an unusual or foreign email address, that should be a red flag.
- If the email has a lot of misspellings or contains very poor grammar (and is not from your 6 year old niece), that is a red flag.
- If you receive an email to reset your password but you did not initiate it, that should be a red flag. If unsure, close the email and go to the website directly through your browser, but never click on the unsolicited link.
- If the email is of an urgent nature and requests sensitive information, that is a red flag (you can always confirm with a quick phone call if it’s that urgent).
But as mentioned before, we are all human and we get tired, bored and have to go through hundreds of monotonous emails every week. It is not surprising that we miss a few of these red flag clues. If you think that you have clicked on something that you shouldn’t have, the best thing you can do is let an IT professional know and run a malware scan on your computer.
When someone tells me that they think they were hacked or they clicked on a suspicious link, I tell them that the first thing they should do is change their password. The second thing to do is run a virus scan on the machine they used to open the suspicious link.
If you think you are a victim of a phishing or spear phishing email, you can contact Infinity Networking and we will help you assess your situation.
If your business would like to know more about Security Awareness Training for its employees, Infinity Networking offers a free trial of Webroot’s Security Awareness Training with simulated phishing emails and a library of security awareness training videos.