U.K. Phishing Attack Targets Those Seeking the COVID-19 Vaccine

This latest phishing scam impersonates the UK’s National Health Service, telling recipients that they are eligible for the vaccine in order to collect valuable banking and credit card details.

I really despise these scammers. At a time when people are searching for a way to protect themselves, these lowlifes of the cybercriminal world prey on those in fear. This latest scam has recently hit the UK where unsuspecting victims were sent an official-looking email purporting to be from the UK government with a simple message – that the recipient has been selected for the vaccine.

Would-be victims who click the “Accept Invitation” link are taken to a legitimate-looking website that appears to be the NHS:

[Image: the phishing landing page impersonating the NHS. Source: Bleeping Computer]

Once victims again choose to accept the invitation, they are prompted to answer a series of questions that collect personal details including the victim’s name, their mother’s maiden name, address, and mobile number, as well as credit card and banking details.

While this scam feels like it’s targeting individuals, the very same scam is possible within your organization; all it takes is a little spin on the theming (e.g., make the email appear to come from the HR department about a company-wide vaccination, with a link to the rollout schedule that happens to attempt to collect Office 365 credentials) to make it business-worthy.

Organizations need to take seriously attacks that appear to target individuals rather than corporations, as shifting a campaign to steal corporate data only requires a few changes in how an attack like the one above is executed.

Putting users through Security Awareness Training is an effective way to help them protect themselves and the organization, regardless of how well-executed a phishing campaign is.

Popular Car Company Becomes Next Target in $20 Million Dollar Ransomware Attack

Popular car company Kia Motors America recently made headlines over a possible ransomware attack, in which a cybercriminal gang demanded a $20 million ransom in exchange for not leaking stolen data.

It was reported by Bleeping Computer earlier this week that the car company suffered a major IT outage that affected all of its technology applications. A customer tweeted that they were told by a dealership that the outage was due to a ransomware attack.

The ransomware group allegedly responsible for this attack was DoppelPaymer, a popular gang that steals unencrypted files before encrypting the victim’s devices. They also leak data on a site to further pressure the victim to pay the ransom. Below is a recent example of just that:

[Image: example of a DoppelPaymer data leak post. Source: Bleeping Computer]

Kia Motors America released a statement with the following, “KMA is aware of IT outages involving internal, dealer and customer-facing systems, including UVO. We apologize for any inconvenience to our customers and are working to resolve the issue and restore normal business operations as quickly as possible.”

Make sure your organization is not the next victim of ransomware. New-school security awareness training can teach your users how to spot and report any suspicious activity.

Bogus Bug Reports as Phishbait, Scams

Some bug bounty seekers are using extortionist or fear-mongering tactics in an effort to get paid for reporting trivial flaws, according to Chester Wisniewski at Sophos. He calls them “beg bounty” attempts. Wisniewski explains that, “‘Beg bounty’ queries run the gamut from honest, ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward, to borderline extortion demanding payment without even providing enough information to determine the validity of the demand.”

For example, some of these individuals use automated scanners to identify websites that don’t have DMARC enabled, then send a copy-and-pasted notification to each website’s owner.

“They claim to have found a ‘vulnerability in your website’ and then go on to explain that you do not have a DMARC record for protection against email spoofing,” Wisniewski writes. “That is neither a vulnerability nor is it in your website. While publication of DMARC records can help prevent phishing attacks, it is not an easy policy to deploy, nor is it high on the list of security tasks for most organizations.”

While some of these people are probably well-meaning, others are clearly scammers seeking to frighten victims into paying. Even in the cases where real vulnerabilities were identified, the flaws were minor and not worthy of a bounty payout. Additionally, many of the targeted organizations didn’t have bug bounty programs set up in the first place. Wisniewski thinks small businesses are most at risk of falling for these tactics.

“There are reports that paying beg bounties leads to escalating demands for higher payments,” Wisniewski says. “One organization apparently said it started out at $500 and then, as further bugs were reported, the senders quickly demanded $5,000 and were more threatening.”

If you do have a bug bounty program, you’ll know about it. And if you don’t, let your people know that, too, so they don’t fall victim to this…what? Grey hat scam? Not all scams come in black and white. New-school security awareness training can help your employees remain calm and avoid falling victim to scare tactics and other social engineering techniques.

Caught by a CAPTCHA?

Be aware that you could be drawn into solving CAPTCHAs on behalf of criminals.

I do not know anyone who loves CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart). These are little online tests that supposedly tease out whether the action being performed is being done by a human or some automated bot program or script. They are needed because miscreants across the Internet would otherwise abuse the involved services to create bogus accounts used to hack others or simply abuse the system in some other way. CAPTCHAs are an unfortunate, but necessary part of life (at least right now). We are forced to interact with them when we are newly registering on websites or performing a potentially risky action.

CAPTCHA Examples

There are many different types of CAPTCHAs, ranging from extremely easy to solve to ones that require more effort and are more prone to human error. In their easiest form, they are simply a box (see example below) that we are told to click.

[Image: “I’m not a robot” checkbox CAPTCHA]

And all we do is click the box to prove we are not a bot, resulting in the image we all see below.

[Image: the same checkbox after it has been ticked]

Some of the CAPTCHA tests ask us to type out characters we see that have been exaggerated and changed in some way that humans can supposedly still make them out, but an automated optical character recognition (OCR) program could not. See example below.

[Image: distorted-text CAPTCHA]

I am sure many of us really hate those sorts of tests because it can be tough for anyone to figure out what the characters or words are at times. I have even hit the ‘Send a new word’ button before and had to cycle through a few new offers before I could find one that I could figure out 100%.

Some CAPTCHAs (like the one below), used by TikTok, simply ask you to pick out two similar objects.

[Image: TikTok CAPTCHA asking the user to pick two similar objects]

The most complicated ones are the ones that ask you to “Click on all the squares…” that contain traffic lights, cars, traffic signs, or some other supposedly common image (like the image below).

[Image: Google image-grid CAPTCHA]

The problem with these types is that many times, the blocks will contain a very tiny piece of the required object, often looking almost accidental or microscopic, and you’re not sure if it should be selected or not. Forget frustrating bots, CAPTCHAs frustrate humans.

If you want to see a seriously funny video that pokes fun at the trials and tribulations of CAPTCHAs, watch this video here.

CAPTCHA Tricks

The reason why CAPTCHAs are not going away is that they work. They significantly defeat automated bots and scripts. There have been many attempts by hackers to automate answering CAPTCHAs in bulk, including using machine learning, OCR, and artificial-intelligence-like tools. None of them work as well as a human.

So, hackers simply outsourced CAPTCHA solving to human beings. Hackers still use bots and automation to register on websites and create accounts, and the whole process is automated except for the CAPTCHA step. They do not use the website’s normal pages as offered to a normal user surfing the web. Instead, they create malicious programs that interface with the website or its application programming interface (API), which strips away all the human-readable presentation and simply, quickly fills in the required account registration information. And when the CAPTCHA component is shown, the bot sends just the CAPTCHA part to real humans paid by the hackers to solve one CAPTCHA puzzle after the next. Somewhere in the world are teams of sweatshop workers who work tirelessly to solve CAPTCHAs, one after the other, as fast as they can. The sweatshop workers make only a tiny amount per solved CAPTCHA, but if they can solve hundreds to thousands of them in a day, they can make a few dollars, or a decent living for their skill set in their part of the world. I know of skilled IT workers who bought their less skilled parents a computer, set it up in their house, and their mom and dad solve CAPTCHAs to supplement their normal income. It’s not ethical, but in many parts of the world, it’s the way a part of the population makes their money.

Websites using CAPTCHAs understand that hackers will hire teams of sweatshop workers to solve CAPTCHAs, so they fight back in many ways, including tracking the originating IP addresses involved in solving the CAPTCHA. If too many CAPTCHAs are solved from one IP address, they cut that IP address off or no longer allow it to solve future CAPTCHAs. Hackers responded by rotating the IP addresses they use so they do not get “burned”, but it significantly slowed down illegal CAPTCHA solving.

Frustrated hackers responded by sending CAPTCHAs to be solved to millions of innocent people across the Internet, each with their own individual IP address. The criminals compromise innocent websites around the Internet and, instead of inserting malicious JavaScript that tries to install malware or phish login credentials, they insert script that displays a CAPTCHA, which they hope the hapless user will fill out and respond to.

It was just such an attempt that I saw today that inspired this blog. I went to a popular news website that I visit every day, several times a day, and all of a sudden on that website, I saw a CAPTCHA pop-up that told me I had to solve it (just one of the simple click-here types). I shook my head, and thought, “What’s This?” and was just about to click it when I realized that it was probably a malicious CAPTCHA redirect. I examined the proposed CAPTCHA. It looked as normal as any CAPTCHA I had ever seen before. I would have taken a picture for this column, but it looked like any other CAPTCHA I had ever seen before…no clues of its maliciousness. It was just a CAPTCHA on a website that does not require registration and never before had asked me to fill out a CAPTCHA.

I hit the refresh button and the malicious JavaScript CAPTCHA disappeared and the regular website came up. I downloaded all the website code to see if I could figure out where the malicious JavaScript was, but my browser refresh had brought up a new instance of the website without the malicious CAPTCHA. My “evidence” was gone. More importantly, the website I was on was not asking me to complete a CAPTCHA, proof that the one shown to me was a malicious redirect. I notified the website’s developers about the issue, but haven’t even received an automated reply.

I am not sure where the malicious CAPTCHA redirect came from. The average popular website has 50 to 150 different elements that make up the website page we see and most of those elements are from third-party sites and services, and not from the domain name you went to. Maybe the malicious JavaScript came through on a banner ad. Maybe it came through on a borrowed JavaScript element. Somewhere on that web page was a compromised element that ended up, at least for that one instance, displaying a malicious CAPTCHA redirect.

Why You Should Care About Malicious CAPTCHAs

Now, in the grand scheme of things, malicious CAPTCHA redirects are very low risk to the end user. As far as I know, they cannot be used to silently install malware on a user’s device or to redirect them to a malicious web page. In that way, they are a bit like adware – more of a pest than outright dangerous.

But like adware, a malicious CAPTCHA is a stand-in for something far more malicious that could be presented to us or our end users in exactly the same way, and that, if they don’t recognize it and click, can lead to real harm. The same root exploits that get adware or a CAPTCHA redirect in front of an end user could just as easily deliver far more dangerous payloads. The presence of adware on a computer means a much more malicious backdoor trojan or ransomware program could use the same hole or trick. If a user ONLY has adware, they are just lucky. It could have been far worse. And if they do not figure out how the adware got on the computer, worse things could easily happen next time. Luck runs out.

The same is true with malicious CAPTCHA redirects. At the very least, none of us want to be involved in solving CAPTCHA puzzles for hackers so they can automate malicious account creation and do worldwide malicious things. But it is also a teachable moment for end users. All users should be aware that potentially dangerous elements could be presented to them that they need to evaluate and handle properly, even if they go to what they think is a “safe” web page.

Educate your end users to be aware of possible dangerous website elements that get inserted into their favorite, legitimate websites; and how to recognize and respond. New-school security awareness training is all about making people aware of what can be done, what it looks like, and how to treat issues. Let your end users know about potential malicious CAPTCHA redirects, because if they can recognize and avoid those, they are going to be ahead of the game with the more malicious web elements.

Phishing and Impersonated Brands

Microsoft is still the most impersonated brand for phishing campaigns, according to researchers at Vade Secure. The security firm spotted 30,621 unique Microsoft-related phishing URLs in 2020. The researchers note that “[a] single unique phishing URL could be used in hundreds or even thousands of phishing emails.” Facebook was the second most impersonated, with 14,876 unique phishing URLs. PayPal came in third, followed by Chase and eBay.

“COVID-19 colored everything in 2020, so it’s not surprising that cloud came out on top,” the researchers write. “As the working world switched to remote, the need for cloud-based solutions skyrocketed. Microsoft Teams users increased from 44 million in March 2020 to 75 million in April 2020. Meanwhile, Facebook, Google, and Netflix saw big financial gains during COVID-19, and each is in the top 20.”

E-commerce phishing has also been on the rise due to the pandemic, and some new brands have made it to the top ten list.

“New to the Phishers’ Favorites list, Rakuten, a Japanese e-commerce company, made its first appearance on the list, coming in at #6,” the researchers write. “Rakuten’s rise is thanks to a large spike in phishing activity in Q3 2020, when Vade Secure detected a 485 percent increase in Rakuten phishing URLs.”

The researchers also observed a year-over-year increase in phishing emails laden with the Emotet banking Trojan.

“Phishing emails weaponized with malware also featured prominently in 2020,” Vade Secure says. “Emotet, which had gone silent in early 2020, returned briefly in the spring and came roaring back in the fall. A wave of Emotet malware emails hit Microsoft users in September, with a single-day high of 1,799 phishing URLs and 13,617 for the quarter, a 44 percent increase from Q2.”

Trends in phishing lures change over time, but the underlying hallmarks of social engineering remain the same. New-school security awareness training can help your employees recognize phishing emails and other social engineering attacks.

New Phishing Scam Uses Fake PPP Loans to Trick Victims into Giving Up Personal Information

Taking advantage of people’s need for financial assistance, these scammers pose as a bank offering “forgivable business loans to individuals impacted by the pandemic.”

Nothing says low life more than someone who purposely targets those who are already down and out. Those responsible for a new scam identified by the security researchers at Abnormal Security are the lowest of the low – running a scam essentially promising free money to those that are in need.

In this scam, thousands of potential victims were sent an email impersonating an SBA Lender “World Trade Finance” informing the recipient that the Paycheck Protection Program has been extended and they are now taking applications for new forgivable loans.

Those interested click a link that takes them to a genuine Office 365 form, which makes the request appear legitimate:

[Image: the PPP loan application form hosted on Office 365]

Victims are asked for every piece of personal information including name, birthdate, and social security number – along with other business details to make the form seem legitimate.

There were some telltale signs that this was a scam to begin with:

  • The email was sent to ‘payments@sba.pppgov.com’, a domain obviously not associated with the government.
  • The actual recipients appear to have been blind-copied (Bcc).
  • The link goes to an Office 365 form and not to something embedded in the business’ actual website.
  • While there is a ‘World Trade Finance’ that is an SBA lender, a quick lookup of the lender and a comparison with the address provided in the email would reveal a mismatch.

Users can easily avoid becoming the victim of such scams once they look at email and web content through a scrutinizing lens. This only comes through continual Security Awareness Training that educates users on what to look for, the types of scams that occur, and how to keep a vigilant mindset while working.

It’s Not Only About the URL

You have to look at the totality of an email to determine whether it is a phishing attack or not.

I’ll admit it, I’m guilty. When I get a phishy-looking email, the first thing I do is hover over the URL to see if it is legitimate-looking or not. And, most phishing emails do contain rogue-looking domains. So much so, that I actually wrote about this here previously and created a one-hour webinar all about how to teach yourself and co-workers how to spot rogue URLs. You can even download our handy Rogue URL PDF handout (shown below) for a quick review or to hand it out to your co-workers.

[Image: Red Flags of Rogue URLs handout]

Analyzing included URLs is a big part of determining if something is malicious or not.

It’s just not the only thing!

The URL Is Not Everything

We all need to look at the totality of the potentially suspicious phishing request to determine if it is malicious or not. URL investigation is a big part of that process, but there are many phishing scenarios where the URLs are indeterminate or even completely, 100%, legitimate. For instance, many phishing emails originate from common, shared domains. For example, many phishing emails come from onmicrosoft.com (O365-hosted domains), gmail.com, and sendgrid.net. I was highly suspicious of sendgrid.net because a lot of phishing emails come from there, and then I realized that one of my absolute favorite computer security portals, Spiceworks, sends all of its emails from sendgrid.net. And that’s not a bad thing. Sendgrid.net is a legitimate service used by mostly legitimate people, but because it is widely and publicly available, it is often used by scammers, as are the shared, public domains of Microsoft and Google.

Many times, phishing emails come from legitimate, private domains. Oftentimes, it is a hijacked domain, and the involved link has nothing to do with the brand or request being impersonated. For example, the rogue URL link says something like waterworks.com/inbox/subscriptions/rogue.jsp, where you can tell that someone’s otherwise legitimate domain and website have been hijacked by a hacker who is using it until the exploit and hole that allowed him/her in is shut down.

But sometimes, not only is the domain legitimate, but it comes from a domain you trust and regularly do business with. Most of the time, the other side you trust has been pwned and is now being used, unbeknownst to the victim involved, to send spear phishing attacks to people who trust and regularly do business with them. These types of phishes are known as third-party phishing attacks, and I wrote about them here. Add to this any time a co-worker has been infected or compromised. The email coming to you could be coming from a close friend.

And sometimes, despite your experience and expertise, looking at the URL just doesn’t solidly indicate whether a suspected phishing attack is definitely a phishing attack.

I found myself relying way too much on URL inspection as my first and often only sign of whether something was malicious or not. So much so that I almost prematurely approved some malicious emails as legit. It happened enough that I was starting to scare myself that one day I would miss one. And even though I knew I was overly reliant on URL inspection, I couldn’t shake the habit at first. I still found myself looking at the URL in a suspected message first and often making the decision then and there.

Drill – Everything But the URL

So, I created a new drill for myself. For months, if I suspected an email or web scenario as being malicious, I refused to look at the URL until the very end of the inspection. I would take my time and see how many other “red flags” of social engineering I could find. Did I see obvious typos? Did I see subject and content mismatches? Did I see email address mismatches? Did the email come in at a strange time? Was the email an unexpected request for something I had never done before? Did the email contain a “stressor” event where it is telling me I had to do something very quickly or there would be consequences? Is it asking me to perform an action that may result in harm? And so on.

My self-imposed drill was a success! In every case of a legit phishing email (or website), I found at least a handful of other clues, that taken in their totality, indicated that what I was dealing with was a malicious phish. Oftentimes, by the time I got to the URL, I had already made my decision. And here is the most important lesson: When I looked at URL last, I was more often able to determine whether an email was malicious or not overall. I didn’t let the URL alone become the primary deciding factor. With my old behavior, using the URL alone or first and primarily, there were definitely times when I wasn’t sure. Using my new strategy, I have successfully determined legitimacy faster and with more accuracy.
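The drill above, turned into a checklist that a mail-triage script can apply, as an added example (not the author’s code): it scores the non-URL red flags first and only notes the link host at the very end. It assumes the message is available as raw RFC 822 text; both sample messages below are constructed, and the brand check is deliberately crude (first word of the display name should appear in the sender’s domain).

```python
"""Added example: 'everything but the URL' red-flag checker for a suspect email."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# "Stressor" phrases: the email demands fast action or threatens consequences.
STRESSOR_PHRASES = ("immediately", "within 24 hours", "urgent",
                    "account will be suspended", "final notice", "action required")
# Requests whose execution could cause harm (money movement, credentials, macros).
HARMFUL_ACTION_PHRASES = ("wire transfer", "gift card", "verify your password",
                          "enter your credentials", "enable macros")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def display_name_mismatch(from_header):
    """Display name claims one brand but the address belongs to another domain.
    Crude on purpose: the first word of the display name must occur in the domain."""
    name, addr = parseaddr(from_header)
    brand = name.split()[0].lower() if name else ""
    domain = _domain(addr)
    return bool(brand) and bool(domain) and brand not in domain

def reply_to_mismatch(msg):
    """Reply-To points at a different domain than From, so replies go elsewhere."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return bool(reply_addr) and _domain(from_addr) != _domain(reply_addr)

def odd_send_time(msg, start_hour=7, end_hour=19):
    """Sent outside plausible working hours (judged in the Date header's own zone)."""
    try:
        sent = parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        return False
    return not (start_hour <= sent.hour < end_hour)

def subject_content_mismatch(subject, body):
    """Subject promises one topic but none of its words (4+ letters) appear in the body."""
    subject_words = {w.lower() for w in re.findall(r"[A-Za-z]{4,}", subject)}
    body_words = {w.lower() for w in re.findall(r"[A-Za-z]{4,}", body)}
    return bool(subject_words) and subject_words.isdisjoint(body_words)

def red_flags(raw):
    """Return the list of red flags found; URL inspection is done last."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    text = body.lower()
    flags = []
    if display_name_mismatch(msg.get("From", "")):
        flags.append("display name / sender domain mismatch")
    if reply_to_mismatch(msg):
        flags.append("Reply-To domain differs from From")
    if odd_send_time(msg):
        flags.append("sent at an unusual hour")
    if subject_content_mismatch(msg.get("Subject", ""), body):
        flags.append("subject does not match content")
    if any(p in text for p in STRESSOR_PHRASES):
        flags.append("stressor: urgency or threatened consequences")
    if any(p in text for p in HARMFUL_ACTION_PHRASES):
        flags.append("asks for a potentially harmful action")
    # Only now look at the links, and only to note whether any point off-domain.
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", body)
    _, from_addr = parseaddr(msg.get("From", ""))
    if any(not h.lower().endswith(_domain(from_addr)) for h in hosts):
        flags.append("link host differs from sender domain (checked last)")
    return flags

# Constructed samples (not real messages).
SAMPLE_PHISH = """\
From: "Microsoft Support" <alerts@mail-notify.example.net>
Reply-To: helpdesk@collect.example.org
To: you@corp.example.com
Subject: Shipping update
Date: Tue, 16 Feb 2021 03:12:00 +0000
Content-Type: text/plain; charset="utf-8"

Your account will be suspended within 24 hours unless you verify your password
here: http://login.example-verify.net/o365
"""

SAMPLE_CLEAN = """\
From: "Acme Billing" <billing@acme.example>
To: you@corp.example.com
Subject: March invoice attached
Date: Tue, 16 Feb 2021 10:12:00 +0000
Content-Type: text/plain; charset="utf-8"

Hi, the March invoice is attached as discussed. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, red_flags(raw))
```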

If You Still Can’t Confirm Legitimacy

Phishes are ever marching toward more realism. I’m seeing more phishes show up that I can’t as easily determine the legitimacy of, whether or not I’m looking at the URL first. Here’s what I do:

First, if there is a way, I try to confirm the email externally, not using any of the provided information in the email. For example, if it says something has happened to my account that I need to verify, and it links to an account that I actually use, instead of clicking on the URL in the email, I simply go to the legitimate domain, log in, and then see if I get the same warning message. If not, the suspected email was a scam. If the email contains a phone number, especially if I’m told to call it, I go to the Internet, find the real company’s website, look up the phone number there, and call it. If the email claims to be from a department in your company or from a company you trust, call the legitimate phone number you already have on file. Do not call the phone number in the email. Scammers often have fake “switchboards” and operators ready to answer with the right branding.

In moments where I really can’t tell for sure if the email is legitimate or not, I can report it to a trusted colleague. Two sets of eyes are better than one. I’ve got a trusted friend in my company who I trust as much as myself or more to determine legitimacy. Sometimes when I’m in a bind, I send him the email…with a big subject banner indicating what I’m sending him is a suspected phish. And he has really helped me to see clues that I didn’t notice on my own.

At KnowBe4, we are also big believers in the Phish Alert Button. Our Phish Alert Button (PAB) is a free download and works with Microsoft Outlook and Gmail email clients. It installs a “macro” button on the email client’s toolbar that a user can click to report and delete suspected phishing attacks. Admins determine where to collect all suspected phishes ahead of time. It allows an IT security team to investigate individual phishing attempts more quickly and be able to report back to their end users if they reported a real or simulated phishing attempt.

If I have the time, I may send the suspected phishing email to a “throw-away” Hotmail email account I have and then open it up in a safe, isolated, virtual machine. I wrote about how to use Windows 10’s Sandbox feature to do this; although overall, I prefer the professional features offered by VMware, Hyper-V, Parallels, VirtualBox, etc. The Windows 10 Sandbox was convenient, but it just didn’t have enough features and was constantly being corrupted for reasons I don’t know and would not start unless I did a reboot of the host system. If you are interested in forensically examining phishing emails and are inexperienced at doing so, consider watching my webinar. If you don’t know how to forensically examine phishing emails, don’t risk it. Send to a friend instead or don’t do it. It’s all too easy to accidentally click on a link or initiate a malicious JavaScript.

Lastly, when in doubt, chicken out. A few times over the last year, I have received what I’m fairly sure are legitimate emails. Due to the nature of my job and writing for nearly 30 years, I receive dozens of emails from complete strangers every day. Many of them are overly familiar, acting as if we are long-time friends, and asking me to click a link to review something for them. Many of those emails are obviously written by English-as-a-second-language folks, so the sentences and phrasing often look like what you would see in a real phishing email. I get enough of them that I realize they are likely legitimate, and I don’t want to not respond and have them think I’m ignoring their email and simply providing poor service. But sometimes, in the end, no matter how hard I try, I don’t know for sure, and when that is the case, I either report it via our PAB button and let the experts determine legitimacy or ignore and delete it. I, and my company, can’t take the risk. When in doubt, chicken out.

We are starting to see more advanced phishes where simply hovering over the included URL doesn’t help you to determine legitimacy or not. You and your co-workers should always look at the totality of the phishing attempt to gauge legitimacy. Don’t rely on the URL alone. All people should be taught how to spot the common “red flags” of social engineering. You can also download and distribute far and wide our “Red Flags of Social Engineering” PDF.

No matter how you learn it, everyone should be educated to understand how to look at the entirety of a potential, suspicious request to determine maliciousness. Here at KnowBe4, we are big believers in security awareness training.

New Phishing Attack Uses Morse Code to Avoid Detection by Email Scanners

Yes – you read that right: cybercriminals have found a way to use 1830s technology to trick 2020s security solutions into not identifying phishing attachments as malicious.

Like you, when I first read about this I shook my head and thought, “no way – how would that even work??!?” But according to a post on Reddit, the bad guys realized they could digitally encode their malicious JavaScript in Morse code, effectively bypassing any email scanners.

The phishing attack starts out like any other, using some basic social engineering around paying an invoice and hosting an attachment made to look like an invoice with the filename ‘[company_name]_invoice_[number]._xlsx.hTML.’

But upon further inspection, the attachment leverages JavaScript containing a basic decoding function, in which each letter and number is assigned a Morse code value, and then calls it to decode a massive amount of Morse code stored within the file.

[Image: the Morse-code-encoded attachment. Source: Bleeping Computer]

The result is that when the HTML attachment is scanned, its contents appear benign to a security solution. But when run, the script converts the Morse code into two additional JavaScript tags that are injected into the page and executed.

The result of all this is a pretty creative rendering of a fake Excel document and an Office 365 logon screen, stating the user’s session had timed out.

[Image: the fake Office 365 sign-in page. Source: Bleeping Computer]

Creative? Yes. Unique? No – the bad guys could even devise their own simple character-substitution encoding (e.g., ‘A’ replaced with ‘D’, ‘B’ with ‘E’, etc.) and achieve the same result.
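A defensive counterpart to the attachment described above, added here as an example rather than code from the original post or from the attackers: it finds long dot-and-dash runs in an HTML attachment, decodes them with the standard international Morse table (the real attachment’s mapping is not reproduced here and may differ), and flags decoded text that names script-loading primitives. The sample attachment is constructed.

```python
"""Added example: flag Morse-encoded payloads hidden in an HTML attachment."""
import re

# Standard international Morse for letters and digits (assumed; the attackers'
# own table is not reproduced here and may differ).
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..", "0": "-----", "1": ".----", "2": "..---",
    "3": "...--", "4": "....-", "5": ".....", "6": "-....", "7": "--...",
    "8": "---..", "9": "----.",
}
FROM_MORSE = {v: k for k, v in MORSE.items()}

# A "run" is at least 21 Morse symbols separated by whitespace and/or '/'.
# Ordinary HTML and JavaScript almost never contain such a sequence.
MORSE_RUN = re.compile(r"(?:[.-]{1,5}(?:\s|/)+){20,}[.-]{1,5}")
# Decoded words that point at script loading or execution.
SUSPICIOUS_WORDS = ("SCRIPT", "EVAL", "DOCUMENT", "UNESCAPE", "FROMCHARCODE", "ATOB")

def encode_morse(text):
    """Letters separated by a space, words by ' / '. Used only to build the sample."""
    return " / ".join(" ".join(MORSE[c] for c in word) for word in text.upper().split())

def decode_morse(run):
    """Decode a Morse run; unknown symbols become '?' rather than aborting."""
    words = []
    for word in re.split(r"\s*/\s*", run.strip()):
        words.append("".join(FROM_MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(w for w in words if w)

def scan_attachment(html):
    """Return runs found, their decoded previews, and an overall verdict."""
    findings = []
    for m in MORSE_RUN.finditer(html):
        decoded = decode_morse(m.group(0))
        findings.append({
            "offset": m.start(),
            "symbols": len(m.group(0).split()),
            "decoded": decoded,
            "hits": [w for w in SUSPICIOUS_WORDS if w in decoded],
        })
    # Suspicious if the decode names script primitives, or if the run is simply
    # huge: a legitimate invoice has no reason to carry hundreds of Morse symbols.
    suspicious = any(f["hits"] or f["symbols"] >= 100 for f in findings)
    return {"runs": len(findings), "findings": findings, "suspicious": suspicious}

# Constructed sample attachment: a script that stores its real logic as Morse.
SAMPLE_HTML = (
    "<html><body><script>\n"
    "var invoice = '" + encode_morse("DOCUMENT WRITE SCRIPT SRC LOADER 42") + "';\n"
    "</script></body></html>\n"
)
BENIGN_HTML = "<html><body><p>Invoice 42 attached. Thanks!</p></body></html>\n"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(name, scan_attachment(doc))
```

A custom dot-and-dash mapping would still trip the long-run check, but its decoded preview would come out as gibberish; a substitution scheme over ordinary letters needs a different heuristic, such as looking for large string literals handed to a per-character decoding loop.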

The real stopping point here is the bogus email theming and horrible attachment name. Users that undergo Security Awareness Training are positioned to quickly see this for what it is and stop the attack before it goes any further than making it to the Inbox.

Three Tips to Stay Safe on the Road and the Information Superhighway

You surf the world wide web, you scroll through social media feeds, read articles, shop online, and respond to email through the incredible invention of the internet. We’re all driving on the internet superhighway, but are we aware of what it means to be safe when we’re online? You know when driving in a car, you need to wear your seatbelts. You need to signal when changing lanes (well, some people do), and at a stop sign, make sure the car comes to a “full and complete” stop before waiting two seconds and proceeding forward if there is no other oncoming traffic.

People driving on the road find shortcuts or easier ways to evade some of the road’s safety rules. You might not always signal when turning or changing lanes, and I’ve seen many people who roll through stop signs, where they slow down, and if traffic is not coming, they make the turn. While these aren’t dangerous, people get comfortable with unsafe driving habits, which is very similar to unsafe internet surfing habits.

1. Double Check Links and Attachments Before Clicking
When you’re driving and the need arises to change lanes or turn onto another road, you have a flashing orange light on either side of the car to signal your intention to other drivers. Like signaling a lane change or a turn, users should check any links or attachments they receive in their email. Most of the time the email will not be malicious, just as not signaling usually does not result in an accident. However, like not signaling, you run the risk that the email is malicious and could lead to a cybercriminal gaining access to your computer or the organization’s network, or worse, to data theft and damage to the brand.

Cybercriminals will send phishing or socially engineered emails to thousands of email accounts with a message that may be too good to be true, like winning money, or that piques curiosity with an attached file containing information the user supposedly needs to see. The cybercriminal doesn’t expect everyone to respond, only enough people to open the email and click the link. When you receive emails, it’s essential to go through the proper thought process, like “am I expecting this email?”, “do I know the sender?”, or “why do I need to click the link?” Stopping to make sure the lane is clear, or stopping to ensure the link is safe, will provide a safer experience for you when surfing online.

2. Make Sure That Clickbait Isn’t Malicious
Coming to a “full and complete” stop in the car allows you to take a moment and check for oncoming traffic before proceeding into the intersection or making a turn. This action is a moment to stop and verify traffic. When surfing the web, you will come across links, advertisements or memes, which are humorous images with a saying that spreads rapidly online. All of these encourage you to click and follow the story — otherwise known as clickbait. These clickbait links help marketing companies track clicks of users interested in seeing the material. However, these advertisements may come from other third-party sources, which may not be vetted by the marketing service and can expose you to malicious code loading onto your device.

This code can allow cybercriminals to steal personally identifiable information, credit card numbers and other sensitive information. For a safer internet experience, when you see those “too good to be true” or enticing messages about a celebrity’s latest escapade, you may want to ignore them, or if the story is really of interest, do a separate Google search to confirm that it’s valid. This step gives you a reputable link and site to read about the story further and avoids an unnecessary opportunity for malware to be installed on your system.

3. Be Aware of Webcam Security Issues
Putting on your seatbelt in the car is necessary to protect yourself while driving. In the unfortunate event that you have a fender bender or another type of car accident, it reduces the risk of being thrown into the windshield or possibly smashing your head into the steering wheel. The seatbelt is designed to protect you while you’re driving, and a webcam cover can protect you from hackers watching you online. You’re online all the time with your laptops, smartphones and tablets. Most times, you may not be aware or forget that you have a webcam staring back at you. These webcams are a target of predators when they gain access to someone’s laptop.

Most cybercriminals go after Windows machines with webcams because they are easier to infect with malware, and most people do not cover their webcams. Sophisticated cybercriminals who gain access to a laptop can also prevent the LED indicator from turning on when they activate the camera. It’s critical to either put a piece of tape over the lens or get a webcam cover, as they are inexpensive to buy online. Like the seatbelt that protects you while you’re driving, a webcam cover can protect you from someone capturing you while you’re in front of your computer.

Think Before You Click!

Whenever you’re online, you assume a risk that you could experience a data breach or hack by cybercriminals. This risk is similar to driving on the road, where we stay alert to other drivers to avoid a car accident and the increased driver’s insurance costs that follow. Large organizations can buy cyber insurance, but that option generally isn’t available to individuals. You have to implement your own risk measures to protect yourself online. Whether that’s checking email links to avoid a phishing attack, verifying clickbait articles that seem too good to be true or even putting tape over your webcam, these measures can provide you with an overall safer internet experience.

READ MORE

Every Employee is Part of Your Security

Employees are an essential component of an organization’s security defenses, according to Nico Popp, Chief Product Officer at Forcepoint. On the CyberWire’s Hacking Humans podcast, Popp explained that humans generally want to do the right thing and can help prevent cyberattacks that can’t be stopped by technical safeguards. Popp pointed to the way financial institutions have their customers verify potentially suspicious transactions as an example of this.

“I always use the example of credit card companies,” he said. “They have been brilliant. You know, they have huge fraud issues. And what have they done? They basically involve us in the process of solving, right? They don’t always block your credit card. They may block you, but they may ask you, you know what? We’ve seen that transaction. It looks suspicious to us. Is that really you trying to complete this thing? And it’s working, right? Can you imagine, they are using all these consumers to solve the fraud problem? And, of course, we care. So we participate.”

Popp concluded that organizations need to shift the way they think about how employees fit into their security posture.

“So, taking that concept of putting the human in the middle and saying, look, you’re part of the solution,” Popp said. “We’re going to engage you. It’s not just about monitoring you, spying on you. Quite the opposite. We’re trying to make you better. But also, we want you to be part of our cybersecurity team, you know, because we want to be able to leverage the fact that we have this smart and caring human being, common folks behind the keyboard that also care about the company assets and can help there. Something that cyber has never done, really, that whole idea of putting humans in the middle of cyber. It’s all this different dimension, these different approaches.”

New-school security awareness training can create a culture of security within your organization by enabling your employees to thwart social engineering attacks.

READ MORE