As noted in Part 1 of this series, employees have access to a variety of IT resources critical to the operation of your business. Computers and other hardware devices, data storage systems, email and mission-critical software and cloud accounts all require security policies that will protect your valuable data and sources of income. Employees who have access to any of those resources are the first line of defense against malware, hackers, and social engineering attacks. As such, your business needs a strong and properly managed IT security policy.
Phishing scams are so named because the bad guy attempts to steal your information by tossing in some bait and hoping to hook an unwary mark. Sometimes comical on the outside, these social engineering attacks are nothing to be laughed at. Millions in cash and data are stolen every year through the simple ploy of appealing to natural fear of authority, trust or greed. Tricks used by scammers are usually very simple; however, thousands of intelligent people fall for them every day.
Much is made of increasingly common data breaches, massive and small, but the most successful scammers do not need information generated from these leaks. The fact of the matter is that simple tactics work just as well to keep them well-supplied with your hard-earned money.
Online scams have grown sharply in recent years, and companies have begun to employ both internal and external consultants to get a handle on the problem and protect their customers. Recent reports indicate that as many as 30 to 50 percent of phishing emails sent are opened by the recipient.
Research by IBM reported in the IBM Threat Intelligence Index 2017 notes the volume of spam emails increased nearly four times in 2016 and the trend continued in 2017. Making these data even more significant is the estimate that more than half of all emails are spam and nearly half of all spam email contains some form of malicious content.
Companies have begun to test their security by testing the weakest links, their employees. One large banking concern found that over 20 percent of their employees opened a phishing email sent out as part of the test. A success rate like that in a huge financial institution is significant and dangerous for everyone.
The Anti Phishing Working Group identified over 120,000 unique phishing websites at the beginning of 2016 and by the end of the year, they reported nearly 100,000 unique phishing email campaigns aimed at their clients. The APWG findings note that nearly 20 percent of those campaigns specifically target the financial sector.
Symantec reports 76 percent of all companies fell victim to phishing campaigns over the course of Q2 2017. This clearly indicates that no business is immune to these scams and every business must take steps to mitigate the risk.
Common Types of Phishing Scams
Deceptive Phishing is the most common form of this type of scam. Bad actors will mimic legitimate companies to convince people to give up personal information. Emails of this type use the power of the company or government name they are impersonating to either gain trust or threaten an individual into giving up identifying data. One can easily recognize the hallmark of this type of attack in the sense of urgency expressed by the scammer: “You must take care of this bill today or we will be forced to initiate legal action.”
Spear Phishing is a more highly-targeted form of the phishing scam. An attacker has procured the target’s personal information, or some piece of it, and uses that information to convince the victim that he is legitimate. Gaining such information is not difficult as we now tend to provide lots of personal information on social media sites which scammers can scrape together and use to lull us into a false sense of security.
In a spear phishing attack, one might receive an email or phone call from an individual claiming to be from ABC Company wishing to speak to Your Name Here. He will then produce information about the victim’s job, phone number and other information he or she would only expect someone with need-to-know access to have. Such knowledge tends to verify the credibility of whatever the attacker tells one. He may suggest that the victim owes a sum of money which is past due on an account or an underpayment of taxes or any number of scenarios designed to convince him or her to read off a credit card number over the phone, reply in the email, click on a link or download an attachment.
Other email phishing attacks conceal malicious attachments as scanned documents sent from a Xerox or other brand of office copier. Many offices never change the default “Sent from a Xerox Scanner” subject and sender on their copiers to something specific to their company, so an incoming email carrying the generic message is easy to accept at face value. An unsuspecting victim opens the attachment, which may then install a trojan or other malware on the computer.
Similarly, one might receive what appear to be order confirmations, booking confirmations, newsletters, email delivery failure messages, even email from one’s mother. All must be carefully inspected to verify authenticity. Any suspicion should be treated as reasonable.
CEO Fraud, also known as a “whaling” attack because it is a spear phishing attack aimed at a high-level executive within a company, has been an area of interest for fraudsters in recent years with close to 50% increases in such attacks last year.
Such an attack is a multi-phase endeavor in which the criminal first gains access to an executive’s mailbox or account data through an initial attack, often a spear phishing email or stolen credentials. He then uses what he learns there and sends a directive to transfer funds from company accounts to those of the attacker, either from the compromised mailbox itself or from a spoofed or lookalike address crafted to pass as the executive’s.
Another kind of whaling attack involves spoofing an email account from a company’s client with a fake invoice. Many large, and even small, company executives are often too busy or distracted to carefully peruse every document. He or she may forward the bill for payment without verifying its authenticity. Alternatively, the invoice attachment may be yet another disguised malware waiting to be opened and activated.
A whaling variant seen around tax season targets W-2 data. In one form an employee receives an email appearing to come from the HR department requesting an updated W-2; in the form the IRS has repeatedly warned about, payroll or HR staff receive a request that appears to come from the CEO for copies of all employees’ W-2 forms. Either way, the schemer gathers Social Security numbers and other identifying information to use in further fraud schemes against the employees.
Pharming attacks target the name-resolution infrastructure instead of an individual. The Domain Name System (DNS) translates a human-readable host name such as www.google.com into the numeric IP address the internet actually routes on (an address of the form 184.108.40.206).
In a pharming attack, the criminal poisons a DNS server’s cache, or alters the victim’s resolver settings or local hosts file, so that a legitimate name resolves to the address of a server he controls. The victim types the correct address, is silently delivered to the fake site, and is duped unless inconsistencies are noticed. Because an impostor normally cannot obtain a valid certificate for a name he does not control, a browser certificate warning on a site that never produced one before is a strong signal of this kind of attack and should never be clicked through.
Dropbox, Google Docs, and other SaaS (Software as a Service) Apps phishing scams take advantage of the usefulness and convenience of these platforms to millions of individuals and businesses around the globe. A recent scam using Dropbox attempted to lure victims to log in to a false Dropbox login page that was ironically hosted right in a Dropbox account.
Dropbox and an increasing number of services that host sensitive or personal information offer two-step verification (2SV). 2SV requires a user to enter a username and password and then a second factor, such as a code sent to the user’s email or phone or generated by an authenticator app, so a stolen password alone is no longer enough to get into the account. One caveat: a one-time code can itself be phished. A convincing fake login page can collect the password, prompt for the code and relay both to the real site within seconds, so treat 2SV as a second layer rather than a guarantee, and prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which only work on the genuine site’s domain, wherever they are offered.
Vishing takes advantage of the growing popularity of Voice over IP (VoIP) telephony. Scammers use cheap VoIP lines to go back to the old-fashioned method of simply calling victims on the phone to phish for information.
Caller ID is not authenticated, and VoIP services make it easy to present whatever number the attacker chooses, so a call can appear to come from the victim’s bank, a government agency or a colleague’s extension. The victim feels secure because the caller ID looks correct, and the scammer impersonates whomever he wishes to propagate his scam. If a caller asks for anything sensitive, hang up and call back on a number you looked up yourself, never one the caller supplies.
SMiShing is the name given to any attack broadcast through SMS or texting. Any of the previously mentioned types of scam can be completed through a text, email or phone call. Some are more effective through one or more routes, but one must be aware that swindlers will use any method that works. If one vector does not, they will simply try another until they get a hit.
Avoiding Scams in the Workplace
DO NOT click on a link in an email unless you are sure it is genuine, such as a link in a newsletter to which you intentionally subscribed and receive regularly. Hover your pointer over the link and make sure the destination that pops up matches the site the link text suggests. Avoid clicking if it differs from the text, if it uses a link shortener such as bit.ly or goo.gl, or if the domain is a lookalike of the one you expect (an extra word, a swapped or accented letter, or a different ending tacked on to the familiar name). Read the address carefully: the domain just before the first single slash is the site that actually receives the click, whatever familiar names appear earlier in the address.
DO remember that government agencies and most large businesses will not initiate contact with you in ways that would trigger suspicion such as adding attachments, making demands, or requesting phone calls. They are aware of the scams out there and do what they can to avoid making them easier to proliferate.
DO NOT open an attachment unless you asked someone to send it to you or have verified that the person intentionally sent it. A compromised mailbox can be used to reply inside a genuine, ongoing email thread with a malicious attachment, so a familiar sender and a familiar subject line are not proof that the attachment is safe.
DO consider amending your company financial policies so that transfers and changes to payment details cannot be authorized by email alone; require confirmation over a second channel, such as a call to a phone number already on file, before any money moves.
DO take the time to open a browser and log into your bank or other financial institution if you get an email from them instead of clicking a link to log in. That way you’ll know it is really your bank. Most banks have an internal messaging system which will place any urgent messages for you within your account page.
DO recognize that almost every scam conveys a strong sense of urgency, pressing you to act immediately to head off some consequence, such as arrest, property seizure or account closure, that no legitimate organization would impose without notice and due process.
DO remember that a scammer seeks information you would not typically give via insecure channels or to unvetted individuals. Scammers must make you believe they are someone in authority with a valid reason for collecting this information. People in such positions of authority know when and where it is appropriate to collect such information.
DO always be suspicious. Phishing emails often look very real and appear very frightening. The tactic is to make a victim click without stopping to think first, so never click without thinking first.
DO ask yourself questions when you receive any kind of communication. Have you ever heard of this company? Did you send an email to this address? Are you behind on your taxes? Is this your bank or credit card company? Did you ask for this information?
DO use a good anti-virus software and spam filter to prevent most spam from ever entering your mailbox in the first place.
DO check the email header details, even when a message appears to come from someone you know. The display name and even the From address are trivial to forge; what an attacker cannot easily do is make a forged message pass the SPF, DKIM and DMARC checks for the domain he is pretending to be. Look at the Authentication-Results header your own mail server adds, and compare the From domain with the Return-Path and Reply-To domains: a mismatch, or a dmarc=fail verdict, is a strong warning sign.
DO note whether a communication contains significant misspelling and/or poor grammar. This is often a clear red flag that one is dealing with a scam, though the reverse does not hold: well-resourced attackers produce flawless copy, so clean text is not evidence of legitimacy.
DO know that any claim that you have money coming to you from anyone outside of your home country is almost 100 percent guaranteed to be fraudulent. Too good to be true is just that.
DO NOT believe anyone claiming to have found viruses on your computer. Other than the virus checker you have installed on your computer, no one, not even Microsoft, can determine that your computer is infected with a virus. Your virus checker will inform you if one is found, but no one from the company will call or email you to let you know. If someone claims to be capable of doing this, they are scamming you.
DO NOT take any action of any kind that provides any information or takes you to an alternate website as a result of a “popup.” Popups may be safe but they may also be the result of a virus infection on your computer or a website you are visiting. Clicking the popup is likely to have negative effects.
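As an added example, not part of the original article, here is a small Python script that automates the header and link checks from the list above on a raw message. The sample message, its domains and the shortener list are constructed for the example; real triage would run this over messages exported from the mail server (.eml files), and the Authentication-Results header is only trustworthy when your own mail server added it.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of URL shorteners to flag; extend it for your environment.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}

# Constructed sample message for this example (not a real capture). The
# Authentication-Results header is what a receiving mail server adds after
# running SPF, DKIM and DMARC; here DMARC fails for the claimed From domain.
SAMPLE = b"""Return-Path: <bounce@mail-campaign.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-campaign.example.net; dkim=none; dmarc=fail header.from=bigbank.example
From: "BigBank Security" <alerts@bigbank.example>
Reply-To: support@bigbank-verify.example.net
To: victim@example.com
Subject: Urgent: verify your account today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="https://bit.ly/3xyzabc">log in</a> now, or visit
<a href="http://www.xn--bgbank-qya.example/login">https://www.bigbank.example/login</a>.</p>
</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
# Visible link text that itself looks like a URL or a bare domain name.
URLISH_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$")


def header_domain(msg, name):
    """Lowercased domain of the first address in header `name`, or None."""
    addr = email.utils.parseaddr(str(msg.get(name, "")))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def auth_results(msg):
    """Verdicts (spf/dkim/dmarc -> pass/fail/none...) from Authentication-Results."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(value)):
            results.setdefault(method, verdict.lower())
    return results


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(href, text):
    """The hover check from the list above, done on the HTML instead of by eye."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if host in SHORTENERS:
        findings.append(f"shortened link hides destination: {href}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode (possible lookalike) host: {host}")
    match = URLISH_RE.match(text.lower())
    if match and match.group(1) != host:
        findings.append(f"text shows {match.group(1)} but link goes to {host}")
    return findings


def triage(raw_message):
    """Return human-readable warnings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    from_domain = header_domain(msg, "From")
    for header in ("Return-Path", "Reply-To"):
        domain = header_domain(msg, header)
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from From domain {from_domain}")
    verdict = auth_results(msg).get("dmarc", "no result")
    if verdict != "pass":
        findings.append(f"DMARC did not pass for {from_domain}: {verdict}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            findings.extend(link_findings(href, text))
    return findings
```

Calling triage(SAMPLE) returns six warnings for the constructed message: the Return-Path and Reply-To domains differ from the From domain, DMARC failed for the claimed sender, one link is shortened, one uses a punycode host, and one displays a bank address while pointing somewhere else. None of this proves a message is malicious, and a clean result does not prove it is safe, but it turns the advice above into a check that runs the same way every time.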
The weakest link in any area of security is the human factor, and these scams target it directly: they rely on people giving up information or access voluntarily and without suspicion, often without any technical exploit at all.
Therefore, it is critical that businesses present clear company policies which express how employees will respond to all communications which present a risk to private, personal, or sensitive information. Additionally, training should discourage users from publishing sensitive personal or corporate information on social media and elsewhere. Proper training must be implemented to teach employees to recognize these scams and avoid them.
Unfortunately, the human factor fails too frequently even with strong training and policy measures in place. Companies should further guard against fraud with security technology that goes beyond the standard desktop virus checker, though these are still valuable assistants in the war against malware. Companies should also invest in solutions which analyze incoming and outgoing email for malicious links and attachments, and should publish SPF, DKIM and DMARC records for their own domains so that mail forged in their name can be rejected by recipients.
What to Do if You Are Scammed
It happens. A scammer gets the best of you or someone you know. The response needs to be as quick as possible to mitigate the damage. One should assume the scam has definitely resulted in identity theft and the response should take such a worst-case scenario into effect.
First, isolate the computer. Disconnect it from the network (unplug the cable and turn off Wi-Fi) so that any malware cannot spread to other machines or reach its operator. Do not rush to power it off: a running machine preserves memory and other volatile evidence that an incident responder will want, and pulling the plug is only the right call when ransomware is visibly encrypting files and losing more data costs more than losing evidence. If this is a work computer, contact your IT team immediately and let them handle the cleanup of the computer itself. Make sure they are aware of any details you can provide: what you clicked, what you typed, and when. If it is a personal computer, contact a reputable service to help.
Next, get online using a different, known-clean computer and begin changing your passwords. Start with your email account, because password resets for nearly everything else are delivered to it, then financial accounts, file storage accounts, social media accounts and on down to the least sensitive. Change security questions and turn on two-factor authentication wherever it is available.
If you find that you are no longer able to login to any of your accounts, immediately contact the company and report an account hijacking. Any time you wait to act is time the attacker is doing damage to your account.
Call the major credit reporting agencies and put a fraud alert on your credit file as a potential victim of identity theft. A fraud alert will not by itself stop a thief from using your stolen information, but it makes cleanup much easier later; a credit freeze, which blocks new credit from being opened in your name until you lift it and is free in the US, is the stronger option. Plan to monitor your credit closely for the next few years to make sure no unusual events occur. Quick responses to such events will mean the difference between a fix and a loss.
If you gave out your debit or credit card information, call your bank, report the card as compromised so it is cancelled and reissued, and watch the account for charges you did not make so you can dispute them promptly. If a bank account number was given to the attacker, immediately close the account and open a new one, moving all funds out of the compromised account.
How to Report Suspicious Emails
If you have a good spam filter, you are not likely to see the most common phishing emails, but sometimes one will make it into your inbox. Such an email is particularly dangerous because it has defied the spam filter. If you receive one of these, you may wish to help the community at large by reporting it to an authority which may prevent its spread to other unsuspecting victims.
In the United States, you may report suspicious emails to one or all of the following by forwarding the email with its full headers intact (forward it as an attachment rather than inline, since inline forwarding discards the original headers); the headers include the display names and addresses of both sender and recipient, the date, the subject and the path the message took:
FTC at email@example.com
Anti-Phishing Working Group at firstname.lastname@example.org
US Computer Emergency Readiness Team (US CERT) at email@example.com
The primary takeaway from this article is not to react over-hastily to any communication which you have not verified by secondary means. Companies are either aware of the need to use secure means to access your personal information or should be. Either way, it is inappropriate for them to use email or the phone to secure such information. So always be wary. You are the last line of defense in protecting your personal information and that of your company and its employees. When in doubt, check it out.
Security for Your Small Business
Part 1 – Passwords
Your employees have access to a variety of IT resources critical to the operation of your business. Computers and other hardware devices, data storage systems, email and mission-critical software and cloud accounts all require security policies that will protect your valuable data and sources of income. Employees who have access to any of those resources are the first line of defense against malware, hackers, and social engineering attacks. As such, your business needs a strong and properly managed IT security policy.
Passwords are the most common security measure used in office IT systems. Passwords must be long and unpredictable enough to defeat guessing. Treat eight characters as an absolute floor and twelve or more as the working minimum; length matters more than forced mixtures of character classes, because every added character multiplies an attacker’s work while a substitution such as “$” for “s” barely slows him down. Randomly generated strings like 6iN!m8HLxS&A are ideal where a password manager remembers them for you. Company policy needs to support these requirements for every case where a password is required, without exception.
Common sense must be applied when choosing combinations to avoid combinations that are easy to crack. Hackers are aware of the tricks for making easy-to-remember passwords, including those with the appearance of complexity such as choices like “password,” “password1” and “Pa$w0rd.” All of these are equally inappropriate from a security perspective. Recognizable words, proper names and common phrases must be avoided. According to security expert Bruce Schneier:
Crackers use different dictionaries: English words, names, foreign words, phonetic patterns and so on for roots; two digits, dates, single symbols and so on for appendages. They run the dictionaries with various capitalizations and common substitutions: “$” for “s”, “@” for “a”, “1” for “l” and so on. This guessing strategy quickly breaks about two-thirds of all passwords.
One recommended method to choosing a strong password that is still easy to remember: Pick a phrase, take its initials and replace some of those letters with numbers and other characters and mix up the capitalization. For example, the phrase “This may be one way to remember” can become “TmB0WTr!”.
Most people can understand the need for complex password strategies, but many do not use them because they are simply too difficult to maintain and remember. So the question really boils down to: How does one find the balance between the necessity for secure passwords with the need to be able to easily recall them all? The answer is to develop a system for creating passwords which are both secure and memorable.
Some Methods for Choosing Unbreakable Passwords
Bruce Schneier Method
Use a personal and memorable sentence and turn it into a password. Take the words from the sentence, then abbreviate and combine them to form a password. For example:
I like to pick up a latte at Dave’s every morning before work = iL2pUaL@DeMb4W!
Will Smith is my #1 actor at the moment = !WSim#1a@atm!
My first trip to Disney was when I was 12? = Mft2DwwIw12?
I work for the best boss ever at Cogswell! = Iw4tbbe@C!
Pass Phrase Method
Rather than a complicated string of characters, you might want to try a phrase. First, come up with a random, but a memorable phrase, preferably a little nonsensical rather than a common quote. Try something like:
I wake up at 6 every morning with a cat in my face= IWakeUpAt6EveryMorningWithACatInMyFace@
Twelve of my kinfolk like to wear parkas = 12OfMyKinfolkLikeToWearParkas$
I usually have at least $15 left at the end of the week = IUsuallyHave$15LeftAtTheEndOfTheWeek!
Alternately, you can come up with a set of 12 random words rather than a phrase. Drawn from a 7,776-word Diceware list, 12 words give 7776^12, roughly 2^155, possibilities; even at a trillion guesses per second, trying them all would take on the order of 10^27 years, so brute force is simply not an option against such a passphrase. The words must genuinely be chosen at random, though: twelve words you pick yourself are far more predictable than the arithmetic suggests.
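The arithmetic behind those figures, as an added example (not from the original article): a short Python block that scores the entropy of the strategies described in this section and generates a random passphrase with the operating system’s CSPRNG. The word list is a constructed toy list so the code runs offline; the entropy figures are computed for a real 7,776-word Diceware list, and the trillion-guesses-per-second rate is an assumption standing in for a well-funded attacker.

```python
import math
import secrets

# Constructed toy word list so the example runs offline. A real Diceware list
# has 7,776 words; the entropy figures below are computed for that size.
SAMPLE_WORDS = ["apple", "parka", "kinfolk", "cemetery", "fluffy", "latte",
                "cogswell", "morning", "cat", "dog", "face", "week"]
DICEWARE_SIZE = 7776
PRINTABLE_ASCII = 95  # letters, digits and punctuation on a US keyboard


def entropy_bits(alphabet_size, length):
    """Entropy of `length` independent, uniformly random picks from `alphabet_size`
    symbols. This is the right measure only when the picks really are random: a
    phrase you made up, or a sentence's initials, has far fewer bits than its
    length suggests, because an attacker can model how people choose."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every possibility at the given guess rate (worst case for the
    attacker; on average he needs half of it)."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(words, count, separator="-"):
    """Pick `count` words with the OS CSPRNG via `secrets`, never the `random`
    module, whose output is predictable once some of it has been observed."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_strategies(guesses_per_second=1e12):
    """Entropy (bits, rounded) and exhaustive-search time in years for the
    strategies discussed above, at an assumed trillion guesses per second."""
    strategies = {
        "8 random printable characters": entropy_bits(PRINTABLE_ASCII, 8),
        "12 random printable characters": entropy_bits(PRINTABLE_ASCII, 12),
        "4 Diceware words": entropy_bits(DICEWARE_SIZE, 4),
        "6 Diceware words": entropy_bits(DICEWARE_SIZE, 6),
        "12 Diceware words": entropy_bits(DICEWARE_SIZE, 12),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in strategies.items()}
```

compare_strategies() puts the point of the passphrase approach in numbers: four Diceware words (about 52 bits) are roughly equal to eight random printable characters, while twelve words (about 155 bits) are beyond any exhaustive search. The caveat in the comments matters: entropy_bits only applies to choices made at random, so a phrase you invented, or the initials of a sentence, should not be scored this way.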
To make remembering easier, use the memory trick of chaining these into a story in your head: “My Dog likes my cat Fluffy who recently used up her 9 lives and ended up in the pet cemetery…”
The PAO Method
Other common mnemonic devices might also assist you to remember an unbreakable password. One suggested method by Carnegie Mellon University computer scientists is the Person-Action-Object (PAO) method to create and store your passwords.
First, choose an interesting place such as Disney World. Then think of a familiar or famous person such as Michael Jackson. Finally, imagine a random action to tie them together (Flying). Now see Michael Jackson flying over Disney World. From this image, create your password by combining the first 3 letters from each word into a new made-up word: MicFlyDis.
Develop 4 such picture stories, add the resulting words together, and you have a nice random, lengthy password. Seed it with some numbers and characters for additional security. It helps if you weave the website or account for which you use the password into the story to solidify the memory for a specific location. Once you create and memorize a few of these PAO stories, you can use the stories to generate new passwords as they are needed.
Phonetic Muscle Memory
Blogger Kevan Lee suggests yet another memory device for creating strong passwords. Start at any random password generator website, such as Secure Password Generator (which, as a bonus, gives you suggestions of the type noted below).
Randomly generate 20 or so new passwords that are at least 10 characters long and include numbers and capital letters. Allow punctuation for extra security. Scan the list of passwords looking for phonetic structures within the randomness. You want to find sets that make something sensible to you:
drEnaba5Et – which could read: (doctor enaba 5 E.T.)
BragUtheV5 – which is more memorable as (brag you the V5)
From the list, keep the ones that are easiest for you to remember and forget the rest. This should give you a series of passwords to choose from as you need them.
Use A Password Manager
If you have a large number of passwords to remember (keeping in mind that passwords should never be reused on different accounts and should be changed whenever compromise is suspected), you may wish to make use of an encryption-based password manager such as LastPass or 1Password.
These tools store passwords for you using a solid encryption algorithm and generate random new passwords as they are needed. To access any single password, you just need to remember the master password for the tool. Make sure the master password is extremely strong and used nowhere else, and turn on two-factor authentication for the manager itself wherever it is offered.
Test Your Password Strength
OnlineDomainTools provides a password tester that estimates how long a password would take to crack using typical methods. Use such tools only with throwaway passwords of the same shape as your real ones; never type a password you actually use into a third-party website, however reputable, because from that moment you no longer control where it is stored. For real passwords, run a strength estimator locally (the zxcvbn library, for example, runs entirely on your own machine) or check them against a breach list without disclosing them.
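An offline alternative to pasting passwords into a website, added here as an example rather than anything from the article or from OnlineDomainTools: a Python policy check that enforces a length floor, rejects anything on a common-password blocklist (a constructed stand-in for the popular-passwords list this article closes with), and then looks the password up in breach data using the k-anonymity scheme of the Pwned Passwords range API, where only the first five characters of the password’s SHA-1 hash leave your machine. The breach counts here are constructed and served by an in-memory stand-in so the block runs without network access.

```python
import hashlib

# Constructed excerpt standing in for the "most popular passwords" list at the
# end of this article; a real deployment would load the full list or a larger one.
COMMON_PASSWORDS = {"123456", "password", "password1", "pa$w0rd", "qwerty",
                    "letmein", "welcome", "admin"}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    is sent to the range API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines, the format the Pwned Passwords range endpoint
    returns for every hash sharing the requested prefix."""
    counts = {}
    for line in text.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in breach data. Only the hash prefix is
    disclosed to `fetch_range`; the suffix comparison happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_password(password, fetch_range, min_length=12):
    """Policy check: length floor, common-password blocklist, then breach lookup.
    Returns a list of problems; an empty list means the password passed."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


def make_offline_range_server(known):
    """Build a stand-in for the range endpoint from constructed (password, count)
    pairs so the example runs without network access. Real code would instead do
    GET https://api.pwnedpasswords.com/range/<prefix> and pass the body through."""
    by_prefix = {}
    for pw, count in known:
        prefix, suffix = sha1_prefix_suffix(pw)
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\n".join(by_prefix.get(prefix, []))


# Constructed breach counts for the example, not real figures.
OFFLINE_RANGE = make_offline_range_server([("password", 3730471), ("Summer2017!", 42)])
```

check_password("Summer2017!", OFFLINE_RANGE) illustrates why the blocklist alone is not enough: the password is not on the list and mixes cases, digits and punctuation, yet it is short and already present in breach data, which is exactly what a cracker’s wordlist will contain. A long passphrase such as 12OfMyKinfolkLikeToWearParkas$ passes all three checks.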
Some Final Advice on Password Security
Regardless of the strength of your passwords, change a password immediately whenever there is any suspicion that it may have been compromised, along with any others that may be related. Many organizations still mandate routine expiry, especially for banking and other financial accounts; note, however, that current NIST guidance (SP 800-63B) advises against forced periodic changes, because users respond with predictable variations that are weaker than a long, unique password kept until there is evidence of compromise. If your policy does require rotation, let it be managed automatically in software or accounts which provide for it; it is difficult to forget to change your password if you are required to do so in order to enter the account.
Always avoid using default passwords when setting up new accounts for employees or others. Each new account should have a new, strong password generated along with it. Make sure the new account holder is required to change it as soon as possible to his/her own strong password.
Many sensitive accounts now provide two-factor authentication. This method requires you to enter a password and then a second method of proving your identity, such as a code from an authenticator app, a hardware security key, or a passcode sent by text message or email. Whenever this is available, make use of it; an authenticator app or security key is preferable to SMS, which can be intercepted through SIM swapping, and a security key is the only one of these that a convincing fake login page cannot phish.
Avoid sharing a password unless it is absolutely necessary. If it does prove necessary, change it as soon as the shared user is done using it.
Get out of the habit of using a “Remember Me” function to store your password for easy entry even on your personal computer, but especially on public computers. Try to avoid using any passwords at all on public computers which are often infected with viruses that can steal your password and pass it on to a hacker. If forced to use a password on a public computer, change it as soon as possible on your private computer.
If you must keep passwords written down, be sure to store them securely. Ideally, these should be under lock and key.
Why is it so Important to Maintain Password Security?
Even accounts which may not expose your personal or financial data directly can provide juicy bits of information which can be used by hackers, scammers and other bad actors to put together a profile that eventually adds up to a pretty solid picture of your identity. This profile may be pieced together from many seemingly insignificant chunks of information left lying about along your electronic trail on the internet. The final result can be used to break into your accounts, open new accounts in your name, or even steal your tax refund.
Whole or partial profiles are regularly sold in bulk to organized crime organizations in the US and abroad. Carefully aggregated data is then sold again and again to anyone willing to pay a few cents for your name and any identifying information that goes with it. If you use the internet for any reason, or even if you don’t, thanks to huge data breaches such as the recent Equifax and Target leaks, there is a better than likely chance that your information is already out there. So, protect your information as well as you can to keep the amount of data about you to a minimum so what there is will be uselessly incomplete.
NEVER REUSE PASSWORDS
For the reasons stated above, NEVER reuse passwords. If you do and your password is compromised in a breach at a low-level site, someone now has a known-good username/password combination to inject into the other information known about you and he can be reasonably sure that this combination will work somewhere to get even more important information.
The bottom line: Some account you have somewhere will be hacked someday. With luck, it will be an unimportant account. And if you don’t have the same password everywhere, then the damage will be isolated to that one account. But if you reuse one password all over the place, then the chances that other accounts will be hacked goes up significantly.
What Should You Do Now?
1. Purchase or develop a detailed password policy for your business right away and provide training to your employees on its importance.
2. Change at least your most important passwords right away using the suggestions mentioned in this article or elsewhere.
Finally, here are the 100 most popular passwords used this year. Cracking tools try lists like this before anything else, so a password on it will fall in well under a second regardless of any other measure you take.