Cyber Security - Go Phish
SecurityFIRST!
Cybersecurity Awareness
November 22, 2021

October Was Cybersecurity Awareness Month
Phishing remains the Number 1 way to breach a network.

Fight the Phish... and the Lizard!
Scammers use many tactics and cast a wide net with phishing attempts designed to entice recipients to click on malicious links or attachments. According to the Federal Bureau of Investigation (FBI), phishing was the most common type of cybercrime in 2020.
A recent Wall Street Journal article [1] asserts that our brains, along with our cognitive biases, are the biggest cybersecurity threat. Cybercriminals prey upon targets by taking advantage of the lizard brain, the most primitive part of the brain, which controls unconscious processes.
People tend to perceive information based on their own experiences and preferences, leading to cognitive biases. Our minds use these biases to act quickly and automatically without pausing to consider the ramifications. Living in a digital world has increased the number of distractions and diminished our ability to concentrate. Social engineering scams capitalize on these biases and rely on humans naturally invoking mental shortcuts to click reflexively.
Cognitive Biases & Social Engineering

Loss aversion: recipients are more likely to click on a phishing link if a service is purportedly being disconnected than on a similar offer to pay a lower monthly fee.
Authority bias: impersonating a person in authority or an executive, often in the form of Business Email Compromise (BEC).
Urgency bias: conveying a sense of urgency, such as a link that will only be active for 24 hours.
Halo effect: spoofing a website or an email address of a well-respected organization, brand, or person.
Present bias: instant gratification, such as a clickable link to a pre-release of a new gaming app.
Availability bias: making judgments based on what we’ve most recently experienced, so scammers are always coming up with new, unfamiliar cons.
Optimism bias: thinking that you’re too smart to get scammed.
Be aware of your biases, slow down, focus on the task at hand, and avoid distracted clicking.

It’s easy to understand why phishing continues to be the top method used to breach a network when you review the many variants listed below:
Spear Phishing: targets a specific recipient and includes personal or professional details to boost credibility.
Angler Phishing: the practice of masquerading as a customer service account on social media with the intention of reaching a disgruntled customer. Angler phishing attacks typically target customers of financial institutions with the intention of luring targets into handing over access to their personal data or account credentials.
Whaling: a highly targeted attack on someone in a powerful position, typically focused on senior leadership.
Business Email Compromise (BEC): cybercriminals impersonate company executives to trick employees into sending confidential information or wire transfers to bank accounts controlled by criminals. By combining spear phishing, email spoofing, and social engineering, the attacker creates a plausible appeal that inspires trust and exploits employees’ inclination to respond quickly to requests from people in powerful positions without questioning them. Typically, the targets are Executives, Finance, HR, and IT; however, every area of an organization has potential value.
SMiShing: SMS is an acronym for Short Message Service, more commonly known as a text message. SMiShing is sending a fraudulent text message requesting sensitive information or including a malicious link.
Vishing: a fraudulent phone call or voice mail message from an allegedly reputable organization with the intent of obtaining personal information. Tech scams, such as unsolicited calls from someone purporting to be Microsoft, are a frequent ruse.
Consent Phishing: intended to trick people into granting a malicious app access to sensitive data stored in the cloud.
Visually Deceptive Phishing: homograph or homoglyph attacks using visually similar characters to spoof legitimate websites or email addresses.
Do Your Part, Be Security Smart!

In August, an astute Intact employee received a text message on their personal phone that appeared to be from Intact’s Chief Financial Officer, requesting that gift cards be purchased. The employee did not take the bait, blocked the number, took a screen capture, and immediately contacted management. Because of the employee’s swift actions and initiative, the Enterprise Support Center (ESC) was able to issue a timely Support News Flash to make the entire organization aware of this scam.
Security Best Practices

NEVER click on links in emails or text messages.
ALWAYS open a browser and hand-type the website address.
Be suspicious of all unsolicited emails and text messages, at home and at work.
Approach all email with heightened awareness and focused attention; at work, pay extra attention to email carrying the external indicator [E!], which appears in all emails from outside your organization.
Do not hesitate to authenticate a business email, no matter who it is from, by making a phone call or sending a separate email.
Carefully check app names, website addresses, and email addresses. Be aware that they are sometimes slightly modified to look legitimate and often redirect people to malicious websites.
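The homograph attacks described under Visually Deceptive Phishing, and the advice above to check website and email addresses carefully, can be partly automated on the defensive side. The following is an added example, not from this newsletter or from Intact: a small Python check that decodes punycode hostnames back to what a user would see, flags labels that mix Unicode scripts, and compares a "skeleton" of the name against a list of trusted domains. The LOOKALIKES map is a hand-built subset of confusable characters (not the full Unicode confusables table) and the hostnames are constructed test inputs.

```python
import unicodedata

# Constructed subset of look-alike characters mapped to the ASCII letter they
# imitate (hand-built for this example; the Unicode confusables table is far larger).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u0455": "s", "\u0458": "j", "\u03bf": "o", "\u03bd": "v",  # Cyrillic s j, Greek o v
    "1": "l", "0": "o",                                          # digit-for-letter swaps
}
NEUTRAL = set("-0123456789")  # characters that belong to no particular script

def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the user would see."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host  # already Unicode, or not valid punycode: show it as-is

def scripts_in(label: str) -> set:
    """Script family (LATIN, CYRILLIC, GREEK, ...) of every letter in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch not in NEUTRAL}

def skeleton(host: str) -> str:
    """Replace known look-alike characters with the ASCII letters they imitate."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in host.lower())

def check_hostname(host: str, trusted: list) -> list:
    """Return the reasons a hostname looks deceptive; an empty list means none."""
    raw = host.lower().rstrip(".")
    shown = decode_idna(raw)
    findings = []
    if shown != raw:
        findings.append("punycode")  # the ASCII form hid non-ASCII characters
    for label in shown.split("."):
        if len(scripts_in(label)) > 1:  # e.g. Cyrillic 'a' mixed with Latin 'pple'
            findings.append(f"mixed-script:{label}")
    sk = skeleton(shown)
    if sk != shown and sk in trusted:  # resembles a trusted name but is not it
        findings.append(f"lookalike-of:{sk}")
    return findings

if __name__ == "__main__":
    for h in ["apple.com", "xn--pple-43d.com", "paypa1.com"]:  # constructed inputs
        print(h, check_hostname(h, ["apple.com", "paypal.com"]))
```

Mail gateways and proxies apply far richer versions of the same idea; the value here is seeing why a visually correct name can still be wrong once the raw form is examined.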
[1] Mitchell, Heidi. “The Biggest Cybersecurity Risk: Our Brains.” The Wall Street Journal, September 9, 2021, pp. R1+.
Want to know your Company’s BitSight Security Rating?
Email us at jasonw@intlbondmarine.com