Cyber Security - Go Phish

SecurityFIRST! Cybersecurity Awareness November 22, 2021

October Was Cybersecurity Awareness Month Phishing remains the Number 1 way to breach a network. Fight the Phish……and the Lizard!

Scammers use many tactics and cast a wide net with phishing attempts designed to entice recipients to click on malicious links or attachments. According to the Federal Bureau of Investigation (FBI), phishing was the most common type of cybercrime in 2020.

A recent Wall Street Journal article¹ asserts that our brains along with cognitive biases are the biggest cybersecurity threat. Cybercriminals prey upon targets by taking advantage of the lizard brain, the most primitive part of the brain that controls unconscious processes.

People tend to perceive information based on their own experiences and preferences leading to cognitive biases. Our minds use these biases to act quickly and automatically without pausing to consider the ramifications. Living in a digital world has increased the number of distractions and diminished our ability to concentrate. Social engineering scams capitalize on these biases and rely on humans naturally invoking mental shortcuts to reflexively click.

Cognitive Biases & Social Engineering

Loss aversion: more likely to click on a phishing link if a service is purportedly being disconnected vs. a similar offer to pay a lower monthly fee. Authority bias: impersonating a person in authority or an executive, often in the form of Business Email Compromise (BEC). Urgency bias: conveying a sense of urgency such as a link that will only be active for 24 hours. Halo effect: spoofing a website or an email address of a well-respected organization, brand, or person. Present bias: instant gratification such as a clickable link to a pre-release of a new gaming app.   Availability bias: making judgments on what we’ve most recently experienced so scammers are always coming up with new, unfamiliar cons. Optimism bias: thinking that you’re too smart to get scammed.

Be aware of biases, slow down, focus on the task at hand, and avoid distracted clicking.

It’s easy to understand why phishing continues to be the top method used to breach a network when you review the many methods listed below:

Spear Phishing: targets a recipient and includes personal or professional details to boost credibility.

Angler Phishing: the practice of masquerading as a customer service account on social media with the intention of reaching a disgruntled customer. Angler phishing attacks typically target customers of financial institutions with the intention of luring targets into handing over access to their personal data or account credentials.

Whaling: a highly targeted attack of someone in a powerful position typically focused on senior leadership.

Business Email Compromise (BEC): Cybercriminals impersonate company executives to trick employees into sending confidential information or wire transfers to bank accounts controlled by criminals. By combining spear phishing, email spoofing, and social engineering, the attacker creates a plausible appeal that inspires trust and exploits employees’ inclinations to respond quickly to requests from people in powerful positions without questioning them. Typically, the targets are Executives, Finance, HR, and IT; however, every area of an organization has potential value.

SMiShing: SMS is an acronym for Short Message Service, more commonly known as a text message. SMiShing is sending a fraudulent text message requesting sensitive information or including a malicious link.

Vishing: fraudulent phone call or voice mail message from an allegedly reputable organization with the intent of obtaining personal information. Tech scams, such as unsolicited calls from someone purporting to be Microsoft, are a frequent ruse.

Consent Phishing: intended to trick people into granting a malicious app access to sensitive data stored in the cloud.

Visually Deceptive Phishing: homograph or homoglyph attacks using visually similar characters to spoof legitimate websites or email addresses.

Do Your Part, Be Security Smart!

In August an astute Intact employee received a text message on their personal phone that appeared to be from Intact’s Chief Financial Officer requesting gift cards be purchased. The employee did not take the bait, blocked the number, took a screen capture, and immediately contacted management. Because of the employee’s swift actions and initiative, the Enterprise Support Center (ESC) was able to issue a timely Support News Flash to make the entire organization aware of this scam.  

Security Best Practices

NEVER click on links in emails or text messages. ALWAYS open a browser and hand-type the website address. Be suspicious of all unsolicited emails and text messages at home and work. Approach all email with heightened awareness and focused attention – at work pay extra attention to email with the external indicator [E!] that appears in all emails from outside your organization Do not hesitate to authenticate a business email no matter who it is from by making a phone call, sending a separate email Carefully check app names, website addresses, and email addresses. Be aware that they are sometimes slightly modified to look legitimate and often redirect people to malicious websites.

¹Mitchell, Heidi. “The Biggest Cybersecurity Risk: Our Brains.” The Wall Street Journal, September 9, 2021, pp. R1+.

Want to know your Company’s BitSight Security Rating? Email us at jasonw@intlbondmarine.com