Completing our look at the 7 common-sense cyber protections with #5 and #6:
#5 DO NOT open emails, links, or attachments from strangers – especially if the email demands urgent action from you. Stop and think: that email could be a “phishing” email from a cyber attacker.
#6 DO NOT give any of your usernames, passwords, or other computer/website access codes to anyone else. Never email your credentials to anyone and never give them out to someone over the phone (no matter how urgent that person says it is).
These two rules are your best defenses against perhaps the most difficult kind of cyberattack to recognize: the social engineering attack. This is when a cyber attacker leverages the way we typically respond to certain social situations to trick us into disclosing sensitive information about ourselves, our organization, or our computer systems.
Social engineering attacks usually arrive by:
Attackers pretend to be:
Their attacks ask you to take action quickly, before you have time to think, in the hope that you will disclose sensitive information that is useful to the attacker.
The most common social engineering attack you will face online is called phishing. This is when you receive an email or instant message asking you to “do something” immediately, often involving clicking a link or opening an attached document. At the other end of the link can be a login page that will steal your username and password. Opening the attachment could silently deposit malware on your computer that will begin watching your every move, steal copies of all your electronic documents and email, or encrypt your files and hold you to ransom.
While common-sense protection #6 (don’t give out sensitive information) speaks for itself, here are the details for #5 (think before you click):
BEFORE CLICKING ON ANY LINK IN E-MAIL (or on websites) keep an eye out for misspellings, special characters like “@”, and suspicious sub-domains. Often a phishing email will appear to have arrived from someone you know, but if you check the actual email address (by hovering your mouse over it in Microsoft Office, or by clicking on it in Apple Mail) you will see that it is not that person. For example, a recent phishing attack pretending to be an e-mail from the DocuSign company had its e-mails sent from “william_scott@flexovitportal.com” instead of from a real “docusign.com” e-mail address.
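The checks described above (an “@” hiding the real host, a brand name used as a sub-domain of some other domain, a misspelled brand, and a display name that does not match the sender’s address) as an added example that is not part of the original post. The brand list and the lookalike substitutions are constructed assumptions, and the “real domain” is approximated as the last two labels of the host rather than looked up in the public suffix list.

```python
from email.utils import parseaddr
from typing import Optional
from urllib.parse import urlsplit

# Brands this check knows about: a constructed list for the example, not a real allow-list.
KNOWN_BRANDS = {"docusign": "docusign.com", "microsoft": "microsoft.com", "apple": "apple.com"}

# Character swaps phishers use to misspell a brand (0 for o, 1 for l, rn for m, ...).
LOOKALIKES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("3", "e")]


def normalize(label: str) -> str:
    """Undo the swaps above so 'd0cusign' compares equal to 'docusign'."""
    label = label.lower()
    for fake, real in LOOKALIKES:
        label = label.replace(fake, real)
    return label


def registered_domain(host: str) -> str:
    # Assumption: the owning domain is the last two labels (fine for .com, not for .co.uk).
    return ".".join(host.lower().split(".")[-2:])


def link_warnings(url: str) -> list:
    """Red flags in a link: an '@' in the authority, a brand name used as a
    sub-domain of some other domain, and a misspelled brand as the real domain."""
    warnings = []
    parts = urlsplit(url)
    if "@" in parts.netloc:
        shown, real = parts.netloc.rsplit("@", 1)
        warnings.append(f"'@' in link: looks like {shown} but goes to {real}")
    host = parts.hostname or ""
    real_domain = registered_domain(host)
    for brand, brand_domain in KNOWN_BRANDS.items():
        if real_domain == brand_domain:
            continue  # the brand's own domain, nothing to flag
        if normalize(real_domain.split(".")[0]) == brand:
            warnings.append(f"lookalike domain {real_domain} imitates {brand_domain}")
        elif brand in normalize(host):
            warnings.append(f"'{brand}' appears in {host} but the real domain is {real_domain}")
    return warnings


def sender_warning(from_header: str) -> Optional[str]:
    """Compare the display name with the address behind it, as the post advises."""
    name, addr = parseaddr(from_header)
    addr_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, brand_domain in KNOWN_BRANDS.items():
        if brand in normalize(name) and addr_domain != brand_domain:
            return f"'{name}' claims to be {brand} but the address is at {addr_domain}"
    return None
```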
The United States Computer Emergency Readiness Team (US-CERT) has published detailed guidance on avoiding social engineering attacks. You should consider educating your employees on social engineering tactics and how to recognize them. Ideally, this education should be part of new employee training or IT training. Unfortunately, anti-phishing and other social engineering defense training tends to be quickly forgotten. Follow-up reminder emails should be sent out about every six months.