Cyber Criminals often succeed not through advanced technology or by hacking systems, but by taking advantage of people.
Reformed computer criminal and later security consultant Kevin Mitnick points out that it is much easier to trick someone into giving a password for a system than to spend the effort to crack into the system.
Cyber criminals are always trying to find a way in to your business, and the easiest route for them is to trick your employees into “opening the door”.
Your business is only as secure as the least cyber-crime savvy person you employ.
Here’s some of the most common methods hackers use to trick your employees in order to gain access to your networks:
Yes – people still fall for Phishing, and the emails are getting better
Simply put, phishing is when a cyber criminal tricks you into carrying out an action that will allow them to compromise your computer or networks. They usually use email, and try to appear as legitimate communications that have a reason for users to click on them.
The days of phishing emails being easy to spot because of bad spelling and grammar are over. There is a pre-conception that phishing emails use hastily built templates with bad spelling and grammar, waffling about an invoice or a missed delivery, with a poor quality logo tagged on. Bad phishing emails are like this, but good ones can look pretty much identical to the business or organisation they’re impersonating, and use clever tactics to make you click.
We’ve seen extremely convincing phishing emails that would probably have quite a high rate of success. For example, emails that look exactly like invoices from the Apple App store – with purchases that you haven’t made – with the goal of the curious victim clicking through to find out what the unknown purchases are.
Phishing emails may also be very topical, using recent headline news or current trends to encourage clicks.
Avoid being Speared… You’re 10 times as likely to be fooled by a Spear Phishing Email
Regular phishing is delivered en-masse, in the hopes of snaring a small percentage of the overall target. Spear phishing is different in that there is only one target.
Cyber criminals will identify an organisation they wish to compromise, and will often also identify a person within that organisation who they will target. These phishing emails have a much higher success rate because they’re very tailored and use information about the organisation and/or person they are targeting to come across more credible (more later on how they get this information).
If a cyber criminal really wanted to target your organisation, they could identify someone senior within it, then attempt to get their email address by simply calling the main phone number. A tailored email can then be sent to that person. Could you imagine being fooled by an email written by someone claiming to be an old acquaintance from school or university – who could list the names of the classes you took at the school you went to, with the correct year? (information freely available on your LinkedIn Profile)?
Another tactic the criminals use to glean information for use in phishing is creating fake social media accounts.
Ever Receive A Friend Request from Someone You’re Already Friends With?
Careful, when someone sends you a friend request, and you pause, confused, for a moment before accepting, you could be helping a cyber criminal to impersonate you or one of your friends.
This tactic is often used by cyber criminals to mine for more information to use in tailored spear-phishing attacks. Social media profiles are full of personal information which could be used to add a tremendous amount of credibility to a random email you receive at work, making you more likely to click on a dangerous link or attachment.
If you’re not careful about accepting friend requests, your personal information is available to anyone masquerading as somebody you know. Most people have at least their Facebook profile picture publicly visible, so it’s easy for strangers to copy them and create fake accounts. To add legitimacy to fake friend requests, the fraudsters sometimes also try to add other mutual friends between the person they’re imitating and their target. They may also create fake profiles for these people and add them all as friends of each other. Most people would accept a friend request from someone with the name and face of one of their friends. If they have friends in common with the “friend” then it seems even more trustworthy.
- Review your Privacy Settings and make sure NOTHING is visible to strangers on social networks (especially pictures and posts).
- When you receive a friend request, check with that person via another means of communication if they sent you a friend request, before accepting.
- Don’t assume that someone is legitimate even if they have friends in common with you.
Beware “CEO Fraud”
Another scam that is currently a threat to organisations is what is known as “CEO Fraud” or also the “Friday Afternoon Scam”.
This threat involves a fraudster spoofing an email from the CEO of a firm, to someone in the accounts department. The email will ask the employee to send funds to an account under the premise of an urgent and confidential business deal. The email may instruct the employee to await a phone call from an intermediary in the deal, who will then call the employee and provide instructions for the bank transfer.
In the US, companies have lost over $2.3 billion to these scams.
- Treat any emails like this with extreme suspicion.
- Pay close attention to the email address that the message has been sent from – confirm it is correct.
- Create a company policy on processing ad-hoc transactions which requires the request is verified as legitimate through a second form of communication.
The most successful attacks are timed at the right moment, and it isn’t a coincidence. The best cyber criminals will quietly infiltrate business networks by phishing another employee and deploying malware which enables them to monitor communications in order to discover both how and when to strike. Through their access to similar accounts related correspondence, the criminals can figure out who they need to target and how to make their request appear more credible.
The email will then be sent at a time when the boss is out of the office.
Never Plug Anything into the USB Slots on Your Computer Unless…
… you know 100% that it is safe. If it hasn’t been given to you by someone you know and trust, or you haven’t bought it brand new, in sealed packaging from a trusted retailer or supplier, then you shouldn’t plug it in.
“Baiting” is a technique cyber criminals have been using to compromise business networks for a long time. USB memory sticks or flash drives are most commonly used, but anything that plugs in via USB can be made to deploy malware to a PC.
Criminals will leave USB sticks in locations where they will be found, for example the toilets in the building where their target company is located. This usually plays on the human sense of curiosity, so they might label the memory stick something like “Company Salaries 2016” or “Confidential”. Alternatively, an interesting or novelty USB device will be left around as the finder may be more likely to want to use it.
Compromising business networks in this way allows the cyber criminals to cause disruption, bring systems down, or stay in the background monitoring communications and gathering information to help with other crimes (e.g. CEO Fraud as mentioned above).
Another way employees can be tricked to allow cyber criminals a route into a business is through:
Connecting to Public WiFi in Coffee Shops a Security Risk?
When you choose a free wi-fi hotspot to connect to, you could actually be connecting to one set up by a hacker using a cheap, easy to get hold of device as shown in the image. They are then able to sit in between you and the internet, collecting all of the information you send to and receive from websites. This could be anything, including log-in details.
This is known as a “man in the middle attack”. The criminal can also hi-jack your browser, push notifications to your device to download “updates” that are actually malware, or re-direct you to sites that look like the ones you visit, but contain malware. This malware can then spread inside a business network after you disconnect and go back to work.
Isn’t it time you enforced a company security policy?