Security Awareness
-
Protect Yourself from Email Spoofing
Tip 1: Don’t trust the display name
A favorite phishing tactic among cybercriminals is to spoof the display name of an email account. For example, see the image above. An email appears to come from “Mark Adams,” but on closer inspection the actual email address is hacker@gmail.com. This requires us, as employees, to remain vigilant and on the lookout for potential spoofing. On a computer, we can hover the cursor over a display name to see the actual email address. On a mobile device, it may require us to fully expand the message information.

Tip 2: Look but don’t click
Cybercriminals love to embed malicious links in legitimate-sounding copy. Hover your mouse over any links you find embedded in the body of your email. If the link address looks weird, don’t click on it. If you have any reservations about the link, use the Phish Alert Report in Microsoft Outlook.

Tip 3: Check for spelling mistakes
Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Tip 4: Analyze the salutation
Is the email addressed to a vague “Valued Customer”? If so, watch out: legitimate businesses will often use a personal salutation with your first and last name.

Tip 5: Don’t give up personal or company confidential information
Most companies, especially banks, will never ask for personal credentials via email. Likewise, most companies will have policies in place preventing external communication of business IP. Stop yourself before revealing any confidential information over email.

Tip 6: Beware of urgent or threatening language in the subject line
Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or ask you to action an “urgent payment request.”

Tip 7: Review the signature
Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate businesses always provide contact details. Check for them!
-
Understanding Email Phishing
Not long ago, email phishing was primarily aimed at the consumer market, and malware was considered the biggest threat to business. Today, however, email phishing is the top social attack on businesses. Because no cybersecurity solution can block 100 percent of attacks, employees need to understand what to look for to protect themselves from phishing attacks. Below are some things employees should understand about phishing:

Phishing Explained -- Phishing is a type of fraud in which a hacker impersonates a person or brand and tricks users into providing confidential information, such as Social Security numbers, routing or account numbers, passwords, etc. Phishing emails may ask for the information directly or send the potential victim to a fraudulent website.

Email Addresses Can Be Spoofed -- Never trust an email based simply on the purported sender. Cybercriminals have many methods to disguise emails. They understand how to trick their victims into thinking a sender is legitimate when the email is really coming from a malicious source. With display name spoofing, the phisher uses a legitimate company name or address, such as support@microsoft.com, as the display name, but the email address underneath is a random one like xyz@yahoo.co.

Attacks Are Becoming More Targeted and Personal -- Many phishing attacks of the past were sent in bulk to a large group of users at once, resulting in impersonal greetings. Today’s phishers include the victim’s name in the subject line and prefill the victim’s email address.

Links Aren’t Always What They Seem -- Every phishing email includes a link, but phishing links are deceptive. While the link text might say “Go to your Office 365 account,” the URL takes the user to a phishing page designed to look like Microsoft. Make sure to hover over all links before clicking them to see the pop-up that displays the link’s real destination.

Hackers Use Real Brand Images and Logos in Phishing Emails -- Brand logos and trademarks are no guarantee that an email is real. These images are public and can be downloaded from the internet or easily replicated. Even antivirus badges can be inserted into emails to persuade victims into thinking an email is from a legitimate source.
-
Ten Common Signs of Email Phishing
Phishing scams are becoming more and more difficult to detect. Here are ten common signs of phishing emails that can help you spot an attack.

1. An unfamiliar tone or greeting
If a message seems strange, it’s worth trusting your gut and investigating.

2. Obvious grammar and spelling errors
You would expect emails originating from a professional source to be free of grammar and spelling errors. Sure, errors are known to occur, but not to the extent seen in most phishing emails.

3. Inconsistencies in email addresses
When unsure whether a sender’s email address is legitimate, check your previous correspondence to confirm.

4. Strange links and domain names
If a link is embedded in the email, hover the pointer over the link to verify what ‘pops up’. If the domain names don’t match, don’t click. The ‘Phish Alert Report’ should be used to confirm its safety. (See below for instructions.)

5. Threats or a sense of urgency
In a bid to fluster the receiver, one common tactic is to use a sense of urgency to encourage immediate action. The scammer hopes that by causing panic, the content might not be examined thoroughly.

6. Unusual request
If the email is asking for something that is not the norm, this could be an indicator that the message is potentially malicious.

7. Short and sweet
Many phishing messages are sparse in information. For example, a scammer sends a message from a familiar contact’s spoofed email address that says only ‘here’s your info’.

8. Request for sensitive information
The attacker has created a fake landing page that recipients are directed to. The fake landing page will have a login box or request that a payment be made to resolve an issue. As always, contact the company directly and don’t use email-provided links.

9. Suspicious attachments
If an email with an attached file is received from an unfamiliar source, do not open the attachment. The ‘Phish Alert Report’ should be used to confirm its safety. (See below for instructions.)

10. Sender doesn’t want to speak to you
If the sender does not want to speak over the phone and only wants to communicate via email, this is a red flag. Before fulfilling any request for money, information, etc., it is always best to speak in person or over the phone to confirm identity.
-
Protect Yourself from Spear Phishing
Not to be confused with an aquatic hunt on a tropical vacation, spear phishing is a targeted cyberattack on a specific individual or organization with the end goal of obtaining confidential information for fraudulent purposes. Spear phishing is an ultra-targeted phishing method whereby cybercriminals — or spear phishers — pose as a trusted source to convince victims to divulge confidential data, personal information, or other sensitive details. The cybercriminal will then use this information for malicious purposes, including identity theft or data breaches. Spear phishers often prey on their victims via targeted emails, social media, direct messaging apps, and other online platforms. The strength of these cyberattacks is that they’re tailor-made for their victims and grounded in quality over quantity.

Spear phishing vs. phishing
Spear phishing differs from phishing in that it is a cyberattack on a specific individual or organization, whereas phishing is a more generic, automated cyberattack attempted in one sweep of a large group. You might think of phishing as casting a wide net over a school of fish, whereas spear phishing is using a spear to catch one single fish. Phishing emails might be sent to hundreds of recipients simultaneously with little customization. Spear phishers, however, will pose as a friend, boss, family member, or enterprise to gain your trust and fool you into giving them your information. These emails are well-researched and personal, making it harder to distinguish between what is real and what is fake. The intent of phishing and spear phishing is the same — acquiring confidential data or sensitive information for malicious purposes. Still, victims can be more susceptible to a customized experience, which in this instance is spear phishing.

Three examples of spear phishing
- Executive leader fraud
- Malicious attachments
- Ransomware

What you can do about it
If you encounter any email that appears to be a spear phishing attempt, use the Phish Alert Report in Microsoft Outlook! After clicking the Phish Alert Report, a response should be sent to that employee within 24-72 hours.

NOTE: If you are not receiving one of the following email responses, try checking your “Junk” folder.
- If your email is considered SPAM, the original message will be returned to you in the form of an attachment. (See above)
- If you are notified that the email is considered phishing, the original email will NOT be attached.
- If your email is NOT phishing or SPAM, you will receive a notification and the original email will be attached to the response.
-
Protect Yourself from SMiSHing
What is SMiSHing? How can I protect myself?
Your cell phone is one of your most used and most trusted devices. Help keep your device and personal information safe with these cybersecurity tips:
- The first rule when dealing with smishing texts is to never respond.
- Contact banks or retailers directly, as cybercriminals often try to impersonate legitimate businesses in smishing texts to gain access to credit card or other important personal information.
- Avoid clicking on suspicious links and files. These may direct you to an infected site with spyware to record what you type or install malware onto your device.
- Inspect new phone numbers. Take notice of four-digit numbers or any others that stray from the typical 10-digit format.
- To keep yourself safe, never give out personal details, such as passwords, credit card numbers, addresses, and emails, via text.
- Use two-factor authentication as another means of protection. Biometric technology uses fingerprint recognition and facial recognition to verify your identity.
- Forward suspected smishing attacks to SPAM (7726) and/or reach out to the Federal Trade Commission at ReportFraud.ftc.gov.
-
Stay Safe on Public WiFi
Public Wi-Fi is notoriously insecure. This makes it easy for hackers to spy on you or access private/proprietary information when you’re relying on the free public Wi-Fi available in hotel lobbies, coffee shops, bed-and-breakfast inns, and airports. Fortunately, you can help protect private/proprietary information and passwords by surfing smart when traveling. Here are some tips to protect your online activity as you travel.

Use a VPN
A virtual private network, better known as a VPN, can protect you when you are using public Wi-Fi. With the help of the GlobalProtect VPN, the data you send and receive while browsing the internet is sent through a type of tunnel that encrypts it, meaning that hackers can’t see what sites you visit, files you download, or email messages that you send.

Only visit secure websites
If you do use public Wi-Fi to surf the internet, only visit sites with URLs that start with "HTTPS" and avoid those with URLs starting with "HTTP." Why? The "S" in "HTTPS" stands for "secure.” This means that the data exchanged with that website is encrypted, making it more difficult for hackers to access.

Secure your mobile devices
Before taking your trip, visit the "Settings" page of your mobile devices. Turn off any features that automatically connect your devices to available Wi-Fi networks. This will give you more control over when your devices are logged onto the internet.

Use many unique, complex passwords
It's tempting to use the same password at different sites, but resist this urge. If you don’t, you face risks. What if a hacker cracks the password to one of your accounts while you're traveling? If you are using that same password for several other accounts, that hacker can use it to access them, too.

Don’t forget to log out
When you’re done visiting a website, log out. You should never stay permanently logged onto accounts when you’re done with them, but this is especially risky when you’re traveling and using public Wi-Fi.
-
Signs Your Phone Has Been Hacked
Pop-ups
If you’re seeing a lot of unusual pop-up ads, your phone could have an adware infection. Steer clear of these pop-ups — don’t click or open them, because it could make the problem worse.

Unrecognized texts or calls
Receiving communications from unrecognized numbers could indicate you’ve been the victim of a data breach. Don’t answer calls from unrecognized numbers unless you’re expecting them or can verify their authenticity. A hacked iPhone or Android phone can send text messages to all its contacts. If the phone of someone you know has been hacked, your number could be next. Check your call logs for any unusual activity, and if you see a number you don’t recognize, consider blocking the contact and reporting it as spam.

High data usage
If your online activities haven’t changed much but your data usage has shot up, it could be a sign of a phone hacker. A malicious app running in the background can cause unusually high data usage. Review your apps and delete anything suspicious.

Battery drains quicker than usual
Are you charging your phone more often? Does your battery seem to last a fraction of the time it used to? Your phone might simply be getting old, or you could have more than just a battery issue. Unwanted apps installed on your phone via hacking can take over your phone’s resources and drain your battery quickly.

Hot phone
Is your iPhone or Android getting hot and staying hot, even when you’re not using it? Like all devices, phones get hot with continued use, especially if you’re streaming or gaming for long periods of time. But if that’s not happening and your phone still feels unnaturally hot, something else might be causing it to overheat.

Reduced performance
Is your phone dropping calls? Are you not receiving texts, or are texts you’ve sent not getting through? Is your phone freezing, crashing, or unexpectedly rebooting all the time? The culprit may be malware or unwanted background apps draining your phone’s processing power.

Websites look strange
A hacked iPhone or Android phone can be infected with malware that redirects you to sites other than those you want to visit. If websites look odd to you, they might have undergone a redesign recently, or it might mean your phone was hacked and you’re being sent to unsafe websites.

Unexpected charges on your phone bill
If your phone bill is higher than usual, you could be incurring unexpected charges from unwanted apps running on your phone and spiking your data use. Fleeceware apps stuff your bill with excess charges, and if someone has remote access to your phone, they might take advantage of your subscriptions and other services. If you have unwanted subscription fees on your phone bill, consider canceling those subscriptions, and delete infected apps immediately.

Apps you don’t recognize
Strange apps that you didn't install shouldn’t end up on your phone. If you notice an app on your phone that you didn’t put there, a phone hacker might be responsible. Of course, some unnecessary apps come pre-installed on new phones (these are called bloatware). So, if you don’t recognize an app, it doesn’t necessarily mean it’s malicious.
-
Tips to Avoid Phishing
Ways to Spot a Phishing Email
- Don't trust display names: Check the sender's email address before opening a message; the display name might be a fake.
- Check for typos: Spelling mistakes and poor grammar are typical in phishing emails. If something looks off, flag it.
- Look before clicking: Hover over hyperlinks in genuine-sounding content to inspect the link address.
- Read the salutation: If the email is addressed to "Valued Customer" or "Dear Employee" instead of to you, be wary. It's likely fraudulent.
- Review the signature: Check for contact information in the email footer. Legitimate senders always include it.
- Beware of threats: Fear-based phrases like "Your account has been suspended" are prevalent in phishing emails.
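The display-name and link checks described under Tips 1 and 2 of "Protect Yourself from Email Spoofing", under "Understanding Email Phishing" and in the list above are the same checks a mail gateway or a help-desk triage script can automate. What follows is an added example, not code from this page or its author: a Python script using only the standard library that parses a raw message, compares the display name with the real sender address (against a constructed address book and a constructed list of trusted domains) and compares each link's visible text with its href. KNOWN_CONTACTS, TRUSTED_DOMAINS, the .invalid host names and the sample message are all constructed for illustration, and the registrable-domain helper is a simplification that ignores multi-label suffixes such as co.uk.

```python
# Added example (not from the page): flag display-name spoofing and
# deceptive links in a raw email. Standard library only.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: our/trusted domains and contacts seen in previous correspondence.
TRUSTED_DOMAINS = {"example.com", "microsoft.com"}
KNOWN_CONTACTS = {"mark adams": "mark.adams@example.com"}
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
DOMAIN_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)")

def registrable_domain(host: str) -> str:
    """Last two labels (mail.example.com -> example.com); co.uk-style suffixes not handled."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def check_display_name(from_header: str) -> list[str]:
    """Tip 1: the display name is sender-chosen text; compare it with the real address."""
    findings = []
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["From header carries no usable address"]
    actual_domain = registrable_domain(addr.split("@", 1)[1])
    known = KNOWN_CONTACTS.get(name.lower())   # 1. known name, unknown address
    if known and known != addr.lower():
        findings.append(f"{name!r} is on file as {known}, not {addr}")
    for m in ADDR_RE.finditer(name):            # 2. an address inside the display name
        if registrable_domain(m.group(1)) != actual_domain:
            findings.append(f"display name shows {m.group(0)} but real address is {addr}")
    for brand in TRUSTED_DOMAINS:               # 3. brand name over a foreign domain
        label = brand.split(".")[0]
        if label in name.lower() and actual_domain != brand:
            findings.append(f"display name mentions {label!r} but real domain is {actual_domain}")
    return findings

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html: str) -> list[str]:
    """Tip 2: link text and href are independent; flag a mismatch or an untrusted host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if not href_host:   # mailto:, relative or empty href: nothing to compare
            continue
        shown = DOMAIN_RE.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but href goes to {href_host}")
        elif not shown and registrable_domain(href_host) not in TRUSTED_DOMAINS:
            findings.append(f"link {text!r} goes to untrusted host {href_host}")
    return findings

def analyze_email(raw: str) -> list[str]:
    """Run both checks over a raw message (headers, blank line, body)."""
    msg = message_from_string(raw)
    findings = check_display_name(msg.get("From", ""))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(check_links(part.get_payload()))
    return findings

# Constructed sample: a familiar name over a webmail address, one link whose text
# names microsoft.com while the href goes elsewhere, and one link to an unknown host.
SAMPLE = """\
From: "Mark Adams" <hacker@gmail.com>
To: employee@example.com
Subject: Urgent payment request
Content-Type: text/html

<p>Please <a href="http://login-portal.invalid/office">Go to your Office 365 account</a>
or visit <a href="http://evil.invalid/x">https://www.microsoft.com/account</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE):
        print("WARNING:", finding)
```

Running the script on the constructed sample reports three findings: the known contact "Mark Adams" arriving from an address not on file, the link whose text shows www.microsoft.com while its href goes to evil.invalid, and the "Office 365" link pointing at an untrusted host. The heuristics deliberately mirror the page's advice (hover to see the real address, hover to see the real destination, check previous correspondence) rather than replace it; a real gateway would add sender authentication and a maintained address book.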
-
Phish Alert Button
Reporting Emails with the Phish Alert Button
It's important that users report suspicious emails prior to clicking on any links or replying to the sender, even if they appear to come from an internal employee. By using the Phish Alert button, the IT Help Desk can investigate the email for you first and then let you know whether it's safe to proceed. To report an email with the Phish Alert button at the top of your Outlook client, follow the steps below:
1. Open your Outlook client.
2. Select or open the email that you would like to report.
3. Click the Phish Alert button at the top-right corner of the page.
4. In the pop-up window that opens, click Phish Alert to report the email. If you decide not to report the email, you can click the X.
*FYI: When using the Outlook app on mobile, make sure to open that specific email and tap the three dots for that message, not the three dots for the email thread.