
Phishing for Corporate Gold with Social Engineering Attacks

Completing our look at the 7 common-sense cyber protections with #5 and #6:

    #5 DO NOT open emails, links, or attachments from strangers – especially if the email demands urgent action from you. Stop and think: that email could be a "phishing" email from a cyber attacker.

    #6 DO NOT give any of your usernames, passwords, or other computer/website access codes to anyone else. Never email your credentials to anyone and never give them out to someone over the phone (no matter how urgent that person says it is).

These two rules are your best defenses against perhaps the most difficult kind of cyberattack to recognize: the social engineering attack. This is when a cyber attacker leverages the way we typically respond to certain social situations to trick us into disclosing sensitive information about ourselves, our organization, or our computer systems.

Social engineering attacks usually arrive by: 

  • email
  • instant message
  • telephone
  • some other kind of electronic communication

Attackers pretend to be: 

  • someone above you in management who demands something from you
  • a contract employee hurrying to finish a time-critical task for your company
  • a supplier asking you to pay a bill or re-validate your payment credentials
  • a marketing researcher wanting information about your company
  • a bank or credit card representative saying your account has a problem
  • an electric company worker threatening to cut off your power unless you pay a missed bill immediately
  • a charity appealing for money after a natural disaster (e.g. hurricane, earthquake, flood)

Their attacks ask you to take action quickly, before you have time to think, in the hope that you will disclose sensitive information that is useful to the attacker.

Have you been phished today? Could you tell?

The most common social engineering attack you will face online is called phishing. This is when you receive an email or instant message asking you to "do something" immediately, often involving clicking a link or opening an attached document. At the other end of the link can be a login page that will steal your username and password. Opening the attachment could silently deposit malware on your computer that will begin watching your every move, steal copies of all your electronic documents and email, or encrypt your files and hold you to ransom.

Take a moment to think before you click

While common-sense protection #6 (don’t give out sensitive information) speaks for itself, here are the details for #5 (think before you click):

  • DO NOT provide sensitive or confidential information (or even non-confidential data and credentials) via email, instant message, phone or in-person to unknown, unexpected, or suspicious individuals.
  • DO NOT OPEN EVERY EMAIL ATTACHMENT. Just opening an attachment from an unknown or unfamiliar source can install malware silently on your computer.
  • DO NOT SIMPLY CLICK LINKS OR BUTTONS IN E-MAIL (even if the email appears to come from a known source). Hover your mouse pointer over the links or buttons. Does the URL that appears beside the pointer look familiar? If it points to a website you don't know, or is not the same as the website named in the link, DO NOT CLICK THE LINK. In the example below, the mouse is hovering over the “urgent action” the hacker wants you to take. Moving your mouse over this big red button shows you the URL it points to. Does that look like a link to a “docusign.com” web address? Of course not.
  • NOTE: You may have read about attacks that install malware if you even hover your mouse over a link. That is a specialized kind of attack that is prevented if you have “Protected View” enabled in Microsoft Office (and that is enabled by default).

BEFORE CLICKING ON ANY LINK IN E-MAIL (or on websites) keep an eye out for misspellings, special characters like “@”, and suspicious sub-domains. Often a phishing email will appear to have arrived from someone you know, but if you check the email address (by hovering your mouse over it in Microsoft Office, or by clicking on it in Apple Mail) you will see that it is not that person. For example, a recent phishing attack pretending to be an e-mail from the DocuSign company had e-mails sent by "william_scott@flexovitportal.com" instead of from a real "docusign.com" e-mail address.

  • If you open a Microsoft Office document attached to an email, and you are asked to enable macros, DO NOT CLICK TO ENABLE MACROS unless you are sure the document is from a known and trusted source (and always check the validity of the email address the document came from). Get in the habit of never enabling macros the first time you open an unfamiliar document. Take a moment and check it out with macros disabled… you can always enable them later.  
  • DO NOT ELEVATE PRIVILEGES WITHOUT THINKING. When you click on a link in email or at a website, watch out for unexpected or unrequested automatic downloads – especially ones that ask you to elevate privileges on your PC to allow something to install. This is a common warning that malware is trying to install itself. Unless you are sure of what is happening, do not approve the request, do not supply your administrator credentials, and report the activity to your IT department.
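The hover-and-look checks above (an “@” in the address, a familiar brand appearing only as a sub-domain of some other site, link text naming one site while the target is another, and a From: display name whose real address is on a different domain) written out as a small Python checker. This is an added example, not code from the original post; the expected domain, link texts and sender addresses are constructed sample inputs, and the "last two labels" domain guess is a simplification that ignores the public-suffix list.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Hostname of a URL (lowercased), or '' if it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def check_link(link_text: str, href: str, expected_domain: str) -> list[str]:
    """Apply the hover checks to one link; an empty list means it looks consistent."""
    warnings = []
    netloc = urlsplit(href if "://" in href else "http://" + href).netloc
    if "@" in netloc:
        # browsers treat everything before '@' as a username and ignore it
        warnings.append("'@' in the address: the browser ignores everything before it")
    host = host_of(href)
    if registered_domain(host) != expected_domain:
        if expected_domain in host:
            warnings.append(f"{expected_domain} appears only as a sub-domain of {registered_domain(host)}")
        else:
            warnings.append(f"link goes to {host}, not {expected_domain}")
    # if the visible text itself looks like a URL, it must agree with the real target
    shown = host_of(link_text) if "." in link_text and " " not in link_text else ""
    if shown and registered_domain(shown) != registered_domain(host):
        warnings.append(f"link text shows {shown} but target is {host}")
    return warnings


def check_sender(display_name: str, address: str, expected_domain: str) -> list[str]:
    """Compare the company claimed in the From: display name with the real sender domain."""
    sender_domain = address.rsplit("@", 1)[-1].lower()
    if registered_domain(sender_domain) != expected_domain:
        return [f"'{display_name}' mail actually sent from {sender_domain}"]
    return []


if __name__ == "__main__":
    # constructed sample inputs modelled on the DocuSign lure described above
    print(check_sender("DocuSign", "william_scott@flexovitportal.com", "docusign.com"))
    print(check_link("Review document", "http://docusign.com@example.net/login", "docusign.com"))
    print(check_link("https://docusign.com/review", "https://docusign.com.example.net/x", "docusign.com"))
    print(check_link("https://docusign.com/x", "https://www.docusign.com/x", "docusign.com"))
```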

The United States Computer Emergency Readiness Team (US-CERT) has published detailed guidance on avoiding social engineering attacks. You should consider educating your employees on social engineering tactics and how to recognize them. Ideally, this education should be part of new employee training or IT training. Unfortunately, anti-phishing and other social engineering defense training tends to be quickly forgotten. Follow-up reminder emails should be sent out about every six months.

Contact solutions@amaxra.com for more information on how to better protect your business against social engineering attacks.
