Cyber-Security Begins with You!

Posted by Theresa Hietpas

Sep 23, 2015 1:54:00 PM

At River Run, our mission is to keep your network up and running. Our Technicians and Engineers work diligently to ensure the safety of your network with recommended software and hardware updates, malware protection, high-quality firewalls, redundant backups, network monitoring, and more. We can do everything technologically possible to protect your network, and you could still have a major breach of security because the “liveware” – you and your employees – accidentally opened the door.

If you’ve been reading the news in the last year or two, you’ve seen multiple high-level breaches of credit card, healthcare, identity and background information affecting millions of people. Chances are you have been touched in some way by a data breach in the last two years. In many of those cases the initial breach that allowed the disruption was accomplished not by superior hacking skills, but by “social engineering” – getting somebody in the company to provide access that allowed malicious parties to do damage or steal information.

“Phishing” is the practice of sending out legitimate-looking emails, or making legitimate-sounding phone calls, asking for information that only an authorized user would have access to. Lately there seems to be an uptick in these incidents.

Here are a few examples from our Tech staff:

  • Incoming “Online Tech Support” or “Support Desk” calls – incoming calls or pop-up windows from “IT support” personnel who then directed the user to convincing “evidence” of virus infection (normal error messages found in the system’s event viewer) or a very long, complicated “unique” id like “CLSID{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}” (that is likely to be found on most computers) as evidence that the user’s computer has been positively “identified” as a problem.

Once they’ve “proven” their authenticity with seemingly accurate information, the scammer establishes a remote log-in with the user’s help and takes control of the computer. In one case they disabled every startup service on the machine.

Clients have received multiple calls asking for payment for additional support, and finally found their data encrypted or destroyed after they refused payment.

  • Spoofed Domain – some of our clients have received email from a domain that matched their own very closely -- other than an easily overlooked extra character (an extra hyphen, or 3 lowercase “L”s instead of 2) with a simple, personalized message:

 Scammer: “Hey, (correct name), are you in the office?”

Client: “Yes I am”

Scammer: “I need you to authorize a wire transfer to XYZ at….”

With just a few bits of usually public information, scammers can easily target the right person in an organization with a request for confidential or sensitive information so casual and specific that it is believable. They might even CC other high-ranking people in the organization (but using the fake domain address). By the time the user realizes it’s a mistake…it’s too late.
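The spoofed-domain trick above relies on a sender domain that is only one or two characters away from the real one. The following is an added illustration of how a mail filter can flag such near-matches; it is not code from River Run, and the organisation domain and sample From: headers are constructed placeholders.

```python
"""Flag sender domains that are near-matches of an organisation's own domain."""
import re

# Constructed placeholder for the organisation's real domain (assumption).
OWN_DOMAIN = "millbrook.example"

# Constructed sample From: headers, not real messages.
SAMPLES = [
    "CEO <ceo@millbrook.example>",    # our own domain
    "CEO <ceo@milllbrook.example>",   # three lowercase L's instead of two
    "CEO <ceo@mill-brook.example>",   # an extra hyphen
    "CEO <ceo@brookside.example>",    # unrelated outside domain
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Jane <jane@example.com>'."""
    # Prefer the address inside angle brackets; a display name can contain '@' too.
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    at = addr.rfind("@")
    return addr[at + 1:].strip().lower().rstrip(".") if at >= 0 else ""


def lookalike_verdict(from_header: str, own_domain: str, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for one sender address.

    A domain that is a close edit of our own but is not ours is exactly what
    the wire-transfer scam depends on, so it deserves a warning banner or hold.
    """
    dom, own = sender_domain(from_header), own_domain.lower()
    if dom == own:
        return "internal"
    if 0 < levenshtein(dom, own) <= max_distance:
        return "lookalike"
    return "external"


def scan(headers, own_domain=OWN_DOMAIN):
    """Classify every header; returns (domain, verdict) pairs in input order."""
    return [(sender_domain(h), lookalike_verdict(h, own_domain)) for h in headers]
```

The distance threshold only catches close edits of your own domain; it says nothing about unrelated domains, which still need the out-of-band phone call the article recommends.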

  • “Offensive Content” demands – a client gets a handful of emails regarding “offensive content” that was sent to someone, and the sender wants to be contacted regarding the content or they will contact the authorities.
  • “Your mailbox is full. Click here to…” – legitimate-sounding emails that appear to come from your internal IT department, telling you to “Click Here” and enter your credentials to “increase your mailbox quota”, “update your password”, “update Outlook” or “install the new software”.

What all of these examples have in common is that they were personalized, looked and felt “legitimate” and were targeted at well-meaning people trying to do the “right” thing. So how do you protect against those kinds of attacks?

  • VERIFY requests for information or actions that require you to provide authorization, information, remote access or credentials for anything. Pick up the phone and make a call to confirm, if it’s something you didn’t personally request.
  • VISIT KNOWN WEBSITES yourself instead of responding to an email or phone call that appears to be from them. It’s a good practice to never give information to anybody who comes to you for it – “phishing” is common enough that companies with good security practices won’t ask you for information that way – and those that do make legitimate requests will always give you the information you need to go there directly rather than click a link.
  • LOOK carefully at email addresses, website links, etc. Whenever possible, visit websites directly or address a new email to known parties rather than clicking links in messages you’ve received. If you MUST click a link, always hover over it first, and wait for the pop-up text to show you the actual address it’s going to. If it doesn’t match the text or it isn’t a site known to you, don’t click it.
  • DON’T GIVE PASSWORDS to anyone. Legitimate support personnel will generally have credentials themselves or ask you to log yourself in. If you must disclose a password, change it immediately. Better yet, change it to a temporary password and change it again after the work is completed so you don’t disclose information that might help someone figure out other passwords you use.
  • ASK QUESTIONS of yourself and others. Does it “feel” funny? Phishing requests are often (nearly) flawless. The little details can be hard to pin down, but there are frequently grammar errors, logo differences…little things that just aren’t quite “right.” Trust that feeling -- if you’re not 100% sure, call or email your support desk and ASK. It’s worth a few extra minutes.

If you have questions about Cyber-Security issues call our support desk at 414-228-7474. If you’d like more information on Cyber-Security education programs for your employees, call Theresa Hietpas at 414-228-5010.

Topics: Phishing attacks, Cyber Security
