Wednesday, October 9, 2019

Beware short URL links to videos!

Using an idea from the KnowBe4 blog, recently I ran a phish test of over 3,000 people that returned a 100% open-to-click rate. That means that every individual who opened the test email clicked the link. I've never seen a click rate that high in my career.

The email was quite simple:

The subject line displayed only the recipient's first name.
The body of the message was this, and this alone:

I saw you in this video! https://bit.ly/<random 7-character string>.

See the brief article here: https://blog.knowbe4.com/video-becomes-the-next-big-bait-for-social-engineering?utm_content=100985508&utm_medium=social&utm_source=linkedin&hss_channel=lis-TEZp_Z6yIE...

...or here: https://bit.ly/2pVITpD.

Both links above point to the same article, but the second link is a "short URL" that I created on bitly.com. These are also known as "tiny URLs," and they are easily decoded.

If you get an unexpected or unusual text message or email enticing you to click a tiny URL, be sure to decode it at a site like checkshorturl.com and verify the destination domain is trustworthy before clicking it.
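As an added example (not code from the original post, bitly, or checkshorturl.com), the following Python script does what the decoding sites do, but locally: it sends a HEAD request to the short link, refuses to follow the redirect, and reads only the Location header, so the destination page is never loaded. The helper then pulls out the destination host and compares it against a caller-supplied allow list; the allow list and any URLs shown are placeholders you would substitute.

```python
"""Expand a short URL without visiting its destination (added example).

Sends a HEAD request, refuses to follow the 3xx redirect, and returns the
Location header so the destination can be inspected before anyone clicks.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses automatically."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Returning None tells urllib not to build a follow-up request.
        return None


def redirect_target(headers):
    """Return the Location header value (stripped) from a header mapping, or None.

    Header names are matched case-insensitively because servers and proxies
    vary between 'Location' and 'location'.
    """
    for name, value in headers.items():
        if name.lower() == "location":
            return value.strip()
    return None


def destination_domain(location):
    """Return the lower-cased host of an absolute http(s) Location, else None.

    A relative Location (no scheme/host) is treated as unknown rather than
    guessed at, since a short-link service should always emit an absolute URL.
    """
    if not location:
        return None
    parsed = urlparse(location)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed.hostname.lower()


def is_trusted(domain, allowed):
    """True when domain is one of the allowed domains or a subdomain of one.

    The suffix check requires a leading dot so that 'knowbe4.com.evil.example'
    does not pass for 'knowbe4.com'.
    """
    if domain is None:
        return False
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def expand_short_url(url, timeout=5):
    """HEAD the short URL and return (status, location) without following it.

    Network errors propagate as urllib.error.URLError so the caller sees a
    real failure instead of an empty result.
    """
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, redirect_target(resp.headers)
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib raises HTTPError for the 3xx itself;
        # the redirect target is still present in the error's headers.
        return err.code, redirect_target(err.headers)


if __name__ == "__main__":
    # Usage: python expand.py https://bit.ly/XXXXXXX knowbe4.com other-trusted.example
    short, allow = sys.argv[1], sys.argv[2:]  # allow list is whatever you pass
    status, location = expand_short_url(short)
    host = destination_domain(location)
    print(f"HTTP {status}: {short} -> {location}")
    print("trusted" if is_trusted(host, allow) else "NOT on the allow list; do not click")
```

Only the HEAD request to the shortener itself goes out; the destination host is never contacted, which is the whole point when the destination might be hostile.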

Friday, August 2, 2019

What to do (and not do) with suspicious emails

Everyone with an email address receives phishing emails, at home as well as work. Here is a list of do's and don'ts culled from Navigating the Phishy Social Engineering Ocean by Cheryl Conley at https://medium.com/sans-security-awareness/navigating-the-phishy-social-engineering-ocean-5882e8965fa2:

Do:

  • Check the From address, be wary of fake or unknown domain names, and be sure the domain name properly corresponds with the sender’s display name.
  • “Mouse over” links (hover over links with your mouse cursor) to see the real destination.
  • Use a unique password for each online account, and immediately change it if you suspect a breach. For added protection, consider (1) using a passphrase and (2) implementing two-step authentication.

Do not:

  • Click links or attachments unless you’re sure the message is from a trusted source.
  • Give out personal or private information to an unknown.
  • Succumb to emails just because the branding looks real or the sender appears to be someone you know.
  • Click or call listed phone numbers that are included in pop-up ads or threatening emails.
  • Reply to phishing emails.

Other red flags:

  • Mismatched URLs — hover your mouse over the link and compare the destination URL with the displayed URL.
  • Poor grammar and spelling could be an indicator.
  • A request for personal information.
  • Asking for money, especially with urgency.
  • An offer that appears too good to be true.
  • Unrealistic or unlikely threats.
  • Content just doesn’t look right — trust your gut.
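Two of the checks above (the From address whose domain does not match the display name, and the mismatched URL whose visible text differs from the real destination) can be automated. The Python below is an added example, not code from the SANS article or from this blog; it parses a constructed sample message and reports both kinds of mismatch plus a Reply-To that points to a third domain. All domains in the sample (examplebank.com, examp1ebank-login.net, mailer-outside.example) are invented placeholders, and the two-label "registrable domain" shortcut is a demo simplification of what a production filter would do with the Public Suffix List.

```python
"""Flag display-name/From mismatches and link-text/href mismatches (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phish; a real one would come from a .eml file or IMAP.
SAMPLE_EMAIL = """\
From: "examplebank.com Security" <no-reply@examp1ebank-login.net>
Reply-To: support@mailer-outside.example
To: customer@example.org
Subject: Verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please sign in at
<a href="http://examp1ebank-login.net/verify?id=123">https://www.examplebank.com/login</a>
to confirm your details.</p>
<p>Help: <a href="https://www.examplebank.com/help">Help center</a></p>
</body></html>
"""

# Something that looks like a host name: at least two dot-separated labels.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def registrable(host):
    """Collapse a host to its last two labels so www.example.com == example.com.

    Demo shortcut: real code should consult the Public Suffix List (co.uk etc.).
    """
    if not host:
        return ""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def addr_domain(header_value):
    """Registrable domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return registrable(addr.rpartition("@")[2])


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_mismatch(from_header):
    """Return (domain_shown_in_name, real_sender_domain) if they differ, else None."""
    name, _ = parseaddr(from_header or "")
    real = addr_domain(from_header)
    for m in DOMAIN_RE.finditer(name):
        shown = registrable(m.group(1))
        if shown != real:
            return shown, real
    return None


def mismatched_links(html):
    """Return [(host_in_link_text, host_in_href)] for anchors that disagree.

    Anchors whose text is plain words ("Help center") cannot mislead about the
    host and are skipped; only text that itself names a host is compared.
    """
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        real = registrable(urlparse(href).hostname or "")
        m = DOMAIN_RE.search(text)
        if m and real and registrable(m.group(1)) != real:
            found.append((registrable(m.group(1)), real))
    return found


def analyse(raw):
    """Run all three checks on a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    reply_to = addr_domain(msg.get("Reply-To"))
    return {
        "sender": sender_mismatch(msg.get("From", "")),
        "reply_to_differs": bool(reply_to) and reply_to != addr_domain(msg.get("From")),
        "links": mismatched_links(body),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

On the sample, all three checks fire: the display name claims examplebank.com while the address is at examp1ebank-login.net, the Reply-To goes to yet another domain, and the "https://www.examplebank.com/login" link actually points at examp1ebank-login.net. That is exactly what hovering the mouse would have revealed, done programmatically.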



Monday, July 15, 2019

Easy steps to secure your online information

While researching international privacy law the other day at work, I stumbled across this helpful web site from the Australian Cyber Security Centre. It offers a checklist of easy-to-use tips that everyone who uses the Internet should know and practice daily.

Topics include:
  • Securing your email, social media sites and apps
  • Identifying scams
  • Securing your mobile device and your computer
  • Using public Wi-Fi safely

To see the full article and watch the checklist video, go to https://www.cyber.gov.au/advice/EasyStepsGuide.

Thursday, July 4, 2019

HTTPS means "secure," not "safe"

By now, most of us know to look at the URL, or uniform resource locator, of web sites we visit. The URL is more simply known as the web address. For example, https://www.blogger.com is a URL.

When a URL starts with HTTPS, it means that the web site owner has purchased an encryption certificate and applied it to that particular web page. This means that any data you type into that page, such as user name, password, payment card number, account number, etc., is encrypted in transit. In other words, your sensitive data is secured when it is transmitted from your computer up to the server that hosts that web page on the Internet.

When a URL starts with HTTP, it means that your user input on that web page is not encrypted. And that is all it means.

HTTPS does not mean that the web site is safe to visit - it just means that your data is encrypted. Bad guys can buy encryption certificates just as easily as legitimate site owners. And because browsers like Chrome visibly proclaim a site is "not secure" when the URL starts with HTTP, users are more apt to assume that HTTPS sites (which do not display the warning) must be safe to visit.

Not so!

Always be cautious of browsing to unknown or unfamiliar web sites. Only navigate to sites you deem trustworthy. And stop clicking! Just because a site is encrypted does not mean that it cannot infect your computer with malicious software if you click a link on it.

For more information, check out the warning issued by the FBI three weeks ago at https://www.ic3.gov/media/2019/190610.aspx.

Sunday, June 9, 2019

Fake legal threats make for good phishing

Scammers are sending well-crafted legal complaints in email messages to unsuspecting citizens, enticing them to open document attachments to view the charges or complaint. If you open an attachment, you've just let the bad guys into your computer to infect it with malware.

The emails typically come from a domain owned by a legitimate law firm that has been compromised. But the sender may also use a made-up firm. Either way, anyone can create a fake legal document and email it to you. Don't fall for it.

For an example, see https://krebsonsecurity.com/2019/05/legal-threats-make-powerful-phishing-lures/.

If you receive an email like this, treat it like spam. If you have doubts that it is a fake, instead of clicking attachments or links in the suspicious email, find out if the law firm is for real and, if so, call them by phone.

Never reply or act on threatening or urgent emails that are unexpected or in any way seem out of the ordinary.

Sunday, May 12, 2019

Seven behaviors that make you vulnerable to fraud

AARP Magazine regularly publishes extremely useful content about scams conducted by phone and email. Recently, AARP released a relevant article about what makes us vulnerable to fraudsters. Here are those seven personality traits:
  1. You respect authority.
  2. You like to please people.
  3. You are cocky.
  4. You slipped up once.
  5. You're friendly.
  6. You are under stress.
  7. You're lonely.
In a nutshell, we are vulnerable because we are human. The best way to avoid becoming a victim of fraud is not to believe everything you hear or see, and to put a stop to the bad habit of clicking links and opening attachments without first thinking and validating the source.

For the full article, see https://www.aarp.org/money/scams-fraud/info-2019/vulnerable-to-fraud.html, by consumer fraud experts Amy Nofziger and Mark Fetterhoff.

Sunday, February 10, 2019

Free cyber security training videos for family & friends

KnowBe4 is an organization with expertise in cyber security exploits that use social engineering tactics to trick everyday folks like yourself into clicking a link, opening an attachment or replying to a suspicious email. Recently, they developed some basic online cyber security courses targeted at families and children.

I stepped through some of the modules, and what I saw is quite useful. The videos are brief yet informative enough to keep you engaged.

To complete the courses, go to https://www.knowbe4.com/homecourse, and enter password homecourse. The courses are free and you don't have to provide a shred of personal information to complete them. Way to go, KnowBe4!

Maybe you and your family can plan on stepping through one module each night after dinner. You'll be more cyber savvy for it! Here are the topics offered:

  • Passwords
  • Online banking security
  • Protecting your identity
  • Avoiding malware
  • Keeping personal info confidential
  • Protecting kids online
  • Securing your home network
  • Email and attachment safety




Tuesday, January 1, 2019

How to be cyber safe (and keep your identity secure) in 2019

I've been meaning to blog for weeks, but life gets hectic around the holidays.

Today on LinkedIn, a fellow cyber security pro posted a link to an article that neatly outlines the habits you should adopt in 2019 if you haven't done so already.

In summary

Do these:
  • Update your passwords. 
    • Personal tip: also consider modifying your username on sites that hold your most sensitive data - like your bank, for example. Don't use the same screen name that you use for your email and social media posts. Append it with a few characters that you associate with that site.
  • Stop oversharing.
  • Restrict yourself to secure web sites.
  • Stay updated.
  • Back up [your data], not down.
  • Take extra care with emails.
  • Use a VPN. [See article link below for VPN comparison info.]

Details

For more information, go to Seven cyber security resolutions to boost your security at https://securethoughts.com/cyber-security-new-years-resolutions/.

Happy New Year, all! May God bless you and keep you today and always.