DRAFT

SIL Information Security Training for End Users:  Secure Your Online Accounts

Phishing is a type of social engineering in which an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker, or into deploying malicious software, such as ransomware, on the victim's infrastructure. 

In a phishing scam, you might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you’ve used before. The email may be convincing enough to get you to take the action requested. But once you click on that link, you’re sent to a spoofed website that might look nearly identical to the real thing—like your bank or credit card site—and asked to enter sensitive information like passwords, credit card numbers, banking PINs, etc. These fake websites are used solely to steal your information.

What are the latest trends? 

  • There are more scams than ever coming at us in more ways
  • Phishing Attacks on Social Media Doubled Over 2021
  • COVID-19 Test Related Phishing Scams Jump 521% Into January
  • Malicious Office Documents Jump to 37% of All Malware Downloads at the End of 2021
  • Ransomware Attacks are Growing in Number but not in Sophistication 

You as an IT specialist can implement many measures to reduce IT security risk. 

  • Maintain the firewall to protect the office from different threats from the internet
  • Make sure your computers are protected against viruses 
  • Keep your computers up to date 
  • Encrypt sensitive equipment
  • Keep good backups 

But even the best IT security can be compromised if one of your users clicks a link they should not.

We sometimes think that when 2SV (2-step verification) is enabled we are less likely to be compromised by phishing attempts. This is not the case. The security codes generated by authenticator apps change every 30 seconds, which raises the level of security. But hackers do succeed in stealing both the password and the 2SV code within that 30-second window. Consider this true case:

Someone is waiting for a parcel delivery. Let’s call him John. It takes longer than expected. 

John receives a text message that the delivery was delayed because he needed to pay for the shipment, 3 euros. So, he pays for that shipment. 

Then John receives a call from his bank, customer service. They tell John there is a security incident. 

A Western Union payment for more than 600 euros was issued from his account. The bank asks John if he noticed anything weird recently. John tells them about this shipment thing. 

The guy from customer service explains to John that this is a phishing attack and that his data was used to create this Western Union transfer. 

The guy puts the call on hold because he needs to refer to his manager. John is reassured because the hold music is the jingle from his bank. The guy takes the call again and tells John he is fortunate because they can stop the transfer. He is going to receive a 2SV notification on his phone. The only thing he has to do is tap that notification to cancel the transfer. 

John receives the secure 2-step notification on his smartphone. He taps the notification. 

And guess what? What he has just approved is not the cancellation of the transfer, but the transfer itself. 

The guy on the phone was not from the bank.

This is a real example of how bad guys can easily bypass security controls through social engineering. 

As soon as money or sensitive data is involved, hackers redouble their ingenuity. They attack the weakest link: user ignorance.

SIL recently conducted a phishing awareness program. They asked a company to test how SIL's users deal with phishing. That company periodically sent staff "test phish" email messages and gave SIL the results. During the last phishing simulation, a phishing email was sent to 1/10th of SIL staff. 1 in 4 failed the test. The departments with the worst percentages were Finance and HR. 

Hackers can conduct their attack on a large scale. It doesn't cost them much to try and to steal personal information. Out of 100,000 attempts, a few people will fall for it.

Hackers can make their attacks even more personalized when they send what we call spear phishing. 

Spear phishing is a type of phishing where you target someone in an organization. This can be the Director, the HR manager or… the IT guy.

For this they can try a wide range of methods: an e-mail with a seemingly harmless link, a password-protected attachment, a text message from a family member indicating an emergency situation, a phone call from "your bank" or a counterfeit website. And it is not always obvious to spot these scams.

The best protection lies where hackers attack: people's gullibility.

Hackers try to manipulate your emotions. They may try to appeal to your greed, guilt, fear, and unhealthy desires. They may also try to appeal to your compassion by making up a terrible story, pretending to be stuck somewhere and in dire need of help. Or they may promise you big payouts or the job you've always dreamed of having. Beware of curiosity that can take over and push you to click on a link.

The best thing you can do is to think thoroughly before you click, or before you answer requests. 

If it’s too good to be true, it usually is.

If you think you are a victim, you can freeze your credit. Notify your bank or other company as soon as possible that your account might have been compromised. You may want to consider subscribing to an ID theft protection service like LifeLock, ID Watchdog, Zander, or PrivacyGuard, which will help you freeze your credit and notify you if it appears that someone stole your identity.

To minimize the risk of taking the bait, you and your users should keep a healthy level of skepticism, evaluate all incoming messages no matter how they arrive (email, SMS, social media, voice calls, etc.), and look for potentially suspicious signs of a social engineering scam. 

So how to spot a scam? 

These are the signs that should alert you: 

  • You receive a request that is unexpected (but sometimes an unexpected request is legitimate)
  • The request addresses you with a generic greeting, not with your name (but a spear phishing message will use your real name)
  • The email/text/notification is marked as important and conveys a sense of urgency, claiming you will be penalized if you do not act immediately (but your director can sometimes ask you to do something urgently for good reasons)
  • The sender asks you to do something you have never been asked to do before (but this can happen in real life too)
  • The request uses a fake domain. Look out for spelling errors and inconsistencies, such as @micrusoft.com instead of @microsoft.com
  • There are spelling and grammar mistakes. Real emails from large companies will almost always be proofread
  • The sender's email address may look odd (but it may also look normal if the address is being spoofed) 

To combat this scourge, the general best practice is to step back and reflect. 

  • Hover over links and see what address the link points to before clicking on it. This lets you check whether the domain it points to is legitimate
  • If you are asked to change credentials, don’t click the link; instead, type the web address of the website you know directly into your browser
  • Do not open password-protected attachments unless you are 100% sure. These cannot be scanned by antivirus software
  • Never give anyone your credentials, your 2SV codes or backup codes, or any other security information
  • If there is a shortened URL, check where it leads before clicking (http://checkshorturl.com)
  • Be careful with what information you share online or on social media
  • If you are not sure, ask IT consultants
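As an added example that is not part of the SIL training page, the small Python script below automates two of the checks above: it compares a sender's domain against an allowlist to catch one-letter lookalikes such as micrusoft.com, and it compares a link's visible text with its real target, which is what hovering over a link shows you. The allowlist and all sample addresses are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation expects mail and links from.
TRUSTED_DOMAINS = {"microsoft.com", "sil.org", "example-bank.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 or 2 from a trusted domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Reduce 'login.microsoft.com' to 'microsoft.com' (naive: last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_domain(host: str) -> str:
    """'trusted' if on the allowlist, 'lookalike' if within 2 edits of one, else 'unknown'."""
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

def check_sender(address: str) -> str:
    """Classify the domain part of a From: address such as billing@micrusoft.com."""
    return classify_domain(address.rsplit("@", 1)[-1])

def check_link(display_text: str, href: str) -> str:
    """The 'hover over the link' check: does the text name a different site than the target?"""
    target = urlparse(href).hostname or ""
    shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", display_text.lower())
    if shown and registered_domain(shown.group(0)) != registered_domain(target):
        return "mismatch"  # visible text says one site, the link goes to another
    return classify_domain(target)

if __name__ == "__main__":
    print(check_sender("billing@micrusoft.com"))                                        # lookalike
    print(check_link("https://www.microsoft.com/account", "https://login.micros0ft-verify.com/x"))  # mismatch
```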

This is important for you, first. You can be targeted as you are responsible for IT security in your organization. This is important for your users as well. Your end users are in the end the best security your organization has. We encourage you to train them, when they start their assignment, or on a personal basis, each time you can, and even remind all employees of these things as part of ongoing training.

There is phishing simulation software that you can subscribe to, free or paid, for testing and raising employee security awareness. You may want to search for it and try some. You could get a good return on your investment if it helps you avoid large-scale attacks on your systems.

You might like to view these videos:

  • Social Engineering
  • Social Engineering II
  • Phishing
  • Impersonation
  • Other Social Engineering Attacks
  • Principles of Social Engineering


Contributors to this page: admin .
Page last modified on Tuesday March 4, 2025 10:22:39 GMT-0000 by admin.