So, now you know what ransomware is, you’re a cybersecurity master, right? Not quite. Keeping up with cybersecurity challenges organizations big and small – and keeping up with the lingo can be difficult too. As new cyber attacks launch day after day, new language and names for these attacks are released as well. This article will help you understand the basics and keep up with that the latest cybersecurity chat at the office water cooler.
This one is simple. Phishing refers to criminal activity in which the criminal attempts to obtain sensitive information by masquerading as someone or something else via email. Ever get an email from “Amazon” asking about your recent payment activity and the need to update your account but you find out it’s not really Amazon? That’s phishing. The criminal poses as a legitimate person or entity in the hopes of you trusting them and giving up personal information such as you username and password, credit card details, security codes, etc.
Phishing attacks are on the rise (150% in the past year on social media networks like Facebook, Twitter, Instagram and LinkedIn) and the bait is becoming increasingly believable and harder to identify. The logo looks legitimate, the promotion sounds good, the quiz seems so fun! So as much as you want to take that survey on Facebook (you can even win a prize!), don’t.
Even scarier, is spear fishing, in which the email appears to be from an individual or business you know and trust, but it isn’t. Unlike a random attack, these target a specific organization to access confidential information such as financials or trade secrets. Think that email came from your CFO? Think again. Hackers are now looking at your organization’s web page for employee listings and contact information so they know who to pretend to be and who to target. If you get an email from an internal employee asking for information that 1) seems suspect relative to their business needs and job function or 2) seems like something they should already have access to, don’t reply right away. Give them a quick call or stop by their office and make sure it was really them reaching out to you.
Voice + Phishing = Vishing; the telephone version of phishing. In this scenario, you receive a phone call from a criminal posing as an authentic business or agency in an attempt to fool you into providing personal information. A five minute identify theft. Vishing can occur via voice email, VoIP (Voice over IP), landline or cell phone. These criminals are hard to track down as they have even spoofed caller ID numbers to hide their identities. So while it “looks” like you’re getting a call from your bank, you aren’t. Be sure to verify who it is that you are talking to on the other end, never provide personal or payment information over the phone if you are unsure, and don’t be afraid to tell them you’ll call back after you validate the proper number for the business.
Your phone lights up and you’ve got a new exciting text. “You have won a free gift card, click this weblink to claim your prize!” But it’s not a prize, it’s a fake link that captures your personal information. That’s smishing – SMS + Phishing. If you get a mysterious text (many of which conveniently contain hyperlinks to fraudulent sites or phone numbers to call back) don’t reply. And keep an eye out for messages coming from a “5000” number. This generally indicates the text message was sent via email to your cell phone and not another mobile phone.
While the attacks above will solicit you for personal information and rely on you to make an error in trust or judgement via clicks and keystrokes, this form of attack will simply take you there! Using malicious code, pharming directs internet users to a fake website that mimics the appearance of a legitimate one in order to gain a user’s personal information. Pharming can redirect you to the false website without your knowledge. Everything looks real and you may not have even noticed a change in the webpage. Online banking sites and e-commerce organizations have become prime targets here. Be extra careful when entering sensitive or payment information online. Take an extra second and make sure you see an “s” in the “https” of the URL, and check for the lock, key or padlock symbol (this may vary based on the browser you use). Be wary of websites that look a bit “off” or different than the last time you visited.
Cyber threats are growing smarter and more sophisticated by the day. It’s important to remember that although these forms of attack exist, they are not independent of each other. You may get a vishing voicemail directing you to a phishing website. The attacks are intertwined and refined. Don’t believe every sender and site is legitimate, and most importantly, don’t take the bait. If it looks “off,” it probably is. It’s not a waste of time to stop and verify who you are talking to and what you are receiving or viewing online before handing over up your information.
And now that you’re caught up on the latest lingo, it’s time to help spread awareness. Ensuring the employees of your organization are aware of what cybercriminals are up to, where attacks are most often aimed and what risks are out there is key. Education is the first line of defense. The single second someone takes to stop and think before they click or enter information online may be all it takes to avoid a privacy breech, data loss or identity theft.