By: John Jones | Director, IT Security
NCSAM is upon us once again. Exciting, isn’t it? What, you’ve never heard of it? Well, it’s been around for 15 years and is a joint effort by government and businesses to raise awareness and knowledge of how people can better protect themselves and their workplaces from the threats we’re all exposed to when we use technology or go online.
The three most common threats or attacks to be aware of are Spam and Business Email Compromise, Ransomware and Phone Scams. Here we provide you with some helpful tips to avoid falling victim.
Spam & Business Email Compromise
You may not realize it, but there are different kinds of email that could jeopardize your security. Spam, for one, is unsolicited commercial email. It’s any email that is sent to you without some form of approval or existing relationship. Another kind of harmful email is Business Email Compromise (BEC). BEC targets people as well as businesses by making an email look legitimate in an attempt to get you to do something. For example, in the workplace, the attacker will send someone in your accounting department an email that looks like it’s from the CEO to get them to wire money to an account (that the bad guys are watching). Another example is sending your elderly parent an email stating you’re in jail and need to pay bail money by wiring it to an account. To avoid falling into this trap, here are some helpful tips:
To avoid these, simply delete any email that you wouldn’t normally expect. If it looks like it may be legit, but is asking you to do something abnormal, like not following an established procedure, it may be BEC. Call the sender (don’t use email in case their account is compromised) to confirm.
Don’t bother with unsubscribe buttons; for spammers all that does is confirm your email address is legit so they’ll send you even more spam.
If you aren’t sure about a work email, contact your manager or the Information Security team.
Ransomware
These are computer viruses that encrypt all of the data on your PC (Windows/Mac) and then demand payment (typically $300 to $2,000 for consumers) for the key to decrypt your files. Here are some helpful tips to protect yourself from these costly viruses:
Practice good computing habits. Don’t surf sites with a bad reputation, don’t open downloads you didn’t explicitly ask for, always run up-to-date antivirus software or an internet security suite, apply Windows/Mac/Firefox/Chrome/other updates as they’re released, etc. If you’re running an old version of Windows or Mac OS X, consider upgrading.
If you can, arrange to have a backup of your data. Use Microsoft OneDrive, Google Drive, another cloud backup service, or get a spare hard drive and back up your files to it (unplug when not backing up). If your system does get hit, your data can be safely restored after your PC is reloaded.
Phone Scams
You get a robocall or a call from a person who describes some sort of issue (a relative in jail or in need of medical care, your PC has a virus, an outstanding warrant for your arrest, money owed to the IRS, a bill collector, etc.) and says you have to call some number to arrange payment. Oftentimes the phone number appears to have a local area code. To avoid getting scammed, here are some helpful suggestions to follow:
Caller ID is easy to spoof, so don’t trust that the caller is actually in your area. Many people opt to simply not answer the phone if they don’t recognize the caller.
No government entity such as the IRS or law enforcement solicits payment via phone; hang up without saying anything.
Tell them to mail documentation to your home address and hang up. Note: DO NOT give them your home address; a legitimate contact would already have it.
National Cyber Security Awareness Month ends November 1, but your vigilance is needed year-round. BEC alone has seen over $26 billion in losses over the past few years. There’s money to be made and the criminals aren’t going to stop.
If you suffer a personal financial loss, file a police report and submit a complaint to the FBI through the Internet Crime Complaint Center (IC3). If you suffer a business loss, contact the Information Security Team to start an investigation.