Just this past week, according to an article at Forbes.com, Cisco was hacked by a ransomware group who claims to now have 2.8GB of their data. Yikes.
Even scarier, according to the article, “Cisco said that the initial access vector was through the successful phishing of an employee’s personal Google account, which ultimately led to the compromise of their credentials and access to the Cisco VPN.” That’s right, the phishing of a single employee – through their personal account, no less – led to this fiasco.
It’s always time for phishing awareness training
While I’ve posted all about phishing and the need to train your users time and time again, here’s yet another quick refresher. Share with them the following information, and make sure they apply it not just to work accounts, but to personal accounts as well.
Look for those signs!
My advice these days when getting an email, text or voicemail is to start by BEING SUSPICIOUS. I know, I know, it sounds so cynical, but it’s what I do, and so far (knock on wood) I haven’t been successfully phished. But beyond that basic (and unfortunate) “state of mind”, here are some specific things to look for:
Playing to your emotions: Hackers use curiosity, fear and desire to get you to click a link or provide confidential information.
Urgency: They know that the more you rush to act, the more likely you are to ignore telltale signs of a scam. Which is why they use scary phrases to make you “act now…or else!”
Poor spelling (or grammar): While Amazon or FedEx or your bank aren’t likely to misspell words in an official notice to you, cyber criminals – particularly those whose first language isn’t English – aren’t the most careful with spellcheck.
Asking you to “click here” or “open the attachment”: Never click on links or open attachments in messages from people you don’t know, or even from people who claim to be someone you know when their message is unexpected. Message separately (or call) the actual person the message purports to be from. Or, if it is from a supposed business or government office, go to the official website to check out the request or claim.
Asking for confidential information: Huge red flag! Never (ever) provide sensitive personal information in response to an email or text. Any legitimate entity (bank, retailer, government office) would never ask you for that type of information in an email or text.
Spoofed websites: Only provide confidential information on a website if you’re 100% confident that you are on a legitimate site. (In other words, it is best to go directly to a website by typing in the URL yourself, not by clicking on a link in an email.)
Fake phone numbers: Phone numbers are also easy to spoof these days. Which is probably why so many smishing (another word for SMS phishing) texts and voicemails seem to come from your own area code. If it looks local, you’re more likely to assume it’s someone you know (or a legitimate local business). Unfortunately, it’s probably not coming from your area code at all. Bottom line: If the number is not in your phone’s contacts already, at least be wary.
Strange sender address: Check the actual email address (as opposed to just the alias, or name you initially see) in the “from” line of the email. This will pop up if you hover your cursor over it. Look for a legitimate domain name (e.g., “@bankofamerica.com”). If it doesn’t match up with who it is supposed to be coming from, it’s most likely a phishing message. And be sure to look very closely; hackers have gotten good at establishing phony versions of legitimate domain names by using subtle typos. (For example, the letter “l” might be switched to the number “1”, or the letter “O” to the number “0”.)
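As an added example (not from the original post), here is a small Python check for the two things this section describes: pulling the actual address out from behind the display name, and spotting a domain that only looks right because of a swapped character. The allow-list of expected domains and the sample “from” headers are constructed for the example.

```python
import re

# Constructed allow-list of domains you actually expect mail from.
EXPECTED_DOMAINS = {"bankofamerica.com", "amazon.com", "fedex.com"}

# Confusable characters mapped to the letters they imitate: the
# post's own "l" -> "1" and "O" -> "0" swaps plus two similar ones.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def actual_address(from_header: str) -> str:
    """Return the real address from a header such as
    'Bank of America <alerts@bankofamerica.com>' (the part you
    only see when hovering over the alias), lower-cased."""
    m = re.search(r"<([^>]+)>", from_header)
    return (m.group(1) if m else from_header).strip().lower()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1]


def normalize(domain: str) -> str:
    # Collapse a lookalike spelling onto the real one, e.g.
    # "bank0famerica.com" -> "bankofamerica.com".
    return domain.translate(HOMOGLYPHS)


def classify_sender(from_header: str) -> str:
    """'ok' for an expected domain, 'lookalike' when the domain
    matches an expected one only after undoing confusable swaps,
    'unknown' for anything else (treat both of the latter as a red flag)."""
    domain = domain_of(actual_address(from_header))
    if domain in EXPECTED_DOMAINS:
        return "ok"
    if normalize(domain) in EXPECTED_DOMAINS:
        return "lookalike"
    return "unknown"
```

Note that a display name can itself be a fake address, so the check deliberately ignores everything outside the angle brackets.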
This message is suspicious. What should I do with it?
Well, that depends. If it’s the subject line that’s making you suspicious, just delete the message without opening it. However, if it is what the message says that’s making you suspicious, DO NOT click on any links or download any attachments. And DO NOT reply to the sender. Usually, deleting the message is the easiest/safest step. However, you may want to check with your IT department for guidance on what to do beyond just deleting it. Some organizations have procedures for flagging or reporting suspicious messages.
Oh no! I think I’ve been phished!
OK, I know I just said this hasn’t YET happened to me, but I know of some very cyber-savvy people it has happened to. And you probably do as well. I mean, these criminals have gotten really good at this stuff. The bottom line is this: If you even slightly suspect you have been successfully phished – even if on a personal account, as the person at Cisco was – report the incident to your IT department immediately. Because not only is your private information compromised, but that information can be used to gain access to your organization’s sensitive data. IT will want to change out all compromised passwords right away. They will likely want to inspect your computer for signs of malware. If the incident happened through your private computer, mobile or personal email, you will also want to take the obvious, immediate actions: Change passwords and contact relevant financial accounts.