Don’t get hooked – self defense against phishing
When it comes to cybersecurity, there seem to be all kinds of intimidating threats lurking out there, from black hat hacking schemes to exotic viruses. And the average person or business might feel totally outgunned by the bad guys.
However, in reality, it is often the simpler threats that do serious damage and make the big headlines. For example, when health insurance giant Anthem saw data for 80 million of its customers and employees stolen in an attack in 2015, the culprits targeted workers with a common — albeit sophisticated — phishing scheme. Closer to home, that was also the case when the Wyoming Medical Center had the records of more than 3,000 patients compromised in a phishing case earlier this year. Instead of going up against tough-to-crack firewalls or the latest anti-malware software, the crooks went after what is always a data system’s weakest component: the people that use it.
To fight phishing, it’s good to know “what it is and what it’s not,” said Alec Muthig, information technology trainer and program manager at the University of Wyoming, who was a presenter at the first annual Cybersecurity Symposium put on by the Wyoming Business Report in Cheyenne on Wednesday.
“Phishing is social engineering,” Muthig said. “It is a con game on you.”
Phishing scams don’t just work on “ignorant” victims, either, Muthig said. CEOs can be just as vulnerable as the office intern. The common factor is that successful scams often appeal to an emotional component in their victims and prompt them to act quickly, without fully thinking the situation through.
“They target the emotional triggers. They use psychological tricks that they know can make you act,” Muthig said. He said appeals to a victim’s curiosity, empathy and even greed can be used, whether in a “shotgun” scam, where many individuals are all sent similar bogus emails, or in a “spear phishing” attempt — an email spoofing fraud that targets a specific organization, seeking unauthorized access to confidential data.
There are some simple steps that can be taken to help protect data from phishing, Muthig said. Things like unusual web and email addresses and awkward language or misspellings in the text of a message can be telling indicators that something “smells phishy.” He said one simple technique is to “hover your cursor” over a hyperlink in order to see the source address it links to before clicking on a suspicious link and being trapped or infected by malware or ransomware.
Muthig also offered a quick checklist for boosting one’s defenses:
Slow down and think critically. “Is this from someone who I have expectations of receiving something from?” Muthig asked, adding that if you think you are being emotionally manipulated, it never hurts to pick up the phone or walk across the office and double check.
Do not trust links. If one looks suspicious, it probably is. Muthig warned that the crooks often come close to the real thing, so if an address seems just a little off, again it’s best to take a little time and check back with the source.
Do not trust attachments. “Examine an attachment’s file type,” Muthig said, noting that while “exe” files are always suspicious and will be flagged by anti-malware software, document files and even PDFs can also carry malicious threats within them. “If an attachment is unexpected, do not open it without first checking with the source,” Muthig said.
He said even pop-up ads can be malicious, noting that he has even seen cases where the close-out “X” link users click on to get out of an ad can be spoofed, so when a user clicks on it, the trap is sprung. “If it looks suspicious, just close out of the whole program,” Muthig advised.
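The two checks in Muthig’s list that a machine can do for you, checking where a link really goes before anyone hovers over it and checking an attachment’s file type, are illustrated below. This is an added example, not code from the article or from the University of Wyoming; the sample message, the trusted-domain list and the function names are constructed for the illustration, and the “registrable domain” logic is a deliberate simplification (last two labels) rather than a full public-suffix lookup.

```python
"""Added example: flag the phishing warning signs from the checklist above.

Two checks a mail filter or a training tool could run on a message:
  1. links whose visible text shows one address but whose href points
     somewhere else (what "hover your cursor" reveals), and hosts that merely
     contain a trusted name somewhere other than the registrable domain;
  2. attachment names that are executables or hide a second extension.
The sample message, TRUSTED_DOMAINS and the function names are constructed
for this example and are not taken from any product or from the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains the organisation actually sends mail from.
TRUSTED_DOMAINS = {"example-bank.com"}

# Executables are always suspicious; documents and PDFs deserve a check
# with the sender before opening, as the checklist says.
EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "msi"}
DOCUMENT_EXT = {"doc", "docx", "xls", "xlsx", "pdf"}

# Visible link text that itself looks like a URL or bare domain.
_ADDRESS_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercase host of a URL; a bare domain gets a scheme so urlparse sees a host."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Simplified registrable domain: the last two labels (assumption, not PSL)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_suspicious_links(html):
    """Return (href, reason) pairs for links a reader should verify before clicking."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        shown = _host(text) if _ADDRESS_RE.match(text) else ""
        # The hover check: the text shows an address, the link goes elsewhere.
        if shown and _registrable(shown) != _registrable(target):
            findings.append((href, f"text shows {shown} but link goes to {target}"))
            continue
        # Lookalike: a trusted name sits inside the host, but the registrable
        # domain is not the trusted one (e.g. example-bank.com.login-xyz.net).
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in target and _registrable(target) != trusted:
                findings.append((href, f"lookalike of {trusted}: {target}"))
    return findings


def attachment_risk(filename):
    """Classify a name as 'double-extension', 'executable', 'document' or 'other'."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT and parts[-1] in EXECUTABLE_EXT:
        return "double-extension"  # invoice.pdf.exe, shown as "invoice.pdf" if extensions are hidden
    if parts[-1] in EXECUTABLE_EXT:
        return "executable"
    if parts[-1] in DOCUMENT_EXT:
        return "document"
    return "other"


# Constructed sample message body; not a real phishing e-mail.
SAMPLE_HTML = """
<p>Your account needs verification. Visit
<a href="http://example-bank.com.verify-login.net/">https://example-bank.com/secure</a>
or read the <a href="https://example-bank.com/help">help page</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_HTML):
        print("SUSPICIOUS:", href, "-", reason)
    for name in ("report.pdf", "invoice.pdf.exe", "setup.exe", "notes.txt"):
        print(name, "->", attachment_risk(name))
```

Run on the sample, the first link is reported because its visible text names example-bank.com while the href lands on verify-login.net, which is exactly the mismatch a cursor hover exposes; the genuine help link passes. The attachment classifier treats a document extension followed by an executable one as its own category, since that is the case a user who only sees “invoice.pdf” is most likely to misjudge.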