Spoofed Emails No More
This certain person named James prefers buying from ThisShoppingStoreIsLegit.com for items such as clothes, shoes, and bags for one major reason: faster and hassle-free shopping experience. Therefore, James chooses one bag, its size, the color, and design, and he is ready to click Add to Cart. Without any second thoughts, he clicks Add to Cart, keys in his home address, company name, and credit card details to proceed to Payout. Then poof! James’ purchase is complete. But the next day, he receives an email from ThisShoppingStoreIsLegit.com stating that his seller is asking for email verification plus his credit card details. Do you know what happens next?
Private and public organizations have been struggling to protect their computer systems, networks, and data from unwarranted breaches. In this regard, the Cyber Division of the Federal Bureau of Investigation has released a report through Private Industry Notification (PIN) discussing that state, local, tribal, and territorial (SLTT) governments have been targeted by spoofed emails, phishing, compromised vendor accounts, and credential harvesting. The said report includes accounts of cybercrime rates that led to losing nearly $4 million which impaired operational capabilities and caused resource strain on SLTT governments.
Cybercriminals or hackers do not choose who to attack; whether the potential victim is James or SLTT governments, hackers see vulnerabilities and start spreading cyber attacks.
Business Email Compromise or BEC
In a scheme like business email compromise, hackers watch and study the normal course of business for some time, penetrate the victim’s email system, and inject their own email text into a chosen conversation. This instance poses not only risks but also danger as the hacker may trick the firm into paying hundreds and thousands of dollars or even millions into a fraudster’s account, a fake account. Or, a masquerading email-er may negotiate – on behalf of the business – with a buyer and instruct to make a final payment into an account only the fraudster knows. With a simple replacement from the letter “O” to the number “0” in an email address, the attacker is sure going to get the sum he or she wants to siphon into a personal account.
Threats to Be Aware of
Since many of us are like James, we seem to let websites store our personal information, numbers, home addresses, and purchase histories. But with this ease of access on our favorite sites, we seem to be placing ourselves in grave risks – not to mention the high possibility that our money gets wiped off. Therefore, before we go for a click and let unauthorized access roam over our online visits or email creation, here are cyber threats we should not miss out on knowing:
- Malware: Whether you receive an email from a known organization or a close, dear friend, there is a fat chance their emails contain cyber leeches. By cyber leeches, we mean Trojan, malware, and spyware which may be embedded in any attachment we open. Downloading suspicious attachments online may get your system corrupted by these malicious web add-ons.
- Phishing: Hackers may send you emails which may appear to be coming from some legitimate source but are actually fraudulent ones. These emails install malware and steal your personal, precious data – probably your credit card information and credentials you use when logging in.
- MitM: MitM stands for man-in-the-middle attack; you may relate this man in the middle to a broker. So when it comes to hacking, the perpetrator crosses over the path between your device and the server of the website you are visiting, i.e. to get your IP address. Thus, when you are using the net, your interaction with the website may be secretly intercepted. This case happens because of unsecured networks and – again – malware.
- Password Cracking: As the term suggests, password cracking helps hackers gain access to your account – your email for example – for motives, such as monetary gains. To crack your passwords, attackers may use a software in their own system to compare various numerical, alphabetical, and alphanumerical combinations.
- APT: You must have been employed in your company for years and are still not aware that for years hackers have been constantly feeding on data moving around your network; then, you must be a victim of advanced persistent threat or APT. Over a period of time, hackers have been benefiting from the unprotected information you and your co-workers share every day.
- DoS: If for some unknown reason you suddenly cannot access your network, you may have been targeted with denial of service (DoS) attack. What DoS attack does is your network or machine is flooded with too much information, leading to network crash and eventually impossible access. With you or your company being deprived of the access, the attack may result it theft or loss of data.
Say, how many James are there that we should educate on the threats that hackers keep on attacking us with?
Cyber Security Practices to Combat Threats
Private and public organizations and even individuals should be educated on tips to strengthen cyber security. With cyber security, networks, computers, and email systems can be saved from unauthorized access.
- Establish a Firewall: A software and/or an application, a firewall acts as a virtual wall between your computer and the Internet. With a firewall installed, every incoming and outgoing traffic from your device is filtered to safeguard your network. Further, it is better to not open an email coming from an unknown sender. Opening one may send your system a malware that corrupts your data.
- Use Honey Pots: While bees are attracted to flowers, you may set up a dummy computer system – called honey pots – to defend your real system. Even though your honey pots may look vulnerable, attackers may be deceived into accessing it, thus protecting your real system. If you need help with setting up honey pots, you may consult with a cyber security professional.
- Employ Strong Passwords: An obvious take, there may be not a single recommendation as regards how to choose a strong password, but you should try on alphanumeric ones and strong paraphrases on a secure Internet connection – say something that really protects.
- Separate Company from Personal Accounts: Have you ever tried sending data from your company to your personal accounts, and vice versa? We suggest that you avoid doing such as your professional account should be used for and remain in your company; on the other hand, our personal email accounts should be for personal documents and messages. Not separating your company email from your personal one may pose risk not only to your privacy but also the information, employee records, and even the reputation of your company.
- Utilize Alternative Communication Channel: If your business has been using social media sites and emails for any verification of transactions, you may consider establishing a different band of communication. To set up the process, you may opt for calls or text other than receiving emails.
- Inform Changing Business Practices: It is good that your business may have been in constant transactions with your partner, thus forming a fixed set of communication line. However, should you receive an email stating a sudden or suspicious change of practice from your partner, you should see the possibility of being targeted by cyber attackers. With such a scenario, choose to message your business partner on a different communication channel and confirm whether such change comes from them. On the other hand, if you modify your business practice, always choose to inform your partners.
As mentioned, opening emails – unwanted or not – may peril your personal information, credit card details, and login credentials, as well as expose your company records, documents, and sensitive business information. Thus, picking up habits to efface business email compromise should be first in your list. With your email, your small acts can contribute big to your and company’s cyber defense.
- Reply: Rather than clicking Reply All, have the effort to click Reply. When an email carries several or many recipients though CC and BCC, remember that going for Reply All may put all of them at risk. Even if you are a trusted sender, you may not be aware that the email you are sending, sharing, or forwarding contains malware that corrupts systems. Plus, you do not want to get your friends and co-workers spammed. Therefore, if you are replying to the original sender, simply click Reply.
- Deleted Messages: Your life would have been much easier when your deleted emails had been really deleted, completely gone. But take note that your trashed messages are saved somewhere on remote servers which can be retrieved by any extremely adept hacker. Therefore, remember that what you send through an email is like a permanent document. Be careful what you put into writing.
- BCC/CC/Forward: BCC, CC, and Forward work in a similar fashion where everybody in the loop receives whatever is sent. While companies have standard operating procedures in reference to email correspondence, avoiding filling out the BCCs and CCs is a good try. Forwarding such email may also forward unidentified malicious software to every recipient. For hackers, that would be hitting a lot of birds with one stone.
- Suspicious Links: The moment you own an email account, you start receiving unsolicited promos and interstitial adverts. Everybody has been there and done that. Nothing new actually. So, your curiosity may place you in danger as you click an unfamiliar source. DON’T. This link takes you to a specified location and eventually inserts malware into your machine upon your check or download.
- Unsubscribe: This Unsubscribe link is beneficial – those links from the ones you know. If you are unfamiliar with a link, open it not. Or better, blacklist the email addresses. Our email servers are equipped with such functionality, so go ahead and get that email blacklisted. This way, you should stop receiving fake newsletters, giving you stronger security.
- Email Encryption: You or your business may get a function like email encryption service. Simply typing Encrypt: New Password in your subject line, for example, lets an email detect sensitive information such as a new password in this case. Then, when an email is encrypted, the recipients are instructed to download the message from a specified link, thus keeping information away from theft.
Getting Help from Cyber Security Professionals
Your privacy, your company’s, and your recipients’ means more than much to factors, such as reputation, protection from theft, and operational capability. Whether you are an individual, an employee, or a small or large corporation, it is high time you consulted with a cyber security professional to keep yourself from cyber threats. However, before a talk with one, you should know what they can do to help you with cyber security.
- Ethical Hacker: Also called white hat hacker, an ethical hacker is simply a hacker that does ethical hacking. Be confused not. Still fascinated with hacking, an ethical hacker can help you attack the vulnerabilities of your system not to tamper with credential details and gain monetary advantage. Instead, an ethical hacker identifies such weak zones and protects them for you, thus securing your system.
- Security Architect: Quite similar to an ethical hacker, a security architect picks up a view of the overall system to spot and indicate cyber threats. Then, they focus on analyzing such threat and design strategic ways to combat such attack.
- Security Software Developer: These professionals are responsible for coding to develop software and/or applications to maintain cyber security. If you need any antivirus program or a tool that detects possible cyber threats, you may consider consulting with a security software developer.
- Chief Information Security Officer: The chief information security officer plays a crucial role in the overall protection of not only company assets but also technologies. Paired with their skills in technology, the CISO is responsible for the security of information, documents, and emails in general.
Back to James, imagine James had been able to read the PIN from the Cyber Division of FBI. If so, James should have known better than keying in his personal details, credit card numbers, and other sensitive information that easily on ThisShoppingStoreIsLegit.com. While purchasing items on a site that has already stored our data promises faster and hassle-free shopping experience, we should be aware that with every click our privacy and overall digital security is at stake. Remember that it is okay to be skeptical.
If cyber security is a challenge, you may consult with a cyber security professional and create #CyberSecureMindset.
We all are James, but remember that your click means a lot!