It was not that long ago that Home Depot’s credit card system got compromised. It was huge news, and since then there have been hacks of Target, Equifax, NSA, Cloudflare and many others. It is almost a daily occurrence, so much so that I think some people are now numb to the risks associated with computer systems in general. At the risk of being the boy who cried wolf, I am going to talk a little more about security and one of the most common attack vectors, a form of social engineering called phishing.
Phishing is a technique used by bad guys to entice you to click on a link where you think you are doing one thing but you are actually doing another. For instance, if you get an e-mail saying your bank account has been compromised and you must reset your password, it’s very likely a phishing scam. Many times, it is very easy to spot these types of e-mails. However, some of these threats are now very sophisticated and are very difficult to detect.
When I think about why phishing is still so effective, I think the answer is simple. There are still some very common misconceptions out there around phishing. Here are a few.
“You can trust e-mails from people you know”. I hear this all the time and it is just not true. You should still be wary of e-mails from people you know if the e-mail is out of the ordinary. If the e-mail is out of place, it is possible this is a “spoofed” e-mail, where an attacker “pretends” to be someone you know, hoping you will trust that person and click on the link. Some of the most dangerous attacks look like they are coming from someone you know. Social engineering is all about trust.
“It’s easy to spot phishing e-mails”. This is far from the truth. This last year I have seen multiple e-mails that looked so real they were very difficult to spot, even after we knew they were fake. Some of these attacks now use actual names of internal people with the context of their job duties. This makes them very effective at tricking even the most perceptive of people.
“My computer gets a pop-up saying my computer is infected”. Most of the time your computer is not infected, unless you click that OK button. This seems like it is easy to spot, but it is amazing how many times a year we see this problem. It is common for these types of attacks to launch fake windows. Some say they are Microsoft updates; some look like Windows inside Windows, trying to get you to click a fake close button. Be very cautious when something you are not expecting pops up on your computer.
“I have anti-virus and a firewall, I’m safe”. Anti-virus software can save you from some things; however, there are many attacks anti-virus just cannot stop. The last line of defense against attacks is the user. The user is the one who decides if it is safe to click on that link or open that attachment.
Having connected computers allows for wonderful options for companies these days: hosted servers, hosted applications, and even hosted phone systems. However, it also brings dangers. Security cannot be an afterthought. Let us show you how you can help your users have a better, safer experience.