Cyber Security Tips

First National Bank Wants to Help You Stay Safe Online

Social engineering is the art of manipulating and deceiving a person in order to gain control over his or her computer. It's important to understand what social engineering tactics hackers use (and, more importantly, how to protect yourself against them), because they pose an enormous risk to everyone using the Internet today. Here we'll focus on online and email tactics such as "phishing" and "spoofing": with cyber attacks rising dramatically in an increasingly tech-saturated society, data breaches are no longer a question of "if" but "when."

Cyber Security Basics

What is "phishing"?

Phishing is a common social engineering tactic in which the hacker targets a user and sends him or her a counterfeit email that appears to be coming from a legitimate organization or acquaintance. The email urges the user to take a specific action, such as clicking a link or downloading attachments. Once the user takes this action, the hacker is able to access the machine, seize personal and financial information, and effectively compromise all data within.

What is "spoofing"?

Often going hand-in-hand with phishing, "spoofing" is a common social engineering tactic in which the hacker manipulates the "sender" (or "from") email address. Hackers can make the sender's email address appear as whatever they want. They can spoof your boss's email address or your mother's, or create an address that appears to come from a company you trust, like "support@yourbank.com" or "ITdept@walmart.com."

Phishing Scam Example

A classic example of phishing is the tech support scam, and it comes in many varieties and levels of sophistication. When unusual activity is detected on their users' accounts, service providers notify the user to verify that the activity was made by the account holder. Hackers manipulate and use this practice to their advantage by replicating these types of emails and sending out dangerous links appearing to be coming from a company the recipient knows and trusts.

The message urges you to perform an action (e.g., type your username and password, click a link, etc.), alleging that it's for your own "safety and security." Many of the emails are designed poorly with bad grammar and hasty demands, but others look legitimate enough for someone to click if they aren't paying close attention.

This fake Amazon security notice warns potential marks of "unusual log in activity" on their accounts and prompts them to click an unsafe link. Clicking can download harmful malware or ransomware and/or grant the cyber criminal remote access without your knowledge.

Phishing Attempt Warning Signs

When it comes to identifying a phishing attempt, there are a few key areas that can indicate a potential threat. Ask yourself these questions when you receive an email that seems out of the ordinary.

  • Am I expecting an email from this sender? Or does this correspondence strike me as suspicious, unprompted, and out of the blue?
  • Does this email sound like the sender? If the sender is someone you know (e.g., a friend or colleague), does it sound like him/her? Is this how they normally talk/write? Is it riddled with typos? If so, is that typical of the sender?
  • Is the subject matter characteristic of the sender? For instance, if the email appears to be coming from your brother and asks you to wire him money but not to call him, is this characteristic of him or does it seem unusual?
  • Similarly, does the content/subject matter make sense? For instance, if the email is an order confirmation from "Amazon," did you order anything from Amazon recently or does this seem wrong or out of place?
  • Do you normally receive these types of emails from this account? For instance, this appears to be your bank statement, but it's going to your work email instead of the personal email listed on your account?
  • Does the email urge you to take immediate action? Is the email trying to force you to take a certain action by using terms like "ASAP," "urgent," "immediate," or "right now" (e.g., you "must" change your password "right away")?
  • When hovering over the links in the email, do they appear to be legitimate? Place your cursor over one of the links (but DO NOT click it). The URL/website that the link will direct you to will be displayed next to your cursor. Does it match the website it says it will take you to?
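Several of these warning signs, along with the spoofed "from" address described earlier, can be checked mechanically. The following is an added example, not code from the original page or from First National Bank: it applies three of the checks (sender domain, urgency wording, and link text versus link target) to a single-part HTML message. The sample message, its domains, and the `trusted_domain` parameter are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Urgency wording from the checklist above, and a simple <a href="...">text</a> matcher.
URGENCY_TERMS = ("asap", "urgent", "immediate", "right now", "right away", "must")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(value):
    """Hostname of a URL, or of a bare domain used as link text, with any 'www.' dropped."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def phishing_flags(raw_email, trusted_domain):
    """Apply three warning signs to a single-part raw message; return (kind, detail) pairs."""
    msg = message_from_string(raw_email)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain != trusted_domain:       # "From" is not the domain you expect
        flags.append(("sender", f"From domain {sender_domain!r} is not {trusted_domain!r}"))
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [t for t in URGENCY_TERMS if re.search(rf"\b{re.escape(t)}\b", text)]
    if hits:                                  # pressure to act immediately
        flags.append(("urgency", "pressure wording: " + ", ".join(hits)))
    for href, visible in ANCHOR_RE.findall(body):
        visible = re.sub(r"<[^>]+>", "", visible).strip()   # strip tags inside the anchor
        if "." in visible and " " not in visible and host_of(visible) != host_of(href):
            flags.append(("link", f"link text shows {host_of(visible)!r} but points to {host_of(href)!r}"))
    return flags

# Constructed sample (not a real message), modelled on the fake "unusual log in activity" notice.
SAMPLE = """\
From: Amazon Security <security@amaz0n-alerts.example>
To: you@example.com
Subject: URGENT: unusual log in activity on your account
Content-Type: text/html

<p>We detected unusual sign-in activity. You must verify your account right away:</p>
<a href="http://login.amaz0n-alerts.example/verify">https://www.amazon.com/account</a>
"""

if __name__ == "__main__":
    for kind, detail in phishing_flags(SAMPLE, "amazon.com"):
        print(f"[{kind}] {detail}")
```

A message that passes all three checks is not necessarily safe; the remaining questions in the checklist (timing, whether you expected the message, whether the request fits the sender) still need a human judgment.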

Does anything else feel "off" to you?

Overall, do you trust this email? Or does the sender email address, subject, phrasing, timing, spelling/grammar, logo, layout, links, or anything else seem "off" in any way? If so, DO NOT click, respond, or interact with it.

How to Handle a Phishing Email

First things first, trust your instincts. If there is any question as to the legitimacy or intent of the email, DO NOT click any of its links, download any attachments, respond to the sender, or in any way interact with it.

Instead, you should:

  • Critically review the email—ask yourself if it seems fishy or unusual in any way or if it's typical of the sender. Then contact the sender directly via phone call or in person and ask whether they sent the email.
  • If you've deemed the email unusual in any way, then without clicking any of its links or contents, forward the email to your company's IT department. Let them know you received the attached email and believe it to be a scam.
The IT department can then:
  • Investigate the matter further
  • Help you determine whether or not the message is safe
  • Block future messages from this sender
  • Warn others within the company if necessary (as colleagues may have been targeted as well)
  • Educate other users on the dangers of phishing and social engineering so they're prepared to deal with these types of attacks
  • Potentially report and identify the sender and pursue punitive measures accordingly

Can You Spot the Red Flags?

Now that you know some of the red flags that often indicate the presence of a potential threat, see if you can spot them all in the email below. Then, check out the red flags we identified in the email below that!

Below, we've flagged a number of the key areas that should've aroused your suspicion. Review the red flag comments and keep them in mind when you receive unusual emails in the future!

Contact Applied Connective Technologies if you want to learn more about cyber security and how your business can take proactive measures to improve your security posture.