Security Hints + Tips — Pretexting

Pretexting is when the bad guys create a false scenario using a made-up identity or pose as someone you know. They can even pose as employees of banks or credit card companies to manipulate you into divulging personal or sensitive information.

How it Works: Common Tactics of Influence
The bad guys will try to persuade you into giving them sensitive information. Oftentimes, the information that they need is not specific to your organization. Below are examples of two common tactics used to influence victims in pretexting scenarios:

Pretexting with Authority
You receive a call at work from someone demanding immediate assistance. They are speaking in an aggressive and authoritative tone. This person establishes their authority by using an executive-level or official-sounding job title. They may even insult you for not being familiar with “who they are”. These scare tactics often persuade victims into giving away sensitive information or complying with the cybercriminal’s request. It’s human nature to act in a responsive manner around someone of authority, but don’t fall victim to false claims of authority! 
 
Pretexting with Obligation
You receive a call from someone posing as a member of your IT department. The bad guy tells you they’ve found malicious activity on your work computer and begins questioning your recent browsing history. The fake IT employee implies that you’ve accessed a malicious website and have put the company in danger as a result. They demand you update your password with a more “secure” password which they provide. Would you feel obligated to comply with their instructions? Many unsuspecting people would, but don’t fall victim to a false sense of obligation!

How Can I Avoid Falling Victim to Pretexting Scenarios?
Use the tips below to help protect your organization against pretexting scenarios:
Never give out sensitive information over the phone, online, or in email, unless you are absolutely sure you know who you’re dealing with, or you initiated contact with the individual.
If the caller claims to be an employee but their request seems suspicious, verify their identity through a trusted party and let them know you’ll call them back. If the caller questions the need for your verification efforts, explain that you’re following the process required for sharing the type of information they are requesting. Maintain a respectful but forceful attitude.

Make sure you’re familiar with your organization’s protocols for handling requests for information or ask your supervisor if you need assistance.

The KnowBe4 Security Team
KnowBe4.com



Security Hints + Tips

Don’t Be Fooled by Workspace Tools

Many organizations use platforms such as Microsoft Teams, Google Drive, or Zoom to stay connected. Unfortunately, these trusted communication tools can lead to a false sense of security. Just like with traditional email, bad guys can use these platforms to launch a cyber attack.

Below are three examples of how cybercriminals use these platforms for phishing—and what you can do to keep your organization safe:

Lurking

Recently, a cybercriminal gained access to an organization’s Microsoft Teams channel, which is similar to a group message or a chat room. The scammer lurked in the channel for nearly a year, reading messages, collecting data, and waiting for the perfect time to strike. Finally, someone asked that a file be shared to the channel and the bad guy used this opportunity to send a malicious ZIP file. When opened, the file installed malware that gave the scammer full access to the victim’s computer.

Remember: If someone sends you a link or an attachment, verify that you know and trust the sender before you click.

Playing Tag

On Google Drive, anyone can be tagged in a file, so long as their Gmail address is valid. This means that if a bad guy tags you in a Google document, you will receive a legitimate notification from Google that includes a link to the bad guy’s file. If you view the bad guy’s file, you’ll likely find that it tells you to click another link. This second link is actually a malicious attempt to steal your sensitive information.

Remember: If you receive a suspicious notification, contact your IT department or follow the specific security procedure for your organization.

Phony Notifications

Attending meetings on Zoom is as simple as clicking a button within an email. Unfortunately, getting phished is just as easy. Cybercriminals send out fake Zoom notifications that claim you missed an important meeting. They use a sense of urgency to get you to click on a link to view the meeting schedule. But don’t be fooled! The link actually sends you to a phony login page designed to steal your username and password.

Remember: If an email asks you to log in to an account or online service, log in to your account through your browser—not by clicking the link in the email.

The KnowBe4 Security Team
KnowBe4.com



Tech Tip: How to Prevent “Zoom-Bombing”

Zoom-bombing is the term for when individuals “gate-crash” Zoom meetings. These uninvited guests share their screens to bombard real attendees with disturbing pornographic and/or violent imagery. Most of these incidents are perpetrated via publicly available Zoom links, but not all of them; your exposure also depends on your settings. Here are ways to protect yourself and your guests from falling victim.

Read more about what you can do to protect yourself here: https://security.berkeley.edu/resources/cybersecurity-and-covid-19/settings-preventing-zoom-bombing

Tips courtesy of Zoom and UC Berkeley




The holiday season is upon us for family, friends, and … phishing?

This festive time of year is when many cyber thieves try to trick you with holiday-themed email scams.  These phishing scams are professional-looking emails that attempt to steal your personal information (such as login password, bank account, or credit card).  The emails generally look authentic and appear to come from a valid organization (like WVNET or your bank).  They may even include a “helpful” link to a website for your convenience.

Some phishing examples from previous holiday seasons include:

From “Amazon”: Enter your username and password to receive a “free” $100 Amazon gift card. Unfortunately, the webpage captures your login credentials and installs harmful software (known as malware) on your computer.

From “PayPal”: You are “notified” that a fraudulent charge has been posted to your PayPal account.  Just click on the link, enter your credit card number, and the charge will be cancelled.  Unfortunately, you will now begin to see other holiday surprises appear on your credit card statement.

From “The IRS”: You receive a threatening email from the IRS about unpaid taxes, lawsuits, arrest warrants, etc.  You have to enter your Social Security Number and birthdate to check the status of your tax payments.  You have also unknowingly become a victim of identity theft.

Keep the holiday season a happy and relaxing time.  Here are some general tips to help you avoid falling for these online con artists:

1.     Don’t get pressured into providing sensitive information. Phishers like to use scare tactics, and may threaten to cancel an account or block a delivery until you provide the desired personal information.

2.     Watch out for generic-looking requests for information. Fraudulent emails are rarely personalized.

3.     Don’t open unexpected files or pictures that are sent to you from “friends.”  Phishers can make it look like an email is coming from an address you trust (known as spoofing), with attachments that launch harmful software when opened.

4.     Never click on a website link included in an email, even if it looks trustworthy.  Instead, open a new browser window and type the URL address yourself into the address bar.  Confirm that the website is secure (httpS:) before entering confidential or financial information.

5.     Finally, if it looks suspicious, even if you know the source, it’s best to delete it.

Remember, offers that appear too good to be true are just that – not true.  Also, when was the last time something good arrived via email?  When in doubt, throw it out.

So, enjoy the holiday surprises while avoiding these seasonal nightmares. 

– Carl R. Powell, Ph.D.
Director, WVNET