THE FOLLOWING INSTRUCTIONS ARE FOR UO FOUNDATION STAFF
The Security Hints and Tips campaign is sent out weekly via email to reinforce basic security hints, tips, and tricks. The emails contain general security tips that are useful for any employee to review, to help better defend against phishing and other cyber attacks.
Choose a Security Hints and Tips resource to review from the list below:
- Phish or Spam? No, it’s not what’s for dinner!
- Look Before You Book, or You’ll Cry After You Buy
- Social Engineering Red Flags: Recipient
- Pretexting
- Is That Email Really from HR?
- Vishing
- Proper Workstation Use
- What’s the Deal with Data Breaches?
- WiFi Hot Spots and VPN
- Social Engineering Red Flags: Date/Subject Line
- How Secure is Your Mobile Device?
- Piggybacking
- Multi-factor Authentication
- That's Suspicious!
- Malvertising
- Company Size Doesn't Matter
- Top 5 Facebook Scams
Phish or Spam? No, it’s not what’s for dinner!
Phish or Spam? No, it’s not what’s for dinner! However, it could be a question you struggle with when deciding what types of email to report to your IT department. Potentially malicious emails make it to your inbox every day, so it’s important for you to understand the difference between a Phishing email and a Spam email.
This Email Seems Phishy
Phishing is the process of attempting to acquire sensitive information (such as usernames, passwords, and credit card details) by pretending to be a trustworthy entity. Most commonly, phishing emails will try to lure you into clicking on a link or opening an attachment.
Phishing emails can appear to come from reputable businesses or even departments and users from within your own organization. They often have a sense of urgency to them. Some may even use shock and intimidation to get what they want.
If you come to the conclusion you've been sent a phishing email, we strongly recommend that you report the email to your IT department for their review.
Spam Alert
Spam is unsolicited, unwanted email typically sent for marketing purposes. It is often trying to sell you something, such as unwanted goods or services, but it is not asking you to take specific action. Although spam can be annoying, it is common to receive it in your business email. These types of emails do not typically need to be reported, unless you believe they pose a threat to your organization. In most cases, spam email can simply be deleted or ignored.
Note: Always follow your organization's policy regarding what type of email to report in case it differs from the above.
Whether a Phishing email or Spam email, you should always be cautious when clicking on a link or opening an attachment. An email should never be considered safe until it is analyzed carefully. Remember, you’re the last line of defense to prevent a phishing attack on your organization. Always Stop, Look, and Think!
Look Before You Book, or You’ll Cry After You Buy
If you’re planning a trip soon, there are some things you should consider. For starters, is that dirt cheap flight to Tokyo too good to be true? Probably so, especially when the booking site also offers a boatload of other deals at shocking, unbeatable prices - who does that? A scam artist looking to take your money, that’s who. For this reason, you need to learn how to sniff out these “too good to be true” offers. To help you out, here are some tips:
- Go official: Book a trip directly with an airline or hotel, or through a reputable agent/tour operator.
- Do your research: Do a thorough online search to ensure the company is legitimate. Are there very few pictures of the business’ property, or unfavorable reviews? If they’re suspect, other people may have posted their negative experience to warn others.
- Stay safe online: If sent a deal via social media or email, be very cautious and think before you click! The link may direct you to a malicious site. Make sure to pay special attention to the website name and domain. You may notice small changes in the name or domain – such as going from .com to .ru, which can direct you to a completely different company.
- Pay safe: Don’t pay in cash, via bank transfer (MoneyWise, Western Union), or virtual currencies like Bitcoin. These payment methods are hard to trace and are non-refundable! Instead, pay with a credit card. Also, check that the website shows a padlock icon (https) in the address bar, indicating the connection is encrypted.
- Check the small print: Check that the website offers terms and conditions, a refund policy, and a privacy policy.
- Use your instincts: If something sounds too good to be true, it probably is.
- Report it: Keep all of the evidence and report it to your local authorities right away.
Use these tips to help avoid becoming the next victim of a scam. Remember, always look before you book. Otherwise, you’ll cry after you buy.
Social Engineering Red Flags: Recipient
The prevalence of phishing scams is at an all-time high. Because you are the key to preventing a cyberattack within your organization, it is important to question the legitimacy of every email you receive. Below is a list of questions to ask yourself about the recipient of the email that may help you realize that you are being phished.
TO: Analyze who the email was sent to.
- Were you CC’d on an email, and you don’t personally know the other people it was sent to?
- Was the email sent to an unusual mix of people? For example, a seemingly random group of people with unrelated email addresses, or a group of people at your organization whose last names all start with the same letter.
If you notice anything about the email that alarms you, do not click links, open attachments, or reply. You are the last line of defense to prevent cyber criminals from succeeding and making you or your company susceptible to phishing attacks.
Pretexting
Pretexting is when the bad guys create a false scenario using a made-up identity or pose as someone you know to manipulate you into divulging personal or sensitive information. They often pose as employees of bank or credit card companies or even as your own coworkers.
How it Works: Common Tactics of Influence
The bad guys will try to persuade you into letting your guard down and giving them what they’re looking for. Oftentimes, they don’t even need information specific to your organization to trick you.
See below for an example of two common tactics used to influence victims in pretexting scenarios:
- Influence by Authority
For example, you receive a call at work from someone demanding immediate assistance, using an aggressive and authoritative tone. This person establishes their authority by using an executive-level or official-sounding “job title”. They may even insult you for not being familiar with “who they are”. These scare tactics alone often sway victims into giving away sensitive information or complying with a request.
It’s human nature to act in a responsive manner around someone of authority, but don’t fall victim to false claims of authority!
- Influence by Obligation
For example, you receive a call from someone posing as a member of your IT department. The bad guy tells you they’ve found malicious activity on your work computer and begins questioning your recent browsing history, implying that you’ve reached a malicious website and have put the company in danger as a result. Then, they demand you update your password with a more "secure" password, which they provide.
Would you feel obligated to comply with their instructions? Many unsuspecting individuals would, but don’t fall victim to a false sense of obligation!
How Can I Avoid Falling Victim to Pretexting Scenarios?
Remember the following to help protect your organization against pretexting scenarios:
- Never give out sensitive information over the phone, online, or in email, unless you are absolutely sure you know who you’re dealing with, or you initiated contact with the individual.
- If the caller claims to be an employee but their request seems suspicious, verify their identity through a trusted party and let them know you’ll call them back. If the caller questions the need for your verification efforts, explain that you’re following the process required of your position. Maintain a respectful but forceful attitude.
- Make sure you’re familiar with your organization’s protocols for handling requests for information, or ask your supervisor if you need assistance.
Is That Email Really from HR?
One of the easiest ways the bad guys trick you into falling victim to their fraudulent scams is to exploit a sense of trust by pretending to be someone you know. More than likely, you receive emails from your Human Resources team on a frequent basis. Scammers take advantage of this constant communication by crafting spear phishing attacks using emails that spoof your HR team.
Spear phishing attacks are email scams that typically target an individual or organization by spoofing, or appearing to come from a trusted sender. Don’t blindly trust emails that seem to come from your HR department. See the tips below to learn more about these types of scams.
How Do I Spot a Fake?
Does this sound like typical communication?
- Pay attention to the context in the body of the email.
Look for spelling errors, grammar errors, and odd sentence structure.
- Are you being asked to review unfamiliar policies or procedures?
If you’re being asked to download an attachment or click a link to review a policy you’ve never heard of, think twice before you click.
- Are you being asked to do something that wouldn’t typically be addressed via email?
Beware of emails containing an attachment for your “paid bonus” or any other matter that seems out of the ordinary for email communication.
Who sent the email?
- Does the sender’s email address appear to be from an unfamiliar domain or a third-party company?
If the domain of the sender’s email address is generic, for instance, “humanresources.com”, the email may not be from your internal HR department. Ensure the email is from an address that your HR team typically uses to send mail. But remember, even if the domain is from your organization, it could be spoofed.
- Does the email signature make sense?
Ensure the signature in the body of the email matches the name and job role of the sender. Some HR phishing scam emails have unusual or inaccurate job titles in the email signature, or have no signature at all.
When in doubt, always pick up the phone and call someone from your HR team to confirm the email is safe and legitimate. They’ll be thankful you used your resources, rather than putting your organization at risk.
Vishing
Cybercriminals not only use the internet and email to gain access to sensitive information, they use telephones to their unlawful advantage. Vishing is the term for criminal attempts to influence action or gain confidential information over the phone using social engineering.
How it Works:
Criminals have the ability to call from a blocked, “spoofed,” or private number, making it easier to pose as a fellow employee, an authority figure, or any person or organization that you would commonly interact with.
Any information regarding the processes or technologies a company uses would assist in a breach of an organization. Information that you may not consider very sensitive, such as employee names, titles, or ID numbers, could certainly help these criminals.
Don’t Fall for These Phony Attempts
Think twice about giving out personal information to someone who claims to be from a different organization, or within your organization, unless you initiated the call yourself and you are certain the number called was valid. If someone contacts you requesting sensitive information, you can check the caller’s validity by asking to speak to their supervisor, or tell them you will call back, which will buy you time to investigate the request.
Vishing is not limited to gaining data from your organization, as vishers are also known to prey on your personal information. Remember to stop, look, and think before answering unfamiliar numbers, or before calling phone numbers you see in emails, internet ads, or pop-ups.
Proper Workstation Use
Should you be doing that on your work computer?
Personal pictures, social networking, online banking... These are the kind of things that you should try not to have/do on your work computer.
Work computers are for work: visiting work-related web sites, researching, emailing, generating PowerPoint slideshows, etc.
Much like posts to social networking sites... everything you say or do can be used against you.
Acceptable use policy
Most organizations (perhaps yours too) have a 'workstation acceptable use policy' with regards to proper use of your work computer.
If there is one and you haven't read it, you should.
Visited web sites, how much time is spent on Facebook, playing solitaire, instant messenger chat... technically all of this can be monitored.
- Think about what you are doing... and realize that it can be logged. Anything you post on the internet is there forever.
Be safe online
Especially when it comes to visiting web sites or opening personal email... those actions that take place on your work computer can affect other work computers.
If you happen to visit a site that has malware on your work computer, you may now have exposed the rest of the company to a malware infection.
It is difficult to explain why you were doing what you were doing when it's against the policy to be performing non-work related activities on your work computer.
Try to be aware that you are using a computer that is not yours; things you do on that computer are not private.
Lawyers will tell you that anything that happens on the corporate network belongs to the company, and the company can monitor it.
In most cases the IT department does not have the time and resources to monitor everything, but if you give them a reason to, management may ask them to do so.
What’s the Deal with Data Breaches?
Data breaches are becoming more and more common these days. You hear about them in the news all the time. So you might be wondering: what exactly is a data breach? A data breach is when secure information is taken from a trusted environment without permission. The bad guys can use this information to steal your identity, hack into your online accounts, or use the information for targeted phishing attacks to gather even more information about you.
However, just because the data was exposed does not necessarily mean it’s already being used by the bad guys. It only means that bad guys can easily gain access to it. There are steps you can take to protect your information even if you were exposed in a data breach.
How do I protect my information?
- Use secure passwords. You may also want to try using a password manager.
- Set up two-factor or multi-factor authentication.
- Keep your personal information secure. Never share your passwords or personal information with anyone you don’t know. Shred documents with your personal information on it before throwing it away.
What do I do if my information was already exposed in a breach?
Don’t panic! Take a moment to assess the situation. Ask yourself: What sort of information was exposed? Do I need to notify my bank or other entities? What steps should I take to make my information more secure now?
- If your password was exposed, we recommend changing your password for all online accounts associated with that password immediately. Make sure the password is complex or use a password generator to create one for you. For extra security, you may want to set up two-factor or multi-factor authentication.
- If your credit card number or bank account number was exposed, we recommend calling your bank or cardholder and canceling your card(s) immediately. Let them know that your information was exposed so they know to look out for charges that may be fraudulent.
- If your social security number was exposed, immediately report that your social security number was stolen to the police, credit-reporting agencies, and the IRS. You may also want to sign up for a service that can monitor your identity or credit for added protection.
WiFi Hot Spots and VPN
Using free public WiFi at a coffee shop or airport hot spot is great for convenience, but bad for security.
Most free access points do not make use of encryption. This is done for convenience and ease of access. If every person had to ask the barista or gate attendant for the WiFi key, it would get unruly, and no actual work would get done.
Keep in mind that you are sharing those wireless airwaves with anyone that is within range of your wireless communications.
There is technology out there that allows you to view the wireless computer communications that are within range of your device.
To the bad guys, this technology lets them see what you are doing, the data you are passing to websites, and your usernames and passwords.
UNLESS:
- You are on websites with 'https'... the little S is for secure. It's like speaking a language that only two people can understand (your computer and the website).
- You are using VPN software to encrypt all your wireless communications.
- You are using a wireless device from your cellular phone provider (3G or 4G network access). This is not WiFi and is not subject to WiFi security policies.
Using a VPN client to encrypt and route your wireless communications allows you to create a secure channel for your computer to communicate.
Even if you are accessing a website without HTTPS, your communication to that website is secured through your VPN connection. If there are any bad guys around you listening in on your WiFi traffic, it will be safe.
VPN stands for Virtual Private Network. It is good practice to use a VPN when in a public networking spot such as a WiFi hot spot. This will create a virtual tunnel for your computer to communicate securely through the public network.
Before traveling for work, consult with your IT department about their data security policies when on the road, how to setup your VPN connection (if your company has VPN access), or how to obtain a 3G/4G cellular network card.
Social Engineering Red Flags: Date/Subject Line
The prevalence of phishing scams is at an all-time high. Because you are the key to preventing a cyberattack within your organization, it is important to question the legitimacy of every email you receive. Below is a list of questions to ask yourself about the date, time and subject of the email that may help you realize that you are being phished.
DATE: Analyze the timing of the email.
- Did you receive an email that you would normally get during regular business hours, but it was sent at an unusual time, such as 3 a.m.?
SUBJECT: Review the subject line.
- Does the subject line make sense given the context of the email?
- Is the email message a reply to something you never sent or requested?
If you notice anything about the email that alarms you, do not click links, open attachments, or reply. You are the last line of defense to prevent cyber criminals from succeeding and making you or your company susceptible to phishing attacks.
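As an added example (not part of the KnowBe4 or UO Foundation material), the recipient, date and subject questions above, plus the sender-domain check from "Is That Email Really from HR?", can be applied mechanically to a message's headers. The trusted domain, addresses and timestamps below are constructed; the business-hours window is an assumption.

```python
"""
Red-flag scorer for an email's headers, following the checklist in the text:
TO/CC (unknown or oddly grouped recipients), DATE (odd hour), SUBJECT (a reply
to nothing), and sender domain (external, or your domain with the TLD swapped).
All addresses and domains here are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Set

# Assumed: the organization's own mail domain(s). Subdomains count as trusted.
TRUSTED_DOMAINS = {"example.org"}


@dataclass
class Message:
    sender: str
    to: List[str]
    cc: List[str]
    subject: str
    sent_at: datetime            # in the recipient's local time
    in_reply_to: str = ""        # Message-ID being replied to; "" if none


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_trusted(domain: str) -> bool:
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def red_flags(msg: Message, known_contacts: Set[str],
              business_hours=(time(7, 0), time(19, 0))) -> List[str]:
    """Return human-readable red flags; an empty list means none fired."""
    flags = []
    known = {a.lower() for a in known_contacts}

    # TO/CC: were you copied alongside people you do not know?
    strangers = [a for a in msg.cc if a.lower() not in known]
    if strangers:
        flags.append("CC'd with unknown recipients: " + ", ".join(strangers))

    # TO: an unusual mix. (a) internal addresses that all start with the same
    # letter (an alphabetically harvested directory); (b) many unrelated domains.
    recipients = msg.to + msg.cc
    internal = [a for a in recipients if is_trusted(domain_of(a))]
    if len(internal) >= 3 and len({a[0].lower() for a in internal}) == 1:
        flags.append("internal recipients all share the same first letter")
    external_domains = {domain_of(a) for a in recipients
                        if not is_trusted(domain_of(a))}
    if len(external_domains) >= 3:
        flags.append(f"recipients span {len(external_domains)} unrelated domains")

    # DATE: business mail that arrives at 3 a.m.
    start, end = business_hours
    if not (start <= msg.sent_at.time() <= end):
        flags.append(f"sent outside business hours ({msg.sent_at:%H:%M})")

    # SUBJECT: a "reply" to a thread you never started.
    if msg.subject.strip().lower().startswith("re:") and not msg.in_reply_to:
        flags.append("subject claims a reply but there is no original message")

    # SENDER: external, or a trusted name with a different TLD (.org -> .ru).
    sdom = domain_of(msg.sender)
    if not is_trusted(sdom):
        sld = sdom.split(".")[-2] if "." in sdom else sdom
        trusted_slds = {t.split(".")[-2] for t in TRUSTED_DOMAINS}
        if sld in trusted_slds:
            flags.append(f"sender domain {sdom} mimics a trusted domain with another TLD")
        else:
            flags.append(f"sender domain {sdom} is external to the organization")
    return flags


# Constructed sample messages: one with every red flag, one clean.
SUSPICIOUS = Message(
    sender="hr-team@example.ru",
    to=["a.adams@example.org", "a.allen@example.org", "a.avery@example.org"],
    cc=["stranger@mail-service.test"],
    subject="RE: Updated bonus policy",
    sent_at=datetime(2024, 3, 5, 3, 12),
)
LEGIT = Message(
    sender="hr@example.org",
    to=["a.adams@example.org"],
    cc=[],
    subject="Benefits enrollment reminder",
    sent_at=datetime(2024, 3, 5, 10, 0),
)
KNOWN_CONTACTS = {"a.adams@example.org", "hr@example.org"}

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS), ("legitimate", LEGIT)):
        print(label, red_flags(m, KNOWN_CONTACTS) or ["no red flags"])
```

A mail filter could use a score like this as a prompt to the reader, not as proof; a message that trips none of these checks still deserves the "Stop, Look, and Think" treatment the text recommends.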
How Secure is Your Mobile Device?
Most of us have a smartphone, but how many of us really think about the security threats faced by these mobile devices? Mobile devices are vulnerable to many different types of threats. The bad guys are increasing attacks on mobile devices and targeting your phone using malicious applications. Using these methods, they can steal personal and business information without you having any idea what’s going on.
Even if you’ve downloaded a security or antivirus application, securing your smartphone goes beyond these services. Improving your mobile security practices is your best defense against the privacy and security issues associated with your mobile device.
How can I improve my mobile security practices?
Always remember these best practices to minimize the risk of exploits to your mobile devices:
- Ensure your phone’s operating system is always up to date. Operating systems are often updated in order to fix security flaws. Many malicious threats are caused by security flaws that remain unfixed due to an out of date operating system.
- Watch out for malicious apps in your app store. Official app stores regularly remove applications containing malware, but sometimes these dangerous apps slip past and can be downloaded by unsuspecting users. Do your research, read reviews and pay attention to the number of downloads it has. Never download applications from sources other than official app stores.
- Ensure applications are not asking for access to things on your phone that are irrelevant to their function. Applications usually ask for a list of permissions to files, folders, other applications, and data before they’re downloaded. Don’t blindly approve these permissions. If the permission requests seem unnecessary, look for an alternative application in your app store.
- Don’t leave your phone unprotected or protected only by a weak password. Many people still don’t use a password to lock their phone. If your device is lost or stolen, thieves will have easy access to all of the information stored on your phone.
- Be careful with public WiFi. The bad guys use technology that lets them see what you’re doing. Avoid logging in to your online services or performing any sensitive transactions (such as banking) over public WiFi.
Piggybacking
To kids, piggybacking is when someone jumps on your back and you carry them around for a while. In the business world, piggybacking is when you let someone that you do not know enter a door that you just opened.
A lot of organizations rely on biometrics, key cards, or even regular keys to open locked doors. These could be doors into the building, the parking garage, or a particular office.
Piggybacking is when someone you do not know, waits for you to open a locked door, and enters in behind you.
Many people allow this to happen because they want to be nice and courteous and open doors for people... you may even hold the door open for them.
While this may be a nice gesture in public places, at the workplace, this could end up costing you.
The bad guys, just like they would try and trick you with a fake email, are targeting your good nature, to gain access into a secured building.
If someone you do not know, is trying to enter the door behind you there are a couple of things you can do to still be courteous and follow the rules.
- Ask them where they are going and who they are there to see, then escort them to the office of the person they are going to see, and verify that they are supposed to be there
or
- Kindly decline to let them in and explain that your organization has a strict no-piggybacking rule.
Once the bad guys have access to your offices, they can plug into any network outlet, sit down at any open and unlocked workstation, or place infected USB keys around the hallways and bathrooms... (All real-world tactics that are being used to trick you.)
Remember... when it comes to piggybacking, kindly decline or insist on escorting them to the person they are there to see.
Multi-factor Authentication
What is it?
Multi-factor Authentication (MFA) is the process of verifying that you are who you claim to be when logging in to a device or an account. If you're reading this from your work computer, you probably logged in to your computer with a password - that's single-factor authentication. But single-factor authentication is no longer enough to keep your accounts secure. Learn more below about the various ways you can digitally authenticate your identity.
Understanding the Types of Identity Claim Factors:
- Something you own. This is using a mobile phone or device that you have in your possession to prove your identity. Typically, the device provides a code via an application, text message, email, or voice call. You then enter this code, and for successful authentication, your code must match what is expected by the service you’re attempting to log in to.
- Something you know. This is something you’ve memorized or stored somewhere, such as a PIN. You must supply the correct PIN to log in to your device or service.
- Something you are. This factor is something about your physical body that cannot be altered, such as your fingerprint or retina. Biometric scanners or readers are used to confirm you’re physically the person that you’re claiming to be.
Why do I need it?
In our digitally-driven world, passwords are no longer enough to keep your information safe. These days, it takes minimal effort for hackers to break into, or social engineer their way into, accounts that are only protected by passwords. Adding an extra step to access your accounts, such as entering an authentication code, means that hackers would also need to have your phone to break in.
Create an additional layer of security and make it harder for criminals to access your data by using two-factor or multi-factor authentication. Consult your IT or Security department to see if your organization has a preferred method of multi-factor authentication.
That's Suspicious!
Have you ever encountered a situation at work that was suspicious?
Perhaps this was a suspicious person, a suspicious email, or even a phone call that didn't seem right.
Most organizations have a policy regarding how to handle these suspicious 'events'.
These 'events' could potentially put the organization and/or the computer systems of the organization at risk.
Some of the more common events are listed below:
Suspicious persons - Trespassing
When it comes to physical security (securing the building and its assets from unauthorized access), identifying suspicious persons is key.
If you notice someone that you do not recognize, you should ask who they are and what they are doing.
It is possible they are a new employee, or on a short term work contract... or it is possible they are not authorized to be there.
- Attackers will try to enter the building posing as an employee, or a contractor. From inside the building they can gain access to internal computer networks.
Suspicious Emails - Phishing
The majority of all recent cyber attacks have been a result of social engineering via an email.
These phishing emails can be designed to be sent to: everyone in the organization, a division within an organization (accounting, sales), or YOU specifically.
- Using social networks like Facebook and LinkedIn, attackers can gather just enough personal information about you to make a very convincing email.
Suspicious Phone Calls - Vishing (Voice Phishing)
This is the oldest trick in the book, and it has been in use by hackers, fraudsters, and scam artists for decades.
This involves someone calling you and pretending to be someone they are not: (IT Dept, Insurance Company, Bank, etc).
The attacker will try to build credibility and a good rapport with you before asking for sensitive information such as a password, social security number, or bank account information.
With the latest in technology, attackers can now change the caller-id to show whatever number they would like (adding more credibility).
- You get a call from a number that appears to be the IT department. They claim there is an issue in IT that is too technical to explain, but they require you to give them your password over the phone to fix it.
Always remember to follow your organization's security policies when it comes to suspicious events. If your organization does not have a specific policy regarding these situations, escalate ANY suspicious events to the IT or Security department.
Security is a team effort. Every employee has a responsibility to the organization to report these events.
Malvertising
Visit any website these days and it’s very likely that you will be viewing ads as well. Sometimes these ads can be tempting, with many offering sales, promotions, or freebies to attract more clicks. Ads on certain websites can even be targeted specifically to you based on past browsing history, making you even more likely to click!
Remember this: just because you are on a reputable, well-known website, it does not mean that the ads on the website are safe to click as well.
How adspace can become infected: Advertisers do not sell their ads to websites one at a time. Websites that want to make money sell their advertising space to an ad network. Advertisers sign contracts with that ad network which then displays the ads on the participating websites. The ad network sits in the middle between the advertisers and the websites and manages the traffic and the payments.
Cybercriminals can take advantage of this system by fooling the ad networks into thinking they are a legitimate advertiser, while the ads that are then displayed on major websites are poisoned. Simply browsing to a page with a poisoned ad on it is enough to run the risk that your PC will be encrypted with ransomware, which can hold your computer or your entire network hostage until you pay the cybercriminal a ransom.
Tips to prevent the effect of harmful ads:
- Disable Adobe Flash on your computer - or at least set the Adobe Flash plug-in to "click-to-play" mode - which can block the automatic infections.
- Keep up-to-date with all the security patches and install them as soon as they come out.
- Download and install a reputable ad blocker plug-in for your browser. These prevent the ads from being displayed in your browser to start with. These ad blockers are getting very popular with hundreds of millions of people using them.
Company Size Doesn't Matter
Think hackers are only trying to target large corporations for their cyberattacks? Think again! If you are an employee of a small- to medium-sized business, you may have an even bigger bullseye placed on you by hackers.
Smaller businesses have recently become a bigger target for cyber attacks because the hackers know that they likely have fewer defense resources in place. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60 percent go out of business within six months of an attack.
Remember these tips to stay safe:
- Never provide your password to anyone. Use complex passwords, and use different ones for each of your online accounts or programs.
- Check for red flags in emails to tip you off that the sender may not be legitimate. Check domain names carefully.
- Don’t open any email attachments if you don’t know exactly why you received them or what they contain.
- When in doubt, throw it out. Hit that delete button.
Remember, you are the last line of defense to prevent a cyber attack. You are the key to keeping the "human firewall" strong for your organization, no matter the size.
Top 5 Facebook Scams
Facebook now has over a billion users; that's a mind-boggling number of people who check their page regularly. The bad guys are irresistibly attracted to a population that large, and here are the Top 5 Scams they are trying to pull off every day of the year.
- Who Viewed Your Facebook Profile: This scam lures you with messages from friends or sometimes malicious ads on your wall to check who has looked at your profile. But when you click, your profile will be exposed to the scammer and worse things happen afterward.
- Fake Naked Videos: There are tons of fake naked videos being posted all the time using the names of celebrities like Rihanna or Taylor Swift that sometimes make it past the Facebook moderators. These scams are in the form of an ad or a post and have a link to bogus YouTube videos. That site then claims your Adobe Flash player is broken and you need to update it - but malware is installed instead!
- Viral Videos: Viral videos are huge on social media platforms. If you click on one of these "videos" you'll be asked to update your video player (similar to the scam above), but a virus will be downloaded and installed instead. To avoid this, type the name of the video into Google, and if it doesn't have a YouTube or other legitimate site link, it's likely a scam.
- Fake Profile Scam: Scammers are stealing the name and pictures from an existing profile and "friending" the real person's friends in efforts to scam friends and family by faking an emergency. Be very cautious of accepting friend requests from someone you're already friends with.
- Romance Scams: A specific type of "Fake Profile Scam" where con artists create a fake profile using the photos and stories of another person, and then develop "relationships" with their victims over posts, photos, and Facebook messenger. These scammers typically shower you with romantic language, promise happiness, and eventually con you into giving up personal information, or even money. Avoid personal and financial heartbreak, don't "friend" people you don't know in real life.
Facebook is used for connecting with people you know. Be especially cautious of "friending" strangers, and of clicking on links in suspicious posts, and in messages. Stay away from these traps if you want to avoid giving away personal information or getting your PC infected with malware.
Additional Resources
KnowBe4 Security Hints & Tips Blog
Contacts Regarding KnowBe4 Security Hints and Tips
UO Foundation Helpdesk: 541-302-0338 or helpdesk@uofoundation.org