It may sound like the plot line from a well-written TV drama, but the chances that your personal information has been or will be compromised is more likely than any of us want to accept. In fact, according to a 2016 survey by Zogby Analytics for The Hartford Steam Boiler Inspection and Insurance Company (HSB), more than one-third of U.S. consumers experienced a computer virus, hacking incident, or other cyber attack in the past 12 months. Since October is National Cyber Security Awareness Month, it feels appropriate to address how you can protect yourself from being a statistic.
Email is a universal communication method and it is one of the easiest methods for cyber criminals to exploit. In my February/March article, I shared password best practices that should be followed on email accounts to avoid breaches. In this month’s article, I’ll focus on three specific tactics criminals use to gain access to our information and systems. I’ll also share ways to avoid these situations.
Spam, phishing, and spoofing, oh my!
No, I am not talking about canned meat, a weekend activity, or a Halloween movie parody. I’m referring to the email vulnerabilities that open the door for cyber criminal attacks. To successfully prevent these attacks, we first have to understand them.
If spam doesn’t sound yummy to you, you are not alone. Whether it’s canned meat or unwanted email, most of us try to avoid spam. Spam filters are a good first-line defense; however, unwanted emails still make it into our inbox. Spam that makes it through may be harmless ads, but some spam emails present a threat.
By simply replying to or unsubscribing from spam email, you are in fact confirming your email address is valid and therefore, a possible target. This not only creates an opportunity for the account to be breached, but it can also put the account on a target list to be sold, creating additional risk. On the flip side, do report spam you receive to your email provider. Most services have an easy way to do this, and, as a bonus, it helps reduce spam not only for you, but for everyone who uses that service, and others as well.
Although fishing for sport is enjoyable, phishing emails are not. Phishing is a type of spam in which a cyber criminal attempts to entice a recipient to disclose personal details such as bank accounts, credit cards, usernames, passwords, and more. This method is literally “fishing” to see if you’ll provide information
to the hacker.
These emails appear to be from a legitimate source, sometimes including logos and URLs that appear to be company-based. However, there is no reason to share personal or secure information via email. Ever. Businesses you have accounts with should never contact you for this, and certainly not without a request from you.
A common example of phishing is below:
The page then asks you to fill in your checking account information, which is information you might enter on PayPal’s website during account setup. The problem is, the URL above is not a PayPal website. The parent URL is actually securerefund123.com, which has nothing to do with PayPal and isn’t even a real domain. It looks legitimate, and many have and will fall victim to this trick.
Spoofing is funny when it’s a parody of a scary movie, but email spoofing is scarier than any Halloween movie I’ve seen. Spoofing has two unique characteristics. One, a cyber criminal impersonates another organization or individual via email. Like phishing, these emails look legitimate, and can even use names of employees on staff at said company – including our own.
Two, the goal of spoofing is to have us open an attachment or visit a website given in the email. By doing this, we are delivering a virus to our device and possibly our entire computer network. Spoofing is the most common way ransomware attacks are being distributed.
Ransomware: Malicious software preventing access to systems and files until a ransom is paid.
What follows is an actual real-life example of a spoofing email. It looks legitimate and could fool most of us into clicking the link, which is masking a destination URL containing malicious code.
All together now
Although separate concepts, spam, phishing, and spoofing can be used together. Criminals use spam to get us to open the emails, phishing to extract information, and spoofing to deliver malicious software. Even though spam filters and anti-virus software exist, they simply cannot keep up with the minds of criminals, so we have to be proactive, controlling what we can control – our own behavior.
Here are 10 things you can do to stay safe:
- Never provide personal or secure info via email.
- If you don’t know the sender, don’t click, open attachments, or even respond.
- Do not click on link-only emails, even if the sender is someone you know.
- Even when you know the sender, if you aren’t expecting attachments from him or her, ask before opening any attachments. It’s possible systems have been compromised.
- Hover over links in emails to see the actual URL before clicking.
- Avoid opening emails from unknown senders, especially if there are spelling errors in the subject line.
- Does the message seem too good to be true? It likely is. You did not inherit cash from an Ethiopian prince.
- Make sure the software on your system is up-to-date, especially anti-virus software.
- Use smart and secure passwords unique to each login you have.
- When in doubt, check it out. Follow your instincts. It’s not worth it to assume a link or attachment is safe if it’s not.
In addition, fcc.gov/cyberplanner and staysafeonline.org are two helpful websites with some great resources that address the risks to consumers and businesses regarding identity theft, data breach, and cyber attacks.
Jodi O’Toole is Director of IT and Web Development at the National Wood Flooring Association in St. Louis. She can be reached at email@example.com.