Cybercrime is growing and morphing into a type of criminal octopus with tentacles reaching far beyond anything previously imagined. Snaking its way into our lives in alarming ways, data breaches are currently producing subsets of cybercrime, some likely to include organized crime. Consumers are in a tizzy, wondering how to arm themselves against a continually evolving and persistent threat. In a 2015 Internet Organized Crime Threat Assessment (IOCTA) report, the key findings of their cybercrime investigation show how crime is shifting to take advantage of data breaches, ATM crimes, and malware-infested websites.
In just the past three years data breaches account for 100s of millions of data records of US citizens. Criminals are using this data to build comprehensive profiles of Americans to better execute their attacks. This data makes spearphishing campaigns extremely effective. The more information known about the target, the easier it is to gain trust and convince them to click a link, open an attachment or execute a fraudulent wire funds transfer. We do have several ways we can protect ourselves from this cybercrime wave. The key is realizing that we must all take an active role in our security. Long gone is the day when we could ignore the news and believe “it will never happen to me”.
Protecting Your Information from Data breaches
Data Breaches are seeing a dramatic rise in public reporting. This public knowledge is leading to subsets of cybercrime. Extortion and fraudulent transactions are becoming commonplace, in some cases leading to health problems and suicide (think Ashley Madison public breach).
It really isn’t a matter of if you will become a victim of a data breach. Chances are high that you already have. If you are one of the few that has not, it is definitely a matter of when. While you cannot prevent it completely, you can do something.
- Monitor your payment card statements and charges often. The more often, the better. In any case, do it at least once a month and alert your financial institution of anything that does not look right. The sooner you deal with it, the faster it can be remedied and at the least cost to you and your financial organization.
- Take advantage of the free annual credit report you are entitled to by staggering when you order them. Get one from each of the three major credit bureaus every four months. This will allow you to see potential issues and take care of them before they get out of control. Even if information is not fraud, but perhaps there is a previous address listed that is unfamiliar to you, notify the agency to get it removed. This could be just a mistake, but it could also indicate attempted fraud.
- If you are at the register to make your purchase, choose the option to use your debit card as a credit card. This provides more protection to you and will prevent a thief from getting your card number and your PIN and creating a fake one to empty your bank account.
ATMs are Still a Hot Place for Cybercrime
ATMs still remain a popular target for cybercriminals who consistently create new ways to attack them.
- When using ATMs, find one in a well-lit area or that has a locking vestibule. These are less attractive targets for criminals who may want to put card-skimmers on them. In addition, it is just better for your physical safety.
- Before putting your card into a slot, make sure it isn’t a skimmer. New ATMs have technology making it extremely difficult or impossible for these to be implemented. However, sometimes criminals are successful with very simple techniques, such as attaching the card-reader to the ATM with double-sided tape. So, if you suspect something odd, give the reader a jiggle. If it moves, it may be a skimmer. Then call the financial institution to have them check it out.
Website URL’s Do Not Tell You That You Have the Wrong Address
When browsing the web, you don’t get the “incorrect address” notes that sometimes appear on letters that are misdelivered by the postal carriers. Instead, you could find yourself at a site that houses malware and just by showing up, you could execute some nasty virus.
- Don’t click on links that arrive in email messages unless you are expecting them or are 100% certain they are safe. Manually type it into the address bar to be safer.
- Before typing in a web address, check it carefully. Different spellings of names, or using “.net” as opposed to “.com” is something sneaky cyberthieves count on users not to notice. Also look for slight misspellings of the organization’s name. Criminals count on you not paying that close of attention to those little details.
- Once you have used what you know is a safe URL for sites such as your financial institution and healthcare sites, bookmark them and use those to locate the site. Don’t click on links in email messages to get there.
- Make sure that there is a lock icon at the top of the browser or somewhere on the page or that the address is preceded by “https:” if you are entering sensitive information into a website form. If you are not certain it is a secure site, don’t go further.
- Pay attention to those warnings telling you that a site may not be secure. They are there for a reason and can protect you. Take a few seconds to read the warning before going further.
We Are Our Own Worst Enemies
The human element is something cyberthieves count on for successful attacks. Over the past two years, two-thirds of incidents involving cyber espionage were done via spear phishing. This is a form of social engineering using information about particular people working in targeted industries, such as government or financial organizations. Keeping employees educated with common social engineering tactics used by cyberthieves is critical for minimizing attacks.
Many attacks start with something simple like a phone call or a visit to your office. A nice person calls asking for information on the phone and because he or she is so charming, you feel like they can be trusted. There are also stories of criminals walking into offices claiming to be pest control, the HVAC repair people, or maintenance of some type. Often, they are never questioned and are allowed to roam wherever.
- Don’t let those not authorized to work in your environment walk around without an escort. If you work in a financial organization, don’t let them out of your site even to use the restrooms. Wait outside for them.
- Even if they have a badge, it doesn’t mean it is real. Verify that someone requested they show up before moving on.
- Just because someone says they are from IT, it doesn’t mean you should give them your information. They don’t need your passwords, so don’t give them away.
Secure Passwords and Login Credentials
Social engineering gurus count on the ability to get passwords and login information out of you. They also count on getting any information out of you that will help them piece together a story. Online dating websites are common places for these cybercriminals to stalk victims. They will connect with someone and collect bits of information until they have gained trust and have enough information to use it against someone. Many will pose as military members and play on emotions of military families who know someone in a similar situation or have been in such a situation themselves. Money is usually the target. Therefore, keeping information safe is paramount, especially information that could get someone into your financial accounts.
- Avoid using common verbiage like popular words and phrases, and particularly information that can be gleaned from your public websites such as Facebook, Twitter, and other social media sites. Change them periodically and don’t reuse them.
- Make sure your passwords are strong and include at least eight characters with special characters, upper and lower case letters, and numbers.
- Use different login credentials for each online site; particularly those that store any sensitive data such as financial information.
- Never give your user names or passwords to anyone. Legitimate organizations will not ask for them. There is a well-known scam where someone will call you and pose as someone in the IT department and ask for your passwords. Don’t give it to them. Instead, hang up and call back separately to confirm it was them and let them know someone just asked you for your credentials.
Preventing Malware from Wreaking Havoc
Malware such as banking Trojans stealing account information are still popular with cybercriminals. The malware Dridex and Dyre, which both use attachments to target online bankers are now top of the list for malware crimes.
It is always worth repeating that identifying potential phishing email messages is a valuable skill to have. Phishing email messages are the number one way malware gets distributed and executed. And again, they often involve some element of social engineering. Often, when email addresses are stolen, they are used to spam friends and others that you know. Getting a message from someone you know may give you a sense of security that the cybercriminals take advantage of when creating messages.
- Look for poor language skills and typos in the messages. Be suspicious if you spot those.
- Make sure the logos of a company supposedly sending the message are indeed the right ones. Criminals are getting pretty good at copying the logos, but they are often not of the highest quality and often they miss some details.
- If you receive an attachment or link in an email, approach with skepticism. Contact the sender directly, and mention you received an email from them and are wondering if it’s safe to open or click.
We live in a world where data and information is everywhere, whether we intend it to be or not. The Internet is a great tool and it is nearly impossible not to participate in some capacity. Just learn ways to secure your information and you will be able to take advantage of it more securely.
The Internet Organized Crime Threat Assessment (IOCTA) report found that many of those negative aspects of being on the grid are still very prevalent and likely won’t go away any time soon. For example, social engineering never goes out of style. Passwords are still a weakness and malware just won’t go away.
© Copyright 2015 Stickley on Security