Introduction:
October is Cybersecurity Awareness Month and we have been working to spread awareness around the most common threats to individuals and organizations alike. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead this collaborative campaign between government and industry to raise cybersecurity awareness nationally and internationally.
This year’s campaign theme—“See Yourself in Cyber”—demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s all about people…it’s about you, me, your coworkers, family and friends.
This past week, someone close to me fell victim to a scam—one most commonly identified as a phishing attack. He had received a text from “the government” saying he had missed jury duty and now had to pay a fine of $1,000, or risk going to jail. Ridiculous, I know. Unfortunately, these scams are meant to prey on the vulnerable. This person is newer to full-fledged adulthood, unaware that this is most certainly not how the system works. He was getting ready to click on the link to transfer the $1,000 when he reached out to a family member, who immediately stopped any further interaction with this scammer.
Like most cybersecurity scams, phishing leverages human emotions to trigger a response. Your attacker wants you to do something against your best interests, such as click on a link, download an attachment or send sensitive information. They will convince you to perform these actions by creating a deceitful scenario as matter of extreme urgency, such as offering large sums of money, threatening you with fees or claiming that your account has been locked due to fraudulent activity. Just like what happened to my friend above.
You—like me—might be thinking, there’s no way I would ever fall for a scam like that! But bad actors are getting more and more clever with the ways they plan to trick you. And with roughly 15 billion spam emails making their way across the internet each and every day, that means spam filters are working overtime, creating the chance for malicious phishing attack emails to slip through. In fact, 83% of organizations reported experiencing phishing attacks last year, and 6 billion additional spam attacks are expected to occur this year. Let’s start by debunking the 5 most common myths about cybersecurity attacks.
MYTH #1: Only people in high-power positions are targets of cybersecurity attacks
Executives and administrators are prime targets for cybercriminals in a phishing attack, but that doesn’t mean they’re the only targets. Scammers attack every level of an organization, looking for gaps in security. After all, it can only take one hacked machine to access your entire network. Basically, cybercriminals are casting their nets wide, phishing for targets of all sizes, and not always whale-phishing for high-profile, wealthy individuals.
MYTH #2: High-tech hackers pose the highest threat to your organization
You may imagine a cyberattack as the use of highly sophisticated technology to break down firewalls and decode user passwords. But in truth, it is much more likely that “Dave” wrote his password on a sticky note and it fell into the wrong hands. Oh, Dave. Human error is an easy target for cybercriminals, so stay alert! Many successful phishing campaigns start with a simple phone call. This approach is commonly referred to as “vishing” (or voice phishing) and uses social engineering such as impersonating a trusted individual to extract private credentials from unsuspecting targets.
MYTH #3: Cybersecurity is a highly technical process that only your IT department can handle.
The security tools that your IT department manages are important, but technology can only do so much. These security measures can’t always stop an employee from providing sensitive information to a website. Creating a human firewall, made up of each and every employee, is essential to the security of your organization. Security is everyone’s responsibility, and the human firewall is only as strong as its weakest link. Organizational security awareness and initiatives that address topics such as phishing and social engineering will reinforce your cybersecurity defensive.
MYTH #4: Security awareness only really matters when you’re at work.
Your organization’s at-work policies and compliance regulations may not be necessary in your home life, but security awareness still matters. Scammers could phish your personal email for bank accounts, login credentials, or even personally identifiable information, which can be used to perform identity theft. Individuals often practice unsafe password hygiene by sharing credential across business and personal life. And it isn’t stopping there, if you are like me, you’ve seen an alarming increase of “smishing” (SMS Phishing) showing up in your text messages!
MYTH #5: Smart devices are rarely targeted by cybercriminals.
Nearly everyone has a smartphone and many people use smart devices throughout their homes. From smart speakers to security cameras to lightbulbs, all of these gadgets connect to the internet. As these devices become the norm, cybercriminals happily accommodate. Treat smart devices the same way you would treat any other computer. Always use strong passwords, install antivirus and anti-malware software, and keep these devices up-to-date with the latest security patches. Be wary of TinyURL scams in everyday text messages. Shortened URL are often used by trusted vendors to direct you to a commerce website to confirm appointments or take advantage of retail offer. Many attackers are leveraging this convenience to take you to their malicious website that are designed to steal private data.
How to spot phishing attacks
To identify phishing attacks, carefully inspect the message and answer these questions:
- Are you familiar with the sender?
- Does the message contain poor grammar or misspelled words?
- Are there any suspicious links or unexpected attachments?
- Does the message offer unrealistic promises, like large sums of money?
- Does it please with you to click on a link, download something or send personal information?
- Does it threaten you by saying an account has been hacked or that you face legal action?
If you answered yes to any of those questions, then you’ve identified one or several red flags that the email is a scam.
Don’t get hooked by a malicious scam!
Cybercriminals continue to find new ways to trick users and steal their information, both at work and in their personal lives. Follow these tips to stay safe from phishing attacks and other similar scams:
- Never click links or download attachments in an email or text that you were not expecting.
- Before you share any sensitive information online, make sure that the website is legitimate. For example, an MP3 file should never take you to a login page. If you’re uncertain, navigate to the website directly without clicking the link. When in doubt, don’t risk it.
- Remember that cybercriminals can use more than just links within emails to phish for your information. Always think before you click, tap or swipe!
Strengthening security with education and zero-trust solutions
An overlooked aspect of cybersecurity threats is that protecting data isn’t just about limiting malicious intent—it’s often about the inadvertent compromise of data, otherwise known as human error. In fact, IBM research shows that 95% of all security breaches had been attributed to a simple mistake made by a person.
Since human error plays such a vast role in cybersecurity breaches, addressing it is key to reducing your business’s chances of being successfully targeted, and it can empower your workforce to actively look out for/report new threats they may encounter.
But for the moments when one of us slips up, which is bound to happen, making the move to zero-trust security solutions like Security Service Edge (SSE) or Secure Access Service Edge (SASE) has been proven to be the most effective way to protect against future unknowns. Because the cybersecurity landscape is constantly evolving, solutions that were built to protect perimeter-based networks are no longer capable of fully protecting organizations in the new threat environment. There’s no better time than right now to jumpstart your organization’s zero-trust journey by starting to bring these new zero-trust capabilities on board.
Ready to step up your cybersecurity game? Connect with our security experts to assess your current security posture, and determine what next steps you should take to reduce security and compliance risks.