The general public, at home and in the workplace, is often the weak link in cybersecurity, too often deceived by phishing emails and other scams designed to mine sensitive information such as account numbers. Area experts offer some basic advice on strengthening defenses against increasingly creative cyberthreats. Photo by: Jan Swoope/Dispatch Staff
January 19, 2019 10:00:06 PM
Today, she has a hard time believing she fell for it. But four years ago, Julie -- who asked not to use her last name -- accepted an email from her "bank" at face value. It informed the Columbus woman that her account information needed updating. Without thinking, she clicked on the link conveniently provided in the email and followed instructions. Most of us know the rest of the story.
Becoming the victim of a phishing scam, like Julie did, is a painful way to learn caution. She's more savvy now, and every January, her New Year's resolutions include reviewing digital defenses, something she also does throughout the year. She considers it another form of "getting fit."
Many people would say they're wised up to phishing -- attempts to fraudulently gather sensitive information using deceptive emails and websites. But while we may not be fooled by the "Nigerian prince" scam any more, criminals continually morph the game.
A 2015 McAfee survey revealed that 97 percent of 19,000 consumers from around the world were unable to correctly identify phishing emails. In 2018, a study by the Center for Strategic and International Studies, in partnership with McAfee, concluded that close to $600 billion, nearly one percent of global GDP, is lost to cybercrime each year. Anyone can be a victim -- a CEO, a grandmother, a veteran banker or a seasoned geek. And even if we're pretty good at spotting phishing, what about variations like vishing (scamming via phone), smishing (through text), pharming (directing consumers to bogus websites) or cryptojacking (the secret use of your computing device to mine cryptocurrency)? The list goes on.
The cyberthreat landscape is too vast -- and rapidly evolving -- to address in one newspaper article, but two area experts do offer some basic "101" advice for shoring up the fort against malicious attacks. It begins with awareness -- awareness that almost everything we do these days leaves a digital footprint.
Unfortunately, the weakest wall in defense is often ... us. We click on a link, play a game online, or respond to emails or texts without knowing who they're really from.
"People are the biggest vulnerability we have in terms of cybersecurity," said Sarah Lee, assistant department head and associate clinical professor of the Mississippi State University Department of Computer Science and Engineering. "Obviously, it's possible for someone to hack into your phone or your laptop, but there is also a lot of software that helps prevent that as well. But we can't install software in people."
Social engineering is a criminal's most potent weapon, Lee said.
"In a nutshell, social engineering is manipulation, manipulating people into divulging information about themselves, with ill intent." Any form of digital communication is vulnerable. It's all about gathering data.
"Do not divulge so much information," warns Brandon Sesser at East Mississippi Community College, where he is information systems technology director and cybersecurity instructor. "Just because someone sends you an email doesn't mean it's legitimate. Never open attachments from an individual you don't know. It can carry a virus. With a virus, it takes human interaction -- someone has to double click to initiate the virus -- but with a worm, no human interaction is necessary."
A computer worm is a malware program that replicates itself in order to spread to other computers. Malware is software specifically designed to disrupt, damage or gain unauthorized access to a computer system.
"When people are just surfing the web, a lot of ads carry malware, and if you don't keep your computer up-to-date, you're opening a back door for that malware to infect your machine as well as your entire network," Sesser said.
Scammers frequently phish, vish, smish and pharm for bank account or credit card numbers. It might be through a message that a password is about to expire or needs to be updated. Contact the bank or credit card company yourself to verify any such request.
"Most of the time they're phishing attacks, sending that out hoping people will be naive enough to click on a link and type in their personal information," Sesser cautioned.
Always assume someone is watching.
"People are watching those social accounts to see what you're doing, what your interests are, and every time anybody does a search online, that website is capturing what you do and what you look at so they can target market," Sesser said.
"Everything we do -- phone, text, web browsing -- it's all cataloged. The mindset was, oh, this will make it easier for people to get credit cards and loans, but it also just opened a big caveat of overload of data; data miners are constantly creating a profile about you and selling it to the highest bidder."
Lee remarked, "People can gather a lot of information about us from Facebook, LinkedIn, Twitter or whatever social media you're using and correlate all that info and pretend to be somebody you know to get you to divulge more info. ... One of the worst things is to play one of those games -- 'What was your first pet's name?' 'Who was your first best friend?' 'What high school did you attend?' You've just given somebody a lot of information."
Lee also pointed out that the public should be aware that digital photos have metadata stored in them.
"It's not just the picture you see; there's data stored that is the exact GPS coordinates of where that picture was taken. All you need is some software that can tell you when and where a photo was taken."
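As an added illustration of the metadata Lee describes (example code written for this point, not from Lee, MSU or the article): a small Python reader for the GPS fields in a photo's EXIF block, run against a constructed sample block rather than a real photo, so a picture can be checked for location data before it is posted.

```python
# Added example, not from the article: read the GPS fix that phones and cameras
# store in a photo's EXIF block. EXIF is a TIFF structure (in a JPEG it sits in
# the APP1 "Exif\0\0" segment); the sample bytes and coordinates below are made up.
import struct
from fractions import Fraction

GPS_INFO_TAG, LAT_REF, LAT, LON_REF, LON = 0x8825, 1, 2, 3, 4  # IFD0 pointer; GPS tags

def _read_ifd(data, offset, endian):
    """Map tag -> (type, count, 4-byte value-or-offset field) for one IFD."""
    n, = struct.unpack(endian + "H", data[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", data[e:e + 8])
        entries[tag] = (typ, count, data[e + 8:e + 12])
    return entries

def gps_coordinates(tiff):
    """Return (lat, lon) in decimal degrees, or None if the block has no GPS IFD."""
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
    if GPS_INFO_TAG not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_INFO_TAG][2])[0], endian)
    def dms_to_decimal(ref_tag, val_tag):
        ref = gps[ref_tag][2][:1].decode("ascii")             # "N"/"S"/"E"/"W"
        off = struct.unpack(endian + "I", gps[val_tag][2])[0]  # 3 RATIONALs (24 bytes)
        d, m, s = (Fraction(*struct.unpack(endian + "II", tiff[off + 8 * k:off + 8 * k + 8]))
                   for k in range(3))
        dec = d + m / 60 + s / 3600
        return float(-dec if ref in "SW" else dec)
    return dms_to_decimal(LAT_REF, LAT), dms_to_decimal(LON_REF, LON)

def _ifd(entries, e):
    """Serialise one IFD: entry count, 12-byte entries, next-IFD pointer of 0."""
    body = b"".join(struct.pack(e + "HHI", t, typ, c) + f for t, typ, c, f in entries)
    return struct.pack(e + "H", len(entries)) + body + struct.pack(e + "I", 0)

def build_sample(with_gps=True):
    """Constructed little-endian EXIF block: IFD0 at 8, GPS IFD at 26, rationals at 80."""
    e, header = "<", b"II" + struct.pack("<HI", 42, 8)
    if not with_gps:
        return header + _ifd([], e)
    rat = lambda parts: b"".join(struct.pack(e + "II", n, d) for n, d in parts)
    lat = rat(((33, 1), (29, 1), (4452, 100)))        # 33 deg 29' 44.52" N (made up)
    lon = rat(((88, 1), (25, 1), (3828, 100)))        # 88 deg 25' 38.28" W (made up)
    ifd0 = _ifd([(GPS_INFO_TAG, 4, 1, struct.pack(e + "I", 26))], e)
    gps = _ifd([(LAT_REF, 2, 2, b"N\0\0\0"), (LAT, 5, 3, struct.pack(e + "I", 80)),
                (LON_REF, 2, 2, b"W\0\0\0"), (LON, 5, 3, struct.pack(e + "I", 104))], e)
    return header + ifd0 + gps + lat + lon
```

`gps_coordinates(build_sample())` returns the decimal position and `gps_coordinates(build_sample(False))` returns `None`; a photo whose block yields a position is one to strip or keep private.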
Privacy settings are important, she stressed.
"And remember, when you delete something, it is not gone," Lee said.
In the workplace
Both Lee and Sesser are involved in helping to train work forces in better cybersecurity awareness. Lee, for example, recently conducted webinars for a banking system.
"In days gone by, if you watched an old western, you'd see the masked man ride up on a horse and go into the bank to rob it," she said. Modern thieves try robbing banks and businesses on a digital horse.
One common social engineering attack uses "pretexts": the attacker poses as an internal employee or someone hired by the company, perhaps to conduct an audit or survey. Emails purportedly from a boss or a big customer instructing an employee to transfer money can be made to look legitimate.
A phishing email warning an employee about an open enrollment deadline for healthcare could lure in enough clicks to do damage. According to comparitech.com, employees may feel both the fear of missing the deadline and the need to obey the instruction to sign up before it passes, and may click the link and enter personal information or download malware before realizing the mistake.
Lee herself noted a recent rash of bogus emails that appear to be from colleagues, but aren't.
"If I'm a hurried professional and get an email initiating a conversation ... that's what they're hoping for, that you're frazzled, you're busy and that we kind of see what we want to see," she said.
The best defense in such a situation is to cease communication. If there's reason to believe account or banking information has been compromised, contact the bank or credit card company immediately and change passwords on all accounts. Breaches should be reported to the companies and can also be reported to law enforcement as well as other appropriate agencies, including the FBI.
A few additional tips from the Federal Trade Commission and other resources: use complex passwords and change them periodically; regularly update your system; turn on two-factor authentication for accounts wherever possible; don't trust your caller ID; hang up on robocalls; don't pay up front for a promise; never deposit a check and wire money back; and sign up for free scam alerts from the FTC.
Learn more at sites such as consumer.ftc.gov, usa.gov/stop-scam-frauds, or fbi.gov.
In addition to course study for students, Mississippi State and East Mississippi Community College both offer the public opportunities to learn more about computer skills and security. Through its Bulldog Bytes program, MSU offers summer camp for K-12 students. It also offers teacher professional development.
"It's not so different from teaching children don't get into a car because someone wants to show you a puppy; it has to become part of our educational culture," Lee said.
MSU also periodically conducts workshops for seniors. The next should take place this spring. For more information, email Lee at [email protected]
EMCC will offer a cybersecurity awareness course in March, conducted two nights a week for three to four weeks. For more information, contact the Center for Manufacturing Technology Excellence at 662-243-2686, or email Sesser at [email protected]
A new year is as good a time as any to commit to getting "cyber-fit" with every device we use. Data should be a private and protected asset. Even small changes can be effective in thwarting someone who wants to steal it.
Jan Swoope is the Lifestyles Editor for The Commercial Dispatch.