Internet-supported crime and cyber threats are becoming more and more sophisticated and preventing them demands each and every user of a connected device to be on high alert at all times.
Cybercriminals have grown increasingly creative; their attacks ever more complicated, and their efforts carefully targeted. Now more than ever, it is imperative that organizations and individuals scrutinize every message, email, and link that appears legitimate. “Think before you click” is the catchphrase ringing in everyone’s ears.
This past year, some of the most common and brand-damaging cybercrimes began with an unaware employee clicking on a link embedded in an email that appeared to be from a colleague, following emailed instructions from a manager, or opening an invoice that appeared to be from a current and trusted vendor of record.
Cybercriminals are often creative and patient, and they plan and execute their attacks with what might be considered laser accuracy. Once an employee performs one of these seemingly routine workplace actions, an organization may find its entire network exposed to a data breach, a ransomware attack, or any one of many other malicious crimes.
Major Cyber Threats of 2019
Phishing is a favoured cyber-attack that uses disguised emails as a weapon. The objective is to trick the email recipient into trusting that the message is something they want or need: a request or problem notice from their financial institution, or a note from a colleague. Each carries some level of implied trust and a sense of urgency that pushes the recipient to click on a link or download an attachment.
What differentiates phishing is the form the email takes. Typically, the attackers masquerade as a trusted individual of some kind, often a real person, a manager, human resources, IT staff, or a company the victim might conduct business with. Surprisingly, it is one of the oldest types of cyberattacks, dating back to the 1990s, and it’s still one of the most widespread and malicious, with phishing messages and techniques becoming progressively more complex.
One of the most common items distributed during phishing campaigns is ransomware. Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment. Users are provided instructions on how to pay the ransom to acquire the decryption key. The costs can range from a few hundred dollars to hundreds of thousands, payable to cybercriminals in the form of Bitcoin.
Poor Password Habits
Earlier in 2019, Harris Poll partnered with Google to conduct an online security survey in order to establish an understanding of the common beliefs and behaviors surrounding cybersecurity. The results were frightening, with upwards of 25% of users reporting that they use common and insecure passwords, including abc123, 123456, iloveyou, and password. Only 15% of users reported using a password manager, with 36% stating a definite preference for written passwords. Lastly, over two-thirds of users openly admitted to using the same password across numerous accounts.
Keeping software up to date and using a good anti-virus program are only so effective, and certainly do not guarantee your network’s safety. There are some simple habits that can greatly increase the effectiveness of these tools. These tips include:
- Carefully examine all email addresses and URLs in every correspondence. Often cybercriminals will mimic a legitimate site or email address by using slight variations in spelling and format.
- If you receive an unsolicited email or text message, requesting you to update or verify account information, do NOT follow the link provided in the message. Visit the company’s main page and log into your accounts as usual to verify there are actions requiring your attention.
- Examine every electronic request for payment or transfer of funds.
- Do not open any attachment you were not expecting, and examine the sender’s email address for slight deviations in spelling or format.
- Be especially cautious of any message that urges immediate action.
- Seek to confirm requests for payment in person or over the phone as part of a two-factor authentication process. Do not use the phone number listed in the request.
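The first and fifth tips above (look for slight variations in spelling or format in sender addresses and URLs) can be turned into a routine check rather than relying on eyesight alone. The script below is an added example written for this page; it is not code from the original post or from any vendor. It assumes a constructed allow-list of trusted domains (example-vendor.com and example-bank.com, both hypothetical) and classifies an incoming sender address or link as trusted, a look-alike of a trusted domain, or simply unknown. Look-alikes are caught three ways: characters that render alike (digit 1 for letter l, "rn" for "m", a Cyrillic "а" for Latin "a"), a trusted name embedded inside a longer host, and a domain within a couple of edits of a trusted one.

```python
"""Flag sender addresses or URLs whose domain merely resembles a trusted one."""
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list for a hypothetical organisation; replace with your own.
TRUSTED_DOMAINS = {"example-vendor.com", "example-bank.com"}

# Character pairs that look alike on screen and are commonly swapped in spoofed names.
MULTI_CHAR = {"rn": "m", "vv": "w"}
SINGLE_CHAR = {
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    # a few Cyrillic letters that render like their Latin counterparts
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}


def extract_domain(value: str) -> str:
    """Pull the host out of an e-mail address, a URL, or a bare domain."""
    value = value.strip()
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.lower()


def normalize(domain: str) -> str:
    """Fold case, accents and look-alike characters into one canonical spelling."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in MULTI_CHAR.items():
        text = text.replace(src, dst)
    return "".join(SINGLE_CHAR.get(ch, ch) for ch in text)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(value: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an address, URL or domain."""
    domain = extract_domain(value)
    for t in trusted:
        # Exact match, or a subdomain of a trusted domain (which only its owner controls).
        if domain == t or domain.endswith("." + t):
            return "trusted"
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        if norm == tn:            # differs only by look-alike characters
            return "lookalike"
        if tn in norm:            # trusted name embedded in a longer, unrelated host
            return "lookalike"
        if levenshtein(norm, tn) <= max_edits:   # one or two typo-style edits away
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real senders or sites.
    samples = [
        "payments@example-vendor.com",
        "ap@billing.example-vendor.com",
        "payments@examp1e-vendor.com",
        "payments@exarnple-vendor.com",
        "payments@ex\u0430mple-vendor.com",
        "payments@example-vendor.co",
        "payments@example-vendor.com.attacker-site.net",
        "https://secure-example-bank.com/login",
        "news@unrelated-site.org",
    ]
    for s in samples:
        print(f"{classify(s):9s}  {s}")
```

A "lookalike" verdict is the cue to apply the other tips: do not follow the link or open the attachment, and confirm the request through a channel you already trust. An "unknown" result is not a clean bill of health; it only means the domain is not a near-copy of one on the allow-list, so ordinary caution still applies.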
If you have any questions pertaining to anything you’ve read here, and would like more advice on how to protect your organization, please contact us for more details!