It is that time of year again… the weather is getting brisk, snowstorms are making the news and festive lights are appearing all around us. The season of giving for many of us is also a season of opportunity for scammers and hackers who specifically want to take advantage of our willingness to give… and our feeling overwhelmed dealing with the typical craziness that comes during this time of year.
As our dependence and access to communication based technology has advanced, so too has advanced the sophistication of the types of attacks which often target us. Three or four years ago, a phishing email message was fairly easy to identify. Reading it closely, you could make out the grammar was not quite right, or perhaps they used employee signatures, titles or language that didn’t quite match to the norm of what we expect to see. We could make educated guesses as to what may or may not be genuine.
Fast forward to today, where everyone now uses communication tools on the go via our mobile phones and digital devices. Our individual focus is pulled now more than ever before, and it is within that window of distraction scammers often strike. We have seen a significant advancement in targeted attacks looking more genuine. Nefarious attackers now use social engineering to review our web sites, figure out organizational hierarchy and use that to take advantage of us during a moment of distraction. An urgent email from your boss asking you to review a purchase order may not be so innocent. On the surface, everything looks right… the name matches, it is well written and perhaps even the signature is correct. Dig a bit deeper and you will find the origination is not a University service but rather five or ten hops, routing through different servers until it ultimately reached your inbox. It looked genuine so filters did not catch it, and now your only remaining line of defense is to ask why you are getting this. Did you miss something; did your boss need you to process something that slipped your mind?
Interestingly, although email and general phishing attacks are more sophisticated today, organizational susceptibility rates were down overall between 2015 to 2017, going from 14.1% attack success to 10.8%. Many factors contribute to this decline, such as employee understanding and better central protection. However, a breach of your password or protected information is still a scary thing and may not only affect you professionally but personally as well.
Here are some tips you can use to guard yourself today and into the future:
- Never reuse passwords. Use a password manager such as LastPass or Dashlane to establish a unique, complex and long password for each web site you use with a login.
- Use two-factor authentication. Many services such as Rutgers and various financial institutions support this. Using this method you will log into a web site, then be texted an access code to a mobile device. It may take a little more time, but it significantly decreases your exposure should your password be hacked.
- Freeze your credit with the four major reporting agencies. Experian, Transunion, Equifax and Innovis allow you to put a hold on hard credit checks. This prevents anyone from pretending to be you and opening new accounts in your name. If you don’t have any major purchases on the horizon, considering freezing them all for added safety.
- Use a current and up-to-date antivirus and malware detection software on your computer. Here at Rutgers ITACS maintains this for you, but it is important to have these types of software installed on your personal devices as well.
- Make sure your mobile devices and computer operating systems are fully patched. Patches are essential preventative maintenance necessary to keep machines up-to-date, stable, and safe from malware and other threats. Patching removes backdoors and access paths hackers may have exposed in older versions of the software code.
- Always think before you click. Ask yourself if the message makes sense. If your bank or any other service is trying to contact you via email, type the URL into your browser on your own or even call them to ask what the matter is about. No service you use should be asking for passwords over the phone or email.
As always, we here at ITACS are happy to offer you assistance or advice on any matter pertaining to your professional or personal digital security. Feel free to contact any of us for assistance and best wishes for a safe and enjoyable season.