Our news programs and social media feeds are often full of the latest and greatest in technological innovation – this year has already brought us the 53rd Consumer Electronics Show, where companies demonstrated their new inventions, from vegan pork to flying taxis! But whilst the world concentrates on the great new beneficial technology developments, it’s important for us to remember that the bad guys of technology are innovating too. Av-test.org estimates that 4 new instances of malware – ‘potentially unwanted programs’ – are created every second. That means that by the time you get back to your desk after your lunch hour, 14,400 potentially dangerous new programs have been created to try and deceive you.
Another scary statistic is that, according to endpoint security provider Webroot, 2% of all websites in existence are malicious. Whilst that might not sound like much on first reading, have a think about how many links you click at work every day, and then how many links you might click on your mobile or tablet at home. I’d wager that it’s more than 50, so the chances are you’re clicking on at least one malicious link every single day. This high percentage of dangerous content is reflected in the number of attacks and data breaches; business insurance company Hiscox reported that their research suggested as many as 61% of all businesses they surveyed across 7 countries in Europe said that they had been the victim of a data breach.
This begs the question: how can we possibly hope to stay safe from malicious online attacks among such a vast array of malevolent online content? Luckily, there are cyber-security specialists working day and night to help protect innocent users. As well as relying on the ever-advancing anti-malware programs available on the market, another way we can look to arm ourselves against malware is through making sure we’re prepared for what’s out there, and ensuring we’re well equipped to keep ourselves safe. In order to help everyone prepare for new security threats, the experts at Experian publish a paper at the end of every year listing what they believe to be the biggest threats to cyber security for the year to come. Using this list, we’ve come up with some ideas of how to train yourselves and your colleagues to stand a better chance against malware… After all, even with the most secure network and the best security practices in place, the last line of defence is you.
One of the most common, and sadly one of the most successful, spam attacks is ‘Phishing.’ Phishing is a broad term given to any e-mail sent by someone pretending to be someone else in order to trick you into giving them your private details such as passwords, credit card details, and other personal information. I’m sure we’ve all seen them; in fact, you’ve probably been sent one today, but hopefully your spam filter is clever enough to have marked it as spam. The general template of a phishing e-mail will look something like this:
From: Amazon Accounts <firstname.lastname@example.org>
Sent: 28 January 2020 06:56
To: Josh Adams
Subject: Thank you for your order
Thank you for your paymint of $1000 for order number #123abc, your order will be send soon.
https://www.amazon.co.uk/ to viewing your order
As this is so common, hopefully there are some things about the above e-mail that would jump out to most of you. Some really common warning signs shown above are:
- Addressed to Sir/Madam rather than your name
- Money in a foreign currency
- URL in the link does not match the website (hover over, do not click)
- Spelling mistakes & poor grammar
- Amazon.email@example.com is not a legitimate Amazon e-mail address
While this e-mail is an obvious, over-the-top example, if you bear those things in mind when reading through e-mails that you aren’t 100% sure are legitimate, they should help you to avoid clicking on spam links. Another way to be sure, for this example, would be to open a new internet browser window and go directly to amazon.co.uk and log in from there. These e-mails are trying to get you to click on their links, which would take you to a fake Amazon website where you’d put in your credentials and they’d be able to steal them – if you go direct to the website, you’re still able to check that you haven’t got an invoice you’re not expecting, whilst ensuring you’re not giving criminals your login details.
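The checklist above can also be applied mechanically by a mail filter or a help-desk triage script. The following is an added example, not part of the original article: it checks a raw e-mail for four of the listed signs (sender domain, generic greeting, foreign currency, link text that does not match the real link target) and leaves spelling to the human reader. The sample message, its addresses and domains, and the names `Links` and `phishing_signs` are all constructed for illustration, and the message is assumed to be single-part.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; every address and domain in it is made up for the demo.
SAMPLE = """\
From: Amazon Accounts <accounts@amazon-billing.example>
Subject: Thank you for your order

<p>Dear Sir/Madam,</p>
<p>Thank you for your paymint of $1000 for order number #123abc.</p>
<p><a href="http://orders.example.net/login">https://www.amazon.co.uk/</a></p>
"""

class Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def phishing_signs(raw, brand_domain, home_currency="£"):
    """List the checklist signs present in a single-part raw e-mail."""
    msg = message_from_string(raw)
    body, signs = msg.get_payload(), []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender != brand_domain and not sender.endswith("." + brand_domain):
        signs.append("sender-domain")
    if re.search(r"dear\s+(sir|madam)", body, re.I):
        signs.append("generic-greeting")
    if any(s != home_currency for s in re.findall(r"([$€£])\s?\d", body)):
        signs.append("foreign-currency")
    parser = Links()
    parser.feed(body)
    for href, text in parser.found:
        # Compare hosts only when the visible text is itself a URL.
        if "://" in text and urlparse(text).hostname != urlparse(href).hostname:
            signs.append("link-mismatch")
    return signs
```

Calling `phishing_signs(SAMPLE, "amazon.co.uk")` reports all four signs for the constructed message; a message from the brand's own domain with matching links and amounts in the home currency reports none.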
According to Experian, though, phishing is old news. They’re still confident that it will remain a prevalent and successful way for criminals to gain access to your details, but there’s a new tactic on the block that’s just starting to become more popular: Smishing.
Smishing is very similar to phishing, in that it’s someone trying to get you to click a dodgy link and enter your information into a fake site. The main difference is that phishing is sent via e-mail but smishing is sent via SMS – a text message to your phone. This makes it very difficult to detect for many reasons. For example, people aren’t expecting spam text messages anywhere near as much as they’re expecting spam e-mails, so we are generally a lot more trusting of text messages. A further reason is that it’s very easy for anybody to send a text purporting to be from anyone else. You may have had a text from your dentist reminding you of your upcoming appointment; the likelihood is that even though you don’t have them saved as a contact in your phone, it would have shown as coming from YourDentistSurgery, or something along those lines. That’s because the technology exists for people to be able to send their name along with the message, so that customers know who is texting them. This is great news for companies such as dentists and delivery drivers, but unfortunately there is no authentication needed to be able to put any name in that text message, meaning anyone could send a text and put any name that they like.
Another item on our checklist to recognise phishing, that won’t help us with smishing, is hovering over a link to check where it is actually going – it would be much too easy to accidentally click the link and visit the malicious site! Also, in texts the link is more than likely going to be shortened using a URL shortener (looking something like bit.ly/vissensa), so it is likely to look dubious even if it’s legitimate. So, if there’s no way of us looking at the incoming phone number to see if it’s one we recognise, as we can do with e-mail addresses, what can we look out for in smishing?
- Are you expecting the text? Have you placed an order or made an appointment with the company supposedly texting you?
- Is the currency correct and do you recognise the amount?
- Are there misspelt words and poor grammar? Even in an SMS, a real company is unlikely to use slang or shorten words
The safest bet is to never click on any links in an SMS, and never reply to one. If you think the text is real, as with a phishing e-mail, open a browser and go directly to the website that is relevant to the text and check there, rather than following a link to that website in the text.
Coffee Shop Wi-Fi
The next big threat identified by Experian is the danger of connecting your devices to unsecured public Wi-Fi networks. More often than not these days, any public place you go to will have some form of WiFi network for you to connect to. Whether it’s free WiFi on a bus or the local pub that lets you join their own private WiFi, it’s very much seen as a convenience – even a necessity – for the general public. We’re all used to seeing swathes of writers, students, and the like sitting in a coffee shop typing away at their laptop, safe in the knowledge that they’ve got a direct connection to Wikipedia or Google should they need it thanks to the ubiquitous free WiFi. Not to mention when you’re in a shopping centre with very little mobile signal and you see the glorious sign advertising ‘Free WiFi’ which lets you ensure you don’t miss that vital e-mail or message whilst shopping. But what are we really letting ourselves in for when we connect to these networks?
Unsecured networks could potentially present hackers with the ability to see all network traffic going through the same WiFi router. This is a scary thought – what if they could decrypt the traffic and learn your online banking password? Even from a less blatantly malicious point of view – what if a ‘marketing agency’ could scrape off all sorts of information about where you like to shop, what sort of things you’re looking up on search engines, and view your entire web browsing history? So, how can we protect ourselves?
- Ensure you’re using multifactor authentication wherever available. Multifactor authentication generally means you have to input a code sent to your mobile device, or an authenticator device, which proves it’s you that’s logging in.
- Only connect to public WiFi when you absolutely need to, and don’t set your device to ‘auto connect’ to networks.
- Don’t do anything private such as online banking when connected to a public network.
- Keep information secure on any device that’s going to be connecting to a public network; encrypt sensitive documents and folders with complex passwords.
- Only connect to a WiFi network if you’re 100% sure of its origin. It’s all too easy for a hacker to sit in the middle of a shopping centre with a WiFi router, call it ‘Free Shopping WiFi’ and watch people willingly connect and feed them all their data.
In short, it’s not all rainbows and butterflies when it comes to something as simple as using the wonderful internet – which is a shame, but is the reality of the world we live in.
There are multiple steps you can take to protect yourself, your technology and your data – and at Vissensa we speak to people every single day who are in need of support when it comes to putting those protections in place.
From small start-up businesses to global corporates, we will help identify the right level of protection, within the right budget. Give us a call today to discuss yours.