
Protecting Your Home Network and Personal Devices

Advances in technology have allowed many people around the world the opportunity to work from a remote setting. Many users are now capable of accomplishing work-based tasks from an office in their own home. This has made it crucial for individuals to secure their home Wi-Fi networks and personal devices. Hackers that gain access to home networks are capable of infecting all personal devices with malware and viruses, performing various cyber-related crimes from the compromised network, or launching Distributed Denial of Service (DDoS) attacks.

There are three primary steps all users should take to ensure all connected devices and the Wi-Fi network are secured.

Ensure the default network username and password are changed

The first step in protecting a home network is to change the default username and password. This is the foundation of a strong home-based security plan. Wi-Fi network providers assign default usernames and passwords that hackers can easily obtain by browsing the internet. Hackers that obtain these passwords can hijack the network, establish a new password to disconnect users from the network, and cause significant damage.

Once users establish a new Wi-Fi network, they should look to change the default credentials to something personal and secure. Network passwords should be something easy to remember but difficult to guess. Strong passwords consist of letters, numbers, and symbols. More personalized passwords are less likely to be compromised by brute force attacks.

Encrypt the wireless connection

Encrypting a home network ensures that data or the contents of messages are unable to be deciphered by cybercriminals. Users should ensure their home network is utilizing WPA2, the most secure form of encryption. WPA2 scrambles network traffic, making it nearly impossible for hackers to trace. Any device that isn’t compatible with WPA2 likely predates many necessary security features and should be updated immediately.

Hide the network from public view

Newly established home networks have a default network name that is publicly visible. This network name is called an SSID (Service Set Identifier). Users should change their default network name to make it more challenging for hackers to predict what type of router is being used. Users can also use SSID hiding to make the network name disappear from a list of networks in the surrounding area. Controlling who can see the network is one of the strongest steps in protecting a home network.

Summary:

With more employees opting to work from home, users must be diligent to secure their home networks. Hackers that gain access to home networks are capable of infecting all personal devices with malware and viruses, performing various cyber-related crimes from the compromised network, or launching Distributed Denial of Service (DDoS) attacks. Users should follow three primary steps to ensure their network and connected devices are secure. These include changing the network username and password, encrypting the wireless connection, and hiding the network from public view.

How Safe is Sending Money with Apps?

It wasn’t long ago that friends and colleagues completed personal transactions through the physical exchange of cash. This changed at the start of the digital age as fewer people carried cash in their wallets and purses. Instead, people now rely on person-to-person money transfer apps, such as Venmo and Zelle, to make personal exchanges.

With these being strictly accessible through an app that has direct access to multiple bank accounts, many have wondered how safe the platforms truly are. Generally speaking, they are very secure because the app utilizes encryption to protect every user’s personal information and each transaction. However, there are several other risks associated with money transfer apps that aren’t as reliant on the security of the platform but could still put any user’s personal data and banking information at risk.

My Healthcare offers Zelle through the mobile banking app, allowing you to send money to family and friends behind the security and log-in of mobile banking. This adds an additional layer of protection and mitigates some of the potential risks of the stand-alone money transfer apps as indicated below. Learn more about this service here.

The Risk Associated with Losing Your Phone

The primary risk associated with exchanging funds on an app is that a user’s phone is lost or stolen. Once logged into Venmo, for example, the app stays logged in for user convenience. However, this makes it very easy for funds to be stolen if the device falls into the wrong hands. To prevent this, users must always guard their phone as if it were a debit card or cash. Phones should always be password or passcode protected. Users should also consider logging off after using the app so that money can’t be easily extracted from a stolen device.

The Risk Associated with a Stolen Password

Users must also be mindful that the password to their account could fall into the wrong hands. If this happens, criminals wouldn’t need the user’s device to access their account. Users should protect their account with a unique password that is easy for them to remember but difficult for others to guess. Users should also set up multi-factor authentication. This ensures that criminals still can’t access the account even if they’ve stolen the password.

The Risk Associated with Sending Money to the Wrong Person

Money that is sent to unverified accounts that don’t provide promised products or services may not be retrievable. Users must be mindful of the people they send funds to and verify the exact username of the recipient before ever hitting send. Some apps also have security measures set in place to help users avoid sending money to people they haven’t had previous exchanges with or who aren’t listed as friends. It is recommended that users who are skeptical of this transaction process consider other methods such as PayPal. Unlike PayPal, Venmo doesn’t offer payment protection for transactions made within the app.

Phishing Attacks Continue to Dominate…Here’s Why

F-Secure recently conducted a phishing simulation attack in collaboration with 4 multi-national organizations. The simulated phishing attacks that targeted 82,402 workers revealed key insights into why phishing attacks remain a prevalent cybersecurity threat.

In the study, the workers were targeted with four types of phishing emails: a message purporting to be from HR, a spoofed document-sharing message, a fake CEO message, and a fake notification of service failure.

From the study, both technical and non-technical teams opened the phishing emails, but non-technical teams reported the attacks more. According to the study, the median reporting time for phishing attacks was 30 minutes, despite about 25% opening the phishing emails in the first five minutes.

So why do phishing attacks remain a prevalent cybersecurity threat? Let’s look at some of the common phishing attacks and the risks they pose to businesses as well as the possible steps you can take to prevent them.  

What Makes Phishing Attacks Effective? 

From the study, IT personnel were as susceptible to phishing attacks as those in other departments. This is despite IT and DevOps teams reporting having noticed higher chances of phishing attacks in the past.  

What this study highlighted is that general IT literacy and phishing awareness do not reduce susceptibility to phishing attacks. Reporting of these attacks was also almost consistent for both technical and non-technical users.  

What made a difference in the rate of reporting was the reporting mechanisms in place. Organizations that had a reporting mechanism for all workers saw staff reporting 47% of the phishing emails as suspicious. Those without a reporting system saw only 11% of the emails being reported as suspicious.  

Common Types of Phishing Attacks 

Phishing attacks are a form of cyberattack designed to take advantage of human weaknesses. These social engineering attacks are damaging when successful, as they are harder and take longer to detect.

Attackers can target these messages to a blanket group, or design them to attack a specific person within an organization.  

1. CEO Fraud

CEO fraud is a type of phishing attack where cyber criminals spoof email accounts to impersonate a company’s executive staff. These attacks are a type of business email compromise.  CEO fraud has become so extensive that, according to the FBI, it is now a $26 billion scam that has infiltrated all 50 states and more than 140 countries worldwide.  

The goal of these attacks is to obtain confidential financial information or funds. Businesses that conduct wire transfers or work with foreign suppliers are the most common victims of BEC attacks.

In CEO fraud, the attackers rely on spear-phishing tactics, meaning they first research the target victim, before reaching out with their impersonation email.  

Most people fall for CEO fraud as it takes advantage of the authority an executive has in the company. Criminals exploit this authority and trust to trap the victims into sending sensitive information or money.

2. Document Share Email Attacks

Document share email attacks mimic notifications from a well-known document sharing brand. These types of attacks are popular as people are more likely to open documents and attachments that seem to come from legitimate parties.  

In running file-sharing scams, the criminal must take over an email account. The first step is launching an attack using different forms of phishing attacks, such as impersonating the file sharing service.  

When a person enters their login details, the cybercriminal takes over their email account. The criminal then uses the account to send documents with a link to a document to collect even more credentials.  

Such attacks can snowball for as long as the attacker wants or until an organization notices the scam. One of the popular document sharing email attacks was the 2017 Google Doc File sharing scam. In the scam, cybercriminals impersonated a Google Docs request.  

In the attack, the victims would receive a “notification” that they were added to a document. Clicking on the attached link brought the victim to a Google login screen. The credential theft began when a user entered their username on the login screen. A malicious program would grant access to a user’s email and contacts. 

3. HR Phishing Scams

Cybercriminals use HR phishing scams to impersonate HR staff. These attacks are taking advantage of the transition to remote work to get the victims to disclose sensitive business or personal information.  

Most of the topics these cybercriminals target in HR-related phishing schemes include: 

  • Vacation policy updates 
  • Dress code changes 
  • Remote work policy update  
  • ACH payment receipt 
  • Security training 
  • Salary adjustments 
  • Organizational changes 

What makes these phishing attacks successful is that criminals design them to feel as natural as HR-employee communication. They address you by your name and highlight issues that would be captivating to the recipient such as the ones listed above.  

Such personalization creates an additional element of trust, which increases the chances that those targeted will respond with the cybercriminal’s desired action.  

4. Service Issue Notification

Service issues are common, which is why cybercriminals disguise their malicious messages as service issue notifications. Some of the commonly associated phishing scams include: 

  • Server notifications claim that additional safety measures are needed to secure email accounts. However, to keep the account safe, you are required to either provide a recovery mobile number or add another mobile number to prevent the suspension or deactivation of your email account.  
  • Notification of unreceived/undelivered emails due to system delays. This scam also requires you to click on a provided link to fix the associated “issues”. The link leads to a sign-in page that collects your information.   

Consequences of Phishing Scams 

The study F-Secure conducted was in a controlled environment and no sensitive information was desired from the respondents. However, criminals exploiting social engineering attacks intend to steal personal and confidential business information or money from businesses.  

The effects of successful phishing scams are far-reaching, with some businesses failing in the aftermath of these incidents. According to IBM’s 2021 Cost of a Data Breach Report, the cost of a data breach rose from an average of $3.86 million to a new high of $4.24 million, marking a 10% increase between 2020 and 2021.

Based on the cause of the threat, phishing was the second costliest threat, costing businesses $4.65 million, with compromised credentials costing businesses $4.27 million. Business email compromise attacks, which are considered a type of phishing attack, were responsible for 4% of data breaches, but they cost businesses an average of $5.01 million. Stolen credentials were also the starting point of 20% of the total data breaches.

The damage from phishing scams does not stop at the financial consequence. Most companies that fall victim to a phishing scam take a hit to their reputation as well. Companies that have fallen for phishing scams, subsequently becoming victims of data breaches, become associated with cybersecurity risks which can have lasting consequences on their revenue. 

Customers also tend to lose trust in a business that falls prey to cyberattacks. For instance, after the 2018 data breach Facebook suffered, the company’s valuation dropped by $36 billion. The reputational damage gets worse when an organization is known to constantly fall for cyberattacks, thus necessitating a robust cybersecurity program.

The Human Firewall 

Cybersecurity training for both technical and non-technical teams is critical as part of a comprehensive cybersecurity plan. But training alone is not enough to help your organization reduce the threat its workforce presents to your security, creating the need for what is referred to as a human firewall. 

A human firewall is the employees who support your company’s cybersecurity defense efforts by actively looking out for suspicious email and online threats and reporting incidents that could endanger your organization.  

One way of doing this is ingraining in your employees the habit of reporting suspicious activity. Most organizations have cybersecurity drills where they send phishing simulation messages to employees every quarter.

Such a frequency is not enough to create the habit of automatically reporting suspicious emails. Having the same simulation several times a month is more likely to build the habit and sensitivity to phishing attacks, thus increasing the likelihood that your organization notices threats and stops them before they cause lasting damage to the organization. 

Simplifying the reporting process also goes a long way in encouraging users to report suspicious emails they receive. For example, if the report button appears within the email, more employees are likely to report it, which makes the process of identifying, isolating, and neutralizing threats easier.  

Red Flags of Identity Theft

About 10 million Americans a year have their personal information compromised.  Often, the stolen information is used to take over accounts, open credit cards or obtain medical care long before the theft is ever discovered.

While many people first find out about identity fraud from their financial institutions, there are some red flags that indicate your personal information may have been stolen and used for fraudulent purposes.

  1. Unexplained charges or withdrawals:  Check your financial account statements each month and be sure you recognize the transactions.  Thieves will often make small test purchases first, so don’t ignore small charges that seem unfamiliar.
  2. Medical bills for doctors you haven’t visited:  Likewise, if your health insurance carrier denies a legitimate claim, find out why.  It’s possible for a thief to use your identity to obtain medical care or max out your insurance benefits.
  3. New credit cards you didn’t apply for:  If you receive an unexpected credit card in the mail, contact the company issuing the card right away.  Similarly, any statements that arrive for unknown accounts are a red flag.
  4. Errors on your credit report:  Review your credit reports for any suspicious activity, such as accounts you didn’t open.  You can review your reports for free once a year at www.annualcreditreport.com
  5. Collection notices or calls for unknown debt:  Don’t assume the information is an error.  Find out what the debt is for.  If you believe the debt isn’t valid, send a letter via certified mail to the collection agency requesting proof of the debt and creditor within 30 days.
  6. Your credit card or application for credit is denied:  If you haven’t reached your credit limit or normally have good credit, ask the reason for the denial.  An identity thief may be racking up debt on your behalf or ruining your credit score with unpaid bills.
  7. Missing mail or email:  Haven’t seen a monthly statement in a few months?  A thief could be stealing your mail or may have changed the mailing or email address on the account to keep you from seeing fraudulent charges.  Alternately, you may receive a notice from the post office that your mail is being forwarded to another address when you haven’t requested a change of address.
  8. Errors on your tax return or Social Security statement:  The Internal Revenue Service may notify you that more than one tax return was filed in your name or that you have income from an employer you don’t know.  Check that the earnings reported on your Social Security statement (available at https://www.ssa.gov/myaccount) match your actual earnings.
  9. A warrant for your arrest:  While it may seem extreme, it’s possible for someone to impersonate you while committing a crime.  You may uncover the warrant if you’re stopped for another reason or involved in an accident, for example.

What to do if you fall victim to identity theft:

  • Contact your financial institution immediately and alert it to the situation.
  • Report all suspicious contacts to the Federal Trade Commission through the Internet at www.consumer.gov/idtheft, or by calling 1-877-IDTHEFT.
  • If you have disclosed sensitive information in a phishing attack, you should also contact one of the three major credit bureaus and discuss whether you need to place a fraud alert on your file, which will help prevent thieves from opening a new account in your name.

© Copyright 2022 My Healthcare Federal Credit Union - All Rights Reserved.