Cybercriminals know that the more credit cards they steal, the more bank accounts or the more passwords they compromise; the more money they can make. They will literally attempt to compromise anyone connected to the Internet, including you.
Cybercriminals will try to use different techniques such as social engineering and phishing in order to steal your sensitive data or your identity. Depending on the information they receive, they may:
- Access your email
- Access your bank account
- Access your credit cards
- Create new identities
They may also try to trick you into installing malicious software which will grant them full access to your computer and to your sensitive data. This malicious software may allow the cybercriminals to:
- Encrypt your files and hold for ransom.
- Log your keystrokes to discover your passwords to bank accounts and credit cards.
- Send email containing malware to others, including your own contacts.
- Use your computer as a bot to launch attacks on other computers and users.
Remember, you are not being singled out because you are special. Rather, these criminals are targeting everyone they can, which happens to include you. No matter where you are (work, home or traveling), cybercriminals are there to get you and You are the Target, so please Think Before you Click. You are the first line of defense against any cyber attackers!
One day Joe Jones, the Purchasing Manager at Hostia Inc. got the following email from Julie Johnson, the president of the company:
To: Joe Jones <email@example.com
From: Julie Johnson <firstname.lastname@example.org>
Subject: Recent Invoice
As you know I am currently at a conference and found a very interesting company (Fraus Industries) that can supply us with widgets at a very reduced cost. At the time I asked them to send us 10 units at $50/unit. Please find attached an invoice for this purchase. Can you please review this invoice and make the appropriate payment to the included wire transfer number.
BTW, I saw the picture of your recent trip to Disney. Looks like you and the kids had a blast
Joe proceeded to open the attachment and pay the invoice through the Hostia’s corporate banking account through the online banking system he usually uses.
A few days later, Joe was reviewing the recent purchases at the bank and found that there had been a number of large wire transfers that had not been made by him. The corporate bank account was now empty.
What happened? In reality, the email never came from Julie even though it had her name and even displayed her corporate email address. The attachment was fake, as was the email itself. It actually contained a virus which infected Joe’s machine with a key logger (something that watches every keystroke and sends it to the scammer). It also displayed an invoice with the wire transfer details. When Joe transferred the funds, the keylogger captured the login details for Hostia’s bank account and sent them to the scammers. Later, they went in and transferred all of Hostia’s money to their account.
This is an example of “spear phishing“. Instead of sending a generic email, scammers will look through company web sites to try and figure out who might have access to that company’s bank accounts. They will then go through social media for specific details which can make the email seem far more personal. That’s how they knew Julie was at a conference and that Joe had recently been to Disney. In this age of social media, it has become surprisingly easy to find out personal details of someone’s life to use against them to sound like a colleague or even know when they are on vacation or at a conference.
This is the essence of Social Engineering. Scammers impersonate seemingly legitimate people to try and gain access to bank accounts, login passwords, secure areas of a business, etc. Regardless of who someone “claims” to be, unless you are absolutely sure they are who they say they are and that they have a legitimate reason to ask you to do what they are asking, be suspicious and vigilant.
By following some simple steps you can protect yourself:
- Common sense is your best defense: if something seems odd, suspicious or too good to be true, it is most likely an attack.
- Keep your operating system and software up-to-date on all computers and mobile devices.
- Have a good password policy of creating strong, unique password for each of your accounts.
- Encrypt and password-protect any sensitive data before you email it.
- Never respond to a suspicious phishing email; if in doubt, report and delete.
- Be mindful of what you post online.
- Keep your mobile devices secure by enabling a PIN or passcode and only download apps from known sources such as Apple Store or Google Play Store.