Staying Ahead of the Bad Guys

Written by Mark Evilsizor
From his column Tech

Around this time of year, I am reminded some things are inevitable: death, taxes, and bad guys trying to fool us into handing over our money and information. A few months ago I wrote about organizational security trends and preventatives, but so many friends have recently been fooled or attacked that I want to share a couple of the personal cybersecurity trends I am seeing and how we can remain wary to keep thieves at bay.

Phone Phishing
One of the guises miscreants use to get past our defenses is a sense of urgency. By emphasizing the need to act now or else worse things will happen, they work to trigger an instinctive response that avoids thoughtful consideration of what is happening. Several friends and I have recently received phone calls where we were told something had been purchased online in our name—items like computers, phones or other high-dollar technology. In response we could press “1” to approve the purchase or “2” to talk with an agent. One friend chose “2” and was connected to a very friendly person purporting to help them. As part of the verification process, they were instructed to browse to a certain address. When they took this step, a legitimate remote control program was downloaded onto their computer. It was not malware, so security software did not detect anything amiss. Thankfully, at this point, the person’s sense of wariness was sparked, and they hung up. If they had continued, they would have provided the friendly bad guy with access to their PC where they likely would have either installed malware or tried to convince my friend to reveal their account number and password.

One way to protect ourselves from this type of attack is not to answer the phone unless caller ID reveals someone we know. This reduces our sense of urgency and instinct to respond without consideration. If someone leaves a voicemail, we can later check the claim in a safe and more thoughtful manner. If we do answer a call and find a friendly stranger with this type of message, we should note the vendor they claim to represent, hang up, and contact the company at a known legitimate phone number or website. When a stranger calls us, our default stance should be wariness so we do not download software, share information, or otherwise follow their requests.

Email continues to be the primary way bad guys try to gain access to our valuables. And, unfortunately, the bad guys continue to get better at their methods of deceiving us. In our local school district there are significant budget cuts underway, and many of my teacher friends are suffering significant anxiety. This week, the bad guys sent an email purporting to be from a school HR person. More than one teacher clicked on the attachment and provided their personal or work username, password, Social Security number and more. In this case it appeared the email account of a district staff person was compromised. The appearance of legitimacy, coupled with current work-related concerns, made the email especially convincing. The result is many must now alert credit agencies, set up identity theft monitoring, and closely watch activities on their accounts for months to come.

The golden rule of email security is: never click on links or attachments we aren’t expecting. If we think it may be real, we should contact the sender using a different channel, such as phone, in person, or via a known website bookmark to verify the email address is legitimate. This may take a bit of time, but it’s nothing compared to the amount that will be spent by those mentioned above who have fallen prey to the bad guys.

I have written about multifactor authentication (MFA) previously, and it continues to be one of the most inexpensive methods of securing sensitive data. A password is something we know; this is one factor. By enabling MFA, we require a second authorization to log in to our accounts. This second factor may be a code texted to us, an approval request we accept on our phone, or a code that appears in an app like Microsoft or Google Authenticator. By enabling this second factor requirement, the bad guys cannot get in even if they manage to steal our password. And, if we receive an MFA request and are not currently attempting to log in, we should not approve it. It’s a sure sign our password has been compromised and needs to be changed immediately.

MFA is not perfect. There have been stories of thieves triggering 100 MFA requests simultaneously at 1 in the morning knowing many persons will simply approve the request to stop the pinging on their phone. If we experience this, we can just power off the phone and change our password when we get up from bed. Unless we work for an organization the bad guys are specifically trying to infiltrate, this is unlikely to happen to us. So, for most fraud attempts, MFA significantly reduces the risk of losing data or resources.

Each time the bad guys are successful in perpetrating the theft of money and information, it funds thousands of other attempts. The sheer number of attacks and the financial reward of such wholesale hacking means attempts to deceive us are unlikely to diminish in the foreseeable future. However, by each of us strengthening our security posture and remaining wary, we will not only protect ourselves, but our neighbors as well.

Mark Evilsizor has worked in Information Technology for more than 25 years. He currently serves as head of IT for the Linda Hall Library in Kansas City, Mo. Opinions expressed are his own.