Thursday, October 28, 2021

Protect Yourself from Vishing Attacks

 

Most everyone knows of phishing scams: spam emails that ask you to click a link or to send personal information so that someone can access your information. Regular security tests and awareness training help people learn about and protect against phishing scams, keeping individuals and organizations safe. Some scammers will attempt to call and speak to individuals directly instead of trying to get them to divulge sensitive information over email. While most people know of these phone scams, most don't know that using a voice call to attempt to illegally obtain sensitive information is actually called vishing.

Vishing is similar to phishing in that the scammer attempts to trick an individual into giving up sensitive information. Instead of sending an email, though, the scammer makes a phone call and will attempt to speak directly to the individual or get the individual to call them back. Scammers will try to get you to give up sensitive information by pretending to be a trusted company or sometimes an official from the government or a bank. Spoofing technology can let the scam call use automated systems or change the phone number your caller ID displays so that the call seems to come from a trusted number.

Since most vishing attempts will come from an individual impersonating someone you would be willing to give sensitive information to, the caller will most likely know some personal information. The caller will likely know your name, contact information, and workplace, and might even know your address or social security number. Having this information and being able to readily provide it if asked is one of the dangers of vishing, since people are more likely to believe someone who has access to their personal information.

How can you prevent information theft through vishing attacks?

Most importantly, do not provide sensitive information over the phone. You should avoid giving out login information, account data, or personal identifiers over the phone. You should always verify that the number you receive a call from belongs to the organization, without searching for the phone number itself. Look up the company or organization that the individual claims to work with and see if the phone number matches and if the individual appears in a directory, if one is available. If a directory is not available and the caller is asking for sensitive information, call the company office from another phone and ask to speak with the caller. If the company states that there is no one by that name in the office, or if the person in the office is available, you know that the caller is not who they say they are.

If possible, avoid answering calls from unknown numbers and decide if you should respond based on the voicemail if one is left. If you answer a call from an unknown number, do not press keys or respond to automated messages in order to avoid being marked as a potential future target. If you are speaking with someone unknown, try to avoid words that can be recorded and used against you later such as “Yes,” “sure,” “okay,” and “that’s fine.” Hang up at any time on a call that makes you feel uncomfortable or that may be a vishing attempt. 

If you believe that a call may have been a vishing attempt, or if sensitive information is provided over the phone, contact Technology Services so that security measures can be taken.

Monday, October 25, 2021

When you’re ahead of the game, you can’t be gamed - 10 Ways to Be Cyber-Secure at Home






Being aware and prepared is one of the best ways to prevent cyber security attacks in the office or at home. When you know what you are looking for, the chances of falling for an attack are slimmer. When you’re ahead of the game, you can’t be gamed. Here are 10 ways to be cyber-secure when you are at home.

  1.  Identify your perimeter - Less is more! The fewer connected devices and entry points you have, the safer your network is.

  2. Update software and devices regularly - Regular updates make you less vulnerable to attack. Only download updates from the manufacturer and enable auto-updates when possible.

  3. Secure your Wi-Fi network - Routers often have default credentials that people don’t know about. Disable the “remote configuration” option in your router and change both your Wi-Fi password and your router password.

  4. Watch out for insecure websites - Always use HTTPS for sensitive communications. Don’t ignore browser warnings and always remember to check the website address carefully for misspellings and oddly-placed letters or numbers. When in doubt, manually enter the URL in your browser.

  5. Back up your files - Backups save your information if your device breaks or is taken over by an attacker. Back up files to a removable device that can be locked away safely, such as a CD or flash drive.

  6. Don’t download carelessly - Files can contain malware, and websites aren’t always what they appear to be. Always verify sender identity before downloading files and remember: If it comes from an oddly-spelled email or is hosted on a site that makes your browser generate a warning, stay away!

  7. Encrypt devices to deter thieves - Encryption renders files unreadable without the correct key. Some devices offer the option to encrypt individual files or the entire device. Consider which solution suits your needs best.

  8. Practice password safety - Choose long passwords containing uncommon words. Use unique passwords for sensitive accounts and a password manager to help you remember them.

  9. Always use antivirus software - Antivirus needs updates, too! Set it to auto-update.

  10. Keep yourself informed - New cybersecurity bugs and attacks pop up every week. Staying informed about the latest threats will help you be safe!

Remember, you can report all suspicious emails to Technology Services at cchelpdesk@ccis.edu.
Even if you know it is a phishing attack and ignore it, by reporting it you can help the Information Security Team identify and mitigate the attack for others.

Be mindful of the information you post online or on social media.
Social Engineers can use all sorts of information you post to help them take over your identity.

The Information Security Team is growing, and is dedicating itself not only to keeping our systems secure, but also to bringing awareness and education to you to help keep you more secure in the office and at home.

Stay up to date with all that we are doing at our blog! 

Thursday, October 21, 2021

What is Phishing?




We’ve all been there before. Getting into work, coffee in hand, trying to keep yourself awake. You go to check your morning emails and you’ve received what seems to be an email from management stating that employees need to log in to this portal to fill out a form for work. The unaware might walk themselves straight into a classic phishing scam.

 

What is Phishing?

Phishing is a form of online identity theft that uses spoofed or fake emails to lead employees to unknowingly give out their personal usernames and passwords, financial info, or sensitive work data. These scams are usually disguised as coming from a trusted company, such as the bank you use or an online retailer you frequent, or are structured as a work email. The malicious actors then use the data provided to gain access to personal emails, banking information, or even your personal identity. With each passing day, phishing attempts have become more common and more complex.

 

Identifying Phishing

Phishing, in its most basic form, can be identified by an urgent request for personal information via email, or through links in emails. This can be disguised as a bank needing to confirm your login for a transaction, Amazon needing you to log in to Prime to claim a reward, or a request from your workplace to verify your identity by logging into your work's “software” by clicking a shady link.

 

Threats of Phishing

  • Identity Theft
    • Ruining your credit with Credit Cards
    • Crimes being committed in your name
  • Loss of personal accounts
    • Facebook, TikTok, Instagram, etc.
    • Potential of friends and family falling for these scams from someone posing as you
  • Compromised Finances
    • Loss of bank credentials
    • Money transferred out of your account
  • Theft of Company Data
    • Sensitive customer information
    • Company files

 

Tips on Prevention

  • Be suspicious of any email urgently asking for you to login to your account or to hand out personal information. 

  • Never give out your username, password, credit card information, or social security number to anyone over email. Technology Services will never ask for this information over email, and you should not provide it to a company requesting it over email. You can always provide it to them in person or over a phone call.

  • Don’t follow any links in an email unless you are sure the email is legitimate.

  • If you are in a work setting, or if you are ever unsure, get in touch with Technology Services' Information Security Team for confirmation.

Monday, October 18, 2021

Where's My Laptop?

 

Having a laptop can make many aspects of work easier. You can take it to meetings, sit down somewhere for a change of scenery, or even just declutter your workspace with a smaller device. However, having a portable computer like a laptop comes with risks that need to be addressed.

A laptop has a 1 in 10 chance of being stolen over its lifetime, according to the tech company Kensington. The research technology firm Gartner found that a laptop is stolen every 53 seconds. Over half of stolen laptops result in some form of data breach, with sensitive information accessed through the stolen device. A data breach can result in individuals having their personal information stolen, lead to legal or financial issues, or damage the trust the community has in Columbia College keeping their information secure. These issues and more could potentially come from the theft of one laptop. So how can you prevent laptop theft?

The best way to prevent laptop theft is to keep your computer with you! Unattended laptops are the ones that become targets for those who want to steal. Your laptop should not be left in your car, unattended in a public area, or in an unsecured area like an unlocked office. Don’t ask strangers to keep an eye on your laptop if you have to step away. If you have to leave the area in a public space, take your laptop with you!

While keeping your laptop with you is the best way to protect it, no one carries their computer with them 24/7. Your laptop should be left in a secure area while you are away. It is best to keep the laptop out of sight in a drawer or cabinet with a lock so that anyone passing by won’t see that there is an unattended laptop. There are also laptop locks that connect the laptop physically to an object and require a code to remove the device. The room your laptop is stored in should also be secured by locking the office door or keeping it somewhere where others have limited access.

If you are only stepping away from the computer for a period of time, it is important to either lock the laptop or sign out completely so that others cannot access your laptop. It is still best to secure the laptop and room just in case someone with ill intent comes by. Do not keep your passwords or security information written down anywhere that others can access it. This includes workstations, journals/planners, and other unsecured locations.

If your laptop does get stolen, or it looks like someone accessed your device without your information, contact the Technology Service Center immediately so that steps can be taken to maintain the data security of Columbia College.

Thursday, October 14, 2021

Banking Trojan

 










A banking trojan is a malicious program designed to steal financial information or money from online banking apps or other financial platforms. There are many ways a smartphone, laptop, or computer can be infected with a banking trojan. Some of these vectors include:

  • Malicious Adobe Flash Player update
  • Amazon gift card offer scam
  • IRS email phishing scam
  • Malicious JavaScript file
  • Malicious Macro-enabled Word documents
  • Malicious PDF files with weblinks
  • Malicious Google Doc
  • Malicious WhatsApp Updater
  • SMS messages with a link to download a malicious program

Almost every day it seems as though there is a new banking trojan that has been released.  Some of the names are:

  • Trickbot
  • Emotet
  • ZeuS
  • QakBot
  • IcedID
  • Bizarro
  • And many more

Tips to Stay Secure

  • Only install applications from the vendor (Google/Apple)
  • Keep apps and OS updated
  • Consider whether you should give a certain app the permissions it requests
  • Use an anti-malware program
  • Stay aware and vigilant of the various threat vectors


Thursday, October 7, 2021

Mobile/Laptop/Tablet Security












Most folks carry at least one mobile device, i.e., a smartphone. Besides a smartphone, many may also have a laptop and/or tablet. There are several different types of threats to these devices.

Threats

  • Loss, theft, misplacement – Since devices are small, they can easily be lost or stolen. 
     
  • Unauthorized device and data access – If a device is on, unattended, and the screen is left unlocked, a malicious individual could make changes to the device or access data on the device.

  • Malware – Any electronic device with an operating system, such as Windows, OS X, iOS, or Android, is vulnerable to malware. Anti-malware software can be installed on a device to make sure it isn’t infected by malware.

  • Electronic eavesdropping – Malware has the ability to turn on mobile device microphones and/or cameras.  If you have a mobile device in your pocket or near to you, this could be used to listen in on your conversations.

  • Electronic location tracking – Most mobile devices have GPS built in. This can be good: if you misplace your phone, you can find it with a tracking application. It can also be bad, because malicious software can use the GPS functionality to track your location.

Tips for Securing

  • Maintain physical control.

  • Don’t leave device in unlocked vehicle.
    • If you must leave your device in a vehicle, put it in the trunk or conceal the item under the seat and lock the doors.

  • Set a passcode and enable auto-lock.

  • Backup data regularly.

  • Apply critical patches/updates to the operating system and installed apps.

  • Use up-to-date antivirus software on smartphones and tablets.

  • Review the rights apps require before installing.

  • Use full disk encryption on the device – Apple FileVault 2 or Microsoft Windows BitLocker.

Register & Track

  • Register the device with the manufacturer.

  • Always keep your registration, make, model, and serial number in a safe place at home.

  • Asset tag, engrave the device, or apply distinctive paint markings (such as indelible markers) to make it easily identifiable.

  • Use commercial location software such as Apple Find My iPhone, LoJack Security, etc.


Monday, October 4, 2021

Cyber Security is Like a Game of Chess

 


And Checkmate! If you are familiar with chess, this is not something that you want to hear. It means that you are in a position with your king piece that you cannot escape. It’s Game Over man! In case you didn’t know, there’s a serious game being played today involving your data and identity. On one side are cyber attackers, and on the other are those who are trying to defend your privacy and personal accounts. Cyber Security is much like a game of chess!

You might be thinking, A game? Like chess? Well let me explain!

Hacking is probably not a new term for you; in fact, hacking has been around for many years. There is an early account from 1971 where a hacker named John Draper hacked into phone systems using a plastic toy whistle from a cereal box. Crazy, right?

Well, in the early days of the internet and the personal computer, hacking was a game for many hobbyists. (There are still people today who participate in hacking championships for fun.) The early hackers would test the boundaries of what they could do and what they could get away with. However, while some treated hacking as a fun, innocent game, others began to realize the potential for malicious and criminal behavior.

Now jump forward many years: as cyber attackers have become more sophisticated, the security industry has grown to defend against them. With new types of attacks developing all the time, we develop new strategic defenses to block and prevent them. Security tactics now become outdated as soon as attackers find ways around them. Meanwhile, attackers continue to rely more on social engineering tricks that are hard to defend against in general.

They make a move, then we make a move, and then they make a move, and so on and so on!

For us in the Information Security Department at Columbia College, cybersecurity is a lot like a game of chess. There are many pieces to move, and our strategy needs to keep tabs on all of them. We must adjust to our adversaries’ moves, move quickly against attackers, and protect the king at all costs. The cybersecurity game continues, but even as the stakes are rising, the rules are changing. It’s now more complicated than ever.

So, what can you do to help keep you ahead in this always evolving cybersecurity game?

  • Complete your Columbia College annual Cyber Security Training. 
    • This will ensure that you are up to date on best practices when it comes to being cyber secure.
  • Follow the best practices and policies outlined by Technology Services.
  • Use strong passwords and never share your password.
    • Remember that Technology Services will never ask for your Columbia College password.
  • Report all suspicious emails to Technology Services at cchelpdesk@ccis.edu
    • Even if you know it is a phishing attack and ignore it, by reporting it you can help the Information Security Team identify and mitigate the attack for others.  
  • Be mindful of the information you post online or on social media.
    • Social Engineers can use all sorts of information you post to help them take over your identity.
  • Be Aware
    • The Information Security Team is growing, and is dedicating itself not only to keeping our systems secure, but also to bringing awareness and education to you to help keep you more secure in the office and at home.
    • Stay up to date with all that we are doing at our blog!