Human error was the leading cause of data security incidents according to the BakerHostetler Data Security Incident Response Report[i]. Innocent mistakes and a lack of awareness can expose sensitive data, open entry points for malware, lead to theft, and more. It seems as if each month we hear of yet another company being breached. Even more frustrating is that most data breaches are avoidable. Organizations need to adopt the mantra: security is EVERYONE’S responsibility. You don’t have to be an IT Security pro to protect your organization.
A Healthy Dose of Skepticism
In order to thwart attacks, it is important to know how you are being approached. Here are two tactics hackers use on their prey:
Phishing: Def. a hacker tries to obtain sensitive information, typically by sending an email that looks as if it is from a legitimate organization, but contains a link to a fake website that replicates the real one. [ii]
Phishing scams are not new. However, hackers have become more sophisticated in their tactics and much more patient. Scams are harder to detect, and if individuals do not pay attention or use caution, their information can be stolen and used to take over their identity, their funds, their medical records and more. An individual being hacked for their personal data is one thing, but an employee being compromised puts a company’s entire customer population at risk.
Social engineering: Def. the psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.[iii]
Thieves use social engineering methods to get what they want. For example:
- They may call you directly and attempt to gather your information.
- They may state they are with a certain company and ask you to provide them with information to confirm your account.
- They may state there is suspicious activity on your account and request you validate your account.
An Ounce of Prevention
Now that you know how you might be manipulated, what should you do? Here are some tips:
Never click on links:
- That are unexpected and/or from an unknown sender
- Contained in messages sent to an unusual list of people or to an undisclosed mailing list
- Without verifying the target of the hyperlink. (To verify the target of a hyperlink, hover over the link with your cursor. While the cursor is over the link text, look at the status bar in the lower-left corner of the window and confirm that the displayed destination matches the address the link claims to point to.)
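The hover check above compares the address a link claims to point to with where it really goes. The same check can be automated when screening incoming mail; the following is an added example (not from the original article) that parses an HTML message body, finds every link whose visible text reads like a web address, and flags those whose real destination host differs from the host the text names. The sample message, the hostnames, and the function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Anchor text that reads like a URL or a bare domain, e.g. "www.bank.example"
_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


def _host(value):
    """Return the lowercase hostname of a URL or bare domain (minus a leading 'www.'), or None."""
    if "://" not in value:
        value = "http://" + value  # let urlsplit treat a bare domain as a URL
    try:
        host = urlsplit(value).hostname  # ignores any user@ prefix in the authority part
    except ValueError:
        return None
    return host.lower().removeprefix("www.") if host else None


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html):
    """Return (visible_text, href) pairs whose visible text names a different host than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    deceptive = []
    for href, text in parser.links:
        if not _LOOKS_LIKE_URL.match(text):
            continue  # plain words like "Click here" name no host to compare against
        if _host(text) != _host(href):
            deceptive.append((text, href))
    return deceptive


# Constructed sample message: one honest link and two links whose text hides the real target
SAMPLE_EMAIL = """
<p>Your statement is ready at <a href="https://www.bank.example/login">www.bank.example</a>.</p>
<p>Verify your account: <a href="http://bank.example.evil.test/verify">https://bank.example/verify</a></p>
<p><a href="https://bank.example@evil.test/">https://bank.example/</a></p>
"""

if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_EMAIL):
        print(f"link text {text!r} actually points to {href!r}")
```

The third sample link shows why the comparison uses the parsed hostname rather than a string prefix: an address of the form `https://bank.example@evil.test/` is delivered to `evil.test`, with `bank.example` treated as a username.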
Never open attachments:
- That are unexpected and/or from an unknown sender
- Without verifying the integrity of the attachment
Never enter any sensitive data into a form: e.g., names, logins, passwords, contact information, account numbers, and so on.
Manually validate when you are unsure. If you receive an unexpected or suspicious email from someone you know, contact them directly (by phone) to validate it. Remember, email addresses can be spoofed so don’t reply to a suspicious message. Using an alternative method to validate is the best course of action.
Always be cautious with anyone, even if they are a co-worker, who is asking you for information until you have verified the source of the request and that they have an actual business need for the information.
Put into Practice
Let’s put these tips into practice. Here are a few examples of social engineering:
Scenario 1: You receive a phone call and the caller says they were just speaking with a woman in sales, but that they don’t remember her name. What should you do?
- Do not suggest names of people it may have been that they talked with. Do not offer to transfer them to any one individual, but only transfer them to queues.
- Do not give out email addresses, extensions, or any other information about employees or customers.
Scenario 2: Someone visits your office and says they are from the alarm company, and they need to inspect your equipment.
- Ask for identification.
- Ask them with whom they scheduled the visit.
- Contact that person to verify this claim.
- Do not give them access to anything without supervision.
Scenario 3: You receive an email from a co-worker claiming they need you to give them sensitive information in order to carry out a task.
- Call the person who allegedly sent the email and manually verify that they sent it.
- Always be cautious with anyone who is asking you for information until you have verified the source of the request and that they have an actual business need for the information.
- Please remember that no legitimate source will ever ask for your username and password in an email.
Avoid the Oops
Protecting sensitive data is paramount to your business and it is everyone’s responsibility to carry out that commitment. Be cautious, be aware, and make good choices.