8 Critical steps to take after a ransomware attack: Ransomware response guide for businesses - Part 1
Failing to prepare is preparing to fail.
So you don't have a plan or system in place for Disaster Recovery and Business Continuity? That's a shame, because you could have avoided reading this guide altogether if you did.
In the event of a ransomware attack, an effective response plan can mean the difference between panic and decisive action. It can mean the difference between a company-wide infection and a contained incident; the difference between swift remediation and permanent business closure.
In this guide, we’re going to discuss in detail exactly how businesses should respond to a ransomware attack and explore preventative measures that can help reduce the risk of infection.
How to respond to a ransomware attack
If preventative measures fail, organizations should take the following steps immediately after identifying a ransomware infection.
1. Isolate affected systems
Isolation should be considered top priority. The vast majority of ransomware will scan the target network, encrypt files stored on network shares and try to propagate laterally to other systems. To contain the infection and prevent the ransomware from spreading, infected systems must be removed from the network as soon as possible.
2. Secure backups
While backups play a crucial role in remediation, it’s important to remember that they are not immune to ransomware. To thwart recovery efforts, many modern ransomware strains will specifically target a company’s backups and try to encrypt, overwrite or delete them.
In the event of a ransomware incident, organizations must secure their backups by disconnecting backup storage from the network or locking down access to backup systems until the infection is resolved.
3. Disable maintenance tasks
Organizations should immediately disable automated maintenance tasks such as temporary file removal and log rotation on affected systems, as these tasks can interfere with files that may be useful for investigators and forensics teams.
For example, file logs may contain valuable clues regarding the initial point of infection, while some poorly programmed ransomware variants may store important information (such as encryption keys) inside temporary files.
4. Create backups of the infected systems
Organizations should create backups or images of the infected systems after isolating them from the network. There are two main reasons for doing so:
Prevent data loss. Some ransomware decryptors contain bugs that can damage data. For instance, the decryptor of a prolific ransomware family known as Ryuk was known to truncate files, cutting off one byte of each file during the decryption process. While this didn’t cause major issues for some file formats, other file types – like virtual hard disk file formats such as VHD/VHDX, as well as many Oracle and MySQL database files – store important information in the last byte and were at risk of being corrupted after decryption.
Having a backup of infected systems ensures data integrity. If something goes wrong during the decryption process, victims can roll back their systems and try to repeat the decryption, or contact a ransomware recovery specialist for a reliable, custom-built decryption solution.
Free decryption may be possible in the future. If the encrypted data is not critical to an organization’s operations and does not need to be urgently recovered, it should be backed up and stored securely, as there’s a chance that it may be decryptable in the future.
There have been instances of law enforcement agencies apprehending ransomware authors and C&C servers being found, which resulted in the release of decryption keys and allowed victims to recover their data for free. In addition, a number of ransomware groups – including Shade, TeslaCrypt and CrySis, among others – have willingly released decryption keys after shutting down their operations.
5. Quarantine the malware
Victims should never outright remove, delete, reformat or reimage infected systems unless specifically instructed to by a ransomware recovery specialist. Instead, the malware should be quarantined, which allows investigators to analyze the infection and identify the exact strain of ransomware responsible for encrypting files. Removing the entire infection makes it extremely difficult for recovery teams to find the specific ransomware sample involved in the attack.
If the malware is still running, memory dumps should be made prior to quarantine to create a full record of any malicious processes that are running. The memory dump may contain the key material that was used to encrypt the files, which can potentially be extracted and used to help victims decrypt files without paying the ransom.
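As an added example of steps 1 to 5 applied to a single Windows host (this script is not part of the Emsisoft guide), the PowerShell below captures volatile state, isolates the machine, stops automated clean-up and records recent file changes for the investigators. It assumes an elevated local console on the affected machine and a removable evidence drive at E:\ (both placeholders); it deliberately kills and deletes nothing, and it does not replace a proper memory dump or disk image, which need dedicated acquisition tools.

```powershell
# Added example, not part of the Emsisoft guide: first-responder triage of one
# Windows host suspected of ransomware infection, following steps 1-5 above.
# Assumptions (placeholders): elevated local console on the affected machine,
# evidence written to a removable drive mounted at E:\. Nothing is killed,
# deleted or "cleaned" (step 5: quarantine, don't remove). Memory dumps and
# disk images (steps 4/5) need dedicated acquisition tools and are not done here.

$evidence = "E:\IR-${env:COMPUTERNAME}-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $evidence -Force | Out-Null

# Volatile state first, while the malware is still running and still connected.
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, UserName, StartTime |
    Export-Csv -Path "$evidence\processes.csv" -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -Path "$evidence\tcp-connections.csv" -NoTypeInformation
Get-ScheduledTask | Select-Object TaskName, TaskPath, State |
    Export-Csv -Path "$evidence\scheduled-tasks.csv" -NoTypeInformation

# Step 2 (local part): record which shadow copies still exist before anything
# else can delete them; backup servers and shares are secured separately.
vssadmin list shadows | Out-File -FilePath "$evidence\shadow-copies.txt"

# Step 1: isolate. Disable every active network adapter; the local console
# session keeps working.
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

# Step 3: stop automated clean-up. Windows' own disk clean-up task lives under
# this path; add any site-specific temp-file or log-rotation jobs here.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' -ErrorAction SilentlyContinue |
    Disable-ScheduledTask | Out-Null

# Preserve event logs now, before rotation or a clean-up job overwrites them.
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil epl $log "$evidence\${log}.evtx"
}

# Steps 4/5 support: timeline of files written in the last 24 hours under the
# user profiles and ProgramData, with SHA-256 hashes, so investigators can pick
# out ransom notes and dropped binaries for identification (step 7) without
# touching the originals. Size cap keeps hashing time reasonable.
Get-ChildItem -Path "$env:SystemDrive\Users", $env:ProgramData -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) -and $_.Length -lt 50MB } |
    Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } } |
    Export-Csv -Path "$evidence\recent-files.csv" -NoTypeInformation
```

Run order matters: the process and connection snapshot comes before the adapters are disabled, because the network state is part of the evidence and disappears the moment the host is isolated.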
6. Identify and investigate patient zero
Identifying patient zero (i.e. the source of the infection) is crucial for understanding how attackers gained access to the system, what other actions they took while they were on the network and the extent of the infection. Detecting the source of the infection is useful for not only resolving the current incident, but can also help organizations address vulnerabilities and reduce the risk of future compromise.
It can be challenging to identify the original point of compromise because, in many cases, the threat actors will have been on the system for weeks or even months before deploying the ransomware payload. Companies that lack the resources or expertise to perform thorough digital forensics should consider enlisting the services of a professional forensics company.
7. Identify the ransomware strain
Organizations can use free services such as Emsisoft’s online ransomware identification tool or ID Ransomware to determine which strain of ransomware they have been impacted by.
These tools allow users to upload a ransom note, a sample encrypted file and the attacker’s contact information, and analyze the data to identify which ransomware strain has impacted the user’s files. They also direct the user to a free decryption tool if one is available.
8. Decide whether to pay the ransom
If backups are damaged and there is no free decryption tool available, organizations may be tempted to pay the ransom in order to recover their files.
While paying the ransom can help reduce disruption and may be cheaper than the overall cost of downtime, it is not a decision that should be taken lightly. Organizations should only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in the company going out of business.
The following factors should be considered:
With the help of Emsisoft.
Apart from some slightly clumsy wording (but when was the last time you received an email about a technical matter that was plainly written in perfect English?) and a tiny error of grammar, we thought it was surprisingly believable and worth writing up on that account, to remind you how modern phishers are presenting themselves.
Yes, you ought to be suspicious of emails like this. No, you shouldn’t click through even out of interest. No, you should never enter your email password in circumstances like this.
But the low-key style of this particular scam caught our eye, making it the sort of message that even a well-informed user might fall for, especially at the end of a busy day, or at the very start of the day after.
Here’s how it arrives – note that in the sample we examined here, the crooks had rigged up the email content so that it seemed to be an automated message from the recipient’s own account, which fits with the theme of an automatic delivery error:
Incoming messages for [REDACTED] couldn’t be delivered.
This message was sent in response to multiple incoming messages being rejected consistently from 2:00 AM, Wednesday, August 19, 2020.
To fix, recover and prevent further rejection of emails by our server, connect to your Company-Assigned OWA portal securely below.
Only if you were to dig into the email headers would it be obvious that this message actually arrived from outside and was not generated automatically by your own email system at all.
The clickable link is perfectly believable, because the part we’ve redacted above (between the text https://portal and the trailing /owa, short for Outlook Web App) will be your company’s own domain name.
But even though the blue text of the link itself looks like a URL, it isn’t actually the URL that you will visit if you click it.
Remember that a link in a web page consists of two parts: first, the text that is highlighted, usually in blue, which is clickable; second, the destination, or HREF (short for hypertext reference), where you actually go if you click the blue text.
A link is denoted in HTML by an ANCHOR tag that appears between the markers <A> and </A> while the destination web address is denoted by an HREF attribute inside the opening anchor tag delimiter.
This is a <A HREF='https://example.com'>clickable link</A> going to EXAMPLE.COM
But the link <A HREF='https://example.com'>https://different.example</A> also goes to EXAMPLE.COM, because the URL used is determined by the HREF setting, even if the text of the link itself looks like a URL. The domain DIFFERENT.EXAMPLE here isn't actually a web address, it's just text that looks like a web address.
Why not just block links that look deceptive?
If you’re thinking that “links that deliberately look as though they go somewhere else” sound suspicious, you’d be right.
You might wonder why browsers, operating systems and cybersecurity products don’t automatically detect and block this kind of trick, where there’s an obvious and deliberate mismatch between the clickable text and the link it takes you to.
Unfortunately, even mainstream sites use this approach, making it effectively impossible to rely up front on what a link looks like, or even where it claims to go in your browser, in order to work out exactly where your network traffic will go next.
For instance, here’s a Google search for here's an example:
You can see that if you ① search for here's an example, you’ll receive an answer in which ② an explicit domain name (in this case, english.stackexchange.com) is used as the visible text of a clickable link.
You can also see that when you hover over the domain name link, you’ll see ③ a full URL that apparently confirms that clicking the link will take you to the named site.
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=[REDACTED]&url=https%3A%2F%2Fenglish.stackexchange.com%2Fquestions%2F225855%2Fheres-an-example[...]
Eventually, you will end up at the URL shown at position ③ in the screenshot above, but you’ll be redirected (quickly enough that you might not notice) via a Google track-and-redirect link first.
So you do end up where the browser told you, but not quite as explicitly and directly as you might have expected – you get there indirectly via Google’s own advertising network.
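To make both points concrete (the anchor-text-versus-HREF distinction from the HTML discussion above, and the Google track-and-redirect link just shown), here is an added PowerShell example that is not part of the Sophos article. It pulls every anchor out of an email body, unwraps the Google /url? redirector to find the effective destination, and flags anchors whose visible text looks like a URL or domain but points somewhere else. The sample HTML is constructed; portal.example.com and storage.example.net are placeholders for the redacted company domain and the cloud storage host.

```powershell
# Added example (not from the Sophos article): list each anchor's visible text,
# HREF and effective destination, and flag text/destination mismatches.
# Sample HTML is constructed; example.com/.net hosts are placeholders.

function Get-RedirectTarget {
    param([string]$Href)
    # Google's /url? redirector carries the real destination in its 'url'
    # query parameter (see the URL shown above). Return it decoded; for any
    # other link return the HREF unchanged.
    $uri = [System.Uri]$Href
    if (($uri.Host -like '*.google.com' -or $uri.Host -eq 'google.com') -and $uri.AbsolutePath -eq '/url') {
        foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
            $kv = $pair -split '=', 2
            if ($kv.Count -eq 2 -and $kv[0] -eq 'url') {
                return [System.Uri]::UnescapeDataString($kv[1])
            }
        }
    }
    return $Href
}

function Test-AnchorMismatch {
    param([string]$Html)
    # Crude anchor extraction; good enough for plain mail bodies.
    $pattern = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase, Singleline')) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $dest = Get-RedirectTarget $href
        $destHost = ([System.Uri]$dest).Host
        # Only text that itself looks like a URL or bare domain can deceive;
        # "clickable link" has no host to compare against.
        $textHost = $null
        if ($text -match '^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)') { $textHost = $Matches[1] }
        [pscustomobject]@{
            Text        = $text
            Href        = $href
            Destination = $dest
            Mismatch    = ($null -ne $textHost) -and ($textHost -ne $destHost)
        }
    }
}

# Constructed sample body: the phish-style link, a Google redirect, a harmless link.
$sample = @'
<p>connect to your portal <a href="https://storage.example.net/tmp/login.html">https://portal.example.com/owa</a></p>
<p><a href="https://www.google.com/url?sa=t&url=https%3A%2F%2Fenglish.stackexchange.com%2Fquestions%2F225855">english.stackexchange.com</a></p>
<p><a href="https://example.com">clickable link</a></p>
'@

Test-AnchorMismatch $sample | Format-Table -AutoSize
```

The first anchor is reported with Mismatch True (text says portal.example.com, destination is storage.example.net); the Google link unwraps to english.stackexchange.com and is not a mismatch, which is exactly why this check alone cannot be used to block links, as the article explains; the plain "clickable link" has no domain in its text and is never flagged.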
What happens next?
The good news is that in the case of this phish you will see the actual web page you’ll be taken to if you hover your cursor over the link-that-looks-like-a-different-link.
So you ought to spot this phish easily if you stop to check where the link-that-looks-internal really ends up.
In our case (note that the exact URL and server name may vary every time), the real link did not go to https://portal.[REDACTED]/owa, as suggested by the text of the link.
Instead, it went to a temporary Microsoft Azure cloud web storage URL, as shown below, which clearly isn’t the innocent-looking URL implied in the email:
The phishing page
If you do click through, and your endpoint or firewall filter doesn’t block the request, you will see a phishing page that we must grudgingly admit is elegantly simple:
Your email address is embedded in the link in the email that you click on, so the phishing page can fill in the email field as you would probably expect.
When we tried this page, deliberately putting in fake data, we received an error message after the first attempt, as though we’d made a mistake typing in the password:
No matter what we did the second time, we achieved “success”, and moved onwards in the scam.
How it ends
One tricky problem for phishing crooks is what to do at the end, so you don't belatedly realise it's a scam and rush off to change your password (or cancel your credit card, or whatever it might be).
In theory, they could try using the credentials you just typed in to log in for you and then dump you into your real account, but there's a lot that could go wrong.
The crooks almost certainly will test out your newly-phished password pretty soon, but probably not right away while you are paying attention and might spot any anomalies that their attempted login might cause.
They could just put up a "thanks, you may now continue normally" page, and often that's exactly what they do as a simple way to sign off their scam.
Or they find a page that's related to the account they were phishing for, and redirect you there.
This leaves you on a web page that really does have a genuine URL in the address bar – what's often called a decoy page because it leads you out at the end of the scam with your innocence intact.
That’s what happened here – it’s not perhaps exactly the page you might expect, but it’s believable enough because it leaves you on a genuine Outlook-related web page with a genuine Microsoft URL:
What to do?
Paul Ducklin, Sophos.
Gone are the days when the internet felt novel: AOL Instant Messenger opened up a new way of communicating; Google searches yielded new info at mindblowingly quick speeds; a shared computer in a common space was the norm. We lived and learned through our amateur mistakes—getting hacked, falling for phishing scams, using our first names and birthdays as passwords.
For younger generations who’ve grown up with technology and social media, the internet has always been ubiquitous. They carry it in their pockets, and use it to stay chronically connected to friends and to navigate everyday life and learning. Is security at the forefront of their minds, or is it something they take for granted? Essentially, are they doomed to repeat our mistakes?
Now that many schools are operating virtually, it’s the perfect time to evaluate your kids’ understanding and awareness of digital privacy, and brush up on your own knowledge so that you can be a good guide. Here are CompuBC's tips for encouraging good cybersecurity habits in kids.
Instill confidence, not fear
The internet can be murky, but we can’t expect kids to avoid it. Rather than talking about the internet like it’s the boogeyman, arm your kids with the knowledge they need to navigate safely:
Just like you’d stress the importance of keeping an ATM PIN secure, remind them that login info and passwords are for their eyes only. Teach good password creation habits.
Make sure they check with you before downloading apps (you can also set parental controls on an iPhone or Apple Device to prevent downloads and purchases from the App Store). For Android, Google offers a Family Link app that allows you to pair your device with your kids’, manage their app downloads, and set limits on screen time.
Websites and WiFi
Teach them how to identify a secure WiFi network. The simplest rule: if you click on a network and it asks for either a WPA or WPA2 password, you know it’s secure. Both types of passwords are keys for accessing a secured WiFi network; the latter is a more recent version that uses AES (Advanced Encryption Standard) encryption for maximum security. They’ll also want to make sure that websites start with “https” (the ‘s’ here means secure). Limit their access to specific web content using parental controls, which you can set up on their Apple and Android devices.
Preach Healthy Skepticism
A year-long Stanford study concluded that most school-age children have a hard time differentiating between articles and sponsored content, and possess a general lack of skepticism when it comes to what they read online. Advertisers and content creators are adept at getting users to click and explore ads, apps, games, and articles—just think how likely you are to let curiosity get the best of you when presented with targeted ads. It’s important to encourage kids to think critically about the information they’re presented with online, and to be critical thinkers when navigating the internet.
Teach kids about the permanence of shared info online
A good golden rule: if you can’t share it with your parents, it’s probably not something you want to put online. There’s certainly a tendency to overshare on social media, and the consequences can range from sheer regret to jeopardizing kids’ safety. Remind your kids that what they put online, even in private channels, stays online, and can be found if someone really wants to find it. Depending on their age, it’s a good idea to monitor their social media accounts, and tell them to keep their accounts private and avoid friending anyone they don’t know in real life. Schedule a check-in with them and scope out their requests and DMs to rid them of bots and scammers.
Don’t go it alone—use schools and other learning tools as resources
Many schools have their own policies when it comes to using personal devices at school. Talk to your child’s school to find out their rules, and to see if they teach students “digital literacy”—seeing media through a critical lens. Resources like Common Sense offer courses for empowering students in their digital lives, helping them become more adept at navigating the internet.
Practice what you preach
Familiarize yourself with good cybersecurity habits, from understanding the trail you leave online to quickly improving your online security. Be a resource should they come to you for advice. Set good examples when using your devices, such as not texting while you drive, and being mindful of your own screen time, as kids are likely to pick up on these habits. Likewise, underscore the importance of keeping track of your devices and making sure they are password-protected.
Every week or so, news of yet another company’s data breach breaks. Often, the news stories will include a list of what data was or wasn’t compromised: emails, credit card numbers, addresses, etc.
So, you might assume that if a news story doesn’t include “passwords” on the list of compromised data after a breach, there’s no rush to go reset yours.
But actually, resetting your password for any compromised account, regardless of whether that password was exposed, is exactly what you should do.
Why you should update your password for any compromised account
Even though 91% of people know that reusing passwords across accounts is bad, 59% of people still reuse their passwords—even between personal and work accounts.
There’s a chance the password you’re using on a compromised account is also being used elsewhere. And if someone already has your email address or other personal information from one breach, and then gets your reused password through another, they can put two and two together to hack your accounts.
It’s also possible that the breadth or depth of a breach may not be apparent or reported until months later, so passwords may indeed have been involved. Why take the risk?
The bottom line: No matter the extent of a company’s data breach, you should go change that password ASAP.
Here are a few more tips for creating strong passwords, and other smart password practices
Questions regarding the use of "anti-virus" or similarly categorized "Internet security" products frequently arise on this site. Many of them are from new Mac users whose previous computer experience was limited to traditionally virus-prone Windows PCs. Early Microsoft Windows versions were notoriously vulnerable to unauthorized modifications and malicious interference, which gave rise to a cottage industry of "anti-virus" software companies responding to a need for the operating system security Microsoft neglected to provide.
Apple and Microsoft's respective operating systems were originally conceived and developed completely separately, for use with completely different hardware, and their evolution has only diverged since their inception. In recent years Microsoft has made great strides in protecting its Windows operating system, but owing to macOS's original concept as a multi-user, multitasking operating system incorporating a fundamental requirement to keep users separate from one another, it was never as vulnerable to begin with. With each new release, macOS has only grown more secure from unauthorized tampering.
It's important to understand the nature of threats that exist today, and to appreciate the fact that "anti-virus" software peddlers have been reduced to abject panic as their traditional Windows PC market suffers its inevitable decline. The cottage industry described in the first paragraph has since grown to a multi-billion dollar behemoth with entrenched interests—an enormous beast that demands to be fed. The PC market's demise has led to a predictable response from them and shills who represent their interests, asserting that since Macs are rapidly growing in popularity, they have become just as vulnerable to "viruses" as PCs, implying an even greater need for the products they sell. It just isn't so.
What is true is that the growing base of Mac users are being increasingly targeted and exploited for scams that seek to defraud them of their hard-earned money. Criminals who seek to do that cannot succeed without your help. Don't give them the satisfaction.
The following describes simple principles that will serve to protect your Mac, and yourself, from the various threats that exist today. It's long, but if you read nothing else, read the first three numbered points and the Summary at the end. They are equally applicable to Macs, PCs, mobile devices or anything else that uses software to communicate with the world beyond it.
There will always be threats to your information security associated with using any Internet-connected communications tool:
macOS already includes everything it needs to protect itself from viruses and malware. Keep it that way with software updates from Apple.
Rather than asking which non-Apple "anti-virus" or "Internet security" product is best, a much better question is "how should I protect my Mac":
Summary: Use common sense and caution when you use your Mac, just like you would in any social context. There is no product, utility, or magic talisman that can protect you from all the evils of mankind.
Businesses across the world have been targeted by a new cyber scam that impersonates Google Chrome update download pages.
Researchers at Proofpoint identified the malware campaign targeting organizations in Canada, France, Germany, Spain, Italy, the United Kingdom, and the United States, with thousands of messages sent around the world over the course of just a few weeks.
The messages told the victims they needed to upgrade to the latest version of the Google Chrome or Internet Explorer browser, but actually included links to websites compromised with malware.
Google Chrome malware
Proofpoint identified the campaign as being the work of prolific threat actor TA569, also known as SocGholish, as the compromised messages included links to websites compromised with SocGholish HTML injects.
These injects are able to analyse the geolocation, operating system, and browser used by the recipient, and if deemed a suitable victim, look to convince them to click on a link in the email message.
Rather than the promised Google Chrome update, however, clicking on this link downloads one of several malicious payloads. Proofpoint analysis spotted a banking Trojan (Chthonic) that was a variant of the notorious Zeus banking Trojan, as well as remote-control software (NetSupport) that can give hackers remote access to compromised systems.
The attack targeted a number of major businesses across multiple verticals, including education, state governments, and manufacturing, and numerous others.
"While this technique isn’t new, it’s still effective because it exploits the intended recipient’s desire to practice good security hygiene," Proofpoint wrote in a blog post outlining the findings.
"Keeping software updated is a common piece of security advice, and this actor uses that to their advantage. These campaigns illustrate that malware and threat actor tactics don’t have to be novel to find success, even in today’s rapidly changing threat landscape."
Encrypting every bit of data on a Windows 10 PC is a crucial security precaution. Every edition of Windows 10 includes strong encryption options, with business editions having the best set of management tools. Here's a hands-on guide
If your PC were lost or stolen, you'd probably cringe at the cost of replacing it. But that's nothing compared to what you'd stand to lose if someone had unfettered access to the data on that device. Even if they can't sign in using your Windows user account, a thief could boot from a removable device and browse the contents of the system drive with impunity.
The most effective way to stop that nightmare scenario is to encrypt the entire device so that its contents are only available to you or someone with the recovery key.
BitLocker is the brand name that Microsoft uses for the encryption tools available in business editions of Windows (desktop and server). A limited but still effective subset of BitLocker device encryption features are also available in Windows 10 Home editions. Here's how to make sure your data is protected.
HOW DOES BITLOCKER WORK IN WINDOWS 10?
On all devices that are designed for Windows 10 (see the following section for the hardware requirements), device encryption is automatically enabled. Windows Setup automatically creates the necessary partitions and initializes encryption on the operating system drive with a clear key. To complete the encryption process, you must perform one of the following steps:
The most important hardware feature required to support BitLocker Device Encryption is a Trusted Platform Module chip, or TPM. The device also needs to support the Modern Standby feature (formerly known as InstantGo).
Virtually all devices that were originally manufactured for Windows 10 meet these requirements.
For the most part, BitLocker is a set-it-and-forget-it feature. After you enable encryption for a drive, it doesn't require any maintenance. You can, however, use tools built into the operating system to perform a variety of management tasks.
The simplest tools are available in the Windows graphical interface, but only if you are running Windows 10 Pro or Enterprise. Open File Explorer, right-click any drive icon, and click Manage BitLocker. That takes you to a page where you can turn BitLocker on or off; if BitLocker is already enabled for the system drive, you can suspend encryption temporarily or back up your recovery key from here. You can also manage encryption on removable drives and on secondary internal drives.
On a system running Windows 10 Home, you'll find an on-off button under Settings > Update & Recovery > Device Encryption. A warning message will appear if device encryption hasn't been enabled by signing into a Microsoft account.
For a much larger set of tools, open a command prompt and use one of the two built-in BitLocker administrative tools, manage-bde or repair-bde, with one of its available switches. The simplest and most useful of these is manage-bde -status, which displays the encryption status of all available drives. Note that this command works on all editions, including Windows 10 Home.
SAVING AND USING A RECOVERY KEY
Under normal circumstances, you unlock your drive automatically when you sign in to Windows 10 using an account that's authorized for that device. If you try to access the system in any other way, such as by booting from a Windows 10 Setup drive or a Linux-based USB boot drive, you'll be prompted for a recovery key to access the current drive. You might also see a prompt for a recovery key if a firmware update has changed the system in a way that the TPM doesn't recognize.
As a system administrator in an organization, you can use a recovery key (manually or with the assistance of management software) to access data on any device that is owned by your organization, even if the user is no longer a part of the organization.
The recovery key is a 48-digit number that unlocks the encrypted drive in those circumstances. Without that key, the data on the drive remains encrypted. If your goal is to reinstall Windows in preparation for recycling a device, you can skip entering the key and the old data will be completely unreadable after setup is complete.
Your recovery key is stored in the cloud automatically if you enabled device encryption with a Microsoft account. To find the key, go to https://onedrive.com/recoverykey and sign in with the associated Microsoft account. (Note that this option works on a mobile phone.) Expand the listing for any device to see additional details and an option to delete the saved key.
If you enabled BitLocker encryption by joining your Windows 10 device with an Azure AD account, you'll find the recovery key listed under your Azure AD profile. Go to Settings > Accounts > Your Info and click Manage My Account. If you're using a device that's not registered with Azure AD, go to https://account.activedirectory.windowsazure.com/profile and sign in with your Azure AD credentials.
Find the device name under the Devices & Activity heading and click Get BitLocker Keys to view the recovery key for that device. Note that your organization must allow this feature for the information to be available to you.
Finally, on business editions of Windows 10, you can print or save a copy of the recovery key and store the file or printout (or both) in a safe place. Use the management tools available in File Explorer to access these options. Use this option if you enabled device encryption with a Microsoft account and you prefer not to have the recovery key available in OneDrive.
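The same status check and recovery-key handling can be scripted. The PowerShell below is an added example, not from the guide: it reports what manage-bde -status reports, flags volumes that are not fully protected, makes sure the operating system drive has a 48-digit recovery password protector, and then either saves that key to a file or escrows it to Azure AD. It assumes an elevated session on Windows 10 Pro/Enterprise with the BitLocker module, and the output path D:\ is a placeholder that should point at removable media or a secured share, never at the encrypted drive itself.

```powershell
# Added example (not from the ZDNet guide): audit BitLocker volumes and back up
# the OS drive's recovery password. Assumes an elevated PowerShell session on
# Windows 10 Pro/Enterprise; the output file location is a placeholder.

Import-Module BitLocker

# One object per volume: the same information 'manage-bde -status' prints.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage |
    Format-Table -AutoSize

# Anything with protection off, or still encrypting, is readable without a key.
$unprotected = Get-BitLockerVolume | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.EncryptionPercentage -lt 100
}
foreach ($v in $unprotected) {
    Write-Warning "$($v.MountPoint) is not fully protected (status $($v.ProtectionStatus), $($v.EncryptionPercentage)% encrypted)"
}

$osVolume = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'

# The 48-digit recovery key is a 'RecoveryPassword' protector. Devices set up
# with a TPM alone may lack one; add it so the key can be backed up at all.
$recovery = $osVolume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $osVolume.MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Option 1: save to a file, the scripted equivalent of File Explorer's
# "Save to a file". $outFile is a placeholder; keep it off the encrypted drive.
$outFile = "D:\BitLocker-RecoveryKey-${env:COMPUTERNAME}.txt"
$recovery | ForEach-Object {
    "Identifier: $($_.KeyProtectorId)`nRecovery Key: $($_.RecoveryPassword)"
} | Set-Content -Path $outFile

# Option 2: escrow to Azure AD (device must be Azure AD joined or registered),
# which is where the guide says to look for the key on Azure AD devices.
foreach ($kp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osVolume.MountPoint -KeyProtectorId $kp.KeyProtectorId
}
```

The KeyProtectorId printed next to each key is the identifier Windows shows on the recovery screen, so storing both together lets you match the right key to the right prompt when a device has been re-keyed more than once.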
BITLOCKER TO GO
Removable storage devices need encryption too. That includes USB flash drives as well as MicroSD cards that can be used in some PCs. That's where BitLocker To Go comes in.
To turn on BitLocker encryption for a removable drive, you must be running a business edition of Windows 10. You can unlock that drive on a PC running any edition, including Windows 10 Home.
As part of the encryption process, you need to set a password that will be used to unlock the drive. You also need to save the recovery key for the drive. (It's not automatically saved to a cloud account.)
Finally, you need to choose an encryption mode. Use the New Encryption Mode (XTS-AES) option if you plan to use the device exclusively on Windows 10. Choose Compatible Mode for a drive you might want to open on a device running an earlier version of Windows.
The next time you insert that device into a Windows PC, you'll be prompted for the password. Click More Options and select the checkbox to automatically unlock the device if you want easy access to its data on a trusted device that you control.
That option is especially useful if you're using a MicroSD card for expanded storage capacity on a device such as a Surface Pro. After you sign in, all of your data is immediately available. If you lose the removable drive or it is stolen, its data is inaccessible to the thief.
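The wizard steps just described (password, recovery key, encryption mode, auto-unlock) map onto the BitLocker cmdlets. The PowerShell below is an added example, not from the guide; it assumes a business edition of Windows 10, an elevated session, a removable drive mounted at E: (placeholder), and that the "New encryption mode" of the wizard corresponds to the XTS-AES methods and "Compatible mode" to the CBC AES methods of Enable-BitLocker (my reading of the mode names, not something the guide states). The recovery key goes to a placeholder file path, since for removable drives it is not saved to a cloud account automatically.

```powershell
# Added example (not from the ZDNet guide): BitLocker To Go from PowerShell.
# Assumptions: Windows 10 Pro/Enterprise, elevated session, removable drive at E:.

Import-Module BitLocker

$drive = 'E:'
$password = Read-Host -Prompt "Password to unlock $drive" -AsSecureString

# Encryption mode. XtsAes128/XtsAes256 = "New encryption mode", readable only
# by Windows 10 (1511 and later); Aes128/Aes256 (AES-CBC) = "Compatible mode"
# for drives that must open on earlier Windows versions. (Assumed mapping.)
$method = 'XtsAes256'   # assumption: this drive stays on Windows 10 only

# Password protector first; -UsedSpaceOnly mirrors the wizard's faster option
# for a drive that has not held sensitive data before.
Enable-BitLocker -MountPoint $drive -EncryptionMethod $method -PasswordProtector -Password $password -UsedSpaceOnly

# Recovery password protector: the 48-digit key, saved off the drive itself.
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
$keyFile = "$env:USERPROFILE\Documents\BitLockerToGo-$($drive.TrimEnd(':'))-RecoveryKey.txt"   # placeholder
"Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $keyFile

# Same as ticking "Automatically unlock on this PC" at the unlock prompt.
# Requires the OS drive of this PC to be BitLocker-protected itself.
Enable-BitLockerAutoUnlock -MountPoint $drive

# Encryption continues in the background; this is 'manage-bde -status E:'.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod
```

Re-run the last command until EncryptionPercentage reaches 100 before removing the drive; ProtectionStatus On with a partially encrypted volume still leaves the unencrypted remainder readable.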
On a personal note
People like to feel protected, and computer manufacturers like to enable drive encryption at the factory; it is all good and well until you have a problem with your Windows OS or a faulty hard drive.
If you can't boot into Windows for any reason, OS related or hardware related, your IT support will need the encryption key in order to recover/repair your Windows OS or extract your important data from your drive.
Without the encryption key it is mission impossible, so save your encryption key in a safe place away from your hard drive, and log in with a Microsoft account and make sure the encryption key is saved on your account.
Sometimes it’s obvious. That message from a Nigerian prince requesting you wire $2,000? Ok, probably not going to fall for that one. If the CEO of your company asks for your credit card information via email? Something is definitely off. But often phishing is harder to spot.
Phishing is a common scheme in which someone poses as a trusted party (like a bank or government employee) in an attempt to steal personal information, such as credit card numbers, usernames, and email addresses.
You might get an email that appears to be from Netflix, asking you to log in or your account will be terminated. It could come as a text from Best Buy offering you a gift card if you enter your account information. If it looks too good to be true, it probably is, and if something just feels off, it's worth taking a closer look.
How can you avoid phishing?
Phishing attempts will often include a false story meant to lure you into entering your sensitive information.
Some common forms:
Things to watch out for
High sense of urgency
Hackers will often create a sense of urgency like threatening you with the loss of service. For instance, a phishing email from someone posing as a bank or another financial institution might ask for you to “confirm your account” and re-submit your payment information or else your account will be terminated. Don’t panic. If something seems strange or alarming, it’s worth taking a pause to investigate.
Since cyber criminals often send hundreds of emails at a time, another clue that it may be a fake email is the lack of a personalized greeting. Proceed with caution if the email doesn’t include your name or username, or addresses you simply as “Customer” or “Account Holder.”
One quick way to tell the difference between an official communication from a service you use and a phishing scam is to look for misspelled words and poor grammar in the body of the email.
Actions you can take
Check the sender’s email address
Cyber criminals will often create an email account that closely resembles a company’s official email address. For instance, a phishing address pretending to be Amazon might drop the “A” in “Amazon”, a difference that is easy to miss at a glance.
Hover your mouse over any link in an email
Before clicking, make sure the address looks right. When in doubt, do not click the link or open any attachments.
If you think a website might be fake, check the URL and confirm it includes “https://”
Similar to phishing emails, the URL of a fake website may look nearly identical to that of a legitimate website. Look out for any misspellings, unusual words or special characters before or after the company’s name. Look for “https://” not “http://” at the beginning of the address; any legitimate entity asking for your payment info will have a secured website. Bear in mind that “https://” on its own only means the connection is encrypted; it does not prove who is at the other end, so the spelling of the domain still matters more.
To test whether you can spot a phishing scam, check out Google’s quiz.
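The indicators above (look-alike sender domain, generic greeting, urgency, link text that hides its real destination, plain http links) as a small PowerShell checker; this is an added example, not code from the original page. The trusted-domain list, the wording patterns and the sample message are assumptions made for the example.

```powershell
# Added example, not code from the original page: a PowerShell checker for the
# phishing indicators described above. The trusted-domain list, the wording
# patterns and the sample message below are all assumptions made for the example.
function Get-EditDistance {
    param([string]$a, [string]$b)   # Levenshtein distance, to spot "mazon.com"-style look-alikes
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Test-PhishingIndicators {
    param(
        [string]$From,
        [string]$Body,
        [hashtable[]]$Links,   # each: @{ Text = 'what the reader sees'; Href = 'where it really goes' }
        [string[]]$TrustedDomains = @('amazon.com', 'netflix.com', 'bestbuy.com')
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    # 1. Sender domain that is close to, but not exactly, a brand you trust.
    $senderDomain = ($From -split '@')[-1]
    foreach ($trusted in $TrustedDomains) {
        $dist = Get-EditDistance $senderDomain $trusted
        if ($dist -ge 1 -and $dist -le 2) { $findings.Add("Sender domain '$senderDomain' imitates '$trusted'") }
    }
    # 2. Generic greeting ("Customer", "Account Holder") instead of your name.
    if ($Body -match '(?im)^\s*(dear\s+)?(valued\s+)?(customer|account holder|user|member)\b') {
        $findings.Add('Generic greeting instead of your name')
    }
    # 3. Manufactured urgency or a threat of losing the service.
    if ($Body -match '(?i)(will be (terminated|suspended|closed)|within \d+ hours|immediately|confirm your account)') {
        $findings.Add('Urgent threat of losing service')
    }
    # 4. Per link: the "hover over it" check (shown host vs real host) and the https check.
    foreach ($link in $Links) {
        $target = [uri]($link.Href)
        if ($target.Scheme -ne 'https') { $findings.Add("Link to $($target.Host) is not https") }
        if ($link.Text -match '^https?://') {
            $shownHost = ([uri]($link.Text)).Host
            if ($shownHost -ne $target.Host) { $findings.Add("Link text shows $shownHost but goes to $($target.Host)") }
        }
    }
    return $findings
}

# Constructed sample message, modelled on the Amazon and "account will be terminated" examples above.
$sample = @{
    From  = 'security@mazon.com'
    Body  = "Dear Customer,`nYour account will be terminated unless you confirm your account within 24 hours."
    Links = @(@{ Text = 'https://www.amazon.com/account'; Href = 'http://amazon-verify.example/login' })
}
Test-PhishingIndicators @sample   # prints one finding per indicator detected
```

The sample trips all four checks; a clean message from a trusted domain with a personalised greeting and matching https links returns an empty list.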
Working away from the office is fast becoming the norm for many businesses, and there are tonnes of benefits for employees. But, like anything in the cyber world, there are some considerable risks you and your colleagues should be looking out for. Many companies are asking their employees to work remotely in an effort to slow down the spread of coronavirus and preserve the health and safety of their people.
Here’s what you need to keep in mind so that both you and the company stay protected.
Working in the office and working at home are two different kettles of fish (or indeed phish). And not only because the office has a working atmosphere, whereas at home you just want to lie on the couch and pet the dog.
The real issue — at least for cybersecurity, if not productivity — is that in the office, companies thoroughly protect networks and devices. Meanwhile, unless you’re the CEO, sysadmins are probably not going to come around to your apartment or house and set everything up in line with corporate standards. If a confidential document gets leaked from your home computer, the buck stops with you.
Follow these ten simple tips when working remotely to avoid such a mishap.
1. Protect devices with a good antivirus solution.
Companies generally undertake a range of measures to protect computers from malware. They install powerful security solutions, prohibit employees from installing applications, restrict online access from unauthorized devices, and so on. At home, it is trickier to provide that level of protection, but leaving a computer vulnerable when work documents are stored there is also a no-no because if they get stolen or destroyed, it’ll be your neck on the chopping block.
To prevent anything like that from happening, it is vital that you install a reliable security solution on all devices that handle corporate data. If money’s too tight, install a free antivirus. Even one at no cost will significantly reduce the risk of getting infected — and landing in big trouble with the boss.
2. Update programs and operating systems.
New vulnerabilities are forever being found in applications and operating systems. And cybercriminals can’t resist exploiting them to infiltrate other people’s devices. Often, they rely on people being too lazy to update software, because in the latest versions of programs vulnerabilities are usually patched. So it’s important to regularly update everything installed on any device that you use for work purposes.
3. Connect to a secure internet connection, especially over Wi-Fi.
Protecting the computer won’t help if an attacker connects to your Wi-Fi or takes up residence inside your router. Anyone who does that can intercept everything you send or enter online, including passwords for remote access to an office-based computer or corporate mail. Therefore, it is imperative to configure your network connection correctly.
First, make sure that the connection is private and encrypted to keep information safe from prying eyes. If your Wi-Fi asks anyone connecting to it for a password, the connection is encrypted (and Joe Blow will not be able to spy on your work). If you share your Wi-Fi with other unknown people, your connection is not secure. That applies to coffee shops like Starbucks, fast-food restaurants, and basically any public location with public Wi-Fi.
Never enter a password or log in with your credentials on public Wi-Fi: you can never tell whether someone sharing your connection is tapping, scanning, or phishing for your username, password, or other personal and corporate information.
4. Lock your device before walking away
Someone can catch a glimpse of your work correspondence even when you’re just having a cup of tea or taking a bathroom break. Therefore, it’s important to lock the screen whenever you get up. Consider the small hassle a tiny price to pay for keeping corporate secrets safe.
Even if you’re working at home and outsiders have no access to the room, it’s still worth locking your device. You probably don’t want your child to accidentally send your boss a smiley-laden text. Or your cat to walk across the keyboard and mail an unfinished message to the board of directors. If you’re about to go somewhere else, lock the screen. And it should go without saying that your computer needs password-protection.
5. Use corporate services for e-mail, messaging, and all other work
Your company most likely has a set of IT services that employees use, such as Microsoft Office 365, a corporate messenger like Slack or Microsoft Teams, and at the very least corporate e-mail. Those tools are configured by your company’s IT service, and IT is responsible for setting them up correctly.
But IT is not responsible for the access settings of, say, your personal Google Drive. Are you absolutely sure that your colleague — and no one else — will see the file that you sent a link to? If the file is accessible to anyone who has the link, then search engines can index it. And if someone googles something on the topic of your document, it might appear in the search results and catch the eye of someone who should not even know of its existence.
Therefore, stick to corporate resources when exchanging documents and other information. The same cloud drives, configured for business use, are generally far more reliable than the free consumer versions. Corporate mail usually has less spam and none of your personal correspondence, which adds up to less risk of missing an important e-mail or forwarding something to the wrong address — and colleagues will know for sure that it’s you, not someone pretending to be you.
6. Stay vigilant
Alas, sometimes a malicious — and highly convincing — message can sneak into corporate mail. This is especially relevant to remote workers, because the volume of digital communication increases sharply with telecommuting. Therefore, read messages carefully and don’t rush to respond to them. If someone urgently needs an important document or demands immediate payment of an invoice, double-check that the sender is who they claim to be. Don’t be afraid to call the other party for clarification, or to confirm the action one more time with your boss.
Be particularly suspicious of e-mails with links. If a link to a supposed document does not point to a corporate resource, better to ignore it. If everything looks fine, and the link opens a site that resembles, say, OneDrive, do not enter your credentials on it. Better to manually type in the OneDrive address in the browser, log in, and try to open the file again.
7. Keep your passwords to yourself.
You wouldn’t type in your ATM PIN for all the world to see, so why treat your password any differently? With the growing trend of “shoulder surfing” (spying on someone's device to obtain login credentials or company data, often in a public place such as a train), employees need to take extra care when using devices in busy areas.
It may sound like common sense, but covering your screen is the easiest way to stop shoulder surfers from stealing your credentials and accessing your accounts.
Here are a few tips to keep your password safe:
8. Be careful when using your personal computer
If you're using your personal computer to remote into the business environment, please follow some useful tips in order to keep your personal computer truly personal:
The immensely popular social networking site Facebook has a user base of over 1.19 billion, which also makes it a popular medium for scammers. It is important to be able to identify a threat before it hits you because the consequences that follow one “quick click” may leave your bank account empty and your identity stolen.
53% of scams target social media users
Bitdefender conducted a survey on Facebook and Twitter by befriending 1,900 people. They then sent the users three links leading to malware. Based on the results, they discovered:
“97 percent of respondents on Facebook and Twitter blindly click on links without checking for malware.”
It’s therefore not surprising that scammers succeed in tricking Facebook users. In fact, a two-year Bitdefender study of 850,000 different Facebook scams identified the five most prevalent scams and the percentage of users that fall for each. Here are the top 5 scams you need to keep an eye out for:
#5) Atrocity videos: animal cruelty, suffering people and other dark videos (0.93%)
Atrocity video scams prey on a user’s darker side. Cybercriminals use horrendous images involving maimed animals, murder, suffering children, and tortured women to draw a user in. Although still relatively small compared to other scams (less than 1%), this type of scam is growing at a steady rate, with thousands of victims in every new campaign. According to the report:
“Children and teenagers are the most exposed to atrocity video scams, and we expect their number to intensify in the future.”
Cybercriminals use atrocity videos as a way to serve users with links to fraudulent web sites that prompt you to complete surveys and offers before watching the video. Cybercriminals hope to earn a commission for every survey completed. Malware is also distributed in this way.
To avoid this type of scam, you must resist your own curiosity and fight the urge to click “play”. Stay vigilant and use common sense. Check the domain name of any suspicious link to a video or image before clicking on it. Cybercriminals have no shame and even use tragic events such as airline disasters to lure people into clicking. Steer clear of atrocious content on Facebook and get your news from major news websites instead.
#4) Celebrity scams: celebrity scandals and death hoaxes (7.5%)
The fourth most popular type of Facebook scam preys on a user’s desire to keep up with the latest news and gossip about favorite celebrities such as Rihanna or Justin Bieber. The videos often promise shocking news, such as the death of a celebrity, or adult content. The primary goal of this scam is to trick you into clicking a link that will then ask you to update your video player or redirect you to an external source prompting you to download something to watch the video.
This scam appeals to a user’s sense of curiosity and amplifies it with enticing trigger words and popular celebrities. While some videos lead to Potentially Unwanted Programs (PUPs) such as adware, others are more serious and lead to data-stealing malware that can turn your computer into a zombie as part of a botnet.
In order to combat this scam, users must use caution and common sense. In order to stay up to date on your favorite celebrities, use a legitimate and verified news and video source. Think before you act, remember if something seems so shocking that it is unreal, it probably is. Avoid watching adult content based videos on social media sites.
#3) Freebies and giveaways: Free -enter any company name- gift card! (16.5%)
Giveaway scams are the third most popular Facebook scam and prey on the human instinct of greed. A few examples: winning free trips to Disneyland, receiving free gift cards or vouchers, and free electronic items such as an iPad. A well-known saying is “nothing in life is free”, especially if something sounds too good to be true. If somebody on Facebook tells you a company is giving away vouchers or gift cards if only you invite your friends to the offer or click on a link—don’t believe it. If you do, you’ll end up spamming all your contacts with bogus messages about the fake offer.
If a user falls for a “free giveaway” or “freebie” scam, they are at risk of a malware infection. Before qualifying for the free promotion, you must complete several “special” or “reward” bonus offers, which are provided at the user’s expense and cost real money. Cybercriminals receive a commission for each survey and collect a treasure chest of confidential information such as your username, e-mail, and phone number.
To combat this scam, users must keep in mind that almost all of the free offers encountered online are bogus. Always think before you click, and if an offer does seem suspicious, contact the company to verify the promotion’s authenticity or check the company’s Facebook page. Never enter your most sensitive credentials on free surveys and promotional offers that seem too good to be true.
#2) Facebook functionality enhancements (29.5%)
The second most popular Facebook scam is one that supposedly extends Facebook functionality. Users are presented with options to add a dislike button or embellish their profile with different colors or features, such as this one. This scam centers on a user’s desire to improve their overall social networking experience. Once a user decides to take advantage of the supposed enhanced Facebook features, cybercriminals can access and steal the user’s most sensitive data and spread malware by way of fake online survey pages. Never enter your data in suspicious forms or surveys on social media sites.
In order to combat this scam, Facebook users need to help raise user awareness. Also, never click on links leading to pages that offer the ability to change your background and profile color as Facebook does not offer such an option.
#1) Who viewed my profile? (45.5%)
By far the most popular and widespread Facebook scam that users will encounter (almost 46%) preys on human curiosity. Users want to see exactly who, what, and how many views their page is getting. The “profile viewer” message is customized to each person, touching users on a personal level. A lot of users want to see whether they are still searched for by a person for whom they may still have feelings, such as an ex.
To combat this type of attack, users must be made aware that a legitimate application revealing details such as how many views or viewers you have is highly unlikely to exist. Don’t click suspicious links to pages when you don’t know where they lead, and don’t add applications to your Facebook that have not been checked and confirmed safe by Facebook’s developers.
General human dispositions cause users to fall for these tricks
The report delves into psychological explanations as to why users fall for the traps. The conclusion:
“The biggest vulnerabilities appear because of general human dispositions that may hit any user at one point in his life,” Bitdefender Behavior Analyst Nansi Lungu said. “It’s hard for us to acknowledge our irrational behaviors, or that we’re blindly indulging in impulses we typically attribute to the less educated.”
People are seemingly their own worst enemies. We don’t think before we act, and react before we think. This irrationality is what gives cybercriminals a profitable opening to steal sensitive data and distribute malware. Cybercriminals take advantage of the fact that many users are not aware of online dangers and aim squarely at that weakness. User awareness and caution are the key.
Tips to stay safe on Facebook.
Have a great (scam-free) day!