October 28, 2016 by The GLS Team
An employee has countless reasons to log on to a computer, but whatever the reason, all employees have one thing in common: they are human, and humans make mistakes. Attackers count on this, and they have developed sophisticated ways to take advantage of it. Companies must prepare their employees to be part of the defense if they want to avoid a costly encounter with ransomware. Learn more about the threat and what can be done to avoid it.
How It Works
Ransomware can be delivered in a variety of ways, but email attachments and links are the ones criminals favor. Typically, infection begins with an email that urges the reader to open an attachment or click on a link. Once the victim runs the program it delivers, it encrypts the files it can reach, and the victim loses access to them. Because those files are bound to contain something important, the attackers can demand whatever price they think the victim will pay to get them back. This has become such a profitable industry that there are "companies" in places such as Eastern Europe that operate very much the way a legitimate corporation does. Payment is usually demanded in Bitcoin or another digital currency, because it is harder to trace and easy to move across borders. Law enforcement unfortunately has very few ways to help once the files are encrypted, which is why tested offline backups matter as much as prevention.
No One Is Immune
Ransomware can affect anyone, no matter how tech-savvy. Attackers continuously come up with new methods to get past spam filters and people's own defenses. It can be as simple as an email disguised to look as if it comes from a friend or coworker, or as elaborate as a link to a phony website painstakingly built to look like a legitimate company's page. Attacks may combine several malware components designed to work together to infect computers across a variety of platforms. When the public catches on to one trick, the attacker simply moves on to the next.
To avoid a dangerous encounter, first make sure software updates are installed as soon as they come out. Attackers study widely used programs for vulnerabilities and build their malware to exploit them; updates patch those vulnerabilities and close the door. Some malware lies dormant in a system, waiting for the moment a computer is most vulnerable. Operating system vendors also build protections directly into the platform (Apple's macOS, for example, checks downloads against known malware and blocks unsigned installers by default), which can stop a malicious file from running even after an employee has clicked on it. For people prone to mindless clicking, this can be extremely helpful, but it is a backstop, not a substitute for caution.
Proceed With Caution
Hackers know that human brains are by now hardwired to click on anything that catches their interest, so they make sure whatever they send is enticing enough to catch the target's eye. An employee may have been told several times to be careful, and may know in the back of his or her mind that it matters. But in times of great stress defenses drop and people are more likely to make errors. Low-tech reminders such as Post-it™ notes around a monitor help only so much; a company needs something more systematic. To combat hackers everywhere, Global Learning Systems offers end-to-end learning programs that make employees at any business more aware when browsing online and checking email. Contact us today for more information and details on how we can help.
October 20, 2016 by The GLS Team
Whaling is one of the most insidious practices in the attacker's arsenal, and it is costing victim organizations billions. It is a form of spear phishing, also called whale phishing: where an ordinary phishing scam casts a wide net, spear phishing targets specific individuals or groups, and whaling goes after the biggest targets, the C-suite (a corporation's most senior executives). Whaling (or "going after the big fish") is a social engineering scam designed to trick a CEO or other senior figure into clicking on a malicious attachment or URL, or into authorizing a payment. What can your organization do to protect itself from whaling?
Be Wary of Fake Emails
With more than 112 billion business emails sent daily, a fake or "spoofed" email has a good chance of slipping past most users. Attackers are skilled at making a spear phishing email look legitimate: they embed the real company logo (of a bank, for example) and often use the recipient's real name rather than "Customer". According to Verizon's Data Breach Investigations Report, the main perpetrators of phishing attacks are organized crime syndicates (89%) and state-affiliated actors (9%), groups that can "put some thought into the ruse they use." Users should never react quickly to any email with a call to action such as downloading a document, clicking on a link, or sending funds; confirm the request through a channel other than the email itself.
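A spoofed From: address is the core of most whaling emails, and the mail server usually leaves the evidence in the headers. The script below is an added example (not GLS code and not part of the original post) that reads a raw message and reports when the visible From: domain does not line up with the Return-Path, the SPF-checked sender, the DKIM signing domain, or the Reply-To. The two messages are constructed samples with placeholder domains; the "organizational domain" helper is a deliberate simplification (last two labels, no Public Suffix List), which is an assumption a production check would replace.

```python
"""Report misaligned sender domains in a raw email message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims the bank, but the envelope sender, the SPF
# and DKIM results, and the Reply-To all point at another domain.
SPOOFED_RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.victim.example.com;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=pass header.d=mailer.example.net
From: "Example Bank Security" <alerts@bank.example.com>
Reply-To: <alerts@bank-secure-login.example.net>
To: cfo@victim.example.com
Subject: Urgent: confirm wire transfer

Please confirm the transfer today.
"""

# Constructed sample of an aligned message from the same sender.
LEGIT_RAW = """\
Return-Path: <alerts@bank.example.com>
Authentication-Results: mx.victim.example.com;
 spf=pass smtp.mailfrom=bank.example.com;
 dkim=pass header.d=bank.example.com
From: "Example Bank Security" <alerts@bank.example.com>
To: cfo@victim.example.com
Subject: Your monthly statement

Your statement is ready.
"""


def _domain(addr):
    """Lower-cased domain part of an address header value, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rpartition("@")[2].lower()


def _org_domain(domain):
    """Crude organizational domain: the last two labels.
    Assumption: no multi-label public suffixes such as co.uk in the data."""
    return ".".join(domain.split(".")[-2:])


def alignment_findings(raw):
    """Return a list of findings; an empty list means every domain aligns."""
    msg = message_from_string(raw)
    from_dom = _org_domain(_domain(msg["From"]))
    findings = []

    rp_dom = _org_domain(_domain(msg["Return-Path"]))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")

    reply_dom = _org_domain(_domain(msg["Reply-To"]))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")

    # Authentication-Results is written by our own receiving server, so the
    # attacker cannot forge it (an MTA must strip copies arriving from outside).
    ar = msg.get("Authentication-Results", "")
    for method, key in (("spf", r"smtp\.mailfrom"), ("dkim", r"header\.d")):
        m = re.search(rf"{method}=(\w+)[^;]*?{key}=([\w.-]+)", ar)
        if not m:
            findings.append(f"no {method} result in Authentication-Results")
            continue
        result, dom = m.group(1), m.group(2).lower()
        if result != "pass":
            findings.append(f"{method} result is {result}")
        elif _org_domain(dom) != from_dom:
            findings.append(f"{method} domain {dom} != From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, alignment_findings(raw) or "aligned")
```

This is the same relaxed alignment test DMARC performs; the point for a mail gateway or a triage analyst is that "spf=pass" and "dkim=pass" on their own prove nothing about the address the user sees, only about the domain the attacker controls.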
Secure Your LinkedIn Account
LinkedIn is especially useful to attackers because it tells them who the CEO is, who reports to whom, and who handles payments. One scam uses that information to fake an email from the CEO to an employee in finance, directing him or her to release funds immediately by following the instructions in the email. Rather than question the authority of the "big boss," the employee too often dutifully and immediately does what is asked. Limiting what your profile exposes, securing your LinkedIn account, and requiring that payment requests be confirmed by phone are necessary steps in keeping your organization secure.
Hover Your Cursor to Cover Yourself
Hover your cursor over any link in an email, suspicious or not, to see where it really goes; on a phone, where you cannot hover, press and hold the link to preview the address. In a sophisticated whale phishing scam the link may even have the name of the bank or other organization in it, but check which domain it actually points to, not just whether the name appears somewhere in the address. Call the bank directly at a number you already have if you are unsure, and report the email to your IT department.
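The hover check can be automated for a mail gateway or a triage script: extract every anchor in the HTML body and compare the domain the user sees with the domain the href really resolves to. The block below is an added example (not GLS code and not part of the original post). The HTML is a constructed sample with placeholder domains, and the organizational-domain helper is the same last-two-labels simplification as above, which is an assumption, not a production rule.

```python
"""Flag email links whose visible text disagrees with their real target (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches something that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Constructed sample body: one honest link, one lookalike host that merely
# contains the bank's name, and one userinfo trick (user@host) that hides the
# real host behind a plausible-looking prefix.
SAMPLE_HTML = """
<p>Please review your account.</p>
<a href="https://bank.example.com/login">bank.example.com/login</a>
<a href="https://bank.example.com.login-verify.example.net/x">https://bank.example.com/secure</a>
<a href="https://bank.example.com@203.0.113.5/login">Secure Login</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _org(host):
    """Crude organizational domain (last two labels); assumption, no PSL."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html):
    """Return [(href, text, [reasons])] for links a reader should not trust."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = urlsplit(href)
        host = (target.hostname or "").lower()
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append(f"unusual scheme {target.scheme!r}")
        if target.username:
            # https://bank.example.com@203.0.113.5/ goes to 203.0.113.5
            reasons.append(f"userinfo {target.username!r} hides real host {host}")
        shown = HOST_RE.search(text)
        if shown and _org(shown.group(0)) != _org(host):
            reasons.append(f"text shows {shown.group(0)} but link goes to {host}")
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for r in reasons:
            print("   ", r)
```

The second link is the case the paragraph warns about: "bank.example.com" appears in the address, but as a subdomain of someone else's domain. Compare registrable domains, never substrings.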
Secure Your Mobile Devices
In the era of BYOD (Bring Your Own Device) it is imperative that you have a compliance program in place that secures your employees’ use of mobile devices. With an ever-increasing array of smartphones, tablets, and other mobile devices accessing your company network on a daily basis, be sure to put a mobile device best practice plan in place.
Make sure your cyber security strategy includes a sandboxing component that detonates suspicious attachments and links in an isolated environment before they reach the user. If a user clicks on an infected link or document and sandboxing is deployed on your network, the file or website is scrutinized first in the sandbox, which can stop the attack in its tracks. However, be careful here: malware has been known to check whether it is running in a sandbox (looking for virtualization, the absence of user activity, or simply delaying execution) and stay quiet until it reaches a real endpoint. Make sure you have current protection, such as next-generation firewalls with more sophisticated sandboxing, and do not treat a clean sandbox verdict as proof that a file is safe.
It Starts with People
Whaling and other phishing scams succeed only if the human behind the computer falls for them. Company-wide education is an absolute must, but be sure to have a separate focus group just for your C-suite team and for employees who work in IT or finance. These individuals have access to your data, networks, and financials, making them the most attractive "fish" to target.
Global Learning Systems LLC (GLS) is a demonstrated leader in a client-tailored approach to security awareness training. GLS empowers organizations by educating their employees to create a positive, security-minded behavior change.