As the saying goes, “the only constant is change.” Cyber criminals are constantly adapting and changing tactics to take advantage of current events and find vulnerabilities in our systems. Here are some developments we are watching closely:
Phishing Schemes
Termination Phishing Emails: A recent FBI (Federal Bureau of Investigation) Private Industry Notification warned that cyber criminals were taking advantage of the COVID-19 pandemic to target teleworking employees through fake termination phishing emails and VTC (Video Tele-Conference) meeting invites. The bad actors are using spoofed or typosquatted email domains to impersonate Human Resources or management. The emails lure victims to click on malicious links for additional information or online conferences about termination or severance packages.
Voting Campaigns to Spread Malware: Cybercriminals are also leveraging current emotionally charged social issues to entice you to click on links you might not otherwise look at. A recent article reported that an email phishing campaign requesting people vote anonymously about current race-related matters was spreading information-stealing malware. In general, you should be wary of any surveys you receive.
Security Best Practices to Avoid Threats
- Approach all email with heightened attention.
- Double-check all emails received.
- Be aware that sometimes email addresses are slightly modified to look legitimate. This is called typosquatting and takes advantage of common misspellings or slightly modified email and website addresses to re-direct people to malicious websites.
- Carefully check the “From” email address and domain. If you have the slightest doubt, do not click on any links or attachments and delete the email immediately.
- If you receive a suspicious email:
  - Do not click on any link or attachment. Delete the email immediately.
  - Do not unsubscribe from the list. Very often the unsubscribe link also performs malicious activities. Delete the email immediately.
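The “From” domain check described in the list above can be automated on the mail-filtering side. The following Python example is added here for illustration and is not part of the original advisory; the trusted domains, the look-alike character table, the distance threshold of 2 and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: the organization's real sending domains (constructed placeholders).
TRUSTED_DOMAINS = {"example.com", "hr.example.com"}
# Character swaps often used to build a look-alike domain (illustrative, not exhaustive).
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap of neighbours) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def normalize(domain):
    """Collapse look-alike character sequences to the characters they imitate."""
    for fake, real in LOOKALIKES:
        domain = domain.replace(fake, real)
    return domain


def classify_sender(from_header, max_distance=2):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a From header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain and (normalize(domain) == normalize(trusted)
                       or edit_distance(domain, trusted) <= max_distance):
            return f"lookalike:{trusted}"
    return "unknown"


# Constructed sample headers, not taken from any real message.
SAMPLE_HEADERS = [
    "HR Team <hr@example.com>",
    "Human Resources <hr@exarnple.com>",
    "HR <hr@exmaple.com>",
    "News <news@unrelated.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):24} {header}")
```

A "lookalike" result is a reason to quarantine or flag the message for review; an "unknown" result only means the domain does not resemble a trusted one, not that the message is safe.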
Mobile Banking Cyber Threats
A recent FBI Public Service Announcement warns of mobile banking cyber attacks. According to the advisory, there has been a 50% increase in mobile banking use since the beginning of 2020 due in part to increased time spent at home. Additionally, they report U.S. technology providers estimate more than 75% of Americans used some form of mobile banking in 2019. The FBI issued the following tips:
- Obtain apps from official app stores or directly from bank websites.
- Enable MFA (Multi-Factor Authentication) and use the strongest option possible such as biometrics, hardware tokens, or authentication apps.
- Because layering is a stronger security option, use multiple types of authentication when possible.
- Monitor where your PII (Personally Identifiable Information) is stored and only share what is absolutely necessary with financial institutions.
- Do not click links in emails or text messages. Ensure messages come from the financial institution by double-checking email details.
- Do not provide MFA codes to anyone over the phone or via text. Financial institutions will NEVER ask for these codes over the phone. Beware of a scam going around now in which the fraudster pretends to be from the financial institution and requests this information.
If a banking app appears suspicious, contact the bank via the customer service number posted on their website. The bank may ask for a banking PIN but will never ask for username and password over the phone.
Turn on MFA (Multi-Factor Authentication)
A recent Krebs on Security blog post warned that not turning on MFA makes accounts vulnerable to exploitation by cyber criminals. Increasingly, bad actors are enabling MFA options and attaching them to devices they control, making it much more difficult to regain access when an account is hacked. This risk increases for people who habitually reuse or recycle passwords on multiple accounts. The post also cautions that many online sites and services are completely automated and difficult to reach for help when account takeovers occur. This is especially challenging if attackers modify and/or remove the original email address associated with the account. Any MFA option is better than relying on a password alone, but it is best to use the strongest option available, such as biometrics, hardware tokens, or authentication apps. For a list of MFA options offered by popular websites, visit twofactorauth.org.