User Conduct

Email Threats: One of the systems most targeted by cyber-criminals

As a user, your conduct determines your safety to a very large degree. The recommendations below cover conduct during both work and recreational tasks. Although email systems and email security systems have improved dramatically at filtering what reaches your inbox, there are always new threats to be aware of. Some of these are:

1. Embedded URLs (Uniform Resource Locators)

Do not simply open website links embedded in the emails you receive. If a link is malicious, clicking it sends your browser to a page that downloads malicious software. Having multi-layered security in place (for example an up-to-date operating system, an enabled firewall and valid, current antivirus software working together) will aid your protection, but sadly not in all circumstances. It is strongly recommended that you make sure you trust the sender of the email, examine where the link actually points (hover over it: the text displayed can differ from the address it opens) and never blindly click embedded links.
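As an added illustration (not code from the original page) of what "examining where a link actually points" means in practice, the following Python script pulls the links out of a constructed HTML email body and flags three things a reader should look for: visible link text naming one site while the real address goes elsewhere, a host that is a bare IP address, and an internationalised (punycode, xn--) host that may be a look-alike domain. The sample body and the crude registrable-domain helper are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample HTML email body (not from the original page). The first link
# shows a bank's address as text while its href goes to a different domain.
SAMPLE_BODY = """
<p>Dear customer, please verify your account:</p>
<a href="http://secure-login.example-bank.com.evil.test/verify">https://www.example-bank.com/verify</a>
<a href="https://xn--pple-43d.com/login">Apple account</a>
<a href="http://203.0.113.7/update">Update now</a>
<a href="https://www.example-bank.com/statements">Statements</a>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Crude 'registrable domain': the last two labels. Assumption for the example;
    a real check would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(href, text):
    """Return the reasons a link deserves suspicion (empty list if none found)."""
    reasons = []
    host = urlsplit(href).hostname or ""
    try:
        ipaddress.ip_address(host)
        reasons.append("link host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) host, possible look-alike")
    # If the visible text itself looks like a URL or hostname, it must agree with the href.
    looks_like_url = text.startswith(("http://", "https://")) or ("." in text and " " not in text)
    if looks_like_url:
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if shown and registrable_part(shown) != registrable_part(host):
            reasons.append(f"visible text points at {shown} but link goes to {host}")
    return reasons


def assess_body(html):
    """Return [(href, visible text, reasons)] for every link in an HTML body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in collector.links]
```

Run `assess_body(SAMPLE_BODY)`: the bank link, the punycode link and the IP-address link each come back with a reason, the genuine statements link with none. Hovering over a link in a mail client shows the same href the script reads.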

2. Phishing attack

These scams trick users into handing over their personal details under the guise of a legitimate source requesting that the recipient take some action. As a user, you must be aware of phishing scams. For example, a bank or software company will not ask you to send them your user name and password. Some emails from so-called banking companies will have mimicked the branding, images and typeface to make the request appear entirely legitimate. You can often spot these fraudulent emails by their impersonal style, frequently not using your name. Ironically, phishing emails are often riddled with spelling mistakes, although well-crafted ones are not, so the absence of mistakes proves nothing. Should you still feel the need to change your password on the application concerned, do not use the link in the email; open the browser independently and type the address yourself.

Vishing (a phishing attack carried out by voice call) is another common scam; see the Bizcommunity article on the subject.

3. Attachments

Reputable companies know that it is inappropriate to send their clients unsolicited attachments, unless a client has specifically requested them. Unsolicited attachments should be treated with suspicion by recipients. Never, ever open attachments from unknown email senders, and treat an unexpected attachment from a familiar name with the same suspicion, since the sender can be mimicked (see point 4).

4. Email instructions from supposedly "legitimate" senders

Although corporate security setups can minimise fraudulent email within a client's corporate infrastructure, new techniques are tried daily in an attempt to slip through. Some emails will reach your inbox with a sender who looks legitimate; however, if you hover over the sender's display name you may find they are using a non-corporate, free email account. In fact, they may simply have customised their display name to contain an email address, for example: <[email protected]>. Criminal entities will view your corporate website and even go so far as to identify which accounts staff member is responsible for making outgoing payments. They then target this individual.

Case study: Jane, a Senior Manager at Company ABC, instructs Joe, the Financial Controller at Company ABC, to action outgoing payments. Phishing scammers target Company ABC. They identify Joe as their target and send him an email that appears to come from Jane (mimicking her display name), instructing him to urgently make a payment to 'Vendor X', but for this transaction using new banking details. Joe does not notice that he is being targeted and instructed to make a fraudulent payment. He makes the payment and loses Company ABC money. This can have catastrophic consequences.

Takeaway: through awareness training, users can learn to pick up the tell-tale signs of these fraudulent instructions. Business processes should also be put in place to mitigate these outcomes, for example a "double sign-off" or verbal confirmation (using a phone number you already have, not one given in the email) for payments over a certain amount, and for any change to a vendor's banking details.
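The checks that Joe's mail client or a mail gateway could apply to the case study above, as an added Python example that is not from the original page: it parses the From and Reply-To headers and flags a display name that itself contains an email address, a known colleague's name arriving from an outside domain, a Reply-To that diverges from the apparent sender, and an urgent payment instruction, which is exactly the case the double sign-off exists for. The domain companyabc.example, the staff directory and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example (not from the original page): Company ABC's real
# mail domain and a directory of staff whose names are likely to be impersonated.
CORPORATE_DOMAIN = "companyabc.example"
STAFF_DIRECTORY = {"jane smith": "jane.smith@companyabc.example"}

PAYMENT_RE = re.compile(r"\b(payment|bank(?:ing)? details|wire|transfer|invoice)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent(?:ly)?|today|immediately|asap)\b", re.I)

# Constructed sample messages. The first uses the display-name trick from the text:
# the name field carries a corporate-looking address, the real sender is a free account.
SPOOFED_DISPLAY_NAME = """From: "Jane Smith jane.smith@companyabc.example" <payments.desk@freemail.example>
To: Joe <joe@companyabc.example>
Subject: Urgent payment to Vendor X

Joe, please wire Vendor X today using the new bank details below.
"""

LOOKALIKE_SENDER = """From: Jane Smith <jane.smith@gmail.example>
Reply-To: jane.smith.ceo@outlook.example
To: Joe <joe@companyabc.example>
Subject: Invoice

Please process the attached invoice when you get a moment.
"""

GENUINE = """From: Jane Smith <jane.smith@companyabc.example>
To: Joe <joe@companyabc.example>
Subject: Lunch

Are you free at noon?
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the reasons a message must be verified out of band before any payment is actioned."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. The display name carries an address of its own; the real sender is elsewhere.
    if "@" in name:
        reasons.append(f"display name '{name}' contains an email address; actual sender is {addr}")
    # 2. A colleague's name, but the mail comes from outside the company.
    if STAFF_DIRECTORY.get(name.lower()) and _domain(addr) != CORPORATE_DOMAIN:
        reasons.append(f"'{name}' is a staff member but the mail comes from {_domain(addr)}, not {CORPORATE_DOMAIN}")
    # 3. Replies would go somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(addr)}")
    # 4. An urgent payment instruction: confirm by phone on a number from the directory.
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if PAYMENT_RE.search(text) and URGENCY_RE.search(text):
        reasons.append("urgent payment instruction; confirm verbally using a known number, not one from the email")
    return reasons
```

`triage(SPOOFED_DISPLAY_NAME)` returns two reasons (the embedded address and the urgent payment), `triage(LOOKALIKE_SENDER)` two (outside domain and diverging Reply-To), and `triage(GENUINE)` none. None of these checks replaces the verbal confirmation; they decide when it is mandatory.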

Usernames and passwords: using your company details externally

When signing up to personal websites such as clubs and memberships, never use your company email address or your company password.

You should create your own personal email address for your personal usage.

The risk is that cyber criminals deliberately break into these less secure websites and then analyse the data they have stolen. They quickly identify which addresses are corporate ones. They then target your organisation and try to infiltrate it, for example by trying the stolen password against your corporate accounts or by sending targeted phishing to that address, using a number of sometimes brazen strategies.

As highlighted under email threats, this kind of exposure is risky to your company and can have catastrophic consequences.

User conduct for internet and external devices

In an ideal world users would never use their company laptops for a dual purpose, that is for recreation as well as work. For companies able to invest in a high level of corporate security, the machine in question can be locked down and controlled: corporate environment setups can block inappropriate activity and report it within the company to the relevant manager. If this is not the case, users must be educated about the consequences of their actions, namely:

Internet usage

  • Browsing well-known websites is not in itself risky behaviour; however, should a user browse the internet for questionable software or visit illicit websites, this will almost certainly have a negative impact on the company's online security.
  • There are many security reasons not to use free wifi hotspots, especially ones that do not require a password. Your internet traffic flows through a wifi access point (router) that may not be secure, and on an open network other users can read any traffic that is not itself encrypted (plain HTTP, for example). It is therefore recommended to use your phone as a mobile hotspot, which offers a connection you control.
  • Ensure your home wifi uses WPA2 or WPA3 with a strong passphrase, so that random users cannot join it.

USB usage

With faster internet connections, sharing large files has largely moved online. Still, people opt to share personal content via external hard drives or flash drives. Although your antivirus is there to protect you, external drives are a known way of spreading malware. So, if moving files this way is absolutely necessary, keep external drives dedicated to work purposes and, as best practice, scan them for viruses before use.

Passwords

Should your machine be governed by a corporate infrastructure managed by an IT company or division, you may already be required to adhere to certain standards. If this is not the case, you should know that certain passwords are "weak": combinations of your name or email address, and variants of the word "password". Children's names and birth dates are also among the first guesses cyber criminals make.

There are automated systems out there actively trying to break passwords, and attack methods are sophisticated: guesses are drawn from lists of previously breached passwords and from combinations of personal details, not just dictionary words.

Recommendation for passwords:

The best passwords are hard to guess and unique to each account. A password should be at least 8 characters long and include upper and lower case letters, a number and a special character; length matters most, so a longer passphrase is better still. Never reuse a password across sites, and change it whenever you suspect it may have been exposed.
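An added Python example (not from the original page) that turns the weak-password list above into a check: it undoes common letter-for-number substitutions so that "P@ssw0rd" is caught as "password", looks for the user's name, email local part and family members' names, for four-digit years, and for keyboard or counting sequences, and applies the length and character-class rule. Exempting long passphrases of 16 or more characters from the class rule is my assumption rather than the page's, and the names and passwords tested are constructed.

```python
import re

# Leet-speak substitutions attackers undo first, so "P@ssw0rd" is checked as "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
_YEAR = re.compile(r"(19|20)\d\d")
_SEQUENCES = ("1234", "abcd", "qwerty", "asdf", "1111")
_CLASSES = {"lower": r"[a-z]", "upper": r"[A-Z]", "digit": r"\d", "special": r"[^A-Za-z0-9]"}


def _personal_tokens(full_name, email, family_names):
    """Words an attacker would try first: name parts, family names and the email local part.
    Assumption: the caller supplies these details."""
    words = list(family_names) + full_name.split()
    if "@" in email:
        words += re.split(r"[^A-Za-z0-9]+", email.split("@")[0])
    return {w.lower() for w in words if len(w) >= 3}


def weak_password_reasons(password, full_name="", email="", family_names=()):
    """Return the reasons a password is weak by the criteria above (empty list if none found)."""
    reasons = []
    lower = password.lower()
    norm = lower.translate(_LEET)

    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    # The four-class rule, relaxed for long passphrases (16+), which get their strength from length.
    missing = [name for name, pattern in _CLASSES.items() if not re.search(pattern, password)]
    if missing and len(password) < 16:
        reasons.append("missing character class(es): " + ", ".join(missing))
    if "password" in norm:
        reasons.append("looks like a variant of 'password'")
    for token in sorted(_personal_tokens(full_name, email, family_names)):
        if token in lower or token in norm:
            reasons.append(f"contains personal detail '{token}'")
    if _YEAR.search(password):
        reasons.append("contains a four-digit year (birth dates are guessed early)")
    if any(seq in lower for seq in _SEQUENCES):
        reasons.append("contains a keyboard or counting sequence")
    return reasons
```

`weak_password_reasons("P@ssw0rd")` is rejected despite meeting the four-class rule, `weak_password_reasons("joe1984", full_name="Joe Bloggs")` collects four reasons, and a long passphrase such as "correct horse battery staple" passes on length alone. The check is a filter for the obvious guesses, not a measure of entropy.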
