We sat down with NJTC member, Symbol Security. President and Co-Founder, Craig Sandman, has focused his efforts around ending phishing and other cyber risks people might face. Teams are more digitally connected than ever, which presents the need for information and mitigation around phishing and cybersecurity to keep your data safe while working from home.
Keep the Fortress, Well, Fortified.
Cybercriminals are smarter and more targeted than ever before. These crooks are evolving in their crimes as quickly as updated cybersecurity is becoming available.
Our downfall is their greatest advantage:
Humans are a very weak link in a company’s security chain and should have some accountability in cybersecurity as well.
Companies spend millions of dollars on their IT security infrastructure and are essentially building a fortress around all of their sensitive information.
As an employee, you have access to that information and systems.
You are in your company’s “castle,” so to speak, and the next phishing attack is as simple as you opening the castle door and engaging with a cybercriminal via email, text or social media. An organization can effectively build out a cybersecurity system, but the threat is still there if employees are not knowledgeable about the different attacks that exist.
Knowing the difference between clicking the right link in an email versus downloading a file that targets sensitive information can make a significant difference.
Let’s back up and define exactly what phishing is.
What is Phishing?
Phishing is a cybercrime methodology of luring a victim into taking an action (fraud, access or divulging sensitive information) based on a false pretense.
Victims don’t know they’re interfacing with a criminal.
These cybercrooks phish because it is EASY.
Here is what they want from you:
- log-in information and data
- banking and credit card information
- intellectual property
Flashback to the 2016 Democratic National Convention hack where emails from campaign officials were stolen by a group of Russian hackers.
A popular phishing attempt is spoofed emails.
A spoofed email is a fabrication of a well-known business’s email, sent in hopes of duping the recipient into thinking it originated from somewhere other than its actual source.
Spoofed emails are nuisances because they ask the recipient to provide personal information like a password or credit card number.
If given, these can cause significant problems and sometimes pose a real security threat.
Some cybercriminals are spoofing so perfectly that to an untrained eye, it may look credible.
Is Amazon Really Asking You to Re-Verify Your Account?
Spotting a phishing attempt can be easy.
To identify a fake email, Craig highly recommends expanding the sender name to ensure it is coming from a legitimate sender.
Did you receive an email from a coworker or internal department that does not make sense?
Did IT really need you to download that document?
When in doubt, pick up the phone and call your IT department to confirm a suspicious request.
Beware of the subdomain and look for manipulations.
Cybercriminals use subdomains to fool users into thinking the URL is from a legitimate company. They use a well-known business name in the subdomain but the fraudulent location remains in the primary domain.
The subdomain in the example is “amazon” and the primary domain is “passwordconfirmation.com”.
It may look like a credible source but if you clicked the link in the example above, you would not be visiting Amazon.
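The subdomain check described above can be automated. The following is an added example, not material from the webinar: it extracts the primary domain from a link and flags links where a trusted brand name appears in the host but the primary domain belongs to someone else. The trusted-domain list, the short suffix list (a stand-in for the full Public Suffix List) and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List, enough for this demo.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed allow-list: brand name -> primary domains that brand really uses.
TRUSTED = {"amazon": {"amazon.com", "amazon.co.uk"}}


def primary_domain(url):
    """Return the registrable ("primary") domain of a URL's host."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host
    # Keep three labels when the host ends in a known two-label suffix.
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def check_link(url):
    """Classify a link as 'trusted', 'lookalike' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    domain = primary_domain(url)
    if any(domain in real for real in TRUSTED.values()):
        return "trusted"
    # The brand name appears in the host, but the primary domain is not
    # one the brand owns: the subdomain trick described in the text.
    if any(brand in host for brand in TRUSTED):
        return "lookalike"
    return "unknown"


# Constructed sample links; the second uses the domain named in the article.
SAMPLES = [
    "https://www.amazon.com/gp/css/homepage.html",
    "http://amazon.passwordconfirmation.com/verify",
    "https://amazon.com.account-check.example/login",
    "https://www.njtc.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):9}  {primary_domain(link):26}  {link}")
```

An "unknown" result only means the link matches no brand on the list; it does not mean the link is safe.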
Do Not Click! Hover Over Links
This best practice can’t be stressed enough.
Assess your emails for anything that looks odd or seems out of place. While scanning your email for out-of-place links, domains and such, make sure to scan the actual content of your email as well – does your boss really need you to purchase 10 gift cards for $100 each? Probably not.
If a link is present in the email, hover your cursor over the link to reveal the URL without clicking. Ask yourself if the link URL is pointing to a legitimate website with an easy-to-read web address.
Don’t be fooled by logos or the message of the email. Any cybercriminal can reproduce email communications to look exactly like a company you do business with. Instead, go to the website directly to log in and check for notifications.
How To Keep Your Data Safe Working from Home
Unfortunately, scams can happen at home, too.
It is highly recommended to have different passwords for your work and personal devices and accounts.
Your Netflix account password should not be the same as your work password.
Consider a password manager such as LastPass or 1Password to help you store your passwords and create strong credentials.
Use two-factor authentication for every account that has the option available.
Practice WiFi safety by creating a network specifically for your guests.
Craig recommends not sharing your WiFi password with your children or people who live outside of your residence. Doing this will help you avoid a compromised network.
We love our children and their happiness is our happiness, but keep your work and personal devices separate. Avoid letting your children use your work device to watch YouTube or play a game.
Protecting your data at home is just as important as being in the office.
Watch The Full Webinar Presentation: Work From Home Cybersecurity
Check out the full webinar where our audience got to test their phishing skills and pick up some best practices on cybersecurity.
NJTC has compiled useful links and past videos/webinars to utilize as resources to help your organization during COVID-19. Safety measures, best practices and more on our COVID-19 resource page are available here.