The COVID-19 coronavirus situation has affected our families, our homes, and our work environments. Our children are home, some of us are new to working remotely, others have to be extra vigilant about keeping their areas clean and sterile, and still more are stressed and overworked with heavier caseloads and more patient care than usual.
During these stressful times, the Internet Bad Guys will do their best to trick you. They are working hard to entice you into doing the wrong thing, and they will play on Fear, Uncertainty, and Doubt, three of the most powerful influencers ever used against people.
How can you protect yourself? The same habits that keep you safe “in real life” also secure your digital world: be aware! Know your contacts, know your computer, and know your context. Let’s take a look.
Know your contacts (your people, your connections)
Do not open links or attachments from unknown contacts! Are you receiving more emails about “COVID19”? Information about your stimulus check? Brand new “preventions” and “cures”? A source for toilet paper and masks? Do not click those links unless you know the sender, and do not open the attachments. Keep in mind that the sender address shown in an email can be forged just as easily as the subject line, so a familiar name is not proof on its own; when an unexpected message asks you to act, confirm with the sender through a channel you already trust, such as a phone number you already have. These social engineering techniques are known as phishing attacks.
Are you receiving phone calls asking for information? Spoofing caller ID is easy, so do not rely on caller ID alone to identify the caller. Be especially vigilant with odd requests such as sending money, or a caller suggesting that you open a web page while they stay on the line. These social engineering techniques are known as vishing (voice phishing) attacks.
Did you receive a USB memory stick in the mail or find one while shopping? A “free gift” from Best Buy or your favorite shopping site? “Proprietary information” from your employer? Do not plug it in. A USB device can carry malware, and some are built to act as a keyboard and start typing commands the moment they are connected, so simply inserting one can be enough. If you do not know its origin, it is not worth the risk: toss it in the garbage, or if you found it at work, hand it to your help desk or security team unopened. These social engineering techniques are known as USB drop attacks.
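One concrete check behind “do not click those links” is to look at where a link really goes rather than at what it says. The script below is an added example, not part of the original post: it pulls every link out of an HTML email body and flags the ones whose visible text names one site while the link itself goes to another, or whose link goes to a bare IP address. The sample message is constructed for the example; example.net and 192.0.2.10 are reserved documentation names, not real sites.

```python
"""Flag deceptive links in an HTML email body.

Added example, not part of the original post: a phishing email often shows one
destination in the link text while the href actually points somewhere else, or
sends you to a bare IP address. This extracts every <a href> from a constructed
sample body and reports the links a reader should not click.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; example.net and 192.0.2.10 are reserved
# documentation names and addresses, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Your COVID19 stimulus check is ready.</p>
<p>Confirm your details here:
   <a href="http://irs-gov.example.net/verify">https://www.irs.gov/coronavirus</a></p>
<p>Or read the <a href="https://www.irs.gov/coronavirus">official guidance</a>.</p>
<p><a href="http://192.0.2.10/login">Log in to your bank</a> to claim it.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse whitespace so the visible text compares cleanly
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'www.example.org/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself names a destination."""
    return "://" in text or text.lower().startswith("www.")


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_links(html):
    """Return (href, visible_text, reason) for each link that should not be clicked."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        if looks_like_url(text) and host_of(text) != href_host:
            findings.append((href, text,
                             f"text shows {host_of(text)} but the link goes to {href_host}"))
        elif is_ip_address(href_host):
            findings.append((href, text, f"link goes to a bare IP address ({href_host})"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"DO NOT CLICK: {text!r} -> {href}: {reason}")
```

Run against the sample, the first and third links are flagged and the one that really goes to www.irs.gov is not. The same comparison is what you do by hand when you hover over a link before clicking it: the address shown in the status bar is the href, and it is the only one that matters.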
Know your computer (your systems)
Be aware when things are not working correctly or seem particularly slow. Contact your manager or help desk if you notice anything that “doesn’t seem right”.
Keep your computer and phone software up to date. Turn on automatic updates where you can, and install security updates as soon as they are available. Make sure your antivirus is on and updated.
Know your context (your surroundings, your work environment)
Just like in the real world, know your surroundings and be aware of who is around. Our environments are rapidly changing, and our work lives and home lives are now more tightly integrated than they were just a few weeks ago. Know who can hear you, and who can see your screen, when you are working with sensitive information, whether it is financial information, patient data, or anything else that should be kept private.
Famous last words
Take care of yourself
Remember, security starts with you. Be aware, be conscious of your surroundings, and be knowledgeable about your rapidly changing work environment.
Fear, uncertainty, and doubt: three powerful influencers, especially at a time like today when our physical health is threatened. Let’s be careful out there.
Tell me more! What are your safety tips? How can we all be safe out there?
Have you received a threatening call from someone claiming to be the government? The urgent message demands that you pay an immediate fine, tax, or penalty, or else face imminent arrest by the IRS, revocation of your medical credentials, or something even worse.
These calls are known as “vishing” (voice phishing) campaigns in the social engineering world. Vishing is a social engineering technique very similar to the familiar email “phish”; instead of email, the vish relies on voice calls and voicemails.
As with phishing emails, vishing calls take many forms. In all of them, you receive a time-sensitive message alerting you to impending doom. Let’s take a look at a few common vish campaigns.
1. Jail threats with the DEA or IRS
A popular vish is the Drug Enforcement Administration (DEA), calling to explain that there has been suspicious drug prescription activity or some other anomaly associated with your medical license. If you deny having any association with the fraud, the caller may demand to validate that you are actually you. They’ll need you to provide your medical license number, maybe your home address, and a credit card with your name on it. Or they may demand that you pay a fine or face revocation of your license. If you don’t pay, the caller will have to immediately notify the hospitals where you have privileges. Of course, the fine can be paid by way of Western Union or MoneyGram, which is itself the giveaway: no government agency collects fines by wire transfer.
Another vish is the Internal Revenue Service (IRS), calling about delinquent tax liens. In this scenario, the caller may claim to be at your address waiting for you, but of course you are at work or at another location. They may have your home address, and the caller ID will normally be spoofed to show a real government agency such as a local police station. The caller will give you the option of either paying the debt or being arrested, and may demand that you call an “agent” at another phone number to make arrangements for payment. The real IRS initiates contact about taxes owed by mail, not with a phone call demanding immediate payment under threat of arrest.
2. Bank, telephone, or company
Banks and other companies are also popular vishing pretexts. The caller ID may actually show your bank’s number (do not believe the caller ID!). The scheme may describe suspicious activity on your account, or maybe an upgraded card that is now available to you. The caller may have the last four digits of your account number (fairly easy to find, since it is on nearly every receipt). To “prove” that you have the card in your hand, the caller will ask you to verify the remaining digits, confirm your billing address, or read the three-digit code on the back of the card. In general, just say no: your bank already has your card number and will never ask you to read the full number or the security code to prove you hold the card. If you believe the call is actually from your bank, hang up and call the bank back on the number on the back of your card.
3. Hospital or school emergency
Another vish is the emergency call from a hospital or school. Your child, mother, or spouse has been involved in an accident, and the caller needs your permission to treat your loved one. In order to verify your identity over the phone, they’ll need some form of personal identification such as your birthdate, your Social Security number, or a bank card number. A real hospital or school does not withhold treatment until a caller recites a Social Security or card number; hang up and call the facility back on a number you look up yourself.
B. Vishing: Don’t be a victim
Vishing is ever evolving, and there is no way to know what tomorrow’s vish will be. That said, here are a few tips to help you avoid being a victim.
1. Be suspicious!
Avoid giving information over the phone unless you know the caller and understand the implications. Research the caller’s identity. If you call back, do not use the contact information the caller provided. Instead, use a known valid number whenever possible, such as the number on your bank card or a published contact number for the government agency the caller claims to represent.
Do not go to websites the caller provides; the site may host malware or a fake login page that captures whatever you type. Instead, go to official websites you know are valid and use the official phone numbers available to you.
2. Keep secrets secret!
Often a vish is used to get “just a little more” information about you for an even bigger fraud, such as identity theft or opening credit cards in your name. Therefore, avoid confirming or providing personal information to the caller, even a single detail. Sensitive information like account numbers, Social Security number, addresses, passwords, birthdates, and even your mother’s maiden name can be used against you.
3. Maintain your personal, financial, and professional contacts!
Update your mailing addresses, phone numbers, and email addresses with important organizations. Notify your employers, banks, and legal institutions when personal contact information changes.
4. If you think you are a victim?
Report the situation to the affected parties. Contact your manager or security team if you were vished at work or if the vish concerned a work-related matter such as your medical license. Contact your bank if your financial accounts or card numbers were disclosed, and have the card replaced. Change the passwords for any accounts that are compromised, and do not reuse the old ones elsewhere. Watch for signs of identity theft. Consider reporting the call to the police if you feel physically threatened.
5. Most of all, be alert!
Social engineering attacks take many forms, and not all forms are easy to spot. Technology safeguards alone cannot protect you. You must be able to outsmart “the bad guy”. Look for signs of trouble, question everything, and ask probing questions instead of answering them.
Remember, security starts with you.
C. The Trojan horse
Sometimes all that glitters is not gold. A little cuddly teddy bear might be vicious ransomware instead.
Social Engineering is a confidence fraud and takes many forms. A classic social engineering swindle happened during the Trojan War. As the story goes, after ten years in an exhausting and unsuccessful siege against Troy, the Greek army packed their bags and set sail leaving an enormous wooden horse to the Trojans – a gift seemingly to say, “We lose, you win”.
The Trojans wheeled their new bounty into the gates and celebrated their victory with food, drink, and glad hearts! Only, this horse was not a gift. Greek warriors filled the horse, warriors who waited patiently until the Trojans fell asleep. The warriors then violently took over the city.
Today, a Trojan (or Trojan horse) is a class of malware that tricks users by appearing to perform a legitimate function while actually doing something nefarious; unlike a virus or worm, it does not spread on its own but relies on the victim choosing to run it. In the world of vishing, the Trojan caller is the one masquerading as the bank, IRS, or hospital when in fact the caller is part of a scam. Note to self: do not fall prey to the deceptive Trojan horse!