
Staying Safe: What you need to know about phishing

phish·ing /'fi-shing/ [noun] 1. the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.

Phishing is the same as fishing. You bait a hook, drop it in the water and hope something will bite. The only difference is that phishing is done in a digital sea, a vast sea filled with millions of people who all too often take the bait.

They respond to a phishing email and end up giving out confidential information — at worst, account numbers, usernames and passwords — to a cybercriminal or, in the parlance, a “bad actor.” Those bad actors then use that information to take their money, often thousands of dollars. Or they simply sell it on the dark web, where special software allows the bad actors to remain anonymous and untraceable. Either way, someone has been scammed, likely with the help of a technique called social engineering.

“Social engineering is psychological manipulation that scammers use to trick people into taking action that, in this case, is not in their best interest and not something they would normally do,” says Alex Laham, Assistant Vice President of Information Security at Service Credit Union. “It’s a newer version of the phrase ‘con game.’”

The manipulation, Laham says, involves provoking an emotional response that will lead someone to take the action the bad actors want: “They will say, for instance, ‘Thank you for your payment of $6,000 to Amazon’ and ‘Click this link if you didn’t do that.’ You’re going to freak out, and because you didn’t do that, you click the link, where they then can get your confidential information. That’s how the emotional manipulation works.”

Phishing is only one of the bad actors’ scams. There’s also smishing (a new trend where phishing is done with a text instead of email), vishing (with a phone), spoofing (a method to convince a target they are dealing with a trusted source), and the most serious of all: ransomware.

“That’s where malware gets deployed into a company’s systems, typically through phishing, and locks all of the data with encryption,” Laham says. “The data is held hostage until the company either pays a ransom or is able to recover the data from backups. It’s incredibly profitable, and all they have to do is send phishing emails and just wait for someone to click a link.” Studies show that, worldwide, $20 billion was paid by companies in ransomware attacks, and that figure is expected to grow substantially in the years ahead.

“Whenever there’s money available, people will try to steal it,” Laham says. As head of Information Security at Service CU, his job is to make sure that doesn’t happen and that all of the members’ accounts and data are protected. He leads a team of cyber professionals who watch over the company’s operations 24/7, alert to any kind of intrusion. “Our goal is to make sure that those who require access to data have it, and those who shouldn’t, don’t,” he says. “And we have all of the technical requirements that are needed to support that action.”

Another aspect of providing safety to Service CU members is having a staff that’s savvy about what the bad actors are up to. “One thing that’s been proven over the past few years is that no matter how impressive a company’s technology is, the world’s greatest firewall, the best endpoint protection system, sometimes it only takes one person on the inside giving credentials to a fake phishing site to circumvent security platforms,” Laham says. “Training people with a security awareness program is just as, if not more, important than having technical measures in place.”

One part of the training is the simple directive: slow down. “The biggest savior for somebody who may be the recipient of a phishing email is time,” Laham says. “Slowing down allows you to really take a good look at the information that’s being provided to you and to not respond to the emotional generators that bad actors employ. If it’s an email, does the address look legitimate? Is the email unexpected, out of the blue? Does something just not feel right? If you’re suspicious, take a moment and confirm with the institution directly. The fallback is when in doubt, throw it out.”
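The questions Laham lists (does the address look legitimate, is the message pushing you to act now) can be turned into an automated first pass that flags a message for a second look. The following is an added example, not Service CU's tooling; the trusted domain `servicecu.example`, the urgency phrase list and both sample messages are constructed for illustration.

```python
"""Heuristic first pass over a suspicious email, based on the questions above:
does the sender address look legitimate, and does the message lean on
urgency or fear? Added illustration; not Service CU's tooling. The trusted
domain, the phrase list and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical domain of the institution the reader actually banks with.
TRUSTED_DOMAINS = {"servicecu.example"}

# The "emotional generators" described in the text: a large charge, a call
# to click, a deadline, a threat to the account.
URGENCY_PATTERNS = [
    r"\bthank you for your payment\b",
    r"\bclick (?:this|the) link\b",
    r"\bimmediately\b",
    r"\bwithin 24 hours\b",
    r"\baccount (?:will be )?(?:locked|suspended)\b",
]

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>', re.I)


def sender_domain(header_value):
    """Domain of the real address, ignoring the display name."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    """Exact match or a subdomain of a trusted domain."""
    return domain in trusted or any(domain.endswith("." + t) for t in trusted)


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """Untrusted domain that reuses a trusted name, e.g. servicecu-secure.example."""
    if is_trusted(domain, trusted):
        return False
    names = {t.split(".")[0] for t in trusted}
    return any(name in domain for name in names)


def triage(raw_message, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings; an empty list means no heuristic fired."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []

    from_dom = sender_domain(msg["From"])
    if is_lookalike(from_dom, trusted):
        findings.append(f"sender domain {from_dom!r} imitates a trusted domain")
    elif not is_trusted(from_dom, trusted):
        findings.append(f"sender domain {from_dom!r} is not a trusted domain")

    # A Reply-To that differs from the sender routes your answer elsewhere.
    reply_dom = sender_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if reply_dom != from_dom:
        findings.append(f"replies are routed to {reply_dom!r}, not to the sender")

    text = f"{msg['Subject'] or ''}\n{body}".lower()
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text)]
    if hits:
        findings.append(f"{len(hits)} urgency/fear phrase(s) present")

    # Links whose host is not the institution's own domain.
    for href in HREF_RE.findall(body):
        link_dom = (urlparse(href).hostname or "").lower()
        if link_dom and not is_trusted(link_dom, trusted):
            findings.append(f"link {href!r} leads to untrusted domain {link_dom!r}")
    return findings


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """From: "Service Credit Union" <alerts@servicecu-secure.example>
Reply-To: refunds@mailbox-relay.example
Subject: Thank you for your payment of $6,000 to Amazon
Content-Type: text/html

<html><body>
<p>Thank you for your payment of $6,000 to Amazon.</p>
<p>If you didn't do that, <a href="http://servicecu-secure.example/verify">click this link</a> immediately.</p>
</body></html>
"""

LEGIT_SAMPLE = """From: "Service Credit Union" <alerts@servicecu.example>
Subject: Your monthly statement is ready
Content-Type: text/plain

Your statement for this month is available when you sign in to online banking.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(sample) or ["no findings"])
```

The heuristics deliberately err toward flagging: a finding is a reason to slow down and confirm with the institution directly, not a verdict, and a message with no findings is not proof of legitimacy.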

Laham says Service CU also has tools in place to allow employees to better identify phishing emails. To make sure the program is working, from time to time his department sends fake phishing emails to Service CU employees to test them. “We internally track how we’re doing, benchmark that against the industry, and then report the results to the entire organization. Our consistent training has produced good results,” Laham says.

He tells the cautionary tale of Sony, which had a document in its system that contained passwords for every one of its accounts. The problem was that the document was stored in plaintext, not encrypted. North Korea hacked it and got access to everything, from corporate accounts to the latest movie that was about to come out.

Lesson learned: Password protection is key to keeping your accounts secure. “I know passwords are the bane of everybody’s existence,” Laham says. “Security people say, ‘Make them hard,’ but we have trouble remembering them. Or we make them easy so we can remember them, but then they’re easy to break.”

The solution, he says, is length. Change it from a password to an easily remembered phrase. Because so many passwords are now available to the bad actors, Laham says, “Eight characters doesn’t cut it anymore; those can be breached fairly quickly. You get exponential strength the more characters you add. We advocate for a passphrase with a minimum of 18 characters on any account.” And, he adds, use a password/passphrase manager for secure storage.
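The “exponential strength” Laham describes is the search space an attacker has to cover: alphabet size raised to the power of the length, so every added character multiplies the work. The calculator below is an added example, not Service CU's policy tooling; the guessing rate is an assumed figure used only for comparison, and the sample secrets are constructed. It also shows the caveat that a passphrase built from common dictionary words should be rated by its word count, not its character count.

```python
"""Why length beats complexity: brute-force search space grows as
(alphabet size) ** (length), so each added character multiplies the work.
Added illustration, not Service CU's policy tooling; the guess rate is an
assumed figure and the sample secrets are constructed."""
import math

# Assumed offline guessing rate, for comparison only (hypothetical value).
GUESSES_PER_SECOND = 1e10
MIN_PASSPHRASE_LENGTH = 18  # the minimum advocated in the text


def alphabet_size(secret):
    """Size of the union of standard character classes the secret draws from."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(not c.isalnum() for c in secret):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_bits(secret):
    """log2 of the number of strings to try, assuming the secret has no structure."""
    if not secret:
        return 0.0
    return len(secret) * math.log2(alphabet_size(secret))


def effective_bits(secret, wordlist_size=None):
    """If the phrase is built from a known word list, an attacker guesses words
    rather than characters, so the weaker of the two estimates is the honest one."""
    bits = brute_force_bits(secret)
    if wordlist_size:
        words = len(secret.split())
        bits = min(bits, words * math.log2(wordlist_size))
    return bits


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate at the assumed rate, in years."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def meets_length_policy(secret, minimum=MIN_PASSPHRASE_LENGTH):
    return len(secret) >= minimum


if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password, an 18-character
    # lowercase phrase, and a four-word phrase drawn from a 7776-word list.
    samples = [
        ("P@ssw0rd", None),
        ("quietharborlantern", None),
        ("correct horse battery staple", 7776),
    ]
    for secret, wordlist in samples:
        bits = effective_bits(secret, wordlist)
        print(f"{secret!r:32} len={len(secret):2d} bits={bits:6.1f} "
              f"years={years_to_exhaust(bits):.2e} "
              f"policy_ok={meets_length_policy(secret)}")
```

The word-list caveat is why the text pairs length with a password manager: a manager can generate long secrets with no dictionary structure, and the user only has to remember the one passphrase that unlocks it.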

Information about how to prevent being victimized is regularly passed along to Service CU members, but if a member’s account is compromised, or even if they only suspect it has been, Laham says to get in touch with the credit union right away: “If a member becomes aware of it early enough, we will lock the account and reset those credentials. Then, we’ll do an evaluation to make sure that there aren’t any untoward charges.”

Ask Laham what he sees ahead in cybersecurity, and he says, “Phishing, or some form of social engineering, is always going to be in the tool bag of the cybercriminal. But the use of machine learning and quantum computing will add a whole new layer of difficulty to how we defend against systems that are stronger, faster, and with more capabilities. And, because account compromise is such a huge component of cybercrime, I think we’re going to see aggressive moves toward using biometrics or different forms of multifactor authentication instead of relying on passwords.”

He says that trust in a company to keep data safe will become a deciding factor in whether to do business with it. “We want our members to understand that we value their data the same as if it were ours. I’m a credit union member. My information is here; my family’s information is here,” he says. “We have a fiduciary responsibility to maintain the sovereignty of members’ information. We want to make sure they feel comfortable knowing our focus is on ensuring their financial health.”
