Teach your staff to detect social engineering to keep them cyber safe over the Christmas break. Holidays bring with them frantic shopping, party planning, family arrangements, and, finally, taking a well-earned break and connecting with family and friends. However, criminals also look forward to this time of year, for a very different reason: they use our distraction against us, relying on us being even more in a hurry than normal. And when we’re distracted, we make mistakes.
The number of scams goes up exponentially at holiday times, with Christmas and New Year bringing a massive spike in online phishing attacks. The Australian Signals Directorate (ASD) has published useful advice for organisations to help explain the threat to users and help them protect themselves online.
There are several scams that cyber criminals traditionally benefit from more over Christmas and New Year than any other time of year. Starting with fraudulent surveys, criminals use these to harvest user data, credentials and even bank details, so be on the lookout for anything that sounds too good to be true, and if you want to reduce the risk altogether, simply delete these emails and leave attachments unread.
Secondly, the volume of spam and phishing emails will go up, so it’s likely that your junk mail folder will be jammed full of items that your mail client has detected, but it’s just as likely that some will slip through. Especially at this time of year, when we all want to score a great online bargain, criminals bank on at least a percentage of the population’s greed outweighing sense. Emails that offer deals that are too good to be true are simply that – too good to be true and probably a scam.
Another popular ruse is the bogus shipping status message, purporting to come from Australia Post, DHL or UPS. These scams rely on you being curious enough to click on the link to see who might have sent you a parcel – something that many of us will receive over Christmas. If you’re not expecting a parcel, don’t click on it. If you are in any doubt at all, call the shipping company (not using the number in the email) and they’ll confirm whether it’s real or not.
ASD acknowledges that scammers are getting much better at constructing convincing and highly sophisticated phishing attacks. In many cases, this means there is no easy (or at least no superficial) way to tell whether an email is real or fake. But users can ask themselves a few questions, taking enough time to simply pause and reflect on what the email is offering before they act on it. This short pause is just enough time for the brain to properly process the offer, evaluate the risk and stop those natural human impulses from getting them duped.
ASD recommends reminding staff to challenge themselves with the following questions when reading emails:
Furthermore, email scams are often tailored to appear as if they come from something or someone you trust; criminals harvest open-source data, such as from LinkedIn and Twitter, to appear as if they are one of your legitimate contacts. Others are tailored against a backdrop of current events, such as concerts, open air markets and festivals, to convince you they are real.
One very important point that ASD reminds us of is that if the content of the email is not relevant to work, then users should delete it. If it’s on a user’s personal email system, then it’s a personal risk (which of course is also something to protect them against) but keeping separation between work and home life provides an air gap that will give people time to think about whether they click on the link or open the attachment. A gift card from a hardware store sent to your work account is highly unlikely to be legitimate, since you should never register your work email address for personal services.
One quick way for users to check a link is to hover the mouse over it and look at the address that appears in the tooltip. If that address matches what the link text claims, the link is probably genuine; if it doesn’t, it’s probably a scam. For example, an email from your bank that contains a link to an online pharmacy is likely a scam.
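The hover check above can also be automated on the defender’s side, for instance in a mail gateway or as a triage helper for reported emails. The script below is an added example and not part of the original article or the ASD guidance: it parses the anchors in an HTML email body and flags links whose visible text names one host while the `href` points somewhere else, as well as links that go straight to a bare IP address. The sample email is constructed for the example (reserved documentation names and the 203.0.113.0/24 documentation address range only). A match is not proof of safety, since lookalike domains pass this test, so treat the output as a prompt to pause, not a verdict.

```python
"""Flag links in an HTML email whose visible text disagrees with the
address they actually point to (the 'hover over the link' check).
Added example; the sample email below is constructed, not real."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a hostname (optionally with a scheme)
# inside the visible link text, e.g. "https://parcels.example.com/track".
HOST_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)', re.I)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


def host_of(url):
    """Return the lowercased hostname of a URL, or '' if it has none."""
    if not url:
        return ''
    if '://' not in url:
        url = 'http://' + url
    return (urlparse(url).hostname or '').lower()


def same_site(shown, real):
    """True if the displayed host and the real host belong to the same site.
    'www.' is ignored and a subdomain of the displayed host is accepted."""
    shown = shown.removeprefix('www.')
    real = real.removeprefix('www.')
    return shown == real or real.endswith('.' + shown)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href', '') or ''
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return a list of (visible_text, href, reason) for suspicious links."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if href.lower().startswith(('mailto:', 'tel:')):
            continue  # not web links; nothing to compare
        real = host_of(href)
        match = HOST_RE.search(text)
        shown = match.group(1).lower() if match else ''
        if shown and real and not same_site(shown, real):
            findings.append((text, href, 'displayed host differs from target host'))
        elif real and IPV4_RE.fullmatch(real):
            findings.append((text, href, 'link points at a bare IP address'))
    return findings


# Constructed sample: a fake "parcel" notice of the kind described above.
SAMPLE_EMAIL = """
<p>Your parcel could not be delivered.</p>
<a href="http://203.0.113.7/track">Track your parcel</a>
<p>Log in at <a href="https://parcels.example.net/login">https://parcels.example.com</a></p>
<p>Questions? <a href="mailto:help@example.com">email us</a></p>
<a href="https://example.com/terms">https://example.com/terms</a>
"""

if __name__ == '__main__':
    for text, href, reason in check_links(SAMPLE_EMAIL):
        print(f'{reason}: "{text}" -> {href}')
```

Run against the sample, the script reports the IP-address tracking link and the login link whose text says `parcels.example.com` while the target is `parcels.example.net`; the `mailto:` link and the honest terms link are left alone. In a real deployment the same logic would sit behind a rule that quarantines or annotates the message rather than only printing.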
Calling senders to verify the legitimacy of an email is the best way to assure yourself that the email is real. Before you open any attachments or click on any links, having verbal confirmation that this email was sent to you by the associated institution or business will likely save you a lot of hassle. But as we said earlier, don’t use the phone number contained in the email, since that will likely be a fake service desk set up by the criminals to again impersonate the real organisation. Cross-check the phone number on the organisation’s website, and if you can’t find a direct phone number, err on the side of caution and don’t open the email.
There have been mixed reports over the years on the usefulness of security awareness training, with promoters suggesting organisations can’t live without it, while detractors suggest that people forget what they learn the minute they finish the course. Interestingly, both perspectives are right, so it’s essential you understand how your organisation works and how behavioural change is best communicated in your industry.
Make the consultation with staff inclusive and ask them directly how they respond to training. Some teams, such as desktop support engineers and sales executives, see this kind of training as distracting, so look for more effective ways to engage them. Don’t look at all members of your workforce as equal – if they have busy operational jobs then training like this can come across as an inconvenient corporate overhead that gets in the way of their day job. Seek to integrate other, more proactive means of raising awareness into the workforce, such as internal phishing campaigns using free tools like the Social Engineering Toolkit.
There are commercial tools that combine security awareness training and phishing, but they come at a cost, so test your organisation’s responsiveness to this kind of blended learning prior to investing in a commercial solution.
At this very busy time of year, take heed of established trends to avoid phishing attack gifts that keep on giving. You should remind staff to ‘stop and think’ before opening links and attachments. Have a very Merry Christmas and an uninterrupted, peaceful New Year.