Teach your staff to detect social engineering to keep them cyber safe over the Christmas break. Holidays bring with them frantic shopping, party planning, family arrangements, and, finally, taking a well-earned break and connecting with family and friends. However, criminals also look forward to this time of year, for a very different reason: they use our distraction against us, relying on us being even more in a hurry than normal. And when we’re distracted, we make mistakes.
The number of scams rises sharply at holiday times, with Christmas and New Year bringing a large spike in phishing attacks. The Australian Signals Directorate (ASD) has published useful advice for organisations to help explain the threat to users and help them protect themselves online.
There are several scams that cyber criminals traditionally benefit from more over Christmas and New Year than any other time of year. Starting with fraudulent surveys, criminals use these to harvest user data, credentials and even bank details, so be on the lookout for anything that sounds too good to be true, and if you want to reduce the risk altogether, simply delete these emails and leave attachments unread.
Secondly, the volume of spam and phishing emails will go up, so it’s likely that your junk mail folder will be jammed full of items that your mail client has detected, but it’s as likely some will slip through. Especially at this time of year, when we all want to score a great online bargain, criminals bank on at least a percentage of the population’s greed outweighing sense. Emails that offer deals that are too good to be true are simply that – too good to be true and probably a scam.
Another popular ruse is the bogus shipping status message, purporting to come from Australia Post, DHL or UPS. These scams rely on you being curious enough to click the link to see who might have sent you a parcel – something many of us will receive over Christmas. If you’re not expecting a parcel, don’t click the link. If you are in any doubt at all, look up the carrier’s phone number or tracking page yourself (not the number or link in the email) and they’ll confirm whether the consignment is real.
ASD acknowledges that scammers are getting much better at constructing convincing, highly sophisticated phishing emails. In many cases there is no easy or superficial way to tell real from fake. But users can ask themselves a few questions, pausing long enough to reflect on what the email is asking of them before acting on it. That short pause gives the brain time to process the offer, weigh the risk and override the impulse that would otherwise see them duped.
ASD recommends reminding staff to challenge themselves with the following questions when reading emails:
Furthermore, email scams are often tailored to appear as if they come from something or someone you trust; criminals harvest open-source data, such as from LinkedIn and Twitter, to appear as if they are one of your legitimate contacts. Others are tailored against a backdrop of current events, such as concerts, open air markets and festivals, to convince you they are real.
One very important point that ASD reminds us of is that if the content of an email is not relevant to work, users should delete it. If it arrives on a personal email account, it’s a personal risk (which of course is also something to protect them against), but keeping work and home email separate creates a natural boundary: a message that has landed in the wrong place is itself a prompt to stop and think before clicking the link or opening the attachment. A gift card from a hardware store sent to your work account is highly unlikely to be legitimate, since a work email address should never be registered for personal services.
One quick way for users to check a link is to hover the mouse over it (or long-press it on a phone) and read the address shown in the tooltip or status bar. That is the real destination, and it can be completely different from the text of the link. If the destination matches what the link text claims, it is more likely genuine; if it points somewhere else, treat it as a scam. For example, an email that claims to come from your bank but whose links lead to an online pharmacy is almost certainly a scam. The check is not foolproof: shortened links hide the real target, and lookalike addresses (your bank’s name as a subdomain of a stranger’s domain) can pass a quick glance, so when in doubt type the organisation’s address into the browser yourself rather than following the link.
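The hover check can be automated for HTML email, which is what a mail gateway or a user-reported phishing triage script does. The following is an added example, not code from the original article or from ASD: it pulls every link out of a message, compares the visible link text with the real destination, and flags bare IP addresses, URL shorteners and destinations outside the claimed sender’s domain. The sample message, the shortener list and the small country-code second-level heuristic (standing in for a full public suffix list) are constructed for illustration.

```python
"""Flag deceptive links in an HTML e-mail (added example, not from the article).

The sample message, SHORTENERS and SECOND_LEVEL are constructed / illustrative.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirector hosts that hide the real destination (illustrative list, not exhaustive)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Labels that sit under a two-letter country code, e.g. bank.com.au (heuristic stand-in
# for a real public suffix list)
SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu", "ac"}
URL_TEXT = re.compile(r"^(https?://|www\.)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url: str) -> str:
    """Lower-case host of a URL; bare text like 'www.bank.com.au' gets a scheme added."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def base_domain(host: str) -> str:
    """Registrable domain by heuristic: 'secure.bank.com.au' -> 'bank.com.au'."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_url(text: str) -> bool:
    return bool(URL_TEXT.match(text.strip()))


def check_links(html: str, sender_domain: str) -> list:
    """One finding per anchor whose real destination does not match what the reader sees."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = hostname(href)
        if not host:  # mailto:, anchors, missing href
            continue
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append("destination is a bare IP address")
        if base_domain(host) in SHORTENERS:
            reasons.append("destination is a URL shortener, real target hidden")
        if looks_like_url(text) and base_domain(hostname(text)) != base_domain(host):
            reasons.append(f"visible text says {hostname(text)} but link goes to {host}")
        if base_domain(host) != base_domain(sender_domain):
            reasons.append(f"destination {host} is outside the claimed sender's domain {sender_domain}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one genuine tracking link and three typical lures.
SAMPLE_EMAIL = """
<p>Dear customer, a parcel is waiting for you.</p>
<a href="https://auspost.com.au/track">https://auspost.com.au/track</a>
<a href="http://auspost.com.au.parcel-status.example/track">https://auspost.com.au/track</a>
<a href="http://203.0.113.7/login">Confirm your details</a>
<a href="https://bit.ly/3abcdef">View delivery options</a>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL, "auspost.com.au"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run against the sample, the genuine `auspost.com.au` link passes and the other three are reported, the lookalike one with two reasons: the visible text claims `auspost.com.au` while the destination is `parcel-status.example`. A real deployment would swap the `SECOND_LEVEL` heuristic for a public suffix list and resolve shorteners before judging them.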
Calling the sender to verify an email is the best way to assure yourself that it is real. Before you open any attachment or click any link, a verbal confirmation that the message really came from the institution or business will likely save you a lot of hassle. But as we said earlier, don’t use the phone number contained in the email, since that will likely be a fake service desk set up by the criminals to impersonate the real organisation. Cross-check the number on the organisation’s own website and, if you can’t find one, err on the side of caution and leave the links and attachments alone.
There have been mixed reports over the years on the usefulness of security awareness training, with promoters suggesting organisations can’t live without it, while detractors suggest that people forget what they learn the minute they finish the course. Interestingly, both perspectives are right, so it’s essential you understand how your organisation works and how behavioural change is best communicated in your industry.
Make the consultation with staff inclusive and ask them directly how they respond to training. Some teams, such as desktop support engineers and sales executives, see this kind of training as a distraction, so look for more effective ways to engage them. Don’t treat all members of the workforce as equal – for people with busy operational jobs, training like this can come across as an inconvenient corporate overhead that gets in the way of their day job. Seek to integrate other, more proactive means of raising awareness, such as internal phishing campaigns run with free tools like the Social Engineering Toolkit (SET).
There are commercial tools that combine security awareness training and phishing, but they come at a cost, so test your organisation’s responsiveness to this kind of blended learning prior to investing in a commercial solution.
At this very busy time of year, take heed of established trends to avoid phishing attack gifts that keep on giving. You should remind staff to ‘stop and think’ before opening links and attachments. Have a very Merry Christmas and an uninterrupted, peaceful New Year.