Do you know what phushing is? This new form of social engineering can do a lot of damage to private users and DD boards alike. Discover how to mitigate this threat by following the steps listed below.
Phushing Negates One Of Your Most Important Cybersecurity Defenses…
In an era where a username and password is often all that protects a given account’s private information, Multi-Factor Authentication (MFA) is more popular than ever.
You likely use an MFA solution already, as it’s a simple and effective way to keep data more secure—after all, it blocks 99.9% of identity-based attacks.
MFA requires the user to utilize two methods to confirm that they are the rightful account owner. There are three categories of information that can be used in this process:
- Something you have: Includes a mobile phone, app, or generated code
- Something you know: A family member’s name, city of birth, pin, or phrase
- Something you are: Includes fingerprints and facial recognition
Commonly, MFA solutions will send a push notification to the user’s device to confirm a login attempt. While, in theory, this is a simple way to verify whether or not the authorized user is attempting to log into their account, a new tactic in use by cybercriminals is making things more complicated.
What Is “Phushing”?
Phushing is when a user receives an unsolicited push notification from their MFA solution concerning a login attempt for one of their accounts.
A recent study shows that up to 4% of users commonly confirm these unsolicited push notifications even though they’re not legitimate.
This is a big problem, as it directly negates the effectiveness of the MFA solution. This means that cybercriminals can try to log into your account, and expect you to approve the attempt via a push notification sent to your smartphone or email account.
Would You Accept An Unsolicited Push Notification?
This new cybercrime tactic reveals how important the user is in cybersecurity.
No matter what type of defenses an organization invests in, they can all be negated by a user that doesn’t understand their role in the defense of that DD board’s data.
Think of it this way: if your bank called and told you someone was trying to withdraw the sum total of your banking account, you wouldn’t simply approve it, right? That’s essentially what phushing is—a cybercriminal is trying to log into someone’s account, their MFA service sends a push notification to the account holder’s smartphone, and they approve the login without a second thought.
Whether the user is too busy to think about what they’re approving, or they don’t understand what these push notifications are for, this is a major cybersecurity threat.
Phushing is just one type of social engineering, which targets the user as a vulnerability instead of a specific technology.
Social Engineering Remains A Major Threat
Social engineering uses manipulation and deception to target a specific individual with the goal of getting them to give up sensitive information, or complete a task that benefits the hacker’s end goal.
Using email tactics similar to those used to spread ransomware, social engineering is the primary way that hackers influence unsuspecting users to do things they normally wouldn’t do.
Phishing
Phishing is a fraudulent attempt to obtain sensitive information like login credentials or credit card numbers by impersonating trustworthy figures, like companies and other users.
Business Email Compromise
BEC takes it one step further, targeting known users and prompting them to take action, like wiring money to bank accounts or buying gift cards and sending them to a hacker.
In both cases, the cybercriminals exploit the naivety and ignorance of a person to get them to do something they might not normally do.
Spear Phishing
Spear phishing is an enhanced version of these exploitation methods.
The hackers take the time to gather detailed information about the victims, targeting specific people and presenting them with detailed requests that only a knowledgeable person might have, causing the targeted people to lower their guard and leading to much better results.
Tips To Defend Against Phushing & Social Engineering
The good news is that defending against phushing is extremely easy: don’t approve login attempts when you’re not attempting to log into your accounts.
If you get an unsolicited push notification, do not approve it, and inform your IT team right away. Ideally, you’ll change your update your password and then monitor for any subsequent login attempts.
Beyond that, keep these general social engineering cybersecurity tips in mind:
- Be suspicious—never make assumptions or trust what you’re told in an email, text, or push notification.
- Never send money or pay for something without confirming it by phone. Only call a phone number you know is correct, not a number given to you in an email.
- Always be on the lookout for grammar, spelling, phrasing, or punctuation errors.
- Make sure your passwords are complex and unique.
Your Staff Members Need Cybersecurity Training
The key to truly comprehensive cybersecurity is simple, yet often overlooked: the user.
The best cybersecurity technology and practices in the world can be undone by one staff member who doesn’t understand how to use them, or how to protect the data they work with.
An IBM study found that human error accounts for 95% of security incidents, and in a recent survey by ESET, we learned cybersecurity training is not a top priority for many organizations.
This should be a critical concern for DD boards and all organizations operating today. Security awareness training is a key investment in the defense of your digital assets and organization as a whole.
Security awareness training will certainly help employees learn how to spot malicious attempts by cybercriminals, but it is also required to comply with federal and in some cases state regulations. A lack of training will open the door for cybercriminals and may result in a breach, causing potentially significant fines and penalties as well as likely damage to an organization’s reputation.
The good news is that you don’t have to handle cybersecurity training for your team by yourself—VC3 is here to help.
Don’t Let Your Users Put You At Risk
VC3 is dedicated to working with developmental disabilities related organizations to help them best protect their network and private data.
We are here to help make sure County Boards of DD and the agencies and independent providers that work with them are properly defended against the latest cybercrime tactics and scams. That means both equipping you with robust cybersecurity technologies, and showing your staff members how to actively engage as a part of your defense.
With our help, your staff will contribute to your cybersecurity, not compromise it. Contact us today to discuss your cybersecurity needs.