It’s been a week since you started your new role. You’re almost done with onboarding and you get an email from your CEO. She needs help?
You don’t want to disappoint! This is important!
She’s about to give a conference talk but she forgot the prizes and needs you to pick up some gift cards, scratch the back off, and send her pictures of the cards. She needs it in the next hour.
You run to Best Buy. Your corporate card has a limit of $1,200. They have a limit of three cards. You pick up the rest from a store down the street and put it on your personal card. They’ll reimburse you. No worries. You get receipts.
You scratch the back and send the pictures.
You did it. You saved the company leader in a time of need. Well done.
You start to feel a bit weird. Something’s not right. You message the CEO’s executive assistant.
What? There’s no conference? No prizes?
You sit down, head in your hands. You can’t believe you fell for it!
This happens all the time and it’s nothing to be ashamed of. Don’t beat yourself up. The bad guys out there are pretty good at this sort of thing. They literally make their money by preying on good intentions.
This article is not intended to make you a security champion and we’re not going to get into how and why of either technical defense systems or attacker motivations. However, we will arm you with the knowledge to identify some red flags.
Remember that email above? That’s an example of an email scam. More specifically it’s generally called phishing in case your security team is quizzing you. Email scams are fairly varied, but two key indicators are a) a need for you to DO something and b) urgency. We need something and we need it now! New employees are easy targets since they don’t know the people, processes, and technologies that the company uses. If you’re new…watch out! Gift cards are a very common ask in this case. Very common. Very common. Very common. Here’s a news report from Canada about a guy named Dennis Tisner where he walks through his personal gift card scam story.
Another scam I’ve seen quite a lot lately are fake voicemails. You get an email notification saying you have a voicemail. You have to download the file which (not surprisingly) includes some weird file. You open the file and give it permissions and BAM! They hacked your computer. Now you have to report it! Darn! Remember, there’s no shame in opening something you shouldn’t. The first time. Maybe the second. The third time you should probably feel a little bad. If you’re not sure it’s real, ask your help desk or report it to your security team. A little diligence goes a long way! Especially for pride.
There’s another variant of the voicemail scam: you might get a real voicemail from a voice you recognize. A voice you trust. A voice that tells you to transfer money? Well, it can be hard to trust those, too as this link shows from the BBB! What we recommend is always go direct to the source: contact your approval authority. If you can, walk to their office. If you can’t use encrypted video. Verify all the contact and routing information. Be diligent. The more crass versions of this are usually targeted at the CFO or whomever is in charge of accounts payable. The usually craft the email or voicemail to look like it’s from the the CEO. The more advanced versions of this come in different forms but are usually over longer-form communication and hunting for payouts in the hundreds or millions of dollar ranges. Be diligent. Verify.
“Good afternoon, Mr. Franklin. This is Kevin from Microsoft. Are you sitting down? Unfortunately we learned that your computer was hacked…”
This is another common scenario that we saw again literally yesterday. This is how a bunch of different scams start. The bad guy on the other end claims to be from Microsoft and they start using scary words like hacked and exploited and viruses. They almost always get you to open the Event Viewer which is a program that has the word Security next to some numbers. They prey on people that get scared when Security is next to numbers in something they’ve never seen before. Then they claim that they can help. Sometimes they claim that they can fix the problem if you install software which they then use to effectively hold your computer hostage until you send them money…usually in gift cards. Sometimes wire transfer or credit card. Depending on what country you live in, they might start the call with a lot of really scary personal information. Here’s another new story specific about IRS scammers. Check with your local law enforcement to understand what to do if you get a call like this. The answer will probably be “report it.”
Another security red flag is when someone wants you to sign in to your corporate accounts…on their web page. Or just give them permissions to your corporate account. Surprisingly simple. Remember, they probably don’t want to steal your information unless you’re the CFO or have credentials to access really important company stuff. What they’re really looking to do is impersonate you and get you or someone else in the company to send them money. Or lock up company resources and ransom them back to the company. Which is basically money with more leverage. Money. They want your money.
Some Microsoft products have these “powerful” capabilities that you can unlock by allowing macros. There’s almost no real business need to enable macros. Maybe like one guy that works in finance and that guy spends way too much time with the security department. You don’t need macros. If you get a file that wants you to enable macros, DON’T. Send the email to your security team. Send it to the security team even if you know the person it came from. Remember: the bad guys want your money. If you do enable something you shouldn’t, talk to your security manager. There’s no shame in a mistake.
This one’s less on corporate security and more just for you. Unemployment Benefits. You need to go to your local employment office’s website and make an account. You do not need to file for unemployment. Unless you’re unemployed. The reason you need to make an account is because we’ve seen a ginormous increase in false unemployment claims which is basically having your identity stolen. It’s quick and easy and protects you.
The next piece we’ll cover is, or should be, common sense. If our security team gives us security controls, we need to use them! Don’t look for work arounds or shortcuts. Use the tools that they give you. Like two- or multi-factor authentication. Those little apps that give you a six to eight digit code when you login? Yeah, those. Use them. If you are setting up a new system and they have the option to use one of those systems, opt in. They are hugely important. Crazy important. Just do it. If you find a work around or security hole or the app that’s supposed to give you your code is really, really bad, tell the security team. Give them feedback. They can’t help protect you if they don’t know there’s an issue. What I’m saying is this: if you see something, say something.
The last topic we’re going to cover today is a small attempt to demystify the bad guys. We don’t always know their situation, their motivations, and what they’re good at. What we do know is that generally they want your money and your company’s assets. They don’t care how big your company is. They don’t care about how much ROI you have. They don’t care about your bottom line. They care about your top line. You have money. They want it. They’re pretty smart. They have time. They’re motivated. They’re organized. They’re hungry. They’re well resourced. Don’t believe me? Here’s Brook Chelmo’s experience of the two weeks he spent with a Russian ransomware group. The takeaway here is: be diligent.
Security is something we’re all responsible for. In fact, let’s change the narrative a little bit. Let’s switch from “Security is” to “We secure.” Let’s make it active. Let’s build the trust with our security team so that we can secure ourselves, our team, our peers, and our company. Our market is competitive and we need every dollar to compete in the market. The bad guys want our money. Don’t give it to them. Be diligent. Secure the team. And when we do screw up, no shame.
Additional Resources
- Avoid common mistakes when “Getting into Cyber” – Why You’ll Fail in Cybersecurity
- Dive deeper into security. Check out this link here. It’s a great way to determine if a career is interesting — How to Learn Cyber Over the Weekend: An Orientation in 48 Hours
- The cyber field is very broad. Figure out which direction you might want to go or which certification to get next here — How to Pick Your First/Next Cyber Certification
- Which threat should you protect against? What are bad guys trying to do? Your Latest Insider Threat Is Actually an APT
- Go WAYYY down the rabbit hole, check out this intro into malware analysis and reverse engineering — Break in to Tool Dev / RE
This article was originally published at: https://www.linkedin.com/pulse/shame-security-stephen-semmelroth-/