In the last two weeks, we have seen an increase in reported successful password guessing and social engineering attacks.
Password Guessing: In the most basic type of password attack, the attackers simply attempt to guess a user's password. No matter how much security education users receive, they often use extremely weak passwords. If an attacker can obtain a list of employees in an organization (can be achieved through LinkedIn, and other business social media sites), they can often make educated guesses about a user's username and password. They don't need to get everyone's usernames and passwords right; they only need one to gain access to a business network.
The countermeasure to password guessing attacks is to use complex passphrases (upper and lower case letters, include numbers and characters, and at least 8 or more characters), and change your password at least every ninety days.
Social Engineering: It is one of the most effective tools attackers use to gain access to a system. In its most basic form, a social-engineering attack consist of them posing as technical support representatives, an email that looks like your online account asking you to reset your password for access (phishing emails), or an attacker will impersonate an authority figure in your company who needs information immediately (CEO Fraud). Most users are vulnerable to phishing emails because attackers can make the email look professional, and make them appear like they are from someone you know.
The countermeasure to Social Engineering attacks and phishing email is first to stop, think, and investigate before you click on an email, reply to an email from your CEO requesting you to wire funds from your bank right away, or give away information over the phone to a fraud tech support person.
Before you click on a link in a questionable email, hover your mouse over the link in the email, and you will see the embedded URL address on the lower left side of your screen. You will see right away if the URL matches the content of the email. If not, you should delete the email immediately.
Password request from your bank, email provider, or any other sensitive account access. If you get an unexpected email prompting you to change your password by clicking on a link, DO NOT do it from the email. It is most likely a phishing email. Instead, open a web browser and go directly to your account online, and make changes when securely logged in, and make changes directly from your account access.
If you get an unusual request from your CEO or your boss to execute a wire or to provide important and confidential information via email, you can always call them or text to confirm the request. Set-up an internal policy to verify by phone, or text, or do wire transfers by dual custody before any critical information or wire transfers are to be sent out to anyone.
When in doubt, you can always call us directly at 760-752-8309, and we can help you determine if the email is a fraud. Remember, it is better to delete than to click.