Have you ever received an email from an unfamiliar source and wondered, “How did they know that information?” or “How did they get my email address?”
Cyber threats continue to evolve to make it easier for attackers to trip you up. From the “ILOVEYOU” virus email message of the early 2000s to today’s QR code emails, their tactics have changed. What hasn’t changed is the bad actors’ motives to swindle you for financial gain.
Staying abreast of the latest cyber threats is especially relevant now that it’s October — cyber security awareness month. This year, the Cybersecurity and Infrastructure Security Agency (CISA) announced the launch of a cybersecurity awareness program, Secure Our World.
The program focuses on how individuals, families and small to medium-sized businesses can protect themselves by taking these four critical actions:
- Use strong passwords
- Enable multi-factor authentication (MFA)
- Recognize and report phishing
- Update software
In this article, we’ll cover how bad actors are trying to manipulate you and how to take action to shut down these threats.
Evolving Cyber Threats
In the early stages of email attacks, hackers relied on computer code to gain access to and extort money from businesses. To combat this malicious code, anti-virus software was created. It started out as an effective solution, but a lot has changed since then. Every time adequate anti-virus software was applied to one type of attack, the attackers developed new ways to trip us up.
These attackers pay close attention to current trends, and they gravitate to what gets their targets in their grasp to extort money from them. So, what are their latest tactics?
Beware of QR Codes
The latest exploit uses the now ubiquitous QR code to conceal the true nature of the sender’s link. This also attempts to add legitimacy to the attack given that QR codes are widely used, familiar and, therefore, more trusted.
Attackers hope that when you receive a QR code from a sender, you’ll be curious and feel comfortable scanning it, especially if the attackers are impersonating a sender that you know (what’s known as spear phishing), like Amazon or UPS. Unlike hyperlinks in emails, you can’t hover over a QR code to verify whether a link is legitimate or a potential threat.
We see QR codes all over the place — they make it easy to order food at restaurants or visit businesses’ websites, but that doesn’t mean they’re fool proof. Stay diligent and think before you scan.
Let’s say you receive an email from someone who appears to be your colleague in HR asking you to scan a QR code in an email to enter into a companywide giveaway contest.
What should you do?
The first thing to do is confirm who actually sent you this email. Is it your colleague, or is this a spear phishing attack? Check the email address to see if it is your colleague’s correct email. Then, on a separate channel that is not your email, (either in-person, by phone call, Microsoft Teams chat, etc.), contact your colleague to see if they actually sent this email to you. If they have no idea what you’re taking about, quickly report the email as phishing so your IT department is aware of the threat and can protect other members of your organization.
The Role of OSINT
If you’re confused and unnerved by how bad actors are getting your information to launch a potential attack, look no further than Open-Source Intelligence (OSINT) for the answer. OSINT is a tool attackers use to take advantage of the availability of your information online.
They scour the details on your company website or social media accounts to pinpoint situations and context clues that make you and your coworkers susceptible to an attack. For instance, if you post that you’re out of the office at a seminar, they can tailor a spear phishing attack to imitate you and target one of your colleagues who is online. If they don’t know or remember that you’re out of office, your colleague can easily mistake the attacker as you sending them a legitimate message.
Remember when people would post on social media that they are on a fabulous vacation for two weeks, and were essentially letting any would-be thief know their house was an easy target for a crime? The same thing can happen with cyber criminals and businesses. By advertising when and where you will be, you’re contributing to the open-source information that attackers are using to manipulate targets.
Be aware and monitor the accessible information about you and your organization in all corners of the Internet. OSINT makes it that much simpler for bad actors to carry out successful cyberattacks.
Look Out for These Red Flags
It’s your responsibility to keep you and your organization safe from falling victim to a cyberattack, and that’s not something you can do passively. You must make sure you prioritize taking action to guard against an attack.
So, what does this entail? CISA directs you to use strong passwords, enable multi-factor authentication (MFA), recognize and report phishing, and update software. That may sound straightforward enough, but when it comes to recognizing phishing, things may be more obscure. You can set strong passwords, enable MFA and update your software. However, attackers are directly targeting you through communication channels with phishing. attempts, so the burden falls on you to protect yourself.
Be leery of these “red flags” that indicate phishing and other social engineering attempts used by attackers:
- An undue sense of urgency. If the message contains an urgent request out of nowhere, question whether it is legitimate.
- A request for financial or payroll information. Should an unknown sender or a sender impersonating a coworker reach out to you requesting any bank or payroll information, put your guard up.
- Demanding you to not disclose the action they’re asking you to take. Secrecy allows bad actors to keep you from verifying whether a correspondence is legitimate, leaving members of your organization in the dark about a potential cyberattack. If an email says to not share it with anyone else, alarm bells should go off.
How to Respond to Suspicious Activity
If you encounter any of these red flags, move to a different channel to verify the sender. If you get a shady email that appears to come from your coworker, check with your coworker through a different method (phone, chat, in-person, etc.) to make sure it’s them. If it wasn’t them, report the email as phishing and alert your IT department.
Attackers are only getting more sophisticated, as we’ve seen with the use of QR codes in recent cyber threats and the widespread use of OSINT. It’s imperative that you and your team stay up-to-speed on their new tactics through regular cyber security awareness training. You must also keep a watchful eye on the information you put online that bad actors can take advantage of to target you.
Need Help?
Our Technology Solutions Group includes a team of cyber security experts. We’re happy to meet with you for a cyber security risk assessment of your organization’s IT infrastructure. Or, you can contact us online or call 410.685.5512 with any questions.