Defense in Depth: Reducing the Human Risks in Cybersecurity
Author’s Note: Our Defense In Depth series will demonstrate how, over the past several years, Corso Systems has helped companies implement security. The series includes relatively easy best practices, like securing your systems with user accounts and segmenting your network with firewalls so that only the traffic necessary to move between each part of your operation is allowed. We will also discuss more complex technologies such as threat detection and backups/disaster recovery, so you can get back up and running even in the worst-case scenarios.
Even in 100% fully automated, lights-out manufacturing facilities, and especially in critical infrastructure systems (utilities, wastewater treatment, communications, dams, and many more), people are involved at some step of the process. Attackers keep finding more clever ways to compromise systems, but one of the most common ways they get in is through people not following security best practices.
A report from networking powerhouse Cisco ties the top 2 cybersecurity threats specifically to phishing attacks. Things we have run into at Corso Systems include a “representative” from a company calling right after a domain name registration, trying to get us to give them our credit card info; similar text-based attacks coming from legitimate bank numbers, trying to get us to log in to a spoofed login page for the bank in question so they could steal our passwords; and the ever-present threat of email attachments containing malware.
If your people know how these attacks work and are on the lookout for them, they are easily avoided. IT can incorporate better threat detection and spam filtering to block these types of emails before they reach your users, and you need to instill a culture of “check first before doing ANYTHING with something that looks suspicious.”
This post focuses on common attacks your people will face, and how to avoid them.
Phishing Attacks
Phishing attacks can come from anywhere on just about any communication method you use. We commonly see them come across via email and SMS messages. The Federal Trade Commission in the US has a great article on how to detect and deal with these types of attacks properly.
You may see these all the time on your personal accounts. A streaming service may reach out saying there is a problem with your billing and your account is on hold, you may be told you are eligible to get something for free, or you might even have a relative reach out asking for help with something. In every case you just need to click a link or open an attachment to get more information.
In the business world these more commonly arrive as invoices, likely from companies you have never heard of, with a PDF attachment. Your employees might receive an email that appears to be from you asking them for help, and you might get information about a package you never ordered that is having an issue being delivered.
Email Attacks
The first thing you should do when receiving any email, even a legitimate one, is check the sender’s address. In many cases you may see something like accounts@streamingservice.someotherdomain.com, or a bunch of gibberish in the email address. It is possible to spoof legitimate email addresses, so this should not be your only line of defense.
You should also consider who is sending the email and who is receiving it. If the CEO of a company is emailing junior employees on your team, this is a red flag. If you typically work with people on the vendor’s team and receive an email from an executive instead, this is also a red flag. Alert the people you typically work with so they can handle things on their end.
If the email is regarding an invoice you know nothing about, a payment you know nothing about, or something else with an attachment, ESPECIALLY if it comes from a bizarre email address, you should alert IT to quarantine the email. Do not under any circumstances open the attachment.
If there is a link to click, instead of or in addition to an attachment, under no circumstances should you click the link. Alert IT and let them handle it as well.
If the email looks like it is from a company you deal with and could potentially be legitimate, pick up the phone and call them to handle it directly. If it isn’t legitimate they can look deeper into things on their side, and if by chance it is legitimate you can work it out as needed.
Another “spidey-sense” clue is the wording of an email. If it seems like it was written by copying text from another language into Google Translate, it probably is not legit. A couple of years back a bunch of Corso Systems employees received an email from the CEO of one of our vendors. It was sent to our CEO, as well as a number of employees across the entire org chart. No one at Corso Systems had ever dealt with the CEO before, the email was worded in a weird way, and junior employees also received emails asking about the status of some project no one had ever heard of. We alerted the folks we normally work with at the company, and they had received numerous reports of the same thing from a bunch of other companies. Their email system had been compromised.
When in doubt let IT figure it out, or pick up the phone to verify things.
You should also enable multifactor authentication on any account that offers it. Even if an attacker gets your username or password, the account will text you a code to verify that you are actually the one logging in. If you receive a code when you weren’t trying to log in, you should immediately call the fraud department.
SMS Attacks
The same concepts that apply to email attacks hold true for SMS attacks. Most commonly these will be things like banking or financial transactions that need verification, or a notice that your card was used in some rural city no one at your company has ever been to. You simply need to log in to the bank using the provided link to update things.
If you click the link you will be taken to a login page that looks suspicious if you have ever gone to the legit site yourself. It might not have a lock in the address bar, meaning it isn’t set up for HTTPS, and it might also be on a weird domain like BankName.ru instead of BankName.com. It won’t be exactly what you would see on the official site, but it will look close enough, especially on a mobile device.
In this instance you need to call the company in question directly. If it is a bank or financial institution they will help you figure out what is going on, likely have you change your password yourself, and potentially send out a new card for the account. If it is about a weird transaction, sit down at your computer, log in to the account, and check for any weird transactions. There likely won’t be any, and you can reach out to the bank directly if there are. Banks will typically never ask you to do anything directly like log in to your account or call them on a weird number to verify something. Their fraud detection departments will happily respond when you call them, and will generally only let you know something bizarre is going on and tell you to call the number on the back of your card to get things resolved.
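As an added illustration of the two checks described here and under Email Attacks (the sender’s address and the lookalike login domain), here is example code written for this post, not Corso Systems’ own tooling. It assumes a constructed allow-list of the domains each brand actually uses.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allow-list for the example: brand keyword -> registrable
# domains that brand actually sends mail from / hosts its login page on.
EXPECTED_DOMAINS = {
    "streamingservice": {"streamingservice.com"},
    "bankname": {"bankname.com"},
}


def registrable_domain(host):
    """Last two labels of a hostname: 'x.y.example.com' -> 'example.com'.
    Simplification: not public-suffix aware (e.g. .co.uk), no IDN handling."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header):
    """Classify a From: header value as ok / suspicious / unknown."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parsable address"
    host = addr.rsplit("@", 1)[1]
    reg = registrable_domain(host)
    for brand, good in EXPECTED_DOMAINS.items():
        if reg in good:
            return "ok", f"{reg} is a known {brand} domain"
        # Brand name buried in a subdomain, e.g. accounts@streamingservice.someotherdomain.com
        if brand in host:
            return "suspicious", f"'{brand}' in {host} but registrable domain is {reg}"
        # Display name claims the brand while the address points elsewhere
        if brand in display.lower():
            return "suspicious", f"display name mentions {brand} but address is {addr}"
    return "unknown", f"{reg} is not a known brand domain"


def check_link(url):
    """Flag non-HTTPS links and lookalike hosts such as BankName.ru."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    for brand, good in EXPECTED_DOMAINS.items():
        if brand in host and reg not in good:
            reasons.append(f"lookalike host {host}, expected one of {sorted(good)}")
    return ("suspicious" if reasons else "ok", "; ".join(reasons) or "no issues found")
```

A mail filter or a browser-side warning would run the same logic; a passing result only means the address or link is not an obvious lookalike, so the “call them on a known number” advice still applies.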
The main trick up the attacker’s sleeve is piquing your curiosity enough with something that could be legitimate while trying to get you to slip up in your security habits.
NEVER use the link or phone number in the text message to call back. This will take you right to the scammers. Use an official number from the company website and let them help you solve the problem with the scammers. There is likely not an actual problem.
AI-Based Attacks
With the rise of AI tools and voice cloning, it is becoming increasingly common for attacks to come from spoofed numbers with a person on the other end pulling you into the scam. If voice cloning is being used it may sound exactly like the person you expect to be talking to, and the call will appear to have come directly from their number.
It is relatively easy for attackers to spoof numbers. If you have your number on the company site or registered to any official accounts you will eventually receive a call from your own number. It is a weird experience to have your own phone number pop up when your phone starts ringing!
If attackers can spoof your number, they can spoof anyone’s number.
The trick in any scenario like this is to hang up immediately and call the person back directly. The one benefit is that spoofing only works on incoming calls, so if you call them directly you are totally in the clear (at least as of the time of this writing).
Another common trope is to get a call that your child got arrested and needs you to wire whoever is calling you a bunch of money to get them out before things escalate. In that case call your kid directly and see what’s going on. This has happened to a number of Corso Systems employees, and even the barest minimum of security best practices and habits was enough to avert disaster.
Wrapping Up
The reason these scams are popping up more and more, especially with regard to banks, is the prevalence of a service called Zelle. While it is a great tool for easily sending money to people without incurring fees like those on wire transfers, it is EXTREMELY difficult to get your money back if it was sent with Zelle. If an attacker has access to your account you effectively have zero recourse, because there is no way to tell you weren’t the one who initiated the transfer.
Set up multifactor authentication on any account that offers it, don’t share passwords across your accounts, and be aware that when things don’t feel right, they likely aren’t.
Please take this post to heart and make sure you have everything you need in case disaster strikes, wherever it may come from.