CSANews 98

CSA Online

The New Threat: Spear Phishing

You might have noticed that the URL is a reasonably clever attempt to look legitimate. It could easily fool someone who was just skimming the text. If you clicked that link, you would be sent to a site that looked very much like (exactly like, if the ne’er-do-wells are any good) your bank’s main login screen, the PayPal login page, or whatever else the message claims to come from. Enter your username and password there at your peril.

Phishing attempts like this are relatively easy to spot. They are also pretty easy to avoid by following one simple rule: never click a login or password reset link in an e-mail unless you are expecting it.

Phishing works on the idea that if you send a message out to people en masse, some among the thousands of recipients will be clients of the Recognizable Reputable Institution you purport to represent. From that pool of people, the crooks just hope that at least one will click the link and enter their username and password, thereby landing themselves in a world of misery.

More worrisome is a newer tactic called “spear phishing.” Phishing, as outlined above, is crude by comparison; it casts a wide net and just hopes to catch a hapless someone. Spear phishing, on the other hand, has someone in mind. Rather than sending a bulk message and hoping that it rings true to someone, spear phishers already have some information about their victims. Done well, it is surgical social engineering that could catch any one of us unaware. It uses the same core concepts as regular phishing, but in a more refined and targeted way.

The whole idea of spear phishing is predicated on one core idea: “Dear Your Name” carries a lot more weight than “Dear Sir or Madam” or “Valued Customer.” A name is the simplest example. Home addresses, birthdates, even just the names of friends can serve as the narrow end of the wedge used to pry more sensitive information from victims. In short, a little information, used judiciously, goes a long way toward getting us to let our guard down.

If a phisher gets access to one of our online accounts, say e-mail, there is no end of things that they can do. First, they can try the same login and password on a bunch of different sites to see if anything comes up. If you are using the same password for a bunch of different online services, this could mean trouble. Failing that, the phisher can use the standard password reset function and, having full access to your inbox, can field and complete all of the password reset procedures, simultaneously gaining access to your important accounts and locking you out of them.

Here is what a spear phishing attempt might look like.

From: Recognizable Reputable Institution
To: You@YourEmailAddress.com
Subject: Important account security information

Dear Mr. Moore-Crispin,

This is an automated e-mail. You are receiving this because recent usage on your Bank of Cash Money Aviator Gold Platinum card triggered a fraud warning. The specific charges we’re following up are as follows:

- $8.44 at OMG Great Burritos on 04/11/2016
- $983.11 at Rhinestone Encrusted Shoe Store on 04/12/2016

If these charges are legitimate, no action is required. If you don’t recognize them, we need to speak with you immediately. Please call our fraud prevention team at 1-844-647-3845. Please have your credit card, client card and personal information ready to verify your account details.

Thanks,
Recognizable Reputable Institution

It’s pretty convincing. The inclusion of my name at the beginning already has my guard going down. The inclusion of a phone number adds another level of legitimacy. Note that this message contains no link at all: it asks you to call a number of the sender’s choosing and to have your card and personal details ready, so the “verification” happens on a channel the crooks control.

How not to be a victim

• Never click a security-related link in an e-mail unless you have specifically taken an action to receive that e-mail.
• Don’t click account-related links in e-mails. Instead, go directly to the page in question (e.g. your online banking portal) by typing the address yourself or using a bookmark you saved earlier.
• Don’t call phone numbers sent via e-mail unless you’re sure that they’re legitimate. If you do need to call, use the number found in the “contact” section of the institution’s website.
• Use unique, secure passwords for all of your online accounts. If nothing else, do this for the most sensitive ones, starting with your e-mail account, since password resets for everything else flow through it.
• Take control of your social media privacy settings. For example, go to www.facebook.com/privacy to see how your posts are being shared.

CSANews | SPRING 2016 | 41
