Trust, But Verify

There are a lot of people and groups out there whose only motivation is to separate people from their money, online credentials (user names and passwords) and identity. The harm that can be done could be anything from minimal to very substantial. The time spent recovering from their exploits can be considerable. The targets can be extremely high profile.

The following is an example of a compromised target that is both unbelievable and a product of incompetence. It spanned the period when security needed to be at its peak: the inauguration and the protests around it.

Ransomware Takes Out 70 Percent of Washington DC Security Cameras
Washington, DC police security cameras covering areas of the city that included the presidential inauguration site were knocked offline for three days before they were restored to service.
This is why it’s essential to:
  • have top-notch protection (ideally Symantec Endpoint Protection; Windows Defender is no longer satisfactory); I can get and administer this for you if you’d like.
  • get a real backup solution in place (I suggest CrashPlan, unless you have your own backup appliance and backup software)
  • use best practices when living in the digital world (read on to grasp what these are)

Benjamin Franklin’s axiom that “an ounce of prevention is worth a pound of cure” applies to security practices just as well as it did to his intended subject of fire safety.

There are steps you can take to be careful while conducting business on the web. Here are a few you should consider and likely integrate into your best practices:

  • If you receive an email with a link (even if it appears to be from someone you know):
    • Be careful with that link:
      • If it takes you to a site that’s asking for your email and password:
        • check the URL of the site to see if it’s a site you recognize
        • intentionally enter an incorrect username and password:
          • if it accepts it, you know you just visited a site designed to steal your credentials and you avoided the trap.
            • Sound the alarm: Let other people know what you found as they’re likely targets of the same phishing scheme. Let your IT department know so they can try to get that site taken down.
          • if it doesn’t accept it, consider proceeding with authentication only if you expect to interact with the site, document or whatever is being provided to you.
  • If you receive an email with an attachment (even if it appears to be from someone you know):
    • Only download the attachment if you’re expecting it.
    • Scan it for viruses and malware before opening it (assuming your IT team provided you with solid tools for either A) Endpoint Protection, B) AntiVirus and/or C) AntiMalware)
    • Then only open it once you know it’s not infected.
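As an added illustration (not part of the original post), here is a small Python check that automates the “check the URL of the site” step above against a constructed allow-list of sites you recognize. TRUSTED_DOMAINS, the function names and the sample URLs are assumptions chosen for the example; it also flags the user@host and bare-IP tricks that make a forged login page look like a site you know.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed allow-list of sites the reader actually does business with
# (hypothetical; replace with your own).
TRUSTED_DOMAINS = {"dropbox.com", "docusign.com", "microsoft.com"}


def registrable_domain(host: str) -> str:
    """Crude 'site name' extraction: the last two labels of the hostname.
    Good enough for .com-style names; production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url: str) -> list:
    """Return the reasons a link is suspicious; an empty list means it points at a trusted site."""
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://www.dropbox.com@evil.example/ really goes to evil.example
        reasons.append("user@ portion hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a site name")
        return reasons
    except ValueError:
        pass  # a normal hostname
    site = registrable_domain(host)
    if site in TRUSTED_DOMAINS:
        return reasons
    # Lookalike: a trusted brand name appears in the host, but the real site is something else.
    flattened = host.lower().replace("-", "").replace("_", "")
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in flattened:
            reasons.append(f"looks like {trusted} but is really {site}")
            break
    else:
        reasons.append(f"unrecognized site {site}")
    return reasons


if __name__ == "__main__":
    for link in ("https://www.dropbox.com/login", "https://dropbox.com.login-verify.example/"):
        print(link, "->", check_link(link) or ["OK"])
```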
[Figure: Phishing email example] An email phishing scheme luring a user to give up their credentials.
[Figure: Forged Dropbox login page] A forged Dropbox login page designed to steal a user’s credentials.
[Figure: Forged DocuSign® page] A forged DocuSign® page luring users to give up their credentials.

What to do if Your Credentials Were Phished?:

If you think you may have turned over your username and password to a phishing website, take immediate action to ensure you remain in control of your account, as follows:

  • Immediately change your password
  • Verify that your account’s recovery information was not updated: recovery email, cell phone, security questions. If they were, change them back. If you can’t change them back, contact your account’s technical support and ask for help.
  • Check for unauthorized:
    • transactions (Cancel any found)
    • sent emails (contact the individuals and explain that they were not sent by you. Let them know to be careful as they may have been phished.)
  • Immediately change the passwords to any other accounts you have that had identical or similar passwords; the hacker may try every popular eCommerce site to see if they can purchase items using your credentials and saved credit card information.
  • Review your password practices and:
    • Install a password manager (Dashlane or LastPass)
    • Ensure your passwords are complex (at least 8 characters, upper and lower case, numbers and special characters; no sequential numbers or letters). Certainly do not use “password” or anything easy to guess.
    • Your password manager’s password must be unique and not shared with anything else.
    • Your banking password should be unique from other types of sites.
    • eCommerce passwords must be unique (consider using a part of the site’s name as a prefix or postfix to your password to mix it up)
    • All other sites used for browsing could share a common password if you’d like, however, if you use a password manager, that’s not necessary.
  • If Two Factor Authentication (2FA) is available, set it up and use it.
    • 2FA requires you to not only provide your username and password, but also enter a code from a device only you would possess; e.g., after providing your password you’d get a text to your cellphone with a code to enter, or you’d have an RSA SecurID token with a code that changes every few seconds that would have to accompany your user name and password.
  • Do all you can to ensure your identity is not being misused:
    • Set up Google Alerts and get alerted for important terms; e.g., your name, business name, accounts, etc.
    • Consider setting up a credit watch
    • Contact your banking institution(s) and credit card companies to ensure there’s no fraudulent activity
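As an added example (not part of the original post), the password rules listed above, at least 8 characters, upper and lower case, numbers, special characters, no sequential letters or numbers, and nothing like “password”, written as a Python checker you can run against a candidate password. FORBIDDEN_WORDS and the function names are assumptions; the sequence check generalizes the rule to any three-character ascending or descending run.

```python
import string

# Constructed list of guessable words; a real deployment would use a breached-password list.
FORBIDDEN_WORDS = {"password", "passw0rd", "letmein", "qwerty"}


def sequential_run(s: str, length: int = 3) -> bool:
    """True if s contains `length` consecutive letters or digits that step by +1 or -1
    (e.g. 'abc', '123', 'cba'), checked case-insensitively."""
    s = s.lower()
    for i in range(len(s) - length + 1):
        window = s[i:i + length]
        if not (window.isalpha() or window.isdigit()):
            continue  # mixed letters/digits are not a simple run
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_problems(pw: str) -> list:
    """Return every rule from the list above that the password breaks; empty means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if sequential_run(pw):
        problems.append("contains sequential letters or numbers")
    lowered = pw.lower()
    if any(word in lowered for word in FORBIDDEN_WORDS):
        problems.append("contains an easy-to-guess word")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "Tr7#kq9Vm"):
        print(candidate, "->", password_problems(candidate) or ["OK"])
```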
