Compliance

Holiday Phishing

As the holiday season quickly approaches, hackers are hard at work targeting businesses and consumers. Now is an excellent time to review traditional phishing methods and the evolution of tactics we’ve seen this year. Even though most people can recognize and avoid email phishing attacks, they still account for 90% of data breaches. This time of year, consumers look for deals in their emails, and criminals are getting much more strategic with phishing campaigns.

Hackers are trying to steal a wide variety of data with phishing techniques, including personal and financial information, login credentials for retail sites, or business login credentials to install malware and steal business data. Since the pandemic, shopping from work computers and accessing work data from personal computers has become such common practice that criminals are using retail phishing tactics to attack business resources.

Email phishing is still the top phishing tactic, even with all the consumer education and email filtering. Phishing emails typically create urgency or play on the reader’s emotions to get them to click a link. Phishing email campaigns target a large number of users; they are normally sent out to thousands of people in the hope that a percentage will click on the link.

Spear phishing is the next most prominent type of phishing. Spear phishing campaigns target individual users with information pertinent to that person. Spear phishing emails may use your name, city, bank, workplace, or other publicly available information.

Smishing is the third most prominent type of phishing. Smishing uses text or SMS messages to initiate the attack. Common smishing techniques are fake discount deals, delivery confirmation, and password recovery.

All phishing attack vectors attempt to create urgency or play on the emotions of the user. They may offer a Black Friday deal or say that your account needs attention because the password has been changed. A common vector is to ask the user to confirm an expensive online order or show a fake shipping confirmation for a retailer you frequent. The holiday season is a great time of year to remind employees and family members of the dangers and tactics of phishing campaigns.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn and stay up to date by subscribing to our email list.

Posted by Charles Wright in Back to Basics, Cybersecurity, Information Security, Recent Posts, Small Business

LinkedIn Security Updates

LinkedIn released some new security updates in an effort to combat fraud and bot accounts across the professional social media platform. LinkedIn is the most impersonated brand in phishing attacks by a considerable margin at 45% of impersonation attacks, with Microsoft as a distant second at 13%. Phishing on LinkedIn Messenger has also increased in popularity among criminals. Most phishing messages quickly ask users to take the conversation off LinkedIn and then attempt to steal money or information, or to install spyware on the victim’s device.

LinkedIn also has a bot problem. The site started purging accounts early in October, and the move attracted attention online. Users who reported working for Amazon went from 1.2 million to 800,000, and users working for Apple went from 570,000 to 280,000 over the same 24-hour period. Cybersecurity professionals speculate that bot networks could generate broader attacks by connecting to industry professionals and scraping their public information.

LinkedIn introduced three security tools to help their professional community identify fraud and eliminate bots. The first tool is “About this profile,” which shows if the user has verified their phone number and work email address. The menu also indicates when the user joined the site and when they updated their contact information and profile photo. The move should help users identify fake accounts and make it more difficult for criminals to maintain multiple profiles.

The second tool LinkedIn identified is a photo scanner designed to flag AI-generated profile photos. Criminals are not just creating individual fake accounts to scrape the platform. To construct the droves of fake accounts needed, they are using AI-generated images as profile pictures.

The third tool is a messenger tool that alerts users and blocks the message when the potential criminal tries to move the conversation off the LinkedIn platform.

Image from LinkedIn

An example of the new chat tool from LinkedIn is shown above. The new tools aim to protect users and educate them about the tactics used by criminals on the social media platform.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business

IoT Federal Rating

The Federal Government is taking steps to assign Internet of Things (IoT) devices a security rating similar to how they give Energy Star Ratings to energy-efficient products. IoT devices are any “smart” devices that can connect to the internet and interact with apps or other devices. Read our blog post on IoT devices here. These types of devices in the home are increasing rapidly. Everything from refrigerators to thermostats and door locks can be connected to the internet and are subject to security compromises.

The security of IoT devices is particularly timely now because of the rise of DDoS attacks we have seen over the past few weeks. Compromised IoT devices are commonly used to create botnets that can be weaponized and pointed at websites or businesses to disrupt traffic and take down services temporarily, like we saw fifteen airports deal with last week. Securing IoT devices is the first step in making the devices unavailable to criminals looking to weaponize devices.

Many devices are sold with a default password to help users with setup. The instructions typically tell consumers to change the password, but few follow the steps needed to secure the device. Leaving the default password opens the device up to multiple compromises. In the case of a camera, the criminal could view or control the device. In the case of a router, the compromised device could serve as a jumping-off point for criminals to explore the network looking for personal or financial information. Lastly, as cited above, the compromised device could be added to a botnet and used to attack other businesses or websites.

The Federal rating would help consumers choose more secure devices that have met the requirements needed for approval. The Federal label would start with IoT home cameras and routers, to secure the most critical and at-risk devices first.

Posted by Charles Wright in Back to Basics, Cybersecurity, Information Security, Small Business

Cybersecurity Awareness Month

October is Cybersecurity Awareness Month and this year’s theme is “See Yourself in Cyber.” The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) campaign focuses on the individual this year to communicate that while cybersecurity is complex, it comes down to people. The campaign is also based on current data, which shows 82% of breaches involve human error, and the average cost of a data breach increased again this year to $4.35 million.

Phishing campaigns have continued to evolve this year with Ransomware as a Service (RaaS), Hackers Getting Around MFA, and AiTM Attacks; the focus on the individual follows the data.

This year the campaign is focused on four essential cyber hygiene points everyone should follow.

  • Think Before You Click: Recognize and Report Phishing: If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
  • Update Your Software: Don’t delay — If you see a software update notification, act promptly. Better yet, turn on automatic updates.
  • Use Strong Passwords: Use passwords that are long, unique, and randomly generated. Use password managers to generate and remember different, complex passwords for each of your accounts. A password manager will encrypt passwords, securing them for you!
  • Enable Multi-Factor Authentication: You need more than a password to protect your online accounts, and enabling MFA makes you significantly less likely to get hacked.

The campaign also focuses on those in the industry and those interested in becoming cybersecurity professionals. The campaign calls on individuals to “See Yourself taking action to stay safe online,” on those interested in cybersecurity to “See Yourself joining the cybersecurity workforce,” and on those already in the industry to “See Yourself as part of the solution.”

CISA provides resources for businesses and individuals for Cybersecurity Awareness Month. Click here for more information.

Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business, Virtualization