Saturday, March 11, 2023

How To Avoid A Cyber Threat By Smelling Out The Urgency

There is one thing that is for sure in the Cyber world today: the attackers are getting more and more clever in what they do. In fact, the phony websites and Phishing-based emails look so real now that it is almost impossible to tell what is real and what is not. Even for the Cyber experts this can be a problem, as they can be duped into becoming victims as well. So what do they do to tell the difference?

Here are some clues that even the experts use to make sure that they think twice before clicking on that email or visiting a questionable website:

1) Taking the time to breathe:

There is no doubt that all of us, in today’s society, get tons of emails in our inbox every day. Heck, even I do. Most of them are from other Cyber vendors, and a lot of them are just newsletters or some other piece of content, such as alerting people about the latest threats that are out there. In fact, it has gotten so bad that not only do I mark most of them as Spam, but even some legitimate emails go into my Spam folder as well. So I have to comb through that too, wasting more time. What I am trying to get at here is that there are times you might be expecting a real email from somebody that you actually know. But instead, by coincidence (and I do mean that), you get an email from a Cyberattacker. This psychological phenomenon is also known as “Confirmation Bias”. Technically, it can be defined as follows:

“The tendency to process information by looking for, or interpreting, information that is consistent with one's existing beliefs.”

(SOURCE: https://www.darkreading.com/risk/scams-security-pros-almost-fell-for)

Let me illustrate this with an example. A few years ago, during the holidays, I had made a purchase using my PayPal account. About 5 minutes later, I got an email from PayPal saying that the transaction did not go through. Of course, I was quite alarmed, and I clicked on the link to respond without checking it first. When I logged in, I realized that I was at a phony site. I logged out immediately and called PayPal. They said that they never sent such an Email. So I quickly changed my password. To this day, I don’t even know how it happened. Somehow, Cyberattackers are aware of your behavior, and when you do make a legitimate purchase at a reputable Ecommerce store like Amazon, they send you a Phishing Email a few minutes later stating that something is wrong with your account. Because of this sense of urgency, you respond. The moral of the story here is this: even if you are expecting an Email from somebody you know, always contact them to make sure that they sent it.

2) Submission to authority:

From the moment that we are born, we are taught to obey our elders, especially those in a position of authority. This is of course a good trait to have as we evolve into adulthood, but it is yet another area that Cyberattackers use to make unsuspecting victims fall prey. In fact, disguising oneself as this kind of figure falls into the realm of what is known as “Social Engineering”. This is where the Cyberattacker uses techniques that particularly prey upon our most vulnerable emotions and feelings.

I can relate to this from a long time ago. I was not in Cyber back then, but rather, I was a creative writer. But even back then, Smishing already existed. Long story short, I got a phony call from somebody stating that they were from the IRS. They made claims about a tax return that was in error from a few years ago. Being much more naïve back then, I fell for it. They made further claims that I owed $3,000.00 in back taxes and that I had to make payment with my credit card. I immediately hung up. They kept calling back, and eventually I answered the phone. The guy on the other end (who claimed he was from the IRS) even yelled at me to make payment. Again, I started to fall prey to this, and almost gave out my credit card information. Something inside me made me hang up, and I did. Eventually they stopped calling. I called the Secret Service, and they said that the whole thing was a scam. Luckily, they never got my credit card number.

This can happen in the physical world as well. There are even stories of people who dress up as cops and somehow get flashing lights installed on their cars. They then pull somebody over and use that as a technique to cause far graver harm to their victim than a stolen credit card number.

Again, the moral of the story here is that if you ever get a call, a Phishing email, anything like that, or even something suspicious in the snail mail, never respond quickly to it. Take your time, go through it, and try to confirm its legitimacy, if any. If you have any doubts, always contact the sender. On that point, Cyberattackers have even resorted to using the USPS as a means of reaching out and luring victims into their crosshairs.

My Thoughts On This:

As you can see here, the common thread is invoking that particular sense of urgency. And this is what the Cyber pros look for when trying to detect a fake site, a phony call, or a Phishing email. So keep one thing in mind: there is always time. A legitimate and true organization will always give you some sort of time period to respond in, and it will be a reasonable one.

So if you get anything with a sense of urgency attached to it, first, take your time and breathe. Read and reread your Email, snail mail letter, etc. over and over again. Try to find any clues as to whether it is a fake or not. Look for things like spelling mistakes, capitalization, misuse of grammar, etc. Any doubts? Call the sender before you do anything!!! And remember, always trust your gut. If something does not feel right, delete it, or just throw it away.

Also keep in mind that with the emergence of AI now coming into the world, it will be even more difficult to tell what is real and what is not. This is especially true of ChatGPT, the latest AI craze. But that will be a topic for a future blog.
