By: Dr. Angela Orebaugh

Cybercriminals are constantly developing new strategies to exploit our human inattention and weakness.  For example, phishing emails attempt to get a user to click on a link or open an attachment under the guise of a legitimate or well-known site.  As users become aware of less sophisticated phishing scams, cybercriminals have turned to popular news and current events to trick their targets. 

As concerns about the coronavirus outbreak spread, many users are receiving legitimate updates regarding the state of the virus, travel warnings, and protection and detection measures. Yet new phishing attempts have also arisen this month that bait users with news and information about the virus: emails carrying malicious attachments disguised as important information. The malware in these attachments is capable of stealing or destroying data or locking down the user's system with ransomware.

Another cybercriminal strategy actively preys on our emotions during various holidays. Love is in the air in February, and the FBI has warned of romance scams that target users on dating sites, apps, and social media. Valentine's Day phishing scams also include emails advertising deals on flowers and other gifts. Links in these malicious emails may deliver malware.

SHINE Systems would like to share these tips for protecting your organization from cybercriminals attempting to exploit human weakness:

1. Policy: Appropriate-use policies should prohibit the use of social media and certain websites on an organization's systems. Password policies should include parameters on password length, complexity, and expiration. More importantly, develop phishing awareness campaigns and train users to recognize scams. Phishing training should be an ongoing activity, not just a yearly event. There should also be a designated email address to which users can forward suspected phishing emails.

2. Practice: Enable security controls such as multi-factor authentication, patch management, spam filters, and anti-malware to provide additional protection against human vulnerabilities. Additionally, implement mobile security software on user devices that access the organization's networks and systems.

3. Posture:  An organization’s human security posture should be tested just as much as (or more than) the physical and logical security posture.  Test user phishing awareness by sending mock phishing emails and analyzing the response metrics. Use the results of the testing to adjust policies and improve security awareness and training. 
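The response metrics mentioned in the posture step are only useful if they are computed consistently from campaign to campaign. The following is an added example, not code from the original article or from SHINE Systems, showing how a defender might turn raw mock-phishing events into the numbers that drive the next round of training: click rate, report rate, median time-to-report, how many users reported even after clicking, and which users clicked in more than one campaign and warrant targeted retraining. The event format (campaign, user, event type, ISO timestamp) and the sample events are constructed for illustration.

```python
"""Aggregate mock-phishing campaign events into response metrics.

Added example; not part of the original article or SHINE Systems' material.
The (campaign, user, event, timestamp) record layout is an assumption, and
the events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample events from two mock campaigns sent two weeks apart.
SAMPLE_EVENTS = [
    ("2020-02-a", "alice", "delivered", "2020-02-03T09:00:00"),
    ("2020-02-a", "alice", "reported",  "2020-02-03T09:04:00"),
    ("2020-02-a", "bob",   "delivered", "2020-02-03T09:00:00"),
    ("2020-02-a", "bob",   "clicked",   "2020-02-03T09:12:00"),
    ("2020-02-a", "carol", "delivered", "2020-02-03T09:00:00"),
    ("2020-02-a", "carol", "clicked",   "2020-02-03T10:30:00"),
    ("2020-02-a", "carol", "reported",  "2020-02-03T10:35:00"),
    ("2020-02-a", "dave",  "delivered", "2020-02-03T09:00:00"),
    ("2020-02-b", "alice", "delivered", "2020-02-17T14:00:00"),
    ("2020-02-b", "alice", "reported",  "2020-02-17T14:02:00"),
    ("2020-02-b", "bob",   "delivered", "2020-02-17T14:00:00"),
    ("2020-02-b", "bob",   "clicked",   "2020-02-17T14:20:00"),
    ("2020-02-b", "carol", "delivered", "2020-02-17T14:00:00"),
    ("2020-02-b", "carol", "reported",  "2020-02-17T14:45:00"),
    ("2020-02-b", "dave",  "delivered", "2020-02-17T14:00:00"),
    ("2020-02-b", "dave",  "clicked",   "2020-02-18T08:00:00"),
]


@dataclass
class CampaignMetrics:
    delivered: int
    clicked: int
    reported: int
    clicked_and_reported: int          # reported even after clicking
    click_rate: float
    report_rate: float
    median_minutes_to_report: Optional[float]


def campaign_metrics(events, campaign):
    """Compute per-campaign metrics; each user counts once per event type."""
    by_kind = defaultdict(dict)  # kind -> {user: earliest timestamp}
    for camp, user, kind, ts in events:
        if camp != campaign:
            continue
        when = datetime.fromisoformat(ts)
        prev = by_kind[kind].get(user)
        if prev is None or when < prev:
            by_kind[kind][user] = when

    delivered = by_kind["delivered"]
    clicked = by_kind["clicked"]
    reported = by_kind["reported"]

    # Time from delivery to report, only for users with a delivery record.
    minutes = [
        (t - delivered[u]).total_seconds() / 60
        for u, t in reported.items() if u in delivered
    ]
    n = len(delivered)
    return CampaignMetrics(
        delivered=n,
        clicked=len(clicked),
        reported=len(reported),
        clicked_and_reported=len(set(clicked) & set(reported)),
        click_rate=len(clicked) / n if n else 0.0,
        report_rate=len(reported) / n if n else 0.0,
        median_minutes_to_report=median(minutes) if minutes else None,
    )


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    These are candidates for targeted retraining rather than a blanket reminder.
    """
    clicks = defaultdict(set)
    for camp, user, kind, _ in events:
        if kind == "clicked":
            clicks[user].add(camp)
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_campaigns)


if __name__ == "__main__":
    for camp in sorted({e[0] for e in SAMPLE_EVENTS}):
        print(camp, campaign_metrics(SAMPLE_EVENTS, camp))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Tracking the report rate and time-to-report alongside the click rate matters: a campaign where clicks stay flat but reports arrive faster still shows the training is working, and users who report after clicking (carol in the first constructed campaign) give the response team a chance to contain an incident that a silent click would not.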

Keeping informed of new phishing strategies helps organizations prepare for the latest creative phishing attempt. Having the proper policies and practices in place, and testing the organization's security posture, offers a layered defense against cybercriminals.