Identity management, as a concept, has been around for a while, although many of us are just hearing about it now. It sounds impressive, but what does it really mean, and are there steps your organization should be taking to ensure you have good identity management practices in place?
What is Identity Management?
Identity management (also called identity and access management or IAM) is just a fancy name with a high price tag that essentially covers all of the cybersecurity best practices you likely already have in place. The goal of any IAM strategy is to define and manage the roles and access privileges of all users on your network, and specify the circumstances under which users should be granted or denied privileges.
IAM Takes Cybersecurity Beyond the Workplace
While most organizations have robust cybersecurity practices already in place, the most significant shift IAM brings to the table is bringing cybersecurity out of the workplace and into the personal sphere.
As hacking and other forms of cybercrime become increasingly common, many individuals have begun to pay cybersecurity companies to protect their personal identity by monitoring their personal data for suspicious activities. Though this approach builds on basic best practices already in place, this is the first time these practices have been applied to individuals in a non-workplace setting, as the idea that individuals need to take steps to protect their personal digital assets continues to gain traction.
Identity & Access Cybersecurity Best Practices: A Brief Refresher
We have discussed cybersecurity best practices in the past. However, you should review your current cybersecurity posture frequently so you can ensure your current protocols continue to safeguard your digital assets and meet your needs.
Knowledge is Power
A lack of data can cripple even the best cybersecurity solution. Make sure your network is monitored 24/7/365 for suspicious activity and that all activity on the network is logged.
From an identity and access standpoint, suspicious activity may include users logging on at strange hours or from strange locations (a sign that their credentials may have been stolen by cybercriminals) or signs of credential stuffing, where cybercriminals try multiple username and password combinations in rapid succession in the hopes that one pairing will grant access.
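The two signals described above can be checked directly against authentication logs. The following is an added example, not code from the original article: the log format, the 60-second window, the five-account threshold and the 07:00 to 19:00 business hours are all assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts src user ok")

# Constructed sample log. Assumed format: ISO timestamp, source IP, user, result.
SAMPLE_LOG = """\
2024-03-04T09:12:01 192.0.2.10 alice OK
2024-03-04T09:15:40 192.0.2.11 bob FAIL
2024-03-04T09:15:52 192.0.2.11 bob OK
2024-03-04T14:02:00 203.0.113.50 alice FAIL
2024-03-04T14:02:03 203.0.113.50 bob FAIL
2024-03-04T14:02:05 203.0.113.50 carol FAIL
2024-03-04T14:02:09 203.0.113.50 dave FAIL
2024-03-04T14:02:12 203.0.113.50 erin FAIL
2024-03-04T14:02:15 203.0.113.50 frank OK
2024-03-05T03:27:44 198.51.100.23 carol OK
"""


def parse_log(text):
    """Parse log lines into Events, skipping malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append(Event(ts, parts[1], parts[2], parts[3] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def find_credential_stuffing(events, window=timedelta(seconds=60), min_users=5):
    """Flag sources whose failed logins hit min_users distinct accounts in one window.

    A user mistyping a password fails repeatedly on ONE account; stuffing
    fails across MANY accounts from the same source in rapid succession.
    """
    recent = defaultdict(deque)  # source -> failed events inside the window
    flagged = {}
    for e in events:
        if e.ok:
            continue
        q = recent[e.src]
        q.append(e)
        while e.ts - q[0].ts > window:  # drop failures older than the window
            q.popleft()
        users = {x.user for x in q}
        if len(users) >= min_users:
            flagged.setdefault(e.src, set()).update(users)
    return {src: sorted(users) for src, users in flagged.items()}


def successes_from(events, sources):
    """Accounts that logged in successfully from a flagged source.

    These are the pairings that worked and need an immediate password reset.
    """
    return [e.user for e in events if e.ok and e.src in sources]


def find_off_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed business hours."""
    return [(e.user, e.src) for e in events
            if e.ok and not (start_hour <= e.ts.hour < end_hour)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    stuffing = find_credential_stuffing(evts)
    print("stuffing sources:", stuffing)
    print("compromised accounts:", successes_from(evts, stuffing))
    print("off-hours logins:", find_off_hours_logins(evts))
```

The per-source window is the simplest version of this check; attempts spread across many source addresses need the same count keyed on a different field, such as user agent or target account.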
Not Everyone Needs to Access Everything
Some areas of your network are bound to contain more sensitive systems and data than others. As such, these areas, such as financial records, should be afforded extra protection. While your network likely already has a firewall around its perimeter, you should consider installing internal firewalls around critical or sensitive systems as a second line of defense if your perimeter is breached.
The Importance of Strong Password Guidelines
Choosing a strong, hard-to-guess password is a simple step all users can take to improve your cybersecurity posture. To help ensure all users are choosing good passwords, you should be enforcing password best practices. NIST (the National Institute of Standards and Technology) offers comprehensive guidelines on choosing secure passwords in section 5.1.1.1 (Memorized Secret Authenticators) of their Digital Identity Guidelines document.
The Benefits of Password Managers
The best passwords are long and truly random, unlikely to be guessed by anyone in a reasonable amount of time. However, long random passwords are also a pain to memorize, encouraging users to write them down or otherwise store them insecurely, defeating their purpose.
To help ensure users are choosing strong passwords, you may want to consider using a password manager. A password manager works like a book of passwords where only the user has the master key. Passwords within the manager can be randomly generated, and many password managers will flag reused passwords so that users know the password they are using isn’t unique and needs to be updated.
The Power of MFA
Physical devices such as computers and smartphones can be stolen or lost, and passwords can be compromised, which is why many organizations and individuals are turning to MFA. MFA (multi-factor authentication, also called two-factor authentication) pairs a strong password with a second form of identification, such as a hardware element or text message confirmation.
When a user enters their username and password, the system sends them a push notification, often to their smartphone. The push is generated by the MFA app, and the user must acknowledge the push (either by clicking on a link in the message or entering a randomly generated temporary code on the login page) before they are granted access to the network.
Make Sure You Have Offboarding Procedures in Place
While many organizations invest a lot in their onboarding processes to ensure new hires are set up for success, not all organizations invest in offboarding processes. Making sure you have policies and procedures in place for revoking credentials from former employees is vital for good cybersecurity.
Former employees and cybercriminals alike may act unscrupulously and use their old credentials to gain access to the system. If cybercriminals are successful, their unauthorized access may go unnoticed for a while since the former employee is no longer monitoring their old account.
Offboarding is also a good policy to have regarding your personal data. Make sure you are completely aware of any other parties that have access to any personal accounts, including bank accounts or even your Netflix account, and know how to have their access removed should the need arise.
Consider a Zero Trust Approach
Zero Trust Security is exactly what it sounds like: Don’t trust any user until they are verified. Like current best practices, traditional cybersecurity approaches included strong perimeter security, such as firewalls. However, one of this model’s main failings was that if an unauthorized user was able to breach the perimeter, there was little to no internal security to prevent them from accessing sensitive areas of the network.
Zero Trust Security rests on the belief that trust should never be automatically granted either outside or inside a network’s perimeter. All users must verify their identity every time they try to move around the network. This way, even if the perimeter is breached, unauthorized users can be more easily contained to the network’s less sensitive areas.
Cybersecurity is everyone’s business, from the intern in the mailroom all the way up to the CEO, and this idea has spread beyond the workplace and into the home. To help ensure your cybersecurity posture as a business is as strong as possible, you should be:
reviewing your policies regularly
including cybersecurity in your onboarding process for new employees
offering frequent refresher training for all employees
On a personal and workplace front, you should make sure that you, your family members, and your co-workers all understand the importance of good cybersecurity and why each policy and procedure is in place.
If you could use a refresher, we have included a list of articles for your review below. If you have any questions about cybersecurity or could use some expert advice, please contact our experienced team.
We do so many things on our smartphones: We stay in touch with friends and colleagues, we do our banking, we look for work, and so much more. Unfortunately, while phones have made it easier than ever to go about our everyday lives, they also offer another way hackers can reach us by gaining access to our money and private files. While hacking may look different than it did when home computers first became commonplace, some old school tactics are still in use alongside the new and insidious approaches hackers use to gain unauthorized access to our devices. Even if you are pretty tech-savvy, you may be inadvertently exposing yourself to risk.
Ransomware attacks aren’t limited to desktops and laptops. A ransomware attack could paralyze your phone, keep you from accessing critical files, and allow unauthorized users to access sensitive personal data. The basic anatomy of a ransomware attack involves hackers tricking users into downloading malicious software (malware), which they use to take control of the device and lock users out. The hacker then threatens to delete critical files or release private information unless the user agrees to pay the ransom. While some users may be tempted, paying the ransom doesn’t guarantee you will regain control of your device or your data.
While phone calls may seem old fashioned to some people, the truth is we talk about a lot on the phone. Even if you don’t use your phone to stay in touch with loved ones or discuss sensitive business information with colleagues or clients, you may have to call your bank or the government to access services. During calls with your bank, you will likely discuss your banking details, and calls to the government will inevitably require answering verification questions and confirming your social security number.
Blackmail is nothing new, but the tiny computers we carry around in our pockets contain more personal information than our desktops and laptops do, making them tempting targets for hackers.
A typical blackmailing hack may go something like this: The hacker obtains some personal information on the victim that is already available on the black market, likely as a result of a previous, unrelated breach. They use this information to trick the victim’s phone company into believing they are the user and convince the company to transfer the victim’s number to a new phone owned by the hacker. When phone companies transfer numbers, they often transfer all the information on the old phone as well, which hackers can then use to blackmail their victims. In order to regain access to their personal files, victims may feel pressured to give in to the hacker’s demands or pay a ransom.
To Mine Cryptocurrency
Any computing device, including smartphones, can be hijacked by hackers and used to mine cryptocurrencies such as Bitcoin. This attack is referred to as cryptojacking. For more information on cryptojacking, and what steps you can take to safeguard yourself, please read our blog post Cryptojacking: Because Every Currency Needs to Be Protected.
To Gain Access to Your Company
Even if hackers target your phone, you may not be their primary target. A large percentage of office workers are currently working from home, which means many of us may be using our personal smartphones for business purposes. While working in a BYOD (bring your own device) environment exposes companies to risk, providing work laptops and work smartphones for every employee may be cost-prohibitive. Fortunately, there are steps companies and workers can take to safeguard their devices and the company network. For more information, please read our blog post, Keeping Your Network Secure in a Bring Your Own Device World.
Cybersecurity Steps You Can Take to Protect Yourself
Stay Away From Third-Party App Stores
One of the easiest things you can do to protect yourself is to avoid third-party app stores; only download apps from trusted sources such as the Apple app store or the Android app store. However, hackers and other malicious actors have been able to penetrate these platforms as well, and some rogue apps have slipped through, so while this rule will reduce your odds of downloading a malicious app, it doesn’t completely eliminate risk.
Keep an Eye on Your Settings
Checking your phone’s settings can help you spot suspicious behavior. If your phone seems to be chewing through its battery more quickly than usual or appears to be running more apps than you currently have open, it may indicate a hacker has downloaded and is running a malicious app on your device without your knowledge.
Wait Before You Download
While you may be tempted to download that shiny new app as soon as it launches, waiting can help you ensure that new apps are free of serious security flaws. Waiting also gives developers a chance to issue patches to address any issues that do come to light.
When in Doubt, Don’t Click
Whether you are using your smartphone, desktop, or laptop, if you:
COVID-19 has had a profound effect on our society, affecting our health, our work, and our overall well-being. Proximity tracing aims to help track the spread of this virus and use this information to limit future infections.
What is Contact Tracing?
Contact tracing, also called proximity tracing, is, at its core, detective work. Trained medical professionals interview individuals who have contracted a contagious disease to determine who they have recently been in contact with.
This information is used to inform individuals who may have been exposed so they can take steps to prevent the disease from spreading further. In some cases, such as COVID-19, this involves going into isolation. Contact tracing also provides medical professionals with information on how different diseases are spread, which they can use to help the general population flatten the curve using measures such as social distancing.
Contact tracing has been successfully used before to help curb infection rates during the 2003 SARS outbreak and the Ebola outbreak of 2014. It has also been used to track other diseases such as tuberculosis.
Why Contact Tracing Apps Are So Important
Though medical professionals have been using contact tracing for years, COVID-19 has put a spotlight on this important medical investigative tool. To help flatten the curve, Apple and Google are working together to create a cross-compatible contact tracing app.
An app would allow contact tracing to happen automatically, which means that medical professionals would no longer need to conduct lengthy interviews and contact each potentially infected individual.
This app, and other apps like it, trace contact automatically by recording when two people are close enough to one another for a long enough period of time that there is a significant risk a contagion (such as COVID-19) could pass from one person to the other.
This information is securely stored for a set period and used to alert individuals if they were in close contact with someone who has now tested positive so they can take appropriate steps.
Mitigating Potential Privacy Concerns
Tracking people, even if it is for the benefit of public health, raises privacy concerns. To protect user identities, these apps don’t rely on GPS data or other personal information and don’t reveal any identifying details. Instead, the app simply tells the user that they have had contact recently with someone who has now tested positive and should take precautions such as getting tested and self-isolating.
How Contact Tracing Apps Work
The apps work like this: once you download the app (and ensure your Bluetooth is turned on), the phone sends out a message with pseudorandom gibberish every few minutes. This information is picked up by other phones nearby that also have the same app or a compatible app installed. The pseudorandom nature of these messages means they don’t use GPS and don’t contain any personal information that could be used to identify the user specifically.
So, how can the app trace contact if it doesn’t have access to any identifying details or GPS information? The phone both sends out messages and listens for messages from nearby phones. If 2 phones with the same app, or compatible apps, stay close to each other long enough for possible transmission to occur, they exchange their respective strings of gibberish.
Each phone then remembers all of the messages it sent and received within a set period (such as 2 weeks). Then, if one user gets sick and tests positive for COVID-19, they can tell their phone to check its sent and received messages against a hospital or other health authority database.
The database then uploads and stores all of the gibberish messages from the infected person’s phone. Other users’ phones check their own received messages periodically against this database. If the same gibberish message is found in both the database and a user’s list of received messages, then the app knows the user may have been exposed to the virus. The app then alerts the user, who can then self-quarantine to prevent further spread.
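The exchange described above can be modelled in a few lines. This is an added example, not code from the original article or from any real tracing app: it is a simplified model in which tokens are only recorded once contact has lasted long enough, the 15-minute exposure threshold is an assumption (the article gives no figure), and all class and function names are hypothetical.

```python
import secrets
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)        # "a set period (such as 2 weeks)"
MIN_EXPOSURE = timedelta(minutes=15)  # assumed threshold, not from the article


class HealthAuthorityDB:
    """Holds only the random tokens of users who tested positive."""

    def __init__(self):
        self.tokens = set()

    def publish(self, tokens):
        self.tokens.update(tokens)


class Phone:
    def __init__(self):
        self.sent = {}      # token -> time it was broadcast
        self.received = {}  # token -> time it was heard

    def broadcast(self, now):
        # A fresh random token each time: no name, number or location inside.
        token = secrets.token_hex(16)
        self.sent[token] = now
        return token

    def hear(self, token, now):
        self.received[token] = now

    def prune(self, now):
        """Forget anything older than the retention period."""
        cutoff = now - RETENTION
        self.sent = {t: ts for t, ts in self.sent.items() if ts >= cutoff}
        self.received = {t: ts for t, ts in self.received.items() if ts >= cutoff}

    def report_positive(self, db, now):
        """User tested positive: upload the tokens this phone sent."""
        self.prune(now)
        db.publish(self.sent)

    def check_exposure(self, db, now):
        """Return the times of contacts whose token appears in the database."""
        self.prune(now)
        return sorted(ts for t, ts in self.received.items() if t in db.tokens)


def encounter(a, b, start, duration):
    """Two phones in range; tokens are kept only if contact lasted long enough."""
    if duration < MIN_EXPOSURE:
        return False
    token_a, token_b = a.broadcast(start), b.broadcast(start)
    a.hear(token_b, start)
    b.hear(token_a, start)
    return True


def run_scenario():
    """Constructed scenario: one real contact, one pass-by, one stale contact."""
    t0 = datetime(2020, 5, 1, 9, 0)
    alice, bob, carol, dave = Phone(), Phone(), Phone(), Phone()
    db = HealthAuthorityDB()
    encounter(alice, dave, t0 - timedelta(days=20), timedelta(minutes=45))
    encounter(alice, bob, t0, timedelta(minutes=30))
    encounter(alice, carol, t0 + timedelta(days=1), timedelta(minutes=2))
    test_day = t0 + timedelta(days=3)
    alice.report_positive(db, test_day)
    return {
        "bob": bool(bob.check_exposure(db, test_day)),      # long, recent contact
        "carol": bool(carol.check_exposure(db, test_day)),  # too brief to count
        "dave": bool(dave.check_exposure(db, test_day)),    # outside retention
        "db_size": len(db.tokens),
        "db_is_opaque": all(len(t) == 32 for t in db.tokens),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The matching happens on each phone, so the health authority's database never learns who was near whom; it only ever stores random tokens.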
What if Not Everyone Has the App?
The more people who use compatible tracing apps, the better, since that means more potentially infected but asymptomatic people can be warned and self-isolate before infecting others.
Infectious disease epidemiologist Christophe Fraser and his colleagues at the University of Oxford have predicted how using an app could help stem the spread of the virus. Their model found that if about 56% of the population (or about 80% of all smartphone users) used either the same app or compatible apps, the rate of infection would go from a reproduction number (R0) of 3 (roughly where it was at the beginning of the epidemic) to less than 1 (which is well below the necessary threshold for containing the outbreak).
The Oxford team’s model is based on several assumptions that need to be taken into account:
It ignores the use of widespread social distancing rules, which have had a large hand in reducing infections even without contact tracing.
It assumes that individuals over 70 continue to self-isolate, severely limiting their chances of getting infected or spreading the disease.
It assumes that traditional contact tracing measures are not being used in tandem with the app.
However, if even a few users download compatible tracing apps, infection rates go down. And as usage rates increase, infection rates will decrease.
What Should I Expect When I Return to Work?
Post COVID-19 workplaces will likely look very different from what we are used to, and will likely adopt many of the safety measures essential businesses have already put in place.
Contact tracing will likely become standard practice, with organizations insisting their employees either use approved contact tracing apps or other methods of electronic contact tracing and share the collected data with their employer.
Good contact tracing methods will be valuable both to track the potential spread of infection between employees as well as the spread of infection from employees to visitors or customers or vice versa.
Working from Home Becomes the Norm
Many organizations will rethink the need for employees to come to the office every day. They may begin by asking employees to self-isolate at home for 14 days if they have had contact with an infected person within the last 2 weeks or have recently traveled outside the country.
Companies may also encourage employees to work from home whenever possible. This will reduce the number of people in an individual workplace on any given day and will likely reduce the demand for office space.
Increased Safety Measures
Temperature checks at the beginning of shifts will likely become the norm, and individuals with fevers will likely be sent home or otherwise denied entry to the building. Organizations that work with the public, such as retail stores, may also prohibit customers from entering if they have a fever.
Employees may also be required to wear PPE (such as facemasks) either at all times or when social distancing isn’t possible (such as when riding the elevator). Employers will have to either provide workers with PPE or set guidelines to ensure that the PPE employees bring from home offers adequate protection.
Facilitating Social Distancing
Social distancing is likely here to stay. Workplaces may adopt electronic social distancing practices, like the social distancing necklaces used by one Italian museum. Necklaces, bracelets, lanyards, or other wearable social distancing devices will buzz, flash, or emit a noise when 2 wearers get too close to one another.
How we move about our workplaces will also likely change as employers may also choose to designate set entrances and exits and make hallways one way to better facilitate social distancing.
Rethinking the 9 to 5 Workday
In workplaces where working from home isn’t an option, or isn’t an option for everyone, employers will likely choose to stagger shifts to limit the number of individuals in the workplace at one time.
Changing Workplace Layouts
What the workplace looks like will also change. Employers may rearrange workstations to ensure their workers can safely practice social distancing. This will likely include ensuring workers remain 6 feet apart, moving away from open-plan offices, and potentially limiting the number of employees in the building at one time.
Common areas, such as lunchrooms, will likely be reimagined or closed entirely. Spacing tables farther apart, staggering breaks, and increased cleaning between breaks will all likely be required to ensure these common areas can be appropriately sanitized, and employees can sufficiently social distance.
Workplaces in the post-COVID-19 era will likely look very different than they did just a few short months ago. Even once a vaccine is developed and made widely available, how we trace and fight disease will be forever changed as apps make it easier than ever to trace contact between infected individuals and potentially infected people.
The inability to access medical records, lost productivity as systems are down, and money paid to cybercriminals all have a real impact on the health and wellbeing of patients. One famous healthcare-focused cyberattack, the 2019 ransomware attack on the Grays Harbor Community Hospital and Harbor Medical Group, forced the hospital and the medical group’s clinics to revert to paper medical records and affected backups. Though most records were recovered, it still isn’t clear if some medical records were permanently lost.
A breach can also damage the relationship between the patient and their doctor, as many patients may avoid seeking medical help if they are worried cybercriminals or other unauthorized users may access their private medical information. These emotional consequences can seriously damage the health and wellbeing of patients and make it more difficult for doctors to rebuild patient trust and ensure their patients are getting the care they need.
The Cost to Medical Science
Depending on the nature of the breach, valuable research data and intellectual property may be damaged or lost, which can delay research into life-saving treatments. That sort of research is invaluable, and its loss can have devastating consequences for the health and wellbeing of potentially millions of people.
The Unique Challenges of Healthcare-Focused Cybersecurity
Research has shown that the healthcare industry is a prime target for medical information theft at least in part because it lags behind other industries in securing its vital data. So why does this industry, whose assets are crucial to human health and wellbeing, lag so far behind?
To begin with, so much of what hospitals do relies on the internet, from patient test results and medical records to the various machines and technologies used to provide patient care. While this interconnectedness is excellent for data integration, patient engagement, and clinical support, it also means that a ransomware or other attack can spread quickly between vital systems, accessing patient data and other highly sensitive information, hijacking medical equipment to mine cryptocurrencies, or shutting down entire hospitals or hospital networks until a ransom is paid.
Not All Software Can be Patched
One of the unique challenges of healthcare is that there is a wide mix of equipment. While some equipment is cutting edge, many pieces of healthcare technology still in use were made by companies that are no longer in business or run on old software that has gaping security holes that can’t be patched. That means that even if vulnerabilities are known to exist (which isn’t always the case), there may not be a way to fix them.
The obvious answer would be to move away from outdated software and equipment with known vulnerabilities, but that is easier said than done. While a small or even medium-sized business could handle a temporary shutdown to migrate the entire network over, hospitals and other healthcare facilities don’t have that luxury: the entire system needs to be running 24/7/365.
Shutting down older equipment and transferring all of the data stored on the network can also be incredibly costly. The ability to patch and update software both extends the lifespan of current equipment and reduces costs.
Human Error Can Expose Patient Data
On the data privacy side of things, recent research from the JAMA found that most breaches in medical settings were triggered by unauthorized disclosures or employee error. When multiple shift doctors, nurses, and specialists need to be able to quickly and easily access sensitive employee data, it increases the odds of one person making a mistake that could leave this data vulnerable.
The Biggest Cybersecurity Threats to be Concerned About in 2020
Ransomware was a huge problem in 2019, particularly for healthcare providers, and it is likely only going to get worse. Unlike some other businesses, healthcare providers aren’t able to pause operations to try and get their files unencrypted to avoid paying the ransom. And while some businesses can carry on even if they are unable to recover a few encrypted files, sometimes even a single unrecoverable file, such as a patient’s electronic file or test results, can have disastrous consequences for the health and wellbeing of patients.
Electronic health records have made it significantly easier for both healthcare professionals and facilities to access patient files, though this system does come with special cybersecurity considerations.
Though there are already privacy laws in place to safeguard sensitive patient data, these laws were mostly written with people in mind, not software. That means that many of these systems remain vulnerable to exploitation by cybercriminals, since the software that many of these systems run on or interface with may have been written in a time before the IoT. Depending on when the software was written, the company may not be around to issue software updates and patches, and even if they are, the software may not be compatible with many necessary cybersecurity updates.
Hopefully, findings like the FDA report mentioned above will encourage the companies that design electronic health record systems to evaluate their software critically so that it can be modified to better safeguard patient data.
How Can Healthcare Organizations Improve their Cybersecurity Posture?
Every organization is different and has slightly different cybersecurity needs. As such, the first thing any organization should do is sit down with their MSSP to identify their cybersecurity needs and create robust yet flexible cybersecurity protocols.
Organizations should also work with their healthcare-focused MSSPs to identify credible threats and create tailored response plans to address those threats. These response plans should be designed to minimize or even eliminate damage to critical systems and help safeguard both vital infrastructure and sensitive data.
To help you get started, please review our blog post Cyber Hygiene 101: Basic Steps to Keep Your Company Secure.
The number of cyberattacks continues to rise every year, and industries that have traditionally been insulated are now more likely to be targeted than they were in the past. As smaller manufacturers aim to stay competitive, many are moving away from analog processes and going digital. While this can be a great way to increase productivity, it can also leave unprepared businesses vulnerable to cyberattacks.
Fortunately, there are a few things businesses can do to help improve their cybersecurity posture. This can include working with experts to evaluate their current defenses, addressing potential vulnerabilities, and investing in employee training.
There are a few steps you can take to improve your current security posture so you can fend off attacks. However, even the best cybersecurity defenses aren’t completely protected from vulnerabilities, so you should also have protocols in place so that all stakeholders (including management and employees) know how to respond if an incident occurs.
Evaluate Your Current Defenses
Before you can improve your current defense systems, you need to know what your current shortcomings are. A full audit can help you catalog your current defenses, but if you really want to figure out where your weak spots are, you may want to consider a pen test.
A pen (penetration) test involves hiring an ethical hacker to stress test your current defenses. They target your current defenses in an effort to break in and take detailed notes about what strategies they tried and how effective they were. Once the test is done, the ethical hacker sits down with you to review their findings and make suggestions.
Address Potential Vulnerabilities
Now that you know where your potential weak spots are, you can take steps to address them. Most small and medium-sized manufacturers don’t have the resources to support full-time in-house cybersecurity teams, which is why more businesses are choosing to outsource their cybersecurity.
By choosing to work with a cybersecurity company, you can enjoy 24/7/365 monitoring and support. Your cybersecurity experts can help you audit your current defenses, address potential vulnerabilities, create robust yet tailored incident response plans, and help with employee training.
Create Robust Incident Response Plans
It’s always good to have a backup plan. When it comes to cybersecurity, you should always have detailed, robust, and flexible incident response plans in place in case of a cybersecurity attack. These plans should cover potential incidents, identify how a potential threat is detected, and make sure every key player understands their role.
Keep Your Software Up to Date
Keeping your software up to date is one of the easiest steps you can take to help safeguard your company’s digital assets. Whenever a software company discovers a bug or vulnerability in their product, they release patches to fix the issue. However, companies can only take advantage of patches if they update their software.
Unpatched software is particularly vulnerable because software companies announce the patches, and the bugs or vulnerabilities they are designed to fix, which means that cybercriminals now know where to focus their hacking efforts.
Keep an Eye Out for Trouble
You can’t adequately protect your digital assets if you don’t know what threats are out there. Managed threat intelligence lets you keep an eye on your entire operation, alerts you to suspicious activities, and confirms threats quickly so they can be addressed.
Invest in Employee Training
Even the most robust and well-crafted cybersecurity plan is useless if it can’t be implemented effectively. Employees need to understand why cybersecurity is critical and what role they play in safeguarding the company’s digital assets. New employees should be provided with cybersecurity training as part of their onboarding process, and all employees can benefit from annual refresher training.
You may also want to consider running tabletop scenarios. Tabletop scenarios are similar to fire drills: They allow your team to practice responding to potential threats in a no-stakes environment. The facilitator poses a scenario, and your employees work together to address the situation and minimize or even avoid disruption and damage. Once the scenario is finished, your team sits down and reviews their findings, identifying gaps in your current protocols or employee knowledge so that they can be addressed.
Cybercriminals are increasingly targeting the manufacturing industry, and smaller manufacturers without robust cybersecurity protocols in place are particularly vulnerable. Investing in good cybersecurity is an investment in your business, and MSSP experts are here to help you every step of the way.
Fear is one of the most powerful motivators for action, if not the most powerful. It’s a profoundly primal instinct designed to protect us from harm by searing bad experiences into our memories so that we can avoid them in the future. Spam relies on the instinct of fear to get otherwise rational people to act irrationally. Many data engineers are actually trained on the tactics that scammers use to trick their victims into clicking on malware.
How is Spam Related to Fear?
Spam refers to any unsolicited and unwanted communication, usually email, that is sent out in bulk, and it accounts for 85% of all email sent and received globally on a given day. Though most spam aims to sell unproven, ineffective, and possibly dangerous products and services to gullible consumers, a small percentage aims higher.
These spam emails, such as phishing emails or emails carrying malicious links or attachments, usually use fear tactics to obtain usernames, passwords, or banking information from unsuspecting readers.
How Does Fear Make Spam Effective?
Fear makes us deeply uncomfortable and can override even our most rational instincts. Scammers and other cybercriminals know this, which is why they play on our fears to manipulate us into doing what they want.
How Spam Sparks Fear
Most of us strive to be good, so when even the most rational among us receive an email saying there was a billing error or that we owe unpaid taxes, our fear response kicks in. The same thing happens when we’re told our computer is infected with malicious software, or that we are suspected of being connected to some illegal activity and the police are on their way to arrest us unless we “click the following link.”
Even seemingly positive spam emails play on our fear of missing out. After all, if we aren’t willing to help a wealthy Nigerian prince gain access to his vast fortune, he will just ask someone else for help, and we will miss out on the generous reward. The same holds for spam emails selling a “miracle cure”: the prospect of missing out on it plays on the fear of poor health down the road.
All of these scenarios spark fear of consequences or fear of missing out, priming us to act.
Spam Positions Itself as the Solution
Once the scammer has frightened us, they swoop in and offer a solution. Often it’s something very simple and straightforward, such as clicking a link, downloading a file, or responding to the email with personal information. After all, it’s in the scammers’ best interest to make it as easy as possible for you to hand over your money or personal information.
Once the action is complete, the reader is compromised, and the scammer has all or most of the information they need to harm the reader, either by stealing money from their accounts or using their credentials for nefarious purposes.
The Anatomy of a Spam Email
The average spam email follows a fairly predictable format. The headline is usually phrased to invoke a sense of urgency and trigger our fear response (such as “Payment Declined – Immediate Update Required” or “Re: Claim Office”, which makes it look like someone is responding to an email you sent them). The email headline may also be worded to suggest that the reader is the one in the wrong (such as implying that a payment is past due, or that this is a final payment notice).
The Sender’s Address
The sender’s persona typically falls into one of two broad categories: They are pretending to be someone authoritative that you trust (such as an Apple employee who wants to help rectify your payment problem) or someone you know (like a co-worker who needs some information from you).
The Body of the Email
In the body of the email, the message of fear really takes root. The reader is typically told that something has gone wrong (or that a once-in-a-lifetime opportunity has presented itself) and that they need to take action to either fix the problem or reap the rewards. In the above examples, a declined payment will likely require the reader to input their “correct” or “updated” banking information so that the payment can be processed or their reward can be sent, or provide other personal information.
The scammer may even ask you to help them perpetuate the scam by having you respond to them and forward the email to your contacts. This not only gives them access to your bank account or other personal details but also makes their original email seem more legitimate to your friends or co-workers by having it come from someone they trust.
The Goal of Spam
The goal of most spam is to scare us into acting quickly by instilling a sense of urgency and triggering a fear response. This helps ensure that the reader acts before they have rationally considered the email, and asked themselves important questions such as who sent it, why they are sending it, and what risk they take in responding to the email.
How Can I Protect Myself Against Fear-Motivated Spam?
One of the easiest things you can do to help protect yourself from email spam is ensure that you have robust spam filters installed. These filters can prevent the most obvious spam from getting through to you or your employees.
Next, you should always take a close look at the sender. Is this someone you can trust? If you aren’t absolutely sure the sender is trustworthy, then you should reach out to them via a separate communication channel (such as calling your friend or contacting the company’s support line directly) to verify. This is particularly true for unsolicited emails or emails that are formatted so that they appear to be a response to an email sent by you.
Finally, you should evaluate each email carefully. Look for obvious red flags. These include:
Typos in the sender’s address, such as “[email protected]” (note the extra “p” in the domain name). However, DNS spoofing allows scammers to masquerade as legitimate companies, so make sure you look at the whole email address, not just the domain name.
The form of address. Does the sender address you by name, or simply call you “customer” or “friend”?
Embedded links with strange URLs. To assess a URL, hover over the text without clicking so that you can see the actual address. If the link appears suspicious, enter it into your browser directly instead of clicking on the embedded link. Spam emails often include spoofed links that are designed to look like they originate from reputable sources.
Bad spelling, grammatical errors, and typos. This may indicate that the writer has a poor grasp of English, or that the text was translated using a translating app such as Google Translate.
Suspicious attachments. If a suspicious email includes attachments, verify why they are there and what they contain when you contact the sender.
Offers that sound too bad (or too good) to be true. Apple isn’t going to brick your iPhone over a billing error, and even if that Nigerian prince is real, he has no reason to share his vast fortune with you just because you forwarded his chain email to all your friends and family members.
Spam doesn’t look like it is going anywhere soon, so we need to take steps to safeguard ourselves and our businesses from cybercriminals. Learning to identify spam can help, and remember: when in doubt, don’t click.