Security Awareness

Unveiling the Shadows: How Cyber Criminals Steal Your Passwords 

A Digital Nightmare: Lisa’s Unwanted Exposure

Lisa, a graphic designer with a knack for creativity, lived much of her life online. She managed her banking, shopping, and social interactions through various apps and websites. One day, she noticed some strange withdrawals from her bank account — items she’d never bought from stores she’d never visited. Her social media accounts then began posting spam messages promoting odd products and services, and friends reported receiving unusual emails from her.

Panic set in as Lisa realized she had lost control over her digital identity. Her personal photos were leaked, and private conversations were exposed. Clients began to question her reliability, and her reputation took a hit. After consulting with cybersecurity experts, Lisa discovered that her passwords had been compromised. Cybercriminals had gained access to her most sensitive accounts, unraveling her digital world piece by piece. The question lingered: How did this happen?

The Underhanded Tactics of Cybercriminals: Five Common Methods

Cyber threat actors employ a variety of techniques to harvest passwords. Here are five common ways they could obtain yours, as they did Lisa’s:

1. Social Engineering Attacks

Social Engineering is where attackers masquerade as someone or something you know or trust, and they trick you into doing something you should not do. They send emails or messages that appear legitimate, often creating a strong sense of urgency, fear, or curiosity.

How It Happened: Lisa received an email that looked like it was from her bank, complete with official logos and branding. The email claimed there was suspicious activity on her account and urged her to click a link to verify her identity. The link led to a fake website that captured her login credentials when she entered them.

2. Malware

Malware is malicious software designed to infect computers. Once infected, cyber criminals can do whatever they want. Keyloggers (sometimes called information stealers) are a type of malware that record every keystroke made on a device, including your login, passwords, and other sensitive data.

How It Happened: Lisa downloaded what she thought was a legitimate font package for her design work. Hidden within was a keylogger that installed itself on her computer. Over time, it recorded her login details for various accounts and sent them back to the attacker.

3. Brute Force Attacks

In brute force attacks, cybercriminals use automated tools to try numerous password combinations until they guess the correct one. Weak passwords are especially vulnerable to this method.

How It Happened: Lisa used simple passwords like "lisa2020" for many of her accounts. Attackers used software that systematically tried common passwords and easily cracked her accounts.

4. Data Breaches

When a website or service gets hacked, every account stored on that server can be affected. If someone uses the same password for multiple accounts, then once that password is compromised for one account, it can be used to access the victim’s other accounts as well.

How It Happened: A popular social media platform Lisa used experienced a data breach. Since she used the same password elsewhere, attackers accessed her other accounts using the leaked credentials.

5. Purchased Credentials

Cyber criminals can simply buy your passwords on the internet, often on the Dark Web. Certain cyber criminals specialize in stealing victims’ passwords, using any of the methods we discussed so far. They then store and sell the stolen passwords to other cyber criminals.

How It Happened: A cybercriminal decided they wanted to make as much money as possible over the weekend, so they went to the Dark Web and purchased over 100,000 compromised accounts with their full passwords. One of Lisa’s accounts was on that list.

Three Key Steps You Can Take

Fortunately, by taking three simple steps, you can go a long way toward protecting your accounts and your online, digital life.

  • Use a long, unique password for each of your accounts. We recommend passphrases, which are long passwords made up of multiple words.
  • Use a password manager to securely store and manage all those passwords for you.
  • Enable Multi-Factor Authentication (MFA) whenever possible for your most important online accounts.


Used with permission: Unveiling the Shadows: How Cyber Criminals Steal Your Passwords. The Monthly Security Awareness Newsletter for You OUCH! December 2024 © SANS Institute 2024 www.sans.org/security-awareness

Don’t Let Cybercriminals Swipe Your Savings: Lock Down Your Financial Accounts!  

A Slick Scam and an Empty Bank Account


Emily was having a typical busy Tuesday. She grabbed her morning coffee, glanced at her phone, and noticed a text from her bank: “Did you make this transaction? Reply YES or NO.” She frowned. She hadn’t made any purchases yet that day. Maybe it was just a glitch.


She replied “NO,” and within minutes, a call came in. It was a woman claiming to be from her bank’s fraud department, speaking in a calm, professional tone. “We’ve detected unusual activity on your account. To secure it, we need to verify some details.” Emily, still groggy from sleep, complied. The caller walked Emily through a series of steps, asking for her online banking password and even guiding her to approve a notification on her phone. “This will block the hacker’s access,” the woman assured her. Emily followed along, not realizing she was falling into a trap.


Hours later, Emily’s phone buzzed again. This time it was a notification: $5,000 had been withdrawn from her savings account. Panicked, she logged into her bank app, but it was too late. The app wouldn’t accept her password. Her account was locked out. Then she saw another withdrawal happen, and another.


In a flash, Emily understood. The “fraud department” call was a setup, a well-orchestrated attack by a cybercriminal who now had full control of her account. Emily quickly called her bank hoping she could save her bank account in time.


Why You Need to Protect Your Financial Accounts


Our online financial accounts—checking, savings, and investment accounts—hold more than just money; they represent years of hard work, future plans, and financial stability. Cybercriminals are constantly on the lookout for opportunities to get access to your money, and one mistake can lead to significant financial loss. If you think a simple password is going to keep these criminals out, think again.


Today’s cybercriminals are smart, sneaky, and relentless. It's crucial to be proactive in securing your financial accounts. Not only will this help prevent unauthorized access, but it will also provide you peace of mind knowing that your hard-earned money is safe.


Five Steps to Slam the Door on Cybercriminals


  1. Turn On Multi-Factor Authentication (MFA) Right Now: Multi-Factor Authentication adds an extra layer of security to your online accounts by requiring you to verify your identity through two or more methods—something you know (password), something you have (smartphone or hardware token), or something you are (fingerprint or facial recognition). Even if a cybercriminal gains access to your password, they will still need the second factor to access your account. Always opt for MFA wherever available, especially for financial accounts.
  2. Use Strong, Unique Passwords: Create strong, unique passwords for every account. The longer your password and the more characters it has, the better. One idea is to use a passphrase, that is, a password made up of multiple words. Not a memory whiz? No problem. Use a password manager to help you generate and keep track of all of those long, unique passwords.
  3. Scams Are Constant—Don’t Fall for Them: One of the easiest ways for cyber attackers to gain access to your accounts is to ask you. They create emails, text messages, or even phone calls that look or sound like they are from your bank or financial institution. Always verify the source before clicking on links, downloading attachments, or responding to messages or phone calls. The greater the sense of urgency, the more likely the email, message, or phone call is an attack. The best way to protect yourself is to go directly to your bank’s official website by typing the address into your browser, or to call your bank or financial institution back using a trusted phone number.
  4. Get Obsessed with Monitoring Your Accounts: Make it a habit to frequently check your financial accounts for any unusual transactions. Even better, most financial institutions offer automated alerts for large withdrawals or suspicious activity. Setting up automated alerts can help you catch fraudulent transactions early and take swift action to minimize damage. If something doesn’t look right, don’t wait—take action right away.
  5. Keep Your Devices Locked Down Tight: Your phone, laptop, and tablet are like vaults to your financial world. Keep them secure with a strong screen lock and the latest software updates; we recommend enabling automatic updating.

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! November 2024 © SANS Institute 2024 www.sans.org/security-awareness

Danger Download: How to Outwit Malicious Mobile Apps 

The Mysterious App: A Short Cautionary Tale

One lazy Sunday while on social media, Sarah stumbled upon an ad for a new photo editing app, ‘PiksPerfect.’ Intrigued by its stunning filters, she downloaded it without hesitation. At first, the app worked great, but soon her phone became sluggish, and random ads began popping up. A few days later, Sarah received a call from her bank about suspicious transactions totaling thousands of dollars. In a panic, she checked her bank app and found her savings nearly wiped out. After reporting the fraud and freezing her account, she was left confused and upset. Her tech-savvy friend discovered the truth: the mobile app was a fake, stealing her personal information, including banking details. It took months to recover, but Sarah became more cautious, researching mobile apps before installing them. She now shares her story to warn others, understanding that a moment of carelessness can have far-reaching consequences.


How Do I Know What Apps are Safe?

Mobile apps are convenient and powerful, enabling us to do just about everything in our lives with the touch of a button. However, cybercriminals are taking advantage of this by creating fake or malicious mobile apps. If you download one of these apps, they can take over your phone and monitor everything you do. The key to protecting yourself is making sure the mobile apps you install on your devices are legitimate and safe. First and foremost, download mobile apps only from official stores where vendors review the mobile apps, such as the Apple App Store or Google Play Store. This helps reduce the risk of downloading a bad mobile app. Third-party app stores often cannot be trusted and may even be managed by cybercriminals. But even when using a trusted mobile app store, you have to be careful. Here are some additional steps you can take to ensure you are downloading legitimate, safe mobile apps.


  1. Check the Developer’s Name: When looking for a specific mobile app created by a certain company, make sure the app you are downloading is made by that company. A common trick for scammers is to create mobile apps that look very similar to well-known apps. Check the developer’s name—is it the same company or a well-known developer, or is the app developed by someone you have never heard of? Another option is to visit the official website of the app or developer to find direct links to the mobile app in the app store. This ensures you're downloading the official app.
  2. Read Reviews and Ratings: Look at user reviews and ratings. A legitimate app will have a significant number of positive reviews and high ratings. Be wary of apps with few reviews, many negative reviews, or overly positive reviews that sound fake.
  3. Examine the Number of Downloads: Legitimate apps typically have a high number of downloads. An app with a low download count could be a red flag.
  4. Examine Permissions: Review the permissions the app requests before downloading. Legitimate apps will only request permissions necessary for their functionality. Be wary of apps requesting excessive or irrelevant permissions. For example, does the app really need access to your contacts or to always know your location?
  5. Check for Regular Updates: Legitimate apps are regularly updated to fix bugs and improve performance. Check the app’s update history to ensure it receives frequent updates.
  6. Be Cautious with New Apps: New apps with no reviews or ratings should be approached with caution. If the app is legitimate, it will likely gain positive reviews and ratings over time.


Once you download a mobile app, enable automatic updating. New mistakes and vulnerabilities are constantly found in the code and configurations of mobile apps. By always ensuring you are running the latest version of your mobile apps, you can be sure those vulnerabilities are fixed and you have the latest security features. Also, if you are no longer using a mobile app, delete it from your phone.

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! October 2024 © SANS Institute 2023 www.sans.org/security-awareness

Phantom Voices: Defend Against Voice Cloning Attacks 

The Unexpected Call: A Story of Deception

Margaret, a retired teacher, enjoyed her peaceful mornings in her small suburban home. One day, as she was enjoying her morning coffee, she received a frantic call from her grandson, Jacob, who was away at college. His voice was filled with panic as he explained that he had been in a car accident and needed money urgently to pay for the damages and avoid legal trouble. If he did not get the money right away, he could end up in jail. The voice on the other end was unmistakably Jacob’s, and Margaret’s heart raced with worry. Without questioning, she rushed to her bank and wired money to the account Jacob provided. It wasn’t until Margaret called Jacob’s mother later that day to ask how Jacob was doing that she learned she had been scammed. The call had been a cruel trick: a cybercriminal had used Artificial Intelligence (AI) voice cloning technology to mimic Jacob’s voice, exploiting Margaret’s love and concern for her grandson.


What is Voice Cloning?

Voice cloning is when someone uses AI to recreate a person's voice, including their voice patterns, intonations, and speech rhythms, creating a near-perfect replica. A voice cloning attack begins with a cybercriminal collecting audio samples of the target's voice. These samples can be harvested from various sources such as videos on YouTube or personal posts on TikTok. After training on the recorded audio, the AI generates new audio that sounds like the target. This generated voice can be used in various ways, from phone calls to voice messages, making it a potent tool for deception. When creating voice cloning attacks, cyber attackers often do their research first. Most of the information they need is publicly available on social media sites. They study both the person whose voice they are going to replicate and the victim they are going to call. Cybercriminals not only learn who their victims know and trust, but also which emotional triggers are the most effective. When making these phone calls, cyber attackers often modify their Caller ID, so when victims look at their phones, the call appears to come from a number they trust. Caller ID can be easily spoofed and is not a good way to validate or authenticate people who call you.


Protect Yourself

The first step to protecting yourself is just being aware that voice cloning is now possible and becoming easier for cyber-attackers to do. Some steps you can take to protect yourself include:


  • Privacy: Be aware of and limit the information you share with others and restrict who can access recordings of you on social media.
  • Clues: Be on the lookout for common indicators that something is wrong. Whenever someone calls you with a tremendous sense of urgency or is pressuring you to act right away, it is most likely a scam. The greater the sense of urgency, such as demanding money right away, the more likely someone is trying to rush you into making a mistake. Other common indicators include something that is too good to be true (no, you did not win the lottery) or an unexpected call that just seems odd.
  • Verify: If you are not sure whether a phone call is legitimate, hang up and call the individual back on a trusted phone number. For example, if you get a phone call from a senior executive or co-worker in your company, call them back on a trusted phone number that you know is truly theirs. If you get an odd phone call from a family member, try calling them back (perhaps even by video call) or call another family member who knows them well.
  • Passcode: Create a secret passphrase or passcode that only you and your family know. That way, if you get an odd phone call that seems to be from a family member, you can validate whether it's them by checking if they know your secret passcode.

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! September 2024 © SANS Institute 2023 www.sans.org/security-awareness


Guard Your Heart (and Wallet) Against Romance Scams 

Sarah was a kind, intelligent accountant nearing retirement. Widowed for several years, she felt a pang of loneliness that online dating profiles promised to soothe. Scrolling through pictures, she stumbled upon David, a charming architect supposedly working abroad. Their messages blossomed into daily conversations. David showered Sarah with compliments, his words painting a picture of a soulmate yearning for connection. Weeks turned into months, filled with virtual dates and shared dreams. Sarah, swept off her feet, readily confided in David about her dreams and finances, including a nest egg she'd meticulously saved for retirement.


Then came the "hardship." David, claiming a stolen passport while on a business trip, desperately needed money for a replacement. Blinded by love and trust, Sarah, despite initial hesitation, wired him a significant sum. This became a recurring pattern: fabricated emergencies or business opportunities followed by a financial plea. Trusting David completely, Sarah emptied her savings, even taking out loans, convinced she was helping the man she loved. Reality struck when David, after one final, exorbitant request, vanished completely. Devastated and heartbroken, Sarah not only faced financial ruin but the crushing betrayal of a love that never existed.


What Are Romance Scams

Romance scams are a cruel form of deception where criminals exploit the desire for love and connection while gaining the affection and trust of the victim. They craft online personas, often using stolen pictures and profiles, to build a facade of affection. Their goal? To manipulate victims into parting with money or sensitive information. Preying on emotions, they create a strong bond, making it easier to exploit people. The emotional investment makes it harder for victims to recognize or admit the scam, leading to devastating financial and personal consequences.


The two most common ways scammers find their victims are by creating a fake persona to meet people on dating apps or by randomly texting people and starting conversations. Have you ever received an odd text message simply saying “Hi” or that looks like a message sent to the wrong person? These are romance scammers trying to start up conversations with lonely people.

Spotting and Stopping Romance Scams

  • Too Good to Be True: If someone seems like the perfect match quickly and the relationship progresses rapidly, it might be a red flag. Scammers often create ideal profiles to lure in victims.
  • Love at Lightning Speed: Scammers express deep feelings and propose a serious commitment very early into the interaction to catch their victims off guard. Genuine connections take time to develop. Beware of whirlwind romances and professions of love that seem unrealistic.
  • Never Able to Meet: Often citing living overseas or being in the military, scammers usually have elaborate excuses for why they cannot meet in person.
  • Requests for Money: A telltale sign of a romance scam is when the person you are communicating with asks for money, especially under the pretext of emergencies, travel expenses, medical bills, or visas. Never send money or financial information to someone you haven't met in person.
  • Avoidance of Video Calls: Scammers usually avoid video calls or repeatedly cancel virtual meetings at the last minute. They might use fake or stolen photos and want to avoid being identified.
  • Secrecy and Isolation: The scammer may attempt to isolate you from friends and family or discourage you from discussing the details of the relationship, fearing that others might offer warnings against the scam. Don't be afraid to confide in loved ones about your online relationship. Their objective viewpoint can be invaluable.
  • Changes in Communication Style: If you notice inconsistencies in grammar, spelling, or story details that don’t seem to align with previous communications, it could be multiple scammers operating the same profile.


Romance scams lead to significant emotional and financial damage, making them one of the most harmful scams. Be careful with your personal information and finances in any relationship, especially one that starts online. If you ever feel pressured to send money or share financial details, it’s a strong signal that something could be wrong. Remember, it's not just about protecting your finances, and personal information but also guarding your heart.

Used with permission: Guard Your Heart (and Wallet) Against Romance Scams. The Monthly Security Awareness Newsletter for You OUCH! August 2024 © SANS Institute 2024 www.sans.org/security-awareness


Text Messaging Attacks: A Smishing Saga 

Mark was perplexed by the text message, a package delivery notification from Amazon - "Delivery attempt missed! Click the link now to reschedule or your package will be returned." Mark could not remember ordering anything online recently, but to be honest, he ordered so many things online it was easy to forget. Not wanting to miss any packages, he clicked the link, and a page loaded asking for his contact information "to ensure proper rescheduling." The message seemed a bit odd, but Mark figured better safe than sorry. He entered his home address details and was then asked for additional information, including his credit card information. Trusting the company, he entered everything it asked to ensure delivery. The page then said his package should be delivered soon. Then, within fifteen minutes Mark received a phone call from his credit card company notifying him that his card was being used to make numerous online charges from all over the world. Mark froze as he realized that there was no package and that the text message had been a scam to trick him out of all his information, including his credit card.


What Are Messaging Attacks (Smishing)

Messaging attacks, also called Smishing (a combination of the words SMS and Phishing), occur when cyber attackers use SMS, texting, or similar messaging technologies to trick you into taking an action you should not take, such as giving up your credit card or bank account password or installing a fake mobile app. Just like in email phishing attacks, cyber criminals often play on your emotions, such as creating a sense of urgency or curiosity. However, what makes messaging attacks so dangerous is that there is far less information and fewer clues in a text than there is in an email, making it much harder for you to detect that something is wrong. Sometimes cyber criminals will even combine phone calls with messaging attacks. For example, you may get an urgent text message from your bank asking if you authorized an odd payment. The message then asks you to reply YES or NO. If you respond, the cyber criminal now knows you will engage with the message and will then call you on your phone pretending to be the bank’s fraud department. They can then try to talk you out of your financial and credit card information, or even your bank account’s login and password.


Spotting and Stopping Smishing Attacks

Here are some of the most common clues of a messaging attack:


  • Urgency: Any message that creates a tremendous sense of urgency, when someone is attempting to rush or pressure you into taking an action, such as claiming your accounts will be closed or you will go to jail.
  • Greed: Does the message sound too good to be true? No, you did not really win a new iPhone for free.
  • Curiosity: If you get a message that looks like the equivalent of a “wrong number,” or someone you do not know just saying “hi”, do not respond to it or attempt to contact the sender; just delete it. These are attempts by cyber criminals to start a conversation with you, such as romance scams.
  • Personal Info: Is the message taking you to websites asking for your personal information, credit card, passwords, or other sensitive information they should not have access to?
  • Payments: Be very suspicious of unusual payment requests, like sending money through Western Union or Bitcoin.


If you get a text message from an official organization that you believe may be legitimate, call the organization back directly. However, don’t use the phone number included in the message; instead, use a trusted phone number. For example, if you get a text message from your bank saying there is a problem with your account or credit card, get a trusted phone number by visiting your bank’s website, finding the number on a billing statement, or reading it off the back of your bank or credit card, then call using that number. Also remember that most government agencies, such as tax or law enforcement agencies, will never contact you via text message; they will only contact you by old-fashioned mail. When it comes to message-based Smishing attacks, you are your own best defense.

Used with permission: Text Messaging Attacks: A Smishing Saga. The Monthly Security Awareness Newsletter for You OUCH! July 2024 © SANS Institute 2023 www.sans.org/security-awareness

Going on Vacation? Simple Steps to Make it Cybersecure 

Overview

The summer season is upon us, and soon millions of people will be traveling all over the world. If you are going on vacation, here are some travel tips to help keep you cyber savvy and safe.


Mobile Devices

Avoid overpacking: Only bring the mobile devices you need when going on vacation. By mobile devices, we mean devices including laptops, tablets, smartphones, smart watches, eReaders, and portable gaming devices. The fewer devices you bring, the fewer devices that can be lost or stolen. In fact, did you know that you are far more likely to lose a mobile device than you are to have it stolen? Quite often just keeping track of your devices can be your biggest challenge. Create a habit that whenever you leave a hotel room, restaurant, taxicab, train, or airplane, you do a quick device check and make sure you have all of your devices. Don’t forget to have friends or family traveling with you double-check for their devices, too, especially children, who may leave a device behind on a seat or in a restaurant.

As for the devices you do bring, make sure you update the operating system and apps before you leave so that they are running the latest versions. Often the simplest way to do this is to enable automatic updating on the device. This ensures that your devices have any vulnerabilities patched and are running the latest security features. Keep the screen lock enabled, and if possible, ensure you have some way to remotely track your devices if they are lost. In addition, you may want to enable the option to remotely wipe the device. That way, if a device is lost or stolen, you can remotely track it and/or wipe all your sensitive data and accounts from it. Finally, back up any devices you take with you so that if one is lost or stolen, you can easily recover your data.


Wi-Fi Connections

When traveling, you may want to connect to a public Wi-Fi network. Examples of public Wi-Fi networks include the free Wi-Fi networks at the airport, coffee shops, or at restaurants. Keep in mind, you often have no idea who configured a given Wi-Fi network, who is monitoring it or how, and who else is connected to it. Instead of connecting to a public Wi-Fi network, when possible, use the personal hotspot feature of your smartphone to connect your personal devices to the internet. This way you know you have a trusted Wi-Fi connection.


Another tip to reduce the amount of data you use on your vacation is to download what you need at home before you leave for your trip. This can include downloading versions of maps to easily navigate your destination offline in your preferred navigation app or downloading any digital entertainment beforehand such as audiobooks, eBooks, games, or movies.


Public Computers

Never use public computers such as those in hotel lobbies or at coffee shops to log into any accounts or access sensitive information. You don’t know who used that computer before you, and they may have infected that computer accidentally or deliberately with malware, such as a keystroke logger. Stick to your own devices that you control and trust.


Social Media

We all love to update others about our adventures through social media, but you don’t know who will be reading all of your posts. Avoid oversharing while on vacation as much as possible and consider waiting to share your adventures until you’re home from your trip. Also, don’t post pictures of boarding passes, driver’s licenses, or passports, as this can lead to identity theft.


Customs and local laws

Check the laws of the country you are visiting; your legal rights vary from one country to another. Content which may be tolerated at home may be illegal in another country. Know before you go. Vacation should be a time for relaxing, exploring, and having fun. These simple steps will help ensure you do so safely and securely.

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! June 2024 © SANS Institute 2023 www.sans.org/security-awareness


Top Three Ways Cyber Attackers Target You 

Overview

Social engineering attacks, in which adversaries trick people into doing something they shouldn’t, are one of the most common methods that cyber attackers use to target people. The concept has been used by con artists and scammers for thousands of years. What is new is that the Internet makes it very easy for a cyber-criminal anywhere in the world to pretend to be anyone they want and target anyone they want. Below are the three most common types of social engineering methods that cyber attackers will use to try to engage and fool you.


Phishing

Phishing is the most traditional social engineering attack; it is when cyber attackers send you an email attempting to trick you into taking an action you shouldn’t do. It was originally called phishing because it was like fishing in a lake: You threw out a line and hook but had no idea what you would catch. The strategy behind this tactic was that the more phishing emails cyber-criminals sent, the more people fell victim. The phishing attacks of today have become both far more sophisticated and targeted (sometimes called spear phishing), with cyber attackers often customizing their phishing emails before sending them.

Smishing

Smishing is essentially SMS-based phishing, in which a text message is sent instead of an email. Cyber attackers send text messages to your phone through apps such as iMessage, Google Messages, or WhatsApp. There are several reasons why smishing has become popular. First, it is much harder to filter out messaging attacks than email attacks. Second, the messages that cyber attackers send are often very short, so there is very little context, which makes it much harder to determine whether the message is legitimate. Third, messaging is often more informal and action-based, so people are used to quickly responding to or acting on messages. Finally, people are getting better and better at spotting phishing emails, so cyber attackers are simply shifting to a new method: messaging.

Vishing

Vishing, or voice-based phishing, is a tactic that uses a phone call or voice message rather than email or text message. Vishing attacks take far more time for the attacker to execute, as they talk directly to and interact with the victim. However, these types of attacks are also far more effective, as it is much easier to create strong emotions over the phone, such as a sense of urgency. Once a cyber attacker gets you on the phone, they will not let you get off the phone until they get what they want.

Spotting and Stopping These Attacks

Fortunately, no matter which of the three methods cyber attackers use, there are common clues you can spot:

  • Urgency: Any message that creates a tremendous sense of urgency in which attackers are trying to rush you into taking quick action and making a mistake. An example is a message claiming to be from the government, stating your taxes are overdue and if you don’t pay right away you will end up in jail.
  • Pressure: Any message that pressures an employee to ignore or bypass company security policies and procedures.
  • Curiosity: Any message that generates a tremendous amount of curiosity or seems too good to be true, such as an undelivered UPS package or a notice that you are receiving an Amazon refund.
  • Tone: Any message that appears to be coming from someone you know such as a coworker, but the wording does not sound like them, or the overall tone or signature is wrong.
  • Sensitive Information: Any message requesting highly sensitive information, such as your password or credit card.
  • Generic: A message that appears to come from a trusted organization but uses a generic salutation such as “Dear Customer”. If Amazon has a package for you or your phone service has a billing issue, they know your name.
  • Personal Email Address: Any email that appears to come from a legitimate organization, vendor, or co-worker, but is using a personal email address like @gmail.com or @hotmail.com.

By looking for these common clues you can go a long way toward protecting yourself.
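The clues above can be turned into a simple screening heuristic. The Python below is an added example and not part of the SANS newsletter: the keyword lists and the two sample messages are constructed for illustration, the Tone clue is skipped because it needs a history of the sender's earlier messages, and a real mail gateway would combine many more signals. It scores a message by how many of the listed clues it exhibits.

```python
"""Screen a message for the social-engineering clues listed above.

Added example, not from the SANS newsletter: the keyword lists and the two
sample messages are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Sender domains anyone can register for free (clue: Personal Email Address)
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
# Words in a display name that suggest the sender claims to be an organization
ORG_WORDS = {"bank", "support", "billing", "security", "service", "team", "amazon", "ups"}
URGENCY = ["immediately", "right away", "within 24 hours", "overdue", "suspended", "urgent", "jail"]
PRESSURE = ["do not tell", "don't tell", "bypass", "skip the approval", "keep this confidential"]
CURIOSITY = ["refund", "undelivered", "you have won", "prize", "free gift"]
SENSITIVE = ["password", "credit card", "card number", "social security", "pin code"]
GENERIC_SALUTATIONS = ["dear customer", "dear user", "dear account holder", "dear member"]


@dataclass
class Message:
    display_name: str   # the "From" name shown to the reader
    address: str        # the actual sender address
    subject: str
    body: str


def _matches(text: str, phrases: list[str]) -> list[str]:
    lowered = text.lower()
    return [p for p in phrases if p in lowered]


def clues(msg: Message) -> list[str]:
    """Return the names of the clues this message exhibits.

    Tone is not checked: it needs a history of the sender's earlier messages.
    """
    found = []
    text = msg.subject + "\n" + msg.body
    if _matches(text, URGENCY):
        found.append("urgency")
    if _matches(text, PRESSURE):
        found.append("pressure")
    if _matches(text, CURIOSITY):
        found.append("curiosity")
    if _matches(text, SENSITIVE):
        found.append("sensitive-information")
    lines = msg.body.strip().splitlines()
    first_line = lines[0].lower() if lines else ""
    if any(first_line.startswith(s) for s in GENERIC_SALUTATIONS):
        found.append("generic-salutation")
    # An organization name in the display name but a freemail sending domain
    domain = msg.address.rsplit("@", 1)[-1].lower()
    name_words = set(re.findall(r"[a-z]+", msg.display_name.lower()))
    if domain in FREEMAIL_DOMAINS and name_words & ORG_WORDS:
        found.append("personal-email-address")
    return found


def risk_level(msg: Message) -> str:
    """Coarse triage: three or more clues is high, any clue is medium."""
    n = len(clues(msg))
    return "high" if n >= 3 else ("medium" if n else "low")


# Constructed samples: a phishing lure and an ordinary internal note
PHISH = Message(
    display_name="First National Bank Security Team",
    address="fnb.alerts@gmail.com",
    subject="Action required: account suspended",
    body="Dear Customer,\n\nSuspicious activity was detected. Verify your "
         "password immediately or your account will remain suspended.",
)
LEGIT = Message(
    display_name="Priya Natarajan",
    address="priya@example-corp.com",
    subject="Lunch Thursday?",
    body="Hi Sam,\n\nAre you free for lunch on Thursday?\n\nPriya",
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        print(m.subject, "->", risk_level(m), clues(m))
```

Keyword matching of this kind is a training aid rather than a filter: it is easy to phrase a lure that avoids every listed word, which is exactly why the newsletter asks people to look at the overall picture rather than any single clue.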

Used with permission, The Monthly Security Awareness Newsletter for You OUCH! May 2024 © SANS Institute 2023 www.sans.org/security-awareness

Messaging Do’s and Don’ts 

Overview

Messaging serves as a primary mode of communication in both our personal and professional lives. However, quite often we can be our own worst enemy when it comes to text messaging safely and securely. Learn the most common mistakes people make and how you can avoid them in your day-to-day lives.

Auto Complete

Auto complete is a common feature in many messaging apps. As you type the name of the person you want to message, your app may automatically select the person for you. This feature can lead to mistakes, especially when multiple contacts share similar names. For example, you may intend to send a sensitive text to a co-worker but instead accidentally message your daughter’s coach who happens to share a very similar name. Always double-check the full name of the person you intend to message before you hit send.

Replying to Group Messages

Group chats are another common feature, but make sure you are aware of all group members who are on the thread before responding. When you are replying to an entire group, you want to be sure your reply is appropriate for everyone in that group. Another common mistake is accidentally replying to the entire group instead of a specific person. Take your time in responding: Double-check before hitting the send button.

Emotion

Avoid sending messages when angry, upset, or emotionally charged. That message could cause you far more harm in the future, perhaps even costing you a friendship or a job. Instead, take a moment to calmly organize your thoughts. If you must vent your frustration, open a new message with no recipient selected, type out exactly what you are feeling, then walk away from your device. Perhaps make yourself a cup of tea or go for a walk. When you return, delete the message, and start over again. You will most likely be in a far calmer and clearer state of mind. Consider direct communication via phone or in-person for a more effective conversation. It can be difficult for people to determine your tone and intent with just a text message.

Privacy

Traditional SMS messaging lacks robust privacy protections; once sent, you lose control over the message. Messages can be forwarded, posted publicly, shared as a screenshot, or disclosed due to court orders. For private communication, pick up the phone and call the individual. Finally, if you utilize your work device for messaging, remember that your employer may have the authority to monitor and potentially read messages on work devices.

Malicious Messages

Like with email, cyber attackers are going to try to trick, fool, or scam you with messages. These messages can include malicious links they want you to click, requests for you to share personal information, or pressure for you to call a phone number. Have you ever received an odd text message with just the word “Hi” in the message and wondered what that is about? That is a cyber attacker trying to start a conversation with you, often the beginning of something called a romance scam. If you receive odd or suspicious messages on your device, simply delete them. In addition, as is also the case with email, it is possible to spoof the source of a text message. Be certain that you know the identity of the person with whom you are texting before divulging any personal information, particularly if you did not initiate the conversation. You can also block any unwanted or suspicious phone numbers or accounts attempting to message you.

Secure Messaging

Make sure that whatever messaging app you are using is current and up to date, ensuring it has the latest security features. Consider dedicated secure messaging apps like Signal for enhanced security and privacy.

Used With Permission: The Monthly Security Awareness Newsletter for You OUCH! March 2024 © SANS Institute 2023 www.sans.org/security-awareness

Identity Theft: Preventing, Detecting and Responding 

Overview

In today's digital age, your personal information is more valuable than ever. Unfortunately, this also makes it a prime target for identity theft. Understanding this threat, detecting it, and knowing how to protect yourself are essential elements in safeguarding your online digital life.

What is Identity Theft?

Identity theft occurs when someone unlawfully obtains your personal information – your name, identification numbers like your Social Security or passport number, or credit card details, for example – to commit fraud or other crimes. A common form of identity theft is Financial Identity Theft, where someone uses your information for financial fraud. For example, they steal your identity and get a credit card, mortgage, or car loan in your name, and you have to pay the bills. However, other types of identity theft exist. One example is Medical Identity Theft, where someone steals your medical information and charges medical insurance in your name for medical procedures you never received. Another is Tax-Related Identity Theft, when a criminal uses your tax identification number to file a tax return in your name and claim a fraudulent refund. Then, when you attempt to file your own tax return, you cannot get your money back, as the refund has already been paid out to someone else.

Preventive Measures

What can you do to protect yourself? Unfortunately, it is not as easy as it sounds, as so many organizations already have your information and it's up to them to protect it. However, there are some key steps you can take.

  • Strong Passwords: One of the most effective ways to protect yourself is to secure each of your accounts with a unique, long password, and, when possible, enable multi-factor authentication.
  • Regular Software Updates: Ensure your devices are updated with the latest security patches and features by enabling automatic updating on all your devices.
  • Credit Cards: Use credit cards for online purchases, never debit cards, as credit cards give you far more protection against fraud. Another idea is to use one credit card for just online purchases and another for in-person purchases. Some services provide virtual or one-time use credit cards for every online purchase.
  • Credit Freeze: A credit freeze locks your credit report, preventing fraudsters from opening new accounts in your name. This can be done for free by contacting the major credit bureaus. This may not be an option in all countries.

Detecting Identity Theft

Early detection is one of the most powerful ways you can protect yourself. The sooner you detect your identity is being used by someone else, the sooner you can act. Some of the most common indications of identity theft include:

  • Unusual Financial Statements: Regularly monitor all your bank and credit card statements. You want to look for any charges or money transfers you know you did not make. A great way to do this is to enable automatic notifications. This way anytime there is a charge to your credit card or a change to your savings or checking account you are notified right away.
  • Irregular Credit Reports: Annually review your credit reports for suspicious activity. You are looking for any new loans in your name that you know you did not make or any major changes in your credit rating.
  • Mysterious Bills or Notifications: Be wary if you begin receiving bills for items you know you never purchased, or if you are contacted by payment agencies for unpaid bills for items or services you never purchased.
  • Unexpected Denials: If you're unexpectedly denied your tax refund, or a credit or a loan application, investigate why.

Responding to and Recovering from Identity Theft

If you are concerned that your identity has been compromised, act right away.

  • Report Immediately: Report right away if you suspect an incident. For example, if you identify fraudulent activity in your bank account or credit card, contact your bank. Also, file a report with local law enforcement. This can be crucial in proving the crime and helping you recover any costs or file insurance claims.
  • Fraud Alerts and Credit Freezes: Place a fraud alert on your credit reports and consider a credit freeze if you have not already. In addition, work with credit bureaus to remove fraudulent information.
  • Document Everything: When calling organizations to recover, be sure to keep detailed records of your communications and actions taken, to include who you talked to, what date / time, and what was discussed.
  • Change Passwords: Update passwords for all your key accounts. If you do not have a password manager to track all your new passwords, consider getting one.

Conclusion

By understanding what identity theft is and employing these measures, you can greatly reduce your risk of becoming a victim.

Used with permission: Identity Theft: Preventing, Detecting, and Responding The Monthly Security Awareness Newsletter for You OUCH! February 2024 © SANS Institute 2023 www.sans.org/security-awareness

QR Codes 

Overview

Have you ever wondered what those squares of dots or bars called “QR codes” are all about? You most likely have seen them posted on websites, printed on posters, used as mobile tickets, or on restaurant tables. How do these work, and are there risks you should be worried about? Let’s find out.

QR code example

How Do QR Codes Work?

QR code stands for “Quick-Response code” and is a machine-readable code usually consisting of a matrix of black and white squares (they can also come in other colors and contain background images). These squares can be easily created with QR code generators, and they’re used to encode information such as website URLs, email contact information, or other types of data. Think of QR codes like bar codes but more versatile. Most mobile device cameras recognize and decode the information coded in a QR code. In other words, when you try to take a picture of a QR code with your device’s camera, it will decode the QR code and ask you if you want to act on the information it contains, such as opening a link to a website.

What Is the Danger?

QR codes can be difficult for people to easily interpret, which makes it easier for cyber attackers to encode information that could be malicious or cause harm. For example, a QR code could send you to a malicious website that attempts to harvest your personal information, like passwords or credit card numbers, or perhaps even try to install malware on your device.

In addition, QR codes can take additional steps, such as adding a contact to your contacts list or composing an email on your behalf. The QR code by itself is not the threat; however, the information or action it triggers can be.

For example, let’s say you are in the city or perhaps in an airport, and there is a poster on a wall promoting a product that interests you. The poster has a QR code you can use to quickly get more information. What you don’t realize is that someone has covered the poster’s QR code with a sticker of a different QR code. When you look at the poster you trust it, not realizing that the QR code on the poster has been replaced by a criminal. When you scan the QR code to learn more about the product, you are directed to a website controlled by the criminal to start an attack.

What Should I Do to be Safe?

  • Be careful before trusting and scanning a QR code. First, ask yourself: Can you trust the source? Do you trust the poster, restaurant, or website that is showing the QR code? If someone left a handout on your car with a QR code, can you trust it?
  • Once you scan a QR code, your device will ask you if you want to act on the information it reads before it does anything. For example, if the QR code is a link to a website, your device will ask you if you want to visit the site before going to it. Take time to review the call to action or the link itself and ensure you feel comfortable visiting it.
  • Confirm your mobile devices are always updated and running the latest version of their operating system. This ensures that they have the latest security features. The easiest way to do this is to enable automatic updates on your device.
  • There is no need to install special mobile apps to decode QR codes; you should be able to simply use your device’s built-in camera. If a website is requiring you to download a specialized QR scanning app, it is most likely counterfeit or fake.
  • Think twice before providing confidential or personal information to any website that you reached via a publicly visible QR code.
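One concrete way to apply the second point above is to inspect what a decoded QR payload would do before acting on it. The classifier below is an added example and not from the newsletter: it recognises the common payload conventions (http/https URLs, mailto:, tel:, MECARD: contacts, WIFI: network joins), which are de-facto formats rather than anything the newsletter specifies, and every sample payload is constructed. It also reports the real destination host of a URL, since text before an @ in a URL is user information, not the site name.

```python
"""Classify the text decoded from a QR code and name the action it would trigger.

Added example, not from the SANS newsletter. The payload conventions handled
here (URL, mailto:, tel:, MECARD:, WIFI:) are common de-facto formats; all
sample payloads are constructed.
"""
from urllib.parse import urlsplit


def _fields(body: str) -> dict:
    """Parse 'KEY:value;KEY:value;;' style payloads (MECARD, WIFI)."""
    return dict(f.split(":", 1) for f in body.rstrip(";").split(";") if ":" in f)


def classify_qr_payload(payload: str) -> dict:
    """Return the action a device would offer, its target, and any warnings."""
    p = payload.strip()
    upper = p.upper()

    if upper.startswith(("HTTP://", "HTTPS://")):
        parts = urlsplit(p)
        host = parts.hostname or ""
        warnings = []
        if parts.scheme.lower() == "http":
            warnings.append("plain http: traffic is not encrypted")
        if "@" in parts.netloc:
            # 'bank.example.com@evil.example' looks like the bank, but the
            # part before '@' is userinfo; the browser connects to evil.example
            warnings.append("userinfo in URL; real host is " + host)
        return {"action": "open-url", "target": host, "warnings": warnings}

    if upper.startswith("MAILTO:"):
        return {"action": "compose-email", "target": p[7:].split("?")[0], "warnings": []}

    if upper.startswith("TEL:"):
        return {"action": "place-call", "target": p[4:],
                "warnings": ["calls can incur charges"]}

    if upper.startswith("MECARD:"):
        return {"action": "add-contact", "target": _fields(p[7:]).get("N", ""),
                "warnings": ["adds an entry to your address book"]}

    if upper.startswith("WIFI:"):
        return {"action": "join-wifi", "target": _fields(p[5:]).get("S", ""),
                "warnings": ["joins a network you may not control"]}

    return {"action": "unknown", "target": p,
            "warnings": ["unrecognised payload; do not act on it"]}


# Constructed sample payloads, as a phone camera might decode them
SAMPLES = [
    "https://example.com/menu",
    "http://example.com/promo",
    "https://bank.example.com@evil.example/login",
    "mailto:sales@example.com?subject=Info",
    "tel:+15550100",
    "MECARD:N:Doe,John;TEL:+15550100;EMAIL:john@example.com;;",
    "WIFI:T:WPA;S:CafeNet;P:s3cret;;",
    "not a payload anyone should act on",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify_qr_payload(s)
        print(f"{r['action']:14} {r['target']:25} {'; '.join(r['warnings'])}")
```

The value of printing the real host is the point the newsletter makes about reviewing the link before visiting it: the prompt shown by a phone camera is where that review happens, and a payload that opens a site, dials a number, or joins a network each deserves a different level of suspicion.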

QR codes are a convenient way to access all sorts of new information and capabilities. Taking a few simple steps can help you make the most of them, safely and securely.

Used with permission:

The Monthly Security Awareness Newsletter for You OUCH! January 2024 © SANS Institute 2023 www.sans.org/security-awareness

The Power of the Passphrase 

Are you tired of constantly creating complex passwords? Frustrated with having to remember and type all those characters, symbols and numbers? Well, we have a solution for you: the ever-powerful passphrase!

Passphrases

You may not realize it, but passwords are one of the primary attack vectors for cyber attackers. Bad actors are targeting your passwords, and if they can guess correctly or hack the right one, they can easily access your email or bank accounts, or perhaps steal your entire identity. The weaker your passwords, the easier it is for them to get in. As such, strong passwords are one of the most effective ways to protect your accounts and online digital life. Traditionally, you were trained to use highly complex passwords. The idea was that the greater the complexity, the harder it is for cyber attackers and their automated programs to guess the password. But the problem with that is that complex passwords are also hard to both remember and type accurately. An even better way to create a strong, secure password is something called a passphrase. Instead of complexity, these are strong because of their length. Here are a couple of examples:

Time for strong coffee!

lost-snail-crawl-beach

Passphrases are nothing more than a series of words and can contain over twenty characters if a site allows it. That may seem like a lot, but both examples above contain more than twenty characters, and unlike passwords, passphrases are much easier to remember and simpler to type. The longer the passphrase, the more secure it is. In some situations, you may be asked to add some complexity to your passphrase, that is, to add symbols, uppercase letters, or numbers. The easiest way to do this is to modify some of the letters in your passphrase with symbols or numbers. For example, by replacing the letter e with the number 3, the above examples become more complex, yet are still easy enough to remember and type:

Tim3 for strong coff33!

lost-snail-crawl-b3ach
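To make the length-versus-complexity point concrete, here is an added Python example (not from the newsletter) that generates hyphenated passphrases from the operating system's cryptographic random source, estimates their strength in bits, and applies the e-to-3 substitution used in the examples above. The word list is a tiny constructed sample; real generators use lists of thousands of words, and the 7776-word list size used in the comparison is an assumption taken from common Diceware-style lists, which the newsletter does not mention.

```python
"""Generate passphrases and compare their strength with complex passwords.

Added example, not from the SANS newsletter. SAMPLE_WORDS is a constructed
toy list; a real generator draws from several thousand words.
"""
import math
import secrets

SAMPLE_WORDS = [
    "lost", "snail", "crawl", "beach", "coffee", "strong", "river", "candle",
    "orbit", "maple", "quiet", "velvet", "wander", "zebra", "harbor", "lantern",
]


def generate_passphrase(num_words: int = 4, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Draw words with secrets.choice (OS CSPRNG); random.choice is predictable."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Each word is an independent uniform draw, so entropy = n * log2(list size)."""
    return num_words * math.log2(wordlist_size)


def random_password_bits(length: int, alphabet_size: int = 94) -> float:
    """Strength of a truly random password over the printable ASCII alphabet."""
    return length * math.log2(alphabet_size)


def apply_digit_substitution(text: str) -> str:
    """The 'e -> 3' trick from the examples above. It satisfies a site's
    complexity rule, but adds almost no strength: cracking tools try such
    substitutions as a matter of course, so rely on length, not on this."""
    return text.replace("e", "3")


def meets_length_policy(passphrase: str, minimum: int = 20) -> bool:
    """The twenty-character guideline from the newsletter."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    p = generate_passphrase(4)
    print(p, "->", apply_digit_substitution(p))
    # Four words from a 7776-word list vs. eight random printable characters
    print(f"4 words: {passphrase_bits(4, 7776):.1f} bits")
    print(f"8 random chars: {random_password_bits(8):.1f} bits")
    print(f"5 words: {passphrase_bits(5, 7776):.1f} bits")
```

Four random words from a large list are roughly as strong as eight fully random printable characters, and every additional word adds about thirteen bits, which is the newsletter's point: length is what makes the passphrase strong, and it is far easier to remember a fifth word than a ninth symbol.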

Keep it Unique

In order for the passphrase to be truly secure, it also needs to be unique for every account. If you reuse the same passphrase, or one that contains an easily identifiable pattern, for multiple accounts, you are putting yourself in danger.

All a cyber attacker needs to do is hack one website you use frequently, steal the passphrase you use for that particular website, and if all your passwords/passphrases are the same they will then have access to all your other accounts. Can’t remember all those long, unique passphrases for each of your accounts?

We have a solution for you: password managers.

Password managers are special computer programs that securely store all your passwords in an encrypted vault protected by a primary password. To access the vault, you only need to remember the primary password. The password manager can automatically retrieve your passwords whenever you need them and will automatically log into websites for you. Password managers have evolved to contain other features, including storing answers to secret questions, warning you when you reuse passwords or end up on a spoofed website, using generators that will create strong passwords or passphrases for you, and many more. Most password managers also securely sync across almost any computer or device, so regardless of what system you are using you have easy, secure access to all your passwords.

The Final Step – Multi-Factor Authentication

A final step to making your passphrases truly foolproof is adding a second layer of protection to them, something called Multi-Factor Authentication (MFA). MFA requires you to have two pieces of identification when you log in to your accounts. This could be your password and a biometric like a fingerprint, or it could be your password and an auto-generated numerical code that is sent to a different device or email account. The code is unique every time and can be generated from a mobile phone or another trusted device. This process ensures that even if a cyber attacker gets your passphrase, they still can’t get into your accounts, as they don’t have the second factor. MFA should be enabled whenever possible, especially for your most important accounts such as your banking, retirement, or personal email accounts. If you are using a password manager, it is highly recommended you protect it with a strong passphrase AND multi-factor authentication.

Passphrases are a great way to both simplify security and help secure your accounts. To make your online digital life even simpler and more secure, we suggest combining the power of password managers and MFA for your passphrases.

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! December 2023 © SANS Institute 2023 www.sans.org/security-awareness