Security Awareness

Danger Download: How to Outwit Malicious Mobile Apps 

The Mysterious App: A Short Cautionary Tale

One lazy Sunday while on social media, Sarah stumbled upon an ad for a new photo editing app, ‘PiksPerfect.’ Intrigued by its stunning filters, she downloaded it without hesitation. At first, the app worked great, but soon her phone became sluggish, and random ads began popping up. A few days later, Sarah received a call from her bank about suspicious transactions totaling thousands of dollars. In a panic, she checked her bank app and found her savings nearly wiped out. After reporting the fraud and freezing her account, she was left confused and upset. Her tech-savvy friend discovered the truth: the mobile app was a fake, stealing her personal information, including banking details. It took months to recover, but Sarah became more cautious, researching mobile apps before installing them. She now shares her story to warn others, understanding that a moment of carelessness can have far-reaching consequences.

 

How Do I Know What Apps are Safe?

Mobile apps are convenient and powerful, enabling us to do just about everything in our lives with the touch of a button. However, cybercriminals are taking advantage of this by creating fake or malicious mobile apps. If you download one of these apps, they can take over your phone and monitor everything you do. The key to protecting yourself is making sure the mobile apps you install on your devices are legitimate and safe. First and foremost, download mobile apps only from official stores where vendors review the mobile apps, such as the Apple App Store or Google Play Store. This helps reduce the risk of downloading a bad mobile app. Third-party app stores often cannot be trusted and may even be managed by cybercriminals. But even when using a trusted mobile app store, you have to be careful. Here are some additional steps you can take to ensure you are downloading legitimate, safe mobile apps.

 

  1. Check the Developer’s Name: When looking for a specific mobile app created by a certain company, make sure the app you are downloading is made by that company. A common trick for scammers is to create mobile apps that look very similar to well-known apps. Check the developer’s name—is it the same company or a well-known developer, or is the app developed by someone you have never heard of? Another option is to visit the official website of the app or developer to find direct links to the mobile app in the app store. This ensures you're downloading the official app.

  2. Read Reviews and Ratings: Look at user reviews and ratings. A legitimate app will have a significant number of positive reviews and high ratings. Be wary of apps with few reviews, many negative reviews, or overly positive reviews that sound fake.

  3. Examine the Number of Downloads: Legitimate apps typically have a high number of downloads. An app with a low download count could be a red flag.

  4. Examine Permissions: Review the permissions the app requests before downloading. Legitimate apps will only request permissions necessary for their functionality. Be wary of apps requesting excessive or irrelevant permissions. For example, does the app really need access to your contacts or to always know your location?

  5. Check for Regular Updates: Legitimate apps are regularly updated to fix bugs and improve performance. Check the app’s update history to ensure it receives frequent updates.

  6. Be Cautious with New Apps: New apps with no reviews or ratings should be approached with caution. If the app is legitimate, it will likely gain positive reviews and ratings over time.

 

Once you download a mobile app, enable automatic updating. New mistakes and vulnerabilities are constantly found in the code and configurations of mobile apps. By always ensuring you are running the latest version of your mobile apps, you can be sure those vulnerabilities are fixed and you have the latest security features. Also, if you are no longer using a mobile app, delete it from your phone.

 

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! October 2024 © SANS Institute 2023 www.sans.org/security-awareness

 

Phantom Voices: Defend Against Voice Cloning Attacks 

The Unexpected Call: A Story of Deception

Margaret, a retired teacher, enjoyed her peaceful mornings in her small suburban home. One day as she was enjoying her morning coffee, she received a frantic call from her grandson, Jacob, who was away at college. His voice was filled with panic as he explained that he had been in a car accident and needed money urgently to pay for the damages and avoid legal trouble. If he did not get the money right away, he could end up in jail. The voice on the other end was unmistakably Jacob’s; Margaret’s heart raced with worry. Without questioning, she rushed to her bank and wired money to the account Jacob provided. It wasn’t until Margaret called Jacob’s mother later that day to learn how Jacob was doing that Margaret learned she had been scammed. The call had been a cruel trick: a cyber-criminal had used Artificial Intelligence (AI) voice cloning technology to mimic Jacob’s voice, exploiting Margaret’s love and concern for her grandson.

 

What is Voice Cloning?

Voice cloning is when someone uses AI to recreate a person's voice, including their voice patterns, intonations, and speech rhythms, creating a near-perfect replica. A voice cloning attack begins with a cyber-criminal collecting audio samples of the target's voice. These samples can be harvested from various sources such as videos on YouTube or personal posts on TikTok. After training on the recorded audio, AI generates new audio that sounds like the target. This generated voice can be used in various ways, from phone calls to voice messages, making it a potent tool for deception. When creating voice cloning attacks, cyber-attackers often do their research first. Most of the information they need is publicly available on social media sites. They study their intended victims, including both the person whose voice they are going to replicate and the victim they are going to call. Cyber criminals not only learn who their victims know and trust, but which emotional triggers are the most effective. When making these phone calls, cyber-attackers often modify their Caller ID, so when the victims look at their phones, the phone call appears to come from a number the victim trusts. Caller ID can be easily spoofed and is not a good way to validate or authenticate people who call you.

 

Protect Yourself

The first step to protecting yourself is just being aware that voice cloning is now possible and becoming easier for cyber-attackers to do. Some steps you can take to protect yourself include:

 

  • Privacy: Be aware of and limit the information you share with others and restrict who can access recordings of you on social media.

 

  • Clues: Be on the lookout for common indicators that something is wrong. Whenever someone calls you with a tremendous sense of urgency or is pressuring you to act right away, it is most likely a scam. The greater the sense of urgency, such as demanding money right away, the more likely someone is trying to rush you into making a mistake. Other common indicators include something that is too good to be true (no, you did not win the lottery) or an unexpected call that just seems odd.

 

  • Verify: If you are not sure if a phone call is legitimate, hang up and call the individual back on a trusted phone number. For example, if you get a phone call from a senior executive or co-worker in your company, call them back on a trusted phone number that you know is truly theirs. If you get an odd phone call from a family member, try calling them back (perhaps even use video call) or call another family member that knows them well.

 

  • Passcode: Create a secret passphrase or passcode that only you and your family know. That way if you get an odd phone call that seems to be from a family member, you can validate if it's them by seeing if they know your secret passcode.

 

 

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! September 2024 © SANS Institute 2023 www.sans.org/security-awareness

 

Guard Your Heart (and Wallet) Against Romance Scams 

Sarah was a kind, intelligent accountant nearing retirement. Widowed for several years, she felt a pang of loneliness that online dating profiles promised to soothe. Scrolling through pictures, she stumbled upon David, a charming architect supposedly working abroad. Their messages blossomed into daily conversations. David showered Sarah with compliments, his words painting a picture of a soulmate yearning for connection. Weeks turned into months, filled with virtual dates and shared dreams. Sarah, swept off her feet, readily confided in David about her dreams and finances, including a nest egg she'd meticulously saved for retirement.

 

Then came the "hardship." David, claiming a stolen passport while on a business trip, desperately needed money for a replacement. Blinded by love and trust, Sarah, despite initial hesitation, wired him a significant sum. This became a recurring pattern: fabricated emergencies or business opportunities followed by a financial plea. Trusting David completely, Sarah emptied her savings, even taking out loans, convinced she was helping the man she loved. Reality struck when David, after one final, exorbitant request, vanished completely. Devastated and heartbroken, Sarah not only faced financial ruin but the crushing betrayal of a love that never existed.

 

What Are Romance Scams?

Romance scams are a cruel form of deception where criminals exploit the desire for love and connection while gaining the affection and trust of the victim. They craft online personas, often using stolen pictures and profiles, to build a facade of affection. Their goal? To manipulate victims into parting with money or sensitive information. Preying on emotions, they create a strong bond, making it easier to exploit people. The emotional investment makes it harder for victims to recognize or admit the scam, leading to devastating financial and personal consequences.

 

The two most common ways scammers find their victims are by creating a fake persona to meet people on dating apps or by randomly texting people and starting conversations. Have you ever received an odd text message simply saying “Hi” or that looks like a message sent to the wrong person? These are romance scammers trying to start up conversations with lonely people.

Spotting and Stopping Romance Scams

  • Too Good to Be True: If someone seems like the perfect match quickly and the relationship progresses rapidly, it might be a red flag. Scammers often create ideal profiles to lure in victims.
  • Love at Lightning Speed: Scammers express deep feelings and propose a serious commitment very early into the interaction to catch their victims off guard. Genuine connections take time to develop. Beware of whirlwind romances and professions of love that seem unrealistic.
  • Never Able to Meet: Often citing living overseas or being in the military, scammers usually have elaborate excuses for why they cannot meet in person.
  • Requests for Money: A telltale sign of a romance scam is when the person you are communicating with asks for money, especially under the pretext of emergencies, travel expenses, medical bills, or visas. Never send money or financial information to someone you haven't met in person.
  • Avoidance of Video Calls: Scammers usually avoid video calls or repeatedly cancel virtual meetings at the last minute. They might use fake or stolen photos and want to avoid being identified.
  • Secrecy and Isolation: The scammer may attempt to isolate you from friends and family or discourage you from discussing the details of the relationship, fearing that others might offer warnings against the scam. Don't be afraid to confide in loved ones about your online relationship. Their objective viewpoint can be invaluable.
  • Changes in Communication Style: If you notice inconsistencies in grammar, spelling, or story details that don’t seem to align with previous communications, it could be multiple scammers operating the same profile.

 

Romance scams lead to significant emotional and financial damage, making them one of the most harmful scams. Be careful with your personal information and finances in any relationship, especially one that starts online. If you ever feel pressured to send money or share financial details, it’s a strong signal that something could be wrong. Remember, it's not just about protecting your finances and personal information, but also guarding your heart.

 

 

Used with permission: Guard Your Heart (and Wallet) Against Romance Scams. The Monthly Security Awareness Newsletter for You OUCH! August 2024 © SANS Institute 2024 www.sans.org/security-awareness

 

Text Messaging Attacks: A Smishing Saga 

Mark was perplexed by the text message, a package delivery notification from Amazon - "Delivery attempt missed! Click the link now to reschedule or your package will be returned." Mark could not remember ordering anything online recently, but to be honest, he ordered so many things online it was easy to forget. Not wanting to miss any packages, he clicked the link, and a page loaded asking for his contact information "to ensure proper rescheduling." The message seemed a bit odd, but Mark figured better safe than sorry. He entered his home address details and was then asked for additional information, including his credit card information. Trusting the company, he entered everything it asked to ensure delivery. The page then said his package should be delivered soon. Then, within fifteen minutes Mark received a phone call from his credit card company notifying him that his card was being used to make numerous online charges from all over the world. Mark froze as he realized that there was no package and that the text message had been a scam to trick him out of all his information, including his credit card.

 

What Are Messaging Attacks (Smishing)?

Messaging attacks, also called Smishing (a combination of the words SMS and Phishing), occur when cyber attackers use SMS, texting, or similar messaging technologies to trick you into taking an action you should not take, such as giving up your credit card or bank account password or installing a fake mobile app. Just like in email phishing attacks, cyber criminals often play on your emotions, such as creating a sense of urgency or curiosity. However, what makes messaging attacks so dangerous is that there is far less information and fewer clues in a text than there is in an email, making it much harder for you to detect that something is wrong. Sometimes cyber criminals will even combine phone calls with messaging attacks. For example, you may get an urgent text message from your bank asking if you authorized an odd payment. The message then asks you to reply YES or NO to the message. If you respond, the cyber criminal now knows you will engage with the message and will then call you on your phone pretending to be the bank’s fraud department. They can then try and talk you out of your financial and credit card information, or even your bank account’s login and password.

 

Spotting and Stopping Smishing Attacks

Here are some of the most common clues of a messaging attack:

 

  • Urgency: Any message that creates a tremendous sense of urgency, when someone is attempting to rush or pressure you into taking an action, such as claiming your accounts will be closed or you will go to jail.
  • Greed: Does the message sound too good to be true? No, you did not really win a new iPhone for free.
  • Curiosity: If you get a message that looks like the equivalent of a “wrong number,” or someone you do not know just saying “hi”, do not respond to it or attempt to contact the sender; just delete it. These are attempts by cyber criminals to start a conversation with you, such as romance scams.
  • Personal Info: Is the message taking you to websites asking for your personal information, credit card, passwords, or other sensitive information they should not have access to?
  • Payments: Be very suspicious of unusual payment requests, like sending money through Western Union or Bitcoin.

 

If you get a text message from an official organization that you believe may be legitimate, call the organization back directly. However, don’t use the phone number included in the message; instead, use a trusted phone number. For example, if you get a text message from your bank saying there is a problem with your account or credit card, get a trusted phone number by visiting your bank’s website, or find the phone number on a billing statement or on the back of your bank or credit card, then call using that number. Also remember that most government agencies, such as tax or law enforcement agencies, will never contact you via text message; they will only contact you by old-fashioned mail. When it comes to message-based Smishing attacks, you are your own best defense.

 

Used with permission: Text Messaging Attacks: A Smishing Saga. The Monthly Security Awareness Newsletter for You OUCH! July 2024 © SANS Institute 2023 www.sans.org/security-awareness

Going on Vacation? Simple Steps to Make it Cybersecure 

Overview

The summer season is upon us, and soon millions of people will be traveling all over the world. If you are going on vacation, here are some travel tips to help keep you cyber savvy and safe.

 

Mobile Devices

Avoid overpacking: Only bring the mobile devices you need when going on vacation. By mobile devices, we mean devices including laptops, tablets, smartphones, smart watches, eReaders, and portable gaming devices. The fewer devices you bring, the fewer devices that can be lost or stolen. In fact, did you know that you are far more likely to lose a mobile device than you are to have it stolen? Quite often just keeping track of your devices can be your biggest challenge. Create a habit that whenever you leave a hotel room, restaurant, taxicab, train, or airplane, do a quick device check and make sure you have all of your devices. Don’t forget to have friends or family traveling with you to double check for their devices, too -- especially children who may leave a device behind on a seat or in a restaurant. As for the devices you do bring, make sure you update the operating system and apps before you leave so that they are running the latest versions. Often the simplest way to do this is to enable automatic updating on the device. This ensures that your devices have any vulnerabilities patched and are running the latest security features. Keep the screen lock enabled, and if possible, ensure you have some way to remotely track your devices if they are lost. In addition, you may want to enable the option to remotely wipe the device. That way if a device is lost or stolen, you can remotely track and/or wipe all your sensitive data and accounts from the device. Finally, do a backup of any devices you take with you so that if one is lost or stolen, you can easily recover your data.

 

Wi-Fi Connections

When traveling, you may want to connect to a public Wi-Fi network. Examples of public Wi-Fi networks include the free Wi-Fi networks at the airport, coffee shops, or at restaurants. Keep in mind, you often have no idea who configured a given Wi-Fi network, who is monitoring it or how, and who else is connected to it. Instead of connecting to a public Wi-Fi network, when possible, use the personal hotspot feature of your smartphone to connect your personal devices to the internet. This way you know you have a trusted Wi-Fi connection.

 

Another tip to reduce the amount of data you use on your vacation is to download what you need at home before you leave for your trip. This can include downloading versions of maps to easily navigate your destination offline in your preferred navigation app or downloading any digital entertainment beforehand such as audiobooks, eBooks, games, or movies.

 

Public Computers

Never use public computers such as those in hotel lobbies or at coffee shops to log into any accounts or access sensitive information. You don’t know who used that computer before you, and they may have infected that computer accidentally or deliberately with malware, such as a keystroke logger. Stick to your own devices that you control and trust.

 

 

Social Media

We all love to update others about our adventures through social media, but you don’t know who will be reading all of your posts. Avoid oversharing while on vacation as much as possible and consider waiting to share your adventures until you’re home from your trip. Also, don’t post pictures of boarding passes, driver’s licenses, or passports, as this can lead to identity theft.

 

Customs and local laws

Check the laws of the country you are visiting; your legal rights vary from one country to another. Content which may be tolerated at home may be illegal in another country. Know before you go. Vacation should be a time for relaxing, exploring, and having fun. These simple steps will help ensure you do so safely and securely.

 

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! June 2024 © SANS Institute 2023 www.sans.org/security-awareness

 

Top Three Ways Cyber Attackers Target You 

Overview

Social engineering attacks, in which adversaries trick people into doing something they shouldn’t, are one of the most common methods that cyber attackers use to target people. The concept has been used by con artists and scammers for thousands of years. What is new is that the Internet makes it very easy for a cyber-criminal anywhere in the world to pretend to be anyone they want and target anyone they want. Below are the three most common types of social engineering methods that cyber attackers will use to try to engage and fool you.

 

Phishing

Phishing is the most traditional social engineering attack; it is when cyber attackers send you an email attempting to trick you into taking an action you shouldn’t do. It was originally called phishing because it was like fishing in a lake: You threw out a line and hook but had no idea what you would catch. The strategy behind this tactic was that the more phishing emails cyber-criminals sent, the more people fell victim. The phishing attacks of today have become both far more sophisticated and targeted (sometimes called spear phishing), with cyber attackers often customizing their phishing emails before sending them.

 

Smishing

Smishing is essentially SMS-based phishing, in which a text message is sent instead of an email. Cyber attackers send text messages to your phone on apps such as iMessage, Google Messages or WhatsApp. There are several reasons why smishing has become popular. The first is that it’s much harder to filter out messaging attacks than it is to filter out email attacks. Second, the messages that cyber attackers send are often very short, meaning there is very little context which makes it much harder to determine if the message is legitimate or not. Third, messaging is often more informal and action-based, so people are used to quickly responding to or acting on messages. Finally, people are getting better and better at spotting phishing email attacks, so cyber attackers are simply shifting to a new method, messaging.

 

Vishing

Vishing, or voice-based phishing, is a tactic that uses a phone call or voice message rather than email or text message. Vishing attacks take far more time for the attacker to execute, as they talk directly to and interact with the victim. However, these types of attacks are also far more effective, as it is much easier to create strong emotions over the phone, such as a sense of urgency. Once a cyber attacker gets you on the phone, they will not let you get off the phone until they get what they want.

 

Spotting and Stopping These Attacks

Fortunately, it does not matter which of the three methods cyber attackers use, there are common clues you can spot:

 

  • Urgency: Any message that creates a tremendous sense of urgency in which attackers are trying to rush you into taking quick action and making a mistake. An example is a message claiming to be from the government, stating your taxes are overdue and if you don’t pay right away you will end up in jail.
  • Pressure: Any message that pressures an employee to ignore or bypass company security policies and procedures.
  • Curiosity: Any message that generates a tremendous amount of curiosity or seems too good to be true, such as an undelivered UPS package or a notice that you are receiving an Amazon refund.
  • Tone: Any message that appears to be coming from someone you know such as a coworker, but the wording does not sound like them, or the overall tone or signature is wrong.
  • Sensitive Information: Any message requesting highly sensitive information, such as your password or credit card.
  • Generic: A message coming from a trusted organization but using a generic salutation such as “Dear Customer”. If Amazon has a package for you or your phone service has a billing issue, they know your name.
  • Personal Email Address: Any email that appears to come from a legitimate organization, vendor, or co-worker, but is using a personal email address like @gmail.com or @hotmail.com.

By looking for these common clues you can go a long way toward protecting yourself.

 

 

Used with permission, The Monthly Security Awareness Newsletter for You OUCH! May 2024 © SANS Institute 2023 www.sans.org/security-awareness

 

Messaging Do’s and Don’ts 

Overview

Messaging serves as a primary mode of communication in both our personal and professional lives. However, quite often we can be our own worst enemy when it comes to text messaging safely and securely. Learn the most common mistakes people make and how you can avoid them in your day-to-day life.

Auto Complete

Auto complete is a common feature in many messaging apps. As you type the name of the person you want to message, your app may automatically select the person for you. This feature can lead to mistakes, especially when multiple contacts share similar names. For example, you may intend to send a sensitive text to a co-worker but instead accidentally message your daughter’s coach who happens to share a very similar name. Always double-check the full name of the person you intend to message before you hit send.

Replying to Group Messages

Group chats are another common feature, but make sure you are aware of all group members who are on the thread before responding. When you are replying to an entire group, you want to be sure your reply is appropriate for everyone in that group. Another common mistake is accidentally replying to the entire group instead of a specific person. Take your time in responding: Double-check before hitting the send button.

Emotion

Avoid sending messages when angry, upset, or emotionally charged. That message could cause you far more harm in the future, perhaps even costing you a friendship or a job. Instead, take a moment to calmly organize your thoughts. If you must vent your frustration, open a new message with no recipient selected, type out exactly what you are feeling, then walk away from your device. Perhaps make yourself a cup of tea or go for a walk. When you return, delete the message, and start over again. You will most likely be in a far calmer and clearer state of mind. Consider direct communication via phone or in-person for a more effective conversation. It can be difficult for people to determine your tone and intent with just a text message.

Privacy

Traditional SMS messaging lacks robust privacy protections; once sent, you lose control over the message. Messages can be forwarded, posted publicly, shared as a screenshot, or disclosed due to court orders. For private communication, pick up the phone and call the individual. Finally, if you utilize your work device for messaging, remember that your employer may have the authority to monitor and potentially read messages on work devices.

Malicious Messages

Like with email, cyber attackers are going to try to trick, fool, or scam you with messages. These messages can include malicious links they want you to click, requests for you to share personal information, or pressure for you to call a phone number. Have you ever received an odd text message with just the word “Hi” in the message and wondered what that is about? That is a cyber attacker trying to start conversations with you, often the beginning of something called a romance scam. If you receive odd or suspicious messages on your device, simply delete them. In addition, as is also the case with email, it's possible to spoof the source of a text message. Be certain that you know the identity of the person with whom you're texting before divulging any personal information, particularly if you did not initiate the conversation. You can also block any unwanted or suspicious phone numbers or accounts attempting to message you.

Secure Messaging

Make sure that whatever messaging app you are using is current and up to date, ensuring it has the latest security features. Consider dedicated secure messaging apps like Signal for enhanced security and privacy.

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! March 2024 © SANS Institute 2023 www.sans.org/security-awareness

Identity Theft: Preventing, Detecting and Responding 

Overview

In today's digital age, your personal information is more valuable than ever. Unfortunately, this also makes it a prime target for identity theft. Understanding this threat, detecting it, and knowing how to protect yourself are essential elements in safeguarding your online digital life.

 

What is Identity Theft?

Identity theft occurs when someone unlawfully obtains your personal information – your name, identification numbers like your Social Security or passport number, or credit card details, for example – to commit fraud or other crimes. A common form of identity theft is Financial Identity Theft, where someone uses your information for financial fraud. For example, they steal your identity and get a credit card, mortgage or car loan in your name, and you have to pay the bills. However, other types of identity theft exist. One example is Medical Identity Theft, where someone steals your medical information and charges medical insurance in your name for medical procedures you never received. Another is Tax-Related Identity Theft, when a criminal uses your tax identification number to file a tax return in your name and claim a fraudulent refund. Then, when you attempt to file your tax return, you cannot get your refund because it has already been paid out to someone else.

 

Preventive Measures

What can you do to protect yourself? Unfortunately, it is not as easy as it sounds, as so many organizations already have your information and it's up to them to protect it. However, there are some key steps you can take.

 

  • Strong Passwords: One of the most effective ways to protect yourself is to secure each of your accounts with a unique, long password and, when possible, enable multi-factor authentication.
  • Regular Software Updates: Ensure your devices are updated with the latest security patches and features by enabling automatic updating on all your devices.
  • Credit Cards: Use credit cards for online purchases, never debit cards, as credit cards give you far more protection against fraud. Another idea is to use one credit card for just online purchases and another for in-person purchases. Some services provide virtual or one-time use credit cards for every online purchase.
  • Credit Freeze: A credit freeze locks your credit report, preventing fraudsters from opening new accounts in your name. This can be done for free by contacting the major credit bureaus. This may not be an option in all countries.


Detecting Identity Theft

Early detection is one of the most powerful ways you can protect yourself. The sooner you detect your identity is being used by someone else, the sooner you can act. Some of the most common indications of identity theft include:

  • Unusual Financial Statements: Regularly monitor all your bank and credit card statements. You want to look for any charges or money transfers you know you did not make. A great way to do this is to enable automatic notifications. This way, any time there is a charge to your credit card or a change to your savings or checking account, you are notified right away.
  • Irregular Credit Reports: Annually review your credit reports for suspicious activity. You are looking for any new loans in your name that you know you did not make or any major changes in your credit rating.
  • Mysterious Bills or Notifications: Be wary if you begin receiving bills for items you know you never purchased, or if you are contacted by payment agencies for unpaid bills for items or services you never purchased.
  • Unexpected Denials: If you are unexpectedly denied a tax refund, credit, or a loan application, investigate why.


Responding to and Recovering from Identity Theft

If you are concerned that your identity has been compromised, act right away.

  • Report Immediately: Report right away if you suspect an incident. For example, if you identify fraudulent activity in your bank account or credit card, contact your bank. Also, file a report with local law enforcement. This can be crucial in proving the crime and helping you recover any costs or file insurance claims.
  • Fraud Alerts and Credit Freezes: Place a fraud alert on your credit reports and consider a credit freeze if you have not already. In addition, work with credit bureaus to remove fraudulent information.
  • Document Everything: When contacting organizations to recover, keep detailed records of your communications and the actions taken, including who you talked to, the date and time, and what was discussed.
  • Change Passwords: Update passwords for all your key accounts. If you do not have a password manager to track all your new passwords, consider getting one.


Conclusion

By understanding what identity theft is and employing these measures, you can greatly reduce your risk of becoming a victim.



Used with permission: Identity Theft: Preventing, Detecting, and Responding The Monthly Security Awareness Newsletter for You OUCH! February 2024 © SANS Institute 2023 www.sans.org/security-awareness

QR Codes 

Overview

Have you ever wondered what those squares of dots or bars called “QR codes” are all about? You most likely have seen them posted on websites, printed on posters, used as mobile tickets, or on restaurant tables. How do these work, and are there risks you should be worried about? Let’s find out.

QR code example

How Do QR Codes Work?

QR code stands for “Quick-Response code” and is a machine-readable code usually consisting of a matrix of black and white squares (they can also come in other colors and contain background images). These squares can be easily created with QR code generators, and they’re used to encode information such as website URLs, email contact information, or other types of data. Think of QR codes like bar codes but more versatile. Most mobile device cameras recognize and decode the information coded in a QR code. In other words, when you try to take a picture of a QR code with your device’s camera, it will decode the QR code and ask you if you want to act on the information it contains, such as opening a link to a website.


What Is the Danger?

QR codes cannot be read by people at a glance, which makes it easier for cyber attackers to hide malicious or harmful information in them. For example, a QR code could send you to a malicious website that attempts to harvest your personal information, like passwords or credit card numbers, or perhaps even tries to install malware on your device.


In addition, QR codes can take additional steps, such as adding a contact to your contacts list or composing an email on your behalf. The QR code by itself is not the threat; however, the information or action it triggers can be.


For example, let’s say you are in the city or perhaps in an airport, and there is a poster on a wall promoting a product that interests you. The poster has a QR code you can use to quickly get more information. What you don’t realize is that someone has covered the poster’s QR code with a sticker of a different QR code. When you look at the poster you trust it, not realizing that the QR code on the poster has been replaced by a criminal. When you scan the QR code to learn more about the product, you are directed to a website controlled by the criminal to start an attack.


What Should I Do to be Safe?

  • Be careful before trusting and scanning a QR code. First, ask yourself: Can you trust the source? Do you trust the poster, restaurant, or the website that is showing the QR code? If someone left a handout on your car with a QR code, can you believe it?
  • Once you scan a QR code, your device will ask you if you want to act on the information it reads before it does anything. For example, if the QR code is a link to a website, your device will ask you if you want to visit the site before going to it. Take time to review the call to action or the link itself and ensure you feel comfortable visiting it.
  • Confirm your mobile devices are always updated and running the latest version of their operating system. This ensures they have the latest security features. The easiest way to do this is to enable automatic updates on your device.
  • There is no need to install special mobile apps to decode QR codes; you should be able to simply use your device’s built-in camera. If a website requires you to download a specialized QR scanning app, it is most likely counterfeit or fake.
  • Think twice before providing confidential or personal information to any website that you reached via a publicly visible QR code.
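The "review before you act" step above can be made concrete. The following is an added example, written for this page rather than taken from the newsletter, that takes the text a phone camera has already decoded from a QR code (the sample payloads are constructed) and reports which action the device would take and which detail to check first:

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Decoded QR payloads, constructed for this example (not taken from real codes).
SAMPLE_PAYLOADS = [
    "https://example.com/menu",
    "http://example.com@198.51.100.7/login",   # the site visited is 198.51.100.7
    "mailto:billing@example.net?subject=Invoice%2042",
    "SMSTO:+15555550100:Confirm your account",
    "MECARD:N:Doe,Jane;TEL:+15555550123;EMAIL:jane@example.org;;",
    "WIFI:T:WPA;S:CafeGuest;P:s3cret:pass;;",
    "Table 12",
]


def _fields(body):
    """Parse 'K:V;K:V;;' bodies (MECARD, WIFI) into a dict; values may contain ':'."""
    return dict(f.split(":", 1) for f in body.split(";") if ":" in f)


def review_qr_payload(payload):
    """Return {'action', 'target', 'notes'}: what the phone would do with this payload
    and the detail a person should check before tapping 'open'."""
    text = payload.strip()
    kind = text.split(":", 1)[0].upper()

    if kind in ("HTTP", "HTTPS"):
        parts = urlsplit(text)
        host = parts.hostname or ""
        notes = []
        if kind == "HTTP":
            notes.append("plain http, not https")
        if parts.username is not None:
            # Everything before '@' is a username, not the site; the browser goes to host
            notes.append("text before '@' is not the site; real host is " + host)
        return {"action": "open website", "target": host, "notes": notes}

    if kind == "MAILTO":
        addr, _, query = text[7:].partition("?")
        subject = parse_qs(query).get("subject", [""])[0]
        return {"action": "compose email", "target": unquote(addr),
                "notes": ["subject: " + subject] if subject else []}

    if kind in ("SMSTO", "SMS"):
        number, _, body = text.split(":", 1)[1].partition(":")
        return {"action": "send SMS", "target": number,
                "notes": ["prefilled text: " + body] if body else []}

    if kind == "TEL":
        return {"action": "place phone call", "target": text[4:], "notes": []}

    if kind == "WIFI":
        f = _fields(text[5:])
        notes = ["open network, no password"] if f.get("T", "").lower() == "nopass" else []
        return {"action": "join Wi-Fi network", "target": f.get("S", ""), "notes": notes}

    if kind == "MECARD":
        f = _fields(text[7:])
        return {"action": "add contact", "target": f.get("N", ""),
                "notes": ["phone: " + f["TEL"]] if "TEL" in f else []}

    if text.upper().startswith("BEGIN:VCARD"):
        name = next((ln.split(":", 1)[1] for ln in text.splitlines()
                     if ln.upper().startswith(("FN:", "N:"))), "")
        return {"action": "add contact", "target": name, "notes": []}

    # Plain text (a table number, a coupon code): nothing happens unless you act on it
    return {"action": "show text", "target": text, "notes": []}


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        r = review_qr_payload(p)
        print(f"{r['action']:<18} {r['target']:<24} {'; '.join(r['notes'])}")
```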


QR codes are a convenient way to access all sorts of new information and capabilities. Taking a few simple steps can help you make the most of them, safely and securely.


Used with permission:

The Monthly Security Awareness Newsletter for You OUCH! January 2024 © SANS Institute 2023 www.sans.org/security-awareness


The Power of the Passphrase 

Are you tired of constantly creating complex passwords? Frustrated with having to remember and type all those characters, symbols and numbers? Well, we have a solution for you: the ever-powerful passphrase!


Passphrases

You may not realize it, but passwords are one of the primary attack vectors for cyber attackers. Bad actors are targeting your passwords, and if they can guess correctly or hack the right one, they can easily access your email, bank accounts, or perhaps steal your entire identity. The weaker your passwords, the easier it is for them to get in. As such, strong passwords are one of the most effective ways to protect your accounts and online digital life. Traditionally, you were trained to use highly complex passwords. The idea was that the greater the complexity, the harder it was for cyber attackers and their automated programs to guess the password. The problem is that complex passwords are also hard to both remember and type accurately. An even better way to create a strong, secure password is something called a passphrase. Instead of complexity, these are strong because of their length. Here are a couple of examples:


Time for strong coffee!

lost-snail-crawl-beach


Passphrases are nothing more than a series of words and can contain over twenty characters if a site allows it. That may seem like a lot, but both examples above contain more than twenty characters, and unlike passwords, passphrases are much easier to remember and simpler to type. The longer the passphrase, the more secure it is. In some situations, you may be asked to add some complexity to your passphrase, such as symbols, uppercase letters, or numbers. The easiest way to do this is to modify some of the letters in your passphrase with symbols or numbers. For example, by replacing the letter e with the number 3, the above examples become more complex, yet are still easy enough to remember and type:


Tim3 for strong coff33!

lost-snail-crawl-b3ach
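As an added example (not part of the newsletter), here is a small Python passphrase generator in the style of the examples above, together with the letter-for-number substitution the text describes and a check of length and character classes; the word list is a constructed stand-in for a real list of thousands of words:

```python
import math
import secrets

# Tiny constructed word list for the demo. A real generator uses a list of thousands
# of words (a standard diceware list has 7776); pass your own list to the functions.
DEMO_WORDS = ["snail", "coffee", "beach", "crawl", "lantern", "river", "maple",
              "orbit", "pepper", "velvet", "canyon", "ember", "harbor", "ivory",
              "meadow", "quartz"]


def generate_passphrase(n_words=4, words=DEMO_WORDS, sep="-"):
    """Pick n_words uniformly at random using the CSPRNG in `secrets` (never `random`)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def add_complexity(phrase, swaps=None):
    """The newsletter's trick for sites that demand digits or symbols: swap some letters.
    Default swap is the one the text uses, the letter e becoming the digit 3."""
    swaps = swaps or {"e": "3"}
    return "".join(swaps.get(ch, ch) for ch in phrase)


def passphrase_bits(n_words, list_size):
    """Guessing work for a random n-word phrase: log2(list_size) bits per word."""
    return n_words * math.log2(list_size)


def describe(phrase):
    """Length and which character classes are present, the two things sites check."""
    return {
        "length": len(phrase),
        "over_20": len(phrase) > 20,
        "upper": any(c.isupper() for c in phrase),
        "digit": any(c.isdigit() for c in phrase),
        "symbol": any(not c.isalnum() and not c.isspace() for c in phrase),
    }


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase, describe(phrase))
    print(add_complexity(phrase), describe(add_complexity(phrase)))
    print("bits for 4 words from a 7776-word list:", round(passphrase_bits(4, 7776), 1))
```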


Keep it Unique

In order for the passphrase to be truly secure, it also needs to be unique for every account. If you reuse the same passphrase, or one that contains an easily identifiable pattern, for multiple accounts, you are putting yourself in danger.


All a cyber attacker needs to do is hack one website you use frequently, steal the passphrase you use for that particular website, and if all your passwords/passphrases are the same they will then have access to all your other accounts. Can’t remember all those long, unique passphrases for each of your accounts?


We have a solution for you: password managers.


Password managers are special computer programs that securely store all your passwords in an encrypted vault protected by a primary password. To access the vault, you only need to remember the primary password. The password manager can automatically retrieve your passwords whenever you need them and will automatically log into websites for you. Password managers have evolved to contain other features, including storing answers to secret questions, warning you when you reuse passwords or end up on a spoofed website, using generators that will create strong passwords or passphrases for you, and many more. Most password managers also securely sync across almost any computer or device, so regardless of what system you are using you have easy, secure access to all your passwords.


The Final Step – Multi-Factor Authentication

A final step to making your passphrases truly foolproof is adding a second layer of protection to them - something called Multi-Factor Authentication (MFA). MFA requires you to have two pieces of identification when you log in to your accounts. This could be your password and a biometric like a fingerprint; or it could be your password and an auto-generated numerical code that is sent to a different device or email account. The code is unique every time and can be generated from a mobile phone or another trusted device. This process ensures that even if a cyber attacker gets your passphrase, they still can’t get into your accounts, as they don’t have the second factor. MFA should be enabled whenever possible, especially for your most important accounts such as your banking, retirement, or personal email accounts. If you are using a password manager, it is highly recommended you protect it with a strong passphrase AND multi-factor authentication.


Passphrases are a great way to both simplify security and help secure your accounts. To make your online digital life even simpler and more secure, we suggest combining the power of password managers and MFA for your passphrases.


Used with permission.

The Monthly Security Awareness Newsletter for You

OUCH! December 2023

© SANS Institute 2023 www.sans.org/security-awareness

I’m Hacked, Now What? 

Have I Been Hacked?

The internet can be overwhelming, with new technologies changing all the time. No matter how safe you try to be, sooner or later you may be unfortunate enough to get hacked. The sooner you detect something bad has happened, and the faster you respond, the more you can minimize the impact. Below are signs that you may have been hacked and, if so, suggestions for resolving it.


Clues One of Your Online Accounts May Have Been Hacked

  • Family or friends notify you they are receiving unusual messages or invites from you that you know you did not send.
  • Your password to one of your accounts no longer works even though you know the password is correct.
  • You receive notifications from websites that someone has logged into your account when you know you did not log in yourself.
  • You receive emails confirming changes to your online profile that you did not make.


Clues Your Computer or Mobile Device Has Been Hacked

  • Your antivirus program generates an alert that your system is infected. Make sure it is your antivirus software generating the alert, and not a random pop-up window from a website trying to fool you into calling a number or installing something else. Not sure? Open your antivirus program to confirm whether your computer is truly infected.
  • While browsing the web, you are often redirected to pages you did not want to visit, or unwanted new pages appear.
  • You get a pop-up window saying your computer has been encrypted and you must pay a ransom to get your files back.


Clues Your Credit Card or Finances Have Been Hacked

  • There are suspicious or unknown charges to your credit card or unauthorized transfers in your bank account that you know you did not make.


Now What? – How To Take Back Control

If you suspect you have been hacked, stay calm. You will get through this. If the hack is work-related, do not try to fix the problem yourself. Instead, report it immediately. If it is a personal system or account that has been hacked, here are some steps you can take:


  • Recovering Your Online Accounts: If you still have access to your account, log in from a trusted computer and reset your password with a new, unique and strong password - the longer the better. If you did not have Multi-Factor Authentication (MFA) enabled, now is a good time to enable it. If you no longer have access to your account, contact the website and inform them your account has been taken over. If you have any other accounts that share the same password as your hacked account, also change those passwords immediately.
  • Recovering Your Personal Computer or Device: If your antivirus program is unable to fix an infected computer, or you want to be more certain your system is safe, consider reinstalling the operating system and rebuilding the computer. If you feel uncomfortable rebuilding, or if your computer or device is old, it may be time to purchase a new one.
  • Financial Impact: For issues with your credit card or any financial accounts, call your bank or credit card company right away. The sooner you call them, the more likely you can recover your money. Don’t call them using the phone number in an email, but use a trusted phone number, such as the one listed on the back of your bank card or their website. Monitor your statements and credit reports frequently. If possible, enable automated notifications whenever there is a charge or money transfer.


What to Do to Stay Ahead of Cyber Attackers?

The OUCH! Security Awareness newsletter is published monthly and has an entire series on how to secure yourself. In the Resources section below, we list the most important OUCH! newsletters to read to protect yourself. These resources focus on three key steps:


  1. Keep all your systems and devices updated and current to the latest version.
  2. Use strong, unique passwords for each of your accounts, manage those accounts with a Password Manager, and enable MFA.
  3. Be skeptical - keep an eye out for social engineering tactics such as phishing emails.


Resources

Password Managers: https://www.sans.org/newsletters/ouch/power-password-managers

MFA: One Simple Step to Securing Your Accounts: https://www.sans.org/newsletters/ouch/one-simple-step-to-securing-your-accounts/ 

Emotional Triggers - How Cyber Attackers Trick You: https://www.sans.org/newsletters/ouch/emotional-triggers-how-cyber-attackers-trick-you/

Phishing Attacks Are Getting Trickier: https://www.sans.org/newsletters/ouch/phishing-attacks-getting-trickier/


Used with permission: The Monthly Security Awareness Newsletter for You OUCH! November 2023 © SANS Institute 2023 www.sans.org/security-awareness


The Power of Updating 

Overview

Cyber attackers are constantly looking for and finding new vulnerabilities in the software you use every day. A vulnerability is a mistake or weakness in how software was developed. This software may run your laptop, the mobile apps on your smartphone, or perhaps even the software in your thermostat. Cyber attackers take advantage of and exploit these software vulnerabilities, allowing them to remotely break into systems, including the ones you use. At the same time, the vendors who create the devices and software are constantly developing new fixes for these vulnerabilities and pushing them out as software updates. One of the best ways you can protect yourself is to ensure that the technologies you use always have these latest updates. These updates not only fix known vulnerabilities, but often add new security features, making it much harder for cyber attackers to hack into your devices.


How Updating Works

When a software vulnerability is known, the developer or vendor will create a software fix for the vulnerability (called a patch) and release the update to the public. Your system then downloads and installs this update, fixing the vulnerabilities. Examples of software you need to update are:

  • The operating systems that run your laptop (such as Microsoft Windows or Apple OSX) or run your smartphone (such as Android or iOS)
  • Home networking equipment such as your Internet router or Wi-Fi access points or home smart devices such as thermostats, doorbells, home appliances, or security cameras
  • Programs that run on your devices, such as your laptop’s web browser or your phone’s mobile apps


This is why whenever you want to purchase a new device or install a new computer program or mobile app, check first to be sure the vendor is actively updating the program or device. The longer software goes without any updates, the more likely it has vulnerabilities that cyber attackers can exploit. This is why many vendors, such as Microsoft, automatically release new patches every single month. In addition, if you are no longer using a certain computer program, software, or mobile app, remove it from your system. The less software you have installed, the fewer potential vulnerabilities you have and the more secure you are. Finally, if any of your devices or applications are old and no longer supported by the vendor, we recommend you replace them with newer versions that are actively updated and supported.


How to Update

There are two ways to update your systems.


  1. Manual (the hard way): When an update is available, you manually download and install it. This gives you more control over what is installed and when. The disadvantage of manual updates is that they are much more work: you not only have to track when each of your devices or programs has to be updated, but you must also update them by hand, which makes it easy to forget.
  2. Automatic (the easy way): You enable automatic updating on all of your devices, which means whenever a new patch is released your device automatically downloads and installs it. The advantage of automatic updates is that most of the work is done for you. The disadvantage of automatic updates is that the updated program could cause a problem, resulting in the loss of functionality or data. This is rare for personal devices, but can happen in more complex environments, such as within large corporations. When you enable automatic updates, be sure to double-check your system regularly to ensure the updates are happening.


Of the two approaches, we highly recommend you enable and use automatic updating on all your personal devices. This ensures that all the technologies you are using, from your smartphone and laptop to your baby monitor and door locks, have the latest software. Up-to-date devices and software make it that much harder for any cyber attackers to hack you and your systems.


Used with Permission:

The Power of Updating The Monthly Security Awareness Newsletter for You OUCH! October 2023 © SANS Institute 2023 www.sans.org/security-awareness

Secure Our World - Software Updates Tip Sheet