Cybersecurity

Multi-Factor is still the answer, but YOU are the real target.

Social Engineering

So, you’ve heard from all the “experts” that you MUST enable multi-factor authentication (MFA). Then the news highlights where MFA was “breached”. What gives?

The truth? It’s you and I that are the weak links here, and it makes sense when you understand that WE are the targets. Not your PC. Not your email. Not your server. Those are certainly the end game, but hackers know that in order to get through to them they are increasingly having to go through US (the users).

You’ll still have cybercriminals searching for vulnerable systems where best practices aren’t followed such as: unpatched PCs/servers, Remote Desktop opened to the Internet, and re-used passwords on accounts without MFA enabled.

But as organizations shore up these holes, the pool of easy targets are closing. The “game” is changing, and hackers are adapting. Social Engineering has always been a thing, but it’s getting easier to exploit it. Social Engineering is all about tricking you into letting them in. They understand that you’re busy, and they have unprecedented access to information about you and your company.

The following are some different types of scams utilizing Social Engineering.

MFA Fatigue

This has been on the rise recently, but it’s a matter of users getting tired of having to input codes or answer yes to push notifications on your cell phone MFA app. Hackers are taking advantage of this by attempting to login during busy times of the work day, and users are just answering Yes to pop-ups or handing out codes. It sounds simple, but it's very effective.

How to combat MFA Fatigue?

If you're getting prompted, and you haven't attempted a login check with your IT Department.  
If you're using Push MFA, then enable 'Number Matching' that prompts for an additional code. https://docs.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
Implement hardware based MFA using FIDO such as Yubikeys https://www.yubico.com/
IT Organizations should look at implementing Conditional Access Policies that limit the amount of prompts users get

SMISHING

It's essentially phishing via SMS/Text messaging. Some are impersonating:

* your company's CEO

* UPS/FedEX/Amazon

* IRS

* Bank

The goal is to get you to either click a link, or they'll ask for some quick information that they can use in other scams. In some cases, if you respond they'll call you right away to further coerce you. A common one is a fake message from your credit card company, where they ask you if you made a purchase of $1100 at Walgreens in Portland. Response with yes or no. If you say no, they call right away and "verify" your credit card number.

How to combat SMISHING?

Combat these just like a normal email phishing attempt.  Reach out to the organization or person they are impersonating directly.  If it's an individual you know, then call and TALK to them not just text/email. For organizations such as the bank, without clicking any links I'll log into my account directly to see if there are fraudulent charge prompts there.

Invoice Scams

This has been on the rise lately, but cybercriminals are learning what organizations you work with via social media and trying to divert funds you'd normally send to your vendors. I've seen spoofed email coming from one of the big tech distributors announcing a "New" billing system. Then try and get your to divert your next invoice payment to the "new" address.

How to combat Invoice Scams?

These can be very convincing since they have done quite a bit of research on your businesses, and so they can have some language that looks to reference real transactions.  The only real combat is to call and talk to your vendor before changing how you pay them.  Do not email or text…call them just in case those are in control of the hacker.

Technology Porter provides IT Support and Services to Everett, WA and surrounding areas. If you have any questions on this topic or need any help getting the most out of technology for your business.