In our weekly Library Card Series we highlight a selection from our resource library to help introduce the content to our industry partners.
For this post of our Library Card Series we will be reviewing an article posted by the Cybersecurity and Infrastructure Security Agency (CISA) on Avoiding Social Engineering and Phishing Attacks. This resource allows users to become educated on what social engineering and phishing attacks are, how to avoid being a victim of an attack, and what to do if one becomes a victim of an attack. The guide can be broken down into 7 sections:
- Social Engineering - An attacker uses social skills to obtain or compromise information. An attacker may gather information from one part of an organization to build credibility when approaching another. The individual may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity.
- Phishing - Emails or malicious websites that attempt to solicit personal information by posing as a trustworthy source or organization. Attackers may take advantage of current events and disasters to fake credibility.
- Vishing - Enticing a victim to call a certain number, where the attacker extracts sensitive information over the phone. Attackers can also use Internet voice (VoIP) services or broadcasting systems to accomplish their goals.
- Smishing - SMS or text messages that contain links to viruses or malicious sites in order to steal information from an individual or organization.
- Indicators of Phishing - The article goes through different methods to recognize a phishing scheme. Some examples consist of suspicious sender addresses, generic greetings, spelling and grammar errors, spoofed hyperlinks, etc.
- How To Avoid Being A Victim - Be suspicious of unsolicited calls, visits, or emails from individuals asking for internal information; do not reveal any personal or sensitive information; enforce multi-factor authentication (MFA); verify the source by contacting the company directly; install and maintain anti-virus software to filter some of this traffic.
- What To Do If Victimized - Immediately change passwords, watch for new account charges, and contact authorities such as the Federal Trade Commission.
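Two of the indicators listed above, a spoofed hyperlink (the visible link text names one domain while the href points somewhere else) and a sender display name that claims an organization whose domain does not match the actual address, can be checked mechanically. The following is an added example written for this post, not code from the CISA article; the sample message, the `TRUSTED` organization map, and the `example-bank.com` domains are constructed for illustration.

```python
"""Added example (not from the CISA article): flag two phishing indicators,
spoofed hyperlinks and a sender whose display name does not match the address
domain. All sample data below is constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a bare domain or URL inside visible link text, e.g. "www.example-bank.com".
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation; a production filter would consult
    the public suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def shown_domain(text):
    """Domain a reader would believe the link goes to, taken from its visible text."""
    m = _DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def spoofed_links(html):
    """Return hrefs whose visible text advertises a different registrable domain.
    Links whose text is plain words ("Help center") cannot be compared and are skipped."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = shown_domain(text)
        if shown is None:
            continue
        actual = urlparse(href).hostname
        if actual is None or registrable_domain(actual) != registrable_domain(shown):
            findings.append(href)
    return findings


def sender_mismatch(from_header, trusted):
    """True when the display name contains a known organization keyword but the
    address domain is not that organization's domain. `trusted` maps a lowercase
    keyword to the expected registrable domain. Headers without a display name
    (bare addresses) give nothing to compare and return False."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', from_header)
    if not m:
        return False
    name, addr = m.group(1).strip().lower(), m.group(2)
    addr_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    return any(kw in name and addr_domain != dom for kw, dom in trusted.items())


def phishing_indicators(from_header, html_body, trusted):
    """Combine both checks into a list of human-readable findings."""
    indicators = []
    if sender_mismatch(from_header, trusted):
        indicators.append("sender display name does not match address domain")
    indicators.extend(f"spoofed hyperlink: {href}" for href in spoofed_links(html_body))
    return indicators


# Constructed sample message: a lookalike sender domain and a link whose visible
# text shows the bank's real domain while the href points at a raw IP address.
TRUSTED = {"example bank": "example-bank.com"}
SAMPLE_FROM = '"Example Bank Support" <alerts@examp1e-bank-login.biz>'
SAMPLE_BODY = (
    "<p>Dear Customer,</p>"
    '<p>Verify your account at <a href="http://203.0.113.10/login">'
    "https://www.example-bank.com/secure</a></p>"
)

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_FROM, SAMPLE_BODY, TRUSTED):
        print(finding)
```

The registrable-domain comparison is deliberately tolerant of subdomains (`www.example-bank.com` versus `secure.example-bank.com` is not flagged), because legitimate mail routinely links to several hosts of one organization; what it catches is the case the article describes, where the text a reader sees and the destination disagree.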
On June 11th, VICE News reported that hackers used Slack to steal data from EA. The hackers used social engineering and phishing techniques to get into an EA Slack chatroom and pose as an employee who had lost their phone at a party. The threat actors were able to obtain player login information and much of the code for the popular game FIFA 2021. Earlier this year, the Michigan Marijuana Regulatory Agency (MRA) published a bulletin highlighting cases of social engineering attacks against cannabis businesses within the state. In the Michigan schemes, threat actors posed as both MRA inspectors and licensee owners in order to obtain valuable business security information as well as cash. The cannabis industry is relatively young, and this can make cannabis retailers, distributors, and cultivators targets for groups who want to extort information for their own gain. Staying educated and protected against social engineering and phishing attacks is critical to safeguarding the information of users, employees, and assets that criminals could otherwise exploit.
A few tips for social engineering and phishing preparedness:
- Review the CISA Social Engineering Article
- Always utilize multi-factor authentication
- Encourage employees not to reuse passwords
- Lock passwords down with a password manager
- Don’t respond to messages and emails from questionable sources
- If a message or email from a friend or coworker looks suspicious, ask them in person or through a separate, trusted channel whether they really sent it.
To find more valuable resources covering a wide variety of topics, visit the resource section of our website, and check back to our blog every Tuesday for our Library Card Series where we highlight different resources from the library.