Recently, I attended a breakfast seminar on cybersecurity, hosted by Enterprise Bank. If the thought of getting your identity stolen, or your business data getting hacked, gives you the shakes, imagine what it’s like to be in charge of protecting the billion-dollar assets of a commercial bank.
The presenters went through a well-organized review of the many ways in which information gets stolen. One thing that struck me is that the cause of the breach, in most instances, was someone who had legitimate access to the data and had been sloppy or made a mistake. Maybe they picked a weak password that could easily be guessed. Maybe they used the same strong password for a bunch of different accounts, and some miscreant had bought a bunch of stolen Yahoo accounts. Maybe the person that set up the 20 routers in the office forgot to override the default user ID and password on one of them, so someone sitting outside in the parking lot was able to get into the network with admin / admin.
These hacks are all avoidable. And, fortunately, most of us present a less attractive target than a commercial bank.
One of the most popular vectors for electronic theft is still good, old-fashioned email. The reason email trips so many people up is because we are all in a rush to get through our email in order to do our “real work.” If you send and receive lots of emails throughout the day, you can get tired, and then you may easily let your guard down. So, here are some things to keep in mind.
1. Even if you recognize the sender, be careful
It’s easy to spoof the “caller ID” of the sender. In fact, any time you set up an email account, it asks you to put in your name. That’s what will appear in the “from” field in the recipient’s email. How hard is it to enter “Bill Clinton” in that field instead of your real name? That’s how hard it is to head-fake someone regarding the sender of a message in their in-box.
2. Don’t EVER click on anything in an email that you are not 100% sure of
Simply opening an email shouldn’t hurt you – email clients like Outlook or browser-based clients like Gmail will generally keep you safe. But the minute you click on anything in that email, like a link or a picture or a “button,” or try to open anything attached to it, that is when you put yourself at risk.
An email attachment can be an executable program, which can do pretty much anything it’s programmed to do. It can be an evil macro hidden within an otherwise benign-looking Word or Excel document. Even images can contain malicious payloads.
Links within an email can be just as deadly. And, when we say “link” we mean not just text links but also hyperlinks hidden within pictures. That PayPal logo in the email can be a link that’s not necessarily going to bring you to PayPal. Once you click a link, your browser goes off to somewhere on the web. It’s like your computer has being blindfolded and thrown in the back of a car and hauled away somewhere. Good luck when that happens!
Links can be sniffed out, though. Let’s say I get an email that’s supposedly from PayPal. The email is telling me there’s something I need to do. Maybe it says someone complained about some transaction on eBay and I must respond before my reputation gets trashed (fear). Maybe I’m being notified that someone just sent me $1,382.62 and I need to come and claim it (greed). Perhaps it’s a “security alert” saying my account has been compromised and I should click the link at once and change my password. I wouldn’t be surprised if the link takes me to a page where I have to log into “PayPal” using my existing password.
If in doubt, the best thing to do is to delete the email and then type “paypal.com” into your browser and head over to PayPal yourself and see what’s up, if anything. It’s pretty hard for someone to hijack the actual paypal.com domain.
If you’re a little more daring and curious, you can mouse-over the link – but for heaven’s sake, don’t click on it! You should see a little pop-up that shows you the URL you will go to. Maybe the URL is paypal.custsvcs.ro/reset.php. Looks like a legitimate PayPal address, right? Wrong! This link will take you a website called “custsvcs.ro.” The .ro tells you the website is in Romania, and the reset.php tells you that when your browser gets there, like in ½ second, it will execute a piece of PHP code that could do just about anything to your computer. The “paypal” part of the URL is just a sub-domain on the custsvcs.ro domain – which is about as easy to set up as an email caller-ID spoof.
What will happen if you click that link? Encrypting your hard drive and demanding several hundred dollars’ worth of Bitcoins for ransom is just one possibility.
So, as they used to say on one of my favorite cop shows, “let’s be careful out there!”
