No matter how legitimate an email may look, it is essential that you are always cautious when providing information online, as we have seen a significant increase in identity fraud via email in recent months.
Identity fraud and theft is the crime of obtaining another person’s personal information in order to impersonate them and obtain items such as credit or loans.
Email security
Due to its ease of use, email is one of the most likely vectors for an attacker to attempt to gain access to your data; as such, it is important to follow these processes when reading emails:
If you receive an email with any of the characteristics below, you should permanently delete it, or contact the sender directly by phone if you are unsure. It is also important to remember that it is quite easy to design an email that looks like it is from a trusted user or company, especially if that user or company has been hacked or infected with a virus.
- If you receive unexpected or suspicious email from an unknown sender
- If you receive unexpected or suspicious email with an unknown attachment
- If you receive unexpected or suspicious email with a hyperlink in the body directing you to a website
- If you receive a suspicious email from a known sender
- If you receive a suspicious email with many spelling and grammar mistakes or outdated logos and letterheads
- If you receive an email requesting personal information including bank or credit card details.
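The checklist above can be applied mechanically to a raw message before anyone opens it. The following Python script is an added example (not code from the original page or from Nexia Edwards Marshall NT) that parses an email with the standard library and reports which of the listed characteristics it matches: a sender outside a known-domain allow-list, an attachment, a hyperlink in the body, and wording that asks for bank, card or password details. The allow-list domain and the sample message are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr

# Hypothetical allow-list of domains the reader normally corresponds with;
# replace with the organisation's own list.
KNOWN_SENDER_DOMAINS = {"example-partner.com"}

# Phrases that typically accompany a request for personal information.
PERSONAL_INFO_PATTERNS = [
    r"\bbank (account|details)\b",
    r"\bcredit card\b",
    r"\bpassword\b",
    r"\bverify your (account|identity)\b",
    r"\bdate of birth\b",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Concatenate the text/plain and text/html parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def attachment_names(msg: Message) -> list:
    """List the filenames of all parts flagged as attachments."""
    return [
        part.get_filename() or "(unnamed)"
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]


def triage_email(raw: str) -> list:
    """Return the checklist characteristics the message matches, as short tags."""
    msg = message_from_string(raw)
    flags = []

    # Unknown sender: the From domain is not one we already correspond with.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in KNOWN_SENDER_DOMAINS:
        flags.append("unknown-sender")

    # Unexpected attachment.
    if attachment_names(msg):
        flags.append("attachment")

    # Hyperlink in the body directing the reader to a website.
    text = body_text(msg)
    if URL_RE.search(text):
        flags.append("hyperlink")

    # Request for personal information such as bank or card details.
    lowered = text.lower()
    if any(re.search(pattern, lowered) for pattern in PERSONAL_INFO_PATTERNS):
        flags.append("requests-personal-info")

    return flags


def build_sample() -> str:
    """Construct a sample message that exhibits several of the characteristics."""
    msg = EmailMessage()
    msg["From"] = "Accounts <billing@example-lookalike.test>"  # constructed sender
    msg["To"] = "you@example-partner.com"
    msg["Subject"] = "Urgent: confirm your bank details"
    msg.set_content(
        "Please verify your account at http://example-lookalike.test/login "
        "and send your bank details by return."
    )
    msg.add_attachment(b"%PDF-not-a-real-file", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_string()


if __name__ == "__main__":
    for tag in triage_email(build_sample()):
        print("suspicious:", tag)
```

Any message that returns one or more tags should be deleted or confirmed with the sender by phone, as the checklist says; the script cannot judge whether mail from a known sender is itself suspicious, so that item remains a human decision.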
File security
Ensure any files received via email, USB drives, DVD or CD are scanned for viruses prior to opening; you should do this even if it is your own file or from a trusted user. Users who work at customer sites should scan each file for viruses prior to copying the file to their own computer or USB drives. You should not assume that another organization's antivirus systems are up to date or configured correctly.
How to help protect yourself
The following techniques will help to ensure your systems are as secure as possible:
- User training – Users should be trained on how to identify potential threats
- Password manager – Users should use a password manager to ensure no or minimal password re-use
- OS Update – Ensure Windows, Mac OS or your iPad/Mobile device is always up-to-date
- Software Update – Ensure all software and Apps are up-to-date; especially Adobe Flash, Adobe Reader and Java
- Email Antivirus and Attachment removal – Remove all known malware attachments at the server
- Multiple Spam blocking applications – Block as much as possible, the less spam the less chance of infection
- Desktop and Server Antivirus – Always keep antivirus up-to-date and always scan emails for malware, multiple times if possible
- Network Firewalls – Enable firewalls and ensure they are correctly configured
Types of attacks
There are a number of ways an attacker can gain access to your data to commit identity fraud; these include, but are not limited to, the following:
- Phishing: Defined as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” Phishing is usually in the form of emails, phone calls or messages from websites.
- Spear Phishing: Spear phishing is the same as phishing but much more targeted; usually the attacker researches the organization or target in order to craft an email that looks legitimate and tricks the user into believing it is. Spear phishing can be much more successful because these emails look far more legitimate.
- Hacking: Defined as a process to “gain unauthorized access to data in a system or computer.” Hacking usually exploits security weaknesses in unpatched or poorly configured operating systems and applications on a PC, mobile device or a physical network. Hacking can also take advantage of password re-use; if a user re-uses passwords, it greatly increases the chance of their data being compromised.
- Social engineering: Social engineering is “an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.” Social engineering can be relatively basic, such as a ‘Remote Access Scam’, or more advanced, such as ‘Spear Phishing’.
- Remote Access Scams: This scam is a very simple form of social engineering: someone calls you claiming to be from a trusted organization such as Apple, Microsoft or your ISP in order to gain access to your computer or network.
- Malware: The scammer tricks you into clicking a link or executable, either via an email or a website, which installs software on the PC or phone; this software then gives the attacker access to your data for the purpose of reaching banking or other sensitive information.
How can Nexia Edwards Marshall NT help you?
If you would like further information on how to protect yourself or your business from identity fraud, please contact your Nexia Edwards Marshall NT Advisor.