Are You the Weakest Link?

If you’re looking for the most vulnerable points of a network, you need only look in a mirror. According to Symantec, 97 percent of cyberattacks start with social engineering. That means cybercriminals are getting access to systems by deceiving individual users – you and your employees.

It shouldn’t be a surprise that the real estate industry is a common target. The wealth of sensitive information and financial data would be a boon to hackers looking to sell to the highest bidder. Due to the amount of money behind real estate transactions, the opportunities for fraud from wire transfers are robust.

For company leaders and security professionals, the exploits are countless: email phishing and pretexting are just a few. Once hackers succeed, attacks like ransomware to encrypt your data or Advanced Persistent Threats to exfiltrate your most sensitive records won’t be far behind.

Nowadays, attackers go the extra mile to do their due diligence. They will try to penetrate you at your business, but they know the levels of defense set by Corporate IT. They will use your personal social media accounts to learn about you, your friends and your work. To make the attack authentic, they will use information you post on social media in ways you would not expect.

For example, you brag on Facebook about the latest Samsung 70 inch 4K TV you bought on Amazon just in time for the Super Bowl. The attacker will send a spoofed email from Amazon with invoice, shipping and warranty information. The email will have an infected attachment or link to a malicious website. If you open the attachment, the malware will try to exploit the weaknesses on your computer. If you click on the malicious link, it may redirect you to a website that looks like Amazon and ask you to login. Once you type in your user name and password, you receive a warning that you mistyped your password and immediately redirected to the real Amazon site. You type it again and Amazon lets you in. You may think you just mistyped your password the first time – in reality, you just gave your user name and password to the malicious actor.

Adversaries use similar techniques to steal your work credentials by pretending to be your IT service desk or company related business. They want to get to your company’s crown jewels, and you are the path to get them there. They want you to be connected 24/7. They want you to use your work computer to connect to your personal social life so they can bridge that last mile to the data they want.

When it comes to cybersecurity, the old saying is true – you’re only as strong as your weakest link. So what should you stress to all members of an organization to protect our companies against cyberattacks? Keeping it simple can go a long way to helping your employees understand their role in keeping your company secure. If you’re expecting something more complex, think again. While many of these may seem “too simple,” we find that employees are still making the same mistakes.

1. Keep your business and personal life separate on social media. Do NOT accept invitations from people you don’t know, regardless of the social media platform. Facebook has confirmed that 600,000 fake accounts are created daily. LinkedIn publicly admitted they don’t know how many fake accounts exist.
2. Keep your systems and auxiliary tools (Java, Macromedia, Adobe) fully patched. With few exceptions, malware always needs unpatched vulnerabilities to get in.
3. Keep your browser and all plugins updated. Flash and Java are most the exploitable add-ons.
4. If you handle transactions, when you receive a last-minute or urgent request with wiring instructions, do your due diligence. Call the sender to verify and DO NOT respond to the original email.
5. Don’t reuse your password. Set up a unique password for each site you visit. If your credentials are stolen from one website, they will be tried everywhere else.

Moreover, it’s critical to ask yourself some of the following questions when you get an email you are suspicious of.

1. Is the sender’s email address from a suspicious domain? Pay attention to look-alikes (Microsoft.com with “i” replaced with “l” or “1”. Some other common substitutes are “zero” for “o”, two “v” for “w”, “five” for “s”)
2. Does the email have a subject line that is irrelevant or does not match the content?
3. Hover your mouse over a link that’s displayed in the email message – is the link is for a different website than the supposed sender?
4. Did you receive the email at an unusual time?
5. Is the sender asking you to click on a link or open an attachment to avoid a negative consequence, or gain something of value?
6. Were you expecting this email or attached document?

People are the weakest link – either by not knowing, not taking the time or just plain neglect. The importance of following through with the simple cannot be overstated. To protect our data, we must do the little things to ensure the protection of our companies, customers and people.