发表于：2022 年 11 月 22 日
BY GENADY VISHNEVETSKY
Stewart’s Chief Information Security Officer, Genady Vishnevetsky is a cyber security expert. In this blog series, he shares on how consumers and real estate professionals can keep transactions (and their own personal information) safe. In the first and second part of this series, Genady shared examples of how hackers start their attack and the techniques they use. Read his continued insights below.
In the first two parts, I covered basic tactics, and techniques hackers use in phishing attacks, but I can't stress enough the importance of password hygiene. The reality of the modern world is that most security incidents and breaches that affected vendors are not publicized. So, if you are using the same or close variation of a password with multiple services, eventually, it will leak and end up for sale on the dark web. You are putting yourself at (unnecessary) risk. Here are ways to keeping your passwords safe:
Coming up with complicated passwords can be difficult. Password managers are reliable and helpful with this tedious task. They are relatively inexpensive and ensure that you will use a unique password for every website/service you use.
The second most important item in keeping your passwords and information safe is multifactor authentication (MFA). It is something you know (i.e., username and password) and something you have (i.e., keyfob, mobile phone), and/or something you are (i.e., biometric - finger or retina scan). Many services won't even ask you to set up MFA. Once you register an account and provide your mobile number, they will send you a code to your mobile phone every time you log in. Even if it’s the weakest type of MFA, text code verification still provides a level of protection in case your account credentials are stolen or compromised because an attacker will need that code that only you have.
The next and recommended level of MFA is an application you install on your phone. Both Google and Microsoft have their version of the app. The most popular vendor-agnostic app on the market is Authy. All these apps are more resistant to SIM-swapping and other attacks than text.
The last and most secure type of MFA is the Fast Identity Online (FIDO) 2 security key, an unphishable standards-based and passwordless authentication method.
Keeping your system up to date is also very important—many malicious attachments and websites look for known vulnerabilities in unpatched operating systems and auxiliary tools. Adobe Acrobat and Java top the list and are widely exploited by hackers. When patching, remember your browser and any add-ons. If you are using a default browser that came with your operating system, in most cases, it will be patched when you update your OS. You are responsible for patching all other browsers.
Use browser add-ons sparingly. Remember, they can read and intercept the URL you are visiting and the data you are typing in the forms or fields on a website. Don't install add-ons unless you are confident you will use them and they are from reputable sources. Some add-ons are designed to lure a user by sounding context but use to spy or even deliver malware behind the scenes.
Maintaining good hygiene for your mobile phone or tablet is as important. Mobile devices are becoming primary targets for attacks. They are easier to circumvent with sender's address spoofing in phishing emails and caller ID spoofing in wire fraud and MFA attacks. URL shorteners are also dangerous because you never know the destination by looking at the URL.
Now you are versed in some tactics and techniques used in wire fraud. Be diligent when you receive an email portraying it to be from Stewart. Remember, the sender's email address can be easily spoofed or replaced, signature and context of the email can be easily replicated, including pictures and links to authentic sources. We even see wire fraud disclaimers our escrow officers put in their signatures get added to fraudulent transactions with replaced wiring instructions.
If you are not expecting this email, cannot correlate it to a specific transaction or don't do any business with Stewart, delete it.
Special thanks to Genady for sharing this detailed breakdown. We hope you found this helpful and remember to stay alert. Make sure to follow us on social media for more cyber security tips.
Read the first and second part of this cyber security blog series:
Want more? Check out these related articles: