Cyber Tips

Shopping Online Securely
November 2017

By Diana Donohue
The holiday season will soon be upon us -- and you know what that means: an increase in scams targeting online shoppers. SANS recently released its November Ouch! Newsletter with helpful tips to avoid becoming a victim, including what you can do to avoid potential fake websites, how to secure your computer or mobile device, and why you should closely monitor the charges on your credit card during the shopping season.
Before purchasing any items online, be sure to look for the letters HTTPS in green right before the website’s name; this indicates that the connection to the site is encrypted (though not, by itself, that the site is legitimate). The SANS newsletter on this subject can be found at this link: Shopping Online Securely

What you should know about … Good Cyber Hygiene

By Laura Owens

Cyber criminals thrive on your mistakes.  And navigating the Internet continues to be more complex – free Wi-Fi, large digital footprints, ransomware … if you don’t watch your digital behavior you raise the odds of becoming a victim of cybercrime. Some simple reminders can help keep you safer:

  1. Pay attention to physical security. Lock your computer (or at least your screen) when you leave your desk. Know who’s around you and who might be watching to capture your PIN entry on a website, or capture your keystrokes as you enter a password.
  2. Use public Wi-Fi wisely. While you’re using a public Wi-Fi (even if you’ve entered a password to get on) avoid confidential activity if possible, such as accessing your bank accounts. In some cases it can be more secure to use your smartphone’s personal hotspot and data plan to access the Internet instead of public Wi-Fi. Always be sure to log out of sites and disconnect the Wi-Fi connection when you’re done.
  3. Watch your social media posts - don’t overshare. When you post details about your location by “Checking in” somewhere, or share photos and other personal information, you give social engineers content they can use to exploit your identity.
  4. Email is not encrypted. Be careful what you put in an email. Unless you use a special encrypted email application (such as Tutanota or ProtonMail) email is not encrypted as it traverses the Internet on its way to the recipient. If you need to give someone confidential information, pick up the phone instead.
  5. Keep your Internet browser up to date. And all of your software for that matter! Installing updates to your applications, including your web browsers, closes backdoors and other vulnerabilities that hackers can exploit to gain access to information on your computer. Did you know the recent WannaCry ransomware attack exploited a vulnerability that Microsoft had identified and patched several months earlier? Only computers that had not installed the OS update were at risk of being infected.
  6. Revisit the basics. You know these – use strong passwords and change them frequently, don’t click on suspicious links in emails and on websites (even those links to cute kitten pictures!). Maintain a good cyber posture and you significantly drop the odds you’ll be a victim.
Want more information on cyber hygiene? Check out the Stop.Think.Connect campaign from DHS.

Notice: New attempt at phishing

By Diana Donohue and Laura Owens

In recent months, ransomware senders have attempted to trick people into opening Word documents that look like invoices or receipts, but the new method appears to come from an irate person who has a charge on their card from your company’s domain name, so to speak. A Word attachment is included, which likely contains some form of malware. Some spam filters will block this, but not all. In any case, the senders will become more savvy and find ways to bypass such filters. The body of the email is typically as follows:

What is this ****ing charge on my card?
I never visited or bought anything from your company.
I have attached a screenshot of my statement.
I want my money back!!!
I have attached my card statement, please get back to me ASAP.

Resist the urge to open the attachment. Contact your company’s helpdesk or fraud alert line if you receive this type of email. If it comes to your personal email, delete the email without opening the attachment.
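As an added illustration (not part of the newsletter), here is a small mail-gateway-style check that flags the lure described above: an angry chargeback complaint combined with a Word attachment. The sample message, addresses and file name are constructed for the example.

```python
# Added example: flag messages that pair the "irate customer" lure text
# with a Word attachment. Sample message below is constructed, not real.
import email
from email import policy
from email.message import EmailMessage

WORD_EXTS = (".doc", ".docx", ".docm", ".rtf")
# Phrases drawn from the lure text quoted in the notice above.
LURE_PHRASES = ("charge on my card", "never visited", "money back",
                "attached my card statement", "get back to me asap")

def score_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report the indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "").lower()
    phrases = [p for p in LURE_PHRASES if p in text]
    word_attachments = [
        part.get_filename() for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(WORD_EXTS)
    ]
    # Both signals together match the pattern the notice describes;
    # either one alone is common in legitimate mail.
    suspicious = len(phrases) >= 2 and bool(word_attachments)
    return {"suspicious": suspicious, "phrases": phrases,
            "word_attachments": word_attachments}

def build_sample() -> bytes:
    """Constructed sample resembling the lure quoted in the notice."""
    m = EmailMessage()
    m["From"] = "angry.customer@example.net"   # constructed sender
    m["To"] = "billing@example.com"            # constructed recipient
    m["Subject"] = "What is this charge?"
    m.set_content("What is this charge on my card?\n"
                  "I never visited or bought anything from your company.\n"
                  "I want my money back!!!\n"
                  "I have attached my card statement, please get back to me ASAP.\n")
    # Placeholder bytes stand in for the malicious document.
    m.add_attachment(b"not a real document", maintype="application",
                     subtype="msword", filename="statement.doc")
    return m.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample()))
```

A benign message with neither the lure wording nor a Word attachment is not flagged, so the check can be tuned without quarantining ordinary billing complaints.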

Whaling Attacks

Have you heard of people being “harpooned”, taken in by a cyber whaling attack? A whaling attack is a type of phishing directed specifically at senior executives and other high profile targets within businesses, where a masquerading web page or email will take a more serious executive-level form. The email may appear to be from an executive or director of the company (CEO, CFO, Board member, etc.) emailing a member of the finance department requesting a money transfer out of the company. Or, it may be written as a legal subpoena, customer complaint, or executive issue. Whaling phishermen have also forged official-looking FBI subpoena emails, and claimed that the manager needs to click a link and install special software to view the subpoena.

These types of attacks are increasing substantially and have generated billions of dollars for fraudsters in the past two years.

How can you protect against whaling attacks? 

  • Have good processes and controls in place for all payments, such as separation of ordering and payment processes, using approved purchase requisitions, paying based on an invoice, etc.
  • Educate executives to not deviate from such standard payment processes within their company.
  • Encourage an open and transparent company culture where a member of the staff (especially from HR or Finance) can call the CEO or CFO directly to check on questionable items. 
  • Learn how to identify potential threats and attacks.  
  • Educate executives and staff on the nature of such attacks and what to look for.  
  • Watch for odd requests, wording that doesn’t sound like it’s from the sender, typographical errors, links that don't make sense to normal everyday communications, and attachments that are not generally sent by the purported sender. 
  • Be suspicious of all unsolicited email. 
  • Never click through links or open an attachment in an email message from someone you don't know -- unless you initiated the email exchange.
  • Implement email-embedded digital signatures throughout your company in addition to other security tools, such as spam filters, firewalls, and intrusion detection and prevention systems.
  • If an email appears to be from a colleague but seems suspicious, check with the sender to make sure he or she actually sent it.
  • Reinforce good behaviors when staff check to confirm the legitimacy of email requests, and otherwise follow appropriate policies and procedures.