
3 ways employees are letting hackers into the company

Over the last couple of years, malicious hackers and cybercriminals have become specialists in social engineering methods, making their schemes very hard to detect. Here at Sirco, we’ve helped investigate several frauds amounting to more than $400,000 each. Here are a few ways they do it, and how you can be an active participant in stopping them.

Carelessly Opening Email

Did you know the average worker spends 28 percent of their work week on email? That’s more than 11 hours a week! With the average person sending and receiving 124 work emails every day, or 620 emails every week, we’re spending an average of 1.1 minutes on each email. You might not have known this, but the hackers do. That’s why email is a prime entry point for cybercriminals.

Employees must approach their email with care so they can identify signs of an attack and mitigate the risk.

Common signs of an attack include fake/forged email addresses such as jennnifersutton@gmall.com, unprofessional subject lines, bad grammar/typos, and messages that create a sense of urgency to respond with personal information.

Today, employees need to be able to identify a potential threat and report it to the IT department.

Like most people, you may not have noticed the three n’s in Jennifer’s email address, or the gmall.com domain in place of gmail.com. If you notice this type of email showing up in your inbox, you should never click on links (including unsubscribe), submit information, open attachments, or respond to such an email. Hackers were able to con some of our clients out of over $400,000 each when money was wired to the wrong bank account.
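As an added illustration (this is not code from the original post or from Sirco), the following Python script automates the two checks described above: it compares the sender’s domain against a list of domains the organisation actually exchanges mail with and flags near misses such as gmall.com, and it flags local parts with a run of three identical letters such as jennnifersutton. The known-domain list and the sample addresses are constructed for the example; an organisation would substitute its own list.

```python
"""Flag sender addresses that look like, but are not, a trusted domain.

Added example, not part of the original Sirco post. KNOWN_DOMAINS and the
sample addresses are constructed for illustration only.
"""
import re

# Constructed allowlist: domains this organisation really exchanges mail with.
KNOWN_DOMAINS = {"gmail.com", "example-corp.com", "outlook.com"}

# Three identical consecutive characters in the local part (e.g. "jennnifer").
TRIPLE_LETTER = re.compile(r"(.)\1\1")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(address: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> dict:
    """Classify a sender address as known, lookalike, unknown or malformed.

    A domain is a lookalike when it is not on the allowlist but is within
    max_distance edits of a listed domain (gmall.com is 1 edit from gmail.com).
    The result also reports whether the local part has a suspicious triple letter.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        return {"address": address, "verdict": "malformed"}
    domain = domain.lower()
    result = {
        "address": address,
        "repeated_letters": bool(TRIPLE_LETTER.search(local.lower())),
    }
    if domain in known:
        result.update(verdict="known", closest=domain, distance=0)
        return result
    closest = min(known, key=lambda d: levenshtein(domain, d))
    distance = levenshtein(domain, closest)
    result.update(
        verdict="lookalike" if distance <= max_distance else "unknown",
        closest=closest,
        distance=distance,
    )
    return result


if __name__ == "__main__":
    # Constructed sample senders, including the address from the article.
    for addr in ("jennnifersutton@gmall.com", "jennifer@gmail.com",
                 "vendor@totally-different.org", "not-an-address"):
        print(check_sender(addr))
```

Run on the article’s example, the script reports the domain as a lookalike of gmail.com at edit distance 1 and marks the triple n in the local part; a message from such a sender is a candidate for the reporting step described above rather than for a reply.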

If you would like to have your employees tested against these types of phishing attacks, I’m offering a free 30-minute consultation to discuss how we can put your employees to the test and identify high-risk employees with a simulated phishing attack.

Giving out passwords over the phone / leaking passwords

“Hi, this is Tom, from IT. We’re migrating the network to a new system and we’re asking everyone for their passwords so that we can synchronize the accounts to avoid any downtime for the users.”

How would your employees respond?

Or how would they respond to an email like this?

I’m aware, [that INSERT your real password], is your password. You don’t know me and you are probably wondering why you’re getting this email, right?

Let me tell you, I actually placed a malware on the adult video clips (porn) website and there’s more, you visited this site to experience fun (you know what I mean). While you were watching videos, your web browser began operating as a RDP (Remote control Desktop) that has a key logger which gave me accessibility to your screen and also webcam. Immediately after that, my software collected every one of your contacts from your Messenger, Facebook, as well as email.

For the record, my cell phone lit up with calls while on vacation when this scam started out. So much so that I had to create a video on what to do. You can watch that video here: https://www.youtube.com/watch?v=sTLAKUQQ3xM


This is because when companies like LinkedIn, MyFitnessPal or Marriott get hacked, the weak passwords get decrypted and sold to criminals, who then try to sign into your email account using that same weak password to commit a crime.

You need to remember that IT, a bank, or the government will never ask you for a password, or for other sensitive information like a social security number, address, or common password reset questions/answers.

Of course, a password can be used to log directly into your system, but other information can be used to access a system or reset a password. This is called social engineering. There’s that word again: social engineering. That’s because hackers are getting lazier and don’t want to get detected trying to attack your firewalls. Why would they, when they can just send a crafty-looking email to a user and have them click on it?

Another big issue that I see everywhere is people writing passwords on a notepad, or on a post-it note stuck to the computer screen. I still come across this whenever I get hired to perform intrusion tests on companies.

Ransomware

Ransomware is the latest form of online extortion that targets both businesses and individuals. One global ransomware cyberattack spread to 150 countries. Let’s have a closer look at what this entails. Picture this: you’ve spent the last few weeks or months working on a high-profile project for work and, now that you’re finally done, you’re ready to send it in for review. You get ready to copy your work to a USB thumb drive and a strange pop-up appears on your screen.

“Unfortunately, the files on this computer have been encrypted. You have 24 hours to submit a payment of $500 to receive the encryption key, otherwise the price will go up every hour after that. After 72 hours, your files will be permanently destroyed.” Payment must be made in Bitcoin. Bitcoin? What’s a bitcoin?

This attack has become so sophisticated that it can compromise a computer, steal the usernames and passwords from it, and try to log in to other systems in your network all on its own, infecting them too.

This is happening because system updates are not being applied in time, and because users are being phished into clicking on links and inviting the ransomware into the company.

Without the proper protection, detection and response in place, your company could close its doors overnight.

If you would like to have your network tested against these types of threats, I’m offering a free 30-minute consultation to discuss how SIRCO can help and identify high-risk, vulnerable systems with an ethical hacking engagement. Feel free to contact me at 514-744-1010 or by email at terry.cutler@groupesirco.com
