Every quarter, we publish compliance and security insights that you can share with your employees to fulfill periodic security reminder requirements your organization may be subject to.
As an added bonus, we’ve highlighted some developing security trends and featured a quick tip to get more out of your compliance management.
Don’t Get Hooked By the Latest Phishing Tricks
It used to be that you could spot a phishing email a mile away: they introduce themselves as a Nigerian prince with horrifying grammar. Times have changed, and phishing scams have become much more sophisticated — and prolific. Not only are they coming in through email, but through every channel your company uses, including text messages and voicemail.
It’s critically important to keep up to date with the latest phishing techniques. Here’s a quick primer on the top things to be aware of in today’s phishing attacks.
There’s more to phishing than you might think
Phishing is commonly an email attack, whereby a bad actor sends a message intended to dupe the recipient into providing sensitive information, downloading a malicious file, or clicking on a malicious link. I recently received a brand new scam that I’d never seen before. They included in the email a QR code instead of a hyperlink, “for easier use.” The link went to a malicious site, but you wouldn’t know it because QR codes don’t show the destination.
Phishing isn’t just an email scam, anymore. Today’s attackers have become more innovative and clever. There’s also:
- Smishing — phishing by SMS text
- Vishing — voice phishing, usually by voicemail or live phone call
- Angler phishing — fake social media posts designed to hook victims
- Spear phishing — targeted phishing of a specific individual
- Whaling — targeted phishing attack on a senior executive
In each case, the bad actor typically poses as a trustworthy entity. Recipients assume the sender is a legitimate person or organization, and they do what the message requests.
The goal of a phishing scam is to gain access to your system or Sensitive Data. This can happen by conning you into providing sensitive information (login credentials, credit card numbers, etc.) or by installing malicious software.
Phishing attacks are harder to identify
Phishing attacks used to be easy to spot, but attackers are leveraging AI, other technologies, and social engineering to be almost undetectable. The days of messages written in broken English are gone, because artificial intelligence can write an attacker’s script for them in perfect conversational English.
However, even with greater sophistication, there are common telltale elements that every phishing attack contains, including:
- Link, image, or button to click
- Attached file to download
- Request for sensitive information
- Request to update banking information to send or redirect funds (e.g., requesting to update personnel banking information)
- Urgent messaging (e.g., take action now, or something bad will happen)
- Payment request via cryptocurrency, gift cards, or cash
In every case, bad actors are counting on you to take things at surface level and to act on impulse. They expect you to be in too much of a hurry to examine the message closely — especially when they use urgent language intended to get you to panic.
Vishing attacks
Vishing is a scam voicemail message. Many organizations use visual voicemail, which automatically transcribes the voicemail message and sends it to your email. Sometimes a vishing attack will leave a URL to redirect people to a bad actor’s malicious site.
Vishing attacks can be incredibly convincing, because some bad actors use AI to deepfake a trusted person’s voice, such as the company’s CEO. If there are videos or podcast recordings of a person’s voice online, that’s all it takes to create a convincing AI facsimile.
Vishing can also be a live phone call. Usually the caller will give you some kind of false story, seeking to gain information or money. In every case, they will create an urgent scenario that requires a quick response, because they want you to act before you can think clearly.
If you ever feel pressured to react immediately, pump the brakes. Hang up and take a moment to check the story using sources (URLs, phone numbers, people) you know to be trustworthy. If it turns out to be a legitimate issue, you can always return the call.
Smishing
Smishing is phishing via text messages. Usually the sender will try to start a conversation by grabbing your attention through a scary scenario or an intriguing greeting. They may send a link, a photo, or a file. Often, they’ll use URL shorteners like bit.ly or tiny.url, which hide the actual URL so that you don’t know what website you’re actually going to. Another tactic is to gain your trust and then request sensitive information in the chat.
Victims of smishing are often fooled, because the sender poses as someone they trust, such as the CEO. They’ll say something like, “I’m at the airport and my phone just died, using someone else’s phone. I have an angry vendor, send a money order right now, here’s the details.” If the CEO is in an emergency situation, of course you’re going to jump on it to make things right. Right?
Don’t get fooled
Any time you get a message that isn’t expected, or comes from a source you don’t recognize, always get independent confirmation before jumping into action. There are a lot of scams that center around business payments — for example, “We didn’t get our payment this month.”
Any time an email or text message wants to send you to a link, hit the brakes. Go directly to the website yourself. Don’t click on the link (and don’t copy the link’s URL into your browser either). Instead, type in the URL that you know from previous experience is the actual website address. If you don’t already know the actual URL, then look it up on Google.
Likewise, don’t use the phone number they give you. Look it up and dial.
It takes a few more seconds and it’s less convenient, but that habit has saved many organizations from falling victim to dangerous phishing scams. Remember that you play a critical role in shielding the organization from the bad actors, and we’re all in this together.
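For teams that triage messages employees report, here is an added example (not TCT’s code) that applies the two link checks above to an HTML email body: it flags shortened links, which hide their destination, and links whose visible text names one site while the href points somewhere else. The shortener list, the trusted-domain set and the sample message are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Shortener domains the article names plus two common ones (assumption: extend to taste).
SHORTENERS = {"bit.ly", "tinyurl.com", "tiny.url", "t.co", "goo.gl"}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude eTLD+1 (last two labels); fine for a demo, no public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def triage_links(html_body, trusted_domains):
    """Return (href, reason) for each link a reviewer should not click on trust."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and friends are out of scope here
        dom = registered_domain(parsed.hostname or "")
        if dom in SHORTENERS:
            findings.append((href, "shortened link hides its destination"))
        elif re.fullmatch(r"[\w.-]+\.[a-z]{2,}", text, re.I) and registered_domain(text) != dom:
            findings.append((href, f"text shows {text} but link goes to {parsed.hostname}"))
        elif dom not in trusted_domains:
            findings.append((href, f"link goes to untrusted domain {dom}"))
    return findings

SAMPLE_BODY = """<p>Invoice overdue. Review it at <a href="https://bit.ly/3xyzabc">our portal</a>
or log in at <a href="http://portal.example-corp.co/login">portal.example-corp.com</a>.
Questions? <a href="https://portal.example-corp.com/help">Help center</a></p>"""  # constructed sample
for href, why in triage_links(SAMPLE_BODY, {"example-corp.com"}):
    print(f"FLAG: {why} -> {href}")
```

The third link is left alone because it goes to the trusted domain, which is exactly the address the reader should type in by hand anyway.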
Quick Tip: Split Your Requirements for Less Complexity
If you have multiple locations, multiple firewalls, or multiple operating systems, you have multiple headaches to deal with. You have to gather multiple groups of evidence to satisfy individual controls, making your work more complex and more cumbersome.
When you have multiple people adding evidence to the same line item, it gets confusing. How do you know when all of the evidence has been submitted? It’s hard to know who it is that you’re waiting on when multiple people are assigned to the same item.
TCT Portal gives you a way to alleviate that pain and gain efficiencies to streamline your compliance management. Our platform allows you to split requirements any time you need to submit multiple pieces of evidence for the same line item.
Requirement splitting makes it easy to keep track of every piece of evidence within the same line item. You can split any line item into any number of buckets, so that each piece of evidence has its own bucket. Better yet, each of these buckets can be named in a way that makes sense for your organization, and you can assign the right people to the correct individual buckets. You’ll always know at a glance if anyone’s evidence is still missing.
In addition, you can move individual pieces of evidence up the workflow to QA, even if you’re still waiting on more evidence within the same line item. Each bucket is completely independent of the others, eliminating the bottlenecking that so commonly occurs when multiple people are responsible for the same thing.
Your compliance engagement is substantially more effective, more clear, and more efficient. If you’re new to TCT, contact our sales team to learn more about requirement splitting and how you can get it set up today. If you’re already an existing customer, reach out to the Portal Support team for assistance with configuration and training.
What’s Going on in Security Today
10 Critical Network Pentest Findings IT Teams Overlook
After performing over 10,000 internal network penetration tests last year, penetration testing company vPenTest has uncovered a startling trend in organizations’ security gaps that can be easily exploited by attackers. These gaps aren’t zero-day exploits, but weak points within organizations’ systems. vPenTest found that 50% of these risks are misconfigurations in security settings and appliances, 30% are due to missing patches and poor patch management, and 20% are related to weak passwords and password policies.
This article covers the ten most critical internal network security risks, breaking down what they are, why they’re dangerous, and how to fix them before they turn into real problems.
Mobile Jailbreaks Exponentially Increase Corporate Risk
Jailbreaking and rooting have been around for years. Magisk is the most popular form of Android rooting, and CheckRa1n is one of the more popular iOS varieties. Mobile platforms are very restrictive compared to computer operating systems, and people use these methods to make their phones less restrictive.
New reports and data analyses show that companies with a BYOD policy have a much greater risk of exploits and bugs getting into their systems through employee-owned devices that have been jailbroken or rooted. The increased risk of cyber compromise to a company ranges anywhere from 3 to 3,000 times.
3 AI-Driven Roles in Cybersecurity
In early 2024, ISC2 members were surveyed about how AI would impact their security-related roles in organizations. 82% of security professionals said AI would help make their jobs more efficient. This seems to be holding true.
Medium and large companies have, on average, between 60 and 75 security tools at their disposal, so security professionals are looking to AI to help automate or relieve some of their tasks. This allows these tools to apply machine learning to observe, learn, and take on some of the repetitive tasks in cybersecurity, making security personnel more efficient.
Steam Pulls Game Demo Infecting Windows with Info-stealing Malware
Steam has pulled a game off of its gaming platform. The demo installer for Sniper: Phantom’s Resolution was found to be infecting the systems it was downloaded on and stealing users’ information. Users noticed that the descriptions had been copied from other games, and that the listing prompted players to download the demo installer from an external GitHub repository instead of through the primary Steam platform, among other oddities. There are several facets to this installer, and the publisher built many steps into it to gather information from the individuals who downloaded it.
A Brand-New Botnet Is Delivering Record-Size DDoS Attacks
There is a new botnet out in the wild, Eleven11bot, which is causing a stink in cyberspace. This botnet targets webcams and video recorders. Once infected, compromised systems are used to launch distributed denial of service (DDoS) attacks against any target Eleven11bot wishes.
While DDoS attacks are not technically a failing criterion for PCI and other types of compliance, they can be very frustrating and annoying to deal with. The simple idea of a DDoS attack is to overwhelm a company’s modem, router, or firewall by flooding it with so many packets of data, distributed from any number of systems, that the protection mechanisms stop responding and go offline, taking the target network down.