At 4:56am this morning I received an email from a graphics company I occasionally use for quick projects. They were informing their users of a cyber attack in which hackers gained access to usernames and encrypted passwords. Although their passwords are salted (unreadable) and hackers only gained access to the encrypted portion, they encouraged users to log in to their accounts to change their password. The company included a link to click on in order to do that, as well as a couple of other helpful links and reassurance that they are working around the clock to resolve the issue.
I immediately ran over to my laptop, went directly to the website of this company and changed my password. Here’s why that is a critical point.
1 | Never Click On the Internal Links: There are millions of phishing and spear phishing scams taking place every single day, using familiar companies and banks that we have accounts with to lower our guard and trick us into giving hackers and social engineers access to our accounts and information (e.g. passwords, key strokes, camera, microphone, etc.). The first step I took was a very important one. By NOT clicking on the link inside of the email and going directly to the company site, I ensured that my device and information would not be compromised through the email. Hackers gain control by inserting viruses and malware, unbeknownst to the receiver, by way of links. Email phishing malware works differently from the usual virus: the user may never see a popup screen or any other sign that something was installed.
Going directly to the company website protects all of your personal and professional data and blocks direct access to your phone and laptop, which in turn protects your privacy and your financial assets.
Therefore, I went directly to the company site and changed my password. I did NOT click on the link inside of the email.
2 | Check the Sender Email Address: Next, after calming down, I looked at the “From” email address. It was not the company's actual domain. There were other words in front of the company name, which can confuse a user into thinking it’s legit. The brain is programmed to look for what is familiar and tends to fill in the blanks, making it easy for hackers to use that as a tactic to fool recipients who are moving too fast to notice the slight difference. For example: Instead of it reading, “From: firstname.lastname@example.org”, it may read, “From: email@example.com”. This is important to notice. Scammers are hoping that we are moving so fast or in panic mode that we miss that. Although I was moving fast myself, I worked from the first tip of not clicking on the internal link. To be honest, at first glance the email looked legit: the logo was inside of the message and it appeared to be trying to help me and warn me of a possible threat. However, I wasn’t going to take that chance!
Social engineers use human nature and tactics of fear to trick the unsuspecting. Be vigilant!
3 | Check the name it is addressed to in the body of the email: This point can be a little tricky. I’ve seen a lot of cyber security experts point this out, but I would like to offer additional details. Be careful of companies or emails that use “Dear valued customer” or any variation of a generic salutation. If you have an account with a company such as your bank, insurance company or auto dealership, the email should address you by your personal name if it concerns an issue with your account.
Now, some businesses, blogs, online stores and media outlets will use a general salutation if their email settings or the email marketing company they use does not support inserting first and last names. So this check alone is not conclusive: treat a generic salutation as a reason for caution rather than proof of a scam.
I’m sure you’ve heard of those emails where a family member is out of the country stranded without money to get back, right? It may appear that it’s from the actual sender; it’s their email address and they’ve used your personal name too. This happened to me a few years ago, and disturbingly enough, that particular family member was out of the country. I knew enough about spear phishing (targeted phishing) scams at the time to not reply. I reached out to this family member directly as well as other relatives, and found out she was not in distress. She was totally fine. I informed her that her email had been compromised and what took place.
The point I’m making by the above is that if the body of the email stirs fear or anger or another primal emotion that seems out of place, do not respond or click inside of it. Call the person or company that is listed as the sender to verify the email.
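The three checks above (sender domain, link destination, generic salutation) can be run mechanically before you even read a notice in full. This is an added example, not code from the original post; the company domain `graphics-company.example` and the sample message are constructed for illustration, and the "registered domain" helper is a deliberate simplification that does not consult a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed (hypothetical) domain of the graphics company; not taken from the post.
EXPECTED_DOMAIN = "graphics-company.example"
GENERIC_SALUTATIONS = ("dear valued customer", "dear customer", "dear user", "dear member")

def registered_domain(host):
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_message(raw, expected_domain=EXPECTED_DOMAIN):
    """Return the list of red flags found in a raw (headers + body) text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    # Tip 2: the From address must sit on the company's own domain. Extra words
    # in front of the company name ("graphics-company.alerts.example") or wrapped
    # around it ("secure-graphics-company.example") change the registered domain.
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if registered_domain(sender_host) != expected_domain:
        findings.append(f"sender domain {sender_host!r} is not {expected_domain!r}")
    # Tip 1: every link should point at the company's domain; otherwise open the site yourself.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != expected_domain:
            findings.append(f"link host {host!r} is not {expected_domain!r}")
    # Tip 3: an account notice addressed to "valued customer" is a caution flag, not proof.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and lines[0].lower().rstrip(",:").startswith(GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    return findings

# Constructed sample: a breach notice that trips all three checks.
SUSPICIOUS = """\
From: "Graphics Company Support" <support@graphics-company.security-alerts.example>
Subject: Urgent: change your password

Dear valued customer,
We detected unauthorized access. Log in here to change your password:
https://graphics-company.security-alerts.example/reset
"""

print(check_message(SUSPICIOUS))
```

A message from `support@graphics-company.example` that links to `https://www.graphics-company.example/...` and greets you by name returns an empty list; any flag means go to the site yourself and verify by phone.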
4 | Be sure to inform others of the breach. Just as I called that family member to inform her that her email account had been compromised, I reached out by text to two other users of that graphics company to pass along the above tips. Even if the email was legit and directly from the company, taking the necessary steps to safely address my account and protect my data is well worth it, and sounding the alarm for others means just as much!
If the potential breach comes through via email, call the person directly on the phone. Do not respond to the email. Some viruses and forms of malware can be installed by clicking anywhere within the email. If the potential breach comes through via text, which does happen, don’t respond in the text. Call that person directly, or if you’re concerned that the phone itself is compromised, contact someone who may be with them or in the same building to inform them of the compromise.
Given the rise in cyber security attacks, we have to make deliberate and drastic adjustments to our digital reflexes. We must pause before clicking. Yes, it will take effort depending on your current level of caution and daily practice online, but it is well worth it, along with the peace of mind that comes with taking the above steps.
For more information on how to respond when your account has been compromised, email me at firstname.lastname@example.org or book a Cyber security strategy session!