Are You a Hard Target for Cyber Criminals? You Must Be

Cyber criminals hate a hard target. In the language of security, a “hard target” is someone difficult to hack, while a “soft target” is someone who is especially vulnerable.

Put yourself in a criminal’s shoes: Which home would you attempt to rob: the one with the back door open or the one with the spotlights and a burglar alarm? Those home security deterrents may not stop a determined criminal, but they send a clear message: This home takes security seriously, and you put yourself at risk if you try to break in.

Cyber criminals think in the same terms. They look for signs that you take security seriously. Some criminal gangs keep databases of known soft targets; you may know someone who is often hacked. All cyber criminals know what signs to look for to see if you pay attention to cyber security. They also know the difference between real cyber security and half-hearted attempts, just as experienced burglars know how to spot fake cameras and alarms.

It is not expensive or difficult to be a hard target. All you need is a little time and a commitment to consider how you approach online interactions. Here are five things you can do right now that will make you a hard target and convince criminals to look for easier victims.

Update your software.

A recent article in The Wall Street Journal certainly caught the eye of cyber criminals. It discussed users who cling to old operating systems and old software because they like certain features or because they do not want to learn a new interface. Some businesses still rely on old operating systems and outdated devices that power critical business functions because they want to avoid the learning curve with new software or because they find upgrading too expensive.

These users and business owners are the ultimate soft target. Criminals have databases of known exploits in old apps, programs and operating systems. They search online to find outdated software that is still in use, then launch attacks to steal passwords, gain access to networks, install ransomware or hijack customer data. Updates should be automatically applied and must be manually applied when auto-updating is not an option. Business owners should note that failure to update systems will void cyber liability insurance policies and trigger violations of the FTC Safeguards Rule. Publicly traded companies and businesses that serve publicly traded clients could face additional penalties under the SEC Disclosure Rule if hackers attack out-of-date systems and software.

If you absolutely must maintain old software or devices, the only safe way to do so is to keep them fully isolated from the Internet. That means no wired or wireless connections that could allow a hacker to access the device.

Change your passwords.

Password and credential theft occur daily. Most people accept it as a fact of life. What most people do not realize is that criminal gangs keep databases of usernames, passwords and other login credentials. These databases are bought and sold on the Dark Web, tested using a variety of methods, then repackaged into verified lists of working credentials. If you change passwords several times a year, you will be seen as a hard target and criminals may stop selling your personal information. Criminals will note that old passwords do not work, and those who act as information brokers may take note of how frequently you change your credentials.

Do not trust. Verify.

If you have ever taken a self-defense or defensive-driving course, you know that one of the first lessons is to question the way you trust. Most people trust unconditionally. They see a yellow line on the road and assume other drivers will respect it. They receive a text that appears to be from a coworker and they respond.

A hard target is vigilant and skeptical. They question everything and develop the ability to sense unusual situations. Instead of assuming that an email, text or phone call is legitimate, they investigate. These skills, which can be developed through cyber security awareness training, make the hard target nearly invulnerable to business email compromise and pretexting attacks.

Anyone can begin to develop these skills by questioning how easily they trust, and why. Criminals prey on trust to steal credentials and cash and to reroute valuable deliveries. Businesses can develop protocols to limit these attacks, but it ultimately falls on individuals to recognize unusual behavior and have the confidence to investigate it. When in doubt about a text or email request, do not respond to it. Reach out to the source at a known phone number and verify the request.

Use multi-factor authentication.

You should be familiar with two-factor authentication, which sends a code to your phone or a verified email address to allow you to log in to services. You may be less familiar with multi-factor authentication, such as biometric logins on devices or apps that check for the presence of your phone before authorizing a financial transaction.

Whenever, and however, multi-factor authentication is offered, take advantage of it. This makes you a very hard target to hack, and shows criminals that you take cyber security seriously. When criminals discover that you have multi-factor authentication enabled, they may stop attempting to hack your accounts and stop sharing your credentials online.

Report successful hacks and data breaches to law enforcement.

Here are two things you must understand about cyber criminals: They want to avoid exposure and they talk to each other. When criminals successfully claim a ransom from a business, steal data, steal money or gain access to networks and systems, they share that information with other criminals in online forums. You may believe that failing to report a cyber crime keeps the knowledge of that crime between you and the hackers, but it does not. Hackers tell other hackers what they did, who you are and how you failed to alert anyone. That invites more hackers to attack you. To be a hard target, you must communicate as loudly as possible. Tell law enforcement. Tell professional associations. Tell colleagues at other organizations. Tell the press. Share everything you know about how you were hacked and how you responded. Cyber criminals do not want the publicity, and they do not want their methods compromised. In the best-case scenario, law enforcement may make an arrest, thwart a future attack or help you regain lost money. In most cases, you will simply be contributing to a shared knowledge base that makes it harder for criminals to operate.

A Hard Target Still Faces Two Types of Cyber Attacks

Making yourself a hard target will deter cyber criminals and reduce the amount of fraud you encounter. There are two additional categories of cyber attacks that you may face, depending on who you are and what you do.

  1. Spam attacks. Inexperienced and unskilled criminals still send mass emails claiming that you have inherited millions from a deceased prince, that your package cannot be delivered or that your account has been deactivated. You will also encounter browser takeovers online from time to time. As a hard target, you will know that these are very unsophisticated, broad-based attacks designed to catch the unwary. They are not targeted and they are not personal. If you have developed a healthy level of skepticism, you will find it easy to ignore them.
  2. Spear phishing and AI-powered attacks. Depending on what you do, where you work or whom you work with, you could be a high-value target for cyber criminals. You likely know if you fall into this category, and you should have received additional cyber security and anti-phishing training. The main question you need to ask is whether you are as vigilant in your personal cyber security as you are on the job, and whether you take steps to help your loved ones maintain good cyber habits. High-value targets are closely watched by cyber criminals, who may use sophisticated methods to attack your personal devices, or people you know, as a means of getting to you.

If you have a few minutes to work toward becoming a hard target, take our free E-Mail Safety Crash Course. Adapted from our comprehensive Cyber, Social, Identity Protection Certification program, this video module offers immediate steps you can take to thwart cyber attacks on any email platform, as well as advice on how to identify suspicious emails.

When and How to Report a Cyber Attack Attempt

Should you report a cyber attack attempt? Even a small, seemingly insignificant one? The answer is almost always yes.

There are two reasons to report a cyber attack. The first is to show cyber criminals that you take security seriously. The second is to gain safety in numbers. The more people who are aware of current attacks and techniques, the harder it is for criminals to operate. Remember that hackers and fraudsters depend on their victims knowing little or nothing about their scams. Spread the word, and you help others defend themselves. When enough people fight back or ignore scam and hacking attempts, criminals move on to easier targets.

When Should I Report a Cyber Attack Attempt?

You should immediately report any cyber attack that occurs at the workplace, targeting your office phone, personal phone, email, text messages or web browsers. You should consider reporting attacks that target your personal email or phone as well, if you believe the attacker obtained information about you online. Senior executives and those who have access to financial or information-management systems should report every attack on any business or personal device.

What looks like a common malware email, such as “Your package could not be delivered,” or “Your account has been suspended,” takes on an added significance if you are a high-value target. Low-level employees may not need to report mass-email phishing and malware attacks, but should report any attack using a business or personal phone number, particularly if the attacker claims to be a co-worker.

Where Should I Report an Attempted Cyber Attack?

The size of your business will determine how you should report the attack.

For mid-size and large companies: You likely have an internal or external specialist who handles your cyber security. Report all attacks to this individual, no matter how small or obvious they may seem. Do not worry about being a nuisance. It is the cyber specialist’s job to determine how significant or widespread an attack may be, and they can only do their job if they have a complete picture of the threats a business faces. Provide as much detail as possible, including screenshots of emails and text messages, if any.

If someone calls or texts you claiming to be a coworker, report this activity immediately. Targeted pretexting attacks are on the rise, with some criminals using sophisticated software to impersonate the voices of business leaders and public figures. These attacks are resource-intensive and require planning, which makes it more likely that a criminal will target multiple individuals within an organization.

For small businesses: If you work in a small business without an in-house cyber security or IT specialist, you have two options:

  1. If you have an external IT specialist, report the attack to them and ask them to monitor your systems for any signs of unusual behavior.
  2. If you do not have an external IT specialist, send an email to all coworkers advising them of the attack. Send a screenshot of the text, email or website and ask if anyone else has received similar messages. If multiple people in a small business report the same attack, it may be a sign that you have been targeted. Strongly consider professional IT support to identify any possible system breaches or data loss if this occurs.

Reporting Attempted Attacks to Law Enforcement

Every successful cyber attack should be reported to local police. Your cyber insurance policy likely requires this. If customer data are stolen, you must report the attack to police and check reporting requirements under the FTC Safeguards Rule, if you qualify as a Financial Institution, and the SEC Disclosure Rule, if you work for or partner with a publicly traded company. Any significant data breach should be reported immediately to your state Attorney General’s office. In the case of a significant data breach or an attack that compromises critical public systems, you should contact the local Federal Bureau of Investigation field office and your state Attorney General, who will provide support and additional guidance on disclosure. Note that in some cases, cyber attacks and data breaches should not be disclosed to the public without first contacting Federal or state officials.

Whether you should report an attempted cyber attack is murkier and depends on the nature of the attack. If you have publicly traded companies among your clients, or clients covered by the FTC Safeguards Rule, you should report targeted pretexting attacks to their IT or cyber security specialists. Criminals may be attempting to harm your partners by attacking their vendors, clients or associates. Law enforcement agencies generally will not handle this reporting for you. You must do it yourself, and you should do it as quickly as possible, as you may have some obligations to report under the Safeguards Rule or SEC Disclosure Rule. When in doubt, reach out.

Where Else Should Attempted Cyber Attacks Be Reported?

If you work for a franchise business, report any cyber attack attempt to your franchisor’s head office immediately. This is especially critical if the attacker attempts to impersonate a senior employer of the business. Criminals may be launching simultaneous attacks against franchisees. Your quick response could prevent significant damage to the business and your fellow franchisees.

If you are part of a trade association, such as a Bar Association or the National Association of REALTORS®, or if you are a member of a state association or Chamber of Commerce, report any cyber attack that targets your business or employees to the senior officials in your area, and to your local and national headquarters. In recent years, there have been surges of criminal cyber activity targeting specific sectors, such as health care or public schools, or specific regions, such as the recent spate of Vacant Land Scam attempts in the Southwest United States. There is no way to know if an attack on your business is isolated or part of a bigger trend. Spreading the word to professional associates may give them the opportunity to stop similar criminal attacks.


Would you know what to do during a cyber attack? Download our free Cyber Crime Response Kit, which includes detailed, step-by-step instructions that will help you prevent an attack from spreading, quarantine infected devices and rebuild systems safely. For more detailed guidance on preventing and responding to cyber attacks, please contact us online or call us at 1-800-659-8311.

New National Cybersecurity Policy Is a Step, Not a Solution

The new National Cybersecurity Policy from the Biden Administration holds lofty ideas, but little that is actionable. As reported by The New York Times, the policy, unveiled on March 2, seeks to push greater responsibility for cyber attacks and data breaches toward those who own, operate or use online infrastructure. The policy also outlines a formal strategy for the United States Government to take action against professional cyber criminals and state-sponsored hackers.

With regard to national standards, the new cybersecurity policy is a long-overdue step in the right direction. One of the greatest challenges in convincing organizations to adopt stronger cyber security has been a lack of regulations. In cases where Federal or state governments have mandated security rules, adoption has been swift. The Gramm-Leach-Bliley Act, which mandates protection of consumer financial data, the California Consumer Privacy Act, which gives individuals the right to delete their data, and the European Union’s General Data Protection Act all led to widespread changes in the ways businesses of all sizes collected, protected and stored personal data.

Biden’s Cybersecurity Policy Is Not Regulation

Many cyber security professionals have argued for national standards for years, yet this is where the Biden National Cybersecurity Policy comes up short. Outside of executive orders that narrowly target some Federal agencies, there is no mechanism to create or enforce mandates. Congress would need to pass legislation outlining standards and penalties for noncompliance. There also remains a question of who would investigate and enforce national guidelines.

Simply setting those guidelines will be difficult, given the ever-changing nature of the Internet and the software that powers it. Internet infrastructure developers have fought standards and regulation on the grounds that mandates deter innovation. A balance must be struck between the needs of a better Internet and a safer one, and any policy that emerges will do well to require a reasonable level of security to exist in new tools and services without stifling innovation solely to deter cyber attacks.

What Does the Policy Mean for Business Owners?

Absent Congressional action to set standards and mandate compliance in the private sector, the new National Cybersecurity Policy has no immediate functional impact on any private or state-operated organization’s cyber security. However, this policy, taken with the Federal government’s more aggressive stance on common-sense cyber security practices, suggests that more executives could be found liable for cyber security lapses until formal regulations are passed.

The new policy may also embolden cyber insurance underwriters to deny claims if, in their assessment, reasonable care has not been taken to protect systems and data.

This policy is likely to lead to several years of uneven enforcement, insurance denials and court challenges that will ultimately prompt Congress to step in and pass broad-based rules. Until then, business leaders should understand that the burden of preventing cyber attacks continues to shift toward individual organizations. In this environment, good cyber security practices and cyber security employee training are more important, and potentially more cost effective, than they were before.

Gartner Survey Explains Why Cyber Security Employee Training Fails

Sobering data from Gartner illustrates the shortcomings of cyber security employee training. The company predicts that more than half of cyber attacks by 2025 will result from “lack of talent or human failure.”

This is in spite of ongoing efforts by businesses to provide employee training on cyber security. What stands out is the reason why that training fails.

According to Gartner’s survey of 1,310 employees in mid-2022, “69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months.” More concerning, 74% said they would ignore cyber security practices “to achieve a business objective.”

The problem is clear: employees may know an organization’s rules for cyber security, but they willingly ignore those rules to get their jobs done. As long as this situation persists, cyber criminals will have the advantage they need to carry out attacks.

Cyber Security Employee Training Must Be Personal and Ethical

Every organization has a to-do list for compliance and a general set of employee rules. Most employees know they cannot treat others unfairly because of their background, race or identity, that they cannot steal from the company coffer and that they have a set time for lunch and breaks. Many employees bend these rules at times, while some bend them pathologically.

When cyber security becomes just another set of flexible company rules, disaster follows. The employee who takes an extra half hour for lunch only harms productivity in the short term. The employee who denies promotions to certain co-workers may trigger a lawsuit. The employee who shares passwords with teammates risks a costly data breach or an intrusion that takes all systems offline.

In all of these cases, organizations tend to train on the whats instead of the whys. Employees learn that they can be suspended or terminated for long lunch breaks, then see if that rule is actually enforced. The same applies to discrimination and cyber security. Employees may understand the consequences of breaking rules, but if they see co-workers getting away with things, or they consider some rules flexible, the training they received is useless.

It should be no secret to organizational leaders that employees behave very differently in their private lives. Most people would not brush off a friend or discriminate against a family member, and they tend to take great care with their personal cyber security. They are motivated to do this because they face lasting, personal repercussions in valuable relationships if they behave selfishly.

Leaders expect this behavior to carry over on the job, but Gartner’s data disputes that belief, painting cyber security as just another obstacle employees try to overcome. This occurs because most cyber security employee training, like other forms of employee training, lays out facts and broad hypothetical situations without asking the question that would really motivate employees: What would your friends and family think if you were responsible for a major cyber security attack?

The answer to that question is the key to effective employee cyber security training. Most people would be horrified and ashamed if their actions caused harm to a friend or family member. They would be similarly ashamed and horrified to have to tell people that they were involved in a cyber attack that made headlines. Those emotions provide a powerful incentive to follow cyber security rules, but they are absent from nearly all of the training programs available. Training based on ethics and personal attitudes toward responsibility delivers better results, because it connects with the protective instincts people practice in their personal lives.

Choose Training That Works

The CSI Protection Certification cyber security employee training program created by Protect Now changes employee attitudes toward security by tapping into their personal desire for safety. Created by cyber security speaker and author Robert Siciliano, this program is empowering and entertaining, and it now qualifies for CE credits for real estate professionals in many states. The program is available via in-person seminars, virtual seminars or through a library of eLearning modules. To learn more, contact us online or call us at 1-800-658-8311.

Cyber Insurance Companies Go to Court to Block Claims

Cyber insurance may not offer the protection you expect. In a case that has far-reaching implications for all policyholders, leading cyber insurance providers challenged a New Jersey court ruling ordering them to pay damages for the 2017 “NotPetya” attack that led to $1.4 billion in losses for pharmaceutical company Merck & Co., The Wall Street Journal reports.

Insurers claim that the attack is not covered because it was an act of war committed by a foreign adversary. U.S. government officials attributed NotPetya, a Windows ransomware attack that encrypts operating systems and data, to the Russian government. Insurance companies believe this triggers the “war exclusion” common to many types of insurance policies, which blocks claims resulting from military action. Though written to cover damage from bullets and bombs, that exclusion is one cyber insurance underwriters now seek to apply to damage from state-sponsored cyber attacks.

Should insurers prevail, businesses of all sizes could find themselves without protection for any cyber attack attributed to a foreign government.

Read the Fine Print on Your Cyber Insurance Policy

Few insurance buyers take the time to fully read their policies, and fewer inquire about the extra coverage, which comes at a higher cost, that protects against uncommon risks. This can leave businesses vulnerable if they file a claim in the wake of a cyber attack.

Foreign adversaries may be the least of your cyber worries, but you should understand that a cyber policy is not guaranteed protection. It is a relationship between your business and your insurer that demands certain actions on your part to keep the policy in effect. These inevitably include the following:

  1. You will take reasonable steps to secure your cyber infrastructure. This includes setting up secure systems, maintaining security certificates and updating software regularly to apply security patches. A recent attack that brought down servers worldwide took place because some users did not apply a security patch issued in February 2021. Those who failed to apply the patch could have their insurance claims denied.
  2. You will limit access to your systems to essential personnel. This includes password security as well as role-based authorizations. As a rule, employees should only have access to the systems and data they need to do their jobs. Shared passwords, poor password security or unchecked access to data could leave you paying out of pocket if you suffer a data breach.
  3. You will take steps to protect customer data. This includes how you collect data, how you transmit it online, how you store it and how long you retain it. Best practices vary depending on the type of data collected, with the strongest protections required for sensitive personal data such as credit card numbers and financial information.
  4. You will verify security with all third-party providers. This requires you to understand the security practices of your vendors and, in some cases, to get regular statements from them attesting to their cyber security. Vendors include your phone company, your Internet service provider, web hosts and software vendors. Expect a request for cyber security documentation from all vendors if you ever need to file a claim.
  5. You will train your employees in cyber security awareness and phishing protection. This requires annual or semiannual in-depth training on recognizing and stopping social engineering and phishing attacks. Your policy may mandate training within a certain period of time for all new employees, as well as regular refresher courses.

Know What Your Insurer Expects of You

If sitting down to untangle the language in your cyber policy is too daunting, speak to your insurance agent and ask for a full list of your responsibilities and the agent’s recommendations. Recognize that things like training and software updates are in your control, while natural disasters and acts of war are not. Insurance policies protect against everyday risks, not exceptional ones, but that protection is only available if you do your part to comply with your policy’s requirements.

A hack or data breach is stressful enough without worrying over whether your insurance policy covers the damage.

Protect Now provides Cyber, Social and Individual (CSI) Protection Certification, a cyber awareness training program that changes employee attitudes toward security by making data protection personal. This affordable program was built to serve businesses that have significant public interactions and need to protect their clients’ personal data. Learn more by calling us at 1-800-658-8311 or contacting us online.

Your New Year’s Resolutions for Cyber Security

The More You Make and Keep, the Stronger Your Cyber Security in 2023

Resolution season is upon us as we take our annual stock of who we would like to be. Fitter, kinder, more charitable, as always, but why not safer?

These cyber security New Year’s resolutions vary from simple things you can do in a few seconds to things that might require some outside help. They all have one thing in common: Individually, they will make you safer in 2023, so following just one will give you greater protection against cyber criminals. Each resolution that you add will boost security for you and your business.

I will secure my phone. Around 1 in 4 people fail to use a screen lock on their smart phones. That’s an improvement from 2013, when around 1 in 3 people failed to secure their phones. Use of lock screens must be mandatory for all work-related devices. It is also the first step for stronger cyber security in 2023.

I will use two-factor authentication. Apart from securing your phone, this is the most critical thing you can do to boost security. Every email account, every account that processes payments and all online accounts relating to finances must have two-factor authentication, along with every account that allows admin-level access to business systems or customer data. Two-factor authentication takes a few minutes to set up and adds seconds to the login process. The strongest method sends a text message to your phone (already secured with a lock screen) with a link to click. Without access to your phone, criminals cannot use stolen passwords to log in. Links are better than plain-text codes, which may be visible on Android devices even while the screen is locked.

I will update my passwords every 3 months. The start of each new business quarter should bring new passwords. Google can be configured to require this on a schedule that you set. This is a best practice for email and all business systems. The advantage is obvious: Stolen passwords become useless once you change them. The more often you change them, the greater your cyber security. If keeping track of business and personal passwords is a challenge, consider using a password manager that centralizes all of your credentials. Good password managers require your main login to be updated regularly.

I will not write passwords down. There is no safe place to store passwords on scraps of paper. Someone determined to find them will, whether they’re on a note in a drawer, tucked in your wallet or written backwards on a receipt hidden in a piece of ice in the freezer. If you must write passwords down to remember them, the safe way to store them is in a password-protected Excel spreadsheet. You will need to change that password a few times a year, and avoid writing it down anywhere.

I will limit what I share online. Some companies make it far too simple for social engineers to get the information they need to launch attacks by publishing executive information online. Far too many individuals overshare on personal social media accounts. Social engineers data mine public information for the names, emails and password hints they use to launch intrusions and phishing attacks. There is a delicate balance between what needs to be shared to promote a business and what creates cyber risks. Sharing less is always better. When personal information must be shared, it should be with safeguards in place to help employees spot possible attacks using that information.

I will close all my unused accounts. This is a more time-consuming resolution, but it only needs to be done once a year. Take an inventory of all the logins you have that you no longer use. Do you still have a MySpace account from your college days? Has your business changed software vendors but left the old logins active? Did you once buy something from an online store and then never visit again? Did you try a social media site for a day or two and then stop using it? Take the time to identify, disable and delete these outdated accounts for two reasons. First, criminals may try to access them through old logins, creating a base that can be used to compromise your identity. Second, if you do not actively use those accounts, particularly if you changed emails after you opened them, you may not be receiving security alerts or breach notifications. Anything you have not used in the past 14 months should be deactivated.

I will review financial statements. Criminals probe bank accounts by initiating a very small transaction, such as $1, then reversing it with a credit. Legitimate businesses also do this to verify bank accounts, credit cards and debit cards. Businesses must mandate a specific review of financial statements for these types of transactions: any debit that is subsequently credited should be scrutinized, along with any small transaction. Anything suspicious should be reported to your financial provider immediately. Do the same for your personal accounts. Financial providers are good at challenging large, unusual purchases, but they often fail to notice the tiny debit/credit transactions that precede an attempt at a big-ticket purchase. Some of the most determined cyber criminals siphon off a small amount each month from a company’s finances, knowing the theft is unlikely to be detected. Bookkeepers and accountants should pay close attention to any new vendors who invoice an organization and raise the alarm if those vendors have the same address, email or phone number as employees.
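As an added example (not from the article), a small Python script that applies the review rules above to a constructed ledger: it flags small debits and debits reversed by a matching credit, notes when a large debit from the same counterparty follows, and matches vendor contact details against employee records. The thresholds, the ledger entries and the vendor and employee records are all made up for this example.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds are assumptions for this example, not figures from the article.
SMALL_AMOUNT = 5.00                    # debits at or below this are "probe sized"
LARGE_AMOUNT = 1000.00                 # what counts as a big-ticket purchase here
REVERSAL_WINDOW = timedelta(days=7)    # a matching credit this soon is a reversal
FOLLOW_UP_WINDOW = timedelta(days=30)  # look this far ahead for the big purchase


@dataclass(frozen=True)
class Txn:
    day: date
    counterparty: str
    amount: float      # negative = debit (money out), positive = credit (money in)
    email: str = ""    # vendor contact details, when the ledger has them
    phone: str = ""
    address: str = ""


@dataclass(frozen=True)
class Employee:
    name: str
    email: str
    phone: str
    address: str


def _same_size(a: float, b: float) -> bool:
    return abs(abs(a) - abs(b)) < 0.005


def find_probe_transactions(txns):
    """Return (txn, reasons) for each debit that looks like an account probe:
    a tiny amount, a debit reversed by a matching credit, or either of those
    followed by a large debit from the same counterparty."""
    ordered = sorted(txns, key=lambda t: t.day)
    flags = []
    for i, t in enumerate(ordered):
        if t.amount >= 0:
            continue
        reasons = []
        if -t.amount <= SMALL_AMOUNT:
            reasons.append("small debit")
        for later in ordered[i + 1:]:
            if later.day - t.day > REVERSAL_WINDOW:
                break
            if (later.counterparty == t.counterparty and later.amount > 0
                    and _same_size(later.amount, t.amount)):
                reasons.append(f"reversed by credit on {later.day.isoformat()}")
                break
        if not reasons:
            continue
        for later in ordered[i + 1:]:
            if later.day - t.day > FOLLOW_UP_WINDOW:
                break
            if later.counterparty == t.counterparty and -later.amount >= LARGE_AMOUNT:
                reasons.append(f"followed by {-later.amount:.2f} debit on {later.day.isoformat()}")
                break
        flags.append((t, reasons))
    return flags


# How each contact field is normalised before vendor and employee are compared.
_NORM = {
    "email": lambda s: s.strip().lower(),
    "phone": lambda s: re.sub(r"\D", "", s),
    "address": lambda s: " ".join(s.lower().split()),
}


def find_vendor_employee_overlap(txns, employees):
    """Return (txn, employee name, matched fields) for vendor debits whose
    email, phone or address matches an employee record."""
    hits = []
    for t in txns:
        if t.amount >= 0:
            continue
        for e in employees:
            matched = [f for f, norm in _NORM.items()
                       if getattr(t, f) and norm(getattr(t, f)) == norm(getattr(e, f))]
            if matched:
                hits.append((t, e.name, matched))
    return hits


# Constructed sample ledger: a $1 probe, its reversal, the big purchase that
# follows, and a "vendor" whose contact details belong to an employee.
SAMPLE_TXNS = [
    Txn(date(2023, 1, 3), "Acme Office Supply", -412.50, email="ap@acme.example"),
    Txn(date(2023, 1, 4), "UNKNOWN MERCHANT 4471", -1.00),
    Txn(date(2023, 1, 5), "UNKNOWN MERCHANT 4471", 1.00),
    Txn(date(2023, 1, 9), "UNKNOWN MERCHANT 4471", -2890.00),
    Txn(date(2023, 1, 10), "Northside Consulting LLC", -1500.00,
        email="j.doe@mail.example", phone="(555) 010-2233"),
]
SAMPLE_EMPLOYEES = [Employee("Jane Doe", "J.Doe@mail.example", "555-010-2233", "12 Elm St")]

if __name__ == "__main__":
    for t, why in find_probe_transactions(SAMPLE_TXNS):
        print(t.day, t.counterparty, t.amount, "->", "; ".join(why))
    for t, who, fields in find_vendor_employee_overlap(SAMPLE_TXNS, SAMPLE_EMPLOYEES):
        print(t.day, t.counterparty, "shares", ", ".join(fields), "with", who)
```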

I will train myself and my employees to prevent phishing attacks. Phishing attacks rose by 61% in 2022, with more than 255,000,000 incidents. For cyber criminals, this is a numbers game. The more attacks they launch, the more likely they are to find a victim. It is no longer just big companies with volumes of personal data that are at risk; it’s every business in every sector and nearly every individual who has a smart phone or an email address. Annual phishing awareness training should be mandatory at all companies. Twice-annual training is better. Programs that include simulated attacks with a summary of how employees responded provide the best results. You will need professional support for this, but there are a number of affordable solutions available. Weigh that cost against the potential expense of a phishing attack: Someone sending a $500 gift card to a cyber criminal may not seem like a big deal, but once any criminal successfully attacks your organization, more criminals with more sophisticated attacks often follow.

I will hire or contract a Chief Information Security Officer (CISO). All large businesses and most mid-sized businesses have a CISO on staff or on retainer. This executive-level information-security professional handles all cyber security needs, from evaluating and setting up security measures to documenting compliance to ensuring that employees receive appropriate cyber security training. Small businesses and startups, outside of the tech sector, have a far lower level of CISO protection. A full-time security specialist may be beyond the needs or budget of many small companies. In these cases, a part-time, affordable Virtual CISO can significantly improve cyber security. For companies that fall under the FTC Safeguards Rule in 2023, professional support is almost mandatory.

You must change habits to improve cyber security. These New Year’s resolutions can help you do that, and most of them are very easy to keep, with no additional cost for you or your business beyond a bit of time. If you feel that you are not doing enough to improve your business’ security, or if you are unsure where to begin, contact us online or call us at 1-800-658-8311 to speak to a cyber security professional. We build custom security awareness solutions for our clients, based on their needs and what they can afford.

Good luck with all your New Year’s resolutions.

‘Tis the Season to Be Mindful

Don’t Wind Up on a Cyber Criminal’s Nice List

Amid the December maelstrom of planning, parties, shopping and activities lie more opportunities for cyber criminals than any other time of the year. The Grinches running scams like the holidays a lot because they know you have an above-average number of emails and online purchases flying around, because your schedule is packed and because there’s a greater level of personal activity around your workplace and your home. These are ripe conditions for your vigilance to slip, giving cyber criminals the opportunity they need to steal your money, your identity or business data.

Celebrate and savor the season, but keep these tips for cyber security in mind while you do.

Thwarting Cyber Criminals at Home

  • Never Click on Email Links.  Bogus links in spoofed emails are a favorite tactic for cyber criminals at the holidays. Chances are you are ordering more things online. You may be expecting statements or shipping details. You get an email in the evening, claiming to be from Amazon or UPS, and click on the link without thinking. At best, you get scammed for a few hundred dollars. At worst, you compromise your identity or allow a cyber criminal to install malware on your device. Always go to a website via a browser, not an email link, to verify order and shipping details. If you get a tracking number via email, copy it, go to the shipper’s website, and paste it into their package tracker. That will identify any attempts to trick you with phony shipping. You should also read up on a new scam targeting Pay Later users.
  • Leave your devices home for the holidays. If you plan to travel, or your holiday involves overnights at a hotel, a motel or a friend or family member’s home, leave every device with sensitive information at your home. You should never connect your devices to a public network at a hotel or someone else’s home. You have no way of knowing who else is connected, or if the connection is encrypted and secured.
  • Don’t let guests connect to your home network. This one is tough if you have friends or relatives staying with you, but you simply cannot allow guests in your home to access your Wi-Fi or wired home network. Familiar fraud is one consequence of too much generosity with your home password. You also run the risk of malware from a guest’s device infecting your network, either when they first log in or while they surf the web. If your guests must have access to email or the daily crossword, provide a device for them in a busy part of your home. Make sure that device has a password-protected login, and be sure to turn it off at night and when a majority of people are out.
  • Scan those tech gifts before you connect them. New phones, laptops, tablets and all USB devices should get an offline antivirus scan before they go online with your network. Be very wary of any USB memory stick or card given as a gift or brought by a well-meaning friend or relative, as malware infections on these devices are increasingly common.
  • Turn off Bluetooth and Wi-Fi discovery on your phone. Big holiday crowds at malls, airports and transit hubs attract cyber criminals, who blend quietly into the crowd looking for data to steal. Open Bluetooth connections and devices seeking Wi-Fi can wind up connecting to criminals with significant consequences. Bluetooth should always be off unless you have a specific need for it. Wi-Fi should be off in general unless you are on a trusted network at home or a secured connection at work.

Protect Against Cyber Criminals at Work

  • Never bring devices to the holiday party. Hats and coats aren’t the only things that disappear when the staff gathers to toast the year. Laptops loaded with customer data have disappeared from cabs and cloakrooms, leading to potential data breaches, expensive customer notification and monitoring campaigns and cyber security headaches.
  • Log off devices ahead of office parties. It can be tempting to hop up and run to say hello to a visiting co-worker or client, or to work right up to the start of a conference-room celebration, but that open device is an invitation to criminal activity. Always log out of devices before leaving your work area and power them off if you can. Threats to data and passwords can come from criminals who sneak into buildings, from visiting clients or from fellow employees.
  • Don’t hold the door for strangers. “Tailgating” is a tactic used by criminals to gain entrance to a secure area. These thieves will ask someone to hold the door, or try to slip in behind an employee before a door closes. During the holidays, tailgaters may pose as delivery people to access secure areas. Whenever you encounter someone you do not know at a door, bring them to the reception area.
  • Give your work devices a holiday break. Avoid traveling with work devices. If you must, leave them turned off and packed in a carry-on bag, never with luggage that will be checked. The best practice is to keep work devices at work during a vacation. The chances of device theft, information theft or malware attacks rise when you are away from the secure environment of your office.
  • Avoid shopping on work devices. It can be convenient to shop from and ship to the office, particularly if you’re trying to keep a gift a surprise or if your neighborhood is prone to porch piracy. Remember that cyber criminals use fake invoices, fake shipping notices and fake order updates, along with the usual assortment of fake gift card offers, to try and steal your personal information and login credentials. It can be challenging enough to spot the scams in your personal email account without adding that burden to your work emails. If your company allows it, shipping to your office is a good holiday option, but always order using your personal email.

Wherever the holidays find you, remember that cyber criminals are also hoping to find you. Trust your instincts. If something seems off to you, like a long-lost “friend” who starts sending holiday greetings via social media, or an email stating you missed a package delivery, find ways to verify without directly interacting with those emails, private messages or texts.

Personal security and device security are critical components of cyber security. Protect Now helps businesses and organizations manage cyber threats by making security personal to every individual. Contact us online to learn more about our services, including Virtual CISO, Dark Web Monitoring and cyber awareness training, or call us at 1-800-658-8311.

Cyber Warfare Is Here: Are You Prepared?

When you think about cyber warfare, you probably imagine an underground bunker full of people working computers to try and take down the Pentagon, or to shut down air traffic control. You probably don’t imagine North Korea or Russian agents coming for your small business.

It’s time for that thinking to change. In its 2022 Digital Defense Report, Microsoft reported that nation-state attacks targeting infrastructure rose from 20% of the attacks they detected to 40%. Microsoft cited espionage attacks on NATO countries and attacks on IT firms as areas of higher activity.

What Does Cyber Warfare Look Like?

Cyber warfare is happening right now, every time a nation-state hacker infiltrates an IT backbone or targets a public health provider. Nation-state actors will not “declare cyber war” or announce their intentions. They will simply strike at whatever targets they can compromise, with the intent of causing as much disruption as possible.

What Is a Nation-State Cyber Attack?

Nation-state cyber warfare differs from criminal cyber attacks in two ways. First, the attack is either carried out directly by foreign agents, or by people who get funding, training and infrastructure support from an enemy country.

Cyber criminals can often be stopped with basic cyber security and phishing awareness training, because they’re looking for easy money and easy victims. They use well-known malware and common social engineering techniques to extort their victims.

Second, cyber warfare is far more sophisticated. It uses techniques and custom-designed software built to avoid detection and to defeat common methods of restoring system access. In less-destructive forms, it is a tool to harass and extort an adversary. In more sinister applications, it can silently exfiltrate information that gives an enemy a strategic advantage, such as the ability to delete needed data or take control of mechanical and energy systems.

Why Would a Nation State Attack My Business?

As in any conflict, there are degrees of cyber warfare. In any attack, the following entities are vulnerable:

  • Energy generation, transmission and controls
  • Water utilities
  • Chemical and fuel facilities
  • Public health facilities
  • Telecommunications, including emergency response

The goal of these attacks is to sow chaos. The size of the target does not matter. Most cyber warfare analysts expect big-city infrastructure and large health systems to be primary targets, but nation-state attackers will look to spark terror in any way they can. Opening a dam in a small town or poisoning a water supply will lead to widespread fear, and smaller municipalities may not be as well protected against a cyber attack as urban providers.

In a wider attack, a nation-state will almost certainly target the following:

  • Banking
  • Food processing and distribution, including supermarkets
  • Logistics, including package delivery, rail and trucking
  • Pharmacies
  • Managed service providers
  • Cloud networks
  • Payroll processing

The goal is to cause as much disruption as possible by denying people access to everyday goods and services. Shutting down thousands of websites via an attack on a cloud provider or managed service provider interrupts the flow of goods and services and gets media attention. Shutting down pharmacy computers makes it harder for people to get essential medications. Adversaries want media amplification of their attacks that will make people fearful.

Your (Unexpected?) Role in Cyber Warfare

We tend to think of cyber attacks in terms of breaches, monetary theft or lost access to systems. If you operate a system that has been compromised, it is easy to see that you have been attacked. If your managed service provider, ISP or cloud servers go down, you may be surprised to find out that you are the reason why.

This is where cyber warfare becomes every online organization’s responsibility. Nation-state attackers continually probe for weaknesses and novel ways to get at essential online infrastructure. Everyday things that many businesses and developers do can be opportunities for foreign adversaries.

  • Posting source code on GitHub or other online repositories. We recently explained how that led to Federal sanctions against a U.S. executive. Posting source code can expose passwords and pathways to adversaries.
  • Launching new apps or forms without thorough testing. Nation-state attackers have a catalog of known software vulnerabilities and near-unlimited resources to find websites that have those vulnerabilities. You could be the crack in the door that gives an adversary the access needed to take down an ISP or managed services provider.
  • Insufficient online monitoring. The antivirus program will not stop a nation-state attacker, who is using new methods of attack that the software does not recognize. In the most sophisticated attacks, adversaries embed their code in system software so that it looks normal to any scanner. Dark Web monitoring is sometimes the most reliable way to identify these vulnerabilities.

Every business and organization that publishes or maintains a website, whether you collect information or not, is a potential target of nation-state cyber warfare. You could have an unexpected and unwanted role in the next attack, because the United States does not prioritize the role individuals play in cyber security. Major targets may have significant defenses against nation-state attackers, but they also have necessary connections to the World Wide Web. This is like building a massive wall to protect a town but leaving a tiny hole for the wastewater to flow downstream. Enemies will find that hole, find a way to get into it and run wild once they are on the other side.

We often discuss cyber security in terms of business interruption and liability. Those are still significant concerns, but with determined nation-state attackers continually working to find new methods of attack, we need to consider how individual vulnerabilities could escalate into a local or national emergency.

Protect Now specializes in cyber security and compliance for small businesses. We provide affordable VCISO support, cyber security training and Dark Web monitoring. Call us at 1-800-658-8311 or contact us online to speak to a cyber security expert.

Cybercrime and ALMOST EVERYTHING You Need To Protect Yourself

One of the most lucrative illegal business ventures out there is cybercrime, and there are no signs that it is slowing down anytime soon. Over the past 10 years, the “bad guys” have created new and highly sophisticated methods of capitalizing on users of the internet, and the odds are that they will simply not be caught. At the same time, consumers are facing more risk than ever before.

Why is Cybercrime so Dangerous and Can You Be Safer?  

If you are a service professional like me who “puts it out there,” I’m sorry to inform you that we are at high risk of becoming a victim of cybercrime. Most of us have gotten phishing emails from people asking for something; many of us have websites that contain a lot of personal info, and it is very easy to find our social media pages. Not only is this enough to scam us, it is also enough to scam our clients. You can also add the dangers that traveling puts us into thanks to risky public Wi-Fi. Fortunately, there are some things that you can do to keep yourself safer.

Social Media Risks 

Anyone who uses social media is at risk of becoming a victim of a criminal hacker. It’s pretty dangerous, but I have some good advice. I do training and conferences all of the time, and one of the things I recently told a group of our US Army soldiers is this: “Do not post anything online that you would not tell the enemy.”

It’s that simple.

After all, you never know who is paying attention. Do you remember the “Bling Ring?” This was when those teenagers broke into the homes of celebrities like Orlando Bloom and Paris Hilton a number of times. They stole jewelry, clothes, watches and more, and the teens knew about it because these celebs were posting the items on social media accounts.

Protecting Yourself from Spyware and Viruses  

Here are some tips that you can use to protect yourself from spyware and viruses:

  • Consider using safe-search web browsing software, which is often found in full versions of antivirus software. This helps to alert you to potentially malicious sites by showing a red, yellow or green dot next to the links on the search engine. Green dots are safe, yellow dots show you should use caution, and red dots have some sketchy reports, so be careful.
  • Don’t download any file that doesn’t come from a safe site, and never download a torrent file or software crack. These almost always have spyware.
  • Don’t click on any pop-up window that you are not expecting. Instead, close the window or get out of your browser.
  • Make sure that you are updating your OS’s security patches and always have the latest version of your web browser installed.

Understanding Social Engineering 

Have you heard of social engineering? It is the act of manipulating others into doing certain actions or giving information. Generally, it applies to some type of deception for the purpose of collecting information to commit fraud or gain access to a computer. In most situations, the cybercriminal will never meet or come in contact with their victims, so you must always use caution.

Some Things are Safe, But Some are Not 

It is quite important that you recognize that most people aren’t out to get you; but guess what? Some of them are. This means that you have to realize that some emails you get are not safe, some people who call you are not who they say they are, not everyone who walks into your work is honest, and not everyone who knocks on your door has the best of intentions. Social engineering is a con between people, but technology can help to keep you safer.

Have You Heard of ATM Skimming?  

The danger isn’t always online. It can also happen as you are out and about during your day. You probably use your debit or credit card a lot, and the cybercriminals are out there waiting to collect your information through ATM skimming. They do this by placing a device over an ATM card slot. It easily blends in, and when you swipe your card, the criminals can collect information on your card. They even install cameras to record you putting in your PIN.

Protecting Yourself from ATM Skimming

You can protect yourself from the ATM skimming scam by doing the following:

  • Pay attention to credit card and bank statements
  • Report unauthorized transactions as soon as possible
  • If you can, use your credit card over your debit card. Generally, a credit card offers more protection against fraud than a debit card. Plus, it’s better to get fraudulent credit card charges than a totally empty bank account
  • Cover your hand when you are entering your PIN into any keypad

Caller ID Spoofing; What You Need to Know 

Another cybercrime you need to know about is called ID spoofing. These days, odds are higher than ever that the person on the other end of a ringing phone is a scammer. Criminals can use a method called “spoofing” to hide their information. Basically, they hide the phone number that they are calling from, and instead create a new one. Oftentimes, they will create a number that has the same area code as the person they are calling, as people are more likely to answer local numbers.

Protecting Yourself from Caller ID Spoofing 

You should never assume that the number popping up on your caller ID is legit, and you should never ever give any personal information over the phone, even if the caller ID looks real. If a person on the other end of the line says that you have won something, or creates a sense of urgency, tell them that you are going to call them back. Then, look up the number of the company or person and call that number back.

Protecting Yourself When Shopping/Banking Online

It doesn’t matter if you are shopping, banking, or answering emails online. Protecting yourself is important. Here are some things you can do:

  • Be suspicious of any email that contains an offer of some kind, especially one that is too good to be true. The same should be said for getting offers via social media.
  • Beware of possible phishing scams. Do not click on email links; always type in website addresses into the browser or use a bookmark.
  • Are you aware of typo-squatting? Pay attention to how website addresses are spelled. They might look remarkably like a real website but be a letter off, e.g. GOOGLE.com vs G00GLE.com.
  • Only engage in business with companies or people who you know and trust. It is best to buy big-ticket items from brick-and-mortar stores, too.
  • Ensure your computer is secure. You should always keep your operating system updated with security patches, virus definitions, and antivirus software. Do not use a public Wi-Fi connection when doing online shopping.
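An added example, not from the article, of checking a link target before visiting it: a Python function that reduces a URL to its registered domain, compares it against a constructed allow-list, and flags look-alikes such as G00GLE.com by mapping confusable characters and allowing a single-letter edit. The allow-list, the confusable table and the sample URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this user actually does business with.
TRUSTED_DOMAINS = {"google.com", "amazon.com", "ebay.com"}

# Character swaps that read like the real letter on screen, longest first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("|", "l")]


def registered_domain(url: str) -> str:
    """Host from a URL reduced to its last two labels. Assumption for this
    example: no multi-label public suffixes (co.uk and the like) are in play."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def skeleton(name: str) -> str:
    """Replace look-alike characters so g00gle and arnazon read as google and amazon."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch a single dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str):
    """Return ("trusted", domain), ("lookalike", trusted_domain) or ("unknown", domain)."""
    dom = registered_domain(url)
    if dom in TRUSTED_DOMAINS:
        return ("trusted", dom)
    name = dom.rsplit(".", 1)[0]          # brand part, so a swapped TLD is caught too
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name = trusted.rsplit(".", 1)[0]
        # Distance 1 only: 2 would make unrelated short brands collide (ebay/etsy).
        if skeleton(name) == t_name or levenshtein(name, t_name) <= 1:
            return ("lookalike", trusted)
    return ("unknown", dom)


# Constructed URLs of the kind a fake "order update" email might carry.
SAMPLE_URLS = [
    "https://www.google.com/search?q=tracking",
    "https://G00GLE.com/login",
    "http://arnazon.com/orders",
    "https://amazon.co/deals",
    "https://ebay.com.evil.example/signin",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:<42} {classify(u)}")
```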

Is Public Wi-Fi Safe?

Unfortunately, public Wi-Fi is not secure. There are a number of security risks that are associated with public Wi-Fi. These networks broadcast signals through radio frequencies, which means that anyone who has the right tools…and these tools are easy to find…can intercept the data that is sent through it.

To protect yourself when using public Wi-Fi, you should use virtual private network (VPN) software. I really like Hotspot Shield VPN, but a lot of people really like Nord VPN, too, and it’s pretty good.

When you go online, whether it’s at a hotel, airport, or even local coffee shop, don’t log into any account unless you are connected to a VPN.

Even if you have a VPN, keep the following in mind:

  • Be smart about what you are doing online when connected to a public Wi-Fi connection. Do you really need to check your 401k while drinking your cappuccino?
  • Don’t store any critical data on a device that you then use on a network that is not secure.
  • Turn off Bluetooth and Wi-Fi on your cell phone or laptop when you aren’t using them. A device that is still sending wireless signals is very appealing to a hacker.

Should I Have ID Theft Protection?

You might have seen ads for ID theft protection but assumed that your identity would never get compromised, so that would be an unnecessary expense. Unfortunately, that’s just not true. We all should have ID theft protection. These services monitor your credit report and protect you if your identity is stolen.

Keep in mind, though, that these services don’t protect against credit card or bank account fraud, but they are still good to have.

What is a Credit Freeze?

If you don’t have a credit freeze on your account, you are putting yourself at risk even more. A credit freeze, sometimes called a security freeze, locks down a credit file so that a lender cannot check your credit. This is a good thing, as it means that criminals cannot open any new accounts using your name nor your Social Security number…and if a lender can’t check your credit, they are very unlikely to extend a line of credit.

Keep in mind that you need to get a credit freeze from all of the credit bureaus including Experian, Innovis, TransUnion, and Equifax.

You can easily find out more about credit freezes for each company by searching on Google. While you are at it, you can freeze the credit of your kids, too. Make sure you keep records and learn how to “thaw” your credit when it’s time.

Keeping Your Passwords Safe and Protected

The most important thing that you need to know about passwords is that there is no such thing as a totally secure password. Some passwords are more secure than others, of course, but they can always be found out. Passwords are extremely convenient for people who want to access your accounts.

Is a Password Manager a Good Idea?

You might have heard of password managers, and if you have more than one online account…which you probably do…you should consider using one. You should have a unique password for every account, and it can be difficult for you to remember them. So, it is very tempting to use the same password for every account. But, if a hacker gets this password, they have access to all of your accounts. Instead, use a password manager to make your life easier.

  • When you use a password manager, you create a password that is secure and safe, and all of your passwords are protected by a hard-to-guess master password.
  • This master password allows you to access any site you have an account on through your password manager.
  • When you update a password on a website, the password manager will remember it and update it on all of the computers or devices you have the software on.

When you begin using a password manager, it is very likely that you will notice that you don’t have to worry about your online accounts. You will also notice the following:

  • When you visit a website for the first time, you won’t need to put your password in. Instead, you open your password manager and enter your master password.
  • The password manager you use fills in your username and password, which then allows you to log into the site.

Set Up Two Factor Authentication on All Accounts

Any account that you have that has any importance should have two-factor, or two-step, authentication. This is a further step you can take to protect your passwords. Remember, once a hacker has access to your password, that’s all they require to get into your account.

When you use two-factor authentication, the first thing you have to do is enter your password. However, there is an additional step here, too, which is why it is also called two-step authentication. Basically, the site you are trying to log into will send a code to your phone or email, whichever you choose. This is a unique, one-time code that you can use to log in. Essentially, you are using two passwords, your original password and the code, to log into your accounts. This code changes each time you log in, so a hacker would have to have access to both your password AND your phone and/or email address, in order to get into your account.

  • Almost every major company and corporation website that you use has some type of two-factor, or two-step, authentication.
  • To find out if the accounts you have offer two-factor logins, simply search for the term “two step verification” and the name of the company, i.e. eBay, Gmail, Amazon, etc.

Protecting Your Credit Cards

Many of us use credit cards in our daily lives, and there are a number of things you can do to protect yourself from credit card fraud.

  • Take a close look at your credit card accounts on a regular basis. Check on your purchases every month, and then look to see if there are any odd or unfamiliar charges on them. Don’t only look for big charges, either. A small charge could still be a scam, and sometimes the hackers make a small purchase to make sure it goes through before buying something big. If you can, check your accounts a couple of times a week.
  • Set up “push” alerts on your credit card accounts. These alerts might come via email or text, and you can set them up for different activities. For instance, you can get a text any time you make a purchase over $100 or get an email when there is an online credit card transaction.
  • Don’t save your credit card information online. Some websites allow you to store your credit card information if you make regular purchases, but it is much more secure to manually enter the number every time you shop.

This is all good advice, and you shouldn’t get overly worried about it, but be smart about it and take this advice to heart.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

The Tricks Behind the Clicks: Cyber Scams and Psychology

What is it that makes people fall for scams? Cybercrime is as hot as ever, with new and more creative scams popping up all the time. There is plenty of focus on spotting scams, but less so on what makes people miss the signs.

Martina Dove, Ph.D., is a senior UX researcher at Tripwire and an expert in fraud psychology. Her research into the brain’s reaction to cyber scams and how the human mind operates when presented with a scam makes for an interesting read. On top of this, it also takes a look at fraud, and how susceptible we are to it, and it does this by using Dove’s own model.

Cybercrime from a Psychological Standpoint 

Discussions around cyber security often center on the technical aspects of security and data protection for businesses and people’s personal lives. New gadgets, devices, controls and defenses are constantly circulating, which helps the fight to fortify our information and secure the confusing and tricky online environment.

Trust is a fundamental human trait. Humans trust by default. Scammers capitalize on this knowing that people look at life and scams and trust first, and scrutinize later. The hard part is how we can best keep ourselves, and our minds, safe against scams and where the holes might lie. The fundamental psychology behind the cybercrime mentality is underexplored, and so far, discussions often go no further than scratching the surface.

This is surprising, considering that it has such a huge impact on what motivates people on either side of a scam. According to the latest Verizon Data Breach Investigations Report (DBIR), social engineering is the most common type of attack in regard to cybercrimes.

The psychological elements of how phishing emails are presented, the power of persuasion, and what makes people fall for scams are all important to really understand how things work and ultimately how to avoid becoming a victim.

Martina Dove’s Research into Fraud Psychology and Scams 

Few people have provided quite as much insight into this topic as Dove. Having specialized in fraud psychology, Dove became particularly interested in the concept of gullibility when pursuing her master’s degree and ultimately decided to carry it through into her Ph.D.

In an interview with Tim Erlin of Tripwire, Dove said that she had always been interested in the idea of gullibility: what makes a person gullible, and what it really means to be a gullible person. After reading an article by two psychology researchers exploring the tricks and techniques used by scammers (particularly in phishing emails), Dove decided to take her own studies down a similar route, diving deeper into the human psyche and scam vulnerability.

The main point of this research is a fraud susceptibility model that looks at the ins and outs of what puts a person at risk on a psychological level of falling victim to spam, scams, and phishing.

According to Dove, it was not her intention to create a model when she first started- the research naturally took her in that direction as she uncovered more fascinating theories about persuasive techniques, thought processing, and personalities that may influence how people react to these attacks.

Martina Dove’s Ph.D. research has also been turned into a book called The Psychology of Fraud, Persuasion, and Scam Techniques, which is available on Amazon.

The Fraud Susceptibility Model 

The research that ultimately led to the model in Dove’s book started as a questionnaire designed to build a “measurable scale of fraud vulnerability.” It was scorable, with the answers determining what areas of a person’s personality put them at risk.

After a series of tests and experimental studies, along with expert analysis and validation, the model emerged on its own. Dove explained that some factors influencing susceptibility can be mapped and used to predict a person's natural reaction when faced with a fraudulent situation. She also described how the model is used to explain compliance and the reasons behind it, as well as how people cope after they realize they have been victimized.

It looks into the characteristics that leave a person most susceptible at each stage of a scam.

1.   Precursors

How do personal circumstances (emotional, social, financial and so on) influence how we react to fraud? Does our demographic play a role? Our family situation? Essentially, how much do our social surroundings, and everything that comes with them, affect our ability to identify and avoid scams?

2.   Engagement with scammers

Once a person is on the hook, what techniques does the scammer use, and how do personal character traits change how we respond? What types of persuasion work best on different personalities, and how do scammers identify and exploit these vulnerabilities?

3.   Dealing with victimization

Dove's model explores the conscious versus unconscious decision-making that occurs when people deal with phishing emails and other fraudulent communications, and after they realize they have been fooled. How do people accept what happened, and how does it change their behavior?

Throughout her research, Dove shares examples of circumstances and characteristics that can make people more or less susceptible.

  • Group mentality: Someone who is highly concerned with being part of a group and uncomfortable going against the status quo may ignore signals of uncertainty and doubt if others disagree.
  • Compliance: Naturally compliant individuals are hardwired to follow instructions. Scams prey on this, hoping that a "no questions asked" mentality is enough to make a person go along with a request.
  • Impulse: Impulsive people are less likely to take time to assess a situation and take the necessary steps to confirm a source or its authenticity. Those who favor fast decision-making over a meticulous process are more likely to become fraud victims.
  • Belief in justice: It may sound strange, but people who believe criminals will get caught and that bad things don't happen to good people are vulnerable. Because they don't see these things as pressing threats, they may overlook obvious signs. The naivety that says "this won't happen to me, I am a good person" is potentially dangerous.
  • Background knowledge and self-evaluation: How much a person knows, or thinks they know, about cyber security can be a hindrance. People assume that their understanding of how scams work and what to look out for will protect them. This is true up to a point, but it can also make people complacent. Being an expert in a field does not stop a person from falling for a targeted fraudulent communication.
  • Reliance on authority and social confirmation: If someone is particularly concerned with what others think, they may be at more risk. Authority-driven individuals may act on the belief that a request comes from a superior, and socially driven people may go along with something because of influence from friends or family.
  • A general predisposition to scams: According to a study published via ScienceDirect, some people are simply prone to fraud because of how readily they engage. Everything else about them may suggest otherwise, but something in them makes them more likely to go along with a scam.

Examples of Scams and Victim Profiles 

Here are two examples of scams and the types of psychological profiles they are likely to target. 

  • Business Email Compromise (BEC) scam: The basis of this scam is an email that appears to come from a boss or member of management, asking an employee for an urgent transfer of funds. The sender's name is real; the address or the account behind it is not. It preys on compliance, obedience, respect for authority and hierarchical values. People with a strong belief in the pecking order are less likely to question a demand from a superior and are therefore more likely to comply without hesitation.
  • Sextortion ("sexploitation") scams: These scams use fear as the driving force to get people to comply with demands. The scammer chooses language that evokes a person's most primal drives, hoping that fear overrides the more practical side of human thinking. Anyone can struggle to make sound decisions when especially scared or excited, but someone prone to fast, strong emotions is a prime target.

It is interesting to see how different these two examples are, which shows how much a person’s emotional makeup and core values can impact their likelihood to become a victim of fraud.

The Challenges Facing Scam Awareness 

As Tim Erlin rightly pointed out during his interview with Martina Dove, a significant challenge that stalls progress against cyber criminals is the shame and embarrassment many scam victims feel. He stated that people don't want to admit they fell for it and may never report that it happened. This, sadly, is true, and it only adds to the stigma of fraud victimization, making it harder to build a substantial defense against these crimes.

Furthermore, there is a dangerous habit out there of immediately labeling scam victims as stupid, making them feel guilty for being the target of what is, at the end of the day, a crime. Fraud is as real as robbery, yet the victims are treated very differently.

Increasing the awareness and understanding of why these things happen and changing the narrative of how victims are perceived could help bring a more accepting mainstream view.

How Can Martina Dove’s Research Help with Fraud Awareness Training? 

Modern businesses are acutely aware of the very real risk of cyber scams and take steps to protect and educate their staff, but is there enough focus on vulnerability rather than vigilance? The idea that anyone can fall for a scam needs to be more widely publicized, and people need to be made aware of what exactly it is about their personality and psychology that makes them vulnerable.

As cyber security professionals can confirm, the human element is and always has been the weakest link in the defense chain, because people make mistakes and the brain is open to mind games. If scammers are getting better at playing on the mind, then security experts need to get better at educating people on how this exploitation works.

Using Dove’s research to make anti-fraud training more human-focused and interactive could be the difference between a person falling victim and feeling ashamed and being aware of emotions used against them- and being able to stop an attack in its tracks.  

Practical Advice for People at Risk

As part of her research, Dove compiled a checklist of actions for proactively identifying potential scams and avoiding being drawn into the deception. Here is a brief summary of the key points.

  • Question how it makes you feel: Scams play on emotion and aim to evoke a strong reaction, so how you feel when you read something can be an instant warning sign.
  • Look for further language clues: Is there any wording that seems overly strong or makes you feel bad in a way that seems unnatural?
  • Beware of links: A quick and convenient "click here to solve your problem" may not be what it seems. Hover over (or long-press) a link to see where it really goes, and log into any account by typing the official address yourself or using a bookmark, never through a link in an email.
  • Make space for rationality amongst emotion: Understand that what you feel in the moment may have been engineered through clever psychological tricks. Take a step back, wait before deciding, and ask family and friends for their opinion if you are unsure how to proceed.
  • Scrutinize the details: Check the sender's actual address, not just the display name, and look through the correspondence for any sign of falsification or anything that just doesn't feel right. Emotional people may be quick to act, but they can also have strong instincts.
  • Don't rush to action, no matter the request: Sometimes a pause is all it takes. Stopping to think is never bad practice in any walk of life or in any decision to be made.
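The checklist above, and the BEC example earlier on the page, describe cues a person can check by hand: who the message really comes from, where a link really goes, and whether the wording is engineered to create pressure. As an added example (not part of the article, of Dove's research or of any Tripwire tool), the following Python script turns those cues into mechanical checks on a constructed email. The internal domain, the executive name list, the pressure vocabulary and the sample message are all assumptions made for the demo.

```python
"""Heuristic triage of an email for the cues in the checklist above.

Added example, not Dove's model or Tripwire code.  The internal domain,
executive names, keyword list and sample message are assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"            # assumption: the recipient's company
EXECUTIVES = {"jane doe"}                   # assumption: names worth impersonating
PRESSURE_WORDS = ("urgent", "immediately", "right away", "wire", "gift card",
                  "confidential", "before end of day")

# Constructed sample: a BEC-style message carrying a deceptive link.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: ceo.office@freemail.example
To: accounts@example.com
Subject: Urgent wire needed today
Content-Type: text/html; charset=utf-8

<html><body>
<p>I need you to process a wire immediately. It is confidential, do not call me.</p>
<p>Approve it here: <a href="http://login-example.com.attacker.test/">https://portal.example.com/approve</a></p>
</body></html>
"""


def _domain(s: str) -> str:
    """Lower-cased host of a URL, or the domain part of an email address."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", s, re.I):
        return (urlparse(s).hostname or "").lower()
    return s.rsplit("@", 1)[1].lower() if "@" in s else s.lower()


def _registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain
    (fine for the demo; real code would consult the public-suffix list)."""
    return ".".join(host.split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: str) -> list:
    """Return human-readable warnings; an empty list means no cue fired."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    # Cue 1: a known executive's display name on an address outside the company.
    if name.lower() in EXECUTIVES and from_dom != INTERNAL_DOMAIN:
        warnings.append(f"display name '{name}' but external sender domain {from_dom}")
    # Cue 2: replies silently routed to a different domain than the sender's.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Cue 3: the emotional-pressure vocabulary the checklist warns about.
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in PRESSURE_WORDS if w in haystack]
    if hits:
        warnings.append("pressure language: " + ", ".join(hits))
    # Cue 4: visible link text naming one site while the href goes to another.
    collector = _LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        shown_host = _domain(shown) if re.match(r"https?://", shown) else ""
        if shown_host and _registrable(shown_host) != _registrable(_domain(href)):
            warnings.append(f"link text shows {shown_host} but href goes to {_domain(href)}")
    return warnings


if __name__ == "__main__":
    for w in triage(SAMPLE_EMAIL):
        print("WARNING:", w)
```

These are deliberately simple heuristics, not a measure of anyone's susceptibility: the point is that the pause the checklist asks for can be backed by a mechanical check that does not depend on how the reader feels in the moment. A mail gateway or a user-side add-in doing the same four checks would surface exactly the mismatches a compliant, hurried reader is most likely to skip.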

Final Thoughts 

Not everyone is created equal when it comes to emotions and how they drive our thoughts. Moderating how they affect our decisions, and how gullible they make us, is not easy, and greater awareness is needed.

The ties drawn between psychology and cybercrime are truly fascinating and open up an interesting and far overdue conversation about the correlations.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.