SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 201: Cybersecurity Awareness Month

Posted on October 2, 2020

October is National Cybersecurity Awareness Month, and the National Cybersecurity Alliance has kicked things off by releasing some timely recommendations for 2020. We’ll tell you what they say about:

  • The COVID-19 pandemic
  • Working from home
  • Smishing attacks

Avoiding disinformation 

When the COVID-19 pandemic began, there was an enormous spike in fraudulent emails and text messages (they increased by over 600%!). Those threats and scams haven’t gone away: the bad guys are continuing to attack individuals and organizations, and so the National Cybersecurity Alliance is offering some recommendations for how to keep yourself safe:

  1. Seek out reliable information

    Be wary of information related to the pandemic that just sort of “shows up” in your inbox, because this is much more likely to contain disinformation, or to be part of a scam. Instead of passively waiting for info to come to you, take a more active role and keep yourself up to speed by seeking out your own information from reliable sources.

    Daytime programming on cable news channels is one reasonable choice. But be aware that the “talking head” shows that make up the evening programming on these same channels tend to be far more subjective, and may contain analysis based on personal politics or one host’s opinion, rather than hard evidence and data! In terms of online sources, look for well-established news outlets like PBS or the BBC, or some similarly credible journalistic organization — and a word to the wise, you might want to avoid your neighbor’s Facebook rants! If you’re just looking for medical information, the websites of the CDC or major hospital organizations like the Mayo Clinic are probably your best bets.

  2. Be skeptical by default

    There are lots of good people out there … but unfortunately, there are some truly nasty ones as well, and so it pays to be on your guard when you come across an attention-grabbing subject line in your email.

    If you get an email telling you that you’ve come into contact with someone who tested positive for COVID-19, or that you’re eligible for relief funds, or that scientists have just discovered a “miracle cure” for the coronavirus — be very skeptical. All of these examples were taken directly from scam emails that people have received over the past few months.

    So how do you spot a phony email? Keep an eye out for the following signs:

    • Fake URLs that use the wrong domain (e.g. cdc.com instead of cdc.gov; nhs.uk.info instead of nhs.uk; etc.)
    • Emails that pressure you to act immediately (e.g. “You have 24 hours to claim your relief funds”)
    • Clickable links contained in unsolicited emails
    • Requests for personal or financial information (e.g. DOB, Social Security number, bank details)
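One way to apply the first sign on that list mechanically, as an added example that is not part of the show notes: a small link checker that accepts a host only when it is the trusted domain itself or a subdomain of it, so cdc.com and nhs.uk.info are rejected even though they contain the familiar name. The trusted-domain set and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of domains the reader genuinely expects mail from.
TRUSTED_DOMAINS = frozenset({"cdc.gov", "nhs.uk"})


def registrable_host(url: str) -> str:
    """Return the lowercase host of a link, ignoring path, port and userinfo.

    A scheme is prepended when missing so bare hosts like 'cdc.com' still parse.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only for a trusted domain or a subdomain of one.

    'www.cdc.gov' ends with '.cdc.gov' and passes; 'nhs.uk.info' ends with
    'uk.info' and fails, even though it starts with the trusted name.
    """
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_link(url: str, trusted=TRUSTED_DOMAINS):
    """Classify a link as (ok, reason) with a reason a reader can act on."""
    host = registrable_host(url)
    if not host:
        return False, "no host in link"
    if is_trusted_host(host, trusted):
        return True, f"{host} is under a trusted domain"
    # Flag the tricks named on the page: a trusted name reused as one label of
    # an untrusted host (nhs.uk.info, cdc.gov.example.net) or the right name
    # with the wrong suffix (cdc.com instead of cdc.gov).
    labels = host.split(".")
    for t in trusted:
        if t.split(".")[0] in labels:
            return False, f"lookalike: {host} uses the name of {t} but is not under it"
    return False, f"{host} is not a trusted domain"


if __name__ == "__main__":
    for link in ("https://www.cdc.gov/coronavirus", "cdc.com/relief-funds",
                 "https://nhs.uk.info/claim", "https://example.org/news"):
        print(link, "->", check_link(link))
```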

Home safe home

With millions of people all around the world working from home, many for the very first time, the threat landscape has changed radically for both companies and employees — and the bad guys are taking full advantage of the situation.

Despite the challenges, many workers report that they actually enjoy working from home, and companies are coming around to the idea that it might be a feasible option for the long term, even after the pandemic ends, which means that the National Cybersecurity Alliance’s work-from-home recommendations are not only relevant to our current situation, but will likely help us prepare for the “new normal” in the years to come.

Here’s what they have to say about staying safe while working away from a traditional office.

  1. Rules are rules

    Think of your home office as a traditional office, at least in terms of security policies. You know all of those workplace password best practices, data handling requirements, and rules for giving out info to strangers who call on the phone? They still apply when you’re working at your kitchen table — and if anything, they’re more important when you’re at home. As far as the non-security issues related to work from home, that’s largely a matter of personal preference: so if you want to take customer calls in your pyjamas, we’re not going to judge!

  2. Ask for help

    Even though the IT gal or guy isn’t working in an office down the hall anymore, you can still ask for help! Call, email, or send an IM through your company’s messaging platform if you have a question about software updates or network security. A true tech professional won’t see this as “bothering” them: if anything, they’ll be glad you reached out (trust us, they would much rather spend 10 minutes walking you through an update than 10 days recovering from a ransomware attack).

  3. Sound the alarm

    If you do experience a security incident, report it to your management and IT staff immediately. The sooner security teams know that there’s a problem, the sooner they can put their response plan into action — and potentially stop a minor incident from blowing up into something far more serious. We know that it’s not an easy phone call to make, but it’s the right thing to do (both for yourself and your coworkers and customers), and will definitely be appreciated by the IT personnel tasked with keeping everyone safe.

Don’t get smished

During the pandemic, the world has gone remote — and that means many of us are using our mobile devices more than ever before. Hackers and scammers have noticed this, of course, and have adapted their tactics to take advantage of our new, mobile-centric reality. 

“Smishing”, a term that comes from “SMS phishing”, is on the rise, with bad actors attempting to use SMS messages to impersonate legitimate companies. Many times, these will be companies that you really do have a business relationship with, and who might actually have a reason to send you a text: banks, mobile carriers, cable companies, and so on. 

Here’s what the National Cybersecurity Alliance recommends:

  1. Learn to spot smishing

    You know how to avoid phishing emails, but how do you spot smishing attempts? Here are some common signs:

    • The text comes from a 5000 number. This number is frequently used by scammers.
    • The number is unrecognized. If you don’t know the number, don’t reply. Not to worry, if it really is Verizon texting about your overdue bill, they’ll definitely find another way to contact you!
    • Something feels wrong. Very subjective, we know, but if you have a “bad feeling” about that text, your subconscious mind may have noticed something amiss about the message. Trust those instincts!

  2. Get your own numbers

    If an SMS message tells you to call a certain number, you should bear in mind that scammers can easily set up fake phone numbers and answer them (very convincingly) as the organization they’re trying to impersonate.

    So if you get a text from, for example, a bank or credit card telling you to call them, just go online and find their main customer service number yourself, or simply look at the back of your credit card, and call that number instead. If the original text was legit, you’ll be put through to the right person.

  3. Be wary of “urgent” texts

    As with emails, if a text tells you that you need to respond “immediately”, especially if they say or hint that something bad will happen if you don’t, be careful: this is a common tactic used by scammers to frighten people into acting without thinking. If you believe that the text may be genuine, slow down, find the company’s number independently, and call them about the issue.

  4. Be careful with attachments

    Attachments that come in via mobile messaging can contain malware or redirects to malicious websites, just like email attachments. Malicious attachments can even come from your contacts, so as a general rule, never open an attachment from an unknown sender, and be vigilant and follow your best practices for safe handling of attachments even when you do know the person who sent it!

For Checklist listeners, some of these recommendations will probably seem pretty familiar; but for many people, especially those who aren’t as tech savvy as you are, these tips may be things that they’ve never considered before. If you think it would be helpful to someone you know, you might want to share this show with them. After all, it is National Cybersecurity Awareness Month!

If you’d like to get into the spirit of things and deepen your own understanding of cybersecurity, take some time to explore our archives, where you can listen to past episodes and read the full show notes for each podcast.
