Directive Blogs
Email Scams Continue to Plague Oneonta
As if Oneonta residents didn’t have enough to worry about during the coronavirus crisis, there’s a new email cyberattack to keep on the lookout for. While it follows the familiar pattern of using social engineering to trick its targets into handing over money, this time the attackers have reached a new low. Read on to learn how you can protect yourself.
Small Towns Aren’t Safe from Cybercriminals
One widely held belief we continuously fight against is the idea that phishing attacks and other scams only target large companies or people with money. A personal PayPal, eBay, Amazon, or even Disney+ account can be compromised by a hacker and used to wreak havoc, even though you’re not a large corporation. In fact, one could say that such an attack has a greater chance of success, and does more damage, against those who can least afford to lose the money or have their credit damaged.
Rich or poor, having your identity stolen can have long-lasting effects. Never forget, your identity has value on the black market. The reality is that anyone, regardless of age or social standing, can be the target of a cybercriminal, even in a small town like Oneonta. In fact, Otsego County and Oneonta in particular have faced a variety of cyberattacks and fraud challenges over the last year. For example:
- A skimmer attack that targeted local ATMs.
- Phone scams targeting older residents.
- A SMiSHing (SMS phishing) debit card scam.
A New Low in Cyberattacks Hits Oneonta
The latest cyberattack in Oneonta consisted of an email threatening to send sexually explicit videos to the victim’s email and social media contacts unless the victim paid a ransom in Bitcoin. While Bitcoin, a cryptocurrency built on a blockchain, has a variety of legitimate uses, in this instance its use is nefarious. Unlike credit cards, checks, or other forms of payment such as digital wallets (which have come to the forefront in the age of coronavirus), Bitcoin payments can be difficult to trace. A victim who paid the ransom in this currency would most likely never be able to recover their money.
What made this attack difficult for victims to ignore was how direct it seemed. Because the email contained personal information, the victim was convinced the hacker would be able to make good on the threat. One common social engineering tactic is to sprinkle in true information to add a veneer of authenticity to a threat or request for help.
It’s also a strong possibility that the personal information listed in the email was acquired from the Dark Web, or a previous phishing attack. This is why it is critical that people follow best practices for passwords and network security.
To help, here’s our definitive guide on password best practices.
Another important aspect of this attack is the threat to release explicit videos. In theory, such a threat should be meaningless and a sign that the email was a scam... unless there was a possibility that such content exists. So while distasteful, this scam has highlighted the dangerous consequences of posting pics and other private content online. The internet never forgets and there should not be an expectation of privacy. Never post anything online that you don’t want anyone else to see.
Why Social Engineering Is the Hacker’s Tool of Choice
While popular media often portrays the hacker as a lone wolf who remotely ‘breaks’ into a computer, the reality is that most data is compromised because the person who answered a phone call or email didn’t follow best practices. Phone and email scams rely on poor security habits and are designed to trigger an emotional response from the victim, causing them to share personal or financial information with the hacker. This type of attack is known as social engineering.
Social engineering is effective because it relies on a person’s tendency to want to either help someone they know or protect themselves from uncomfortable situations. The solution usually requires some sort of transaction to make it go away. The Oneonta email scam used traditional social engineering tactics to control the behavior of its victim, including:
- Creating a false sense of urgency, not giving the victim time to think. (Act now or we will embarrass you.)
- Offering a way to make the problem go away in exchange for something of value. In this case it was a Bitcoin payment, but it could’ve been anything, from security credentials to a demand for additional explicit material.
Social engineering attacks are difficult to prepare for because they don’t rely on flaws in technology, but on weaknesses in human behavior. The only way to defend against these types of cyberattacks is to train your team on cybersecurity best practices so they can recognize the risks that appear in their email.
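The tactics above (a "leaked" secret to lend authenticity, a threat to expose content to contacts, a deadline to manufacture urgency, and a demand for hard-to-trace payment) are exactly the indicators a mail filter or help desk can look for. The following is an added example, not code from Directive or from the original post: a small Python scorer that flags the sextortion pattern described here. The sample emails and the Bitcoin-style address in them are constructed for the example; the thresholds are an assumption, not a published rule.

```python
import re

# Indicator patterns for the email pattern described in the post.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
INDICATORS = {
    # "I know your password is ..." - a real secret sprinkled in for authenticity
    "claimed_credential": re.compile(r"\byour (?:password|passcode) (?:is|was)\b", re.I),
    # threat to release a video/recording to the victim's contacts
    "exposure_threat": re.compile(
        r"\b(?:video|recording|webcam|footage)\b.*?\b(?:contacts|friends|family|social media)\b",
        re.I | re.S,
    ),
    # manufactured urgency: "within 48 hours", "act now", "deadline"
    "urgency": re.compile(r"\b(?:within|in) \d+ ?(?:hours?|days?)\b|\bact now\b|\bdeadline\b", re.I),
    # demand for a hard-to-trace payment
    "crypto_payment": re.compile(r"\b(?:bitcoin|btc|bch|monero|xmr|wallet)\b", re.I),
}


def score_email(text: str) -> dict:
    """Score one email body and return the indicators found, a score, and a verdict."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    addresses = BTC_ADDRESS.findall(text)
    # Assumed weighting: one point per indicator, two for an embedded coin address.
    score = len(hits) + (2 if addresses else 0)
    if score >= 4 and "crypto_payment" in hits:
        verdict = "likely_sextortion"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"indicators": sorted(hits), "btc_addresses": addresses, "score": score, "verdict": verdict}


# Constructed sample messages (not real emails; the address below is made up).
SEXTORTION_SAMPLE = """Subject: You have been watched
I know your password is hunter2. I installed malware on your computer and have a video
of you recorded through your webcam. If you do not pay 0.5 BTC within 48 hours to
1CoNstRuctedSampLeAddressXYZ123456 I will send the recording to all your contacts and social media friends.
"""

BENIGN_SAMPLE = """Subject: Reminder: team meeting moved
Hi all, the weekly sync is moved to Thursday at 10am. Please update your calendars.
Thanks!
"""

if __name__ == "__main__":
    for label, sample in (("sextortion", SEXTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_email(sample))
```

A filter like this is a triage aid, not a verdict: the "claimed_credential" hit is the one worth acting on, because it means that password has appeared in a breach and should be changed everywhere it was reused, whether or not the rest of the email is bluff.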
What to Do if You Suspect You’re the Victim of a Cyberattack
- First of all, don’t panic. When people panic they tend to have lapses in judgment and make mistakes, which hackers capitalize on.
- Depending on the type of scam (you sent money, blackmail threats), save the email for law enforcement to examine and then contact them for direction as to what to do. If it was a request for passwords or other credentials, you can probably delete it. However, whatever you do, make sure you change your password.
- When you change your password, make sure it is unique. Consider using two-factor authentication (2FA) to make it harder for hackers to gain access to your account. If you’re not sure how to go about creating strong passwords, Google offers a password checkup tool to help. It can be used by going to https://passwords.google.com while logged into your Google account. Also consider using a password manager, which removes the need to create easy-to-remember (and therefore easy-to-guess) passwords.
Protect Yourself and Your Business with Awareness and Training
With so many people working remotely, personal and professional activity is becoming more connected. This makes it incredibly important that your team is able to spot a phishing attack or other scam before a hacker gains access to your business network through operator error. While it is unfortunate when a person gets scammed or their computer becomes infected with malware, it is even worse when it’s your business.
Directive wants to help your team stay at the top of their game. We can evaluate how susceptible your business potentially could be to phishing and our phishing simulation will see who takes the bait. Once complete, we’ll work to educate those who were fooled so they are prepared when the real attack comes.
Social engineering attacks are tough to stop, and cybercriminals are getting more clever every day. You need to make sure your business is prepared to resist their efforts, particularly during the current push for remote working. Reach out to us today to learn more about our phishing simulations and what else you can do to keep your business safe. Call us at 607.433.2200.