I could dedicate, as many others have, thousands of pages to fortifying your network and protecting your data with a myriad of tools that will constantly evolve. These techniques, processes and systems are a must for large organizations with IT staff available 24/7/365. Doing the same in a small organization is close to impossible or simply unaffordable. The complexities and nuances of data and network security are a full-time job and cannot be covered adequately in a short article, so I am going to focus on the one process that yields the most protection under varying attack scenarios.
I’m referring to training your teams on social engineering. The most common attacks involve a combination of techniques. Other than state-sponsored attacks, which use very sophisticated tools to exploit known and unknown vulnerabilities in systems and software such as Windows, ChatGPT, Copilot, Google Gemini, Linux, web servers, e-mail servers, etc., most attacks rely on social engineering to trick users into loading malicious software without their knowledge.
The most prevalent social-engineering attempts will come through e-mail, text messaging, and telephone calls. This method is called phishing, and it refers to a cyber-criminal tricking the recipient into following a link which, unless the system is protected by other controls, will potentially compromise the recipient’s computer or phone and may turn that system into a zombie. A zombie system is one where the attacker has installed a back door so they can take control of the system at any time and use it for anything they wish.
To underscore the urgency of data protection, everyone in the organization should view company and personal data as cash. When cash is missing, it is bound to be noticed, but not so with data, depending on the purpose of the cyber-attack. An attacker can simply copy data without removing or damaging it. Without systems in place to detect potential intruders, you may never know your data has been compromised.
The key is, unfortunately, not trusting anyone. E-mails can be made to look official and appear to come from the purported sender. For example, you may get an e-mail that appears to be from Microsoft, Google, the Social Security Administration, the IRS, a local business, or even from coworkers, customers, or business partners. A few years back it was relatively easy to spot fake e-mails based on the grammar, punctuation and words used. This is not so simple anymore. Just as everyone is using AI for day-to-day work, so are the cyber-criminals and scammers. They are using AI to produce flawless text and e-mails that could fool all but the most paranoid.
What to do? Training. Bring the organization together and explain the importance of cyber security and everyone’s role in maintaining it. Perform random tests where you play the role of the cyber-criminal. Call a couple of times pretending to be someone else and try to extract information from employees. This applies not only to those working with the public. Those not working with the public are at a higher risk of falling for phishing than those who do.
Following are a few examples of phishing and how it is used:
- You, a company employee, get a telephone call from someone claiming to be “Joe” in IT. The caller proceeds to say that they’ve uncovered “unusual activity” on the network and need to verify your password, or your account will need to be shut off (leaving you unable to work). You look at the caller ID on the phone, which shows the company’s main number or an extension in the IT department (information that can be obtained from on-line directories). You may be satisfied that the call is coming from “inside” and is likely real. Once the login and password are surrendered to the cyber-criminal, the conversation will end very politely, and they’ll thank you for your help in combating cyber-crime with a promise to follow up if there are any more issues. Let’s be clear about this: caller IDs can be faked. Not only can they be faked, it is extremely easy to do. You could get a call with a caller ID of “NY Police” or “IT Department” or “Richard Corona” while it originates from anywhere. A few years back I would have said that unless you can recognize the voice of the caller, be wary. Today, the voice can be faked as well. Offer to call back when in doubt. If there is resistance to a call back, do not offer any information.
- Similar to the above, you receive an e-mail that looks and sounds real, claiming there is an overdue amount on something. However, there is no reason for you to be receiving that type of e-mail, since you work in dispatch, not in accounting. Do not even open the e-mail. Forward a screenshot to IT for analysis and then delete it. If you click on any links to “View the Invoice,” you may become the victim of a Trojan Horse, which means that while you are busy looking at a strange invoice, watching a funny animation, playing an online game, etc., the host system is infecting your computer in the background. You may never know that your machine has become a zombie.
- In the same light, text messages can be extremely dangerous. Even though telephones are a little harder to compromise, they are not immune. A zombie phone can compromise all your calls, texts, pictures, the 2-factor authentication used by your banks, etc.
The scary part is that all it takes is one person making one mistake to impact your entire organization. They may not even realize it was a phishing attempt.
The bottom line is the following:
Yes, cyber attacks can and will happen to anyone. There is no minimum company size, specific industry, product or service type, etc. EVERY computer that is compromised becomes useful to cyber-criminals for working their scams. A zombie computer can be a point of access to your entire network or even a jumping-off point to attack others, such as clients and customers (and the attack on other organizations can be traced to you, not the scammer). Everyone must be on alert 100% of the time.
The above is just a peek at how vulnerable organizations are to common phishing attacks (that is why they are so prevalent).
The question then becomes: what can be done to protect against phishing (other than training and vigilance), and, worse yet, how do you contain the network intrusion once someone has been tricked? This is a rather lengthy topic given the myriad purposes of an intrusion and the access gained. Do they want to encrypt all your data and demand a ransom payment for the decryption key? Do they just want to read and maintain access to your data (customers, financials, employees, etc., which can be used later in further phishing attacks)? Do they want to use your system to send e-mails to other unsuspecting users and organizations, particularly partners, clients or employees who will recognize your e-mail as a valid source and fall victim, thereby expanding the cyber-criminal’s reach and capabilities?
Though this is beyond the scope of this short article, it is a topic well worth exploring with a reliable technology partner.
BE AFRAID! BE VERY AFRAID!
Richard Corona
Chief Technology Officer (CTO) at Enterprise Database Corporation (EDC®)
EDC® Co-Founder