The United States Computer Emergency Readiness Team (US-CERT) has issued an alert advising users to be aware of possible malicious activity that seeks to capitalize on recent tragedies. Criminals often use events like this to play on public sympathies and solicit donations to fraudulent "charitable" organizations. Regardless of the direct financial outcome, these scams can result in criminals capturing contact information and login credentials, and in malware infecting the PC or mobile phone.
Earthquakes, tsunamis, the Boston Marathon bombing, and even the death of Robin Williams have all been used by cybercriminals. And they don't limit themselves to tragedies: major political news, holidays, and economic concerns are all on the table. It's a sick reality that these criminals will use everything they can and do anything they like to make you a victim.
We always advise companies to use a layered defense system to protect their networks and users from attacks like this. When combined with ongoing user training, technologies like artificial intelligence and DMARC will go a long way toward keeping people safe. As part of the user training piece, US-CERT recommends the following measures to avoid social engineering and phishing attacks:
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
Don't send sensitive information over the Internet before checking a website's security.
Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic, and take advantage of any anti-phishing features offered by your email client and web browser.
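The URL advice above (watch for spelling variations and swapped top-level domains) is easy to state but hard to apply by eye across hundreds of donation links. The following is an added example, not part of the US-CERT alert or this post, showing how a mail-filter or security team could score links against a small allowlist of known-good charity domains. The allowlist entries and sample URLs are constructed for illustration; the two-label rule for the registered domain is a simplification that ignores the Public Suffix List (so country-code domains like co.uk would need extra handling).

```python
"""Flag donation links whose domain only looks like a trusted charity domain."""
from urllib.parse import urlparse

# Constructed allowlist for the example; a real deployment would load its own list.
TRUSTED_DOMAINS = {"redcross.org", "example-relief.org"}

# Characters scammers commonly substitute for letters; folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname_of(url):
    """Lower-cased hostname of a URL; a bare domain without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registered_domain(host):
    """Naive registrable domain: the last two DNS labels (no Public Suffix List)."""
    parts = host.split(".")
    return host if len(parts) < 2 else ".".join(parts[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return one of: trusted, embedded-brand, tld-swap, lookalike, unknown."""
    host = hostname_of(url)
    reg = registered_domain(host)
    if reg in trusted:
        return "trusted"
    # Brand name used as a subdomain of an unrelated registered domain,
    # e.g. redcross.org.secure-donate.example (the real owner is ".example").
    if any(("." + host + ".").find("." + td + ".") != -1 for td in trusted):
        return "embedded-brand"
    sld, _, tld = reg.rpartition(".")
    folded = sld.translate(HOMOGLYPHS)
    for td in trusted:
        t_sld, _, t_tld = td.rpartition(".")
        if sld == t_sld and tld != t_tld:
            return "tld-swap"          # same name, different TLD (.com vs .net)
        if edit_distance(folded, t_sld) <= 2:
            return "lookalike"         # misspelling or digit-for-letter swap
    return "unknown"


def triage(urls):
    """Map each URL to its verdict; anything not 'trusted' deserves a closer look."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links of the kind that arrive after a disaster.
    for url, verdict in triage([
        "https://www.redcross.org/donate",
        "http://redcross.net/help",
        "https://redcr0ss.org/give",
        "http://redcross.org.secure-donate.example/",
        "https://wikipedia.org",
    ]).items():
        print(f"{verdict:15} {url}")
```

A verdict other than "trusted" is a prompt to verify the link out of band, as the list above recommends, not proof of fraud; "unknown" simply means the domain is not on the allowlist at all.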
For more information on how to protect yourself from these attacks, contact your consultant today.