- Look for red flags such as misspelled words or poor grammar. Consider the relevance of the email, content, and sender. Malicious cyber actors may register look-alike domains designed to make the user believe a message is legitimate. For example, hackers may send an email from “…@stategov.com” in order to mimic the actual domain “…@state.gov.” Private-sector professionals are also advised to confirm that the subject and content of the email are pertinent to all parties involved.
- Confirm that links lead to the intended website and have not been altered. It is easy for hackers to change the destination of a hyperlink while leaving the visible link text unchanged. By hovering the cursor over a link, the user can see the true destination without actually opening the link. Users should be wary of instances in which the displayed text and the actual URL do not have a logical relationship (for example, text that reads like one website while the link points to another).
- Manually navigate to the website by inputting the desired URL into the web browser, instead of clicking on the link directly. Typing in the web address manually may prevent users from being unknowingly re-directed to an unintended website.
- Exercise caution when downloading attachments and while running executable files: Malware has been delivered through malicious decoy documents. When possible, all attachments should be scanned for malware. Additionally, some organizations may decide to limit the privileges of non-admin users so that they cannot run executable files (e.g., those ending in .exe). Running such files could result in malware being introduced onto an organization’s network.
- Exercise caution when prompted for password resets and software updates while overseas: Private-sector security professionals should also be wary of prompts encouraging them to reset their passwords or update their software while traveling or operating overseas. If prompted to reset a password, the user should verify that the URL of the redirect page belongs to the service that holds the account in question. Alternatively, and more cautiously, the user may access the password reset function directly through the service’s website rather than through a link provided via email.
- Use two-factor authentication for all accounts where possible: Two-factor authentication acts as a second layer of security to prevent an actor from gaining access to an account in the event of a compromised password. Private-sector security professionals are also encouraged to set up notifications for authentications and regularly check login records for suspicious login attempts.
- Confirm the URL of websites, especially those requiring credentials: Hackers have demonstrated the ability to create convincing imitation websites in order to push malware and/or collect account information such as usernames and passwords. Providing credentials to a malicious imitation website is particularly damaging if the same username and password are also used on other sites, since that gives the attacker access to those accounts and any more sensitive data they hold.
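The domain and link checks above (look-alike sender domains, link text that disagrees with the real destination, and password-reset URLs that do not belong to the service) can be done programmatically. The following is an added example, not code from the advisory or its sources: it takes the sender header and HTML body of a constructed sample phishing email and reports each mismatch. It assumes `state.gov` as the legitimate domain for the account in question; the sample addresses, URLs and the `198.51.100.7` address are made up for illustration.

```python
"""Flag look-alike sender domains and deceptive links in a suspected phishing email."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the legitimate domain of the service/account the email claims to be about.
EXPECTED_DOMAIN = "state.gov"

# Constructed sample email (not a real message): a look-alike sender, a link whose
# visible text differs from its destination, a link that hides its host behind
# user@host syntax, and one legitimate link.
SAMPLE_SENDER = "Travel Desk <alerts@stategov.com>"
SAMPLE_HTML = """
<p>Your password expires today. Reset it at
<a href="https://login.stategov.com/reset">https://login.state.gov/reset</a></p>
<p>Or view the <a href="http://state.gov@198.51.100.7/travel">travel advisory</a>.</p>
<p>Policy: <a href="https://www.state.gov/travel/">https://www.state.gov/travel/</a></p>
"""

# Visible text that itself looks like a URL or bare hostname, e.g. "www.state.gov/x".
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Return the host a browser would actually connect to, lowercased.

    urlparse treats anything before '@' in the authority as userinfo, so for
    'http://state.gov@198.51.100.7/' .hostname is '198.51.100.7', not 'state.gov'.
    """
    return (urlparse(url).hostname or "").lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it, checked on a label boundary.

    'login.state.gov' passes; 'stategov.com' and 'state.gov.example' fail.
    Caveat: this is not public-suffix aware (it would accept any '*.co.uk' given 'co.uk').
    """
    return host == domain or host.endswith("." + domain)


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From header such as 'Name <user@domain>'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header
    return address.rsplit("@", 1)[-1].strip().lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href: str, text: str, expected_domain: str) -> list[str]:
    """Return the reasons a link looks deceptive (empty list if it passes)."""
    reasons = []
    dest = host_of(href)
    if not belongs_to(dest, expected_domain):
        reasons.append(f"destination host {dest!r} is not under {expected_domain!r}")
    if "@" in urlparse(href).netloc:
        reasons.append("URL carries userinfo before '@', hiding the real host")
    if URL_LIKE_TEXT.match(text):
        shown = host_of(text if "://" in text else "http://" + text)
        if shown != dest:
            reasons.append(f"visible text shows {shown!r} but link goes to {dest!r}")
    return reasons


def audit_email(sender: str, html: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Check the sender domain and every link; return all findings."""
    dom = sender_domain(sender)
    sender_issues = [] if belongs_to(dom, expected_domain) else [
        f"sender domain {dom!r} is not under {expected_domain!r}"]
    parser = LinkExtractor()
    parser.feed(html)
    links = [(href, text, check_link(href, text, expected_domain)) for href, text in parser.links]
    return {"sender": sender_issues, "links": links}


if __name__ == "__main__":
    report = audit_email(SAMPLE_SENDER, SAMPLE_HTML)
    for issue in report["sender"]:
        print("SENDER:", issue)
    for href, text, issues in report["links"]:
        print(f"LINK {href!r} (text {text!r}):", "; ".join(issues) or "ok")
```

Two design points matter here. Using `urlparse(...).hostname` rather than string-matching the URL is what defeats the `https://state.gov@198.51.100.7/` trick, because it returns the host the browser will actually contact. The `endswith("." + domain)` check is deliberately label-bounded, so `stategov.com` and `state.gov.attacker.example` are both rejected even though both contain the legitimate name; a production version would add a public-suffix list so that `domain` is always a registrable domain.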
(Sources: Yonhap, New York Times, USA Today)