by Lim Seng Siew, Director OTP Law Corporation
In the first and second parts, we talked about what is a phishing attack and what to do if you are a victim. In this third part, we will talk about simple steps that you can take to reduce the chances of being a victim of such an attack.
Cyber-hygiene – Prevention (or Reduction) is Better Than Cure
It is impossible to prevent a cybersecurity incident from happening. You can only do so if you have infinite resources, infinite time, and infinite talent. And that is an impossibility. Instead, efforts should be focused on, firstly, making it difficult for a hacker to hack into your system, such that the hacker will move onto other targets, and, secondly, if there is a successful hack to reduce the opportunity for harm.
I have divided the precautions that an organisation can take into 3 baskets:
- The first basket contains simple steps that an organisation can take on its own with minimal or no assistance from IT providers (Simple Steps Basket).
- The second basket is for those steps that an organisation can take with assistance from IT providers if the organisation does not have the in-house know-how to do so (Steps With Assistance Basket).
- And the third basket contains those steps that will require the organisation to work with IT providers as these steps often involve consultation with various stakeholders (Steps With Consultation Basket).
I will deal with the simple steps in this article and leave the other 2 for a later one.
It must be borne in mind that cyber-hygiene is not an IT issue, only for the IT staff to implement. It is an ‘all-of-organisation’ issue. The hacker, using social engineering methods, will not be sending phishing emails to the IT staff of an organisation but to the general staff who are likely to be less aware of cybersecurity issues. Social engineering methods are methods used by hackers to manipulate our emotions such that we stop thinking rationally and start acting on impulse without proper regard to what it is that we are actually doing.
Simple Steps Basket
Have Anti-Virus / Anti-Malware
Anti-virus and anti-malware software are almost similar, and the terms are often used interchangeably. However, there are important differences. Anti-malware generally has a broader coverage then anti-virus with advanced features such as sandboxing and removal of potential malware applications, behaviour monitoring to identify threats based on suspicious behaviour rather than relying on the ‘signatures’ of pre-existing and known threats and is designed to be used in a business environment across the entire organisation. As a result, anti-malware is generally more expensive than a plain vanilla anti-virus software.
It is also important to have the software installed on all potential attack surfaces. An attack surface is all possible points of attack, whether physical or digital, where an unauthorised user can gain access to a system. The digital attack surface encompasses all the hardware and software that is connected to an organisation’s network. These include applications, codes, ports, servers, and websites. The physical attack surface comprises all endpoint devices that an attacker can gain physical access to, such as desktop computers, hard drives, laptops, mobile phones, tablets, Smart TVs and USB drives. Even passwords written on paper and physical break-ins to premises are potential physical attack surfaces.
Update Your Software
All software, even those from well-regarded software companies, have bugs. Some of these bugs can result in serious vulnerabilities to systems where the software is used. Hackers routinely scan for such vulnerabilities and once a vulnerability is found, will attempt to exploit it before the software developer discovers and patches the vulnerability. Updating all your software regularly will reduce the hacker’s opportunity to exploit vulnerabilities in your systems.
Many modern commercial off-the-shelf software have automatic updates, some even have this enabled by default while others require you to manually enable this feature. The general rule is to enable automatic updates with one key exception, if your system uses customised software. Occasionally customised software relies on third-party software libraries. If these third-party libraries are updated and routines relied on by your customised software are depreciated (ie made obsolete), your customised software may suddenly stop working. Responsible developers of customised software will have their own updates to avoid this situation, but it is always prudent to check with them.
Practice Password Hygiene
Passwords enable a user to access important accounts and data, making them an attractive target for hackers. Further, just about everything about passwords is inconvenient, from creating them, remembering them, and using them. On one hand they cannot be too simple otherwise they can be easily cracked. On the other hand, they cannot be too complicated otherwise they will be forgotten. So, some password hygiene tips.
First, use strong passwords. The recommendation is to have at least 12 characters mixing uppercase and lowercase letters with numbers and symbols. Popular these days is to use a passphrase comprising a few words strung together. As such phrases are easier to remember, users are less likely to write them down. An example is a passphrase like “2minutE1@QquiZ”, ie “Two minute Ten Question Quiz”. The Cyber Security Agency (CSA) of Singapore has a webpage (at https://www.csa.gov.sg/gosafeonline/Resources/Password-Checker where you can check the strength of your password. Use it.
Second, use different passwords for different accounts. A big No! No! is using the same password for your personal and corporate accounts. While this may make remembering the passwords difficult, there are tricks that can be used to make this easier. As an example, use a passphrase like “2minutE1gma@QquiZ” for your gmail account and “2minutE1yah@QquiZ” for your yahoo account.
Third, enable and use 2-factor authentication (2FA) wherever possible. Modern 2FAs is as simple as receiving a one-time passcode on your mobile device. Most organisations, including Google and Microsoft, offer 2FA free of charge.
Fourth, do not share your passwords with anyone and do not write them down. If you need to grant temporary access to anyone, change your password to a ‘throw-away’ password. Once the need for that temporary access is over change the password back to a more lasting one. Remember that some systems do not allow you to recycle old passwords. So, you may have to change your password from “2minutE1@QquiZ” to “3minutE1@QquiZ”.
Fifth, do not login to online services over an unsecured wi-fi network. If you are unsure about the ‘free’ wi-fi network, make use of the hotspot feature on your mobile-phone. You can then tether your laptop or tablet to your mobile-phone hotspot.
Sixth, change your passwords regularly. The recommendation is to change them every 90 days. However, many users will find this too troublesome.
Seventh, consider using a password manager. Having a unique password for every account or service that must be changed every 90 days will mean a lot of passwords to manage. Unless you have perfect memory, you will need something to help you remember these complex passwords. The temptation to writing them on a sticky note attached to the back of the monitor should be resisted. Instead consider using a password manager. These secure applications store all your unique passwords and can generate new strong passwords as needed. Many password managers can sync the information across multiple devices so you will never be without the correct password when they are needed. Another great feature many password managers have is website verification. If you click on a phishing link instead of the real one, the password manager will not auto-fill your password.
Learn how to Spot Phishing Scams
Here are some of the signs to look out for to determine if there is a possible phishing scam.
(a) The message has mismatched or misleading information.
One of clearest indicators of a phishing scam is when the information in the message is wrong. As a simple example, the message asks you to confirm your payment instructions to Bank A. However, you do not have any account with Bank A or that you had not issued any payment instructions in the past few days. That message is very likely a phishing scam.
The more sophisticated hackers are more subtle. They will attempt to mislead you into believing that the information you see is genuine. Therefore, you need to examine the information closely.
If the message asks you to click on a link to a website, check the website address carefully. Better yet, re-type the website address into your web browser from a source that you know is correct. Hackers often create phishing websites with web addresses (or URLs) that are visually similar to the genuine websites. This technique is called a homograph attack or script spoofing. A simple example is when the web address substitutes a “0” (ie zero) for an “O” or a “1” for an “l”.
More sophisticated methods substitute either Cyrillic or Greek characters for our usual Latin ones. An example of this is the word “bank” compared with “bаnk”, the first using the Cyrillic character for “a” while the latter is the usual “a” of our Latin character. The Cyrillic letters – а, с, е, о, р, х and у – are those that you should look out for because of their visual similarity to those that we are used to. The latest versions of popular browsers have built-in protection against most homograph attacks.
Sometimes, the link ‘as shown’ in the body of the message appears to be a legitimate one. However, if you click on the link, you will be brought to another website. If you move (or hover) your mouse over the link before clicking, a small window will pop-up showing you the true destination. If the two links (the ‘as shown’ link and the link shown when you hover the mouse) are different, it is a strong indicator of a phishing message.
A similar technique is also used for email addresses, they may look similar to, but are in fact different from an organisation’s official email. Hover your mouse over the email to see the true address. Also check the cc or bcc lists to see if there are any unusual addresses. Unusual emails in such lists is a sign of a ‘man-in-the-middle’ attack. A ‘man-in-the-middle’ attack is when the attacker secretly relays and alters the messages between 2 legitimate parties who believe that they are directly communicating with each other when in fact they are referring to the ‘man-in-the-middle’.
(b) The message uses urgent or threatening language.
Hackers also use urgent or threatening language in their messages. It’s a social engineering trick. Urgency can mean you act before you think. Hackers often use words like “Urgent action required”, “Your account will be terminated”, “This is your boss. Transfer money to me urgently.” The fact that the message is unexpected helps create that sense of urgency. Take your time. There is in fact very few situations when you need to respond to any message immediately.
Other tricks used by hackers to create a sense of urgency include saying that they’ve noticed suspicious activity or login attempts, claiming that there is a problem with your account or payment, saying that you need to confirm some personal or financial information, claiming to be from some government authority who requires you to respond immediately, or issuing some ultimatum.
(c) Promise of attractive rewards
If it is too good to be true, it probably is. Phishing messages often offer amazing deals or rewards, again to encourage you to act before you can think. A recent technique used is to ask you to complete a survey (which will have questions about your personal and financial information) for a chance to win attractive, but not so ‘amazing’ that it would be suspicious, prizes.
(d) Request for confidential information
Nowadays, most organisations do not ask for your confidential information to be sent via unsolicited email or unsolicited calls. If the caller or sender claims to be from your bank and asks for your NRIC number or bank account number, be careful. Inquire further. Most scammers will not be able to respond properly to such inquiries.
On the other hand, it is possible to be over cautious. Banks, as part of their security protocols, often ask you for certain information to verify your identity. So, if the caller asks for such information, is the caller legitimately from the bank or is the caller a scammer? When in doubt, contact the bank directly using the contact information from a legitimate source. Don’t rely on the contact information in the suspicious email.
(e) Unexpected emails & suspicious attachments
Hackers send out millions of emails in the hope that someone responds. Don’t be that one. If you receive an unexpected email and have identified it as a phishing email, do not click on any link or attachment. Instead delete it to prevent any accidental clicking. Also notify your IT provider so that the email address can be added to the organisation’s spam or blocked list.
Training & Keeping up to Date
The final suggestion in this basket is training, not just of the IT staff but also the general staff and senior management. Do the training regularly since people need reminding and hackers keep updating their techniques. Learning how to counter these new techniques is important.
In addition, you should also keep up to date with the latest happenings in the cybersecurity world by checking or subscribing to resources provided by the PDPC, SingCert, and many of the major software or cybersecurity companies. These resources provide information about the latest vulnerabilities or hacks and their solutions or patches.
You will also need to reassess your processes on a regular basis to deal with the newer techniques used by hackers or newly discovered vulnerabilities that have yet to be patched.
In the fourth and final part of this series, we will discuss about the other steps that can be taken to reduce the chances of you being a cybersecurity victim.
If you have a need to seek legal advice on your cybersecurity situation or just require legal assistance in any way, please reach out to us at enquiries@otp.sg or +65 64383922.
