#1. The easiest way to get someone’s password is to ask

Human nature is such that we don’t want to offend someone, so out of an abundance of politeness we often say yes when we want to say no. This includes when someone asks for a password! Hackers know this, so they will just straight-up ask you for it. They do this by sending a constant stream of emails, texts and phone calls asking for your password. DO NOT GIVE IT TO THEM. Any technician who is working on your equipment does not need your password. If they do, they will ask you to log in for them. Never, ever disclose your password to anyone, for any reason. This includes anyone from Decision1. The Decision1 team will NEVER ask for your password. The Decision1 technicians do not need your password to make changes to your computer. If they do require your login, they will ask you to log in for them, while you are present.

#2. Internet Links
Internet links are an easy way to trick you into giving away your credentials. The link text you see on screen does not have to match the place the link will take you; you could be linked to anywhere on the web. An easy way to catch you out is to send you an email with a link, letting you know that there is information you need at this link and that you need to log in to get that information. The link will direct you to a page that looks EXACTLY like your normal login page, where you enter your credentials, immediately revealing your details to the hacker. Before clicking any link, verify that the link is taking you to the URL you expect by hovering over the link with your mouse. This will reveal the true URL you are being directed to. Beware though: hackers are smart and will use domains to trick you, such as nzmicrosoft.com or microsofthelp.com or googlesupport.com, which at first glance can appear legitimate but are not. If you are not sure, pause and ask for help.

#3. Attachments

Attachments can pretend to be documents that they are not, which makes them very dangerous. For instance, you can be sent a document called ImportantDocument.pdf, but because of the way file names can be displayed, that file is in fact ImportantDocument.pdf.exe, which is almost certainly a virus or malware. NEVER open unsolicited or unexpected attachments. If you can’t verify an attachment is legitimate, delete it. Verify an attachment by picking up the phone and calling the sender. We don’t recommend replying to the sender, because if it has come from a malicious actor, they will simply tell you that it is legitimate, when it’s not.

#4. Public Email Addresses. Don’t do it.

A popular way to advertise your business and to generate communications is to publish email addresses on your website. However, this isn’t the best idea; instead we highly recommend that you use a webform, with a captcha, to collect this information.
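To make the link and attachment checks above concrete, here is an added Python example (not from the original post or from Decision1) that flags a link whose visible text names a different host than its real destination, a look-alike domain carrying a brand word such as nzmicrosoft.com, and an attachment name with a decoy extension such as ImportantDocument.pdf.exe. The trusted-domain allowlist, brand word list and sample mail body are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation legitimately links to (assumption).
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "company.co.nz"}
# Brand words that, inside any other domain, suggest a look-alike such as nzmicrosoft.com.
BRAND_WORDS = ("microsoft", "google")
# Extensions that run as programs on Windows; a decoy ".pdf" before one is the classic trick.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "js", "vbs", "msi"}

def registrable_domain(host):
    """Rough last-two-label cut; second-level suffixes like co.nz keep three labels."""
    labels = host.lower().strip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in ("co", "com", "org", "net") else 2
    return ".".join(labels[-n:])

def link_findings(href, text):
    """Reasons a displayed link is suspicious; an empty list means nothing was found."""
    host = urlparse(href).hostname or ""
    dom = registrable_domain(host)
    findings = []
    # The visible text names one host while the href really goes somewhere else.
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
    if shown and registrable_domain(shown.group(0)) != dom:
        findings.append(f"text shows {shown.group(0)} but link goes to {host}")
    # A brand name inside a domain that is not the brand's own.
    if dom not in TRUSTED_DOMAINS and any(b in dom for b in BRAND_WORDS):
        findings.append(f"look-alike domain {dom}")
    return findings

def scan_html(body):
    """Map each href in a simple HTML mail body to its findings (regex, not a full parser)."""
    anchors = re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body, re.I | re.S)
    return {href: link_findings(href, re.sub(r"<[^>]+>", "", text)) for href, text in anchors}

def attachment_findings(filename):
    """Flag ImportantDocument.pdf.exe style names: a decoy extension hiding the real one."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS:
        return [f"double extension, real type is .{parts[-1]} not .{parts[-2]}"]
    return []

# Constructed sample phishing body for a stand-alone run.
SAMPLE_BODY = '<p>Your document is waiting.</p><a href="https://nzmicrosoft.com/login">https://login.microsoft.com</a>'

if __name__ == "__main__":
    print(scan_html(SAMPLE_BODY))
    print(attachment_findings("ImportantDocument.pdf.exe"))
```

The registrable-domain cut is deliberately crude; a mail gateway would use the public suffix list instead.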
The reason for this is that site scrapers are continually searching the web for publicly available email addresses and will use that information to begin a brute-force attack on your network. By publishing this information, you have given them the first piece of your VERIFIED credentials. We have seen this one piece of data used to gain access to the network within a few hours of publishing it. If you absolutely must publish an email address publicly, at least make sure that the published address cannot be used to log in to the network. Instead use generic addresses such as accounts@company.co.nz or sales@company.co.nz that can’t be used to log in to your network. However, use this with caution, because even these addresses can be used very effectively to spoof emails. For instance, if I publish accounts@company.co.nz, then an attacker may create a new Gmail account called companyaccounts@gmail.com and use accounts@company.co.nz as the display name. Emails are then sent immediately to your company staff (usually asking for an invoice to be paid), which look legitimate because the email appears to be coming from a known internal source.

#5. Do they have your credentials already?

It is entirely likely that your credentials have already been hacked. Globally, there are thousands of databases that have been hacked, and the data released into the public arena for anyone to access. This often includes your username and password, at the ready for anyone to try out. This is a very popular way to gain access to your resources, because, as we all know, people re-use their passwords. For instance, your credentials may have been included in the LinkedIn breach (they were breached in 2016 and again in 2021), and you may have changed your password since then, but a hacker can still use those credentials against other websites, such as Facebook, Google, Instagram etc., to see if they still work. And they often do.
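The display-name trick described under #4 can be caught mechanically at the mail gateway or in a triage script. This added Python example (not from the original post or from Decision1) parses the From: header and flags a display name that is itself an address at a different domain than the real sender; it also generalises to a display name that merely mentions the company name while the address sits at an external mailbox. INTERNAL_DOMAINS and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains owned by the organisation (constructed for the example; assumption).
INTERNAL_DOMAINS = {"company.co.nz"}

def sender_domain(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rpartition("@")[2].lower().strip()

def from_header_findings(from_header):
    """Reasons a From: header looks like display-name spoofing; empty list if clean.

    The case from the text: display name 'accounts@company.co.nz', real sender
    companyaccounts@gmail.com. The generalisation also catches a display name that
    merely mentions the company while the address is at an external mailbox.
    """
    name, addr = parseaddr(from_header)
    real = sender_domain(addr)
    findings = []
    if "@" in name:
        # The display name is itself an email address; compare its domain with the real one.
        shown = sender_domain(name)
        if shown != real:
            findings.append(f"display name claims {name.strip()} but mail is from {addr}")
    elif real not in INTERNAL_DOMAINS:
        # Display name drops the company name (first label of an internal domain).
        company_words = {d.split(".")[0] for d in INTERNAL_DOMAINS}
        if any(w in name.lower() for w in company_words):
            findings.append(f"company name in display name but sender domain is {real}")
    return findings

def triage_message(raw):
    """Parse a raw RFC 822 message and return the From: findings."""
    msg = message_from_string(raw)
    return from_header_findings(msg.get("From", ""))

# Constructed sample of the invoice lure described in the text.
SAMPLE_MESSAGE = """\
From: "accounts@company.co.nz" <companyaccounts@gmail.com>
To: staff@company.co.nz
Subject: Overdue invoice

Please pay the attached invoice today.
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_MESSAGE))
```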
You can find out if your credentials have been included in a breach by searching for your email address (or phone number) at www.haveibeenpwned.com. This site maintains a database of all the known data breaches, will search those databases for your email address, and report if your address appears in any of them. We recommend you check this website regularly, and if your email appears in a breach, make sure that you change the password for the website concerned, and make sure that those credentials are not used anywhere else.

https://www.haveibeenpwned.com

Note: Your email or phone number is not collected or stored at this website. It is a well known and secure source of information that you can trust.

In Conclusion:

Keeping your business safe online is imperative these days with the rise of cyber threats. Cyber security is becoming an increasingly complex threat to businesses. If you would like Decision1 to help you with your security, please feel free to reach out to us here.
Author: Victoria Murgatroyd-McNoe has been working in the IT sector helping businesses achieve their technology goals for over 20 years.

October 2022