This Sunday is both Halloween and the end of National Cyber Security Awareness Month – and what better way to mark the occasion than with some cyber security horror stories?
In this blog, we look at three ways in which fraudsters trick victims into handing over their sensitive data. Will you have nightmares over Evil Twins or be scared straight by phishing scams?
Who’s behind the mask?
When you see someone wearing a ghoulish mask on Halloween night, you can rest assured that they’re going trick-or-treating or to a party and are not in fact a serial killer coming to murder you.
But when it comes to cyber security, you can never be as sure that the person behind the mask is as benign.
Picture the scene: you’re walking through the supermarket and you see a 60-inch television on sale. It seems like a good deal, but you want to look at the reviews for it first.
Luckily there’s a Wi-Fi connection nearby. It has the supermarket’s name in the title, so you assume its legitimate and happily create an account to connect.
But little did you know that the connection is controlled by a cyber criminal. They’ve set up a hotspot nearby and imitated the supermarket’s login process in the hope of confusing people and capturing their login details.
These are known as Evil Twin attacks and they can do a lot more than steal your email address. They can also be used to eavesdrop on network traffic and steal any extra data that users input, including their bank details.
The attacker can also see the contents of any files that the victim downloads and could redirect them to bogus sites to trick them into downloading malware.
It can be difficult to spot an Evil Twin, particularly if you’re in a hurry. You should therefore be very careful about connecting to unfamiliar Wi-Fi networks – and if you’re going to access sensitive information or provide confidential records, we recommend using mobile data, which may be expensive but is a lot more secure.
Trick or treat
The most obvious Halloween-related cyber security analogy is to compare phishing scammers and trick-or-treaters.
In both scenarios, the unexpected guest (a sweet-toothed child or an email) appears with a proposition: give us your possessions or you will be made to suffer.
They’re generally more polite than that, but the implication is clear. Both situations depend on the inquirer’s ability to evoke fear, whether that’s the fear of having eggs thrown at your house or the fear of what will happen if you ignore the email.
In many circumstances, phishing emails imply that the recipient’s account will be compromised or something else bad will happen if they don’t comply.
Even phishing emails designed to arouse the victim’s curiosity – such as a special offer or a promotion – engage their fear of missing out.
As such, whether we are reluctant to hand over sweets or our login details, we comply because we see no other option.
But it’s important to recognise the limits of this analogy because it’s only with trick-or-treating that we actually understand what the ‘trick’ and the ‘treat’ are.
Compliance is the best option on Halloween night, because children only threaten to throw toilet roll over your house, not break in and steal your credit card.
So although it’s best to give visitors what they’ve asked for, we would never say the same about suspicious emails. Always take another look to see if anything looks unusual, and get a second opinion if you’re still unsure.
Those who want to know how to detect a phishing email should take a look at our Phishing Staff Awareness Training Programme.
This 45-minute course uses real-world examples to demonstrate what phishing emails look like, how they work and what you should do if you think you’ve received one.
If there’s one cyber security threat that’s keeping business owners up at night, it’s ransomware.
But it’s not just large organisations that need to be concerned. We detected 75 publicly disclosed ransomware attacks in Q3 2021, and that’s just the tip of the iceberg.
There are countless other incidents that will not have been reported because the organisation isn’t legally required to.
Ransomware attacks can cripple an organisation for days or weeks, as it forces them to shut down affected systems until the situation is resolved.
It may be tempting to meet the criminals’ demands, but there’s no guarantee that they’ll keep their word once you’ve paid up, and even if they do, it will take time to get your systems back online.
This is why cyber security experts urge organisations not to pay up and to instead prepare for disaster by establishing an incident response and backup plan.
As Gartner’s latest Emerging Risks Monitor Report demonstrates, organisations are concerned about their ability to respond to an attack, with ransomware being executives’ biggest pandemic-related fear in Q3 2021.
The report also notes that new forms of ransomware are threatening the protections that organisations already have in place. It notes a rise in viruses that remain undetected and infect backup systems, as well as new ways of infecting systems rather than relying on phishing.
“While new models of ransomware attacks are frightening in their own right, the consequences for organizations are even worse,” said Gartner Vice President Matt Shinkman.
“Prolonged operational delays, data loss and exposure, as well as the reputational damage that follows, present potential existential risks to an organization that executives are all too well aware of, especially if the attacks occur as a result of inadequate cybersecurity controls.”