Recognizing and defending against "Cyber Attacks"

At HCG, our number one goal is safety, and not just on a job site! We encourage all of our employees to be as vigilant in their cyber activity as they are on a construction site. With that idea in mind, we wanted to share some of our best internet safety tips with you.

#1 - Don't fall prey to Phishers

Phishing Scam Phishing Scam

A phishing scam is the act of sending email that falsely claims to be from a legitimate organization. Phishing scams are usually combined with a threat or request for information such as: the impending closure of an account; a balance that is due; or that information is missing from an account. The email will ask the recipient to supply confidential information such as bank account details, PINs or passwords. NEVER SUPPLY THIS TYPE OF INFORMATION.

Tips to recognize/prevent a Phishing Scam:

  1. Hover over links in an email and you can see the url. Ask yourself if it looks legitimate. If you doubt it at all, DON'T CLICK!
  2. Always investigate any links in an email to see where they will take before you click; if the link it to a zip file, or a suspicious website, DO NOT OPEN IT.
  3. Look at the from address. Many emails will have an "official" looking logo in the email, but they don't always try to have an official looking email address. If you have any doubts, DON'T CLICK!

Ask an IT professional if you have any questions – it’s better to be safe than sorry!

#2 - Remember the Trojans

A Trojan Horse is a program that appears desirable but actually contains something harmful. It can be a destructive program that masquerades as a benign application, a seemingly useful computer program that contains concealed instructions which when activated perform an illicit or malicious action, or a non-replicating computer program planted illegally in another program to do damage locally when the software is activated. Usually, a pop-up will appear on your screen to try to lure you into clicking the action button (i.e. Remove All, Activate, Scan Now). These appear to be legitimate antivirus applications, but will instead infect your computer. Unless you have asked your anti-virus to perform a scan, these types of pop-ups should not appear.

Tips to recognize/prevent a Trojan Horse program:

  1. Verify that the popup from your Antivirus is really your Antivirus program. If you have TrendMicro on your computer and the popup warning that just came up says "Antivirus 2010" or "Antivirus Protection", DON'T CLICK! Your antivirus should not have a generic name.

#3 - Be careful where you surf

There are many types of drive-by downloads including:

  • A download triggered by scripts etc. on a website, without prompting the user, usually for malicious purposes
  • An incidence of an unwanted program being automatically downloaded to a computer, often without the user’s knowledge
  • A program that is automatically installed in your computer by merely visiting a web site, without having to explicitly click on a link on the page
  • Any download to a computer or device that occurs without the owner’s consent

The most famous example of a drive-by download is the Crypto Locker/Crypto Wall. This attack:

  • Encrypts local files
  • Encrypts server files
  • Is pretty much unbreakable
  • Is installed from a link in an email or from a website

Tips to recognize/prevent a Drive-by Download:

  1. This is a hard one. Since these attacks occur without your knowledge and without having to click on anything specifically, the only way to recognize and/or defend against this type of attack is to practice vigilance in your online activities.
  2. Make sure you type the url of the site you want to visit correctly.
  3. Backup your files regularly. Backup your backup files. And keep those backups in a secure location.

#4 - Watch out for lions

A Watering Hole attack occurs when a hacker manipulates a website that is visited and trusted by members of a target group, usually by placing some form of malware on the website whose sole purpose is to infect the website visitor’s computer. When visiting the manipulated website, devices of the target group are infected which allows the hacker to gain access to the information on the computer/network of the computer that visited the infected website.

Tips to recognize/prevent a Watering Hole attack:

  1. Verify the URL, make sure you're not relocated to a site you don't recognize.

#4 - Keep in touch with your friends

A Social Engineering attack can come from an email, a website and/or a phone call. An email social engineering attack usually comes from a friend (someone you know) who urgently asks for help, usually in the form of money; or an email from a friend that asks you to check out a “way cool link”. However, when you click the link or comply with the email request, you find you’ve been scammed. In the baiting scenario, you’re offered an amazingly great deal that too good to pass up or a link to watch the latest movie free just by clicking here. Finally, there’s the phone call attack where you receive an unsolicited call that asks for personal or company information.

Tips to recognize/prevent a Social Engineering attack:

  1. A great way to prevent this type of attack is to check with your friend in another form of communication to make sure the message has really come from that person.
  2. Check the syntax of the email message…is that how your friend usually talks? Since the hacker doesn’t know how you and your friend usually communicate, he/she probably doesn’t know how to write like your friend, which is a major clue to a scam.
  3. If a deal seems too good to be true, it probably is.
  4. Remember, you are the first line of defense against these attacks, never give your personal information over the phone.
  5. If you think a phone call may be legit, try contacting a trusted source at the suspect company – if you don’t know anyone, try researching the firm and finding another contact number.

#5 - Remember: Free isn't always a great deal

It’s important to know that free WiFi isn’t so free! If you’re using free WiFi, that means other people can use it, too, so you should always assume someone else can be accessing your connection.

Tips to recognize/prevent a WiFi attack:

  1. Never enter confidential information while you’re connected to free WiFi including passwords, banking and credit card information.

Thank you for reviewing our cyber security tips. Remember that the best defenses against any type of cyber attack is you – you can identify suspicious email by verifying links before clicking on them’ not downloading anything you receive from untrusted, unverified source; and generally questioning everything. You should also have a secure firewall in place that scans all incoming traffic, email, web traffic and downloads as well as trusted anti-spam, anti-virus and anti-malware software on your computer. Your company computers should be protected by your IT department, but you can have all those wonderful protection equipment on your home computer. Ask for recommendations on the best software applications, do you research and find one that works for you. Don’t take risks with your personal information – protect yourself and your company!