Protecting yourself or your business from financial fraud

Rob Shapland of Wavenet has hacked his way into hundreds of company IT systems across the world. However, rather than intending to cause mayhem or profit from the theft of confidential data, Rob performs a vital task for businesses in the increasingly sophisticated fight against cybercriminals and fraudsters. As an Ethical Hacker, Rob is invited to find the weaknesses in security systems and advise corporations on how to avoid falling prey to attacks with far worse intentions.

Having benefited from Rob’s expertise ourselves, we invited him to share some simple ways individuals and businesses can protect themselves from phishing, vishing and other attacks all designed to part you from your money.

Phishing and Vishing

UTB – Hi Rob, thanks for coming in. Let’s start with the basics. Can you explain what Phishing and Vishing are and how we can try to avoid falling for them?

Thanks for inviting me. Sure. Phishing and vishing are two of the most common methods cybercriminals use to gain access to sensitive information. Phishing involves the use of fraudulent emails, messages, or websites that appear to be from legitimate sources. These messages often prompt you to click on a link or download an attachment, which can lead to malware installation on your computer or mobile device – malware is a computer program designed to help the criminals – or direct you to a fake website designed to encourage you to input your personal information which they can then steal or use against you.

Vishing, on the other hand, is a form of voice phishing where scammers impersonate legitimate institutions over the phone. They might pose as your bank, credit card company, government agency or even a work colleague, attempting to convince you to divulge sensitive information like passwords or account numbers. Do not divulge any information during a call which hasn’t been initiated by you. Always call the company back on a number you can find on their website or a statement. Do not rely on a phone number given to you by the caller. Even Caller ID can be spoofed, so even if it looks like your bank calling, it may not be.

UTB – How can we protect ourselves?

You have to be vigilant all the time because many of these criminals are very clever and highly organised. Always verify the authenticity of any communication before responding or clicking on links. Contact the organisation directly using a known, trusted telephone number or website link rather than relying on the contact information provided in the message.

Be sceptical of any unsolicited communication, especially if it creates a sense of urgency or pressure or surprisingly good news.

Look out for common signs of phishing and vishing attacks, such as poor grammar, unfamiliar or downright strange sender addresses, and generic greetings like “Dear Customer.”

UTB – Obviously I shouldn’t share my password or security numbers etc with anyone calling or emailing me unexpectedly. What else can I do?

No, definitely not. You should also use strong passwords, not use the same password for lots of websites or applications and, if possible, use multi-factor authentication.

A strong password is your first line of defence against unauthorised access. Unfortunately, many people still use simple, easily guessable passwords like “password123” or “qwerty,” making it easier for hackers to gain access to accounts. A strong password should be complex, unique, and difficult to guess.

UTB – Ok. What makes a strong password?

A good password should be at least 15 characters long. The longer the password, the harder it is to crack. Making it longer and unique is more important than making it complex. For example, most cybercriminals now use computers to crack passwords, and even though your password may be personal to you, it may be very simple to break.

Maggie1 – cracked in around 0.02 seconds

6k5&R*Gz – requires about 20 minutes to crack and difficult to remember!

Ilovegreentomatoes – 99 quintillion years to crack – a very long time!

Actually, you should start to think of passwords more as passphrases. A series of seemingly random words strung together which should still be easy to remember is very difficult to crack.

UTB – What is multi-factor authentication?

Multi-Factor Authentication (MFA) adds an extra layer of security by requiring not just your primary password but an extra form of verification, such as a code sent to your phone or using an authentication app. You should enable MFA on all your accounts whenever possible. Yes, it takes a little longer to log in or transact, but these extra measures mean criminals have another level of security to overcome, and they do keep you safer.

UTB – What can we do to help us stay vigilant?

You can check if a password linked to any of your email addresses has been obtained by a data breach by checking on the website www.haveibeenpwned.com. Check all your email addresses and change the password for that website and any other website that uses that same password.

You should also set up alerts for your financial accounts to notify you of any unusual activity, such as large transactions or changes in account details. And review your accounts regularly to ensure all transactions are legitimate. If you notice any unauthorised activity, report it immediately.

UTB – What can I do if I run a small business?

For small businesses, one of the most significant vulnerabilities comes from within. Employees who are unaware of the risks of financial fraud can inadvertently open the door to cybercriminals. Providing regular training and implementing clear security protocols can help minimise this risk.

If you have a website, ensure all your internet-facing login pages have multi-factor authentication, without exception.

Keep your internet-facing systems up to date with the latest software updates.

Train your staff face-to-face or over video conference in a live session, explaining phishing and vishing attacks with real examples and how they can protect themselves both at home and at work. Phishing and vishing can equally be used to gain access to company IT systems as they can to personal accounts. Fraudsters posing as staff members, often, ironically, as IT support, may try to get you to disclose the information they need to gain access to your secure network.

Encourage staff to check with an IT person if they’re not sure about a message or call they’ve received. Much better to be safe than sorry.

Ensure you have data backups of key systems that are completely separate from your normal network.

Have a plan if it all goes wrong!

UTB – Thank you Rob.

Financial fraud is an evolving threat that requires constant vigilance and proactive measures. By staying informed, being cautious of phishing and vishing, using strong and unique passwords with multi-factor authentication, monitoring your accounts regularly, and educating your employees if you run a business, you can significantly reduce the risk of falling victim to financial fraud.
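The interview describes checking your email addresses on haveibeenpwned.com. The same service also offers a password lookup that a business can build into a sign-up or password-change form without ever sending the password itself: the Pwned Passwords range API at https://api.pwnedpasswords.com/range/<prefix> takes only the first five hex characters of the password's SHA-1 and returns every leaked hash suffix sharing that prefix, so the match is made locally. The Python below is an added example, not code from the original page or from Wavenet. The response bodies, counts and prefix-to-body mapping in CONSTRUCTED_RANGES are made up so that it runs offline (only the SHA-1 of "password" is a real value), and fetch_range_live, breach_count and the other function names are this example's own.

```python
import hashlib
import urllib.request

# --- Constructed sample data (not real API output) -------------------------
# The live service answers GET https://api.pwnedpasswords.com/range/<5 hex chars>
# with one "HASH_SUFFIX:COUNT" line per leaked SHA-1 hash sharing that prefix.
# The bodies below are made up for this example; only the suffix for the
# well-known SHA-1 of "password" is real, and the count beside it is invented.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0027E4A5D5A7D83D7C6C3C4A7A2F0E64A5C:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "7F3D3A0E4E31F4B7A2A5C5B9E2A1D0C8F1B:17\n"
    ),
}
# Constructed body served for any other prefix by the offline stub.
CONSTRUCTED_DEFAULT_RANGE = "00A1B2C3D4E5F60718293A4B5C6D7E8F901:1\n"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_body(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than crash the check
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the HTTP call, serving the constructed bodies above."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), CONSTRUCTED_DEFAULT_RANGE)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network; not used by the offline demo).
    Add-Padding asks the service to pad the response so its size does not
    reveal which prefix was requested."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how many times the password appears in the dataset (0 = not seen).
    Only the first 5 hex characters of the hash leave the machine; the other 35
    are matched locally, so neither the password nor its full hash is sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Run against the constructed data; swap in fetch_range_live for a real check.
    for pw in ["password", "Ilovegreentomatoes"]:
        n = breach_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in constructed sample'}")
```

In a real deployment the sensible policy is to reject any password with a non-zero count at sign-up or password change, and to treat a network failure as "unknown" rather than "safe" so that an outage of the service does not silently disable the check.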

If you would like to know more about the work Rob and Wavenet do to help businesses protect themselves from cyber criminals, you can check out their website HERE