Welcome

You have reached an educational website, maintained under the State of CA Independent Security Assessment program. This content is provided as an educational resource for participants undergoing the State of CA Independent Security Assessment program who have clicked this link.

Imagery Mismatch:

Sometimes phishers will recreate a logo or emblem to include in a message if they feel it will add legitimacy. Typically this only occurs when they are unable to make an existing logo work within their campaign, because recreating one is time consuming, so look for logos that are slightly off from the real thing.

Tip: If something seems wrong, a quick search of Google Images for the company's logo should help you compare.

Links:

Always compare the displayed link address to its actual destination: Whether in an email or on a webpage, never assume that the URL displayed is where the link will take you, or that it belongs to the appropriate organization.
Tip: Take your mouse and place it over this link: www.bankofamerica.com | Now look in the footer of your browser window or at the tool tip (depending on browser). Does it display bankofamerica.com or hackers.xyz? Does the URL belong to the organization it claims to represent? Attackers often register URLs that are similar to real ones to trick you.

Tip: If you are not sure whether the link points to the intended organization, put the domain name (e.g. acme.com, not www.acme.com) into the search box at https://www.internic.net/whois.html to see who registered it.
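As an added illustration of the comparison described above (example code written for this page, not part of the original site), the following Python script walks the anchors in an HTML email body and flags any link whose visible text looks like a web address but whose href points at a different organization. The email body, hostnames and paths embedded in it are constructed for the demonstration, and the "last two labels" rule used for the organization part of a hostname is a simplification (production code would use a public-suffix list).

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of an HTML email body; every href and hostname here is made up.
SAMPLE_HTML = """
<p>Please verify your account:
<a href="http://hackers.xyz/login">www.bankofamerica.com</a></p>
<p><a href="https://www.acme.com/help">Help centre</a></p>
<p><a href="https://acme.com-secure.example/reset">https://acme.com/reset</a></p>
"""


def registrable_domain(host: str) -> str:
    """Crude 'organization' part of a hostname: its last two labels (acme.com).
    Simplification for this example; real code would consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> Optional[str]:
    """Return the hostname if the visible link text looks like a URL or bare domain, else None."""
    candidate = text.strip()
    if " " in candidate:
        return None  # ordinary words such as "Help centre" make no claim about a destination
    if "://" not in candidate:
        candidate = "http://" + candidate  # bare domains parse only with a scheme in front
    host = urlparse(candidate).hostname
    if not host or "." not in host:
        return None
    return host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html: str) -> list:
    """Return the links whose displayed address belongs to a different organization than the href."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = host_of(text)
        if shown is None:
            continue
        actual = urlparse(href).hostname or ""
        if registrable_domain(shown) != registrable_domain(actual):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_HTML):
        print(f"displayed {f['shown']} but the link goes to {f['actual']} ({f['href']})")
```

Running the script reports two of the three links: the one that shows a bank's address but goes to hackers.xyz, and the one whose href uses a lookalike domain (acme.com-secure.example) while the text claims acme.com. The plain "Help centre" link is not reported because its text makes no claim about where it leads.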

Email Content:

Offers too good to be true? Often phishing emails offer impossible-to-obtain items, ridiculous discounts, or very short response windows. This is designed to pressure you into clicking before you think.

Tip: These are the same tactics used throughout time: "I have a bridge in New York; I'll get you a deal on it." You're far more likely to not get what you expect, to be scammed, or to be phished when these types of messages arrive. If you can't resist the deal, at least use what you learned in the Links section to try to validate the sender and site. Consider calling the real organization to verify whether the deal is legitimate.

Grammar and Spelling Errors:

We all make innocent spelling and grammar errors from time to time. Although this sign is less reliable than in the past, look for indications that the email may have been written by someone who is unfamiliar with the language of the message.

Tip: The most common mistakes tend to manifest around gender usage, verb tense, and regional spellings or word usage (e.g. analog vs. analogue; Interpol vs. FBI; etc.).

Message Requests Personal or Organizationally Sensitive Information:

Email is transmitted between mail servers across the internet unencrypted. This means it can be intercepted using a technique called Man-in-the-Middle. Never send sensitive information via email; never ask someone for sensitive information over email!

General Tips:

If someone requests sensitive personal information, use a known valid phone number and call the individual or company.
Never, never, provide your user name to a technical support person over email!
If a technical support person asks for your password, document their name, hang up immediately, and call your Information Security Officer!
Never use information in the email as a source to verify the company or email sender.

Money Transfer Tip:

If you receive an email from a senior executive directing you to immediately transmit organization funds to an account: stop! This is a potential sign of what the FBI terms Business Email Compromise. Always follow your organization's written procedure for transmission of electronic funds. If the request is to an unknown account or otherwise unusual, do not be afraid to confirm the requirement via telephone with the requestor. It is far better to do your due diligence and validate than to explain why you transferred $50,000 to some offshore bank in Bangkok.

Law Enforcement Doesn't Take Gift Cards, Bill via Email, or Use Bitcoin:

The FBI doesn't take gift cards or other electronic media as a form of payment for some misdeed you are being accused of!

Tip: If you receive an email or pop-up that appears to be from a law enforcement agency and requests money, it is malware. Immediately initiate a malware scan both online and offline.
Free is Free - Scrutinize Surcharges or Fees:

A service fee to process your winnings from a contest you never entered should raise a red flag. The old saying "We never get something for nothing" applies here.

Secrecy or Urgency Requirement:

This category applies to two distinct social engineering techniques. First is secrecy; we all want to feel special and trusted. When an email asks you not to share something with others, always ask: would it be typical for me to receive this information from this sender in the course of my normal duties? Second, while short-suspense actions occur in business far too often, they are typically known requirements (reports, evaluations, etc.). Urgency is a typical tactic used to drive users to click before they think.

Tip: If there is unusual secrecy, the content provided is outside your typical scope of duties, or the sender is not someone you would typically deal with, you should be suspicious. Contact your Information Security Officer and seek assistance to validate the sender. If the matter is truly urgent, taking a minute to validate the requirement using a trusted number in your organizational directory won't matter one way or the other.

Email Isn't from an Organizational Account:

There are a couple of different ways phishing campaigns can spoof emails. The easiest method is to get a free email account that is similar to the legitimate one (e.g. bob.smith.acme@gmail.com vs. bob.smith@acme.com). Another method is to set the display name the email shows to something different from the sender's actual address (e.g. from: bob.smith@acme.com (bob.smith.acme@gmail.com)).

Tip: If the email client you use doesn't show the sender's full email address, hover over the sender and it should provide a tool tip that includes the full email address.

General Rules:

Executable File Types: Typically an attacker needs to get a user to launch their malware in order to take over a host; this is referred to as "getting code execution". There are a number of file formats that can host the attacker's malware. The most common formats include files whose names end in one of the following extensions: .bat; .exe; .js; .cmd; .ps; .docm; .doc; .docx; .xlsm; .xls; .xlsx; .ppt; .pptm; .pptx. Unfortunately, Office file formats are in this list. Always use caution when receiving a file from an unverified source.

Tip: If you receive a file with one of these extensions and must open it, ensure it came from a trusted source. Always perform an anti-virus scan of the file prior to launching it. If it is flagged as a virus or malicious, contact your Information Security Officer immediately.
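The two checks described above, the sender's display name versus the real address (Email Isn't from an Organizational Account) and the executable attachment extensions (Executable File Types), can both be automated on a saved message. The following Python script is an added example for this page, not code from the site: it parses a constructed raw message with the standard email library, reports a display name that shows a different address than the real sender or a sender on a public free-mail provider (the provider list is an assumption), and reports attachments whose name carries any of the listed extensions, including double extensions such as Invoice.pdf.exe.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed raw message used only for this demonstration; names, addresses and
# attachment contents are made up (the base64 bodies are a couple of bytes each).
RAW_MESSAGE = b"""From: "bob.smith@acme.com" <bob.smith.acme@gmail.com>
To: alice@acme.com
Subject: Urgent invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please process the attached invoice today.
--XYZ
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--XYZ
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="terms.docm"
Content-Disposition: attachment; filename="terms.docm"
Content-Transfer-Encoding: base64

UEs=
--XYZ--
"""

# The extensions the page lists as able to carry an attacker's code.
RISKY_EXTENSIONS = {".bat", ".exe", ".js", ".cmd", ".ps", ".docm", ".doc", ".docx",
                    ".xlsm", ".xls", ".xlsx", ".ppt", ".pptm", ".pptx"}
# Assumed list of public free-mail providers, for the demonstration only.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def check_sender(from_header: str) -> list:
    """Flag a display name that embeds a different address, and free-mail senders."""
    findings = []
    display, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    embedded = EMAIL_RE.search(display or "")
    if embedded and embedded.group(0).lower() != address.lower():
        findings.append(f"display name shows {embedded.group(0)} but the real sender is {address}")
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses a free-mail account ({address}), not an organizational one")
    return findings


def check_attachments(msg) -> list:
    """Flag attachments whose name carries any risky extension, not just the last one."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = ["." + piece for piece in name.lower().split(".")[1:]]
        hits = [e for e in exts if e in RISKY_EXTENSIONS]
        if hits:
            findings.append(f"attachment {name!r} has executable/Office extension {hits[-1]}")
    return findings


def analyze(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return all sender and attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return check_sender(str(msg["From"])) + check_attachments(msg)


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE):
        print("WARNING:", finding)
```

On the constructed message the script prints four warnings: the display name claims bob.smith@acme.com while the real sender is bob.smith.acme@gmail.com, that sender is on a free-mail provider, Invoice.pdf.exe is an executable hiding behind a .pdf name, and terms.docm is a macro-enabled Office document. Splitting on every dot is what catches the double extension; checking only the final extension would miss a name such as report.exe.txt crafted the other way around.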
Pop-ups = Caution:

If you open a file and receive a pop-up message requesting permission to launch something: Stop - Read, Think! The operating system manufacturers put this warning in place to alert you that an unexpected or privileged access request is pending. Ask yourself, is this normal behavior for this type of file? If you open a Word document and it asks you to launch cmd.exe, freeze; it is likely malware trying to launch.

Tip: If you get a pop-up or unusual prompt from a file once launched, stop and seek service desk assistance before proceeding.

Advanced Techniques (Hunting):

Suspect Processes: If you suspect that something odd is occurring on your system, consider reviewing the running processes for unusual child processes. This assumes you are familiar with what normally runs on your system. Often malware will piggy-back on (hollow) a legitimate process and inject itself so it can spawn a child process to run. While it can take years of experience to be good at this, try using Microsoft Sysinternals Process Explorer to identify odd processes.

Tip: Open Process Explorer | Select Columns | check Verified Signer, Image Path, and VirusTotal | Options | VirusTotal.com | Check VirusTotal.com | wait for the VirusTotal column to update. Any file with a detection count greater than 0/X requires further review (e.g. time-sync-notifier c:\windows\tmp\tdm.exe 3/65).

Suspect Connections:

Another method you can use is to observe the remote connections open on your system in an attempt to detect an executable or connection that appears suspect. Again, this assumes you know what looks right on your host. Get-foreign-connections.ps1.

Tip: This is a PowerShell script that requires an Admin PowerShell console to run properly.
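Get-foreign-connections.ps1 itself is not reproduced on this page. As an added example in the same spirit (not the site's script), the following Python program parses the output of `netstat -ano` on Windows, keeps only ESTABLISHED TCP connections whose remote address is outside the private, loopback and link-local ranges, and maps each one to its owning process via `tasklist`. The netstat and process samples embedded below are constructed (the 203.0.113.0/24 documentation range stands in for an Internet host, and the image path reuses the page's own tdm.exe example); on Windows the script runs the live commands, elsewhere it falls back to the sample so the logic can be exercised offline.

```python
import csv
import ipaddress
import subprocess
import sys

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       916
  TCP    10.0.0.15:49811        10.0.0.2:445           ESTABLISHED     4
  TCP    10.0.0.15:49902        203.0.113.7:443        ESTABLISHED     5120
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     2244
  TCP    [::1]:49750            [::1]:49751            ESTABLISHED     2244
  UDP    0.0.0.0:5353           *:*                                    1840
"""

# Constructed PID -> image mapping standing in for `tasklist` output.
SAMPLE_PROCESSES = {4: "System", 5120: r"c:\windows\tmp\tdm.exe",
                    2244: r"C:\Windows\System32\svchost.exe"}

# Ranges that are never "foreign": RFC 1918, loopback, link-local, unspecified, ULA.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7", "::/128")]


def split_endpoint(endpoint: str):
    """Split 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_foreign(host: str) -> bool:
    """True for a parseable IP address that lies outside every internal range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # '*' or a hostname: nothing to classify
    return not any(ip in net for net in INTERNAL_NETWORKS)


def foreign_connections(netstat_output: str, processes: dict) -> list:
    """Return established TCP connections to foreign addresses, with the owning image."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # headers, blank lines and UDP rows (no state column) are skipped
        _proto, _local, remote, state, pid = fields
        rhost, rport = split_endpoint(remote)
        if state == "ESTABLISHED" and is_foreign(rhost):
            pid = int(pid)
            findings.append({"remote": f"{rhost}:{rport}", "pid": pid,
                             "image": processes.get(pid, "<unknown>")})
    return findings


def live_netstat() -> str:
    return subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout


def live_processes() -> dict:
    """PID -> image name from `tasklist /FO CSV /NH` (image name only, not the full path)."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True, check=True).stdout
    return {int(row[1]): row[0] for row in csv.reader(out.splitlines()) if len(row) > 1}


if __name__ == "__main__":
    if sys.platform == "win32":
        rows = foreign_connections(live_netstat(), live_processes())
    else:
        rows = foreign_connections(SAMPLE_NETSTAT, SAMPLE_PROCESSES)
    for r in rows:
        print(f"PID {r['pid']:>6}  {r['image']:<40} -> {r['remote']}")
```

On the sample this reports a single line: PID 5120, image c:\windows\tmp\tdm.exe, connected to 203.0.113.7:443. The SMB connection to 10.0.0.2 and the loopback connections are filtered out as internal, which is the point of the exercise: the list you have to read by eye is short enough to compare against what you know belongs on the host.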

General Rules:

Generally speaking, people are social beings. We are naturally wired to help each other and share information. This is great when the recipient is good natured and terrible when they are collecting information for social engineering attacks against the network. We can help inhibit social engineering while still assisting our customers by following a few simple steps:

1. Never use your work email on a social media website unless you are directed to by management. If you must provide an email address, ask your IT department to create a distribution list that is generalized to its purpose (e.g. Customer Assistance; Fraud Reporting; etc.).
2. Do not post your phone number on any publicly accessible site. Establish general business unit phone numbers for public sites and provide those instead.
3. Never post your name and email address on any publicly accessible site; this is how spammers and phishing campaigns target users. This includes government-sponsored directories and conference sites.
4. Never like or friend someone unless you verify that you know them, or review their profile to determine whether it is fake. Signs of a fake profile include few known friends, an account created only recently, or few posts over a long period of time.

Separate Professional and Private Identities:

1. Never link or otherwise cross-post between your professional persona and your personal persona. This can lead to social targeting, including techniques called doxing and swatting. These actions are undertaken by hacktivists and other threat actors who may not agree with a position taken by the government, your agency, or yourself. These actions can expose both you and your family to professional and personal safety risks.

2. Never use the same password or recovery pin on both professional and personal sites. A compromise of one can lead to both!

State policy requires agencies to follow a prescribed process when information security incidents occur. Typically, it is each agency's Information Security Officer's (ISO) responsibility to notify the proper authorities. However, regardless of the reporting individual, ALL State of California Agencies, Departments, Boards, Panels, and other entities are required to follow the prescribed process, which includes the following steps:

1. All incidents will be reported within 60 minutes of detection via the:

Note: Using this system meets the requirements to report to both the California Information Security Office (CISO) and the California Highway Patrol (CHP) Computer Crimes Investigation Unit (CCIU). If you have a situation that is Law Enforcement Sensitive or involves an ongoing criminal investigation, contact the California Highway Patrol (CHP) Computer Crimes Investigation Unit (CCIU) directly for guidance.

Mandatory Reporting Categories:

1. Loss or Compromise of State Data or Processing Resources (includes electronic, paper, or any other medium)

2. Criminal Activity - Use of a state information asset in the commission of a crime. This includes situations involving unauthorized access; attacks; inappropriate use; outages or disruptions (> 2 hrs); theft or destruction of government property; and any incident that violates the privacy or information security policies of the agency.

3. Any cybersecurity-related event adversely impacting a state activity that generates local, regional, or national media coverage.

Address: Sacramento, CA

Email: Admin[at]saccounty.online

Phone: 916-854-4623

About:

This site is maintained by the California Military Department - Cyber Network Defense Team as a resource for the Independent Security Assessment (ISA) program.
For more information about the Independent Security Assessment (ISA) program, please visit our Quick Links section.