Posted October 11, 2016
Today’s blog is a guest post from Larry Larsen, Director of Cybersecurity at Apple Federal Credit Union. He discusses NCSAM’s week 2 (Oct. 10-14) theme of creating a culture of cybersecurity in the workplace and the importance of cyber training for all employees. Follow Apple FCU on Facebook to learn more about.
It seems like every time the news comes on, there’s another story about a corporation, department store, or government agency getting breached through their computer networks. Most of the time it’s because somebody fell for a “phishing” scam in their email inbox.
Phishing is effective and criminals can’t get enough.
What exactly IS phishing? Basically, it’s a high-tech form of “social engineering,” which is simply the act of manipulating someone into doing something they shouldn’t be doing, or something that benefits the trickster instead of the victim. Remember how Tom Sawyer fooled his friends into whitewashing Aunt Polly’s fence while he sat back and watched? That was social engineering at its finest.
Phishing is a very effective method for computer criminals to gain access to a target’s networks and information, because it aims to take advantage of the average person’s basic instincts to please, protect, and react out of greed or fear. Many recent scams offer the recipient large sums of money, either from winning a contest, or as fees to assist the sender in some sort of complex international financial transaction. Some of the more common phishing attacks are designed to simply collect your credit card information through bogus online transactions, using famous brand sunglasses or popular travel destinations, all at big discounts, as attractive bait.
Other effective social engineering scams use the telephone to spoof government agencies such as the IRS, or well-known companies like Microsoft, warning the victims that they owe large sums of money, or offering to fix a non-existent infection on their computer. That’s a topic for another time, but let me just confirm it now: the IRS and Microsoft will never, ever, EVER call with such claims and demand money.
The amount of phishing traffic received by an organization on any given day is staggering. At Apple Federal Credit Union, more than 40 percent of our average inbound email traffic is caught by our spam filters as suspicious or malicious, and that number can fluctuate based on what’s happening in the news or around the world. We’ve seen floods of phishing emails following natural disasters, asking for donations and then stealing from those who fall for it, creating a new category of victim. It’s disgusting, but the bad guys know it works.
Since phishing attacks exploit human behavior, the most effective way to protect against it is to modify that behavior. In the financial industry, we have a bit of an advantage in that our members already have the instinct to protect their assets, at least in the real world. They know to lock up their valuables in safe deposit boxes and keep money in their credit union accounts instead of under the mattress. But many haven’t taken the step of extending that attitude to their computers; that’s where we, as security professionals, have to step up to the front of the classroom.
Apple FCU is very big on training and education, for our members as well as our employees from the top down. A recent survey of more than 600 corporate decision makers showed that 60 percent of those respondents felt employees had very little cyber security knowledge, even though they had access to training programs. Apple FCU combats this by educating our employees – even our executives – from the get-go. I teach a monthly class on cyber security for our new hires, using a “train the trainer” approach. We discuss how social engineering works and how to defend against it in the cyber realm, as well as the brick and mortar world of our branches. More importantly, we discuss ways in which we can bring this message to our members, to safeguard them and their families. I’ve even provided guidance to members who have fallen for a scam and don’t know where else to turn.
All of these efforts provide a foundation for our members to start thinking about being as secure online as they feel in our physical branches. Like our grandparents never worried about locking their doors at night, or where the kids were playing after dark, or whether they could trust the girl next door to babysit, nowadays, it’s changed. We all lock our doors and windows, we track our kids on their phones, and we pay for background checks on our caregivers. It’s become second nature, part and parcel of our daily routines.
We must do the same to protect ourselves online. We must stress that message to our members – if you don’t know anyone in the UK, you shouldn’t assume someone there is now giving you money. Do you always pay your taxes and are now confused why the IRS says you owe them? Don’t blindly provide any information. It seems simple, but the bad guys are good at what they do.Trust, as the old man said, but verify.
Established in 1956 by teachers, Apple Federal Credit Union is ranked as a top 100 credit union nationwide, serving more than 180,000 members with $2.1 billion in assets. As a not-for-profit, member-owned financial cooperative, Apple FCU serves a diverse community of local education systems and anyone who lives or works in Fairfax, Frederick (VA) and Prince William counties. Members enjoy competitive rates, as well as fair and honest products and services, within a trusted environment. Apple maximizes membership value by offering mortgages, auto loans, credit cards, checking options, online and mobile access options and an array of other financial services. The Credit Union is fully committed to making a positive impact within the region, not only in financial services, but also in community involvement, financial literacy and charitable giving. To learn more about Apple FCU, visit AppleFCU.org. Federally insured by the NCUA. Equal Opportunity Lender.
You May Also Be Interested In…
- [WHITE PAPER] Four Steps to Effectively Protecting Your Organization from Phishing Attacks
- [DATA FEED] LookingGlass Cyveillance Phishing URL
- [THREAT INTELLIGENCE SERVICE] Phishing Detection
- [SOLUTION] Dynamic Threat Defense