What You Need to Know About Phishing Scams (And How to Avoid Getting Hooked)

We have a tendency to treat our online activity like the safe, convenient space it feels like. Most people just aren’t on guard when surfing the web in their pajamas. The easy connectivity of the digital world can make you think you are anonymous and secure—like you’re watching the world from the security of your home window.

“So much of our lives are lived online,” says Brianna Jensen, identity theft expert at A Secure Life. “It can be easy to develop a false sense of security and to believe it won’t happen to us.” Many people don’t think twice about phishing scams or other forms of theft or crime online until they fall for one. But in this case, ignorance is definitely not bliss.

“Millions of new phishing attempts are launched each week,” says John Biglin, CEO of Interphase Systems. “Most don’t specifically target ‘you,’ but rather target anyone who will fall for it.” Biglin says too many people think they are unlikely to be a target and therefore ignore precautions, whereas phishing attacks are mostly automated and not looking specifically for individual users.

When you know what to look for and treat your online time with certain precautions, you’ll have a better chance of avoiding phishing scams and their fallout. So what are phishing scams specifically? We asked experts in cyber security to share what they wish most people knew about these attacks.

What are phishing scams?

“Phishing scams are the most widely used form of cyber-attack,” says Michael Lester, CISO and chairman of Legacy Armor. Though there are many varieties of phishing, the most common appearance is via email.

It goes something like this—an email appears in your inbox. Maybe your spam filters remove it; maybe they don’t. It is formatted to be something people will want to open. It might sound like it’s from an important financial or education institution. Maybe it appears to be from your boss or someone wanting to hire you. You read the email and it directs you to follow a link. If you click that link, all manner of bad things might happen.

Many phishing scams work by tricking recipients into revealing valuable information, such as social security numbers, credit card information or usernames and passwords. Others work by directing users to a phishing site, which might download malware onto their computers or cause other kinds of cyber mischief.

The average email user might know not to click on suspicious looking links. But since these attacks can be automated and sent in huge waves, the odds increase that someone clicks through and scammers get what they are after.

“It’s the cheapest way to attack and is therefore your largest cyber security risk,” says Dmitri Bulkhukov, CEO of Stealth Mail. Even the stuff that makes headlines, those really serious data breaches, often began with a phishing attack and one person clicking on a link.

“Phishing is one of the most common types of digital crime,” Jensen says. “One major consequence of phishing is identity theft. More than 25,000 victims submitted reports to the FBI in 2017.”

Why are phishing scams such a problem?

Phishing scams are prevalent today for a reason. “They are fast, easy, inexpensive and still yield results,” Lester says. “They play on people’s desires.” Lester runs phishing tests for security and “catches” people by offering free coupons for pizza or flash news updates.

“Phishing attacks can be much, much more sophisticated than you can imagine,” Lester says. “Even security professionals fall for one every now and again.” While email providers try to catch and filter phishing emails into a spam folder, plenty will get through their nets. Lester says a well-designed phishing scam can bypass many common security checks.

“A hyperlink embedded in a PDF that is sent as an attachment may not trigger a scanning system,” he points out. “Clicking on a link initiates contact from inside. This bypasses firewall rules that may block the site if it tried to access your network directly.”

Bulkhukov explains that phishing scams work for two main reasons. First of all, email senders can pretend to be anyone—the CEO of your company, your banker—anyone they think people will respond to. “Second, when an email contains a link to a sale, discount or an interesting piece of content, people can be caught off-guard.”

Phishing scam tactics today

“By now, everyone has probably heard the jokes about Nigerian princes who have millions in hidden funds just waiting to be wired into the U.S.,” says Troy Wilkinson, CEO of Axiom Cyber Solutions. “The reason those phishing scams were so successful and have had so many variations from princes to Nelson Mandela is that people have continued to fall victim.”

But Wilkinson points out that scammers continually refine and tailor their messages—even hiring translators to make the English grammar and colloquial wording more accurate. “And with the onset of social media sites, scammers are able to more carefully craft their victimization techniques.”

So what are some of these techniques? Phishing scams can take on a variety of forms. Knowing about some of them might help you recognize these scams when they appear.

Technical support scams

Phishing schemes might not directly request your personal information, according to Jensen. Sometimes scammers pose as customer support or technical support talking you through a made-up (or even real) problem. In the course of these conversations, they ask for data in order to resolve the issue and take advantage that way.

Man-in-the-browser

“Even savvy computer users might not know about man-in-the-browser (MITB) attacks,” Bulkhukov says. He explains that MITB attacks use a proxy Trojan horse to infect a web browser (e.g., Internet Explorer, Firefox, Chrome), which then materially alters the webpages or transactions when users engage in them. For example, an infected user might enter sensitive transaction information with a bank website—this information is captured by scammers. The MITB exploit would still display accurate transaction confirmation info to the user, but behind the scenes will change the transaction amounts being sent to the bank—this middle layer gives the impression to both bank and user that the transaction was legitimate.

“Some finance professionals actually view this as the greatest threat to online banking,” Bulkhukov says.

Your loved one needs help in an emergency

A popular phishing scam has been going around on Facebook where scammers create fake profiles, befriend friends and family and plead with them to send money because of an emergency, according to Wilkinson. “What parent, grandparent, aunt, uncle or loved one would turn a blind eye to helping a family member in desperate need of assistance?”

In some cases, Wilkinson adds, the accounts might even be genuine because a scammer has gained access to someone’s profile or email.

You’ve been hacked!

“Scammers will often try to scare their victims,” Wilkinson says. “A recent terrible scam trying to trick people out of money involves the use of a real, stolen password along with a threatening email.”

In this email, hackers say they have compromised the victim’s computer, gotten into their webcam and recorded them—or caught them visiting websites that they wouldn’t want people to know about. When they demand money to keep the information secret, victims panic.

Spoofing web domains

A slight misspelling in an email address or a web domain might trick a few victims even if they hover over the link to see the URL it leads to. “Cyber-criminals have gotten good at spoofing email addresses and domains,” Wilkinson says. “For instance, can you spot the difference between ‘www.bankofamerica.com’ and ‘www.baknofamerica.com’? A lot of people will miss the typo in the second one.”
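The lookalike check described above can be automated. The following is an added example, not part of the original article: it compares a link's hostname against a short list of domains you actually use and flags near-misses such as swapped or substituted letters. The `TRUSTED_DOMAINS` list, the function names and the distance threshold are assumptions made for illustration, and the sketch does not consult the public suffix list.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the domains this user really deals with.
TRUSTED_DOMAINS = {"bankofamerica.com", "example.org"}


def osa_distance(a, b):
    """Edit distance where an insert, delete, substitution or swap of two
    adjacent characters each costs 1 (optimal string alignment)."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "nk" typed as "kn".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def normalize_host(url):
    """Return the lowercase hostname of a URL or bare host, without 'www.'."""
    if "://" not in url and not url.startswith("//"):
        url = "//" + url  # let urlsplit treat a bare host as a network location
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_trusted_domain, distance) for a link."""
    host = normalize_host(url)
    if not host:
        return ("invalid", None, None)
    for t in sorted(trusted):
        if host == t or host.endswith("." + t):
            return ("trusted", t, 0)
    nearest = min(sorted(trusted), key=lambda t: osa_distance(host, t))
    distance = osa_distance(host, nearest)
    if distance <= max_distance:
        # Close to a trusted name but not equal to it: treat as suspicious.
        return ("lookalike", nearest, distance)
    return ("unknown", None, None)


if __name__ == "__main__":
    # Constructed sample links, including the article's misspelled domain.
    for link in ("https://www.bankofamerica.com/login",
                 "www.baknofamerica.com",
                 "http://bank0famerica.com/verify",
                 "https://news.example.net"):
        print(link, "->", classify(link))
```

A "lookalike" verdict is a reason to stop and type the real address by hand; an "unknown" verdict only means the domain is not on your list, not that it is safe.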

Phishing beyond email

Phishing scams aren’t exclusively for email, Jensen says. Texts, phone calls, social media—even apps like Skype can put you in the path of a phishing scam. If your bank or a government representative calls you out of the blue, telling you something is wrong and they need information right now—be skeptical and take precautions.

6 smart tips for avoiding phishing scams

Though these scams are extremely prevalent, taking a few precautions and knowing what to look for can help you avoid falling into their trap. Our experts offered some tips.

1. Be wary of emails you weren’t expecting

Since scammers can customize their address to appear legitimate, it’s useful to be skeptical and slow down when you get an email you weren’t expecting, Lester says. “Think before you click. Examine the email. Did you expect it? Do you recognize it?” Lester says if you have any doubts, contact your company’s security department or avoid the email and look up the institution in your browser directly to access an account.

2. Don’t confirm sensitive information online

In general, your banks and credit card companies don’t communicate via email, Jensen says. “You should never be asked to click a link or respond with sensitive info.” And even if it seems convenient, don’t send personal information in an email response.

If you are on a website that is prompting you to fill in financial information, Jensen suggests looking for the lock icon in the URL address bar and advises users never to enter information into a site whose URL doesn’t begin with ‘https’.

3. Keep software updated

Software companies are constantly looking out for weaknesses and updating any problems or loopholes scammers might utilize. “Keep your operating system and other software updated regularly and quickly after critical patches are released,” Biglin says. “And make sure your network firewall, antivirus and antimalware software are both on and updated.”

4. Never click on links or attachments from unknown senders

Sophisticated attackers can use “crypting” to avoid detection by anti-virus programs, according to Bulkhukov. So you can’t entirely rely on phishing emails getting filtered out. Again, be cautious of clicking links, even if the sender looks legitimate. Bulkhukov suggests having a separate email for your business correspondence or banking and your internet subscriptions.

5. Avoid pop-ups

“Many pop-ups act as if they are legitimate, and certainly some are, but many are driven by third-party sources,” Biglin says. This makes them vulnerable to phishing activity. “Do not click ‘OK’ or even ‘Cancel’ because they are both buttons that could have bad links in them.” Instead, close the browser tab or carefully click the “X” in the top right corner—if you’re not sure what to click, force quit your browser with the keyboard commands: [CTRL+ALT+DEL] or [Command+Option+Esc].

6. Slow down

Scammers thrive on creating a sense of urgency in their victims. If you get a phone call or see an email that’s full of urgency, be extremely wary and go slowly. When people react too quickly, they give away information before they’ve had the chance to think.

“If you get an email asking you to send money to someone in trouble, get verbal confirmation that it is really them,” Wilkinson says. “Scammers will try to say that they’ve had their phone stolen or can’t talk, but insist on speaking to them.”

If you get correspondence threatening you or implying that you are in trouble, take enough time to hang up the phone or leave your inbox for a few minutes to research. Wilkinson says you should be inherently suspicious of all emails asking for money, changing your account credentials or deals that sound too good to be true.

Creating security in the digital world

As you can see, a large part of avoiding phishing scams is simply knowing about them. The other essential component is trusting in the security measures software engineers, companies and cyber security experts build to protect you on their platforms.

As phishing scams and cybercrimes get more sophisticated, the world of cyber security is rising up to meet the challenge. But keeping your information safe while still engaging in digital tools is growing more and more important. Check out our article, “What Is Cyber Security? The Facts You Need to Know About This Fast-Growing Field,” to see just how much these professionals take on.




Everything You Need to Know About Becoming a Cyber Security Analyst

For someone who’s interested in technology, cyber security probably sounds like an appealing career focus. The much-faster-than-average projected employment growth and above-average earning potential reported by the Bureau of Labor Statistics (BLS) are enough to catch your attention.1

But when you add in the fact that your work would revolve around building IT defense systems and safeguarding valuable information from some of the world’s worst cyber criminals, it’s hard not to get excited about the cyber security analyst job description.

That being said, you may need some clarification on the details. Even if this career path checks a lot of important boxes, you’ll want to know as much as possible about what you’re getting into and what it takes to become a cyber security analyst.

We dove into the data and secured insider insight from a seasoned expert to help you understand everything you need to know about cyber security analyst jobs and how to get established in this growing field.

Why is cyber security so important?

If you’ve been at all invested in the world of technology, you know cyber security is a big deal. Even the general population can hardly miss the headlines surrounding cybercrime and data breaches. But shockingly, many organizations and individuals are very slow on the uptake when it comes to protecting their own digital security.

“I was surprised at the level of apathy about cyber security decision-makers,” says Greg Scott, author and cyber security expert. “Even after all the headlines, people still say they aren’t carrying national security secrets, and that nobody cares enough about them to attack them.”

In reality, there are loads of ways a hacker can utilize and monetize even the most innocuous information. Through identity theft, intercepting your tax refund or even stealing your health insurance for medical coverage, cyber criminals come up with all sorts of creative ways to profit from information most people don’t take sufficient lengths to protect. This makes everyone a target.

“The public cyber security education gap is larger than the Grand Canyon,” Scott says. “It’s a huge opportunity and a huge threat.” He says one of his favorite parts of working in cyber security is seeing people’s reactions when they realize how vulnerable they are without taking precautions. “The most rewarding times are when the message finally gets through and people’s eyes light up.”

What does a cyber security analyst do?

Cyber security analysts (also called information security analysts) plan and carry out security measures to protect a company’s computer networks and systems, according to the BLS.1 They keep constant tabs on threats and monitor their organization’s networks for any breaches in security.

A typical cyber security analyst job description includes installing firewall and encryption tools, reporting breaches or weak spots, researching IT trends, educating the rest of the company on security—and even simulating security attacks to find potential vulnerabilities.

Cyber security analysts will also plan for trouble, creating contingency plans that the company will implement in case of a successful attack. Since cyber attackers are constantly using new tools and strategies, cyber security analysts need to stay informed about the weapons out there to mount a strong defense.

Additionally, information security professionals may assist in spreading the word and educating members of an organization about security risks and best practices, which makes perfect sense. Even the most technically sound and secure systems can be undermined by a user with the right access level acting foolishly.

Cyber security analyst salary and job outlook

With the prevalence of threats and breaches out there today, it’s no surprise that cyber security jobs are on the rise. What might surprise you is just how fast these opportunities are projected to grow. The BLS projects cyber security analyst jobs to grow 31 percent through 2029, which is more than seven times faster than the average for all occupations!1

This demand translates well when it comes to a typical cyber security analyst salary. The BLS states the median annual salary for these professionals in 2019 was $99,730.1

Important skills for cyber security analysts

Cyber security analysts need a healthy mix of hard and soft skills. We used real-time job analysis software to examine more than 170,000 cyber security analyst jobs posted over the past year.2 This data helped us determine what skills employers are seeking in candidates.

Top technical skills for cyber security analysts2

  • Information systems
  • Linux
  • Network security
  • Python®
  • Project management
  • Information assurance
  • Cryptography
  • NIST Cybersecurity Framework
  • Vulnerability assessment
  • Penetration testing

Top transferable skills for cyber security analysts2

  • Communication
  • Teamwork
  • Research
  • Planning
  • Problem solving
  • Writing
  • Troubleshooting
  • Attention to detail
  • Microsoft Office®
  • Organization

Scott emphasizes that no matter what you bring to the table, acquiring new skills will be a constant in your cyber security analyst career. “Of course your technical know-how is important. If you want success in your career, you’ll learn how to learn for a living,” he says. “But your soft skills—especially your ability to communicate—are equally as important.”

How to become a cyber security analyst

If you’re liking what you’re hearing about the cyber security job description, projected growth and earning potential, the next logical question is “How do you become a cyber security analyst?”

Given that this specialized area of information technology is relatively new, the path to working in this field isn’t quite as clear cut as others. Many information security professionals in the field today started out in more generalized IT roles and made a transition. This route is still pretty common—it makes sense for cyber security analysts to have a strong background in the design and operations of computer networks and systems.

Professionals in this field usually have at least a bachelor’s degree in Cyber Security or a related field, according to the BLS.1 Our analysis of cyber security analyst jobs supports this claim, with 85 percent of employers seeking candidates with a bachelor’s degree.3

Aspiring analysts should know that there are also plenty of information security certifications out there that can boost your credibility with potential employers. Information security certifications, like the Certified Information Systems Auditor® (CISA) and CompTIA® Cybersecurity Analyst (CySA+), are excellent options for verifying your cyber security knowledge.

Analyzing your cyber security potential

Do you think this career matches up with what you are looking for? Cyber security analysts are certainly sought after in the Wild West of today’s digital landscape. If you could see yourself delving into the nuts and bolts of protecting information systems, or if you are the kind of person who could become passionate about the best defenses out there, then this might be the perfect choice for you.

But like any big change, embarking on a cyber security analyst career requires some investment and consideration. Take the next step in your research by checking out our article, “Is a Cyber Security Degree Worth It? The Facts You Can’t Ignore.”

1Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, [career information accessed October 2020] www.bls.gov/ooh/. Salary data represents national, averaged earnings for the occupations listed and includes workers at all levels of education and experience. This data does not represent starting salaries and employment conditions in your area may vary.
2Burning-Glass.com (analysis of 170,700 information security analyst job postings, Oct. 01, 2019 – Sep. 30, 2020).
3Burning-Glass.com (analysis of 117,978 information security analyst job postings by education level, Oct. 01, 2019 – Sep. 30, 2020).

CompTIA Cybersecurity Analyst (CySA+) is a registered trademark of CompTIA Properties, LLC.
Certified Information Systems Auditor (CISA) is a registered trademark of ISACA.
Microsoft Office is a registered trademark of Microsoft, Inc.
Python is a registered trademark of the Python Software Foundation, Inc.

EDITOR’S NOTE: This article was originally published in 2018. It has since been updated to include information relevant to 2020. Insight from Greg Scott remains from original article.


