RSI Security

Tailored Social Engineering

What compels your click?

By now most of us recognize obvious spam emails that invite you to view celebrity gossip news or lure you in via offers of free travel or apps. We know that these sites are just a path to disappointment and headache, with quick clicks that lead your PC down an internet dark alley toward viruses or ransomware.

With every passing year, however, children and new students go online and confront the vastness of the internet, with all the benefits and perils it brings. As such, continued messaging is essential to educate new users of all threats, as well as inform veteran users of emerging and evolving hacker strategies.

Our recent blog on macro-laden MS Office documents addressed how we're all busy and focused on just getting through our day, which might lead to letting our guard down when it comes to infected emails sent from seemingly legitimate sources.

Along with phishing spam, education administrators are saddled with numerous cybersecurity challenges:

These new students are potentially ripe phishing targets given that 1) they've not yet developed a persistent security focus and 2) they can be influenced by persons of authority such as their parents, professors, or school administrators.

As organizations implement a variety of cyber tools and continue to refine security policies, hackers have kept pace. Knowing their potential victims' particular influence points and deploying tailored (vs. wide "spray and pray") messaging, hackers have evolved their methods to more effectively extract confidential information or funds.

If hackers gain access to a student list with any personal attributes, they can rig up legitimate-looking emails with the school logo, the correct professor name, etc., and then request clickthroughs in the name of compliance acknowledgements of school policy, (false) alerts of malware, or the need to review assignments or test grades.

On the corporate side, how many of us really stop to think whether we should open a link sent from our manager, an executive, or HR? It's commonplace now to conduct phishing exercises, but organizations need to progress beyond citing Nigerian 419 scams, easy investments, or other obvious spam scenarios. Busy workers continue to click through to view (false) management performance reviews or changes in HR policy, and to fulfil funds-wiring requests sent by hackers posing as an account holder, without double-checking the authenticity of that request.
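The "correct professor name" and "posing as an account holder" lures above share one mechanical weakness: the display name matches someone the recipient trusts, but the address behind it does not. The script below is an added example (not code from RSI Security or the post's author) of the header checks a mail gateway or SOC triage tool can run before a human ever sees the message. The internal domain, the directory entries, the lure phrases and the two sample messages are all constructed for illustration.

```python
"""Flag inbound mail that impersonates a known internal sender.

Added example, not part of the original post. The directory, domain,
lure phrases and sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and a few directory entries
# (display name -> the only address that name should ever arrive from).
INTERNAL_DOMAIN = "example.edu"
DIRECTORY = {
    "jane doe": "jane.doe@example.edu",   # a professor
    "hr department": "hr@example.edu",
    "pat lee": "pat.lee@example.edu",     # finance / account holder
}

# Constructed: phrases typical of the lures described in the post.
LURE_PHRASES = ("wire", "performance review", "policy acknowledgement", "grades")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Parse one RFC 5322 message and return the impersonation findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    findings = []

    # 1. Display name belongs to someone in the directory, address does not.
    key = name.strip().lower()
    if key in DIRECTORY and addr.lower() != DIRECTORY[key]:
        findings.append("display_name_mismatch")

    # 2. Replies are silently redirected to a different domain.
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply_to_mismatch")

    # 3. Sender domain borrows the organisation's label (example-edu.com).
    label = INTERNAL_DOMAIN.split(".")[0]
    if from_domain != INTERNAL_DOMAIN and label in from_domain:
        findings.append("lookalike_domain")

    # 4. Subject or body carries one of the lure themes.
    if any(phrase in text for phrase in LURE_PHRASES):
        findings.append("lure_phrase")

    return {"from": addr, "findings": findings}


# Constructed sample: a wire-request lure posing as the account holder.
SAMPLE_SPOOF = """From: Pat Lee <pat.lee@example-edu.com>
Reply-To: pat.lee.office@mail.invalid
To: staff@example.edu
Subject: Urgent wire request

Please process this wire before noon and confirm by reply.
"""

# Constructed sample: a genuine internal message from the same person.
SAMPLE_LEGIT = """From: Pat Lee <pat.lee@example.edu>
To: staff@example.edu
Subject: Lunch on Friday

Cafeteria at noon?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SPOOF, SAMPLE_LEGIT):
        result = analyze(sample)
        verdict = "QUARANTINE" if result["findings"] else "deliver"
        print(f"{result['from']:32} {verdict:10} {result['findings']}")
```

None of the four checks needs threat intelligence; they only need the organisation's own directory and domain. A message that trips `display_name_mismatch` together with `lure_phrase` is the exact case the post describes and is worth holding for a second-channel confirmation rather than delivering.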

Lastly, it's not uncommon for IT workers across all verticals to solicit advice from their peers in technical web support groups. Hackers can monitor those groups, distilling info such as real name, email, place of work, etc. From this gleaned public personal info, hackers can then do further research on social media or other platforms to understand your specific areas of interest or security pain points.

Once hackers develop a profile supplemented with your family member names, pet names, city of residence, etc., they now have inside leverage to create spoofed personal messages that resonate with your concerns, intended to lower your guard and ultimately compel your click.

Just as the Art of War counseled military leaders to understand the ways and methods of their enemies, today's internet users have to be vigilant against persistent hacker adversaries. We need to understand what they do so we can limit their understanding of who we are, mitigating social-engineering opportunities. Don't be the low-hanging hack-opportunity fruit on the tree.


About the Author

Eric Haruki is a technology analyst with over 15 years of experience advising global category leaders such as Samsung, Panasonic, HP, & Cisco on product and brand strategy, market competitiveness, and in areas of untapped product and distribution opportunity. He has produced both syndicated and project work, delivering forecasts, SWOT analyses, road maps, and panel survey insights to research customers around the globe. Eric has contributed to major print and television press outlets and has been a featured presenter at industry conferences. He is driven to find insights through extensive market research and deliver concise and actionable solutions to vendors, leading ultimately to the development of valued downstream goods and services to end users.
