Tag Archive for: “Phishing”

A Breakup Letter to Bad Cybersecurity Habits (Featuring Makayla Sileo)

Bad Cybersecurity Habits - Sileo

Cybersecurity habits are a lot like dating – you have to weed out the bad to make room for the good. As we approach National Cybersecurity Awareness Month and my busiest speaking season, my radically creative daughter Makayla (💜) wrote a series of Breakup Letters to all of the bad cybersecurity habits that lead to huge organizational losses and reputational damage. To help protect yourself and your business, here are a few Breakup Letter Beginnings (and my suggestions on how to change the relationship) to get you started: 

Dear Guessable Passwords (Easy Love)

It’s not you, it’s me. I can’t keep blaming you for my mistakes. I was seduced by your simplicity, lured into a false sense of security. Plus, I just love using my puppy’s name as my passcode! You were predictable and I thought I wanted that. But in all honesty, I know now that I am the problem. Starting today, I will make the effort to create long and strong passwords using a password manager to keep cyber criminals out of the middle of our private data.  My newfound confidence will end in better relationships for both of us. So long. 

Dear Re-Used Passcodes (Predictable Love)

I feel like our relationship is lacking the spark it used to have. We both deserve better. I’m looking for a more complex interaction, one that challenges me. So I am leaving you, same-ol, same-ol passphrase, for two-step logins, which will keep even the craftiest of hackers out of the middle of my private relationships. Now that’s what I call a spicy upgrade! Au revoir. 

Dear Phishing Links (Manipulative Love)

I was intrigued by all that you had to offer. I got lost in your charm and smooth ways. I should’ve listened to my gut that screamed “Bad news! Do not engage!” Your calls are the “u up?” texts that I can’t stop answering. You’ve found sneaky ways to get me to pick up and open up and then you use my vulnerabilities against me. I’m done playing your phishy little games. Starting today, I will only engage with links, attachments, and requests that I trust deeply and am expecting. Consider yourself off the hook! 

Dear Free WiFi Hotspots (Convenient Love)

I thought you would always be there for me when I needed you most. I was a romantic once, assuming our connection was a safe one. I can see now that I deserve a partner I can trust over simple convenience. I’m ready to settle down with a soulmate who communicates in safe ways, like using the cellular data connection on our smartphones or demanding that we protect our interests by installing a Virtual Private Network (VPN) on all of our devices. Over and out, Hotty. 

Dear Eavesdropping Smart Devices (Clingy Love),

I think it’s time I go out on my own. Your constant tracking and sharing of my every move and desire has crossed the line. Our connection–once filled with convenience–has become suffocating and invasive. I am reclaiming my freedom. Am I scared to find my way in a world without you? Yes. But I know I am safer navigating life on my own than being stalked by you. Going forward, I promise to actually be smart about how I connect smart devices to the Internet, to change my privacy and security defaults and to limit location and behavior sharing on devices like my smartphone. This, my love, is where I go dark. Night, night.

Dear Gratuitous Social Media Sharing (PDA Love)

Enough with the public displays of affection. I don’t want the general public knowing every detail of my personal life. It’s become too unsettling knowing that nothing is private anymore. If I want to share my triumphs and defeats, I will communicate with you directly, via text, email, or private DMs. You deserve my full integrity, so I am limiting what I share. Duck face no more.

Dear Neglected Software Updates (Missed Love),  

Our relationship has been a rollercoaster of missed opportunities. You–with your security patches and bug fixes–always doing your best to make my life better, while I foolishly ignored your messages. I should’ve known you were there the whole time. Please give me a second chance… I promise to upgrade my software every chance I get from today forward. Because our relationship is all about growth and evolution. Please take me back. 

___________________________

Looking for a creative way to engage your audience to care more about cybersecurity and breakup with their bad cybersecurity habits? Call us directly to learn how John will humorously update your crowd on the latest cyber threats and simple solutions. Call 303.777.3221 or fill out our Contact Form to connect with Sue Bob Dean (yes, that’s a joke), John’s business manager extraordinaire.

John Sileo is a Hall of Fame Keynote Speaker who educates audiences on how cybersecurity has evolved and how they can remain ahead of trends in cybercrime. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s. But John is most proud of being an unforgiving helicopter dad to his two daughters, Sophie and Makayla. 

Why Is Cybersecurity Awareness Training Important?

 

Why is cybersecurity awareness training important? Just as ships rely on lighthouses to steer clear of dangerous rocks, organizations need cybersecurity awareness training to protect their digital assets. By illuminating threats lurking in the dark, awareness training equips employees with the knowledge they need.

As a lighthouse provides illumination for navigation, trainings light the way for employees, executives and boards alike to make informed decisions about cyber defense and identify potential risks. Let’s take a closer look at why cybersecurity awareness training makes all the difference.

7 Sources of Light That Cybersecurity Awareness Training Provides
Cyber Threats Equips employees with the tools to identify, avoid, and stop cyber threats, from malware to ransomware, hackers to fraudsters.
Social Engineering Enables employees to recognize the suspicious, manipulative and malicious behavior of bad actors and respond appropriately.
Sensitive Data Educates employees about the importance of protecting sensitive data and adopting data security best practices as well as the stakes of failing to do so.
Insider Threats Sends a strong message to any potential malicious insiders that the organization is watching, thereby reducing the likelihood and impact of insider threats.
Compliance Ensures employees and executives are aware of their obligations and responsibilities under cybersecurity regulations and standards.
Incident Response Enables employees to respond promptly and appropriately to security incidents to minimize and contain damage.
Human Error Drastically reduces the 60%+ chance that a breach is due to unwitting human error rather than intentionally malicious behavior.

Protection against cyber threats: Cybersecurity awareness training is important because it helps employees understand the various types of cyber threats, such as phishing attacks, malware infections, ransomware, zero-day exploits and social engineering. By educating employees about what may be lurking at sea, they are better equipped to identify and avoid risks, reducing the chances of falling victim to cyber-attacks and identity theft of customer information.

Defense against social engineering attacks: Social engineering attacks involve manipulating individuals to gain unauthorized access to systems or sensitive information. Cybersecurity training raises awareness about standard social engineering techniques, such as pretexting, baiting, or impersonation. This knowledge enables employees to recognize suspicious behavior and respond appropriately, minimizing the chances of falling prey to such attacks.

Protection of sensitive information: Organizations handle a significant amount of sensitive data, including personal, financial, and proprietary information. Cybersecurity awareness training emphasizes the importance of protecting this information and educates employees on best practices such as strong password management, data encryption, secure file sharing, and data classification. Implementing these best practices reduces the risk of data breaches and unauthorized access.

Mitigation of insider threats: Insider threats can be unintentional or malicious, where employees inadvertently or intentionally compromise security. Cybersecurity training helps create a security culture within organizations, promoting responsible behavior and ensuring employees understand their roles and responsibilities in safeguarding sensitive information. It also sends a strong signal that the organization is mindful of insider threats, and is watching closely. By increasing awareness, organizations can reduce the likelihood of insider incidents and their potential impact.

Compliance with regulations and standards: Many industries are subject to specific cybersecurity regulations and standards, such as the General Data Protection Regulation, the Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard. Cybersecurity awareness training ensures that employees know their obligations and responsibilities under these regulations, reducing the risk of non-compliance and associated penalties.

Incident response and reporting: In a cybersecurity incident, employees who have received cybersecurity training are more likely to respond promptly and appropriately. They will know how to report incidents, whom to contact, and how to limit the damage. This quick response can significantly reduce the impact of a cyber-attack and help in the recovery process.

Minimizing human error: Human error is a primary driver behind a massive number of successful cyber attacks. There is no malicious intent in these cases, just a lack of knowledge and proper training. This is one of the easiest, least expensive types of light an organization can shine on their data security.

Practical skills such as recognizing phishing attempts, creating strong passwords, and identifying malicious websites act as a lighthouse, allowing employees to steer clear of danger and make informed choices. Training programs enable them to protect sensitive information and contribute to a safer online environment.

Best Cybersecurity Awareness Training 

The best cybersecurity awareness training can vary depending on an organization’s needs and goals. However, an effective cybersecurity awareness training program includes the following elements:

  • Comprehensive coverage: Training should cover a wide range of cybersecurity topics, including password security, phishing attacks, social engineering, malware prevention, safe browsing practices, and data protection. That’s why lighthouses are more effective than, say, a flashlight haphazardly duck taped to a pole. Range matters.
  • Engaging content: The training should be exciting and interactive to keep participants interested and motivated. This can include videos, quizzes, real-life scenarios, and gamification elements.
  • Regular updates: Cybersecurity threats and best practices evolve rapidly, so the training program should be up-to-date to reflect the latest trends and vulnerabilities. Training programs must regularly update their content to ensure participants have the latest knowledge and techniques to recognize and counter emerging threats.
  • Customization: The training should be tailored to the specific needs and roles of the participants. Different departments may have varying cybersecurity risks and responsibilities, so the training should address these differences.
  • Ongoing reinforcement: Like the beacon on a lighthouse, cybersecurity awareness is not a one-time event but an ongoing, constantly evolving process. The training program should incorporate regular, bite-sized reminders, newsletters, and follow-up sessions to reinforce key concepts and ensure participants retain the knowledge over time.

To help you navigate the turbulent digital seas, award-winning main-stage speaker John Sileo offers comprehensive cybersecurity awareness training that is engaging, cutting-edge, and customized for your needs and goals. With a humorous live-hacking demonstration and powerful lessons learned from losing his business to cybercrime, he connects with your employees and drives home security awareness training that sticks.

John Sileo is an award-winning cybersecurity keynote speaker who has entertained and informed audiences for two decades. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s.

Looking for a customized speech to make your next event unforgettable? Call 303.777.3221 or fill out our CONTACT FORM to connect with Sue, our business manager extraordinaire. She’ll work with you to brainstorm ideas and explore how John can tailor his speech to fit your needs perfectly.

Travel Phishing: If It Seems Fishy, It Might Actually Be Phishy

travel-phishing

It is summertime which means that the beach is calling. Unfortunately, so are travel phishing scammers. 

The change in season brings an influx of travel-based scams and unfortunately, our eagerness to book the next vacation is making us more vulnerable to fraud. 

If there is one thing we know about humans, it is that we love bargains. Especially when it is masked as an all-inclusive buffet + wine tasting + ocean-view deal. 

But booking with caution now will save you a lot of stress later. That way, you won’t be mid-margarita when your bank calls to inform you that your identity was stolen and your child’s college fund just bought a lifetime supply of steak and an alarming amount of inflatable pool flamingos. (Or in my ID theft case, an expensive house in Boca Raton.)

In this article we dive into the hottest scams and how to keep cool this season… 

 How Travel Phishing Scams Trick Us

Email Spoofing Scammers are experts at making emails look genuine by mimicking the logos and formatting of real companies. So double check those emails from travel agencies, airlines, and hotel booking websites.
Social Media Lures This includes fake promotions and contests, influencer impersonation, and malicious downloads disguised as links to exclusive deals or apps.
Vendor Compromise Attacks Scammers may attack travel agencies, booking platforms, or tour operators to gain unauthorized access to sensitive customer information.
HR Department Impersonations and Credential-Harvesting Scams Hackers gather personal info through these conversations to later sell this data to the dark web.
Chat GPT AI is making phishing attempts more convincing and therefore harder to detect.
Urgency and Fear Tactics By putting pressure on victims to take immediate action (“limited time only!”) scammers hope to bypass your critical thinking.
Social Engineering By impersonating customer service representatives or travel agents, hackers may be using emotional and psychological manipulation tactics to request money and/or information.

What You Can Do About Travel Cyberattacks

  1. Be skeptical of unsolicited promotions, contests, or giveaways. Trust your instinct. If it seems fishy, it’s likely phishing.
  2. Stay informed about common travel phishing scams.
  3. Double check website URLS. Make sure it is spelled properly, HTTPS encryption, and trust indicators like padlock symbols.
  4. Enable two factor authentication to travel related accounts. This adds an extra layer of security by sending a code to your mobile device.
  5. Verify account authenticity. Check for verification badges and signs of legitimacy on social media accounts. Cross-check by doing independent research.
  6. Be careful where you click. Web-based threats are getting harder to detect. Take a few extra minutes to research the company before clicking on any links.
  7. Be selective about who you share your personal information with. AI chatbots will steal valuable credentials if you are too quick to trust them.
  8. Don’t use free public wifi or charging stations. Why? Because if something is convenient to you, it likely is convenient to hackers as well. So go ahead and pack that extra battery pack and buy the larger data plan.

So next time you might see a bargain and think “this is too good to be true”, it likely is. Sorry. However, there is hope! Cautious booking means carefree vacationing. By remaining vigilant, staying informed, verifying authenticity, and adopting secure practices, you can navigate the travel landscape confidently, ensuring that your vacations remain moments of joy rather than becoming tales of travel phishing woe. 

Safe travels!

John Sileo is an award-winning cybersecurity keynote speaker who has entertained and informed audiences for two decades. He is proud to have spoken at the Pentagon and Amazon, written four books on cybersecurity, and been inducted into the National Speakers Hall of Fame. He has appeared on 60 Minutes, NBC, ABC, Fox, CNN, Rachael Ray, and Anderson Cooper. John’s work has been quoted and published in The Wall Street Journal, The Washington Post, USA Today, and Kiplinger’s. John’s greatest joy is spending time in the mountains with his amazing wife and adventurous daughters. 

Looking for a customized speech to make your next event unforgettable? Call 303.777.3221 or fill out our CONTACT FORM to connect with Sue, our business manager extraordinaire. She’ll work with you to brainstorm ideas and explore how John can tailor his speech to fit your needs perfectly.

12 Days to a Safe Christmas: Day 10 – Beware the Phony Santa Claus Comin’ to Town

Holiday Security Tips: On the tenth day of Christmas, the experts gave to me, 10 trusted charities

Because you tend to be more giving throughout the holidays, scammers target you during this time of year. Whether they are asking for a donation to a charity, promising free iPads, claiming to be a friend in need, or are asking you to click on something outrageous or out of character, don’t fall for it.

Solution: Keep your eyes open for these common holiday scams

  • Phishing. Thieves, or hackers as they are more commonly known, will send emails that look like they are legitimately sent from a charitable organization when in real-life these are fake web sites that are designed to steal credit card information, donations and your identity. To donate, call or visit the website of a reputable charitable organization.
  • Click Jacking. Click Jacking is a type of social spam. After taking over a friend’s Facebook account, the spammer posts a message on your friend’s Facebook or Twitter page offering free gifts or recommending you donate. Since it looks like a friend has endorsed the post, it’s much easier to fall for the scam. If it’s not believable or out of character, don’t click, as it’s likely to install Malware on your system.
  • Charity or Friends-in-Distress Scams. Never send money (via check, cash or electronically) based solely on a wall post, email or phone call. Only donate to known charities and only when you have initiated the gift. Respond to wall posts, emails or phone calls for charity by contacting the charity on a reputable phone number or website.

The song tells you that you’d better not pout and better not cry; you won’t have to do either if you just watch out! On the eleventh day of Christmas…

To review our tips from previous days, click here.

 

About Cybersecurity Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author, keynote speaker and expert on technology, cybersecurity, and tech/life balance. He energizes conferences, corporate trainings and main-stage events by making security fun and engaging. His clients include the Pentagon, Schwab, and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

Don’t Get Hooked With Phishing Scams

Common Phishing Scenarios:

“Your account has been suspended” or “We suspect fraudulent activity on your account” or “You’ve won a contest” or “We owe you a refund”

If you’ve ever received an email, voicemail or text with a message like one of the above, you know how visceral your reaction can be. And chances are very high that the message is a fake.

Just as fishing is one of the oldest occupations around, phishing is one of the oldest scams around. Ever since email was invented, thieves have been phishing to get your information by cleverly impersonating a business or an acquaintance. They hope to trick you into giving out your personal information or opening a link or an attachment that downloads malware onto your computer so that they can gain access all of your data.

Even though it’s been around for a while, it still works with alarming regularity. Almost 90% of all corporate data breach is the result of a phishing attack.  The ten companies that are targeted most often by phishers are attacked constantly, sometimes more than 1,000 times per month.  It’s always good to have a refresher of how to prevent getting hooked!

What to look for:

  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but may contain a mismatched URL (may vary in spelling like Annazon.com) or the URL contains a misleading domain name. (.com vs. .net). Use the hover technique to verify legitimacy.
  • Beware if you receive unsolicited (or out of character) phone calls, visits, or email messages often with an urgent request or threatening punitive action if you don’t respond.
  • Think twice if a company that seems legitimate asks you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Remember–legitimate companies don’t ask you to send sensitive information through insecure channels.

How to prevent/avoid phishing (It’s a lot, but every single tip matters!)

  • Never open email from an untrusted source and don’t open unexpected email attachments or instant message download links.
  • Don’t trust links in an email. Right click on the link to make sure it’s valid. Better yet, type in the real website address into a web browser.
  • Never give out personal or financial information upon email request.
  • Look carefully at the web address.
  • Be suspicious of unsolicited phone calls, visits, or email messages.
  • Don’t call company phone numbers in emails or instant messages. Check a reliable source such as a phone book or credit card statement.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Only provide personal or financial information through an organization’s website if you typed in the web address yourself and you see signals that the site is secure, like a URL that begins https (the “s” stands for secure). Unfortunately, no indicator is foolproof; some phishers have forged security icons.
  • Report phishing email to reportphishing@antiphishing.org

There is also SMiShing (fraud through SMS on your phone), Vishing (fraudulent voice calls) and Spear Phishing (customized email that appears to be from an individual or business that you know). As soon as a new method of communication is invented, I guarantee the fraudsters will be using it, so there will be a new term for that, too!

One of the most profitable steps you can take inside of your organization is training your people to detect phishing scams. They are a hacker’s first and favorite tool to separate you and your data.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Beware Cyber Security Grinches & Holiday Scams

[youtube https://www.youtube.com/watch?v=gERBwp1o-yE&rel=0]

‘Tis the season to receive holiday scams in your email, on your Facebook page and via text. But you won’t be singing tra la la la la if you click on links that install malware on your computer! More and more of us seem to be conducting our holiday shopping online, and the cyber security Grinches are taking advantage of this new-found holiday convenience. There are several varieties of holiday scams that seem to come around each year.

The first red flag might be the Subject line of the email: “Order Confirmation”, “Acknowledgement of Order”, “Order Status”, “Thanks for Your Order”, “Problem With Your Order”, “Delivery Failure”, “Canceling Your Scheduled Delivery”, etc. It may tell you that an order is ready for you and you just need to click on the link to get the information about how to redeem it. Or, it may play on your fear of not getting a package out before Christmas and say you haven’t provided a correct address – this is a fear-based holiday scam.

Holiday scams usually appear to come from well-known companies, are VERY realistic looking and even use actual logos.

Once you click on the link, however, malware is installed on your computer that may gather email credentials, credit card data, logins and passwords in addition to making your computer a magnet for junk mail. It can also deploy a scanning technology that uses your computer to scan websites for vulnerabilities and then hack them!

Cyber Grinch or Real Deal? How to Tell the Difference…

If you do receive an email, scammy or otherwise, even if you did indeed order from that store, follow these steps:

  1. DO NOT CLICK ON ANY LINKS IN THE EMAIL!
  2. Instead, open your web browser and type in the merchant site and log in to your account (which you had to establish to order from them).
  3. If it the email you received was about a legitimate order, they will provide you with an order or reference number which you can type into their website to verify activity.

In other words, verify that the email is legitimate by going directly to the site; don’t depend on the email. If for some reason you did click on a link that brought you to a website, make sure that you don’t click any more times on that site, and don’t fill out any information that they might be requesting.

(For more solutions to common scams related to the holidays, or really, all year long, check out our entire 12 Days to a Safe Christmas blog series.)

When not protecting readers around the holidays, John Sileo is an an award-winning author and keynote speaker on identity theft, cyber security, internet privacy & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.
[youtube https://www.youtube.com/watch?v=B1st4gzcdLs&rel=0]