LastPass Labs

Recognizing and Avoiding Common Cyber Attacks 

Mike Kosak, August 31, 2023
Like driving a vehicle, accessing the internet in some capacity or another is a necessity for most people. And both activities bring inherent risks. In fact, according to the United States Cybersecurity and Infrastructure Security Agency, one in three homes with computers is infected with malicious software, and 65% of Americans who go online receive at least one online scam offer. But just as you can learn to drive defensively, learning how to identify and avoid cyber attacks can help you protect yourself and your information from malicious cyber actors. While many cyber threats can be automatically mitigated via antivirus services, firewalls, or other protective measures, the most dangerous cyber threats often take advantage of the human element to get around these automated defenses. Some involve direct interaction with the victim (these generally fall under the category of social engineering) and some lay a trap and hope an unsuspecting user takes the bait (for example, bogus apps available in unregulated app stores). We will cover both types of threats and how you can avoid them. We'll also take a look at password reuse, the threat it poses, and how to avoid this mistake.

Social Engineering

Social engineering is a term used to describe a wide variety of malicious activities with a similar, basic approach – engaging a victim directly (either via email, SMS, phone call, or other method) to get them to provide sensitive information or interact with a website designed to infect their computer with malware. While all of these involve leveraging the human element of an attack, the methods and warning signs vary. So, let’s take a look at the main types of social engineering.

Phishing

This is the most common form of cyber attack, with approximately 3.4 billion phishing emails sent every day. These are emails designed to look like they are coming from a legitimate sender and will leverage different topics or approaches, known as “lures,” to try and trick the recipient into engaging with the email. These lures may leverage recent events such as holidays or natural disasters to draw attention, may claim to be from a business stating your account has been compromised, or may include a fake “invoice” for a recent expensive purchase with limited time to contest the charge if inaccurate. These emails are meant to place psychological pressure on the recipient to respond, either out of interest or to ensure that they aren’t the victim of some other fraud.

How you can protect yourself from phishing attacks

Historically, one of the easiest signs to spot a phishing email was poor grammar and spelling. However, with the spread of ChatGPT and other large language models, threat actors can now create very convincing and grammatically accurate emails that are much more difficult to detect. Instead, the best approach is to treat any emails that don’t come from trusted senders with caution – and follow these best practices:
  • Make sure to check the full sender information in any email requesting that you click on a link or call into a customer support center.  For example, you may receive an email from a familiar company, but if you check the sender’s actual email address, it may be coming from a different domain, as in the example below: 
  • Don’t click on any links in emails coming from unrecognized senders. 
  • When in doubt, contact the company that purportedly sent the email directly, and use contact information you separately obtain from the company’s main website to confirm the email is legitimate. 
  • Let your password manager help. If your password manager is set to autofill for known accounts but does not autofill your information for a website you visit, this may indicate a phishing site. 
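The two checks in the list above, the "actual sender domain" check and the password manager's "only autofill on the matching site" behaviour, come down to comparing a claimed identity against the real domain. The following is an added example written for this post, not LastPass code; the brand-to-domain table and all addresses and URLs are constructed, and the host comparison is a simplified stand-in for a real public-suffix match.

```python
"""Two defender-side domain checks from the phishing advice above (constructed example)."""
from email.utils import parseaddr
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allow-list: brand name -> domains that brand actually sends mail from.
# These are assumptions for the example; a real list would be your own.
KNOWN_BRANDS: Dict[str, Set[str]] = {
    "lastpass": {"lastpass.com"},
    "examplebank": {"examplebank.com"},
}


def sender_mismatch(from_header: str) -> Optional[str]:
    """Return the brand name when the display name (or mailbox name) claims a
    known brand but the address domain is not one of that brand's domains."""
    display, address = parseaddr(from_header)
    local, _, domain = address.partition("@")
    claimed = f"{display} {local}".lower()   # text the recipient sees first
    for brand, domains in KNOWN_BRANDS.items():
        if brand in claimed and domain.lower() not in domains:
            return brand
    return None


def registrable_host(url: str) -> str:
    """Host of a URL with a leading 'www.' dropped (crude stand-in for eTLD+1)."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Mimic a password manager's rule: fill only when the current page's host is
    the saved host or a subdomain of it. Lookalike hosts get nothing filled."""
    saved = registrable_host(saved_url)
    current = registrable_host(current_url)
    return current == saved or current.endswith("." + saved)


if __name__ == "__main__":
    print(sender_mismatch('"LastPass Support" <alerts@lastpass-secure.example>'))  # lastpass
    print(sender_mismatch("LastPass <no-reply@lastpass.com>"))                     # None
    print(should_autofill("https://lastpass.com/login", "https://login.lastpass.com/"))    # True
    print(should_autofill("https://lastpass.com/login", "https://lastpass-login.example/"))  # False
```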
Vishing

Vishing is a portmanteau of “voice phishing” and is the verbal equivalent of phishing. These typically involve a threat actor calling a victim and claiming to be from a reputable company, law enforcement, or a tax agency in an attempt to get the individual to provide sensitive information, including credit card or social security numbers, passwords, or financial data.

How you can potentially protect yourself from vishing attacks
  • Allow callers from phone numbers you don’t recognize to leave you a voicemail. 
  • Contact the company or agency the caller is purporting to be from directly to confirm the issue is legitimate.  Call a number posted on the company or agency’s main website rather than calling any number provided by the potential visher. 
Smishing

Smishing is similar to vishing and phishing, but threat actors use SMS messages (texts) to target the victims. Some texts may include links to malicious sites while others may claim to be from a law enforcement agency, a mail or delivery service, or a legitimate company. These text messages may warn you that your account has been hacked and ask that you log in (to a false phishing site) in order to collect your credentials. Another widespread tactic involves the threat actor sending a text to an individual claiming to be a senior leader in the recipient’s workplace asking them to purchase a gift card on their behalf. These texts frequently include the claim that the senior leader is engaged in a meeting, can’t do it themselves, and requests immediate assistance. This last tactic is designed to make the recipient feel a sense of urgency in the hopes they will act without fully processing the potential threat.

How to avoid smishing attacks
  • Don’t respond to or click on any links in unsolicited text messages. 
  • Verify the sender directly before taking any action. 
  • Delete and, when possible, report any smishing messages to your cellular service provider and/or the company the text claims to be from. 

Malicious Applications

Some threat actors develop applications (apps) that resemble known and trusted brands in an attempt to steal information and/or deliver malware to a user’s mobile device or computer. These apps are designed to look identical to the official app and may be difficult to identify. However, there are steps you can take to avoid falling victim to one of these clones: 
  • Only use official app stores like the Apple App Store or Google Play. 
  • Verify the developer of the app. For instance, LastPass lists LogMeIn, Inc. as its developer on the Apple App Store and GoTo Technologies on the Google Play store.  Any other developer or publisher would be an indicator that the app is likely malicious. 
  • Check the app description for grammatical or spelling errors. 

Password Reuse

According to LastPass’ 2022 Psychology of Passwords report, nearly 62% of people reuse some variation of a single password, and even among individuals who had received training on the dangers of password reuse, only 31% of those individuals stopped reusing passwords and 25% started using a password manager. This is particularly dangerous when these passwords are exposed, as threat actors will use these stolen credentials in their attacks; according to the 2023 Verizon Data Breach Investigations Report, 86% of basic web application attacks that resulted in breaches involved the use of stolen credentials. The best thing you can do is to create unique and complex passwords for every account, and you can leverage a password manager to do this. As the move to passwordless authentication gets closer, it’s also best to choose a password manager that can help you seamlessly adopt this new technology.

While cyber threats are everywhere, being aware of the most common types and taking these simple steps to avoid them can help protect you, your family, and your business against data breaches or other cyber attacks.
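The report figure above counts "some variation of a single password", not just exact duplicates, so an audit has to catch Summer2023! next to summer2024 as well as identical entries. The following is an added example, not a LastPass feature or code; the vault contents are constructed, and the normalisation rule (lower-case, then strip trailing digits and symbols) is a simple assumed heuristic for the variations people most commonly make.

```python
"""Audit a constructed password vault for exact reuse and trivial variations (example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample vault: (site, password). Every value here is made up.
VAULT: List[Tuple[str, str]] = [
    ("bank.example", "Summer2023!"),
    ("mail.example", "summer2023"),
    ("shop.example", "Summer2024!!"),
    ("work.example", "x7#Qv9!pLm2@Rt"),
    ("forum.example", "Summer2023!"),
]


def password_base(pw: str) -> str:
    """Normalise a password to the 'base' people tend to vary: lower-case it,
    then drop any trailing run of digits, punctuation or underscores."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def exact_duplicates(vault: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each password used on more than one site to the list of those sites."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault:
        seen[pw].append(site)
    return {pw: sites for pw, sites in seen.items() if len(sites) > 1}


def reuse_groups(vault: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group sites whose passwords are identical or differ only by the
    trailing year/symbol suffix and letter case (the 'variation' case)."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault:
        groups[password_base(pw)].append(site)
    return {base: sites for base, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    print(exact_duplicates(VAULT))  # {'Summer2023!': ['bank.example', 'forum.example']}
    print(reuse_groups(VAULT))      # {'summer': ['bank.example', 'mail.example', 'shop.example', 'forum.example']}
```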