Training for the Evolving Landscape of Online Security Threats
At FinTrust, we take security training very seriously. We want you to know that while dealing with your personal information we hold ourselves to the highest standards of online and offline security. Our IT security infrastructure is state of the art, and we constantly monitor, apply updates, and adapt our strategy based on what is happening in real time. We will continue to use secure email for any correspondence containing your personal information. Download instructions on how to use our Fsecure email.
A big part of our security plan is about training our entire staff on how to recognize online attacks, and what to do when they come across something suspicious. In July, we conducted a mandatory firm learning session. We regularly discuss cyber security at our firm, and we make it a point to be sure that each team member knows exactly how to handle common and uncommon scenarios.
Here are a few of the key learnings from our training. You may find these helpful in your own personal and work security efforts.
1. Do not use public wi-fi.
Public wi-fi includes any wi-fi network that is not a private network at your work or your home. Many of these networks are not password protected, and even if they are protected, the password is typically known by many. Any information you share on these networks can be intercepted by malicious hackers.
Real world scenario: You have your phone set to automatically connect to wi-fi. This is great at your home if you have a password protected private network, but what if you walk into a coffee shop with an unsecured network? While sipping coffee, you do a little shopping online. If you are shopping on a smaller, insecure site over a public wi-fi network, your information can be easily visible to malicious hackers.
What to do: Do not set your phone or laptop to automatically connect to public wi-fi. Use your mobile provider’s network instead. Use the 4G internet connection on your phone to create a password protected hotspot, then connect your laptop to that hotspot. You can also add a VPN to your phone or laptop. This adds a layer of encryption to your connection.
Learn more with this helpful video from ThioJoe:
2. Know how to recognize a Phishing email
In the workplace, your best defense against hacking is being sure that each person knows how to recognize an attack. What may seem obvious can still trick even the best employees if they are very busy or particularly stressed. Some of the latest trends in Phishing scams include: mimicking an email from IT or your network admin, fake emails requesting a password reset, and fake emails that appear to come from document sharing software, specifically Office 365 programs.
Real World scenario: While reading through your 57 new emails on Tuesday morning, you see what looks like a new document shared by a team member. You weren’t expecting this file, but you do regularly share files with this person. You are busy, and you know the person who shared the file is on a call right now, so you go ahead and click the file instead of confirming that the file is actually from them. You are directed to what looks like the Office 365 login page, and you enter your password to view the file.
This is a very common technique that hackers use. They spoof an email from one of your contacts, or they spoof an email from a file sharing program that you use, and they also spoof the landing page. Once you enter your password on the fake landing page, the hacker can then forward you to the real page that you were expecting. You may not even know that you just gave your password to a malicious hacker.
What to do: Never click on a link in an email unless you are 100% sure it is not malicious. Check with the person who sent you the email before opening anything that you weren’t expecting, even if it looks legitimate. Create a workplace culture (like the one at FinTrust) where this is accepted and encouraged. Know what an email from your IT department looks like; if you receive an email that says it is from them but doesn’t look quite right, call them! Never click a password reset email that you didn’t request. Also, if you ever receive an email at home that you weren’t expecting, and it is asking you to click on a link (even if it is from a FinTrust team member), always call the sender to verify the email before you click on the link!
Here’s a great video with real examples from CSO:
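The two tells in the scenario above, a familiar display name sitting on an unfamiliar address and a link whose visible text does not match where it really points, are things a mail filter can check mechanically. The script below is an added example written for this page, not FinTrust’s own tooling. It parses a constructed sample message (the addresses, hostnames and the address book are all made up for the example) and reports each warning sign it finds: a display name that matches a known contact but arrives from a different address, a link whose anchor text names one host while its href goes to another, and any link to a host outside a small trusted list.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message that pretends to be a shared document from a known
# colleague, with a link whose visible text does not match where it actually points.
SAMPLE_EMAIL = """\
From: "Alice Example" <alice@mail-share-docs.example.net>
To: bob@fintrust.example
Subject: Alice shared a file with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Alice shared "Q3 budget.xlsx" with you.</p>
<p><a href="https://login.fintrust-0365.example.net/auth">https://fintrust.sharepoint.com/Q3-budget</a></p>
</body></html>
"""

# Constructed sample of a genuine share from the same colleague, for comparison.
CLEAN_EMAIL = """\
From: "Alice Example" <alice@fintrust.example>
To: bob@fintrust.example
Subject: Q3 budget
Content-Type: text/html; charset=utf-8

<html><body><p>Here is the file:
<a href="https://fintrust.sharepoint.com/Q3-budget">https://fintrust.sharepoint.com/Q3-budget</a></p></body></html>
"""

# Constructed address book (assumption): display names you know, mapped to the
# address each of those people really sends from.
KNOWN_CONTACTS = {"alice example": "alice@fintrust.example"}

# Hosts a genuine document-sharing link is allowed to point at (assumption).
TRUSTED_LINK_DOMAINS = {"fintrust.example", "fintrust.sharepoint.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", "") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def flag_suspicious(raw_message):
    """Return a list of human-readable warning signs found in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display-name spoofing: a name we know, but not the address we know it by.
    display, addr = parseaddr(str(msg["From"] or ""))
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and expected.lower() != addr.lower():
        findings.append(
            f"display name '{display}' matches a known contact but the address is "
            f"{addr} (expected {expected})"
        )

    # 2. Link checks on the HTML body, if there is one.
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        href_host = _host(href)
        # Only compare when the anchor text itself looks like a URL.
        text_host = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but actually points to {href_host}")
        if href_host and not _is_trusted(href_host):
            findings.append(f"link to untrusted host {href_host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(f"{label}: {flag_suspicious(sample) or ['no warning signs']}")
```

The address-book and trusted-host lists are deliberately tiny; in practice they would come from your directory and your file-sharing tenant. The script is a screening aid, not a verdict: a message that passes all three checks can still be a phish, which is why the advice above to call the sender still applies.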
3. Only open emails that you are expecting.
Real World Scenario: Your mom sends you an email asking you to read through a Word document for her. Does your mom usually send you emails with Word documents attached? If she doesn’t, and suddenly you get one from her, it is likely that her email is being spoofed.
What to do: If you receive an email that you are not expecting at work, notify your network administrator. If you receive an email like this in either your work or your personal email account, you should 1) not open the email or open any links or attachments, 2) delete the email from your inbox and trash, 3) change your password, and 4) call the spoofed sender and tell them to change their password as well.