This is the fourth blog in the Cyber Security Awareness Month series; view all here.
Written by Mr. Densmore Bartly, assistant information system security officer at USCG Base National Capital Region (NCR)
Large organizations like the U.S. Coast Guard require a large workforce to successfully carry out day-to-day missions. The large number of people employed puts the Coast Guard at high risk for social engineering attacks. Social engineering is an attack technique that relies heavily on manipulating or tricking people into breaking normal security procedures by divulging sensitive information to unauthorized persons. Cyber criminals frequently use these social engineering techniques in their attempts to acquire information that would allow them to gain access to Coast Guard networks and sensitive information. Two social engineering attacks have been especially successful and are on the increase: phishing and vishing.
Phishing is when cyber criminals use the Internet to impersonate a legitimate business or employee in an attempt to trick you into giving out sensitive information. Phishing attacks are normally carried out using email messages containing web links that will take you to the cyber criminal’s website, where your information can be stolen. The content of the email will be designed to play on your concerns so that you will act without examining the email closely. Stolen information can often consist of your CGOne username and password, which will give an attacker access to Coast Guard networks. Examples of phishing messages include:
“Your computer requires routine maintenance. Please click the link below and confirm your identity and password”, and “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
Vishing, or voice phishing, is the practice of using social engineering over the telephone or voice message to trick call recipients into divulging private personal and financial information or user credentials that will give a cyber criminal access to your network. Often, criminals who use vishing will pose as a tech support member or a known manager in the organization.
Phishing and vishing are among the most successful and costly cyber attacks. Coast Guard reporting of both email and telephonic phishing has increased over the last 12 months. Coast Guard members have received phone calls requesting access to workstations, faxes, and printers. Some cyber criminals go to great lengths to create elaborate and legitimate-sounding stories in hopes of gaining the member’s trust and access to sensitive information. Recent hacks and data breaches of U.S. companies you’ve heard about in the news were successfully conducted using these types of phishing attacks. To reduce the risk posed by these attacks, take the following steps:
- Delete email and text messages that ask you to confirm or provide personal information (credit card and bank account numbers, Social Security numbers, passwords, etc.). Legitimate Coast Guard support personnel won’t ask for this information via email or text. If you’re concerned about a personal account or computer system, call the published number (not the one given in the phishing message) so that you know you are speaking to the legitimate agency.
- Treat all unsolicited phone calls with suspicion. Do not provide any computer system or personal information unless you have validated the caller’s identity and are certain the person can be trusted. If you suspect you are on the phone with someone phishing for sensitive information, record information about the call (including the time, date, name given, purported company name, and reason for the call). Report this information to your Command Security Officer (CSO).
- Follow guidelines in the annual Federal Cyber Awareness Challenge (FCAC) Security training and best practices by looking for required digital signatures on emails with any links or attachments. If in doubt, call the sender to verify the link or attachment. If you see a link in a suspicious email message, don’t click on it. Instead, rest your mouse cursor over the link (but don’t click) to see if the address matches the link that was typed in the message. If you receive a suspicious email, contact the CGCYBER Security Operations Center (CSOC) at: email@example.com (UNCLASS), firstname.lastname@example.org (SIPRNET), or toll free at 866-424-2478.
- Additionally, CG members should use these same mitigation techniques to protect their personal computer, finances, and information. Notify local law enforcement of incidents affecting personal information and accounts and file complaint reports to the Federal Trade Commission and the Internet Crime Complaint Center.
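The hover check in the third step above (does the address the link actually points to match the address typed in the message?) can be automated when a suspicious message is forwarded for review. The script below is an added example, not part of the original post or any Coast Guard tool: it parses an email's HTML body with the standard library and reports every anchor whose visible URL text resolves to a different host than its href. The sample message is constructed for illustration and every domain in it is an example.* placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _looks_like_url(text):
    """True when the visible link text is itself a URL or a bare domain."""
    t = text.lower()
    return bool(re.match(r"^(https?://|www\.)", t)
                or re.match(r"^[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", t))


def find_mismatched_links(html_body):
    """Return the anchors whose displayed URL and real destination disagree."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        if not _looks_like_url(text):
            continue  # "click here" style text: nothing to compare against
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            findings.append({"shown_text": text, "shown_host": shown,
                             "href": href, "actual_host": actual})
    return findings


# Constructed sample message; every domain is an example.* placeholder.
SAMPLE_EMAIL = """
<p>During our regular verification of accounts, we couldn't verify your
information. Please visit
<a href="http://portal-example-mil.verify.example.net/login">
https://portal.example.mil/verify</a> to update your information.</p>
<p>Help desk: <a href="https://help.example.mil/">https://help.example.mil/</a></p>
<p>Or <a href="http://verify.example.net/x">click here</a>.</p>
"""

if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL):
        print(f"shows {f['shown_host']!r} but goes to {f['actual_host']!r}: {f['href']}")
```

Only anchors whose visible text is itself a URL or domain are compared; a link labelled "click here" has nothing to match against and still has to be judged by the hover check or by calling the sender. A leading "www." is ignored on both sides so that a legitimate link is not flagged for that difference alone.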
Phishing via email and telephone is a remarkably effective cyber attack technique, and its use to gain access to secure information and networks is unlikely to decline in the near future. In addition to the above reporting requirements, any incidents involving the USCG Cyber Domain (CG telephone and networks) should be reported through the local chain-of-command security officer and to the CGCYBER Security Operations Center (CSOC). The CSOC will coordinate response actions. No matter how small the situation, always report it. Trend analysis helps CGCYBER prevent and mitigate this type of threat.
Click here for more information on dealing with phishing scams.