If your business is not addressing spoofing in its cyber awareness program, it should be. What is spoofing? According to the Government of Canada Get Cyber Safe website, spoofing is: “a tactic in which a cyber criminal disguises malicious communication or activity as something from a trusted source. Cyber criminals use spoofing to fool victims into giving up sensitive information or money or downloading malware.” Typically, a cyber criminal could spoof an email address, website or phone number.
Any organization can be spoofed. The FBI recently posted a warning that it has observed cybercriminals registering “numerous domains spoofing legitimate FBI websites.” Graham Cluley posted about this in his recent blog: “a user tricked into visiting a lookalike FBI website might be lulled into a false sense of security and mistakenly enter personal information, or be tricked into downloading malicious content onto their computer.” Cluley also posted a list from the FBI of the spoofed domains to help inform users.
This time of year also brings the usual warnings about cyber spoofing, with Black Friday/Cyber Monday sales about to begin. The UK’s National Cyber Security Centre (NCSC) has issued refreshed security guidance for online shoppers, with the warning that “at this time of year, our inboxes are filling up with promotional emails promising incredible deals, making it hard to tell real bargains from scams.” While this warning is from the UK, you can expect to see the same types of scams in Canada, the USA and around the world.
When we think of spoofing, we tend to think of something that affects consumers, i.e., they clicked on a bad link and downloaded malware onto their computer, or they logged into a fake banking app and gave away their credentials. The problem, of course, is that consumers don’t operate in a vacuum. They work for businesses like yours. With many employees working from home due to COVID-19, and the line between workplace device and personal device being blurred, spoofing of this nature can have an impact on your business.
So how do you address the impact? Some basic tenets of cyber awareness training can help. The FBI makes the following recommendations:
- Verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate election websites.
- Ensure operating systems and applications are up-to-date.
- Update anti-malware and anti-virus software and conduct regular network scans.
- Do not enable macros on documents downloaded from an email unless absolutely necessary, and after ensuring the file is not malicious.
- Do not open emails or attachments from unknown individuals. Do not communicate with unsolicited email senders.
- Never provide personal information of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Use strong two-factor authentication if possible, using biometrics, hardware tokens, or authentication apps.
- Use domain whitelisting to allow outgoing network traffic to websites that are deemed safe.
- Disable or remove unneeded software applications.
- Verify that the website you visit has a Secure Sockets Layer (SSL) certificate.
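The first recommendation, checking web addresses for imitations, can be partly automated. The Python below is an added example, not code from this post, the FBI or the NCSC: it compares a host against a constructed allow-list of trusted domains using exact match, confusable-character folding, edit distance and brand-in-label checks. The TRUSTED set, the confusables table and every sample URL are assumptions made for illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit
# Constructed allow-list for this example: your own domain plus sites staff visit.
TRUSTED = {"example.com", "fbi.gov", "getcybersafe.gc.ca"}
# Tiny illustrative confusables table (digits plus a few Cyrillic letters seen in punycode).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a", "\u0435": "e",
               "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i"}

def hostname(url: str) -> str:
    """Lower-case host of a URL or bare domain, punycode (xn--) labels decoded."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode
    return host.lower()

def fold(label: str) -> str:
    """Collapse visual tricks: confusables, 'rn'->'m', 'vv'->'w', hyphens."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    return s.replace("rn", "m").replace("vv", "w").replace("-", "")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> Tuple[str, Optional[str]]:
    """('trusted'|'lookalike'|'unrelated', trusted domain matched or mimicked)."""
    # Naive on purpose: registrable domain = last two labels, tiny confusables
    # table, and short brands such as 'fbi' will produce false positives.
    host = hostname(url)
    for t in TRUSTED:  # the genuine site, or a real subdomain of it
        if host == t or host.endswith("." + t):
            return "trusted", t
    labels = host.split(".")
    seen = fold(labels[-2]) if len(labels) >= 2 else fold(host)  # label users read
    for t in sorted(TRUSTED):
        brand = t.split(".")[0]
        if (fold(".".join(labels[-2:])) == fold(t)                      # fb1.gov, Cyrillic fbi.gov
                or levenshtein(seen, brand) <= (1 if len(brand) <= 4 else 2)  # fbi.com, exampel.com
                or brand in seen                                         # fbi-login.com
                or brand in labels[:-2]):                                # fbi.gov.secure-login.net
            return "lookalike", t
    return "unrelated", None
```

Feed it the links from an inbox or proxy log and review anything that comes back as "lookalike"; the checks are heuristics, so a short brand name will occasionally flag an unrelated site.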