Let us discuss the differences between the viruses of yesteryear and the highly-developed cyber intrusions of today, when we must be on the lookout for sophisticated attacks and those delivered via “social engineering.” How can you best defend yourself? Read on.
COMPUTER VIRUSES
Most manufacturers set up the administrator account on routers with the same username and password for every piece of equipment they sell, so log in and change those before a hacker does it for you.
In a nutshell, a computer virus is a type of malicious code or program written to alter the way a computer operates, and is designed to spread from one computer to another. Viruses need a computer file to act as the host of the virus, and the device receiving said file will become infected with the virus. Typically, viruses are transmitted via email attachments or from websites that may have been unknowingly attacked with malicious code injected onto their pages. After all, the reality is that successful viruses are often spread due to dumb luck or operator error.
Typically, the best way to avoid catching a computer virus includes not clicking attachments to emails without first vetting the source and nature of the attachment. An email from a trusted colleague, but with odd phrasing, is a red flag, as is an email from an unknown source offering attached materials. You should also be wary of clicking on pop-up ads, while using strong passwords, keeping your software up to date and installing some antivirus software.
PHISHING
Phishing is defined as a type of “social engineering” attack often used to steal user data, including login credentials and credit card numbers. Phishing, much like a virus, occurs when “hackers” masquerading as someone you think you can trust spoof an email address or use a legitimate company’s logo to trick victims into opening an email, instant message or text that has an attachment containing a malicious link. The main difference between a virus and phishing is that instead of just slowing down your PC, or showing you annoying pop-up advertisements, phishing can compromise your personal data, leading to such things as identity theft.
SPEAR PHISHING
While phishing is similar to viruses, in that both are transmitted via mass dissemination and playing the odds that a few recipients will infect themselves, spear phishing is much more targeted, aimed at public figures like a celebrity or the CEO of a multinational conglomerate. Phishing attacks can also target employees with specific company email addresses. All the hacker is looking for is a way into the victim’s network, to cause damage throughout the company or their own finances.
RANSOMWARE
While having your identity stolen is definitely something to be avoided, ransomware can literally be a national security issue. If you have poor internet habits when it comes to your personal email at home, there is an excellent chance that you’ll engage in the same behavior at work, which can lead to problems that go far beyond your own personal detriment.
When hackers utilize phishing or spear phishing, a primary goal can be to have the recipient inadvertently install malicious software (malware) on their PC or company network. This malware may then encrypt the victim’s files so their network or PC no longer works. Then, hackers demand a ransom to restore access to the data upon payment. Hackers typically ask for payment via Bitcoin or a gift card.
If you need an example of how serious spear phishing can be, just think back a couple of months ago to the Colonial Pipeline shutdown, or the JBS meatpacking plants hack.
SO, WHAT CAN YOU DO?
You would think that after 30 years of having the internet around, people would know by now that it’s not a good idea to click on suspicious links. But such is not the case. Fortunately, there are additional precautions you can take to prevent being infected:
- If you have an email program that allows you to set a maximum file size for email attachments, use it, and set it low. You can always override the setting if needed.
- If your bank calls you and asks you to verify your account number, hang up. Call the number on the back of your bank card if you are concerned it was a legitimate call, but know that your bank will never ask you for information like that when they initiate the call.
- If the IRS calls and says you owe them money that can be paid via Western Union or a gift card to Target Stores, hang up.
- Update your passwords often—and avoid playing those quizzes you find on social media sites, as many of them are basically fishing for your answers to security questions.
- Be careful about the sites you visit. If you are giving any kind of personal information to them, be sure the page’s URL begins with https:// for peace of mind.
While the above suggestions may seem like common sense to you, these are all security issues that happen daily. However, one of the most important items in maintaining your network security is the Wi-Fi router in your home. Cyber criminals are known to drive through neighborhoods looking for vulnerable routers, and if they find yours, network security can be almost impossible to maintain. Luckily, it is very easy to secure your network from outsiders:
- The most obvious method of maintaining your home’s network security is to create a difficult password to access your network, but beyond that, do not give out your password to visitors; if you must for one reason or another, change your password after they leave. The reality is, you should regularly change said password whether you give it out to others or not.
- Since hackers cruise neighborhoods looking for vulnerable routers, do yourself a favor and hide your router. Most manufacturers set up the administrator account on routers with the same username and password for every piece of equipment they sell, so log in and change those before a hacker does it for you and locks you out of your own router.
- While you are at it, change your network name and hide your network so that it does not appear on the list of available networks. Doing this will require that anyone accessing your network know the exact name of the network in order for it to become visible.
- If your router allows remote access, turn that off. And while this should go without saying, you should ensure your router’s firmware is kept up to date. While one would expect this would be done automatically, when you are changing your password, you should confirm the change has taken effect.
TAKE YOUR GOOD HABITS TO WORK
You can take many of these suggestions to work with you and help keep your business network safe. For instance, if you offer an online shopping cart for customers, you should keep track of things like IP addresses that consistently come up with fraudulent attempted sales. IP addresses will point to the part of the world your “customer” is coming from.
Sometimes it just makes sense to block an entire range of IP addresses. Granted, you might block all of Nigeria due to an inordinate number of fraudulent purchases and as a result miss the two or three legitimate sales, but you must weigh the odds.
Similarly, if you notice that someone is attempting to guess a correct credit card number or the associated Card Verification Value (CVV), it could be in your best interest to block the credit card number, or an entire range of credit card numbers.
Do not hesitate to utilize CAPTCHA on your payments page. While a hacker may use a script to automatically run credit card numbers until it stumbles across one that works, CAPTCHA will require human intervention, which may make it more trouble than it is worth to the hacker.
Finally, keep your software, firmware and patches current. A few months ago, it was revealed that Wi-Fi has had a built-in vulnerability since it was invented in 1997. If that does not convince you to pay attention to your security updates, I am not sure what will. It can be a scary world out there, but hackers rely on the uninformed. Don’t let that be you.
Jonathan Corona has over 15 years of experience in the electronic payments industry. As MobiusPay’s COO, Corona is primarily responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards set forth by the card associations. MobiusPay specializes in merchant accounts in the U.S., EU and Asia. Follow them @MobiusPay on Twitter, Facebook and IG.
