A hard truth: humans are the first and weakest link in the cybersecurity chain. So, it might sound cliché but cybersecurity really is a state of mind – or, perhaps it is better described as a set of behaviors that develop a mindset. Having a vigilant mindset around technology is critical to building good security behaviors to prevent you from becoming a victim of cybercrime or identity theft.
The skeptic’s eye
Good personal cybersecurity requires a familiarity with age-old scams used by hucksters for centuries, and a healthy skepticism about what you see and hear online, over the phone, even in your text messages. Technology might be the new method of delivery, but the psychology, messaging, and manipulation tactics behind social engineering are tried-and-true techniques playing on weaknesses in the human psyche.
There is a short video by IDG TECHTalk on this topic and a longer one, The Dark Arts of Social Engineering, by social engineering expert Jen Fox. Both are worth watching.
Pressing pause
The single best thing you can do when something provokes an immediate reaction (urgency, fear, curiosity, a too-good-to-be-true offer) is to pause. Threats can manifest in a lot of different ways: an email asking for personal information, a phone call from an unknown technical help desk that seems too urgent, a text message notifying you of a package delivery when you have not ordered anything. Each is a moment where you have the opportunity to stop a scam artist or phisher in their tracks, because the manipulation only works if you act before you think.
Imagine a stranger comes knocking on your door asking you to cash a check for them, or they are soliciting your username and password for your bank account. Would you take them down to your bank or let them log in to your account, no questions asked? Or, would you tell them to take a hike? The response you have to a face-to-face encounter should be the same as if you receive an “urgent” email about your bank account, or from someone claiming to be from PayPal, or a text message from “Amazon” saying you have an unclaimed package. The same principles you use in the real world apply when dealing with scammers and fraudsters in the digital world.
For more information on how to identify and report phishing or scam emails, check out the Information Security Office’s Phishbowl.
Dirty passwords
The average American has more than 30 online accounts, according to the breach research website www.haveibeenpwned.com. The most common password of 2020 according to NordPass, which analyzed over 275 million passwords from known breaches, was “123456.” The top 20 list includes other gems such as “picture1” and the ever ubiquitous “password.”
When you add in the all-too-common practice of password reuse, you see a very troubling picture: millions of people with multiple accounts, all using and reusing the worst passwords possible. Reuse is what turns one site’s breach into many: attackers take the leaked username and password pairs and replay them against email, banking, and shopping sites (credential stuffing), so a password that leaks once is compromised everywhere it was used. This is critically poor cyber hygiene on a national level. Updating and strengthening your passwords, and making each one unique, is perhaps the most impactful thing you can do to strengthen your personal cybersecurity.
Cleaning up
Cleaning up the login credentials on your accounts is the first line of defense against an attack or compromise. Password managers are your best friend here, and all Bobcats get a free premium personal account with LastPass, an industry-leading password manager whose vault is encrypted on your own device with a key derived from your master password, so the company itself cannot read it. LastPass will help you collect, analyze, and strengthen the passwords on any account you store in the vault, flagging weak, reused, and breached ones. Additionally, it can help manage your online identity and payment information and monitor for your credentials appearing on the dark web.
The very next thing to do is begin changing passwords on your most important accounts and store them in your password manager. This will be a process, but once it is done, you will have peace of mind, and a stronger personal security posture.
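The “analyze” step a password manager performs can be done by hand, and seeing how it works shows why a breach check does not require handing your passwords to anyone. The following is an added example, not code from the Information Security Office, LastPass, or Have I Been Pwned. It implements the k-anonymity range lookup that the Pwned Passwords service uses: only the first five characters of the password’s SHA-1 hash are sent, the service returns every suffix it knows for that prefix, and the match is made locally. The network call is replaced by a constructed, offline stand-in with made-up breach counts, and the sample vault contents are likewise constructed; the function and variable names are this example’s own.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for a breach corpus. The real Pwned Passwords service
# answers GET https://api.pwnedpasswords.com/range/<PREFIX> with one
# "SHA1SUFFIX:COUNT" line per match; the counts below are made up for this example.
CONSTRUCTED_LEAKS: Dict[str, int] = {
    "123456": 24_000_000,
    "password": 3_700_000,
    "picture1": 370_000,
    "Bobcats2020!": 12,
}


def sha1_range_parts(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of a password into the 5-character range
    prefix that goes over the wire and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_fetch_range(prefix: str, seen: List[str] = None) -> str:
    """Offline substitute for the HTTP call: returns every constructed leak whose
    hash shares the 5-character prefix, plus one filler line, in the service's format.
    `seen` (optional) records what was sent, to show nothing but the prefix leaves."""
    assert len(prefix) == 5, "only a 5-character prefix should ever be sent"
    if seen is not None:
        seen.append(prefix)
    lines = []
    for pw, count in CONSTRUCTED_LEAKS.items():
        p, suffix = sha1_range_parts(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    # Filler entry so every range looks populated, as the real service's ranges do.
    filler = hashlib.sha1(("filler-" + prefix).encode()).hexdigest().upper()[5:]
    lines.append(f"{filler}:1")
    return "\r\n".join(lines)


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by uppercase suffix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus. Neither the password
    nor its full hash leaves the machine; only the 5-character prefix does."""
    prefix, suffix = sha1_range_parts(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def audit_vault(vault: Dict[str, str], fetch_range=fake_fetch_range) -> Dict[str, dict]:
    """For each account in an {account: password} mapping, report the breach
    count and which other accounts reuse the same password."""
    by_password: Dict[str, List[str]] = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    report = {}
    for account, pw in vault.items():
        report[account] = {
            "pwned": breach_count(pw, fetch_range),
            "reused_with": sorted(a for a in by_password[pw] if a != account),
        }
    return report


if __name__ == "__main__":
    # Constructed vault contents for the demonstration.
    vault = {
        "email": "123456",
        "bank": "123456",
        "campus": "Bobcats2020!",
        "forum": "M7$k!pq2Xv9#wL0r",
    }
    for account, findings in audit_vault(vault).items():
        print(f"{account:8} pwned={findings['pwned']:>12,} reused_with={findings['reused_with']}")
```

Swapping `fake_fetch_range` for a real HTTP GET of `https://api.pwnedpasswords.com/range/` followed by the prefix is the only change needed to run this against the live service; the privacy property is the same, since the service learns one of roughly a million hash prefixes and nothing else.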
Finally, set up multi-factor authentication (or MFA) on as many accounts as you are able. Bobcats are enrolled in Duo MFA by default, and the Duo Mobile app can also hold the one-time-code accounts for any of your other online services that support MFA. When you enroll, save the backup (recovery) codes each service offers and keep them somewhere safe, such as your password manager. The secret that generates your one-time codes lives on the phone itself, so if you switch phones without backing the app up, the new phone cannot produce valid codes and you will be locked out of your accounts, facing a lengthy reset process. Registering more than one factor (for example, a second device or a hardware key) avoids this complication.
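The lockout problem above comes down to one fact: the authenticator app holds a per-account seed, and the six-digit code is computed from that seed and the current time. Whatever device holds the seed produces the right code; a device that never received it cannot. The following is an added example, not code from Duo or the Information Security Office, and it assumes the third-party accounts use the standard TOTP mechanism (RFC 6238, HMAC-SHA1, 30-second steps) that authenticator apps support for other services. The seeds and timestamp used in the demonstration are constructed; the function names are this example’s own.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (time // step)."""
    return hotp(secret, unix_time // step, digits)


def seed_from_base32(text: str) -> bytes:
    """Decode the base32 seed shown in a site's QR code or 'enter key manually' box.
    Apps accept it lowercase, with spaces or dashes, and without '=' padding."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Server-side check that accepts the current step and `skew_steps` either
    side, so a phone clock a few seconds off still works. Constant-time compare."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def codes_agree(seed_a: bytes, seed_b: bytes, unix_time: int) -> bool:
    """Two devices produce identical codes exactly when they hold the same seed;
    a new phone that was never given the seed cannot generate a valid code."""
    return totp(seed_a, unix_time) == totp(seed_b, unix_time)


if __name__ == "__main__":
    # Constructed seeds for the demonstration, not any real account's secret.
    enrolled = seed_from_base32("JBSWY3DPEHPK3PXP")
    now = 1_700_000_000
    old_phone = enrolled                                    # has the seed
    new_phone_restored = enrolled                           # seed restored from backup
    new_phone_fresh = seed_from_base32("GEZDGNBVGY3TQOJQ")  # different seed: locked out
    print("restored phone matches old phone:", codes_agree(old_phone, new_phone_restored, now))
    print("fresh phone matches old phone:   ", codes_agree(old_phone, new_phone_fresh, now))
    print("server accepts old phone's code: ", verify_totp(enrolled, totp(old_phone, now), now))
    print("server accepts fresh phone's code:", verify_totp(enrolled, totp(new_phone_fresh, now), now))
```

The recovery codes a service hands out at enrollment are independent of this seed, which is why they still work after the seed is lost; treating them as part of the account’s credentials and storing them in the password manager is the cheap insurance.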
Staying safe
Phishing attacks and scams are everywhere. They work, they create real victims, and they take many different forms: phishing emails, tax and Social Security phone scams, vehicle warranty expiration voicemail scams, and the ubiquitous Amazon and UPS delivery notification texts with phishing links. Phishing has become persistent, growing in volume each year, and attackers are getting better and better at making convincing fakes.
Being able to identify scams and phishing can help keep you from becoming a victim of fraud or identity theft. Thankfully, these attacks can be disrupted by keeping our emotions in check when we encounter messages designed to trigger our most exploitable behaviors. Securing our devices and accounts with the right safeguards and managing our reactions to those messages is our best bet for staying safe in an evolving security landscape.
Joel Ausanka Reese is an IT Projects Coordinator in the Information Security Office.