Episode notes
Stay vigilant and protect yourself from cybercriminals. Join Caleb Cole (Manager of Information Security) and Daniel Gowing (Information Security Analyst) as they discuss how to spot social engineering attacks and defend against them.
[00:00:00] Welcome back to the Sound Cents Podcast. I'm Jessica Quindlen. Today we have part two of our cybersecurity conversation, diving into social media, smishing and phishing. Enjoy.
Jessica Quindlen: What are some of the common signs for phishing emails and how can people verify that an email is legitimate and not fall victim to a scam?
Caleb Cole: That's a tough one.
Daniel Gowing: I'd say if you asked me five years ago, things would be like misspelled words, poor grammar.
Jessica Quindlen: Email addresses that are wild.
Daniel Gowing: But as we talked about with generative AI this becoming more of a business model for attackers, the sophistication level has increased dramatically. And while still, yes, bad grammar, poor spelling are signs, they are often not present any longer.
Caleb Cole: I would almost argue it at this stage of the game that minor grammar and typographical errors are more indicative of an actual natural language speaker and writer. [00:01:00]
Jessica Quindlen: Who's just typing fast.
Caleb Cole: Right, because how many times have you received an email from a Director or a VP and it's like, oh.
Jessica Quindlen: 100%. I received one earlier today. I was like, oh!
Caleb Cole: Right, it happens all the time. Whereas these computer tools that are being heavily leveraged, they're being written more and more to avoid all those types of errors altogether. Which is really an odd way of thinking of it, like if it looks too perfect, maybe it is, but we're kind of getting into a new paradigm where that's becoming more the case.
One of the really tricky things, and to your point about the email addresses, is email addresses themselves are actually really easy to imitate or spoof is what we call it. If I know what I'm doing, I can craft an email such that you're never going to see where I sent it from. You're just going to see where I'm telling you it came from, and I can make it look like anybody if I really want to. I think more than not these days, the most important thing to look out for is any embedded links in a document [00:02:00] and just understanding what the URLs themselves mean and where they go.
And this gets into probably a lot more than what most normal users really want to learn about top level domains and how URLs are constructed and what's a page versus a subpage versus content. But knowing that a “.com” is a top level domain. And that's different than “.cm,” which is an available one that can be used to imitate “.coms” because a lot of times people don't read the entire thing. They see the “C” and the “M” the brain fills in the middle and they just click on it anyway.
Or understanding things like if the URL itself ends in a “.rs” or “.hk,” those are top level domains from other countries and does it make sense for you to be receiving an email with a link to a Russian website or to a website hosted in Hong Kong?
If it does, okay, but if it doesn't, think about what you're doing. [00:03:00] And then the other part of it is a lot of times before even you get to that top level domain, the “.com,” Ent.com is a good example. Ent.com is the main domain of that. And anything within that is likely going to be Ent.com/security. That's a page below there.
Or in the case of banking, you know, you might see online.ent.com. That's a subdomain of the Ent.com domain. Well, a lot of times what the bad guys will try to do is make things look like their subdomains or domains, but they're putting them in different places, usually in the dot part before the dot. So it might be onlineent.com to try to get you to not think about it and just read it and react.
Daniel Gowing: I'd say the other big thing even beyond links is just understanding the content of the message. Does it make sense from who it's from? Does the sense of urgency match your relationship with the person?
[00:04:00] Things like that, especially when it's from another individual. Is this a human that you interact with regularly? Do they normally speak like this? Are these requests normal? Can you verify in another way? If you can stand up and go walk over to them and say, “Hey, did you send this to me?” do that. If you can pick up the phone, and not by calling a phone number that's listed in that same message, but if you have their phone number from outside, that's a great way to just verify, “Hey, is this from you?”
Jessica Quindlen: I love that. How can members contribute to the cybersecurity of their financial institution?
Caleb Cole: One of the best things is, you know, we stole the tagline from the Department of Homeland Security from many years ago. We use it internally all the time. “If you see something, say something.” If something looks suspicious, if it doesn't feel right, if there's just something off about it, report it.
Because at the end of the day, we'd rather things get reported that turn out to be completely innocuous. [00:05:00] You know, we would call that a false positive than for things that are actually bad and malicious to not get reported at all and then people to get taken advantage of. That's the worst-case scenario.
Yeah, reporting is really important. And just understand what makes sense. What's normal versus not.
Jessica Quindlen: Right. And I think there's a level of report, and even if you're wrong, at least you reported it. You're not going to offend a company because you reported, because you thought something was weird. You know, it's better to do that than not report it. And then people get scammed, or something happens.
Caleb Cole: Yeah, we never want to see anybody get scammed or have fraudulent activity on an account, or account takeovers, or identity theft, anything like that. And if you're worried about “oh, I'm not sure,” just report it.
Jessica Quindlen: So let's switch gears to social media. So many are on social media. Can you explain social engineering on social media and some of the best practices for staying safe? Because I [00:06:00] think at least just from my perspective, there's this balance of sharing your life and your joys and all of that, but also being insanely vulnerable in doing so, but we live in an age of social media and people aren't just going to delete their accounts.
Daniel Gowing: I was going to say, you're talking to someone that has no social media presence over here.
Jessica Quindlen: I'm always fascinated by folks who have no social media.
Caleb Cole: You just won't see it.
Jessica Quindlen: I see. So then why have it?
Caleb Cole: Beyond just the two-factor authentication, which Facebook and YouTube you know, all of the main sites out there, they all support two-factor authentication, strong passwords.
That's also a super critical thing. But beyond that, make sure your privacy settings are set so that only the people that you want to see your social media presence can. Now, if you're like me and you value, you know, your personal content, privacy. I [00:07:00] make fun of my wife pretty frequently cause she's got like, I don't know, 700, 800 friends.
You can't see my air quotes again, but I'm making them. She has all these friends on Facebook and I'm like, do you even know any of these people? And she knows some of them to some degree. And some of them, it's just people that know her through some of her outside activities, but she doesn't necessarily interact with a lot.
Jessica Quindlen: I have 1,954 friends on Facebook.
Daniel Gowing: How many of them could you name off the top of your head?
Jessica Quindlen: Not that many at all, but this is when you travel a lot in your twenties and you do a lot of theater and a lot of different things. You meet a lot of people.
Caleb Cole: Would you be shocked to find out that I have less than 100?
Jessica Quindlen: Not even a little bit. I'm actually shocked you're even close to a triple figure there. Triple digits.
Caleb Cole: I know a few people. Most of them are family.
Jessica Quindlen: That's okay. That's who you want to see your stuff?
Caleb Cole: Exactly. And then some really close friends that I have.
Jessica Quindlen: Are you on social media?
Daniel Gowing: Yes, I am technically on. I look at other people's social media and so I have to have an account for that.
Jessica Quindlen: Which is valid. Yes. And I also think we are all parents in different stages of [00:08:00] parenthood, but I also like looking forward now I'm on social for that as well. So I can monitor their behavior.
Caleb Cole: In those privacy settings, right? There are usually three levels. Sometimes they're a little bit more, but it's generally friends.
That's only the people that you're friends with. So my less than 100 people and your 1,900 people, they can see what you post and only they can see what you post. And then it moves to friends of friends. So that's that secondary circle, right? That can get pretty big, especially if you've got 1,900 friends. Your friends of friends could, in theory, be in the tens of thousands.
Jessica Quindlen: Right, absolutely.
Caleb Cole: Maybe more, because if all of them also have 1,900 friends.
Jessica Quindlen: Yeah, the math adds up really fast.
Caleb Cole: And then there's public. And I recommend to anybody, unless you are a social media presence and you're crafting some sort of curated personal brand.
Jessica Quindlen: It's your job.
Caleb Cole: You're going to be an influencer. Yeah, exactly. Don't ever put your settings on public. [00:09:00] Because that is where the really dangerous side of this world comes into play. The social engineering aspect, there is a reconnaissance methodology. It's called OSINT or open-source intelligence gathering.
And this is just somebody who understands this world and security or the opposite side of it and being in the bad guy sphere of things. Just being able to go and see what you've published out on the internet, you know, that's public and for all the world to see, you'd actually be shocked at how much is out there on any individual person and it's really difficult to wrangle once it's already out there.
You know, the old saying goes, once it's on the internet, it's forever. It doesn't just apply to pictures, it's anything that you've put out there. It doesn't really go away. There are some websites, even legitimate ones like Google, you can go and say, “oh, there's this stuff, I want you to pull it down” and there are processes and that's not even perfect.
[00:10:00] They can only do so much. But you know, that's the best thing I would say for social media to prevent social engineering types of attacks at all. Just limit who can see your information.
Daniel Gowing: Yeah, I think on the flip side of pulling information out of social media, there is a strong possibility of things like phishing attempts, social engineering through the social media platform as well.
And so, treat anyone unknown as potentially a bad person trying to gain more information than they should, trying to get in contact with you in a way that they shouldn't. Be highly skeptical on the internet.
Caleb Cole: Yeah. That reminds me. There's a really common thing. I still see it all the time, more than I think I should be, but you know, especially with Facebook, is account impersonation, right?
It's really easy for anyone that knows how. I can go, I can steal pictures from any of your accounts. I can post them as my own. I can create a new account imitating yours with the same or similar name [00:11:00] and publish it. And if I have done some other types of open-source stuff, or if you have certain information that you've left public, like your friends list, that you probably shouldn't.
Well, I can go and start sending new friend requests to all of your friends. And then they, I see this all the time: “Why is my grandma sending me a friend request? We've been friends for years,” and it's like, oh great, pick up the phone. “Hey, so I think somebody stole your information and you probably are going to want to follow some steps.”
And I like to direct people to Facebook's instructions. Their instructions are great. I've probably directed five people in the last year to that.
Jessica Quindlen: Well, it's interesting too with, oh, sorry. Just with social media. The handles can't copy themselves, the URLs, et cetera.
But the names, obviously there are more than one John Smith in the world. So it's really easy because you're not misspelling my name. You're actually fully [00:12:00] copying my name. It's just the URL is obviously different, which who's paying attention to that?
Caleb Cole: Very few people do.
Jessica Quindlen: So for social media, obviously, you know any unsolicited friend requests, ignore requests for money, things like that. Is there anything else around social media that you would want people to know?
Caleb Cole: You know, I err on the side of caution.
I have a t-shirt at home that says paranoia is your friend because I work in security. We see so much bad stuff happening in the world that most people don't. It's hard to not get a little bit jaded.
Jessica Quindlen: Absolutely. I can only imagine.
Caleb Cole: But I would say one of the worst things I see people doing is going on vacation or leaving your home unoccupied for periods of time and telling the entire world about it. Ah, yes. These are, “hey, we're leaving, we're going to be gone these dates.” It’s like, “hey, come on over to my house and steal everything that I have while I'm gone.” Vacation pics and stuff aside, that's fine. Maybe just wait till you get home.
Jessica Quindlen: Right, and after the fact, it's great because now you're home and safe. Yeah. I see. Okay. So just [00:13:00] watch what you're sharing.
Caleb Cole: Yeah, exactly. At the end of the day, in our department, we talk about it a lot just at an organizational standpoint, but even as an individual standpoint, make yourself a hard target. Because at the end of the day, human beings naturally will take the path of least resistance, even the attackers. They don't want to have to jump through all kinds of hoops.
Jessica Quindlen: They don't want to work that hard.
Caleb Cole: Exactly. It's all about return on investment, right? The least amount of work I can do for the biggest amount of reward that I can get. So, if you're an easy target, you're going to be an easy target.
Jessica Quindlen: Right. That makes sense. Is there anything else either of you would like to add for Cybersecurity Awareness Month?
Daniel Gowing: I'd say it seems really hard at the outset to be cyber-secure. Just the mindset of like, “oh, I know nothing about IT. I don't know how to do anything besides push the power button on my computer. I can work my phone and I have a limited capacity.” But it's really not that difficult to be [00:14:00] secure.
Caleb Cole: Yeah, that's a good point.
Daniel Gowing: I think if you take the appropriate steps and you're just mindful as you use technology, which I would hope everyone that's using technology is mindful of the way in which they're using it, it is remarkably easy to do it the right way.
Jessica Quindlen: I love that. I think it can be daunting.
Caleb Cole: I think to a degree it sounds like it to Daniel's point. It's always worth it. And I think I would just add to that. Don't ever make the excuse that it's not worth taking the couple of extra minutes or couple of extra time because you won't be the target. Nobody's interested in your information.
Your information is just as important and valuable to the attackers as anybody else's. And if you can make yourself a hard target, they'll go after someone else.
Jessica Quindlen: Right. I love that. Well, that brings us to the end of our show. Caleb, Daniel, thanks so much for being here.
Caleb Cole: Certainly. Thanks for having us.
Jessica Quindlen: Yes. Thank you for listening to Sound Cents from Ent Credit Union. Please be sure to follow us as well as rate and review us. I'm Jessica [00:15:00] Quindlen. I will see you next week. Same time, same place.
PLEASE NOTE: The information presented in this episode is intended to be used for informational purposes only and should not be considered advice. Consult a financial, tax or legal professional to see if the information provided in this episode is suitable for your situation.
Information stated is current as of the time of recording and may be subject to change in the future.
Third party products and services mentioned in the podcast are done so for informational purposes only and should not be considered endorsements or affiliations unless stated otherwise.
Any opinions of guests or third parties on the podcast are strictly their own and do not represent Ent Credit Union.
Ent Credit Union is insured by the NCUA and is an equal housing opportunity lender. Visit Ent.com for more information.