Letter from the CISO, Vol 3 Issue 12
Washington University Community:
I sometimes fear that all the scary cybercrime stories I share will lose their motivating impact. And then I hear something even scarier.
The scariest attack yet…
The scariest attack I’ve heard to date is one in which people appear to receive a call from their child, parent, or other loved one. But it isn’t their loved one. It’s someone with a story to tell about some bad thing that happened, or is about to happen, to the loved one. For example, they could be injured and need a blood transfusion, for which payment may be required, or they are being held for ransom.
This type of cyber-scam attack obviously requires significant effort: identifying a victim, their phone number, and then mapping their loved ones and their phone numbers. But technically, spoofing (impersonating) the loved one’s phone number is relatively easy, and all that’s needed is a heartless, criminal mind and soul.
Three “U”-words are key
This attack takes advantage of three words beginning with the letter “U”, which are also key to detecting many cyber con attacks.
In short, if a message or request is “Urgent,” “Unexpected,” or “Unusual,” we should immediately suspect that it might be a cyber con job in the making. Let’s examine each in more detail.
Urgent
Urgency is a common theme employed by cybercriminals. Attackers create a sense of imminent danger or pressing need to compel victims to act quickly without thinking critically. Sometimes this is called “hijacking your amygdala,” the part of your brain responsible for reflexive fight-or-flight reactions. Urgent messages, limited-time offers, or threats are used to instill fear and apply pressure. The urgency creates a heightened emotional state, making us more likely to make impulsive decisions.
For example, consider an email claiming to be from a bank stating that urgent action is needed to prevent account suspension. Alternatively, we may receive an email claiming to be billing us for a moving traffic violation or some anti-virus software we don’t use. Driven by the fear of losing access to our funds, we may hastily click on a provided link or divulge personal information without questioning the legitimacy of the email.
By recognizing this sense of urgency, we can pause, verify the message’s authenticity through alternative means – like opening the bank’s app on your phone, or opening a web browser, typing in the bank’s web address yourself, and logging in, but never clicking on the links in the message to find the website – and avoid falling victim to the attack.
Unexpected
Some cons are so unexpected they are easy to spot. Like the guy offering to sell you a used car warranty for a car you got rid of 10 years ago. Or the “Nigerian Prince” or Army officer who needs your help transferring a large sum of money and promises you a rich commission in return.
But some scams are more subtle. If you are selling something online, and the buyer “accidentally” sends you way too much money, verify the legitimacy of the funds with your bank before sending them your product or a refund of the balance. Con artists love to send checks that look good at first, but eventually bounce, while asking you to Venmo them the excess they sent you, which you won’t be able to get back.
You should also treat any communications from government agencies or big companies as unexpected. Even if the caller ID shows their name and their legitimate number, the callers are almost certainly scammers impersonating the real companies.
Unusual
Consider unusual any irregularity or deviation from the normal patterns we encounter in our daily lives. Attackers take advantage of this by presenting scenarios or requests that deviate from what is expected, causing victims to drop their guard.
For instance, a phone call from someone claiming to be an IT support technician asking for sensitive login credentials might seem unusual, as one would not anticipate such a call. The attacker leverages this feeling of unease and exploits the victim’s inclination to comply with requests from perceived authority figures or professionals. Recognizing the unusualness of the situation, individuals should exercise caution and verify the legitimacy of such requests before sharing any sensitive information.
The more the caller tells you not to talk to anyone about the situation, the more suspicious you should be.
But what if they really are who they say they are?
How can you tell if the call is real or not?
With family members, close friends and co-workers – assuming they aren’t allegedly unconscious – ask for your agreed code word. In my February 2024 column (Vol 3 Issue 9), I provide details about how valuable pre-agreed code words can protect you against even very sophisticated AI-enhanced (and other) attacks.
What if you don’t have a code word or the person is alleged to be unconscious?
If the bad person is claiming to have taken someone hostage, have someone else call your person’s phone on another line. Chances are the criminals are only spoofing the phone number, and when you call it, you’ll get your person, not the criminal, and you can then hang up.
(Note: It is possible for criminals to con phone companies into transferring a phone number to a different device, at which point you would get the criminal, but this is relatively difficult and rare.)
If the potential bad guy is claiming to be from a legitimate organization, ask for their contact details and then look up the organization’s real phone number. Make sure it isn’t from an advertisement on the internet, and either call them on another line, or hang up and call them back.
Call to action
Be vigilant, skeptical, and even a little bit paranoid. After all, since real con artists are, in fact, out to get you, is it really paranoia?
Recognize that any or all of the three “U”s suggest that you should take your suspicion to a new and higher level. If they’re telling you something is urgent, hang up. Ask them to call you back in an hour.
You can also always call your cyber security buddy to help you think things through and deal with the emotional stress.
If you need help with any of these ideas, please contact the Office of Information Security at infosec@wustl.edu.
Thank you for reading my column, and for being members of the university’s Information Security team!
Good luck and be careful out there!
-Chris Shull, CISO