Newsletter

Keeping Information Security Simple – “Denial is not a river in Egypt!” 

Letter from the CISO, Vol 3 Issue 10 

Washington University Community: 

Criminals keep inventing new con attacks

I recently saw a news report about a Mexican drug cartel that has gotten into the business of helping elderly Americans get out of timeshare vacation contracts. This sounds like a good thing. Unfortunately, it is just the story they use to con the person and drain their bank accounts and retirement savings. 

Like all “con” jobs, it works by allowing malicious actors to gain the confidence or trust of the victim. Whether it involves cryptocurrency, romantic interests, job opportunities, family or friends in peril, or timeshare contracts, it is important to remain vigilant, skeptical, and a little paranoid. 

The first step to avoid becoming a victim…

Our theme this month is “Healthy & Safe – We’ve Got Your Back.” And the best way for WashU’s Office of Information Security to protect your back is to help you recognize threats for yourself and teach you how to help your family and friends recognize them. 

Being aware of sinister tactics is a classic case of an ounce of protection being worth a ton of cure. By reporting a phishing message (using the Phish Report button in Outlook), you empower us to quickly assess the risk, let you know whether a message is legitimate or a threat, and enable us to remove similar threats from all WashU mailboxes. Further, we can also make life difficult for attackers by getting their phishing email accounts shut down. 

As I say every month, being vigilant, skeptical, and a little paranoid is the foundation of self-protection, without which any one of us could be duped. 

The second step to avoid becoming a victim… 

In the bad old days, society blamed victims of cyber (and other) crimes for not being smart or careful enough to avoid phishing messages and other cyber-attacks. In the worst cases, victims were accused of somehow “asking for it,” even when the “it” involved the worst kinds of harm.  

With respect to cybercrime, some companies went as far as to punish and embarrass employees who fell for phishing simulations, even when they offered no training at all, or only minimal and generally awful training, on how to recognize, report, and avoid phishing attacks. 

The WashU Office of Information Security is working hard to encourage people to talk about cybercrime, including the attacks they fell for and the ones they almost fell for. If you report attacks quickly, whether they were successful or not, we are able to minimize the harm that follows. 

But what if the victim refuses to see they are a victim… 

One of the most disturbing aspects of cybercrime and confidence attacks is the way malicious actors gain the trust of their victims and isolate them from anyone and everyone who could help them see what is really happening. 

Victims who believe an online contact is a genuine romantic interest, prospective employer, IRS agent, or sheriff’s deputy are often very difficult to convince that the other person is really a con artist who duped them out of $10,000s or even $100,000s. Furthermore, these malicious actors can deceive people into divulging sensitive, personal information – about themselves and even others – using tactics such as impersonation, outright deception, and psychological manipulation. 

I recently heard of a person who allegedly received a call from the fraud department of their bank. Suspicious of the exchange, the individual hung up and called their bank using the number on the back of their credit card. Unfortunately, the anti-fraud people who answered the call didn’t seem to know anything about their situation, so the customer hung up frustrated. They were relieved when the original people called back “from the bank’s number” and started to “help” again. Regrettably, because it is easy to spoof phone numbers, the cybercriminals persisted until all bank accounts were emptied. While this is an extreme case, it is important to note that it can happen. And it is up to us to pay attention. 

Call to action

What can you do? 

First, get together with your family and closest, trusted friends, and share stories about cyber con artists taking advantage of smart, well-intentioned people. 

Second, make them promise to call you if they ever have a problem with something like this, and to listen to your clear-eyed advice. Stress how important this is, particularly when the con artist insists on keeping the matter secret from others, invariably “for their own protection”! Enforced secrecy is one of the tricks they use to isolate people from help. Last August, in Letter from the CISO, Vol 3 Issue 3, I encouraged everyone to find a “cyber security buddy” and I reiterate that advice. 

Third, maintain a vigilant attitude toward the broad range of potential scams that can be perpetrated. Scams could encompass everything from fake traffic tickets and license revocation threats to IRS and romance-related schemes. 

If you need help with any of these ideas, please contact the Office of Information Security.

Thank you for reading my column and for being members of the university’s information security team! 

Good luck, and be careful out there! 

-Chris Shull, CISO