Letter from the CISO, Vol 4 Issue 7
WashU Community:
Your mission for the holidays…
The Mission Impossible TV series and movies often begin with “Your mission, should you choose to accept it…”
As we approach the winter break and holidays, I propose you accept the mission of helping your family and friends improve their cyber security. These aren’t new ideas. Frequent readers of this column will find them very familiar. What’s new is the mission to help as many of your family members and friends as possible become a little more secure.
Don’t try to fix everything. Just focus on the following:
Being vigilant, skeptical, and a little paranoid
Start by emphasizing how important it is for everyone to be and remain vigilant, skeptical, and a little bit paranoid.
Some people will say they don’t need to worry because they don’t have any enemies, their enemies would never resort to cyber-attacks, or there’s nothing special about them. But malicious actors don’t care who you are. Whether or not you are rich or important, they are out to get anyone and everyone they can!
Their creativity and tenacity are limitless, spawning labels for their attacks like cat phishing, romance scams, sextortion, and pig butchering. They use email, social media, text messages, and even voice calls to connect with you. Some attackers threaten and create a great sense of urgency to hijack your amygdala – the part of the brain responsible for reflexive, non-analytic reactions – so they can cash out quickly. Others spend a lot of time building a relationship and a high level of trust. Over the long run, this works to extract as much money from their victims as possible. Often, they are so manipulative that after a victim’s life savings have been stolen, the victim refuses to believe they’ve been conned.
For young people, emphasize the importance of asking for help if they get in trouble. Some families have a “no questions, no recriminations” policy for children when calling for help. This policy applies when they call for a ride in a scary or dangerous situation – like if their driver isn’t sober. It is similarly beneficial for children to know they can safely ask for help if someone they thought was a friend is blackmailing them. The blackmail could be over embarrassing, explicit photos, or anything else. In some cases, the photos may be genuine. In others, they may be deepfakes. In either scenario, having a safe way to get help is critical.
In even worse news, skilled attackers are using artificial intelligence to generate legitimate-looking material and convincing attacks.
Secret codes and phrases
Establish a secret code word or phrase to verify identities. Whether it is a text message or phone call from a public defender, law enforcement officer, or kidnapper asking for money, you can verify their claim by asking for your family’s code word or phrase. If the caller can’t provide it, you’ll know they aren’t really in touch with your loved one or friend.
By the way, law enforcement never calls to say the FBI, IRS, sheriff, or local police are on their way to arrest you, “unless you Venmo some legal fees” or “pay your back taxes with gift cards.”
Cyber security buddies
Please also set up your family members and friends with a “cyber security buddy” they can call when something strange is happening.
Whether a situation is too good to be true or just a bit odd, everyone should commit to getting a second opinion. Even if doing so seems a little paranoid, that’s what we’re aiming for. It is far better to check than to be sorry you didn’t.
It’s also okay to call after a scam. In many cases, misdirected and fraudulent money transfers can be clawed back by the FBI if promptly reported.
This is not the case for Zelle, Venmo, CashApp, and other instant cash transfer applications, so be sure to use them only with people you know. When in doubt, call your Cyber Security Buddy, and collaborate to verify the requestor’s identity.
I wrote more about the benefits of Cyber Security Buddies in this column.
You are the cyberhero of your circle
By reading this column, you probably know more about cyber security than most of your friends and family.
By accepting this mission, you are making the world a better place.
If you need help with any of these ideas, please contact the Office of Information Security.
Thank you for reading my column, and for being members of the university’s Information Security team!
Good luck and be careful out there!
-Chris Shull, CISO