On February 5th, we had Christian Lloyd-Kohls from the Canadian Centre for Cyber Security facilitate a highly informative session on phishing, malware, and social engineering.
Here are some key takeaways:
Phishing
Tricking you into clicking a malicious link, downloading malware, or sharing sensitive information – all with the goal of obtaining sensitive personal information.
Forms:
- Spear phishing: personalized and targeted.
- Whaling: targeting executives.
- Vishing: voice phishing via calls
- Spoofing: forging websites/emails/phone numbers (e.g. when it looks like an email is coming from PayPal but actually isn’t).
- Smishing: SMS/text message
Watch out for:
- Anything too good to be true
- Urgent request/threatening language
- Unexpected emails
- Suspicious/unexpected Attachments
- Potentially fake websites
- Information mismatch, unprofessional design, or different fonts (could be altercated documents or poorly edited websites)
- Hidden links
- Log-in pages
- Disclosing sensitive information on social media. For example:
- “If you had to marry your spouse where you met them, where would your wedding have been”
- “Your rockstar name is your middle name and the first car you had”
- “Name a song that takes you back to highschool”
- Everybody’s first job was McDonalds, prove me wrong!
- Free Wifi, especially if they require creating a login.
Recommendations:
- Avoid opening links from emails/text. Instead, go to the actual website and try to find the message/notification there, or call the related company to inquire.
- Report suspicious text messages to 7726 (SPAM).
- Always keep devices & applications updated. Updates are often security related and might not just be functional.
Social Engineering
Fraudsters even go so far as to set up fake ads mimicking real companies to offer promotions or false sales to get your information.
Watch out for:
- Typos – e.g. wealhsimple instead of Wealthsimple
- False websites – e.g. directing to a .net or other domain suffix when it should be .com/.ca or otherwise.
AI & Cyber threats
AI is making it harder to detect:
- Less grammatical mistakes.
- Deepfake voices & even live video calls.
Recommendations:
- Watch out for Urgent request/threatening language.
- Call the person back to verify instead of accepting their call/joining their meeting.
Misc advice:
- Use complicated and different passwords as much as possible.
- Use a password manager tool if it’s getting overwhelming.
- On top of that, for extra security, if you’re concerned about the tool itself getting compromised, add an extra character (or more), and don’t save it, to the automatically generated passwords you use.
- Be wary of apps that request access to an excessive amount of information.
Resources:
