Concepts and terminology differ between the physical and cyberworld. In an attempt to define new terms, IT professionals often come up with terms that confuse and romanticize instead of inform.
For instance, a scam artist in the physical world approaches you to perpetrate fraud against you and others. In the cyberworld, you probably cannot claim to have been approached by a scam artist. However, if I ask if you have been attacked by a hacker, you likely will either admit you have been a victim or breathe a sigh of relief that you have been safe from attack.
When I was a young software developer, hackers were held in the highest esteem. They were experts who could write straight-line production software, with comments, that compiled and ran without bugs. I have met some original hackers who had achieved proficiency in C++, Assembly, Microcode and Fortran. They were the elite of the elite. This term has now been reduced to glamorizing people who gain access to systems as a result of the ignorance or lack of diligence of others. Many victims are people who have not maintained a proper cybersecurity posture rather than being powerful technology experts. To be fair, some hackers who exist today are worthy adversaries with the same type of expertise as the original hackers. But mostly, today’s hackers are just working to hit a big financial jackpot or embarrass someone important.
Oftentimes, fraud is associated with finance, but fraud is actually any sort of misrepresentation from which another can benefit. Acts of fraud may intend to embarrass you, harass you or obtain some financial gain. So, when individuals begin a phishing campaign against the common man or go whaling for senior officers in an organization, they are likely just committing fraud.
Fraud also does not seem to be going away anytime soon. I have always told customers that any behavior you see in the physical world will manifest itself in the cyberworld in some form. We are now seeing orchestrated attacks using telephone calls, emails and texts. Crossing media sources to send a message allows victims to believe the perpetrators may be credible. To prevent becoming a victim, it is important that everyone understands cybersecurity in the following ways:
- Always know the person, the business and the site you are interacting with in the cyberworld. Remember, no one in the world besides your close friends and family loves you. You are not going to be a Nigerian oil tycoon and no one who was removed from a government office is going to share millions of dollars with you.
- If you are unsure whether you know who is reaching out to you, be honest about it. That person may try to provide more information about themselves, and you will be able to confirm whether you do know them or have never heard of them. If you have never interacted with them before, disengage. This is particularly important in social media. If your social media account security settings are not set properly, befriending or connecting with an unknown person could allow that person to compromise your account and everyone else’s accounts in your network. Today, collecting unknown friends is far too dangerous.
- Be vigilant about reading the domain name in emails and URLs. The URL appears in the address bar of the browser and identifies the location, or web service, to which you are connected. The domain name also appears in email addresses after the @ symbol. It is important to read the whole email address or URL because, many times, the beginning will look like a valid domain name. However, the end may include different variations to fool you into trusting that you are visiting the correct site. For instance, if the domain name you are expecting to receive information from is getwellnow.com and you see getwellnow.com.no or .tv or .now, this could be a spoof site.
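The domain check described above can be automated for a mail filter or a user-awareness tool. The following is an added example, not code from the article; it assumes the expected domain is getwellnow.com as in the text, and the sample addresses are constructed for illustration.

```python
"""Check whether a URL or e-mail address really belongs to an expected domain."""
from urllib.parse import urlsplit


def extract_host(address: str) -> str:
    """Return the host part of a URL or e-mail address, lower-cased, without port."""
    address = address.strip()
    if "@" in address and "://" not in address:
        # E-mail address: the domain is everything after the last '@'.
        host = address.rsplit("@", 1)[1]
    else:
        # Bare host names such as "getwellnow.com.no" have no scheme; add one
        # so urlsplit() treats the text as a host and not as a path.
        if "://" not in address:
            address = "http://" + address
        host = urlsplit(address).hostname or ""
    return host.lower().rstrip(".")


def matches_domain(address: str, expected: str) -> bool:
    """True only if the host is the expected domain or a subdomain of it.

    The leading '.' in the suffix test is what rejects lookalikes: the
    expected name must be the END of the host, preceded by a label boundary,
    so "getwellnow.com.no" (extra labels after the real name) and
    "evilgetwellnow.com" (no dot before the real name) both fail.
    """
    host = extract_host(address)
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


# Constructed samples (not real addresses) with the verdict a reader should reach.
SAMPLES = [
    ("https://getwellnow.com/login", True),      # the real site
    ("mail.getwellnow.com", True),               # legitimate subdomain
    ("support@getwellnow.com", True),            # mail from the real domain
    ("https://getwellnow.com.no/login", False),  # ends in .com.no, not .com
    ("billing@getwellnow.com.tv", False),        # ends in .com.tv
    ("getwellnow.com.now", False),               # ends in .com.now
]


def check_samples(expected: str = "getwellnow.com") -> list:
    """Run the check over SAMPLES and return (address, verdict) pairs."""
    return [(addr, matches_domain(addr, expected)) for addr, _ in SAMPLES]


if __name__ == "__main__":
    for addr, ok in check_samples():
        print(f"{'OK     ' if ok else 'SUSPECT'} {addr}")
```

Note that the check only verifies that the name you read is the one you expected; it does not prove the site is safe, so it belongs alongside, not instead of, the habit of reading the whole address.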
Criminals will always perpetrate scams and take advantage of those who are not prepared. Because of this, security professionals should remember that security is not an abstraction of technology with made-up names; it is actually a function to keep individuals and organizations safe from falling victim to cybercrimes. Professionals should continue to train and inform as new approaches are adopted by cybercriminals. Keeping cybersecurity concepts simple and understandable makes security programs more relatable overall.
Bruce R. Wilkins, CISA, CRISC, CISM, CGEIT, CISSP, is the chief executive officer of TWM Associates Inc. In this capacity, Wilkins provides his customers with secure engineering solutions for innovative technology and cost-reducing approaches to existing security programs.