It’s that time of year again, when our minds turn to office parties, shutdowns and travelling home to see loved ones. And, as we wind down for the holidays, the generosity of the season can make employees more inclined to let their guards down too. Sadly, cybercriminals are opportunists, and they don’t take time off.
Let’s look at some common pitfalls and best practices to reduce the chance of incidents this year end.
1. Out of Office notifications
As a professional courtesy, most of us set ‘Out of Office’ notifications when we’re heading off for a break, letting others in our network know that we won’t be attending to emails, when we’ll be back, and who to speak to in our absence. They’re also a psychological relief that allows us to set aside our professional obligations as we head out for much-needed R&R and time with family and friends.
But there is a downside; all that information, regardless of how seemingly innocuous and well-intentioned, is perfect fodder for cybercriminals looking to boost the success rate of their campaigns with highly accurate, socially engineered attacks, especially if you go the extra mile in your OOO messages and over-share, telling strangers that you’ll be sitting on a beach or heading home overseas to see family.
With that one simple ‘Out of Office’ message, a cybercriminal can register an account that is remarkably similar to yours, changing a couple of characters in the URL, and masking the sender name so that it looks the same as yours.
They can then send your contacts emails out of hours, at a time that fits with your holiday destination in a faraway time zone and add some personalisation that makes the note feel spookily realistic.
‘Hey Jo, sorry to be bothering you back in the office at this hour while I’m here sipping cocktails by the pool in the midday sun. Wondering if I can ask a quick favour? There’s something that I neglected to attend to in my rush to get away.’
If it’s well known that a senior manager was heading to the south of Spain or Bali, how many employees would think twice before agreeing to help out with the request?
In this scenario, there is no breach and no malicious attachment or dangerous link required. It’s just a simple text-based message crafted with some inside knowledge garnered from an Out of Office reply. Imagine how much more powerful that scam becomes if the manager being spoofed is very senior, like an executive, VP or C-level, and in a larger organisation where teams are less intimate. Even worse, what if the cybercriminals had actually infiltrated an account and were sending the request from a legitimate email address?
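One way a mail filter could flag the look-alike sender described above, as an added example that is not MailGuard's code: it labels a From header as a near-match of your domain or as a staff display name on an outside address. `ORG_DOMAIN`, `STAFF_NAMES` and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

ORG_DOMAIN = "example.com"             # assumption: your organisation's mail domain
STAFF_NAMES = {"jo smith", "sam lee"}  # constructed directory of display names

def skeleton(domain: str) -> str:
    """Fold common visual swaps so 'exarnple' and 'examp1e' read as 'example'."""
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Label a From header by how it relates to ORG_DOMAIN and STAFF_NAMES."""
    name, addr = parseaddr(from_header)
    domain = addr.lower().rpartition("@")[2]
    if not domain:
        return "invalid"
    if domain == ORG_DOMAIN:
        # Header text only: SPF/DKIM/DMARC results must be checked separately.
        return "internal"
    if edit_distance(skeleton(domain), skeleton(ORG_DOMAIN)) <= 2:
        return "lookalike-domain"   # a couple of characters changed
    if " ".join(name.lower().split()) in STAFF_NAMES:
        return "display-name-spoof"  # familiar name, unrelated address
    return "external"

# Constructed sample headers
SAMPLES = [
    "Jo Smith <jo.smith@example.com>",
    "Jo Smith <jo.smith@exarnple.com>",
    "Jo Smith <jsmith.holiday@mail.test>",
    "Alex Vendor <alex@supplier.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):20} {header}")
```

A match on the exact domain only means the header text is right; a compromised genuine account, the worst case mentioned above, passes this check and needs other controls.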
Some small adjustments to your ‘Out of Office’ notification can help to blunt these attacks, while still affording the professional courtesy to others in your network.
- Create a different ‘Out of Office’ message for internal and external contacts.
  - External contacts need less information. Keep it short and sweet, and let them know that you’re currently unavailable and will reply upon your return. Even better, send a more detailed email to your closer team mates and contacts directly before you head away, sharing as much detail as you like with them about where you’re going and for how long, and who they should speak to in your absence.
- Remove personal information.
  - Strangers don’t need your mobile number, other team member info or an alternate email address.
- Don’t include details of your trip or leave.
  - Be it a conference, holiday, birth or death, there’s no need to include why you’re out of the office.
- Don’t mention co-workers by name or title.
  - Leave out names and titles for alternate points of contact, and opt for generic business email addresses in case of emergencies. Shared mailboxes are ideal, like support@, finance@ or marketing@. It means that the email will be attended to if it’s urgent, but it doesn’t divulge information about individuals and reporting lines that could be exploited in an attack.
Here’s an example that gives less away to bad actors but still acknowledges the seasonal disruption that’s likely to impact your reply:
“Thank you for your email, and happy holidays. My access to emails may be intermittent at this time, so my response may also be delayed. If the matter is urgent, please contact email@example.com and your email will be directed to an appropriate team member.”
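The checklist above can be turned into a quick check on a draft external auto-reply before it goes live. This is an added example, not MailGuard's code; the keyword lists, the `support@example.com` address and both sample messages are constructed assumptions, and the patterns are heuristics rather than a complete filter.

```python
import re

SHARED = {"support", "finance", "marketing"}  # shared mailboxes named in the article
PHONE = re.compile(r"(?<![\w@])\+?\d[\d\s().-]{6,}\d")
EMAIL = re.compile(r"([\w.+-]+)@[\w-]+(?:\.[\w-]+)+")
LEAVE = re.compile(r"\b(on (?:holiday|vacation|leave)|annual leave|conference|"
                   r"travell?ing|overseas|beach|wedding|funeral)\b", re.I)
TITLE = re.compile(r"\b(manager|director|assistant|head of|team lead|ceo|cfo|vp)\b", re.I)

def lint_external_reply(external: str, internal: str = "") -> list[str]:
    """Return findings for an external auto-reply; an empty list means none."""
    findings = []
    norm = lambda s: " ".join(s.lower().split())
    # Rule 1: internal and external contacts should get different messages.
    if internal and norm(internal) == norm(external):
        findings.append("same-message-for-internal-and-external")
    # Rule 2: no personal contact details (phone numbers, individual addresses).
    if PHONE.search(external):
        findings.append("phone-number")
    for local in EMAIL.findall(external):
        if local.lower() not in SHARED:
            findings.append(f"personal-address:{local}")
    # Rule 3: no details of the trip or the reason for leave.
    leave = LEAVE.search(external)
    if leave:
        findings.append(f"leave-detail:{leave.group(0).lower()}")
    # Rule 4: no co-workers identified by title (names need a directory lookup).
    title = TITLE.search(external)
    if title:
        findings.append(f"coworker-title:{title.group(0).lower()}")
    return findings

# Constructed samples: an over-sharing draft, and the article's wording
# with a constructed shared mailbox address.
OVERSHARE = ("I am on holiday in Bali until 6 January. For anything urgent call "
             "my mobile +61 400 000 000 or email my manager Sam Lee at "
             "sam.lee@example.com.")
SAFE = ("Thank you for your email, and happy holidays. My access to emails may "
        "be intermittent at this time, so my response may also be delayed. If "
        "the matter is urgent, please contact support@example.com and your "
        "email will be directed to an appropriate team member.")

if __name__ == "__main__":
    print(lint_external_reply(OVERSHARE))
    print(lint_external_reply(SAFE))
```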
2. Public Wi-Fi hotspots
Passing time in airport lounges, accessing free Wi-Fi in a hotel or restaurant, or checking for better deals when you’re out hunting for bargains during the holiday sales – there are loads of reasons why you might be tempted to hop onto a public Wi-Fi network during the holidays. But think twice if you do.
Public Wi-Fi hotspots are often free and unsecured, so they’re attractive to cybercriminals who can use them to steal sensitive information like passwords, banking information and personal details for identity theft, or to distribute malware and viruses onto devices.
Using a VPN or accessing secured public networks that require a password are better options. But if you must use a public Wi-Fi network, don’t access any sensitive services like an online banking portal, switch off file sharing and auto-connect, and check that the sites that you’re accessing are secured, HTTPS websites.
Finally, be sure that the public Wi-Fi that you’re accessing is the real deal. One tactic employed by shifty cybercriminals is to create their own public free Wi-Fi networks, called rogue networks, often with obscure names, or with names that mimic the official networks that people are joining, so that they can eavesdrop on all of the data that’s passing over the network.
3. Stray USB drives
If you spot a stray USB drive lying around, resist the temptation to stick it into your laptop to see what’s on it, or to save a few files. Loading USB or thumb drives with malware and scattering them around in public places for unsuspecting victims to stumble upon is another common tactic employed by cybercriminals.
As soon as you plug the USB drive into your machine, the bad actors can silently install malicious code designed to steal and exfiltrate your data and credentials, to spy on your activity, be it recording your keystrokes or access to your camera, or to grant themselves remote access.
4. Avoid the Rush to Sign Off
Slow down! Year end is often a mad scramble to get things done, with last minute loose ends to tie off on projects and actions to take care of before the upcoming days and weeks when you’ll be away. Ironically, preparing for a break can be a very stressful and anxious time.
Elizabeth Grace Saunders is a Time Management Coach and shares advice for managing the stress that leave can trigger in this HBR article.
She says, “I’ve observed that pre-vacation work stress typically falls into two buckets: completing work before your departure and being away from the office. Both of these categories can trigger guilt and even fear. Many people worry that if they’re not always available, something horrible will happen at work.”
But a lack of time and clear thinking makes us easy prey for cybercriminals. Rushing through tasks and trying to clear your unread emails before you switch off can make employees vulnerable to phishing and similar cyber-attacks.
In her HBR article, Elizabeth Grace Saunders offers these four steps:
- Plan ahead
- Partner with peers
- Decide to wait, and
- Switch off
Set aside time in your calendar to get properly organised before you leave, and make arrangements with teammates who can share the load while you’re away.
5. Unattended devices
Never leave your device, be it a smartphone, laptop, desktop or any storage media, unattended. It’s an open invitation to bad actors with malicious intentions. Always ensure that your devices are locked, with multi-factor authentication (MFA) enabled, and that any sensitive data is secured with passwords and encryption.
We’ve all seen the cheesy office slogans like ‘CTRL-ALT-DELETE before you leave your seat.’ They’re there for a reason, to make sure that you don’t leave the door open for a malicious bad actor that’s lurking, seeking to gain unauthorized access to your device, ergo, your company network, data and systems. It could even be a malicious insider that takes the opportunity to access your machine while the office is quiet over the holidays.
Furthermore, adjust your notification settings so that alerts aren’t visible and other services aren’t accessible when your device is locked. For example, anyone can simply scroll through the notification centre alerts that are visible on most iPhones, without a passcode or any other special device access, and those alerts can reveal which services you’re subscribed to, recent transactions, upcoming appointments, who your contacts are, missed calls and messages, where your contacts are and other insights into your movements and network over the past few days. It’s enough to give a bad guy the upper hand when it comes to crafting their next assault.
6. Shut down devices
When you’re heading off on leave, it’s also a good idea to shut down all of your devices so that they’re inactive and disconnected from the network. A principal tenet of cybersecurity is to adopt an assume breach mindset, and in this case, you will be preventing a bad actor from accessing systems and/or exfiltrating data while you’re away.
It’s a simple step but one that many of us often neglect. It also has the added benefit of being good for the climate and for your wallet, in that you’ll be reducing unnecessary energy consumption and carbon emissions in the process.
7. Avoid Oversharing on Social Media
Just like with your Out of Office messages, social media is a happy hunting ground for cybercriminals who are looking to learn vital information about your movements and your network to assist in crafting their next cyberattack.
If you haven’t already done so, adjust the settings on your accounts to restrict public access to your posts, so only people who are known friends or connections can follow your updates.
Even with access to your posts restricted, there’s a good chance that some of your connections are distant colleagues or associates, or perhaps even people that you don’t really know. For that reason, limit the amount of information that you’re sharing, especially if it’s signalling that you’ll be away or out of town, where you’re going and how long for. It’s safest to share updates upon your return.
This advice applies to both your personal and professional life, and protects your physical and digital assets. Bad guys would love to know that you’ll be away for the holidays. Think of the Joe Pesci character, Harry Lyme, in Home Alone, casing neighbourhoods to figure out which houses will be unattended and for how long. Just as well Kevin, AKA Macaulay Culkin, was home alone to spoil his plans.
The same is true of the digital realm, where bad guys will see your time away as an opportunity to target your connections in an attempt to gain access to assets, data and networks.
They’ll also take whatever other information they can glean, like birthdays and pet names, as hints to help them crack your account passwords.
8. Unexpected Calls & Emails
We can all get out of our routines in the holidays, maybe because we’re away on leave, or even when we’re still in the office because we’re covering for colleagues that are away.
It often means juggling unfamiliar tasks and engaging with new and different people. But don’t let that sense of laissez-faire compromise your better judgement. If something is strange, unusual, or out of the ordinary, treat it as such. Cybercriminals thrive with the element of surprise. That can mean catching someone out with an unexpected call or email, hoping for someone with a willingness to bend the rules or even a best intentioned, good old fashioned ‘can do’ attitude that can get them into hot water.
Here are a couple of simple examples. If someone calls your team claiming that their Store Manager is on leave, but they need a delivery, a special order or an order varied, take some time to pause and don’t bypass your normal processes, especially if it’s to be delivered to a new address. Do likewise if someone contacts your finance team asking to update account information for the payment of an invoice, or to make a change to personal info for payroll.
Don’t let the holidays derail your normal processes and procedures to ensure safe business operations. The last thing you need is a cyber incident to spoil the holiday break. They’re a nightmare to remediate at the best of times, let alone when your team aren’t at full strength.
9. End of Year Backups
Backups should be a part of your regular routine, which could mean they’re performed hourly, daily, weekly, or even monthly. But if they occur any less frequently than that, there’s never been a better time than at the end of the year. Whether you’re heading off on leave, or if you’re staying on as skeleton crew through the break, it’s a perfect time to make copies of all of your data and files.
Good practice is to follow the 3-2-1 rule, which is to make three copies of your data, on two different types of storage media, and with one of the backups stored offsite. Some recommend taking it one step further still, suggesting that you store two copies offsite, one of them offline and offsite, and another in the cloud.
10. Software Updates
Finally, just like with backups, regularly installing software updates and patching your services should be a routine part of your day-to-day operations, but if not, now is the time. We recommend that you aim to install all software updates before you shut down your devices and take them offline, and then perform a further series of updates when you return after the holidays.
Bad actors take advantage of vulnerabilities in software, and zero-day threats are the perfect foray into your network via unpatched services, especially at a time when those services may not be monitored, or where your team may be operating on a skeleton crew and less likely to spot suspicious activity.
We wish you and yours a cyber safe and happy holiday season, and we hope that some of these tips serve to keep you and your team safe from harm, and at the very least that they help you to rest easier with the peace of mind that you’ve taken all of the necessary precautions before winding down for some relaxation and time with loved ones.
Many businesses wait until after an incident or a near miss before turning to MailGuard, often because of a malicious email that was completely preventable. If unwanted emails are a problem for your business, don’t wait until it’s too late.
Reach out to our team for a confidential discussion by emailing firstname.lastname@example.org or calling 1300 30 44 30.