Be cyber smart this holiday season
The holiday season is upon us – bringing with it an inbox full of party invites, well wishes, special deals and holiday discounts. And while the season is a time for joy and cheer, the flood of the inbox and hussle of the holidays presents a unique opportunity for cybersecurity threats to disrupt the season.
That’s because most cyber attacks rely on social engineering. In terms of information security, social engineering refers to the manipulation of people into performing actions or divulging confidential information for the purpose of fraud, system access, and more.
One of the most common forms of social engineering happens through phishing, a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution. These lures often lead individuals to providing sensitive data such as personally identifiable information, banking and credit card details and passwords.
To help our community stay vigilant against these malicious attacks, we’re sharing some of the most common forms of phishing schemes and ways for our community to stay secure:
- Remember, deals that look too good to be true often are. Protect your credit card information and account information by not “auto saving” as a key way to keep your financial information secure.
- Social media scams that link to great deals or incredible holiday events can often lead to information attacks. Ignore unsolicited messages from people you don’t know or aren’t connected to on social media, especially messages with links.
- If you receive generic “customer” emails promising deals, giveaways, vacations or any other emails from unfamiliar senders linking to something attractive or urgent, it’s likely a phishing email. Email reportphish@asu.edu to report any phishing probes you receive on your ASU account.
- One of the more recent holiday phishing schemes promises work-from-home opportunities and easy, “no experience necessary” positions that can begin right after the holidays, with high levels of pay.
- New devices often come as gifts during the holidays, and we quickly download new games and apps to set up the new smartphone or tablet. Be cautious of free games or apps, especially those not verified by big brands like Apple or Google. They often require permission to access more data on your phone than you might want to give away.
More tips to avoid phishing now and in the future
Beyond this holiday context for phishing scams, there are some constant steps you can take to protect your information.
- Create a strong password: although no password is uncrackable, increasing the length and complexity of a password can make it more difficult to crack it. They are at their strongest when they are over 14 characters long. A good strategy to create a password is to select four or five unrelated words that are strung together by a special character; think along the lines of horse-blue-rain-earphones – of course, please don’t go using this exact password now.
- Also be sure to vary your passwords from account to account. Changing them up prevents one breach to turn into many!
- Multi-factor authentication, where you combine something you know (a password) with something you have (a phone) to access personal information, is required at ASU. But most every service and account elsewhere provide the option, so take advantage of that extra layer of protection.
- Avoid malware by not clicking suspicious links, even on potentially legitimate sites. Keeping antivirus software up-to-date will also help defend your device, especially against “keylogger” software that tracks your every keyboard input and can use that data to access your information.
Industry insight: Two forms of “phishing” to watch out for
‘Smishing’ is on the rise. Smishing is a type of phishing “in which an attacker uses a compelling text message to trick targeted recipients into clicking a link and sending the attacker private information or downloading malicious programs to a smartphone,” according to Proofpoint. Popular examples include receiving a text message from an unknown number with a link to claim a prize, take a survey, urgent message about your bank or accounts, and more.
See an example of smishing using an urgent message from "a bank" below:
‘Vishing’ is making a comeback. Vishing is short for "voice phishing," which involves defrauding people over the phone, enticing them to divulge sensitive information. As with other forms of phishing, the attacker attempts to grab the victim's data and use it for their own benefit—typically, to gain a financial advantage.
Keeping ourselves and community secure
Acting quickly when a threat occurs, even after taking these precautions, is key. As mentioned, email reportphish@asu.edu to report any phishing probes you receive on your ASU account. You can also visit getprotected.asu.edu for more information about cybersecurity.