Estimated Reading Time: 6 minutes
Unfortunately, protecting yourself against malicious threats online is constant battle in this day and age. Security researchers and media outlets have a seemingly never-ending list of topics and events to cover—driving a constant pressure and awareness that we’re not safe online.
And in large part, they’re right. Data breaches, new ransomware, massive botnets, and crippling DDoS attacks grow in impact year after year. And while new technologies, services, and toolkits provide new cybersecurity tools that lower the cost and bar of entry for businesses and security professionals—they do so equally for bad actors.
Some people would relish in the prediction of “more malware” for the coming year. This could certainly be considered good news for opportunistic cybercriminals and state-sponsored cyber agencies who benefit from widespread security holes and rely on shady methods to steal data and identities.
But for the majority of workers, this shouldn’t be paralyzing and stress-inducing. It should just be a wake-up call—that we need to be more vigilant with we interact on the web.
Security research shows that more and more people fall victim to phishing attacks each year and that human error and misconfigured infrastructure accounts for the majority of security incidents.
Phishing attacks are becoming more and more sophisticated. Just earlier this month, the “Modlishka” toolkit demonstrated a reverse proxy that all but eliminates the bulk of effort required to impersonate a legitimate website. In the short demo video, it also blew through two-factor authentication (2FA), a security that too many still put too much trust in (particularly with how easy it is to spoof SMS).
Don’t fret. This blog will cover the basics for staying safe within your web browser.
How to Stay Safe Within Your Web Browser Behavior
So, to start off 2019, let’s take a moment to review basic security practices that you (and your employees) can follow to improve safety online—and hopefully spot fake/malicious websites such as the phishing attacks that will inevitably arise in those news headlines.
Always Check the URL to Verify the Hostname.
This cannot be understated. The #1 WAY to spot phishing websites remains checking the domain/hostname/URL. Especially if you did not manually type in the URL, check to be sure that the URL matches EXACTLY. Google, Apple, Microsoft, Salesforce… Whatever it is. Check the hostname. For more on that, see our article:
Be Wary of Domain, Bit, or Typosquatting.
One of the common deception methods is for a false site to look like a legitimate site but have a .com domain instead of .org, .gov or another one you expect. An impostor using bitly or tinyurl, which produces abbreviated domain shortcuts, can also make it difficult to know if a site is correct unless you actually visit it.
Always Check for a Secured Connection.
As of July 2018, Google began marking sites that don’t use HTTPS security protocol as “not secure.” This means that seeing HTTP not HTTPS in a site URL is a red flag that either a site is fake or the owners haven’t taken the effort to migrate properly. You can also check a site’s security status by clicking on the padlock just to the left of the url: this also gives information about security certificates and cookies. It’s important to remember that any information you enter into your browser will be transmitted out into the world. If you do not have a secured (encrypted) connection to the computer/website you’re visiting—the information will not be private.
Check the Connection AND Hostname.
It’s important that BOTH a secured connection and a verified hostname be verified. Many still believe that the green padlock alone means they are safe—but that just shows that traffic is encrypted and not where it’s going. In a report from Phishlabs, it’s been found that nearly half of all phishing sites now bear the padlock.
Visit Sites Directly.
In other words—don’t enter credentials on sites you didn’t manually visit/verify. Phishing attacks primarily start via a redirected link delivered in emails, text messages, and other formats. You can prevent this by using emails and texts as notifications only and purposefully, manually, visiting sites on your own to verify.
Look for Typographical and Other Errors.
A few stray spelling or grammar mistakes can be a little disappointing, especially if you’re a word enthusiast, but not necessarily a sign of a false site. However, a lot of poorly written sentences that read like a bad translation, have incorrect colors or incomplete logos, or generally doesn’t look like you’re used to, should all be considered suspect. However, not seeing these more obvious clues doesn’t necessarily mean that it’s automatically legitimate—scammers can still use other phishing methods, sometimes even pictures of shields so it looks like there is full SSL protection.
Remain Doubtful (Trust Nothing).
Encourage employees to think critically in terms of the emails and texts they receive, any special banner advertisement offers they see, any sites they visit or links they click on. A legitimate site likely isn’t going to ask for personal or financial information, or include unusual instructions such as downloading and running a certain file to proceed. Smart security training should include instructions on how and why to be cautious and who in the company to contact if someone isn’t certain about something. Likewise, employees should be trained to alert appropriate people if an emergency does happen, such as a ransomware attack or even a pop-up warning about possible vulnerabilities. Some of these messages are designed to insert false urgency and cause panicked people to click on the wrong links, visit unsafe sites, or download malware disguised and important patches and updates.
Remain Vigilant and Proactive With These Practices
Beyond these internal training guidelines, companies can also practice other security strategies in any sites and individual pages they design for the public or clients/customers.
The goal is to make sure any visitors have full confidence that any data your site requests will be protected, and that they won’t experience any security risks by visiting.
Require Use a Password Manager.
Don’t try to remember all of those company passwords or rely on a spreadsheet to manage them. The automatically generated passwords and features provided by a password manager use the best available cryptography and will keep you safer than anything you could do on your own. Start saving all of your credentials in a password manager. It will save you a lot of stress and time, and it’s far more secure than the alternative.
Require Multi-Factor Authentication.
Traditional username/password protocols are becoming downright antiquated, or at least easier to hack or access by impostors. But adding at least one more step to the process can add extra security. This could include one more identifying question that only the authorized user would know.
Train/Require Employees to Use a VPN on ANY Public or Unsecured Network.
You really can’t know who’s snooping on traffic or up to no good on public and unsecured networks. If you have to be online and view/send business information—always use a trusted Virtual Private Network to create an encrypted tunnel and secure your sessions.
Add Layers of Security Permissions for Different Levels of Access.
Encourage your developers or security team to create different authorization levels. For instance, registered users may be able to access a few pages that pertain to them but not the larger network or more sensitive information. This may not stop the serious hackers but will at least create a higher bar of entry.
Implement DNS and Full-Path URL Filtering Technologies.
In addition to your anti-virus, spam filters, and other network protections—DNS and full path URL filtering technologies are wholly managed security features designed to keep you and the rest of your company safe from all manner of online threats.
No matter how much you may pride yourself on being suspicious of strange sites— data tells us that it’s only a matter of time before you get in a hurry or forget something simple and fall victim to a security threat. All the while, cybercriminals have an increasing repertoire of sophisticated tools at the ready.
There are plenty of security concerns for companies in 2019. New phishing techniques and technologies are chief among the threat list. At the same time, general advice about being cautious seems to never go out of style.
For more information about keeping your organization safe from phishing attacks, check out our blog: 9 Tips to Improve Your Organization’s Security Against Mobile Phishing Attacks.