Info-Blog


What are the 12 top strategic technology trends, 2022 — and why are they valuable?

Download the eBook to see how your peers are putting these trends into action and next steps for your organization.

  • Trend 1: Data Fabric

    Data fabric provides a flexible, resilient integration of data sources across platforms and business users, making data available everywhere it’s needed regardless of where the data lives.
    Data fabric can use analytics to learn and actively recommend where data should be used and changed. This can reduce data management efforts by up to 70%.

  • Trend 2: Cybersecurity Mesh

    Cybersecurity mesh is a flexible, composable architecture that integrates widely distributed and disparate security services.
    Cybersecurity mesh enables best-of-breed, stand-alone security solutions to work together to improve overall security while moving control points closer to the assets they’re designed to protect. It can quickly and reliably verify identity, context and policy adherence across cloud and noncloud environments.

  • Trend 3: Privacy-Enhancing Computation

    Privacy-enhancing computation secures the processing of personal data in untrusted environments — which is increasingly critical due to evolving privacy and data protection laws as well as growing consumer concerns.
    Privacy-enhancing computation utilizes a variety of privacy-protection techniques to allow value to be extracted from data while still meeting compliance requirements.

  • Trend 4: Cloud-Native Platforms

    Cloud-native platforms are technologies that allow you to build new application architectures that are resilient, elastic and agile — enabling you to respond to rapid digital change.
    Cloud-native platforms improve on the traditional lift-and-shift approach to cloud, which fails to take advantage of the benefits of cloud and adds complexity to maintenance.

  • Trend 5: Composable Applications

    Composable applications are built from business-centric modular components.
    Composable applications make it easier to use and reuse code, accelerating the time to market for new software solutions and releasing enterprise value.

  • Trend 6: Decision Intelligence

    Decision intelligence is a practical approach to improve organizational decision making. It models each decision as a set of processes, using intelligence and analytics to inform, learn from and refine decisions.
    Decision intelligence can support and enhance human decision making and, potentially, automate it through the use of augmented analytics, simulations and AI.

  • Trend 7: Hyperautomation

    Hyperautomation is a disciplined, business-driven approach to rapidly identify, vet and automate as many business and IT processes as possible.
    Hyperautomation enables scalability, remote operation and business model disruption.

  • Trend 8: AI Engineering

    AI engineering automates updates to data, models and applications to streamline AI delivery.
    Combined with strong AI governance, AI engineering will operationalize the delivery of AI to ensure its ongoing business value.

  • Trend 9: Distributed Enterprises

    Distributed enterprises reflect a digital-first, remote-first business model to improve employee experiences, digitalize consumer and partner touchpoints, and build out product experiences.
    Distributed enterprises better serve the needs of remote employees and consumers, who are fueling demand for virtual services and hybrid workplaces.

  • Trend 10: Total Experience

    Total experience is a business strategy that integrates employee experience, customer experience, user experience and multiexperience across multiple touchpoints to accelerate growth.
    Total experience can drive greater customer and employee confidence, satisfaction, loyalty and advocacy through holistic management of stakeholder experiences.

  • Trend 11: Autonomic Systems

    Autonomic systems are self-managed physical or software systems that learn from their environments and dynamically modify their own algorithms in real time to optimize their behavior in complex ecosystems.
    Autonomic systems create an agile set of technology capabilities that are able to support new requirements and situations, optimize performance and defend against attacks without human intervention.

  • Trend 12: Generative AI

    Generative AI learns about artifacts from data, and generates innovative new creations that are similar to the original but don’t repeat it.
    Generative AI has the potential to create new forms of creative content, such as video, and accelerate R&D cycles in fields ranging from medicine to product creation.

How the technology trends drive digital business

The top strategic technology trends will accelerate digital capabilities and drive growth by solving common business challenges for CIOs and technology executives. They offer a roadmap to differentiating your organization from peers, fulfilling business objectives and positioning CIOs and IT executives as strategic partners in the organization.

Each delivers one of three main outcomes:

  1. Engineering Trust: Technologies in this segment create a more resilient and efficient IT foundation by ensuring data is integrated and processed more securely across cloud and non-cloud environments, to deliver cost-efficient scaling of the IT foundation.

  2. Sculpting Change: By releasing the creative new-technology solutions in this area, you can scale and accelerate your organization’s digitalization. These technology trends allow you to respond to the increasing pace of change by creating applications more rapidly to automate business activities, optimize artificial intelligence (AI) and enable faster, smarter decisions.

  3. Accelerating Growth: By capitalizing on strategic technology trends in this segment, you’re unleashing IT force multipliers that will win business and market share. Together, these trends enable you to maximize value creation and enhance digital capabilities.

Source: https://www.gartner.com/en/information-technology/insights/top-technology-trends


Security and risk management leaders should focus on these 10 security projects to drive business value and reduce risk for the business.

September 15, 2020 Contributor: Kasey Panetta

“Are you trying to ensure security for your remote workforce but don’t want to hinder business productivity?” “Are you struggling with identifying risks and gaps in security capabilities?” “Where should CISOs focus time and resources?”

Security and risk management experts constantly ask these questions, but the real question should be what projects will drive the most business value and reduce risk for the organization in a constantly shifting security landscape.

“We can spend too much precious time overanalyzing choices we make about security, striving for this notion of perfect protection that just simply does not exist,” said Brian Reed, Sr. Director Analyst, during the virtual Gartner Security & Risk Management Summit, 2020. “We must look beyond basic protection decisions and improve organizational resilience through innovative approaches to detection and response, and ultimately, recovery from security incidents. The key is to prioritize business enablement and reduce risk — and communicate those priorities effectively to the business.”

This year’s top 10 security projects, based on Gartner forecasts and adjusted for the impact of COVID-19, feature eight new projects, focused heavily on risk management and understanding process breakdowns. These projects, which aren’t listed in order of importance, can be executed independently.

No. 1: Securing your remote workforce

Focus on business requirements and understand how users and groups access data and applications. Now that a few months have passed since the initial remote push, it’s time for a needs assessment and review of what has changed to determine if access levels are correct and whether any security measures are actually impeding work.

No. 2: Risk-based vulnerability management

Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organizational risk.

No. 3: Extended detection and response (XDR)

XDR is a unified security and incident response platform that collects and correlates data from multiple proprietary components. The platform-level integration occurs at the point of deployment rather than being added in later. This consolidates multiple security products into one and may help provide better overall security outcomes. Organizations should consider using this technology to simplify and streamline security.

No. 4: Cloud security posture management

Organizations need to ensure common controls across IaaS and PaaS, as well as support automated assessment and remediation. Cloud applications are extremely dynamic and need an automated DevSecOps style of security. It can be challenging to secure the public cloud without a means to ensure policy uniformity across cloud security approaches.

Read more: Top Actions From Gartner Hype Cycle for Cloud Security, 2020

No. 5: Simplify cloud access controls

Cloud access controls typically are done through a CASB. They offer real-time enforcement through an in-line proxy that can provide policy enforcement and active blocking. CASBs also offer flexibility by, for example, starting out in monitoring mode to better ensure fidelity of traffic and understand security access.

No. 6: DMARC

Organizations use email as the single source of verification, and users struggle to distinguish real messages from fakes. DMARC, or domain-based message authentication, reporting and conformance, is an email authentication policy. DMARC is not a total solution for email security, and should be one piece of a holistic security approach. However, it can offer an additional layer of trust and verification with the sender’s domain. DMARC can help against domain spoofing but will not address all email security issues.
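As an added illustration of what a DMARC policy actually enforces (example code written for this page, not from the Gartner article), the parser below reads constructed DMARC TXT records for a hypothetical example.com and grades them by how much protection they deliver. Tag names and their defaults follow RFC 7489; the three records model a domain at successive stages of a DMARC rollout.

```python
"""Parse a DMARC TXT record and report how much protection it actually gives.

Added example, not from the Gartner article. Tag names and defaults follow
RFC 7489; the records below are constructed, not any real domain's records.
"""
from dataclasses import dataclass, field

# Receiver actions for mail that fails DMARC, weakest to strongest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcRecord:
    policy: str            # p=  : what receivers do with failing mail
    subdomain_policy: str  # sp= : policy for subdomains, defaults to p=
    pct: int               # pct=: share of failing mail the policy applies to
    adkim: str             # adkim=: DKIM alignment, r(elaxed) or s(trict)
    aspf: str              # aspf= : SPF alignment, r(elaxed) or s(trict)
    rua: list[str] = field(default_factory=list)  # aggregate report URIs


def parse_dmarc(record: str) -> DmarcRecord:
    """Split 'tag=value; tag=value' text into a record, applying RFC defaults."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return DmarcRecord(
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        pct=pct,
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def assess(record: DmarcRecord) -> list[str]:
    """Return the findings a reviewer would raise; empty means enforcing with reporting."""
    findings = []
    if record.policy == "none":
        findings.append("p=none: failing (spoofed) mail is still delivered, monitoring only")
    if record.pct < 100:
        findings.append(f"pct={record.pct}: policy applies to only {record.pct}% of failing mail")
    if POLICY_RANK[record.subdomain_policy] < POLICY_RANK[record.policy]:
        findings.append(f"sp={record.subdomain_policy}: subdomains enforced more weakly than the domain")
    if not record.rua:
        findings.append("no rua=: no aggregate reports, so no visibility into who sends as the domain")
    return findings


def grade(record_text: str) -> str:
    """Collapse the findings into weak / partial / enforcing."""
    rec = parse_dmarc(record_text)
    if rec.policy == "none":
        return "weak"
    return "enforcing" if not assess(rec) else "partial"


# Constructed records: the same domain at three stages of a DMARC rollout.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ROLLING_OUT = "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for text in (MONITOR_ONLY, ROLLING_OUT, ENFORCING):
        print(grade(text), "-", text)
        for finding in assess(parse_dmarc(text)):
            print("   ", finding)
```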

No. 7: Passwordless authentication

While employees may not think twice about using the same password for their work computer as they do for their personal email, it can cause major security headaches. Passwordless authentication, which can functionally work in a few different ways, offers a better solution for security. The goal should be to increase trust and improve the user experience.

No. 8: Data classification and protection

All data is not the same. A one-size-fits-all security approach will create areas of too much security and others of too little, increasing the risk for the organization. Start with policies and definitions to get the process right before beginning to layer in the security technologies.

No. 9: Workforce competencies assessment

Install the right people with the right skills in the right roles. It’s critical but challenging to combine hard technical skills with softer leadership expertise. There are no perfect candidates, but you can identify five or six must-have competencies for each project. Assess competencies in a range of ways, including cyber-ranging and cybersimulations and softer skill assessments.

No. 10: Automating security risk assessments

This is one way to help security teams understand risks related to security operations, new projects or program-level risk. Risk assessment tends to be either skipped entirely or done on a limited basis. These assessments will allow for limited risk automation and visibility into where risk gaps exist.


Reference: Gartner.com https://www.gartner.com/smarterwithgartner/gartner-top-security-projects-for-2020-2021/


We help you continuously fight phishing where it hurts the most... inside your inbox.

The best time to stop phishing emails is before they hit the mailbox, yet 25% of attacks get past existing defenses. With 82 seconds on average until the first click is lured, the second best time is now.

IRONSCALES is a comprehensive pre- and post-delivery platform designed to quickly detect bad emails slipping through the prevention layer and respond to them automatically in seconds, blocking them for good.

It leverages both AI and real-time human intelligence, with the speed and simplicity to stay ahead of new threats.




Top 10 Security Projects for 2019

Published: 11 February 2019 ID: G00378651

Summary

Security and risk management leaders should implement or improve upon these top 10 security projects in 2019. The projects selected are supported by technologies available today, address the changing needs of cybersecurity and support a CARTA strategic approach through risk prioritization.

Analysis

  • Top 10 Security Projects for 2019

    • Privileged Access Management

    • CARTA-Inspired Vulnerability Management

    • Detection and Response

    • Cloud Security Posture Management

    • Cloud Access Security Broker

    • Business Email Compromise

    • Dark Data Discovery

    • Security Incident Response

    • Container Security

    • Security Rating Services



Gartner Top 10 Security Projects for 2018

June 6, 2018

Contributor: Jill Beadle

CISOs should focus on these ten security projects to reduce risk and make a large impact on the business.

The new chief information security officer (CISO) of a global bank is overwhelmed by his list of to dos. He knows he can’t do everything, but struggles to narrow down the endless list of potential security projects.

“Focus on projects that reduce the most amount of risk and have the largest business impact,” said Gartner vice president and distinguished analyst Neil MacDonald, during the 2018 Gartner Security and Risk Management Summit in National Harbor, MD.

To help CISOs get started, MacDonald shared Gartner’s top 10 list of new projects for security teams to explore in 2018. “These are projects, not programs, with real supporting technologies,” explained MacDonald. He added that they are new to most CISOs, with enterprise adoption at less than 50%.

Neil MacDonald, Gartner vice president and distinguished analyst, explains the Gartner top 10 security projects for CISOs to focus on at the Gartner Security and Risk Management Summit 2018.

No. 1: Privileged account management

This project is intended to make it harder for attackers to access privileged accounts and should allow security teams to monitor behaviors for unusual access. At a minimum, CISOs should institute mandatory multifactor authentication (MFA) for all administrators. It is also recommended that CISOs use MFA for third-party access, such as contractors.

Tip: Phase in using a risk-based approach: high-value, high-risk systems first. Monitor behaviors.

No. 2: CARTA-inspired vulnerability management

Inspired by the Gartner continuous adaptive risk and trust assessment (CARTA) approach, this project is a great way to tackle vulnerability management and has significant risk reduction potential. Consider exploring when the patching process is broken and IT operations is unable to keep up with the number of vulnerabilities. You can’t patch everything, but you can significantly reduce risk by prioritizing risk management efforts.

Tip: Require your virtual assistant/virtual machine vendor to provide this and consider mitigating controls in your analysis, such as firewalls.

No. 3: Active anti-phishing

This project is aimed at organizations that continue to experience successful phishing attacks against their employees. It requires a three-pronged strategy: technical controls, end-user controls and process redesign. Use technical controls to block as many phishing attacks as possible. But make users an active part of the defense strategy.

Tips: Don’t single out groups or individuals for doing the wrong thing; spotlight those who exhibit the right behaviors. Ask your email security vendor if they can undertake this project. If not, why?

No. 4: Application control on server workloads

Organizations looking for a “default deny” or zero trust posture for server workloads should consider this option. This project uses application control to block the majority of malware as most malware is not whitelisted. “This is a very powerful security posture,” said MacDonald. It has proven to be successful against Spectre and Meltdown.

Tip: Combine with comprehensive memory protection. It is an excellent project for the Internet of Things (IoT) and systems that no longer have vendor support.

No. 5: Microsegmentation and flow visibility

This project is well-suited for organizations with flat network topologies — both on-premise and infrastructure as a service (IaaS) — that want visibility and control of traffic flows within data centers. The goal is to thwart the lateral spread of data center attacks. “If and when the bad guys get in, they can’t move unimpeded,” explained MacDonald.

Tip: Make visibility the starting point for segmentation, but don’t over segment. Start with critical applications and require your vendors to support native segmentation.

No. 6: Detection and response

This project is for organizations that know compromise is inevitable and are looking for endpoint, network or user-based approaches for advanced threat detection, investigation and response capabilities. There are three variants from which to choose:

The latter is a small but emerging market ideal for organizations looking for in-depth ways to strengthen their threat detection mechanisms with high-fidelity events.

Tip: Pressure EPP vendors to deliver EDR and security information and event management (SIEM) vendors to provide UEBA capabilities. Require a rich portfolio of deception targets. Consider MDR “lite” services directly from the vendor.

No. 7: Cloud security posture management (CSPM)

This should be considered by organizations in search of a comprehensive, automated assessment of their IaaS/platform as a service (PaaS) cloud security posture to identify areas of excessive risk. Organizations can choose from several vendors including cloud access security brokers (CASBs).

Tip: If you have a single IaaS, look to Amazon and Microsoft first. Make this a requirement for your CASB vendor.

No. 8: Automated security scanning

This project is for organizations that want to integrate security controls into DevOps-style workflows. Begin with an open source software composition analysis and integrate testing as a seamless part of DevSecOps workflows, including containers.

Tip: Don’t make developers switch tools. Require full application programming interface (API) enablement for automation.

No. 9: Cloud access security broker (CASB)

This project is for organizations with a mobile workforce looking for a control point for visibility and policy-based management of multiple-enterprise, cloud-based services.

Tip: Start with discovery to justify the project. Weight sensitive data discovery and monitoring as a critical use case for 2018 and 2019.

No. 10: Software-defined perimeter

This project is aimed at organizations that want to reduce the surface area of attacks by limiting the exposure of digital systems and information to only named sets of external partners, remote workers and contractors.

Tip: Re-evaluate risk of legacy virtual private network (VPN)-based access. Pilot a deployment in 2018 using a digital business service linked to partners as a use case.

Zeljka Zorz,

Managing Editor

HELPNETSECURITY

October 23, 2018

Phishing attacks becoming more targeted, phishers love Microsoft the most

Microsoft remains ensconced on the top of the list of brands impersonated by phishers in North America, Vade Secure has revealed.

Phishers’ favorite targets

The company compiles a list of the top 25 “phishers’ favorites” each quarter by tallying the number of new phishing URLs they detect.

In Q3 2018, Microsoft and PayPal retained the top two places, and Netflix, Bank of America and Wells Fargo occupy the next three.

It’s pretty obvious why Microsoft and PayPal are loved by phishers: the primary goal of Microsoft phishing attacks is to harvest Office 365 credentials.

“With a single set of credentials, hackers can gain access to a treasure trove of confidential files, data, and contacts stored in Office 365 apps. Moreover, hackers can use these compromised Office 365 accounts to launch additional attacks, including spear phishing, malware, and, increasingly, insider attacks targeting other users within the same organization,” the company explains.

They also warn about a marked increase of phishing emails pretending that the recipient has received a link to a file on OneDrive or SharePoint, and has to sign in to access the file.

PayPal credentials give phishers immediate financial payback. Netflix accounts are valuable for the payment card info contained in them, and as goods to be sold on the dark web (although, sometimes, phishers are after much more than that).

Facebook has dropped from the top 5 (to the 6th place), while Chase has hopped over 11 entries and is now in 7th.

The company pointed out that, in terms of volume, cloud and financial services combined represent nearly three-quarters of all phishing URLs.

“While both industries saw solid double-digit quarter-over-quarter growth (22.5% and 36.7% respectively), internet/telco saw the largest percentage growth of 46.3%, again thanks to the growth in Comcast phishing pages. Social media was the only industry to see a decline, reflecting the steep drop in Facebook phishing.”

New entries on the list are Comcast, NBC, AmEx and CIBC, while ING, RBC, BT and Amazon have dropped from the top 25.

“Amazon’s disappearance from the list likely has little to do with Amazon itself,” Adrien Gendre, CEO of Vade Secure North America, told Help Net Security.

“Most phishing attacks are coordinated by a small number of cybercriminal organizations who pick their target based on the profitability. When one target rises in popularity, another decreases. It doesn’t mean that Amazon is not interesting anymore to hackers; it’s just that other brands are currently more profitable to phish.”

Other interesting insights

The analysis of these latest phishing URLs also shows that:

  • Microsoft phishing emails are predominantly delivered during the working week (Tuesdays and Thursdays are preferred).

  • Bank of America phishers cash in on weekends, when bank branches and customer service lines are closed.

  • Netflix phishers prefer Sundays, likely because many new seasons of shows are often released on Fridays, and users are looking forward to watching them during the weekend. An email warning about a supposedly blocked account when users just want to watch something and relax is likely to improve the success of the phishing attack.

Also: phishing is on the rise. The total number of new phishing URLs across the 86 brands Vade Secure tracked rose 20.4% in Q3. Worryingly, phishing attacks are also becoming more targeted.

“When we correlated the number of phishing URLs against the number of phishing emails blocked by our filter engine, we found that the number of emails sent per URL dropped more than 64% in Q3. This suggests that hackers are using each URL in fewer emails in order to avoid reputation-based security defenses,” the company noted.

“In fact, we’ve seen sophisticated phishing attacks where each email contains a unique URL, essentially guaranteeing that they will bypass traditional email security tools.”


Here’s Why Business Email Compromise Is Still Driving Executive Identity Theft

September 12, 2018 | By Bob Sullivan

All it took was access to a lawyer’s email, and suddenly, almost $532,000 was in the wrong hands.

This business email compromise (BEC) scam began simply: A criminal in Los Angeles named Ochenetchouwe Adegor Ederaine, Jr. gained access to a real estate lawyer’s email and sent fake messages to a buyer, according to the U.S. Department of Justice. Soon after, the purchaser sent that six-figure payment to a bank account controlled by Ederaine — one of 23 he had set up at various California financial institutions using six different false identities.

He used this same kind of attack over and over between March 2016 and November 2017 before federal authorities caught up with him. The scheme worked for as long as it did because the criminal didn’t compromise just any email accounts — he carefully selected his targets to maximize his chances for success.

A Persistent Problem

Impostors are tricking workers into sending money to rogue bank accounts at an alarming rate. From December 2016 to May 2018, the FBI observed a 136 percent increase in losses to BEC scams. This type of attack has been reported in all 50 states and in 150 countries.

The real estate sector is particularly at risk, and criminals like Ederaine are making off with huge sums. From 2015 to 2017, the number of real estate transaction incidents increased by more than 1,110 percent, and losses reported to the FBI ballooned by almost 2,000 percent.

The basic strategy is simple and, according to another FBI report, the crime has been observed in five basic flavors:

  • Invoice schemes — Criminals pretend to be suppliers, create a mock invoice and trick firms into payment.

  • Account compromise — Criminals impersonate an authority figure in an organization and order someone to make a payment.

  • Attorney impersonations — Criminals convince victims to remit payment to a bogus account.

  • CEO fraud — This is similar to an account compromise, but with the added heft of an order appearing to come from the top position in an organization.

  • Data theft — Criminals target human resources workers and trick them into coughing up tax statements and other personal information.

Why Business Email Compromise Is Less Obvious Than You Think

Like many scams, BEC often appears obvious in hindsight. A person reading a story about an incident is already in an antifraud mindset, but busy workers are often targeted at just the wrong time, and anyone can suffer a momentary lapse. That’s why defense against BEC requires multiple layers.

Many of these attacks are skillfully crafted. Criminals lurking on websites and social media can uncover plenty of fodder for fine-tuned spear phishing emails: who suppliers are, what the management structure is, who is receiving new business pitches or expansion plans, etc. Executive travel plans are particularly useful for scenarios like this since the urgency of a task can be inflated from abroad: “I’m in London and we need to make a payment ASAP to this supplier or we risk losing it. Don’t delay — please wire these funds immediately.”

New Dog, Old Tricks

Whatever the cover story might be, most BEC scams are just modern twists on old tricks to convince victims to wire money overseas. Controls around wiring funds should be constantly examined and guarded, lest criminals learn to mimic those controls. Two-party transaction authorization ensures that a second pair of eyes examines each payment for signs of trouble.

Watch where the money is going; some destinations should raise red flags. The FBI noted that banks in China and Hong Kong remain the primary destinations for fraudulent funds. Banks in the U.K., Mexico and Turkey are also frequently used, but Ederaine’s scam showed that criminals are also using U.S. banks to hold stolen funds.

To prepare your enterprise for a potential attack, consider conducting phishing simulation exercises and penetration testing to generate insights into your current security posture and employees’ cyber awareness. Combined with technological defenses such as vulnerability scanning and firewall protections, you can establish a layered defense to ensure that threat actors don’t get their hands on your critical assets.

Bob Sullivan is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller



Business e-mail impersonation scams on the rise

The police believe that scammers may have hacked into the e-mail accounts of the victims or their suppliers to monitor correspondence between both parties.

THE NEW PAPER

PUBLISHED 12 Sept 2018

Gilaine Ng

More than 200 reports on business e-mail impersonation scams were made between January and July this year, said the police in a statement yesterday.

This is an increase of 9.7 per cent compared with the number of reports made over the same period last year.

According to the police, such scams typically target businesses with overseas dealings that use e-mail as their main mode of communication.

The scammers would look out for any ongoing negotiations or discussions on sales and purchase transactions, so as to impersonate the supplier.

Using the supplier's e-mail account or a spoofed e-mail account that closely resembles that of the supplier, the scammers would then request business payments to be made to a bank account they controlled.

Victims of such scams were often deceived into transferring the money, believing that the payments were being made to their regular business partners.

The victims would realise they had fallen prey to the scam only when their suppliers informed them that they did not receive the money.

Spoofed e-mail addresses often include slight misspellings or replacement of letters which may not be obvious at first glance, warned the police in their statement. For example, "lisa@faber-cn.com" instead of "lisa@faber.com.cn".
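An added example (not from the police statement or The New Paper) showing how the spelling tricks described above can be caught before a payment is released: it compares an inbound sender's domain with a list of trusted supplier domains and flags reordered labels (the faber-cn.com pattern), transposed letters and look-alike characters. The trusted list and every address other than the faber pair are constructed for illustration.

```python
"""Flag sender domains that merely look like a trusted supplier's domain.

Added example, not from the article: the police statement only gives the
faber-cn.com / faber.com.cn pair; the trusted-domain list and the other
addresses below are constructed. A flag means "verify by phone on a known
number", not "proven fraud".
"""
import re

# Visually confusable sequences mapped to the character they imitate.
# Applied to both sides before comparison, so a legitimate "rn" is not penalised.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(domain: str) -> str:
    d = domain.lower()
    for glyph, real in HOMOGLYPHS:
        d = d.replace(glyph, real)
    return d


def labels(domain: str) -> list[str]:
    # Split on dots and hyphens: "faber-cn.com" and "faber.com.cn" share labels.
    return sorted(p for p in re.split(r"[.-]", domain.lower()) if p)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: substitutions, insertions and deletions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    if address.count("@") != 1:
        raise ValueError(f"not a single mailbox address: {address!r}")
    return address.rsplit("@", 1)[1].strip().lower()


def classify_sender(address: str, trusted_domains: list[str]) -> str:
    """Return 'trusted', 'unknown', or 'lookalike:<reason>:<trusted domain>'."""
    domain = sender_domain(address)
    trusted = [t.lower() for t in trusted_domains]
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if normalise(domain) == normalise(t):
            return f"lookalike:homoglyph:{t}"
        if labels(domain) == labels(t):
            return f"lookalike:reordered-labels:{t}"
        # Small edit distance on a reasonably long name: transposed or dropped letters.
        if len(t) >= 8 and levenshtein(domain, t) <= 2:
            return f"lookalike:misspelling:{t}"
    return "unknown"


# Constructed sample: one known supplier and several inbound From addresses.
TRUSTED = ["faber.com.cn"]
SAMPLE_SENDERS = [
    "lisa@faber.com.cn",      # the real supplier
    "lisa@faber-cn.com",      # the example from the police statement
    "lisa@fabre.com.cn",      # transposed letters (constructed)
    "lisa@faber.corn.cn",     # "rn" imitating "m" (constructed)
    "bob@unrelated.example",  # not a supplier at all (constructed)
]

if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        print(f"{addr:26} -> {classify_sender(addr, TRUSTED)}")
```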

In some cases, the scammers may closely mimic the e-mails of the real suppliers by using the same business logos, links to the company's website or messaging format.

Last month, a fake e-mail was sent to former minister of state Teo Ser Luck, claiming to be from Speaker of Parliament Tan Chuan-Jin.

The fake e-mail had been a case of someone spoofing Mr Tan's name using another e-mail address.

The police advise that businesses adopt the following preventive measures:

• Be mindful of any new or sudden changes in payment instructions and bank accounts. Always verify these instructions by calling your business partners on trusted numbers. Previously known phone numbers should be used instead of the numbers provided in the fraudulent e-mail.

• Educate your employees on this scam, especially those who are responsible for making fund transfers.

• Prevent your e-mail account from being hacked by using strong passwords, changing them regularly and enabling two-factor authentication (2FA) where possible. Consider installing e-mail protection software that can detect fraudulent e-mails.

• Install anti-virus, anti-spyware/malware, and firewall software on your computer, and keep them updated. Also use the latest computer Operating System (OS) and keep it updated when new patches are available.

Businesses that have been affected by the scam should call their banks immediately to recall the funds.

To seek scam-related advice, you may call the anti-scam helpline on 1800-722-6688 or go to www.scamalert.sg.



by Stephen Lawton

August 30, 2018

BEC fraud burgeoning despite training

Business email compromise (BEC) — commonly referred to as CEO Fraud because the CEO's identity is being impersonated — continues to grow and, more significantly, succeed due to the simplicity and urgency of the attacks, according to a recent study from Barracuda of some 3,000 attacks.

The study, published today, notes that of the 3,000 attacks studied, some 60 percent do not contain any phishing links.

The goal of BEC attacks is to socially engineer the recipient to take a specific action, such as a wire transfer or to send personally identifiable information that can be used for identity theft rather than to introduce malware. In some cases, the request is something much more benign such as asking a janitor to unlock a door that later will be used for physical entry into a facility. While the CEO is most often the employee being impersonated, the report says, various C-level employees have that distinction, with the CFO and human resources as other key targets. Recipients of the emails could be anyone in the company.

A smaller percentage of initial BEC attacks are used to gauge the recipient's willingness to be helpful, which is crucial for an attacker trying to socially engineer a potential target. The more willing a target is to help, the easier it is to compromise the systems.

“The ability of these criminal groups to compromise legitimate business e-mail accounts is staggering,” Martin Licciardo, special agent in the FBI Washington Field Office, said in a post on the FBI's official website recently. “They are experts at deception. The FBI takes the BEC threat very seriously.”

The FBI's guidance on defending against BEC includes this one simple recommendation: “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO's office or speaking to him or her directly on the phone. Don't rely on e-mail alone,” Licciardo said.

Cyber Tip - Spot Signs Of Phishing

by Gosafeonline | 23 April 2018

When you learn to spot the signs of phishing, you can better protect yourself and your loved ones against phishing scams.

Phishing is a method cyber criminals use to fraudulently obtain your personal and financial information, such as your login details, bank account numbers and credit card numbers. They often disguise themselves as a legitimate individual or reputable organisation in email, instant messaging and other communication channels. Once cyber criminals obtain your personal information, they could gain access to your online accounts and even impersonate you to scam the people around you, such as your family, friends and business partners.

As cyber criminals come up with increasingly convincing and sophisticated methods of phishing, we must be prepared for what might come our way. To prevent yourself from becoming a victim of phishing scams, learn to spot the signs of phishing.

How to Spot the Signs of Phishing

Here are six signs to look out for when you encounter a potential phishing scam:

  • Mismatched and misleading information

  • Cyber criminals will attempt to mislead you into believing that the information you see is genuine. To ensure you do not fall for their tricks, study the information closely.

  • For emails, look out for a sender’s email address that may look similar to a company’s official email address. Hover your mouse cursor over links in emails. When your mouse cursor hovers over a link, a small window will appear above the link to show you the actual URL, which is the real destination of the link. If the links are mismatched, it is a strong indicator that something ‘phishy’ is going on. If you are using a mobile device, long-press the link to display a window with the actual URL. Be careful not to tap and open the link!

  • For websites, don’t be deceived by how they look. Cyber criminals can easily create phishing websites that are visually similar to legitimate websites. To distinguish the two, take note of the URL in the address bar of your web browser. Cyber criminals often use tricks such as substituting letters in a URL to mislead you into thinking that you are on a legitimate website e.g. www.paypa1.com instead of www.paypal.com.

  • Use of urgent or threatening language

  • By pressuring you to reply quickly or issuing ultimatums, criminals hope to instil panic and fear to trick you into providing confidential information. Be wary of emails with phrases such as ‘urgent action required’ or ‘your account will be terminated’. If you have good reason to believe it is a scam, delete the message immediately.

  • Promises of attractive rewards

  • False offers of amazing deals or unbelievable prizes are commonly used by cyber criminals to encourage you to act immediately. If all you need to do is click on a pop-up or complete an email survey to win a free trip to Europe, it is safe to presume that it is a phishing scam. Remember the old adage, ‘If it sounds too good to be true, it probably is’.

  • Requests for confidential information

  • Most organisations will never ask for personal information such as your NRIC, login credentials and credit card details to be sent over the Internet. If the sender claims to be from your bank and asks for your bank account number, it should raise a red flag immediately. When in doubt, contact the company directly to clarify, but be sure not to use the contact information provided in the email.

  • Unexpected emails

  • Cyber criminals often test their luck by sending mass emails to large groups of people, in the hope that someone responds. If you receive an email about an invoice for an item you did not purchase, do not click on the links or attachments; delete the email immediately.

  • Suspicious attachments

  • Cyber criminals include attachments in their emails as a method to infect a user’s device with malware and steal their data. It may be instinctive to open attachments we receive but it is important to exercise caution. Look out for suspicious attachment names and file types. If the attachment is for something you have no recollection of or uses an uncommon file type such as .exe, trash it.
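
The signs above can be checked mechanically. The following script is an added example, not part of the Gosafeonline advisory; it uses only the Python standard library and applies five of the six signs to a constructed e-mail: a Reply-To that differs from the From domain, a sender or link domain that imitates a trusted one through letter substitution (paypa1.com for paypal.com), urgent phrases, anchor text that disagrees with the link's real destination, and attachments with risky or double extensions. The trusted-domain list, urgency phrases, extension list and the sample message are all assumptions made up for the demonstration.

```python
"""Heuristic checker for common phishing signs (added example, stdlib only)."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the demo: brands the reader expects mail from, pressure phrases to
# flag, attachment types to distrust, and the letter swaps lookalike domains rely on.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}
URGENT_PHRASES = ("urgent action required", "account will be terminated", "within 24 hours")
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".lnk", ".iso"}
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}


def registrable(host):
    """Last two labels of a host (www.paypal.com -> paypal.com); public suffixes such
    as example.co.uk are out of scope for this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain):
    """Trusted domain that `domain` imitates once letter swaps are undone, else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain if domain in TRUSTED_DOMAINS else None


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_message(msg):
    """Return a list of (sign, detail) findings for an email.message.EmailMessage."""
    findings = []
    from_dom = registrable(parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1])
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and registrable(reply_to.rsplit("@", 1)[-1]) != from_dom:
        findings.append(("mismatched-sender", f"From {from_dom}, replies go to {reply_to}"))
    if lookalike_of(from_dom):
        findings.append(("lookalike-sender", f"{from_dom} imitates {lookalike_of(from_dom)}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    findings += [("urgent-language", p) for p in URGENT_PHRASES if p in text.lower()]

    parser = AnchorCollector()
    parser.feed(text)
    for shown, href in parser.links:
        host = registrable(urlparse(href).hostname or "")
        shown_dom = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", shown)
        # Only compare when the visible text itself looks like a domain or URL.
        if shown_dom and registrable(shown_dom.group(1)) != host:
            findings.append(("mismatched-link", f"text shows {shown}, link goes to {host}"))
        if lookalike_of(host):
            findings.append(("lookalike-domain", f"{host} imitates {lookalike_of(host)}"))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = re.findall(r"\.[a-z0-9]+", name)
        if exts and exts[-1] in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
        elif len(exts) > 1:  # invoice.pdf.zip and friends hide the real type
            findings.append(("double-extension", name))
    return findings


def build_sample():
    """Constructed phishing-style message; domains and content are made up."""
    msg = EmailMessage()
    msg["From"] = "PayPal Security <alerts@paypa1.com>"
    msg["Reply-To"] = "collections@secure-verify.net"
    msg.set_content('<p>Urgent action required: your account will be terminated within 24 hours.</p>'
                    '<p>Log in at <a href="http://www.paypa1.com/login">www.paypal.com</a> '
                    'or open the attached statement.</p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg


if __name__ == "__main__":
    for sign, detail in check_message(build_sample()):
        print(f"{sign:20} {detail}")
```

Run against the constructed message, the script reports all five signs it checks for. The heuristics are deliberately simple: the confusable table covers only a few substitutions, the registrable-domain logic ignores public suffixes, and a filename like `report v1.2.pdf` would trip the double-extension rule, so treat the output as a prompt to verify through a trusted channel, not as a verdict.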

By keeping these six signs in mind and remaining vigilant at all times, you can avoid falling for phishing scams.

If you are a victim of a phishing scam, here’s what you can do:

  • Change your password immediately. If the revealed password is used on your other accounts, change those too. When creating a new password, be sure to use a different password for each of your online accounts.

  • Run a full system scan with your anti-virus software if you have clicked on a link or opened an attachment.

  • Alert your bank promptly if you have revealed your banking details or credit card credentials.

  • Keep an eye on all of your accounts for suspicious activity such as unauthorised purchases or withdrawals.

  • Lodge a police report if you incur any monetary loss.

  • Report the phishing attempt to the organisation that was misrepresented and the Singapore Computer Emergency Response Team (SingCERT) at singcert@csa.gov.sg.