The National Counterintelligence and Security Center is urging those personnel impacted by the Office of Personnel Management data breaches to protect their personally identifiable information from exploitation.
The NCSC and OPM are promoting educational materials that explain how not to be lured into a trap by foreign intelligence services, as well as how to protect financial accounts and cybersecurity tips.
The NCSC cautions that personnel could be targeted because of the privileged information they possess or their involvement in activities of interest to foreign governments, criminals and extremists.
In particular, the NCSC is advising personnel to be on guard against phishing attempts.
Cybercriminals will use every trick available to gain valuable information from you. That’s why you need to know about phishing. Phishing employs social engineering tactics meant to defraud you with the ultimate goal of using your stolen information to gain access to your identity and even your money. The NCSC describes three types of phishing schemes:
PHISHING is the use of email messages, websites, and text messages laced with malicious software that, once downloaded to your personal computer, steals your personal identification information.
SPEAR PHISHING involves the use of targeted phishing tactics which seek to defraud specific organizations or users of confidential or sensitive data through email spoofs and fraudulent hyperlinks.
WHALING involves the use of phishing and spear phishing tactics to defraud prominent high-ranking individuals such as senior executives and members of leadership teams; also known as The Big Catch.”
A phishing attack has three characteristics: a LURE, a HOOK, and a CATCH.
A LURE is an enticement delivered through email encouraging you to follow a spoofed hyperlink to a malicious website — also known as a hook. It could also be in the form of an executable file hidden in an attachment that you are tempted to open, thereby launching a malicious process on your computer.
A HOOK is a malicious website, provided within the emailed lure, designed to look and feel like a legitimate site. The hook asks you to disclose personal information once you reach it.
A CATCH occurs when the originator of the phishing message uses the information collected from the lure and hook to steal your funds and identity.
The NCSC points to statistics to emphasize the need for caution:
Sixty percent of targeted phishing attacks used the name of a financial institution to gain access, according to
Ninety-one percent of targeted attack campaigns use spear phishing tactics, according to Phishing Box.
Phishing and social engineering attacks resulted in the compromise of over 552 million identities, according to the 2015 Internet Security Threat Report by Symantec.
What you can do
-- Be suspicious of emails containing “urgent” requests for personal information, multiple spelling mistakes, and poor grammar.
-- Do not open links sent through suspicious emails, instant messages, or text messages.
-- Avoid filling out any forms in email messages that ask for personal information.
-- Always use a secure website when submitting credit card or other sensitive information via the Internet. Cybercriminals are now able to spoof “https://” — so enter website addresses manually to avoid malicious links.
Download the NCSC’s pamphlet Your Personal Information: Protecting it from Exploitation
Federal Trade Commission – www.identitytheft.gov
National Counterintelligence and Security Center – NCSC.gov