The recent hack on the U.S. Office Of Personnel Management (OPM), which was one of the most serious government cyber attacks of all time, teaches us all some lessons that the mortgage industry should take to heart.
Since the mortgage industry deals with the same kind of sensitive financial information that the OPM had in its database, we can glean some insight from the security breach. While OPM employees will possibly be affected for a long time to come, people just starting out in life may have a mortgage for the next ten, twenty, or thirty years. That's a large part of a person's life, and it can seem a lot longer if that person's Personally Identifying Information (PII) has been compromised.
One of the popular ways that attackers compromise computer systems is through spear phishing. Spear phishing is sending an attachment or a link via email to the employee of a target company in the hope that the employee will open the attachment or click the offered link, thereby introducing a virus or backdoor into the company's computer systems.
Sometimes the approaches are so amateur that the attempts are a bit funny. But the attackers are becoming ever more sophisticated, and not all of the attacks are easy to spot. Many attackers start with publicly available information to craft their phishing emails. This publicly available information may include the names of corporate officers. Suppose you receive an email with the CEO's name as the sender. These are a bit trickier to identify as a suspicious emails than the obvious Nigerian 401 scams.
As spear-fishing emails become more sophisticated, you want to be able to safeguard yourself and your sensitive information. Here are five ways to avoid becoming the victim of a malicious email attachment:
- When in doubt, don't open it directly. Save the unopened file to a secure location and run a manual virus scan on it.
- Follow policy. One of the first things that malicious software does, even before it begins to steal information from the company, is protect itself. This may mean replicating itself so that virus scanners cannot find it, or creating an administrator account on the compromised system so that a hacker can get back in even if they are discovered and kicked out. Follow your corporate IT policy to make sure that you do not open even one malicious attachment even once.
- Use a trusted WaaS. Even if you follow protocol, that might not be enough. Using a WaaS, like MortgageWorkSpace ensures that you are secure, even if you are working remotely. MortgageWorkSpace is like having an all-knowing administrator with you at all times, informing you as to whether or not an action or a website is safe.
- Don't assume that "a hacker wouldn't know that." One time a consultant surprised an employee by sending an email to an officer whose email address he did not have any reason to have. That company used the format email@example.com for their email, and figuring out the officer's email address was not difficult. It's not hard for a hacker, either. Your email address, and the addresses of officers in your company are not top secret. They available on the internet and hackers probably have them.
- Recognize the signs. Be especially concerned about emails with suspicious file types attached. For example, an Excel spreadsheet ends in .xls, but a file called spreadsheet.xls.scr does not end in .xls. (.scr in fact is an executable file extension in Windows and is probably a malicious attachment). The same goes for .exes and .coms. For example, vacation-pictures.jpg.exe is not a JPEG graphic, it is an executable and is very suspicious.
As hackers get more sophisticated, so does virus scanning software. Updated virus software is important, but the most effective way to block suspicious email attachments remains an informed user doing the right thing and using a trusted WaaS. Being an informed user means both knowing what best practice is, what to look for, and how to react when you see it. For more information on security best practices, please contact us.