
End User's Guide to a Clean Inbox
14.5 billion spam messages are sent every day in the U.S.

That's 45% of all emails sent. Common types include: Advertising (36%), Adult-Related (31.7%), Financial (26.5%), Scams and Fraud (2.5%).

9 WAYS TO KEEP SPAM OUT OF YOUR INBOX

1. Junk the Junk: Delete junk emails before opening them, and disable automatic image download.

2. Use Your Email's Built-In Spam Filter: These are included in most popular email services.

3. Choose a "Less-Guessable" Email Address: Spammers use sophisticated name-generating bots that churn out billions of possible email address combinations. Beat the robots and choose a complex or unusual email address.

4. Be Cautious When Giving Out Your Email Address: Do not post your email address on websites or social media profiles.

5. Get a Throwaway Email Address: Use this email when you only need an email address to post a message in a forum or join a group. There are many free, disposable email address services to choose from.

6. Use Anti-spam and Antivirus Software: There are many anti-spam protection services for individuals and businesses.

7. Train Your Spam Filter: Flag all spam that makes it through your filter.

8. Unsubscribe from Mailing Lists: Get rid of time wasters and declutter your inbox.

9. Never Reply to a Spammer: Your reply verifies your email is valid.

© 2019 Infosec. All rights reserved.


COMMON TYPES OF PHISHING ATTACKS

ACCOUNT VERIFICATION
• Appears to come from a well-known company like Netflix and asks you to sign in and correct an issue with your account
• Link points to a website pretending to be a company's legitimate site and asks for your login credentials
• TIP: Do not click any links in the email — directly log in to your account by typing the address into your web browser. If you are unable to log in, contact the service using official contact information.

CLOUD FILE SHARING
• Contains a link to what appears to be a shared file on Google Docs, Dropbox or another file-sharing site
• Link points to a page pretending to be a file-sharing site and requests you log in
• TIP: Do not click any links in the email. Instead, log in to your account and find the shared file by name. Remember to verify sender identity and use established cloud file sharing services.

DOCUSIGN
• Comes from a domain similar to the DocuSign domain
• Link will prompt you to sign in to view the document, giving attackers control of your inbox
• TIP: DocuSign never attaches items to email — attachments are likely malicious. Instead, access documents directly at www.docusign.com.

FAKE INVOICE
• Contains a document presented as an unpaid invoice and claims service will be terminated if the invoice is not paid
• Targets individuals (by pretending to be a retailer) or businesses (by impersonating a vendor or supplier)
• TIP: Do not reply to the email. Contact the vendor/service directly using official contact information before submitting payment.

DELIVERY NOTIFICATION
• Appears to come from a popular delivery service (FedEx, UPS, etc.) or online retailer and includes a delivery notification with a malicious link or attachment
• TIP: Do not click links or open attachments in unexpected delivery notifications. Instead, visit the delivery service's official website and enter the tracking information, or call the delivery service's official phone number.

TAX SCAM
• Appears to come from a government tax revenue agency (e.g., IRS in the U.S.)
• Claims you are delinquent on your taxes and provides a means to fix the issue before additional fines or legal actions are pursued
• TIP: Never share personal or financial information via email. Only use official communication channels to contact revenue agencies.



SPAM EMAIL OR PHISHING ATTACK?
Use this guide to determine if unwanted emails in your inbox are phishing attacks or spam.

PHISHING ATTACK vs. SPAM EMAIL

Goal
  Phishing attack: Wants your information: credit card number, password, bank account, etc.
  Spam email: Unwanted advertisements for products or services

Targeting
  Phishing attack: Often targeted: sent to a specific individual or group and contains relevant information, e.g., your name
  Spam email: Always broad: sent to millions of recipients

Links
  Phishing attack: Includes malicious links to fake websites or malware downloads
  Spam email: Includes links to mostly legitimate websites offering products or services

Attachments
  Phishing attack: May contain malicious attachments
  Spam email: Does not contain attachments

Urgency
  Phishing attack: Has a sense of urgency
  Spam email: Does not require immediate action

What to do
  Phishing attack: Should be deleted and reported
  Spam email: Should be marked as spam and deleted

Some spam emails (2.3%) are also phishing attacks.

SHARED TRAITS
Unsolicited: You didn't ask for the email.
Harmful: Both either attempt to steal your information or waste your time.
Illegitimate: Both use techniques like spoofing to make it to your inbox.
HOW TO RECOGNIZE A MALICIOUS ATTACHMENT
You received an email with an attachment. Do you download it?
Follow these steps to make a safe decision.

READ WARNINGS
»» If your email service or antivirus software warned the attachment is dangerous, DO NOT DOWNLOAD!
»» Some hackers will "warn" you that you should ignore such alerts. This is a trick! NEVER IGNORE MALWARE ALERTS.

EXAMINE MESSAGE
»» Did it come from a legitimate source?
»» Does the content of the email look normal?
»» Would you expect an attachment from this sender?
»» If you answered NO to any of these, the attachment is likely MALICIOUS.

INSPECT FILE EXTENSION
Take a look at the file extension (the part that follows the dot). Be suspicious of the following extensions:

.EXE
»» DO NOT DOWNLOAD! This is an executable file.
»» Most email clients block .EXE attachments.

.ZIP, .7z, .RAR and other archived files
»» Archiving is a common way to hide malware from antivirus.
»» Be extra suspicious of password-protected archives.

.DOCM, .XLSM, .PPTM
»» These documents contain MACROS, or scripts hackers often use to run malicious code.

UNKNOWN or MISSING EXTENSIONS
»» If you don't recognize the extension, DO NOT TRY OPENING THE FILE!

USE CAUTION
»» Even if a file is a simple DOC or PDF document, think twice before opening it.
»» If you can, contact the sender using an alternative channel (email or IM) to verify.
»» Use your email client's Preview feature before downloading.
»» Make sure that all software you use for viewing documents has the latest security patches installed.



9 BEC ATTACK RED FLAGS
Business Email Compromise

1. "Reply to" email address does not match "From" email address (e.g., a message from "Jane Doe" with from: JaneDoe@gmail.com and reply-to: JoePhish263@gma)

2. Vendor payment requests from a new email address

3. Vendor payment requests with new routing numbers and/or account numbers

4. Requests for payment at the end of the day, or before weekends and/or holidays

5. Requests for wire transfers to a new account

6. Any "urgent" or "confidential" requests for payment (e.g., "MovieFLix" <FlixMove_@gmail.com>: "Please update your payment method immediately. Click Here")

7. Requests for payment without justification

8. Requests for payment to a personal account

9. Requests for payments of unusual amounts

The best way to stop a BEC attack is to evaluate every request for money or sensitive data carefully.
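Two of the checks above can be applied mechanically when a reported message is triaged: BEC red flag 1 (Reply-To does not match From) and the extension checklist from "How to Recognize a Malicious Attachment". The Python helper below is an added example, not part of the Infosec posters; the sample message, names and example.* domains are constructed for illustration.

```python
"""Added example: triage a raw email for two red flags from the posters above,
a Reply-To that does not match From (BEC) and suspicious attachment extensions."""
import email
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

# Extension groups from the attachment checklist. The OS acts on the FINAL
# extension, so "invoice.pdf.exe" is still an executable.
EXECUTABLE = {"exe"}
ARCHIVE = {"zip", "7z", "rar"}
MACRO_DOC = {"docm", "xlsm", "pptm"}
FAMILIAR = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}  # still "think twice"

# Constructed sample (hypothetical names and domains): a vendor "invoice" with a
# mismatched Reply-To, a macro-enabled workbook and an archive attached.
SAMPLE_EML = """\
From: Jane Doe <janedoe@example.com>
Reply-To: accounts-payable@example.net
Subject: URGENT: updated wire instructions
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice before close of business today.
--b1
Content-Type: application/octet-stream; name="Invoice_July.xlsm"
Content-Disposition: attachment; filename="Invoice_July.xlsm"

(placeholder attachment body)
--b1
Content-Type: application/zip; name="Remittance.zip"
Content-Disposition: attachment; filename="Remittance.zip"

(placeholder attachment body)
--b1--
"""


def classify_attachment(filename: str) -> Tuple[str, str, str]:
    """Map a file name to (verdict, category, advice) following the checklist."""
    name = filename.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if not ext:
        return ("block", "missing extension", "do not try to open the file")
    if ext in EXECUTABLE:
        return ("block", "executable", "do not download; most email clients block .EXE")
    if ext in ARCHIVE:
        return ("block", "archive", "hides malware from antivirus; worse if password-protected")
    if ext in MACRO_DOC:
        return ("block", "macro-enabled document", "macros can run malicious code")
    if ext in FAMILIAR:
        return ("caution", "document", "think twice; preview first and keep the viewer patched")
    return ("block", "unknown extension", "do not try to open the file")


def check_reply_to(msg) -> Optional[Tuple[str, str]]:
    """Return (from_addr, reply_to_addr) when Reply-To points somewhere other than From."""
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != from_addr:
        return (from_addr, reply_to)
    return None


def triage(raw_message: str) -> Dict[str, object]:
    """Parse a raw RFC 5322 message and collect both kinds of red flag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: List[Dict[str, str]] = []
    for part in msg.iter_attachments():  # the text body part is skipped automatically
        filename = part.get_filename() or ""
        verdict, category, advice = classify_attachment(filename)
        findings.append({"filename": filename, "verdict": verdict,
                         "category": category, "advice": advice})
    return {"reply_to_mismatch": check_reply_to(msg), "attachments": findings}


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    print("Reply-To mismatch:", report["reply_to_mismatch"])
    for item in report["attachments"]:
        print(f'{item["verdict"].upper():8}{item["filename"]}: {item["category"]} ({item["advice"]})')
```

Password-protected archives cannot be told apart by name alone, so the archive verdict is the same either way; the check is a triage aid, not a substitute for the human questions in the "Examine Message" step.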
A USER'S GUIDE: WAYS TO PROTECT YOUR PERSONAL DATA

1. Don't click that link!
What to do: Don't click links in emails. Instead, type the URL you want directly into the browser.
Why: According to Microsoft, phishing is still the number one favorite method of cyber-attacks.

2. Use two-factor authentication
What to do: Use a second factor for logging into accounts.
Why: If you have a robust two- or multi-factor in place, you are much less likely to lose personal data due to phishing.

3. Delete recorded conversations
What to do: Regularly delete any recorded conversations used by your personal assistant.
Why: There have been cases where Alexa revealed personal data to unknown persons without consent.

4. Keep it clean — delete old files
What to do: Make sure you keep data replication to a minimum. Delete old files you don't use.
Why: There can never be 100% security, but reducing the places that can be compromised helps lessen your risk.

5. Be less social
What to do: Minimize the amount of personal data you have on social media platforms.
Why: Information like your pet's name or mother's maiden name is sometimes used to recover account logins. Don't give hackers an easy way into your online accounts!

6. Don't sync for sync's sake
What to do: Disable automatic file and media sharing whenever possible.
Why: A lot of devices set up cloud syncing when you first configure the device. Check if you really want to store these data in the cloud.

7. Keep off the beaten track
What to do: Disable location tracking on each app.
Why: A recent study of almost 1 million Android phones demonstrated that apps regularly harvested tracking data.

8. Let sleeping Bluetooth lie
What to do: If you are not using Bluetooth, switch it off.
Why: Bluetooth vulnerabilities can allow data to be siphoned off your device.

9. Encrypt stored data
What to do: Encrypt any data you store on hard drives and use an email encryption tool if you share personal data.
Why: Encryption is a layer of protection that can prevent lost or stolen data from being exposed.

10. Patch your devices
What to do: Keep your computers and mobile devices patched and up to date.
Why: Software vulnerabilities allow malware to infect your device, which can steal data and login credentials.

Sources
1. Stolen PII & Ramifications: Identity Theft and Fraud on the Dark Web, Armor Blog
2. Identity Fraud Hits All Time High With 16.7 Million U.S. Victims in 2017, Javelin Research
3. Security Intelligence Report (SIR), Microsoft
4. 2018 Data Breach Investigations Report, Verizon
5. Alexa user gets access to 1,700 audio files from a stranger, TechCrunch
6. Woman says her Amazon device recorded private conversation, sent it out to random contact, KIRO 7
7. Binns, R., et al., Third Party Tracking in the Mobile Ecosystem, Association for Computing Machinery
8. The Attack Vector "BlueBorne" Exposes Almost Every Connected Device, Armis
9. Breach Level Index, Gemalto



Top 10 Tips for Password Security

Know your guidelines
Your organization has its own policies for password security. Know them and push them to the limits! If they allow passwords of 8-20 characters, always make it 20.

Longer is better
New research says longer passwords are harder to guess. "Wine" is short; "1998dontdrinkwinewithbadchee$e-2002worstweddingEVER" is long.

Uncommon sense
Substitute uncommon words for common ones (IGUANACOLOSSUS rather than DINOSAUR). Try to avoid words found in dictionaries, if possible.

Think phrases, not words
A space is just another character in a string, so long phrases with spaces are effectively single unsearchable words. A phrase like "dinosaurs don't dance disco" is unique and memorable!

Choose something only you know
Think of something that makes sense only to you. This could be a private joke, a childhood nickname or an association only you would make.

Don't write it down
Put down the Post-Its! Choose a password you can remember without writing it down. If you absolutely have to write some down, write down a hint that would only make sense to you.

Don't repeat
Don't reuse passwords. If you've already used a password for another account, or used it previously for the same account, invent a new password.

Never share passwords
Passwords are like toothbrushes. Change them regularly and never share them with anyone!

If it hasn't worked before …
Know your common passwords. "Password1," "123456," "admin" and "qwerty" are all common passwords that hackers will always guess.

Don't use common substitutions
It's become common practice to replace letters with similar-looking numbers and symbols (E for 3, L for 1). These are known substitutions and will not help make a password stronger.

Learn more at infosecinstitute.com ©2019 Infosec, Inc. All rights reserved.


Protecting Devices & Media
Top Eight Tips

When it comes to information storage, media can mean anything from computers and hard drives to printouts. Here are some top tips for protecting all forms of devices and information media.

Determine your priorities
Know what devices and media hold the most sensitive information, and stack your priorities accordingly. Some may need more protection than others.

Be familiar with the rules and regulations
Your organization and industry may have special regulations related to information handling. It's important to follow the special rules related to the devices, media and information you deal with.

Encrypt files and devices
Encryption encodes data so that it can't be read without a special password. Even if an attacker steals the whole device, they won't be able to read an encrypted file.

Lock up sensitive information
Media containing sensitive information should be locked up and carefully monitored. Keep a clean desk and don't leave papers or removable drives lying around.

Use strong passwords
Strong passwords are key to protecting devices and the information on them. Use long passwords and passphrases composed of uncommon words.

Keep your system and antivirus updated
An out-of-date device may have security flaws that attackers can exploit. Your software and antivirus should be updated regularly via official updates from the manufacturer.

Keep regular backups
In case of disaster, backups are a lifesaver! Important information should be copied onto an authorized and secure backup location and stored separately.

Destroy when no longer needed
At the end of the information life cycle, information should be destroyed when no longer needed.



When you're ahead of the game, you can't be gamed.
10 Ways to Be Cyber-Secure at Home

Identify your perimeter
Less is more! The fewer connected devices and entry points you have, the safer your network is.

Secure your Wi-Fi network
Routers often have default credentials that people don't know about. Disable the "remote configuration" option in your router and change both your Wi-Fi password and your router password.

Update software and devices regularly
Regular updates make you less vulnerable to attack. Only download updates from the manufacturer and enable auto-updates when possible.

Watch out for insecure websites
Always use HTTPS for sensitive communications. Don't ignore browser warnings and always remember to check the website address carefully for misspellings and oddly-placed letters or numbers. When in doubt, manually enter the URL in your browser.

Back up your files
Backups save your information if your device breaks or is taken over by an attacker. Back up files to a removable device that can be locked away safely, such as a CD or flash drive.

Don't download carelessly
Files can contain malware, and websites aren't always what they appear to be. Always verify sender identity before downloading files and remember: If it comes from an oddly-spelled email or is hosted on a site that makes your browser generate a warning, stay away!

Encrypt devices to deter thieves
Encryption renders files unreadable without the correct key. Some devices offer the option to encrypt individual files or the entire device. Consider which solution suits your needs best.

Practice password safety
Choose long passwords containing uncommon words. Use unique passwords for sensitive accounts and a password manager to help you remember them.

Always use antivirus software
Antivirus needs updates, too! Set it to auto-update.

Keep yourself informed
New cybersecurity bugs and attacks pop up every week. Staying informed about the latest threats will help you be safe!



Ten Tips for Physical Security

1. LOCK DOWN DEVICES
Place tablets and phones in a locked drawer when not in use. Never leave unsecured devices unattended!

2. USE ENCRYPTION
Many devices will offer the option to encrypt a file or the whole device. Encryption means that even if someone steals the device, they can't read your files.

3. KEEP A CLEAN DESK
Notes, devices and documents can convey sensitive information. Keeping everything locked up and out of sight will help keep that information out of an intruder's hands.

4. PICK UP YOUR PRINT JOBS ASAP
Printouts often contain sensitive information. Be sure to pick up your print jobs right away.

5. DESTROY BEFORE DISCARDING
Documents and electronic files need to be destroyed before the medium itself is thrown out or recycled.

6. DON'T LET PEOPLE FOLLOW YOU IN
Entering the building is the first step for many attackers. Everyone who needs to be there has their own key card; don't let strangers persuade you to let them in!

7. BE AWARE OF SOCIAL ENGINEERING
Social engineers deceive people in order to manipulate them into giving out valuable information or making mistakes. Be aware of the common social engineering tricks, such as pretending to be a delivery person to access a building.

8. BACK UP FILES
Mistakes or accidents will happen, and something will get lost, broken or destroyed. Keeping regular backups will save you from having to redo your work.

9. KNOW GOVERNMENT AND WORKPLACE POLICIES
Your industry may fall under special government regulations for physical security. It's important to know the policies that apply to your situation, whether they were put in place by the company or the government.

10. KEEP AN EYE OUT
Be aware of your surroundings. Intruders may eavesdrop or spy on you over your shoulder! If entering a PIN on a pad, shield the pad with your hand.



Knowledge is your best defense.
Recognize and Combat Social Engineering

CYBERCRIMINALS

Want access to something sensitive
They want your boss's information or the number of an account, or even want to get into the building. Stand firm and ask for proof of identification.

Exert pressure on you
Social engineers want you to act without thinking. If someone is pressuring you to do something without giving you time to consider it, that's a sign of a social engineer.

Send offers too good to be true
You've won the lottery! Or not. If an offer or opportunity seems too good to be true — it probably is.

Pretend to be a client or authority figure
Social engineers will impersonate clients, bosses, friends, family or others who may be able to influence you. Always take extra steps to prove their identity!

Are unwilling to prove identity
A social engineer will often deflect or get angry when asked to prove their identity. They may try to stop you from contacting other people for verification or refuse to give proof.

YOU

Examine all links and attachments
You may receive innocent-looking links or attachments which actually contain malware; examine carefully and don't click unless you're certain it's safe.

Don't use their contact methods
If a message might be from an impostor, contact the real person or organization through a known, safe method, such as a public phone number.

Escalate
If someone's story sounds fishy or they can't prove who they are, pass the issue — and your concerns — up the chain of command.

Don't let yourself be bullied
Social engineers may try to intimidate, emotionally blackmail or threaten you. Don't let it faze you.

Don't share information an attacker could use
If you share personal or sensitive information online, an attacker can harvest it for use in impersonation or attacks.



Tips for Spotting SMiShing and Vishing

Look out for social engineering
The attacker's goal is often to convince you to talk to them so they can trick you into sharing sensitive information.

Be aware that urgency is a red flag
Attackers want you to react fast, without thinking about the consequences. Their phone calls and texts are made to provoke — claiming importance, danger or disaster.

Don't use their contact methods
If you suspect SMS phishing or voice phishing, don't contact them back using the methods they provide. Use an official phone number or website.

Remember that your phone can get malware
Getting malware onto your phone is one way attackers may breach a network. Always have antivirus on your mobile device!

Don't assume automated calls are legitimate
Some attackers will use text-to-speech devices or voice filters to sound like the automated calls used by legitimate organizations. Never assume a call is legitimate because it sounds automated.

Remember that caller ID is not foolproof
Attackers are capable of spoofing caller ID to fool their targets. Never rely on caller ID alone to prove identity.

Look out for common attacks
Fake security notifications and messages from government agencies are two common forms of SMiShing attacks. Vishers may impersonate government agencies, bill collectors, banks and others.

If you suspect SMiShing or vishing, report it immediately
SMiShing and vishing can lead to holes in the overall security network and result in major breaches or losses. Always report suspected attacks to your supervisor.

Don't show your hand
Keep your cards close to your chest. Never reveal sensitive information to someone who has called you. Call the organization back via an official number in order to fulfill information requests.

Don't click on links or download any software updates or apps from texts
Updates will never arrive via text message! Never click on a link in a text. Use a search engine or a bookmark to navigate to the site instead.

Tips to Recognize & Prevent Insider Threats

THEM

Are malicious OR misguided
Internal breaches can be intentional or unintentional. Insider threats can be malicious (deliberately causing damage) or accidental (making mistakes, forgetting to secure something or otherwise accidentally causing damage).

May be anyone
It's not just the everyday employees or higher-ups! An insider threat may be a contractor, a consultant, a vendor or a former employee.

Act out of the ordinary
They seek to work unusual hours, ask for access to restricted information or brag about sudden, mysterious financial windfalls.

May have different motivations
Money may not be the only obvious motivation. Malicious insiders may be motivated by perceived slights, political or religious leanings, job dissatisfaction or revenge.

Violate policies
Insiders violate policies by definition, either knowingly or unknowingly. Policies are put in place to protect customers, data and the company, and an insider's damage to the company will violate those policies.

YOU

Know and follow security procedures
Accidental insiders can cause breaches not through malice, but because they make mistakes. Following established procedures, and noticing when procedures aren't followed by others, can prevent potential mistakes.

Report suspicious behavior
If someone is acting suspicious or dangerous, management needs to know. Share your concerns with your supervisor. By reporting small signs, you could stop a problem before it becomes a disaster.

Trust but verify
If you suspect someone is an insider, be cautious. Verify their claims and maintain security until you can be certain of the situation: never share your password or access with a potential insider.

Practice good physical security and cybersecurity
Maintain a clean environment, lock up sensitive documents and password-protect and encrypt important files.

Know the signs of a disgruntled employee
Is someone picking fights with coworkers or angling to get fired? A disgruntled employee is one who may become an insider threat.



DON’T TAKE THE BAIT

Hooked again? Not so fast! Phishing emails want you to take the bait, but all it takes is one person
to spot the hook and this phishy specimen has to cut it out. He’s gonna offer you money, fame,
fortune — but he can’t give you straight answers, so send this phish back to the deep end.



PUMP UP YOUR PASSWORD

PASSWORD
SECURITY
When it comes to security, one password does a lot of heavy lifting. Pump up your password by picking long, uncommon
words that other people won’t think of, and let that strong password take some of the weight off your shoulders.



SMALL DEVICE. BIG PROBLEM.

MOBILE
SECURITY
It’s out of control! If an enemy hacks into your phone or mobile device, the information they get from it can cause destruction
and danger much bigger than your pocket-sized phone. Practice smart mobile security by using antivirus and never sharing
your passwords, and trip this monster up before its rampage can begin.



WELCOME TO THE LABYRINTH

SAFE WEB BROWSING
Tricks and traps! In the maze of the internet, exploring may reveal wonders or lead you into dangerous depths.
As you search, move slowly and don't let yourself be tricked by dead ends and fake friends — or your computer
may be caught in a trap you never saw coming.



THEY’RE IN!

REMOVABLE MEDIA
They’re already inside! Removable media devices can be planted for unsuspecting employees to take. Stop these
infiltrators in their tracks by turning over discovered CDs and USB drives to your security or IT departments.



WHOSE TUNE ARE YOU DANCING TO?

SOCIAL ENGINEERING
They want you to dance to their tune. Social engineers know what they want from you and your company, and
they’ll tell any lie they need to in order to make it happen. But you can cut the strings. Never take anything at
face value and always double-check the story they’re telling you, and there’s nothing this puppeteer can do.



WOULD YOU LET A STRANGER IN?

PHYSICAL SECURITY
What if you saw someone struggling to open a restricted door? Or asking to use your login
just for a minute? Keep your office and building secure by never opening the door
for unauthorized personnel … Because it only takes one mistake to let in danger.



SECURITY — THE ONLY CURE

MALWARE
It’s dangerous … and it’s spreading. Before you know it, your system is infected by the newest and most destructive
computer virus. The only weapon that can fight it is the human brain! Use your smarts and caution to avoid suspicious
downloads and phony browser warnings, and this infection will have no one to infect.



HOME, BUT NOT ALONE

When work comes home with you, it can cause a mess. Remote workers can still be targeted by attackers going after
company data, and that could mean you fighting dangers coming in through your own network. Kick out the intruders by
using strong Wi-Fi and router passwords, and lock the door with a VPN. Then you can be sure you’re really home alone.
