If you have financial and social media accounts, you have likely received a security notification when the service detects “unusual” activity.
This security notification can also be spoofed and used by cybercriminals to trick you into providing your phone number, email address, and password.
And the enterprising ones will send a fake security notification to corporate users, to mine corporate data. As soon as access is freely given, cyber attackers have various means to make money from the mined data.
Example of a fake security notification
Here’s an example provided by Kaspersky. Cybercriminals usually create exact copies of a real message. However, if attackers are hunting for access to an internal system, they often have to use their imagination as they might not know how the email should appear.
According to Kaspersky’s security experts:
“Everything about this message looks ridiculous, from the incorrect language to the rather dubious logic — it seems to be at once about linking a new phone number and about sending a password reset code. Nor does the “support” e-mail address lend credibility to the message: there is no plausible reason why a support mailbox should be located on a foreign domain (let alone a Chinese one).”
The cybercriminals are hoping that their victim, fearing for the security of their account, will click the red DON’T SEND CODE button.
What HR should include in their digital safe spaces program.
- Never click on links in automatic security notifications, whether real looking or not, unless verified by your IT department.
- On receiving a notification, check the security settings and linked details yourself by opening the website manually in your browser.
- A clumsily worded notification (as in the example) is a red flag and best ignored and deleted.
- When a security notification is received, even though it looks legit, always notify your IT department; it may be a sign of a targeted attack.
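The red flags above (a sender or “support” mailbox on a domain the real service does not own, links that lead away from the service’s own site, and an urgent “don’t send code” call to action) can be checked mechanically before a user or help desk decides what to do with a message. The following is an added example, not code from the original post or from Kaspersky: a small Python triage helper that applies those checks to a raw e-mail. The expected domain `example-bank.com`, the two sample messages, and every address and link in them are constructed for illustration.

```python
# Added example (not from the original post): triage a "security notification"
# e-mail against the red flags discussed above. All domains, addresses and the
# two sample messages are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the domain the genuine service sends its notifications from.
EXPECTED_DOMAIN = "example-bank.com"

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
URGENT_RE = re.compile(r"\b(don'?t|do not) send (the )?code\b", re.IGNORECASE)


def domain_of_address(header_value):
    """Lower-cased domain part of a From/Reply-To header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def body_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "".join(chunks)


def link_domains(html):
    """Registrable domains of every href found in the message body."""
    return {registered_domain(urlparse(u).hostname) for u in HREF_RE.findall(html)}


def triage(raw_message, expected_domain=EXPECTED_DOMAIN):
    """Return a list of human-readable red flags; an empty list means none fired."""
    msg = message_from_string(raw_message)
    flags = []

    from_dom = domain_of_address(msg.get("From"))
    if registered_domain(from_dom) != expected_domain:
        flags.append(f"sender domain {from_dom!r} is not {expected_domain!r}")

    reply_dom = domain_of_address(msg.get("Reply-To"))
    if reply_dom and registered_domain(reply_dom) != expected_domain:
        flags.append(f"reply-to/support mailbox {reply_dom!r} is on a foreign domain")

    body = body_text(msg)
    off_domain = sorted(d for d in link_domains(body) if d != expected_domain)
    if off_domain:
        flags.append(f"links point off-domain: {off_domain}")

    if URGENT_RE.search(body):
        flags.append("urgent 'don't send code' call to action")
    return flags


# Constructed sample: a spoofed notification in the style described above.
SAMPLE_PHISH = """\
From: "Example Bank Security" <security@example-bank-alerts.net>
Reply-To: support@example-bank-alerts.net
To: employee@corp.example
Subject: New phone number linked - Don't send code
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A new phone number was linked and a password reset code will be sent.</p>
<p>If this is not you, click <a href="http://example-bank-alerts.net/verify">DON'T SEND CODE</a>.</p>
</body></html>
"""

# Constructed sample: a notification whose sender and links stay on the service's domain.
SAMPLE_LEGIT = """\
From: "Example Bank" <no-reply@example-bank.com>
To: employee@corp.example
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed a new sign-in. Review it in
<a href="https://www.example-bank.com/security">your security settings</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample) or "no red flags")
```

The helper only automates the checklist; a message with no flags still gets the manual treatment the list prescribes (open the site yourself, tell IT), since a well-made copy of a real notification can pass every one of these checks.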
Dwayne, bro, do you have other info sec tips in mind?