Everyone makes mistakes, but when something as simple as a single click can have ruinous impacts on your identity, your bank account, and your business, the stakes get a lot higher. All it takes is one simple click on a malicious link in an email, text message, or on a website or application (and, in fairness, a double click on a malicious attachment) and it can take weeks, months, or even years to recover—if recovery is even possible. If you make the same mistake on the corporate network, the ramifications can be business-ending, cost tens of thousands of dollars to mitigate, or make the headlines for yet another security breach.
If one malicious clickbait scam may destroy you and your business, then why are so many people still making this mistake? This blog discusses the challenges with malicious links and attachments, the best ways to recognize them when they do appear, and how their impacts can be significantly reduced, if not altogether mitigated, by following simple cybersecurity hygiene guidelines.
Why is it so easy to fall for clickbait scams?
Whatever you want to call them—scammers, cybercriminals, hackers, attackers, or threat actors (and technically there is a difference)—their goals are fairly similar. They want to find the easiest path to compromise your identity or penetrate your company’s network. Malicious links are the keys to the kingdom for them. With one, they are most likely to do one of two things:
1. Sabotage: spread malware to disrupt or corrupt data, causing harm or inconvenience to you or your company (this can be detrimental to an organization).
2. Theft: lure an unsuspecting user into exposing valuables, such as data, identities, or money, or into granting a foothold on restricted systems from which the attacker can move laterally to reach restricted information or systems.
Attacks can happen online, in-person, and via other interactions on virtually any electronic device used for communications. This makes for a lucrative business model for threat actors. These organized crime units operate as “businesses” in geolocations that are out of the jurisdictions of law enforcement. They target foreign governments, people, and organizations with ransomware, blackmail, extortion, and other devious schemes. The results are profitable for anyone willing to forgo their morals or operate under the guise of patriotism for their nation state.
This is all because a seemingly innocuous little clickbait link can accomplish so much for the threat actor. It is highly advantageous for them to compel you to click it. This is called social engineering and uses myriad traits to bait you to click. In information security, social engineering is also known as “human hacking” because it involves psychologically manipulating people into performing actions or divulging confidential information, and then exploiting the mistake to gain inappropriate access to private information, assets, or other resources of value.
Social engineering scams leverage an understanding of the way people think and act to manipulate a user’s behavior. All the threat actor needs to do is understand what drives a user’s actions. With that knowledge, they can use deceptive tactics, like making them believe the email or website is real, the source is trustworthy, and that it is urgent to perform an action. They may also try to incite a heightened emotional response from you (fear, anger, excitement, curiosity, guilt, sadness) because humans are far more likely to take irrational or risky actions when they are in an undesirable emotional state.
Threat actors will also try to exploit a user's lack of knowledge, which is why many social engineering schemes sit at the forefront of cyberthreat innovation, where they can exploit vulnerabilities before many consumers even have the knowledge to look for them. Drive-by downloads and watering hole threats are good examples of these attack vectors. Additionally, users who don’t realize the full value of their personal data, like their phone number or birthdate, will be a lot less guarded about disclosing this information, and they often don’t have the foresight to protect themselves and their information from targeted attacks using these highly personalized tactics.
How can I tell a good link from a malicious link?
For the end user, determining if an email (or its links or attachments) is malicious can be tricky, but there are some basic practices anyone can implement to spot the schemes. Here are the top five that most cybersecurity experts recommend.
- Watch for mistakes and the odd display, construction, or formatting of the email, including misspellings, typos, poor grammar, or suspicious link or file names. The presence of these can help the end user determine if the message is deceptive. The context of the message or the time it was sent can also help to tip you off, including malformed times and dates. Likewise, irregularities in the URL, poor image quality, and outdated logos can all indicate the email is malicious or if you have been linked to a fraudulent website (and should leave immediately).
- Inspect the sender’s email address. If you receive a suspicious message—or any message asking you to click a link or download a document—check to see if it is coming from a legitimate email address, or review your company’s global address list or the social media profile that sent the message. Email addresses that are very clearly incorrect, or that would not be associated with a business account, are a clear giveaway. Additionally, watch for the more detailed imitators. Fake social media accounts and email addresses that mimic the legitimate versions are a growing trend, and substituting numbers or symbols for letters can make their authenticity difficult to determine. For example, using 0 for O or + for t can fool most individuals who choose not to perform a detailed inspection of the address.
- Prove or validate the identity of the sender. If you receive a suspicious email or message from a seemingly legitimate source, you can try contacting the source through an alternative communication vehicle, like a phone call. For instance, if you get a message claiming to be from your bank, call your bank to inquire about the message. If you get a notification about an online account, avoid the email and log into your account through your usual, verified process to determine if it could be a legitimate notification or if it is an attempt at a scam. Don’t click on the link in the email; navigate to the website on your own.
- Pay attention to your emotions. If the message triggers a curious, fearful, or negative response, consider your elevated emotional response a red flag. Emails can be just as threatening as being accosted, and keeping calm is crucial to determining a scam versus reality.
- Be wary of volunteering information—even basic data like your email address or phone number could leave you vulnerable. If it sounds too good to be true, it probably is. Giveaways and incentives are strong motivators, and thus common targeting methods and attack drivers. As a rule of thumb, never disclose your personally identifiable information to unknown or untrusted sources – especially over the phone or Internet.
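The first three items above (odd formatting and irregular URLs, sender addresses that swap numbers or symbols for letters, and checking where a link really goes rather than trusting its text) can be turned into an automated first pass. The checker below is an added example, not code from the original post or from BeyondTrust; the trusted-domain list, the substitution table beyond the post's "0 for O" and "+ for t", and every address and link it inspects are constructed for this example. It goes a little beyond the list by also flagging links whose host is a raw IP address, links that carry a user name in front of the real host, and links whose visible text names a different site than their target.

```python
"""Added example (not from the original post): flag lookalike sender domains and
deceptive links the way the checklist above describes. Trusted domains,
the substitution table and all inputs are constructed for this example."""
import ipaddress
import re
from urllib.parse import urlparse

# Number/symbol stand-ins that imitators use for letters. The post names
# "0 for O" and "+ for t"; the rest of this table is an assumption.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "+": "t", "$": "s", "|": "l",
})

# Constructed list of domains the organisation treats as legitimate.
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Something that looks like a domain inside a link's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def fold_lookalikes(host: str) -> str:
    """Map substituted characters back to the letters they imitate."""
    return host.lower().strip().translate(LOOKALIKES)


def under(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def same_site(a: str, b: str) -> bool:
    """True when either host is the other or a subdomain of it."""
    return under(a, b) or under(b, a)


def classify_host(host: str) -> list[str]:
    """Findings for one host name against the trusted list (empty = nothing odd)."""
    host = host.lower()
    try:
        ipaddress.ip_address(host)
        return ["raw IP address instead of a domain name"]
    except ValueError:
        pass  # a normal host name, keep inspecting
    findings = []
    folded = fold_lookalikes(host)
    for trusted in TRUSTED_DOMAINS:
        if under(host, trusted):
            return []  # genuinely the trusted site or one of its subdomains
        if under(folded, trusted):
            findings.append(f"lookalike of {trusted}: {host}")
        elif trusted.split(".")[0] in host:
            findings.append(f"trusted name embedded in unrelated domain: {host}")
    return findings


def check_sender(address: str) -> list[str]:
    """Inspect the From: address for malformed or lookalike domains."""
    if address.count("@") != 1 or not address.split("@")[1]:
        return ["malformed sender address"]
    return classify_host(address.split("@")[1])


def check_link(display_text: str, href: str) -> list[str]:
    """Inspect one hyperlink: where it really goes versus what it shows."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["link has no host"]
    findings = classify_host(host)
    if parsed.username is not None:
        # A user name before '@' is rarely legitimate in a mailed link and
        # makes the familiar-looking part of the URL differ from the real host.
        findings.append("user name in URL authority hides the real host")
    match = DOMAIN_IN_TEXT.search(display_text)
    if match:
        shown = match.group(1).lower()
        if not same_site(shown, host):
            findings.append(f"text shows {shown} but link goes to {host}")
    return findings


def scan_message(sender: str, links: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Run every check and return findings keyed by what was inspected."""
    report = {"sender": check_sender(sender)}
    for text, href in links:
        report[href] = check_link(text, href)
    return report


if __name__ == "__main__":
    # Constructed message: the sender swaps 0 for O, one link hides its host
    # behind a user name, and one link's text names a site it does not go to.
    demo = scan_message(
        "alerts@example-c0rp.com",
        [
            ("Verify your account", "https://example-bank.com@login-portal.test/verify"),
            ("www.example-bank.com", "http://198.51.100.7/login"),
            ("Unsubscribe", "https://mail.example-bank.com/unsubscribe"),
        ],
    )
    for item, findings in demo.items():
        print(item, "->", findings or ["no findings"])
```

A reviewer still has to decide what to do with the findings; the point of the script is that the mechanical parts of the checklist (folding substituted characters, comparing the visible text with the real host) are cheap to run on every message before anyone reads it.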
What’s the best defense against a malicious URL?
Knowing how to identify and avoid (or better yet, report) a malicious link is an important preventative strategy, but occasionally we all make a mistake. Whether the email or website looks real or fails to trigger our “fight or flight” response, we are never 100% secure in our ability to spot a bad link. Good cybersecurity hygiene can safeguard you when preventative education, training, and identification fail.
Cyber hygiene, or cybersecurity hygiene, is a set of practices organizations and individuals perform regularly to maintain the health and security of users, devices, networks, clouds, and data. It isn’t unlike our own personal hygiene. Showering frequently and brushing (and flossing) our teeth are the precautionary measures we take to prevent the spread of disease, reduce the risk of cavities, and overall maintain our physical health. In the same way, organizations can follow basic cybersecurity actions regularly to prevent data breaches and other security incidents.
Good cybersecurity balances routine procedures to ensure your computer is operating correctly and that you (as a user) are operating it safely. By maintaining good cyber hygiene, the risk of security incidents, data compromise and loss, operational interruptions and downtime, financial loss and government fines, damage to reputation, and legal liability risks are all minimized. Furthermore, the impacts of a malicious click can be significantly reduced, and the most common attacks can be thwarted by implementing simple concepts like least privilege.
In other words, when something does go wrong, your cybersecurity hygiene makes the difference between the link you clicked doing nothing at all, or beginning a devastating compromise of you, your computer, and your company. This is because basic tenets, like the removal of administrative rights, can stop the injection and execution of malware since the malicious code does not have enough privileges to execute in the context of the identity that is interactively using the system. This is just one example, but many other basic cybersecurity hygiene concepts are important to minimize this risk, including vulnerability and patch management and endpoint detection and response (EDR) solutions. Altogether, they form the basis for a five-step model for endpoint cybersecurity hygiene and may protect an end user after they make a mistake.
What are 4 of the best practices for maintaining good cybersecurity hygiene?
Here are some basic cybersecurity hygiene practices you can implement now to keep you safe even after you’ve clicked a malicious link:
1. Allow the operating system and applications to apply recommended security updates or ensure your organization is applying them in a timely manner after public disclosure. This will help prevent exploitation of any known vulnerabilities associated with clicking an errant link or opening a malicious file.
2. Ensure your anti-virus solution is properly licensed, receiving updates, and periodically scanning your system for dormant malware or advanced persistent threats.
3. Interact with your computer as a standard user and not an administrator for daily activities. This concept of least privilege will thwart malware that needs administrative privileges to infect your computer. This one method is by far the most effective at stopping an attack and is recommended by cyber insurance carriers and regulatory compliance bodies alike.
4. Ditch your old computer. If your operating system is end of life, like Windows 7 or Windows XP, consider updating or replacing your system - an end-of-life system is no longer receiving security patches, and odds are the antivirus vendor is no longer providing updates since the platform has been deprecated. It is just not a safe device to have on the Internet, and hackers know this. Vulnerabilities and exploits are easy targets since end users have no way of mitigating the risks. If you cannot afford to replace the hardware, and it is not compatible with a newer operating system, consider initiatives like Google Chrome OS Flex to modernize your operating system and stay protected.
Why does cybersecurity hygiene matter if I click on a link?
In an ideal scenario, when you identify a phishing email or visit a fraudulent website, based on your training, you will be able to recognize the potential threat. You’ll then close the web page or email and report the threat to your information security department for analysis and to prevent others from receiving the same content, and if needed, have your asset assessed for additional threats. As more devious tactics come into play, however, it can become more and more difficult to spot malicious intent in something as simple as a hyperlink. This is why good cybersecurity hygiene is so important.
Let’s walk through a malicious link and click scenario so we can see where good cybersecurity hygiene comes into play, and the impact it can have on the situation.
The scenario: You open a phishing email or visit a fraudulent website and click on a malicious link. The results could compromise you and your entire organization.
| Bad hygiene | Good hygiene |
|---|---|
| That link attempts to infect your computer with malware when it is clicked. | That link attempts to infect your computer with malware and you see odd behavior on your system. Immediately disconnect from the network or Internet and inform your information security department. |
| The malware exploits the unpatched vulnerabilities in your operating system, browser, or associated third-party application and infects your system with a virus. | Your system should be regularly patched, and all vulnerabilities should be remediated so that malware cannot continue to exploit your system or others on the network. |
| Your anti-virus software is outdated and fails to detect a particular virus, allowing it to execute on your system. | Your anti-virus is up to date, which allows it to detect and eradicate the virus before it can execute. In addition, if your anti-virus solution contains EDR capabilities, any additional threats from the malware can be identified promptly even if the virus tries to obfuscate its signature. |
| You have full admin rights on your system, which means you can execute anything on your computer, change critical settings, and even uninstall security applications designed to protect your system. | You’ve removed administrative rights and are interacting with standard user privileges. This means the system has safeguarded the account that does have administrative privileges and has thereby mitigated 88% of your Microsoft vulnerabilities. This prevents most exploits from executing on your computer, therefore blocking the attack. |
| Your computer can openly share files, printers, and video with other systems on your network. Lateral movement between systems is wide open, and ransomware or other vulnerabilities can be leveraged in an attack. | Lateral movement between all assets on the network is restricted and any peer-to-peer communications have been disabled. This prevents malware and ransomware from spreading unattended from system to system. |
| A user can launch a remote access session (RDP, SSH, VNC, etc.) to a system anywhere with just a username and password. These open ports can be used during an attack, and malware can be injected once a session is active. | Your remote access sessions all use multi-factor authentication (MFA) and follow the concept of least privilege. The assets accepting remote access do not have any public listening ports to initiate the session. These ports can thus not be used during an attack, and malware cannot be injected into an active session. |
Why cybersecurity hygiene and a watchful eye can help block clickbait phishing scams
The risk is real. Everything from stealing your passwords to encrypting all your files (in the form of ransomware) is a potential outcome if you have poor cybersecurity hygiene. Cybercriminals are highly motivated to trick you into believing their malicious messages, and it can be easy to make a mistake. All it takes is one click on a bad link and the results can be devastating. However, through education and training to identify these fraudulent links, emails, and websites in the first place, and by following basic cybersecurity hygiene, you can mitigate most of the risk.
While this blog’s recommendations are not a 100% solution, these are the best things we can do to protect ourselves and our organizations if we do make a mistake. Our best recommendation is always training and education to prevent an erroneous click, but when it does happen, good hygiene, including the removal of administrative privileges, will be your best defense.
Endpoint Privilege Management (EPM) can help improve cybersecurity hygiene and protect users, and organizations, from simple mistakes (clickbait, malicious links, etc.) by removing admin rights and providing context-based application protection.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.