Welcome to the latest issue of Cyber Insights! In this edition we discuss the latest scam involving ChatGPT, unpack the most recent security breaches and share some tips about pretexting, including what it is and what to look out for!
Current Scams
ChatGPT, an artificial intelligence (AI) chatbot created by OpenAI, has risen in popularity since its release last year. Now, cybercriminals are using ChatGPT’s popularity to lure you into phishing scams. In one of these scams, cybercriminals try to trick you with a fake new ChatGPT feature.
The scam starts with a phishing email informing you that ChatGPT has a new feature to help you invest in the stock market. If you click the link in the email, you’ll be taken to a spoofed ChatGPT website and prompted to enter your contact information. Then, a representative will call you and request that you submit a payment to open your investment account. Unfortunately, if you submit a payment, that money won’t help you invest in the stock market. Instead, cybercriminals will steal it to invest in their malicious pursuits.
Follow the tips below to stay safe from similar scams:
- Before you click a link, hover your mouse over it. Then, ensure that the link leads to a legitimate, safe website that corresponds with the content in the related email.
- Be cautious of unexpected investment opportunities. Remember, if something seems too good to be true, it probably is!
- Never submit payments to a bank account provided in an email, text message, or phone conversation. Instead, navigate to the organization’s official website to submit a secure payment.
Security Breaches
Exploit: Supply Chain Attack
The Good Guys: Discount Retailer
Risk to Business: SEVERE
Discount warehouse retailer The Good Guys has experienced a data breach due to an incident at a service provider. The company is contacting 1.85 million past and present members of its Concierge loyalty program to let them know that some of their personal information may have been exposed in 2021 in an incident at the company that ran Good Guys’ loyalty program, Pegasus Group Australia (now called My Rewards). A Good Guys spokesperson said the company no longer has a relationship with My Rewards. The company said that no identity documents or financial information, such as driver’s license, passport or credit card data, was exposed in this breach.
Exploit: Human Error
National Health Service (NHS): Government Agency
Risk to Business: Moderate
Britain’s National Health Service (NHS) has experienced a data leak caused by an employee error. Around 14,000 employees at The Liverpool University Hospital Foundation Trust (LUHFT) have been informed that their personal data may have been exposed because of an employee blunder. In the incident, an employee mistakenly sent an Excel file containing personal and sensitive payroll information to hundreds of NHS managers and 24 external accounts. Impacted workers have been informed in a letter of apology, and the incident has been reported to the Information Commissioner’s Office.
Cybersecurity Tips
Pretexting
Pretexting is when the bad guys create a false scenario using a made-up identity or pose as someone you know to manipulate you into divulging personal or sensitive information. For example, they often pose as bank or credit card company employees or even as coworkers.
How it Works: Common Tactics of Influence
The bad guys will try to persuade you to let your guard down and give them what they’re looking for. Often, they don’t even need information specific to your organization to trick you.
See below for examples of two common tactics used to influence victims in pretexting scenarios:
- Influence by Authority
For example, you receive a call at work from someone demanding immediate assistance, using an aggressive and authoritative tone. This person establishes their authority by using an executive-level or official-sounding “job title”. They may even insult you for not being familiar with “who they are”. These scare tactics alone often sway victims into giving away sensitive information or complying with a request.
It’s human nature to act in a responsive manner around someone of authority, but don’t fall victim to false claims of authority!
- Influence by Obligation
For example, you receive a call from someone posing as a member of your IT department. The bad guy tells you they’ve found malicious activity on your work computer and begins questioning your recent browsing history–implying that you’ve reached a malicious website and have put the company in danger as a result. Then, they demand you update your password with a more “secure” password which they provide.
Would you feel obligated to comply with their instructions? Many unsuspecting individuals would–but don’t fall victim to a false sense of obligation!
How Can I Avoid Falling Victim to Pretexting Scenarios?
Remember the following to help protect your organisation against pretexting scenarios:
- Never give out sensitive information over the phone, online, or by email unless you are absolutely sure you know who you’re dealing with or you initiated contact with the individual.
- If the caller claims to be an employee, but their request seems suspicious, verify their identity through a trusted party and let them know you’ll call them back. If the caller questions the need for your verification efforts, explain that you’re following the process required for your position. Maintain a respectful but forceful attitude.
- Make sure you’re familiar with your organisation’s protocols for handling requests for information or ask your supervisor if you need assistance.
Find out more about cybersecurity for your business here or book a complimentary consultation with our Chief Information Security Officer, Chris Haigh here