In this class, we study the Digital Dark Arts.  

They “are many, varied, ever-changing, and [seemingly] eternal. Fighting them is like fighting a many-headed monster, which, each time a neck is severed, sprouts a head even fiercer and cleverer than before. You are fighting that which is unfixed, mutating, indestructible.”  

Today, should you choose to pay attention and follow the lessons of the illustrious Mistress Minerva, you might just learn a thing or two that’ll put you head (and shoulders) above the rest.  

First things first, let’s review our syllabus.  

Understanding Security Threats 

Class is in session.  

You are here learning to defend yourselves against that which cannot easily be seen.  

Dark creatures abound on the Internet. As we progress through our lessons, we’ll seek to identify and uncover them — all the while discovering what incantations and ingredients best keep their dastardly deeds at bay.  

These shadowy cybernauts seek to prey on us by accessing and damaging computers and networks. They revel in their ill-begotten spoils — in your business, personal, financial, or even medical information. And once they have it in hand, the damage has been done — no matter whether they’re holding it for ransom or auctioning it off to another digital shade. 

The average attack costs small to medium businesses $18,000. In the U.S. alone, 40% of cyberattacks swindle their victims to the cool tune of $25,000+, an 80% increase over last year. 

And do not be so naive as to think that all a cyberattack could cost you is money. As the professional sector is so often the target, both your reputation and customer base are at stake.  

In 2021, Norton discovered that 53% of mu—, I mean, adults, are more worried than ever about being a victim of cybercrime. Despite this, as of March 2022, 51% of SMBs have no protections against cyberattacks.  

As these shadows hone their prowess in performing feats of the darkest digital arts, so too shall we learn to combat them. 

Defend Against Phishing

Remember this: At their cores, cyber attackers are liars.  

They’ll feed you sweet words, send you messages appearing to be from positions of authority, and offer deals too good to be true, all in attempts to ensnare you.  

Their goal? To compromise you. To access your accounts and gain mastery over your assets.  

But how can they achieve such things without certain personal information, like usernames and passwords? 

There’s one vulnerability these silver-tongued, digital serpents know is always exploitable: You.  

These are known as social engineering attacks, and they skirt cybersecurity tools by way of human loopholes.  

Last year, the average cost of phishing attacks reached $4.24 million dollars. And that cost comprises a variety of things, like: 

• Stolen funds or direct monetary loss.
• Damage to brand and reputation.
• Compliance fines and penalties.
• Loss of customers.
• Loss of revenue.
• Cost of response and remediation.
• Legal fees.
• And others.

Do be careful — there are many forms of social engineering attacks. Below, we’ll learn how to identify them.  

A Compendium of Social Engineering Attacks  

• Phishing  
  • Here, digital dark artists use illusion to befuddle, confuse, and fish for your information. 
  • They’ll send emails appearing to be from a legitimate company asking you to update your payment method. Or you’ll receive a text from an unknown number asking that you confirm your next doctor’s appointment by clicking a link. Perhaps they’ll disguise malware or viruses as an unassuming attachment, lulling you into a false sense of security so that you’ll click “Download,” and infect your device.  
  • Phishing attacks are the handiwork of opportunistic cybercriminals — they have no specific target. 
  • Whispers say these attacks are alleged to have been created by a Nigerian prince, though it cannot be confirmed.  
• Spear Phishing
  • Like phishing, but with an intended target, either an individual or a larger organization.  
• Angler Phishing  
  • Fake customer service accounts on social media pose as legitimate business accounts in hopes that you divulge your login information to said service.  
• Whaling
  • A form of spear phishing targeting a high-profile or wealthy person or organization.
  • High-profile targets often equate to larger payouts, so these are especially enticing to those practicing the digital dark arts.
• Smishing
  • Phishing attempts done via SMS/Text.
• Vishing
  • Phishing attempts communicated via telephone.
• Baiting
  • Mind your curiosity. Nefarious cybernauts know that humans are prone to wonder and they use it to their advantage.
    •  Online Baiting Example: A pop-up or landing page claims that you’ve won an incredible amount of money! All you have to do is click a link to claim it. That link is chock-full of malware, unbeknownst to the target.  
    • Offline Baiting Example: Occasionally, our dark artists leave the Internet and enter the physical world. They may leave a non-descript USB stick strategically abandoned in a high-traffic cafeteria of a large business, knowing someone will be curious and plug it into their computer to find out more. But that USB stick is rife with malware — Avada Kedavra your network.
• Piggybacking (AKA Tailgating)  
  • Another form of in-person social engineering. In these scenarios, a scammer attempts to enter a secured premise immediately behind someone who has access.  
  • To prevent it, don’t let anyone into restricted areas after you. Ensure they have ID and make them use it to enter the premises, just as you had to do. 
  • These dark artists do not have your best interests at heart. They anticipate that you’ll be “too nice” to say anything to stop them, thereby giving them access. 
•  Business Email Compromise  
  • Last year, the FBI received almost 20,000 reports of business email compromise. 
  • These attacks range from cyber scammers spoofing emails posing as employees or other trusted persons requesting sensitive information in their emails, to full account compromise. That’s when a hacker gains access to a legitimate account, instead of just spoofing one to look like it.  
• Quid Pro Quo  
  • Fake tech support scams fall firmly into this camp. Someone calls or messages saying that your device is infected, or that you’re eligible for a software upgrade. All you have to do is give them your credentials and they’ll ensure you’re taken care of. Do not believe their lies.  
• Scareware  
  • Fear is a big motivator. Cyber attackers create pop-ups that appear in your browser saying something to the effect of, “Your system/device has been infected! Click here to fix.” 
  • Don’t click, never click. Doing so will ensure your device becomes infected. It’s a self-fulfilling prophecy. 

With only a cursory glance, perhaps you won’t realize these are naught but lies. They’ll send you sweet messages, deals simply too-good-to-be-true, and indiscriminate vagueries to pique your interest and ensnare you.

Use your powers of logic and observation. Ask yourself, “Is this too good to be true?” and “Does this message make sense based on the sender?”, “Do I recognize the sender’s domain name?” and “Why would this person be asking that of me?” If anything seems out of character, think twice about continuing any further.

If you engage positively with them — clicking their links or answering their texts — they win.  

Too much protection isn’t a thing. In addition to reviewing everything with a critical eye, you can use the following tools to keep your website and business email secure.  

Cryptology 

How does information remain secure when it’s communicated over the Internet? 

To answer that, we’ll need to take a step back and understand what happens when you traverse the interwebs.  

Whenever you open up your computer to visit a website you’re quite literally docking into the Internet like a boat would dock at a port. Once someone is docked, they’re then able to communicate information to and from others who are also docked. Ports are numbered differently to indicate their use and properties. These ports are called TCP, or Transmission Control Protocol Ports.  

SSL, or Secure Sockets Layer, is a technology that keeps internet connections secure. It encrypts and protects sensitive information and data as it’s sent between two systems (like your browser and another website or two servers). SSL stops cyber shadows and bots from reading or changing the information being sent between the systems (like credit card information during an e-commerce transaction.) 

Can data be transferred from one server to another without SSL? Sure can. But that’s like dancing with the devilish hackers themselves, exposing your information to any who care to intercept it.  

How can you tell if your connection to a website is secure? 

Look at the URL in the address bar in your browser. You’ll see that the URL starts with one of two things: it’s either HTTP or HTTPS. The HTTPS indicates a secure connection (and it uses port number 443.) HTTP is an unsecure internet protocol, (and uses port number 80.) 

Are you a website owner? It is your responsibility to secure your digital domain, both for you and your site visitors. Do so by purchasing and using SSL on your site.  

Advantages to using SSL: 

• Faster web page loading  
  • HTTPS loads pages faster than HTTP. Who waits around for a webpage to load nowadays when there’s always a competitor around the digital corner whose site might be faster? 
• SEO Improvement  
  • Your site is likely to rank higher in search results if you’re using HTTPS as opposed to HTTP. 
• Stop hackers and bad actors in their tracks  
  • SSL encrypts the data transferred back and forth between two systems. Even if these bad people and bots could somehow see the data being transferred, they won’t know what it says. 
• Maintain PCI Compliance  
  • PCI Compliance stands for Payment Card Industry Compliance. This is required by all credit card companies when making transactions online to further secure and protect against data and identity theft. 
  • Part of the PCI Compliance guidelines is that your site must use HTTPS, which means your SSL certificate needs to be configured on your site before you can accept payments via credit card for purchases. 
• No scary alerts  
  • If you’re using HTTP then chances are your site visitors are receiving notices telling them your website isn’t secure when they land on it. Frankly, this looks bad. It causes them to lose confidence in your site and odds are good they won’t be back. 

Protect Your Properties 

Do you seek the formula for digital security?

I’ll share it with you below. Strict adherence guarantees luck in your online endeavors…

Custodi Domum Digitalis Tuam

• Use strong passwords.  
  • Learn what makes for a strong password right here. 
• Install an SSL certificate.  
  • People are evermore distrustful of “HTTP” in their browsers and for good reason. They want to know you’re doing what you can to protect their information. Your SSL port indicates there’s a secure, encrypted connection keeping their data safe from prying eyes. 
• Use a reputable host.  
  • A reputable host has a proven history of maintaining their customers’ security and is capable of helping you address threats and malware should they occur.  
• Perform regular malware scans.  
  • Who has the time to manually monitor their online security? Sitelock Security protects your website from malware, viruses, hackers, and spam. It scans your site for these malicious things, automatically removing any it finds, and alerts you when something doesn’t look quite right. 
• Backup your site.  
  • Why? Backing up your website is the only guarantee you have that your site can be completely restored if it encounters an egregious issue. 
    • Human error (inadvertently deleting files), malicious cyber hackers, or outdated and unprotected themes and plugins can all introduce risk to your site.  
• Keep WordPress plugins or other site plugins and web apps up to date.  
  • The digital dark arts are ever-evolving. To stay ahead of them, keep your plugins up to date. Not doing so leaves your site vulnerable and open to attack. Not just that, but they can affect your site experience, causing issues for legitimate visitors.  
• Perform regular site audits and tests.  
  • As people, we’re constantly striving to improve ourselves. Why should that be any different for our websites and other digital properties? — Do they not represent us?  
  • This scroll contains the secrets to auditing your digital presence. Use it wisely.  
• Keep your finger on the pulse of your digital health.  

Protect Your Brand 

Digital dark artists understand the power of a name. It’s why they’re gunning for yours.  

Your name is irrevocably yours — it’s part and parcel of your brand — that special thing that makes you, you. It comprises every public-facing facet of yourself, and inversely, what people think of those facets – of you.  

Your personal brand CANNOT survive lies and deception.

This is why cybercriminals will always target it in addition to your digital properties, like your site and social media. If they capture your name, they control your narrative.  

How might they do this? Their nefarious options are legion.  

• Counterfeit websites.  
  • If a customer lands on a fraudulent site and suffers real-world harm (malware on their device, compromised sensitive information) they will always associate it with your name. Would you want to continue doing business with someone if their name alone caused you memories of traumatic events? Probably not.  
• Copyright piracy.  
  • Cyber shadows don’t care for honest work. They’ll illegally reproduce and disseminate your copyrighted materials, hurting your bottom line.  
• Trademark infringement.  
  • To convince others that they are who they say they are, hackers have no qualms about using trademarks in unauthorized manners.  
• Patent theft.  
  • A patent is representative of a great deal of work. Whatever your patent, behind it lies hours of ideation, creation, iteration, and finalization.  
  • A digital dark artist will take the easy route. They’ll do whatever they can to make, use, and sell your products without obtaining a license.  
• Impersonation on social media.  
  • Social media is a fantastic tool for building your brand and connecting with your audience. Until someone else does it for you and deceives your unwitting audience into revealing their private information.  

To protect your brand, follow these steps: 

• Acquire misspellings of your domain.  
  • Cyber hackers purchase variations of domain names in hopes of catching traffic that was intended for your site.  
• Purchase alternate domains/TLDs.  
  • Depending on your business, you might not want your brand name associated with a .sexy or .xxx domain name.  
  • Register those domains before someone else does and uses them to your detriment.  
• Focus on the aesthetics and elements of your brand that establish your authority.  
  • Increase trust in your customers’ inboxes by using a professional email address that matches your domain name. It helps them know they aren’t about to open a spam message and have their system infected with malware.  
  • Refer to this Branding and Website Design Checklist to ensure your brand is cohesive no matter where you are online — your site, your social media, and more.  

Abundant Caution Does No Harm  

It does not do to dwell on a false sense of security and forget the dangers that lurk about the Internet.  

Man the boundaries of your site, social media, and email accounts. Do your duty to protect your site, your customers, your brand, and your name.

And do make sure you aren’t late for class tomorrow.