Phishing Attackers Getting Trickier

Phishing Attackers Getting Trickier


Phishing attacks have become the most common method cyber attackers use to target people at work and at home. Phishing attacks have traditionally been emails sent by cyber attackers to trick you into doing something you should not do, such as opening an infected email attachment, clicking on a malicious link, or sharing your password.

While traditional phishing attacks continue today, many cyber attackers are creating advanced phishing emails that are more customized and harder to detect. They are also using technologies such as text messaging, social media, or even telephone calls to engage and fool you. Here are their latest tricks and how you can spot them.

Cyber Attackers Are Doing Their Research

Phishing emails used to be easier to detect because they were generic messages sent out to millions of random people. Cyber attackers had no idea who would fall victim; they just knew the more emails they sent, the more people they could trick. We could often detect these simpler attacks by looking for odd emails with “Dear Customer” in the beginning, misspellings, or messages that were too good to be true, such as Nigerian princes offering you millions of dollars

Today’s cyber attackers are far more sophisticated. They now research their intended victims to create a more customized attack. Instead of sending out a phishing email to five million people, or appearing to be generic emails sent by corporations, they may send it to just five people and tailor the attack to appear to be sent from someone we know. Cyber attackers do this by:

  • researching our LinkedIn profiles, what we post on social media, or by using information that is publicly available or found on the Dark Web.
  • crafting messages that appear to come from management, coworkers, or vendors you know and work with.
  • learning what your hobbies are and sending a message to you pretending to be someone who shares a mutual interest.
  • determining you have been to a recent conference or just returned from a trip and then crafting an email referencing your travels.

Cyber attackers are actively using other methods to send the same messages, such as texting you or even calling you directly by phone.

How to Detect These More Advanced Phishing Attacks

Because cyber attackers are taking their time and researching their intended victims, it can be more difficult to spot these attacks. The good news is you can still spot them if you know what you are looking for. Ask yourself the following questions before taking action on a suspicious message:

  1. Does the message create a heightened sense of urgency? Are you being pressured to bypass your organization’s security policies? Are you being rushed into making a mistake? The greater the pressure or sense of urgency, the more likely this is an attack.
  2. Does the email or message make sense? Would the CEO of your company urgently text you asking for help? Does your supervisor really need you to rush out and buy gift cards? Why would your bank or credit card company be asking for personal information they should already have about you? If the message seems odd or out of place, it may be an attack.
  3. Are you receiving a work-related email from a trusted coworker or perhaps your supervisor, but the email is using a personal email address such as
  4. Did you receive an email or message from someone you know, but the wording, tone of voice or signature in the message is wrong and unusual?

If a message seems odd or suspicious, it may be an attack. If you want to confirm if an email or message is legitimate, one option is to call the individual or organization sending you the message with a trusted phone number.

You are by far the best defense. Use common sense.





You probably have heard of terms such as virus, Trojan, ransomware, or rootkit when people talk about cyber security. These are different types of malicious programs, called malware, that cyber criminals use to infect computers and devices. Once installed, they can do whatever they want. Learn what malware is, what danger it poses, and most importantly, what you can do to protect yourself from it.

What Is Malware?

Simply put, malware is software–a computer program–used to perform malicious actions. This term is a combination of the words malicious and software. Cyber criminals install malware on your computers or devices to gain control over them. Once installed, malware can enable criminals to spy on your online activities, steal your passwords or files, or use your system to attack others. Malware can even take control of your own files, demanding that you pay a ransom to get them back. Many people believe that malware is a problem only for Windows computers. Unfortunately, malware can infect any device, from Mac computers and smartphones to DVRs and security cameras. The more computers and devices cyber criminals infect, the more money they can make. Therefore, everyone is a target, including you.

Protect Yourself – Stop Malware

You may think that all you have to do is install a security program like anti-virus software and you are safe from getting infected. Unfortunately, anti-virus cannot stop all malware. Cyber criminals are constantly developing new and more sophisticated malware that can evade detection. In turn, anti-virus vendors are constantly updating their products with new capabilities to detect malware. In many ways it has become an arms race, and the bad guys are usually one step ahead. Since you cannot rely on anti-virus alone, here are additional steps you should take to protect yourself:

  • Cyber criminals often infect computers or devices by exploiting vulnerabilities in your software. The more current your software is, the fewer vulnerabilities your systems have and the harder it is for cyber criminals to infect them. Make sure your operating systems, applications, browser and browser plugins, and devices are always updated and current. The easiest way to ensure this is to enable automatic updating whenever possible.
  • A common way cyber criminals infect computers or mobile devices is by creating fake computer programs or mobile apps, posting them on the Internet, and then tricking you into downloading and installing one. Only download and install programs or apps from trusted online stores. Also, stay away from mobile apps that are brand new, have few positive reviews, are rarely updated, or have been downloaded by a small number of people. No longer using a computer program or mobile app? Delete it.
  • Cyber criminals often trick people into installing malware for them. For instance, they might send you an email that looks legitimate and contains an attachment or a link. Perhaps the email appears to come from your bank or a friend. However, if you were to open the attached file or click on the link, you would activate malicious code that installs malware on your system. If a message creates a strong sense of urgency or seems too good to be true, it could be an attack. Be suspicious, common sense is often your best defense.
  • Regularly back up your system and files to Cloud-based services, or store your backups offline, such as on disconnected external drives. This protects your backups in case malware attempts to encrypt or erase them. Backups are critical. They are often the only way you can recover from a malware infection.

Ultimately, the best way to defend against malware is to keep all your software and devices up-to-date, install trusted anti- virus software when possible, and be alert for anyone attempting to trick you into infecting your own system. When all else fails, regular backups are often the only way you can recover.



FROM: SANS Security Awareness

While social media is a fantastic way to communicate, share, and have fun with others, it is also a low-cost way for cyber criminals to trick and take advantage of millions of people. Don’t fall victim to the three most common scams on social media.

Investment Scams

Have you ever seen a post about an investment opportunity that promises a huge return on investment in an extremely quick amount of time with allegedly little to no risk? The reality is, these guarantees are really investment scams. Fraudsters simply steal your money after you pay them. These scams often include ads or success stories from past customers to promote the investments, but those are just fake testimonials to increase your trust. Often these investment scams are about investing in crypto-currencies or real estate, and payment is often made in crypto-currencies or other non-standard payment methods. If an investment seems too good to be true, it most likely is. Remember, there is no such thing as guaranteed, high-return investments. Only invest your money in trusted, well-known resources, not strangers you meet online pushing a get-rich-quick scheme.

Romance Scams

When criminals develop an online relationship with someone they’ve identified as lonely or vulnerable to trick them out of money, this is known as a romance scam. The criminal will use whatever tactics they can to build trust, including exchanging fake photos or sending gifts, then share a tragic story about needing money to pay for expenses such as hospital bills or for travel costs to visit the victim in person. To avoid actually meeting in person, these criminals may say they work in an industry that prevents them from doing so, such as construction, international medicine, or the military. They often request money as a wire transfer or gift cards to get cash quickly and remain anonymous. These types of scams are not only common on social media but with online dating apps. Be careful with people you meet online, take things slowly, and never send money to someone you have only communicated with online.

Additionally, if you believe someone you know may be vulnerable to such an attack or is in an online relationship that raises these flags, offer to help them. Sometimes it can be very difficult for someone engrossed in an emotional connection to see just how dangerous the situation has become.

Online Shopping Scams

Online shopping scams happen when you purchase items online at extremely low or unbelievable prices but never receive them. Tempting ads on social media will promote incredible prices and have links that take you to sites that appear to be legitimate and sell well-known brands, but these sites are often fake. Be wary of websites that have no contact information, broken contact forms, or use personal email addresses. Type the name of the online store or its web address into a search engine to see what others have said about it. Look for terms like “fraud,” “scam,” “never again,” and “fake.” Be very cautious of online promotions or deals that appear too good to be true. It’s far safer to purchase items that may cost slightly more, but from trusted sites that you or your friends have used before.

The good news is: You are your own best defense. You are in control. Just be on alert for scams like these and you will be able to make the most of social media safely and securely.

Learn To Spot “DeepFakes”

Learn To Spot “DeepFakes”


From: SANS Security Awareness

What Are Deepfakes?

The word “deepfake” is a combination of “deep learning” and “fake.” Deepfakes are falsified pictures, videos, or audio recordings. Sometimes the people in them are computer-generated, fake identities that look and sound like they could be real people. Sometimes the people are real, but their images and voices are manipulated into doing and saying things they didn’t do or say. For example, a deepfake video could be used to recreate a celebrity or politician saying something they never said. Using these very lifelike fakes, attackers can spin up an alternate reality where you can’t always trust your eyes and ears.

Some deepfakes have legitimate purposes, like movies bringing deceased actors back to life to recreate a famous character. But cyber attackers are starting to leverage the potential of deepfakes. They deploy them to fool your senses, so they can steal your money, harass people, manipulate voters or political views, or create fake news. In some cases, they have even created sham companies made up of deepfake employees. You must become even more careful of what you believe when reading news or social media in light of these attacks.

The FBI warns that in the future deepfakes will have “more severe and widespread impact due to the sophistication level of the synthetic media used.” Learn to spot the signs of a deepfake to protect yourself from these highly believable simulations. Each form of deepfake — still image, video, and audio — has its own set of flaws that can give it away.

Still Images

The deepfake you may see most often is the phony social media profile picture. The image below is an example of a deepfake from the website Below the image are five different clues that this could be a deepfake. You will notice that these clues are not easy to spot and can be hard to identify:


  1. Background: The background is often blurry or crooked, and may have inconsistent lighting such as pronounced shadows pointing in different directions.
  2. Glasses: Look closely at the connection between the frames and the arms near the temple. Deepfakes often have mismatching connections with slightly different sizes or shapes.
  3. Eyes: Deepfake photos currently used for fake profile pictures appear to have their eyes in the same spot in the frame, resulting in what some call the “deepfake stare.”
  4. Jewelry: Earrings may be amorphous or strangely attached. Necklaces may be embedded into the skin.
  5. Collars and shoulders: Shoulders may be misshapen or unmatching. Collars may be different on each side.


Researchers at the Massachusetts Institute of Technology, MIT, developed a question list to help you figure out if a video is real, noting that deepfakes often can’t “fully represent the natural physics” of a scene or lighting.

  1. Cheeks and forehead: Does the skin appear too smooth or too wrinkly? Is the age of the skin similar to the age of the hair and eyes?
  2. Eyes and eyebrows: Do shadows appear in places that you would expect?
  3. Glasses: Is there any glare? Too much glare? Does the angle of the glare change when the person moves?
  4. Facial hair: Does the facial hair look real? Deepfakes might add or remove a mustache, sideburns, or beard.
  5. Facial moles: Does the mole look real?
  6. Blinking: Does the person blink enough or too much?
  7. Lip size and color: Do the size and color match the rest of the person’s face?


Researchers say technologies like spectrograms can show when voice recordings are fake. But most of us do not have the luxury of a voice analyzer when an attacker calls. Listen for a monotone delivery, odd pitch or emotion, and lack of background noise. Voice fakes can be hard to detect. If you receive an odd call from a legitimate organization, you can verify if the call is real by first hanging up then calling the organization back. Be sure to use a trusted phone number, such as a phone number you already have in your contact list, a phone number printed on a bill or statement from the organization, or the phone number on the organization’s official website.


Be aware that attackers are actively using deepfakes. They can make fake accounts on social media to connect with or create fake videos to influence public opinion. Some are even selling their services on the dark web so other attackers can do the same. We don’t expect you to become a deepfake expert, but if you arm yourself with the basics of identifying the fakes, you’ll be far better at defending yourself. If you suspect you have detected a deepfake, report it to the website or source that is hosting the content.

Cyber Security Dos & Don’ts for Remote Working

Cyber Security Dos & Don’ts for Remote Working


During the past 2 years we’ve seen a huge shift to remote working due to the global health crisis, and despite some cyber security concerns, this may be a trend that will continue even once the pandemic passes. In fact, 74% of companies worldwide plan to encourage the trend of employees working remotely.

While this flexible working arrangement is definitely more convenient, it doesn’t come without its own set of risks — particularly in the realm of cyber security. In order to reduce the chances of your company becoming a target of a security risk or data breach due to people working from their home offices, it is important you reinforce some sound cybersecurity strategies.

Here, then, are some basic dos and don’ts to keep in mind if you are working from home, manage a remote team or full company of remote employees.

DON’T: Use public networks

Some public Wi-Fi networks need a password to log in, but that doesn’t automatically make them safe. Public networks are not secure, meaning other people can have easy access to it and there’s no firewall keeping you safe from malicious entities. One danger is you might end up logging on to a rogue network. This is essentially when a cybercriminal’s rogue hotspot pretends to be a public network, acting as a ‘middleman’ between you and the real network. This allows them to see all online traffic and even credentials you use.

DO: Ask employees to use a VPN

VPNs are a popular cybersecurity tool. While employees may use their own VPNs, some might skimp on it and go for the cheaper or even free ones. There are even fake VPNs out there that might end up stealing your data. Instead, opt for a business VPN, such as the Perimeter 81, which has a server designed for business users. They protect data and business security, not just the employees’. Confidential data and important files can be sent and accessed safely. Aside from security encryption, VPNs act as a proxy to the internet.

DON’T: Rely on just the home office router’s firewall

Home office routers already have default firewalls that keep intruders and third parties from infiltrating your personal gadgets. However, attackers have figured out how to hack them. Consider supplementing your home router firewall with a hardware firewall. It uses PCBs that are designed and manufactured using materials like solder mask, silk screen, and copper all on one board. The small board can accommodate elaborate security functions to ensure your network is safeguarded against external threats.

DO: Update your company’s software

Computer updates aren’t just there to add features and improve existing ones or to give you more speed. Software updates also patch security flaws. After all, cyber criminals are always coming up with new malware and trying to look for security lapses in your organizational IT infrastructure. So before you shrug off that software update notification, think twice as you might be putting your device and your business’s sensitive information at risk.

DON’T: Assume that your business is safe

This is the most important thing you should avoid. As previously mentioned, cybercriminals are always looking for ways to attack businesses and individuals. According to 2021 cybercrime predictions, there is a cyber attack every 11 seconds and it will cost the global economy at least $5.7 billion a year. Truth be told, the perfect security strategy doesn’t exist. However, having enough measures in place can significantly lower your chances of being targeted. It is also important for employees and employers, both, to have some basic level of cyber security training so that they understand what repercussions their actions can have.

DO: Learn about phishing attacks

Executives and cybersecurity professionals aren’t the only ones who need to know how to handle cyber attacks. Unfortunately, even the best VPNs and anti-virus software won’t be able to do anything if employees fall prey to phishing attacks. You can train them by conducting phishing simulation tests, which can help them recognize phishing attacks. On top of this, you can also consider holding internal training or providing them with high quality literature so they can educate themselves on the common cyber threats and attacks mechanisms.

First American State Bank offers a variety of personal banking and lending products to existing and new customers. We value personal banking relationships with our customers and strive to accommodate all your banking needs.

Spot & Stop Messaging Attacks

Spot & Stop Messaging Attacks


From: SANS Security Awareness – JANUARY 2022

Smishing (a portmanteau word combining SMS and phishing) are attacks that occur when cyber attackers use SMS, texting, or similar messaging technologies to trick you into taking an action you should not take. Perhaps they fool you into providing your credit card details, get you to call a phone number to get your banking information, or convince you to fill out an online survey to harvest your personal information. Just like in email phishing attacks, cyber criminals often play on your emotions to get you to act by creating a sense of urgency or curiosity, for example. However, what makes messaging attacks so dangerous is there is far less information and fewer clues in a text than there is in an email, making it much harder for you to detect that something is wrong.

A common scam is a message telling you that you won an iPhone, and you only need to click on a link and fill out a survey to claim it. In reality, there is no phone and the survey is designed to harvest your personal information. Another example would be a message stating that a package could not be delivered with a link to a website where you are asked to provide information needed to complete delivery, including your credit card details to cover “service charges.” In some cases, these sites may even ask you to install an unauthorized mobile app that infects and takes over your device.

Sometimes cyber criminals will even combine phone and messaging attacks. For example, you may get an urgent text message from your bank asking if you authorized an odd payment. The message asks you to reply YES or NO to confirm the payment. If you respond, the cybercriminal now knows you are willing to engage and will call you pretending to be the bank’s fraud department. They will then try to talk you out of your financial and credit card information, or even your bank account’s login and password.


Here are some questions to ask yourself to spot the most common clues of a messaging attack:

  • Does the message create a tremendous sense of urgency attempting to rush or pressure you into taking an action?
  • Is the message taking you to websites that ask for your personal information, credit card, passwords, or other sensitive information they should not have access to?
  • Does the message sound too good to be true? No, you did not really win a new iPhone for free.
  • Does the linked website or service force you to pay using non-standard methods such as Bitcoin, gift cards or Western Union transfers?
  • Does the message ask you for the multi-factor authentication code that was sent to your phone or generated by your banking app?
  • Does the message look like the equivalent of a “wrong number?” If so, do not respond to it or attempt to contact the sender; just delete it.

If you get a message from an official organization that alarms you, call the organization back directly. Don’t use the phone number included in the message, use a trusted phone number instead. For example, if you get a text message from your bank saying there is a problem with your account or credit card, get a trusted phone number on your bank’s website, a billing statement, or from the back of your bank or credit card. Also remember that most government agencies, such as tax or law enforcement agencies, will never contact you via text message, they will only contact you by old fashioned mail.

When it comes to messaging attacks, you are your own best defense.