As we enter the summer period, many people find themselves distracted by family gatherings, BBQs, vacations, and well-deserved breaks. While these moments are important for employees to recharge and enjoy time with their families, they also present a heightened cyber security risk. A distracted employee is a complacent employee, which is exactly what cyber criminals hope for.
The Hidden Dangers of the Holidays
Research has found that phishing and other forms of cyber attack spike significantly during public holidays, as well as the summer and Christmas periods, with hackers exploiting distracted employees during this time, often using social media to profile and target them. As the summer holidays approach, people become more preoccupied with holidays and holiday planning, often forgetting their essential cyber security training, making them more susceptible to malicious emails, fraudulent websites, and social media scams.
Even an innocent backyard summer BBQ can present its own dangers. Oddly specific, right? Well, this is exactly what happened in 2024 to Linus Tech Tips, one of the largest tech YouTube channels, who fell victim to a phishing scam that compromised its X (formerly Twitter) account.
The Linus Tech Tips Phishing Attack
During a pool party and BBQ at his home, Linus Sebastian, the founder and CVO (Chief Vision Officer) of Linus Tech Tips, received an email alert claiming that his Twitter account had been accessed from a suspicious location in Russia.
He clicked on a link in the email to reset his password, assuming it was a legitimate request. The email and the subsequent website he was guided to looked like X (formerly Twitter). It even asked him to confirm information such as an MFA code. Unfortunately, this email and website were both fake, designed to look like X (formerly Twitter) to steal his login and MFA credentials so that cyber criminals could take control of the account for malicious purposes.
As Linus later admitted in a detailed video on the WAN Show about the incident, he wasn’t being careless but was simply distracted. His attention was divided between managing the party, the BBQ, and securing his account.
The email he received seemed urgent and linked directly to a password reset page that appeared genuine at first glance. However, upon further investigation, the URL was suspiciously different from the official X (formerly Twitter) domain. Linus entered his password, but the page continued to ask for more information, such as his email address and phone number, and his two-factor authentication (2FA) code. This was a clear red flag that he overlooked in the heat of the moment, believing it to be part of the security confirmation process.
After entering his credentials, Linus then received a series of legitimate password reset emails, which confused him further. This was the cyber criminals accessing the company's accounts and resetting the passwords to lock the company out. It wasn’t until later that he realised the attack had been a phishing attempt.
How did this happen?
Linus, like many people who receive regular training on cyber security, thought he was above falling for such scams. He knew the standard advice: always navigate directly to a site to reset your password, rather than clicking a link in an email, and if an email seems urgent, take a breath and assess the situation before acting.
However, a combination of distractions, a convincing email and website design, and a sense of urgency around a “suspected login from Russia” within the phishing email contributed to this mistake.
As cyber security expert John Hammond later demonstrated in a detailed analysis, the page contained several subtle flaws, including strange language use, broken links, and an unfamiliar email address that should have been immediate indicators of a scam.
This just goes to show that even the most tech-savvy of individuals can fall victim to phishing attempts, especially when they are distracted.
The Impact of Cyber Security Complacency
This Linus Tech Tips phishing incident highlights the dangers of complacency during the holiday period. Whether you’re busy managing your business, spending time with your family, or simply enjoying a quiet evening, it's easy to overlook the basics of cyber security when you're distracted. Cyber actors thrive on these lapses.
In this case, even with a complex password and a two-factor authentication code in place, the attackers were able to capture this data and act on it quickly, before the 2FA code expired.
A more cautious approach, such as manually navigating to the X (formerly Twitter) website to reset your password and not relying on an email link, could have prevented this attack altogether.
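The URL mismatch described above can also be checked mechanically by a mail filter or during triage. The following is an added example, not code from the original article or from X: it extracts every link from an email body and flags any whose host is not an official domain or a subdomain of one. The domain list and the sample email are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the domains the real service links to.
OFFICIAL_DOMAINS = {"x.com", "twitter.com"}

# Constructed sample email body (not the real phishing email).
SAMPLE_EMAIL = """
<p>We noticed a login from a new location.</p>
<a href="https://x.com/settings/password">Account settings</a>
<a href="https://help.twitter.com/en">Help centre</a>
<a href="https://x.com.account-verify.example/reset">Reset password</a>
<a href="https://twitter.com@login.example/reset">Secure your account</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML document."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def is_official(url, official=OFFICIAL_DOMAINS):
    """True only for https links whose host is an official domain or a
    subdomain of one. Substring checks are not enough: the official name
    can appear as a prefix of another host or in the userinfo part."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return any(host == d or host.endswith("." + d) for d in official)

def suspicious_links(email_html):
    """Return the links in the email that do not point at an official host."""
    collector = LinkCollector()
    collector.feed(email_html)
    return [url for url in collector.links if not is_official(url)]

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_EMAIL):
        print("suspicious link:", url)
```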
How can you protect yourself or your business?
The risks of cyber security complacency are high, especially when you’re caught up in the excitement of holidays and spending time with family. However, there are several essential steps you should always try to remember to protect yourself:
Be wary of emails and links: Always be suspicious of unsolicited emails, especially those that are urgent in tone or request personal information. If you receive a password reset email or an “urgent” alert, navigate to the website or service manually by typing the URL into your browser (or opening their app) rather than clicking on links in the email.
Use strong, unique passwords: One Password, One Service! We will keep saying this over and over. Do not reuse passwords across multiple sites, especially across similar sites/services such as online shopping and social media. We recommend using a password manager to generate and store strong, unique passwords for each of your accounts.
Enable Two-Factor/Multi-Factor authentication (2FA/MFA): Protect all your accounts with 2FA/MFA wherever possible. This ensures that even if a hacker steals your password, they won’t be able to access your account without the additional factor. However, it is important to consider that in the context of the above phishing attack example, the attackers integrated this request into the attack. Phishing-resistant MFA, which requires an app prompt with an additional biometric authentication, would have been able to protect against this type of attack if X had implemented this feature.
Web Gateway Security: Tools such as Web Gateway Security act as a digital security checkpoint for websites that you visit, sandboxing websites and monitoring for Data Leak Prevention, alerting you to potentially fraudulent websites designed to capture data such as your login information.
Monitor accounts regularly: If you’re going on holiday or taking a break, ensure that you have checks in place to monitor your accounts. These include email alerts for logins from unusual locations, and impossible location login alerts, which are raised when an account logs in from two widely different geographic locations in a short period of time. This can help detect any suspicious activity before it escalates.
DON'T RUSH: As Linus learned the hard way, being rushed or distracted makes you more vulnerable. If you receive an urgent-looking email like the one Linus received, take a breath and carefully evaluate the context of the email, including any links and language, or messages that seem suspicious, even during moments of high stress or excitement. Even an email address can be spoofed, as was seen in the recent Google cyber incident, where emails appeared to come from a validated no-reply@google.com address. If in doubt, navigate directly to the website in question.
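The impossible location login check mentioned under "Monitor accounts regularly" can be sketched as follows. This is an added example, not code from the original article: it compares consecutive sign-ins per account and alerts when the implied travel speed is not physically plausible. The event format, the thresholds and the sample events are assumptions constructed for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events: (timestamp, account, city, lat, lon).
SAMPLE_LOGINS = [
    ("2024-07-06T14:02:00", "social-admin", "Vancouver", 49.28, -123.12),
    ("2024-07-06T14:31:00", "social-admin", "Singapore", 1.35, 103.82),
    ("2024-07-06T09:00:00", "finance", "London", 51.51, -0.13),
    ("2024-07-06T18:30:00", "finance", "Paris", 48.86, 2.35),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Return (account, from_city, to_city, km) for consecutive sign-ins
    that would need travel faster than max_kmh (roughly airliner speed)."""
    by_account = defaultdict(list)
    for ts, account, city, lat, lon in events:
        by_account[account].append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for account, logins in by_account.items():
        logins.sort(key=lambda e: e[0])
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue  # same metro area or geo-IP jitter, not travel
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous sign-ins far apart (hours == 0) always alert.
            if hours == 0 or km / hours > max_kmh:
                alerts.append((account, c1, c2, round(km)))
    return alerts

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

The London to Paris pair in the sample does not alert, because nine and a half hours is ample time for that distance; VPN and mobile-carrier exit points can still cause false positives, so alerts are a prompt to investigate rather than proof of compromise.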
How can TwentyFour keep your business protected?
Can we protect ourselves from complacency? Unfortunately, that is down to the individual. However, we can work with businesses to ensure that they have training and solutions in place that can protect them from these types of online threats. The 2024 Linus Tech Tips phishing incident is an important reminder that employees, even the most technical of them, must maintain constant vigilance against cyber threats, even during the summer and holiday seasons.
No one is immune to cyber threats, and complacency can have serious consequences. By taking the proper precautions, you can protect yourself and your business from cyber criminals looking to exploit your distractions.
For more information on how you can keep your business protected from phishing and other cyber security threats, book an appointment or take our FREE Cyber Security Health Check.