No one is immune to cybercrime, but it’s clear in the wake of so many highly publicized, mega data breaches that there is still a need for basic cybersecurity education.
The awareness is particularly important given the number of people who think their online habits are safe enough to protect their data. For example, in our latest Riskiest States Report, 88 percent of those surveyed believe they take the right steps to protect themselves online, while only 10 percent actually demonstrated knowledge of those steps.
The good news is that following a few easy steps can make a big difference in your digital security.
Let’s start with email. The 2019 Verizon Data Breach Investigations Report found that more than 90 percent of malware is distributed via email. Email remains a fairly well-known and popular exploit for cybercriminals because quite simply, it works. But the Verizon report also found that 90 percent of that emailed malware is distributed via macros, something that is not nearly as widely discussed as general email risks, like phishing.
Macros can be found in common office documents like Word or Excel attached to an email that, once opened, trigger a notification prompting you to click to enable the content. Doing so will enable the macro, thereby running a script that will download a malware payload that lets cybercriminals steal or encrypt your data. The emails typically have an air of urgency and appear to be from a trusted source – two ways that criminals trick people into quickly clicking to enable the content without a second thought. For example, an email might claim to be from a delivery service telling you to open the attachment to find out where a long awaited package is located, or from one of your favorite online retailers promising a gift card should you open now to take advantage of a big sale, or a subpoena stating that you are being sued and open the attachment to find out why.
Ideally, you should never enable the macro, but if you’re like most employees who receive hundreds of emails per day, taking the time to carefully review the characteristics of an email before deciding whether or not it’s legit is not usually an option. Webroot’s Mid-Year Threat Report also found that 19 percent of phishing attacks impersonate financial institutions, so it’s understandable that people may fall for a phony email that appears to be from their bank.
Fortunately, disabling macros is free, fast and one of the easiest ways to protect against common cyber threats. For PC users, open up any of the Microsoft Suite applications (i.e. Word, PowerPoint, Excel) and click on File, Options or View, Properties, Options. Scroll to the Trust Center and click on Trust Center Settings. Then click on Macro Settings, check the option to disable all macros without notification and click ok. For Mac users, once you’re in the Microsoft app, click on the name of the app at the top of the screen and go to Preferences. Click Security and check the option to disable all macros without notification. That’s it!
Make sure to take these steps for each account user, as the security options are unique for each. Spending the 30 seconds or so that it takes to disable macros will prevent you from being tricked by preventing the pop-up option completely, so you don’t even have to worry about clicking on the wrong thing and loading malicious content.
Another risk from enabling macros is form-grabbing, which is malware that can steal usernames, email addresses and passwords from forms on your computer. Getting access to that kind of data means criminals can take control of your email account and try to scam your co-workers, friends and family. Further, given that a majority of people reuse passwords across multiple accounts – 63 percent according to our report – and even share passwords, it’s not too difficult for your data to land in the hands of the wrong people.
That’s why it’s also critical to enable two-factor authentication (2FA) on any apps that offer it, including Facebook, Twitter and Instagram. 2FA makes it much more difficult for someone with your username and password to access your account because it requires you to take an additional step to verify your identity. For example, you might be asked to type in a unique code that is sent to your phone via SMS/text or place your thumb print on the home button on an iPhone – two things that a hacker likely would not have.
While most apps nowadays offer 2FA, they require you to enable it. Setting it up varies between Android and Apple devices, but typically you can go into the security settings section, click two-factor authentication, and choose one of the second factor options offered.
Disabling macros and enabling 2FA across all of your devices and apps are two simple, fast and free steps everyone can take to protect from a majority of cyber risks today.
Tyler Moffitt is a senior threat research analyst who stays deeply immersed within the world of malware and antimalware. He is focused on improving the customer experience through his work directly with malware samples, creating antimalware intelligence, writing blogs and testing in-house tools.