Transcript
Transcript: Discover Cyber Security: Morgan's mistake
[The text "Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité" appears onscreen.]
[The text "Canada School of Public Service | École de la fonction publique du Canada" appears onscreen.]
Morgan's Mistake
Social engineering is all about deception.
[Two pieces of paper with "REAL" and "R3AL" written on them swap places.]
There are many ways to trick people into thinking things are legitimate.
[A man has a thought bubble over his head that says, "Which one is the real document?" APPEARING IN SEQUENCE: Laptop with a red warning sign, laptop with a downloading icon, "DOB: 05/21/2002," an engineer working on a computer system.]
Using similar kinds of manipulation online has become a very successful way to get people to take actions they shouldn't take, such as clicking a malicious link, opening a malicious attachment, providing personal information, or making a change to a system they administer. Tricking people like Morgan.
[Morgan, with short blonde hair and a white shirt, sits in front of their computer.]
Meet Morgan.
[Many animated email icons fly into the back of Morgan's computer.]
Morgan gets hundreds of emails every day.
[A laptop screen showing numerous email headings appearing one by one. Most are requests for information; some contain reports, plans or submissions, while others require Morgan to activate something. An email heading appears at the top of the inbox with "New!" next to it; a mouse pointer appears on the bottom right of the screen and moves to click the new email heading. The email opens, and they click on the link to the attachment at the centre of the page.]
Morgan received an email with a quarterly report attached. The email looked as if it had been sent from the Director's personal account. Thinking it was about the branch's results, Morgan opened the attachment.
[A file download icon appears. The laptop screen then switches to a page with code on it and a lock unlocking in front of it.]
Once Morgan opened the attachment, the ransomware installed itself in the network, targeted a database full of important records and encrypted them.
[A threat actor in a burglar outfit appears on the left side of the screen with a speech bubble with money inside.]
The cyber threat actor demanded a ransom of more than $1 million to decrypt and restore access to the information.
[A lock appears on a laptop screen with code on it. It zooms out to show an engineer in a panic; the system is malfunctioning and a client is making an angry call to the human resources department.]
While the database was inaccessible, their department could not provide essential services to people in Canada.
[At the bottom left of the screen, a man is panicking. A thought bubble shows all of his files being compromised. Another man is calling on his phone. At the bottom right of the screen, a phone screen is showing a person using social media.]
People became worried about their personal information and service delays. They called in and commented on social media. This led to a spike in inquiries to the department, causing employees to have to work a lot of overtime.
[Three newspapers appear on screen with the titles "Government REPUTATION at Risk!", "CYBER ATTACK" and "Hundreds of Files Lost!"]
There were news articles describing the attack and the 'embarrassing missteps' that led to it.
[Bullet points appear.]
Morgan could have kept their department safe by learning about social engineering and by recognizing the signs of a phishing scam, such as receiving correspondence at work from a personal email address with which they had not communicated before.
[Green checkmarks appear over the bullet points. Morgan is thinking; there is a grey thought bubble over their head.]
Being asked to open an attachment should have given Morgan pause. They could have confirmed whether or not the attachment was legitimate by calling their director or communicating in some other way.
Don't take the bait. Don't repeat Morgan's mistake.
[This video was co-created by: Canadian Centre for Cyber Security | Centre canadien pour la cybersécurité, Canada School of Public Service | École de la fonction publique du Canada.]
[The Government of Canada logo appears.]
