The Human Factor

If you haven’t noticed, a large part of cybersecurity comes down to the human factor. It is by far the weakest link in the chain of securing your IT environment. If you choose to ignore this fact and neglect to implement a Cyber Security Awareness Plan, then you are risking more than you can imagine. But if you decide that a Cyber Security Awareness Plan is the smart choice and the right thing to do, you will not only help keep your business IT secure, but your most valuable asset – your employees – will benefit as well.

Educate your employees to be cyber savvy at work and they will enjoy the benefits at home as well. There are a few ways to get started with your Cyber Security Awareness plan. I feel the most important first step is to let them know why you are doing it and how they will benefit. This way you are being up front with them that cyber security is paramount to the operation of the business. You are also showing them that their personal and family security is important to you. But those words will ring hollow unless you follow through.

When you implement your Cyber Security Awareness training program make sure you:

    • Explain how they can use your tips and techniques at home to keep their loved ones secure online.
    • Share your experiences and encourage them to participate with ideas.
    • Let them know that if they make a mistake, the best thing they can do is report it immediately – don’t try to hide or ignore it.
    • Have them vote for a Cyber Security Awareness Champion (or you can appoint one).
    • Have a plan to ensure your program will be an ongoing part of your company’s culture.

This is not a definitive list of what you will need to do, but it is a good starting point.

If you would like some help teaching your employees to avoid phishing and other scams, contact us HERE. This not only helps protect your company but also your employees and their families from scams that can lead to identity theft or serious security breaches.

Amazon Scam | A New Twist

Watch Out for Latest Amazon Scam

This is a new twist on the Amazon scam. It does not contain any links. It does have an attached file, which I am sure includes malicious code.

Do you, your family and your employees know how to spot an email scam or phishing attempt? Someone who is an Amazon affiliate may just fall for this one. There are giveaways that are generally consistent with phishing and scams, and this one is no exception.

The most glaring one is the From address. The display name is “Amazon Marketplaces”, which may fool some people, even though it says “Marketplaces” where the real service is called “Marketplace”. The actual email address is not on an Amazon domain, as shown below.

Amazon Marketplaces <reservations@thebistr********dale.com>

Your Amazon Seller Fees VAT Invoice for 6/2019-ID (New-ID: 112-5591137-4708119)-[05/2019]

Dear email.address.was.here,

Please find enclosed an electronic tax invoice for the month of 6/2019 in HTML format. Please note that this invoice is not a request for payment.

To review your account summary or request other copies of your tax invoices, please log into your Seller Central account.

If you have any questions, please contact Seller Support.

Best regards,

Amazon Payments Services


Quest Diagnostics Data Breach

Quest Diagnostics Data Breach

The most recent data breach involves Quest Diagnostics. Quest is among the largest medical testing labs on the planet. The unfortunate thing about this breach is the magnitude: over 12 million people may have had personal, financial and other information compromised. What’s more, Quest was not the party that was hacked. In fact, it was a subcontractor working for the company Quest contracted with to handle their billing.

Third and Fourth Parties

This is really bad in many ways beyond the 12 million Quest customers who had their information stolen. While Quest was not hacked, they are still seen as the responsible party by their customers. Quest uses Optum360 for its billing collections. Optum360 in turn uses AMCA (American Medical Collection Agency) for those services. Apparently AMCA told Quest of the breach in mid May but was unsure of when the breach/hack occurred. The story is longer and more involved than I am going to engage in here, but this is the 30,000 foot overview.

Outsourcing

The point here is that you need to be specific when outsourcing operations. You need to know, and agree to, exactly who is going to be doing your work. This is especially true when it involves PII, PHI or financial information. The reason should be clear. The top stories in the news and other media all imply, on the surface, that Quest Diagnostics was the company whose systems were compromised. As you know, the media always wants the most compelling headlines. If they were to say AMCA was breached, fewer readers/viewers would pay attention.

My question is: who else uses AMCA for their collection services? How many other people’s information may have been stolen? What, if anything, will AMCA, Optum360 and Quest be required to do if identities are stolen? Can this information be sold to insurance companies? Could it be used against the victims in the future, perhaps in health care related situations or to increase their premiums?

Are Your Systems at Risk?

The details of the breach are still unknown. The fact remains that no business with an online presence is immune to having its systems compromised. The biggest threat to most businesses is not being hacked by some nefarious character; it comes from inside their own employee base. It could be a disgruntled employee intent on causing as much damage as possible, or someone who feels they don’t get paid enough and exfiltrates proprietary information to sell to the competition. But the biggest insider threat is an uninformed employee taking careless actions, like inserting a thumb drive of unknown origin or clicking on a link in an email.

Do you WannaCry

Do you WannaCry?

WannaCry Ransomware

Just the other day I wrote an article about the Top 5 Excuses why businesses do not have a cybersecurity program in place. In that article I mentioned the WannaCry ransomware worm, which grew into a worldwide threat in record time.

Guess what?

It’s back. WannaCry, aka WannaCrypt 2.0, is back and is reported to have infected over 75,000 users in Europe on Saturday. That number grew to more than 200,000 by Sunday.

“Wannacry is by no means the biggest threat ever, but by nature (using recent windows vulnerabilities) it targets organizations who set low priorities for IT security, such as hospitals. Historically, only a small percentage of victims pay up. The majority of the damages are in lost productivity or even lost revenue due to customer-facing processes breaking.”
WannaCry: What You Need to Know www.securelink.net

Are You a Target?

The primary targets are the low hanging fruit: businesses that put low priority on securing their systems. At first the criminals were asking a mere $300 to unlock your files. They seem to be upping the ante as time passes. There have been 3 bitcoin accounts identified as connected with this attack. The criminals had collected in excess of $35,000 by Sunday. I am sure that number has increased dramatically since.

How Big is Your Bankroll?

How much revenue can you afford to lose because your customer facing systems are locked down? Your employees, their families and your own family can also be easily affected. What will it cost then? If you do pay the ransom, do you really believe you are free from the grip of the perpetrators? It seems to me they will own you forever. Well, at least until a fix is released, maybe.


Amazon Prime points scam

Scammers try everything, including posing as Amazon Prime. With a subject line of ‘Your Amzon-Prime bucks  are expiring’ scammers attempt to elicit a response from unwary people. Once inside, you find they employ urgency to get you to use your bucks before it’s too late. All of it is designed to get you to click on their link.

The link contains a script that will infect your system with malware. The malware may lie dormant for a long time and you will not even know it’s there. One day in the future you will be made aware that there is a problem with your device. By that time it is too late; the damage has been done. The malware may have gathered all of your personal info and sent it along to the scammer.

Then it’s: Congratulations! Your system has been hacked and your identity has been stolen!

That is why it is so important to be ever vigilant when you are online. Emails and nefarious sites lurk in every corner of the web.


Password Security

We have all heard the password security advice: change your passwords regularly, and do not ‘reuse’ passwords on different sites. This is sound advice, but how many people really follow it? The numbers are shocking. Surveys consistently show that over 90% of people know they should not reuse passwords between sites, but up to 83% still do.

A survey by Cyclonis confirms these numbers stating “an astounding 83.15% of respondents said they use the same password for multiple sites. …a small but shocking amount of users, 2.20%, said they use the same password for every single website.” You can read the full article at Cyclonis. They also have a nifty tool you can use to see how well you may or may not be doing regarding your password strength and reuse habits.

Businesses need to pay special attention to their password policies. According to an article on Security Boulevard almost 50% of people say there is no difference between the passwords they use at home and those they use at work.

Following a few simple rules can keep your personal information secure.

    • Longer passwords are better. Make sure they are more than 8 characters long at a minimum.
    • Use numbers, special characters, and upper and lower case letters.
    • Replace letters with numbers or special characters, e.g. 3 for E, 5 for S, ! for i.
    • Change your passwords regularly.

If you need a bit more encouragement, think about it this way. First, if you reuse passwords, or even just add a letter or number at the end, it takes no time at all to crack those passwords. You have to remember that time is on the bad guys’ side. They can just sit back and let their computer do the work, even if it takes their password cracker days to crack.

If they get your email password, they have access to all of your emails that have not been deleted. That probably includes links to your bank, school, work, your kids’ school and other activities, as well as purchases you have made.

Once they have the right information, you are owned! The majority of people discover identity theft within 3 months, but up to 15% of people don’t find out for more than 3 years. The cost to fix everything is tremendous: not only financial burdens that can escalate to the millions and bankruptcy, but also emotional stress. In addition you can count on missing days from work and possibly even lawsuits. Your credit will likely suffer as well, and that is something you will be paying for for several years after you get everything straightened out.

Most of these problems can be solved or avoided with a Security Awareness Program that includes an easily implemented password policy.

Safeguard your business with a Security Awareness Program that will help protect your business and show your employees how they can protect their families too. Contact us HERE

You have a payment in process…

Email Phishing Scams

Below is an email that is just phishy.
FYI: as usual, I have disabled the URLs.

subject: $41,361.35 sitting in our payment queue

Hey there,

You have a payment in process and will be credited to your account soon…

Amount: $15,102.80

VERIFY PAYMENT NOW <http://pt5.abellacarl.trade/btrevc>

If this email was sent to you by mistake, please ignore it.

Good luck,

Alfie Bentley
Snap Cash Support

This is the type of spam/scam email that may catch an unsuspecting person by surprise. Regardless of whether or not it takes a person to a site that downloads malware, it certainly has the potential to get you put onto another mailing list that may not be so benign.

Among the ‘suspicious’ items in this email is that the unsubscribe link is very far down a page that is full of blank space. It also has a supposed “Report Abuse” link that has the same URL as the unsubscribe link, as shown below.

Unsubscribe
<http://www.lettermelater.com/unsubscribe.php?mid=1111111&email=********.***>  from this newsletter instantly.

Report Abuse
<http://www.lettermelater.com/unsubscribe.php?mid=1111111&email=********.***>

I suggest simply marking this email as junk/spam and, if need be, blocking the sender’s address.
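Two of the tells called out on this page, the From display name that borrows a brand while the address sits on an unrelated domain (the Amazon Marketplaces email above) and link labels such as “Unsubscribe” and “Report Abuse” that resolve to one and the same URL (this email), can be checked by a script rather than by eye. Below is an added example written for this page, not code from the original posts, using only the Python standard library. The brand-to-domain table, the two sample messages and every domain in them are constructed for illustration; a real deployment would keep its own list of the sender domains each brand legitimately uses.

```python
# Added example (not from the original posts): header and link triage for a
# suspicious email. BRAND_DOMAINS, RISKY_SUFFIXES and both samples are constructed.
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption for illustration: which sender domains a brand legitimately uses.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk", "amazon.de"}}
# Attachment types worth a second look, including the HTML "invoice" trick.
RISKY_SUFFIXES = (".html", ".htm", ".exe", ".js", ".vbs", ".scr", ".zip")


def check_from_header(from_value):
    """Flag a display name that mentions a brand while the address is elsewhere."""
    display_name, addr = parseaddr(from_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower():
            legit = any(domain == d or domain.endswith("." + d) for d in domains)
            if not legit:
                warnings.append(f"display name mentions '{brand}' but address domain is '{domain}'")
    return warnings


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None


def check_links(html_body):
    """Flag different link labels that all point to the same URL."""
    collector = _LinkCollector()
    collector.feed(html_body)
    by_url = {}
    for text, href in collector.links:
        by_url.setdefault(href, set()).add(text)
    return [f"labels {sorted(labels)} all point to {url}"
            for url, labels in by_url.items() if len(labels) > 1]


def check_attachments(msg):
    """Flag attachments whose file name ends in a risky type."""
    return [f"attachment '{name}' has a risky type"
            for name in ((part.get_filename() or "").lower() for part in msg.iter_attachments())
            if name.endswith(RISKY_SUFFIXES)]


def triage(raw_message):
    """Run all checks over a raw RFC 5322 message and return the warnings."""
    msg = message_from_string(raw_message, policy=policy.default)
    warnings = check_from_header(msg["From"] or "")
    warnings += check_attachments(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        warnings += check_links(body.get_content())
    return warnings


# Constructed sample modelled on the "Amazon Marketplaces" email: no links, an HTML attachment.
def build_amazon_sample():
    msg = EmailMessage()
    msg["From"] = "Amazon Marketplaces <reservations@example-restaurant.test>"
    msg["To"] = "seller@example.test"
    msg["Subject"] = "Your Amazon Seller Fees VAT Invoice"
    msg.set_content("Please find enclosed an electronic tax invoice in HTML format.")
    msg.add_attachment("<html><body>constructed invoice</body></html>",
                       subtype="html", filename="invoice.html")
    return msg.as_string()


# Constructed sample modelled on the "payment in process" email: two labels, one URL.
SNAP_SAMPLE = """\
From: Snap Cash Support <support@example-sender.test>
To: victim@example.test
Subject: $41,361.35 sitting in our payment queue
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>You have a payment in process...</p>
<a href="http://example-pay.test/verify">VERIFY PAYMENT NOW</a>
<a href="http://example-list.test/unsubscribe.php?mid=1">Unsubscribe</a>
<a href="http://example-list.test/unsubscribe.php?mid=1">Report Abuse</a>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("amazon", build_amazon_sample()), ("snap", SNAP_SAMPLE)):
        print(name, "->", triage(raw) or "no warnings")
```

Note that `get_body()` deliberately skips parts marked as attachments, so the HTML “invoice” in the first sample is reported by the attachment check rather than parsed for links; nothing in the script opens or renders the attachment.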


Cell Phone Security

There are numerous ways that bad actors can track your online usage. If you have ever clicked on an ad and then kept seeing the same ads following you around, you have seen a very popular technique. Many people will put it down to simple coincidence, but in reality it is far from that. Sometimes all you have to do is visit a site and they have you.

This is bad enough on your computer at home but it gets even more creepy when they target your phone.

For the most part, legitimate businesses target you and your surfing habits to make sales to you. This is marketing. Unfortunately, people with bad intentions also use these same methods, as do website owners who feel they can scare you into buying something from them. This may take the form of a pop-up window telling you that your device is infected.

Often they will sound a warning siren and even give you a countdown, telling you not to close the window and that you need to click on the button to remove the virus or malware. Don’t fall for it. If you do, you will likely only be installing exactly what you are trying to get rid of. Close the browsers you have open and install a security app.

There is, however, a simple and effective way to protect your phone: install security software or apps. I personally would suggest first checking out what your wireless carrier has to offer. Quite often you can get a security package for free or for a few dollars a month added to your monthly bill.

If your carrier does not offer a security service, then you can check the Google Play Store for a suitable app. You can also try the standard AV/AM providers such as Norton, McAfee, BitDefender or others. Just make sure you do your homework and you will be safer and happier.


You have been hacked phishing scam and extortion email

This email is particularly bad. In its first iterations I believe it was actually copied and pasted text in which the scammer threatened to spread word of questionable behavior on your part. They claim to have your password and email login info, since the email appears to have been sent from your own account. They basically just spoofed your email address to make it look like it was sent from your account. Email spoofing is relatively easy to do, and it happens more often than you think.

In its more recent versions this scam actually has a picture of the email text. They show you their bitcoin account number and tell you that you need to deposit bitcoin crypto currency into that account. They say that it is case sensitive and that, to avoid making a mistake, you should just copy and paste the account number. As soon as you attempt to copy the number, either to send them their ‘ransom’ or to report them to bitcoin, they have you. The picture has embedded code in it that automatically downloads a malicious program to your computer.

There is yet another twist in this scenario. Many of us today constantly use our cell phones to read our emails, and many cell phones automatically begin downloading images, attachments and other media as soon as the email is fetched. So in many cases you don’t have to read, or even open, the email to have your mobile device compromised.

To help protect against this kind of attack, make sure your phone and other devices have the most recent updates for all programs and apps. Also make sure that your anti-malware and anti-virus definitions are up to date.


Phone Phishing Scammers are Getting Better at Their Craft

If you own a mobile phone, which almost EVERYONE does, you have likely noticed a huge increase in the number of spam calls you get. The failed Do Not Call system is considered pretty much a joke by everyone. What you may not know is that the scammers and phone phishers are baiting the hook, and you are the target. You can no longer rely on Caller ID to correctly identify any number that calls your phone. So what do you do? Use your common sense and these tips to avoid falling victim to these attempts to take advantage of you.


1. Legitimate companies will rarely call you and leave their number for you to call back on. This is one of the biggies. Legitimate companies that you do business with will likely just leave a message asking you to get in touch with them as soon as possible regarding your account. They may tell you to call the number on the back of your card or on your invoice or bill.

2. Phone numbers are easily spoofed. If you do answer the call because caller ID displays a number and the name of a company, e.g. (555)555-5555 Wells Fargo, you cannot rely on that information your phone provided. If it is legitimate, the person on the other end should have no problem if you tell them that you will call them back using the number on the back of the card or on the bill.


3. Never confirm information to an incoming caller. They are likely to have some of your information that they found online by scraping social media or other sources. They may even have the last four digits of your Social Security Number or of your credit card. Just because they know some of the right information doesn’t mean they are a legitimate company representative. Once again, they should not have any problem with you calling back. Just ask them for a ticket number so that when you call back you can reference it to the rep you talk to. Also ask them to make a note in your account that you will call back. If it is a legitimate call, they should appreciate your caution.

4. If you are expecting a call back from a company, let them know that you will get back to them immediately, and again request a reference number or ticket number and perhaps their representative number.

5. Don’t fall victim to implied urgency. Often a scammer will threaten to cancel your account or proceed with legal action if you do not comply by answering their inquiries. Again, revert to telling them you will call them back. Ask for their name or rep number. Then call the company back on a number that you already have in your possession.

There are many sad stories of people who have been victimized by phone scams. The scammers are honing their craft every day and targeting unwary people with faked numbers and ID, false urgency and threats.

Don’t become a statistic. Follow the simple steps above and you will be a bit more secure in your dealings with legitimate companies and can avoid costly mistakes.
