How Does Anyone Avoid Remote Social Engineering?

Social engineering is a method of using human interaction to convince people to break their normal security processes. It can utilize the newest technology, but that isn’t necessary in order to reach a goal. It’s been around since the beginning of time in its physical social engineering and even phone scam form. It’s a con-game for cyber thieves. Today, while physical social engineering is still very much alive and well, remote social engineering is gaining steam due to the availability of information that can be found on the Internet.

Roughly 50% of a social engineer’s time is spent doing research on potential victims. They get a significant portion of this information online. LinkedIn, for example is a wealth of information, as people post their professional history and current professional status there. A social engineer will collect data found from various sites, personal and professional, find weaknesses and use those against their targets.

One tactic that is on the rise is business email compromise, or BEC. This scam costs businesses of all sizes over $3.1 billion per year, according to the FBI’s Internet Crime Complaint Center (IC3). Since January of 2015, this type of crime has increased by 1,300%. Yes, that is the correct figure. It has been reported from within all 50 states and from within 100 countries.

This uses remote social engineering, typically phishing email, to convince people in an organization to wire large sums of money to the cyber criminals’ bank accounts or, increasingly, to send human resources information such as W-2s. W-2 fraud has caught out Seagate and Snapchat recently. This type of scam resulted in tax fraud in 2016 to the tune of $21 billion.

Limit the information you post about your company or its business on the Internet. Even if you do use the security tools available on your social media sites, you should consider all information on the Internet available to the general public.

Remember not to get caught up in how you think a cyber thief should look or sound. People who perform remote social engineering are not restricted to the stereotypical hacker sitting in a dark room at a computer. Now nation-state actors, those wanting to gain trade secrets, and even those just wanting a big payday engage in social engineering tactics and strategies. The motivation is varied for whomever is performing the activity. The most obvious is for financial gain.

Most of the time, the signs that a con is occurring are so subtle that the targets don’t know what is happening. Exploiting the human desire to be helpful by gaining trust on a personal level is how the game is played. Always be aware of who is asking for information and when it’s sensitive and some type of cost is associated. If there is any suspicion at all, just say “No.”

© Copyright 2017 Stickley on Security

FBI Issues Revised PSA Warning of BEC Scams

The FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement (I-050417-PSA) recently updating previous warnings about the continued increase in business email compromise (BEC). This is a sophisticated scam that relies upon the victim being tricked into performing a fraudulent wire transfer or giving up other sensitive information such as W-2 details. While the crime can be carried out upon any type of organization, the IC3 particularly warns those who work with foreign suppliers or who regularly perform wire transfers.

In these types of scams, victims are convinced to give up information via E-mail Account Compromise (EAC). The scammers target particular persons who have authority to perform wire transfers. They then send email requesting the action. Often, they will impersonate a manager or someone with significant authority within the organization, such as the CFO.

Any time a request like this is made, it is critical to verify it before taking any action. According to the IC3’s updated statistics, there have been over 40,000 BEC/EAC crimes costing over $5.3 billion between October 2013 and December 2016. In the last half of 2016 alone, these scams cost U.S. individuals over $346 million.

These scams can be avoided by taking just a few steps:

-Always have another person verify any wire transfers.

-Confirm with the requestor that he or she did indeed ask for it. Do this by placing a phone call, walking to his or her desk, or sending a new email message.

-Trust your instincts if a request seems strange. The boss would prefer to be questioned before you send off a fraudulent wire transfer.

Use caution about what information you provide on social media and business networking websites such as LinkedIn or Xing. Often, this is exactly how the scammers find out whom to target. If you work in the accounting department, perhaps reconsider putting your title on your profile. Instead, list broad descriptions of your job duties.

According to this recent PSA, the IC3 saw a “50% increase in the number of complaints in 2016 filed by businesses working with dedicated international suppliers.” It also saw a 480% increase in complaints regarding real estate transactions.

© Copyright 2017 Stickley on Security

Are You Eligible for Student Loan Consolidation?

Debtor’s prison was abolished a long time ago, but student loans can feel like a ball and chain for college graduates, burdening them with high monthly payments for years on end. Here’s some good news: the government has authorized changes in federal policy to make federal student loans easier to repay.

If you qualify, you might be able to get an interest rate reduction if you consolidate your loans, and under certain conditions, you might be able to reduce your monthly payments. There are three major elements to the new federal plan: loan consolidation, income-based repayment and consumer protection.

Loan consolidation
Many student loan borrowers have more than one type of loan. This means you have to make more than one payment every month, which is a hassle. The government has proposed a loan consolidation program to encourage people to combine certain types of student loans, which spares you and the government the hassle of multiple payments, and also makes you eligible for a 0.25 percent interest rate reduction on consolidated loans.

Who can consolidate under this program?
The consolidation is being suggested for people who have at least one Federal Family Education Loan and one Federal Direct Loan Program loan. The former loans, FFELs, aren’t being made any more. However, some continue to pay off the FFELs that they received before the program ended.

What are the benefits?
If you qualify, you can consolidate your FFEL loan or loans and your Federal Direct Loan Program loan or loans into a Special Direct Consolidation Loan. If you do so, you will have only one loan to repay. You will be eligible for a 0.25 percent interest rate reduction on the FFEL loans you consolidate. Plus, if you repay the loan through the Education Department’s automatic debit system, you’ll get an additional 0.25 percent off the entire consolidated loan balance.

Do I qualify?
To find out whether you qualify for this program, go to the National Student Loan Data System to look up your loans.

Income-based Repayment
Do I qualify for income-based repayment?
Right off the bat, it’s important to ask this question, because this proposal only applies to borrowers who took out their first loans in 2008 or later. You do not qualify if you took out your loans in 2007 or earlier, if you graduated in 2011 or earlier, or if you are already in repayment on your loan.

Yes, I qualify. How does it work?
The proposal speeds up changes that were already in the works for Income-Based Repayment, a plan that has been around since 2007. These changes will cap monthly payments at 10 percent of your discretionary income and will forgive the balance of the debt after 20 years of payments that started in 2014.

Consumer Protection
As you wade through the morass of student loans, two government websites have been launched to help you find your way. The first is Know Before You Owe which can help you compare the costs of different college options. The second, the Student Debt Repayment Assistant, helps people deal with their student loans. The sites were created by the Consumer Financial Protection Bureau and the Department of Education.

BALANCE
Revised January 2016.

Prepare Your Kids for the Real World by Turning Monthly Bills into Lessons

When you’re a kid, a few dollars can seem like all the money in the world. It can take weeks, sometimes months, to save up your allowance. When you finally decide to spend it, you might realize that $10 or $20 isn’t as much as it seems.

As a parent, you can help your children build important money management skills by providing experiences for them at a young age. Leading by example is a good way to start, and it can help instill good values and money habits. However, you’ll also want your children to get their hands dirty.

Open up your books. The value of money is a lesson you learn over time. For young children, games, such as Peter Pig’s Money Counter, or activities that help them identify coins and bills could be a good place to start. Older children may be ready to see how much things really cost. Going over bank or credit card statements, you could explain why you made each purchase and look for savings opportunities.

You can also turn a monthly bill into a teaching moment. Children might not realize how leaving the lights, heat or AC on can affect your monthly bills. You can sit down together and compare each month’s bill to the bill from the previous year. The practice of reviewing and comparing bills can help children understand that their actions have financial consequences.

They’ll also start to learn how much it costs to keep your home comfortable. That’s a valuable lesson, one I didn’t truly learn until I had my first apartment. You could take a similar approach to the groceries or other monthly expenses.

Help your children earn an income. Knowing the numbers is only part of the picture. It’ll be difficult for children to practice managing money if they don’t have any money to manage. But how, when and why children should receive an allowance is a debate for many parents.

Whether you pay a chore-based allowance or offer payment based on extra work, you could use a personal finance app that lets children see how much they’ll earn for each task. There are a variety of apps designed for different age groups, and some let kids create virtual accounts where they can track their earnings, spending and progress towards financial goals.

You can also help children find ways to earn money from outside the family. Organizing a yard sale could be a chance for them to help you clean out the home, practice bargaining and learn valuable lessons in entrepreneurship. Even a lemonade stand or bake sale requires that they buy supplies, work to earn money and put aside some of their earnings to pay for more supplies later.

Make your kids responsible for their bills. With a steady income comes increased responsibility. Make teenagers the boss of a bill, with real consequences for late payments.

The mobile phone or internet bill could be a good place to start. Figure out an appropriate portion for them to take on and require them to pay you each month. If they’re late, they lose internet access or their phone until they can pay their balance. When they don’t have enough saved to pay the bill, offer work opportunities for them to make money.

Once they take responsibility for their first monthly bill, you can also share how you manage the household’s finances. Show them what it’s like to keep multiple bills organized each month, make payments by writing checks or setting up auto-pay. Then explain how late payments can lead to fees, affect your credit and (just like with their phone) get services shut off.

Bottom line: Understanding how much it costs to manage a home and the importance of paying your bills on time can help you avoid costly mistakes. Some people learn these lessons once they’re at college or living on their own, but you can help give your kids a leg up by taking a proactive approach to their financial education.

by Nathaniel Sillin

Facebook and Google Scammed Out of Millions – Stark Reminder That Anyone Can Be a Victim

There is another reminder that businesses, regardless of size, should continue to be vigilant with cybersecurity training and awareness programs. Two large and well-known organizations were targeted in a business email compromise (BEC) scam that resulted in significant financial losses to them. While it isn’t the first time BEC has been seen in the news, the amount of money involved and the companies targeted may be surprising.

In March, the U.S. Department of Justice (DOJ) said that someone from overseas created a company impersonating an “Asian-based manufacturer of computer hardware” that just happened to have dealings with Google and Facebook. The Taiwanese computer company, Quanta Computer (Quanta) was identified as the impersonated computer manufacturer.

It was an elaborate and very well planned phishing scam indeed. The suspect, Evaldas Rimasauskas, registered and incorporated a company in Latvia using the Quanta name. He then opened and managed bank accounts in Latvia and Cyprus. He constructed email messages pretending to be the vendor and sent them to targeted employees at Google and Facebook. The result was the theft of over $100 million from the two companies, which those employees authorized to be wired to Rimasauskas’ overseas bank accounts.

It is easy to get in a rush and just quickly respond to email messages. Most employees receive anywhere from 50 to 300 email messages on any given day, so it is understandable that mistakes are made. However, when it comes to those who have authority to set up or wire money to and from the company’s financial accounts, it is crucial to confirm any requests for these actions.

Organizations also should have clear processes in place for wire transfers.

These should include:

-A requirement for any transfers to be confirmed by multiple people
-A confirmation step with the vendor or third party contact by telephone or in some other manner besides replying to any messages
-Thorough validation that the sender’s email address is legitimate
-Procedures for what to do should there be a mistake
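As an added example (not code from the original article or from the IC3), the script below applies the third item in the list above, validating the sender’s email address, to a constructed wire-transfer request. It parses the message headers with Python’s standard `email` module and reports three conditions that should stop a transfer until the request is confirmed with the vendor by telephone: a Reply-To or Return-Path domain that differs from the From domain, a From domain that is not on the accounts-payable vendor list, and a From domain that imitates an approved vendor domain (one or two characters off, or the same name under a different TLD). The vendor list, the domains and the sample message are all constructed for illustration.

```python
"""Sender-address checks for a wire-transfer request email.

Added example, not from Stickley on Security or the IC3. The approved
vendor domains and the sample message below are constructed values.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list of vendor domains accounts payable already deals with.
APPROVED_VENDOR_DOMAINS = {"quanta-example.com", "supplier-example.net"}


def domain_of(header_value: Optional[str]) -> str:
    """Return the lower-cased domain of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, approved: set) -> Optional[str]:
    """Return the approved domain this one imitates, or None.

    Two checks: a small edit distance (quanta-examp1e.com) or the same
    name under a different TLD (quanta-example.co).
    """
    if domain in approved:
        return None
    name = domain.rsplit(".", 1)[0]
    for good in approved:
        if edit_distance(domain, good) <= 2 or name == good.rsplit(".", 1)[0]:
            return good
    return None


def check_sender(raw_message: str, approved=APPROVED_VENDOR_DOMAINS) -> list:
    """Return a list of findings; an empty list means the address checks passed."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    findings = []

    # Replies or bounces routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")

    # Visible sender is not a vendor we already pay, or imitates one.
    if from_domain not in approved:
        imitated = lookalike_of(from_domain, approved)
        if imitated:
            findings.append(f"From domain {from_domain} looks like approved vendor {imitated}")
        else:
            findings.append(f"From domain {from_domain} is not an approved vendor domain")
    return findings


# Constructed sample: the display name looks like the real vendor, the From
# domain is one character off, and replies are routed to a third domain.
SAMPLE_REQUEST = """\
Return-Path: <billing@mail-relay-example.org>
From: "Quanta Accounts" <ar@quanta-examp1e.com>
Reply-To: <ar.quanta@webmail-example.com>
To: ap@victim-example.com
Subject: Updated wire instructions for this month's invoice

Please use the new account details for this month's payment.
"""

if __name__ == "__main__":
    for finding in check_sender(SAMPLE_REQUEST) or ["no address anomalies found"]:
        print(finding)
```

A non-empty result is a reason to pick up the phone, not proof of fraud: a legitimate vendor can use a third-party mailing service, so the check complements the human confirmation step rather than replacing it.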

You might be asking how Rimasauskas knew which employees to target. Consider the amount and type of information that people publish on their social networking and business networking sites. LinkedIn has most, if not all, of the information someone attempting a scam such as this one needs. So consider preparing guidelines for employees so that they don’t give away so much information.

In a press release regarding this case, acting U.S. Attorney John H. Kim said, “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”

© Copyright 2017 Stickley on Security

Google Warns of Wide-Spread Phishing Scam That Can Steal Your Account Info

If you get a request to view or edit a Google Docs file, consider carefully whether you really want to before clicking any links. Google is reporting an ongoing wide-spread phishing scam that will not only give cybercriminals your Google login information, but will also spam your contacts and give the criminals access to your email.

If you have already clicked something, there is some recourse. First, change your Google password and enable multifactor authentication (MFA) if you haven’t already done so. Then, go into the Connected Apps and Sites section and revoke the unfamiliar app’s edit access to Google Docs.

The link in the phishing email takes users to a login screen that looks very realistic. However, it grants access to a malicious third-party web app that is named “Google Docs.” That is where access to your account is given to the cybercriminals.

The difference between this phishing scam and others is that it takes advantage of the ability to create non-Google web apps with bogus names.

Google has disabled the offending accounts, according to a statement. In an update it said that it had disabled the application as well, but it still advises users not to click on such links for the time being. Investigations are ongoing in an attempt to get to the bottom of it.

© Copyright 2017 Stickley on Security