New Word Doc Scam Worms Its Way Into Your World

How often do we all get Microsoft Word docs attached to work and personal emails? The answer seems to be “too often,” and scammers have latched onto that answer and are not letting go. Ever sneakier, cyber crooks keep worming their way into our everyday world, especially by finding new ways to exploit our trust and our lax security habits. User beware: this latest scheme targets those everyday Word docs.

It’s a slick trick, even for the tech-savvy among us. It looks legit, sounds legit, and is anything but legit.

The trick abuses Dynamic Data Exchange (DDE), a decades-old Microsoft Office feature that lets a document pull live data from another application, and cyber creeps know how to take advantage of it. Earlier bogus Word docs relied on macros, which Office keeps disabled until the reader clicks “Enable Content.” A DDE document needs no macros: it still has to be opened, but a couple of ordinary-looking Word prompts are all it takes to run the attacker’s command, and that has opened new doors for cyber thieves.

You now need to beware of attached documents that pop up a prompt asking for a “Yes” or “OK” confirmation; agreeing is what downloads the real payload, which can be malware, ransomware, or countless other maladies. Do not click “Yes” on any such confirmation. The best thing is to close the document and delete the email immediately. If you’re already sucked in, you will most likely see further prompts requiring “Yes” or “No” clicks, including one asking whether Word may start another application such as cmd.exe. Answer “No” to each of them, get out as soon as you can, and run your security software.

You’ll do yourself a solid favor by remembering these security steps and by spreading the word.

-Perhaps the best advice is this: a legitimate Word doc almost never needs to start another program. If Word asks whether to update links to other files or to start an application, treat that as the warning sign and answer “No.”

-Never open anything from a sender you don’t know or if the attachment isn’t expected.

-Always use strong passwords and two-factor authentication whenever it’s available.

-Use strong security software from a trusted and legitimate source. It’s not the time to be cheap or download from untrusted sources.
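An administrator who wants to catch these documents before anyone opens them can look for the DDE field codes inside the .docx itself. The following Python scanner is an added example, not code from the original article: it reads every XML part under word/ in the .docx zip container and reassembles each field code, because attackers split the DDEAUTO keyword across several runs to hide it from simple string searches. The sample document it builds is constructed test data, not a real malicious sample, and the function names are this example’s own.

```python
"""Flag Dynamic Data Exchange (DDE) field codes hidden in a .docx (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# DDE and DDEAUTO are the field keywords that make Word ask to start another program.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml):
    """Return every field code in one WordprocessingML part.

    Simple fields keep the code in a w:instr attribute.  Complex fields spread it
    over w:instrText runs between w:fldChar begin/end markers, and attackers split
    the keyword across runs ("DD" + "EAUTO") to defeat naive matching, so the runs
    are joined per field.  A stack handles fields nested inside other fields.
    """
    root = ET.fromstring(part_xml)
    codes = [el.get(W + "instr", "") for el in root.iter(W + "fldSimple")]
    stack = []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    return codes


def find_dde(docx_bytes):
    """Return (part name, normalised field code) for each DDE field in the document.

    Every XML part under word/ is checked because a field can also live in a
    header, footer or footnote part, not only in word/document.xml.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = field_codes(z.read(name))
            except ET.ParseError:
                continue
            for code in codes:
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def build_sample_docx(instr_runs):
    """Build a minimal .docx holding one complex field whose code is split over the
    given runs.  Constructed test data only; it is not a real malicious sample."""
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % r
        for r in instr_runs
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p>"
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>' + runs +
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>field result shown to the reader</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: the keyword split across two runs, and an ordinary page field.
SAMPLE_DDE_RUNS = ["DD", 'EAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"']
SAMPLE_BENIGN_RUNS = [" PAGE "]

if __name__ == "__main__":
    for label, runs in (("dde", SAMPLE_DDE_RUNS), ("benign", SAMPLE_BENIGN_RUNS)):
        print(label, find_dde(build_sample_docx(runs)))
```

Run it on a quarantined attachment by passing the file’s bytes to find_dde; any hit means the document will ask Word to start another program and should not be opened. Note that this only inspects the Office Open XML format (.docx); an older binary .doc needs a different parser.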

© Copyright 2017 Stickley on Security

AppleInc Text Scam Steals Your Credentials

It may be easy to dismiss this warning as a repeat of a recent story, and that is understandable, as you will see. But don’t, because it is not a duplicate. Yet another Apple phishing scam is making the rounds. This one arrives as a text message that looks like it’s from “AppleInc” and warns that your Apple ID is about to expire. Don’t be alarmed; it isn’t. The scammers are simply trying to trick you out of your highly coveted Apple credentials… again.

Inside the text or SMS message is a link that includes a name of something like “appleexpired,” “applelogin,” or maybe even “icloudbobile.” If it’s clicked, you’ll be asked for your login details and then a “server not found” error of some type will appear.

If you want to feel more comfortable about links you receive in texts and email messages, it helps to understand what a domain is. At a basic level, the domain is the part of a web address just before the “.com,” “.org,” “.gov,” etc., together with that ending, or, for domains registered in other countries, the “.co.uk,” “.ca,” “.jp,” etc. So for Apple, the domain is “apple.com.” It doesn’t really matter what comes before it, because “apple.com” is the registered domain Apple controls and every other page of its site hangs off it. Read the address from the right-hand end of the host name backwards, stopping at the first “/”: the last two pieces (three for endings like “co.uk”) are the domain that matters. A link such as apple.applexpired.com, which is what the hackers are using in this case, therefore belongs to “applexpired.com,” not to Apple, and is likely not what you are looking for.
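The “read the host name from the right” rule above is easy to get wrong by eye, so here is an added example (not part of the original article) that applies it in Python. It extracts the registered domain from a link, treating anything before an “@” as user info rather than the host and a bare IP address as having no domain at all, and compares it with the domain you expect. The short list of two-label country endings and the sample links are constructed for this example; a production check should use the full Public Suffix List.

```python
"""Tell which site a link in a text message really leads to (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed, deliberately short list of two-label public suffixes.  A production
# check should load the full Public Suffix List (publicsuffix.org) instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "co.jp", "com.au", "co.nz"}


def registrable_domain(link):
    """Return the registered domain a link points at, e.g. "apple.com", or None.

    The domain is read from the right-hand end of the host name, never the left,
    so "apple.applexpired.com" gives "applexpired.com" and "apple.com.evil.net"
    gives "evil.net".  Text before an "@" is user info, not the host, and a bare
    IP address has no domain at all.
    """
    if "://" not in link:
        link = "http://" + link          # bare "apple.com/..." links from SMS
    host = (urlsplit(link).hostname or "").rstrip(".").lower()
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None                      # numeric address: nobody's domain
    except ValueError:
        pass
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    if len(labels) < keep:
        return None
    return ".".join(labels[-keep:])


def belongs_to(link, expected_domain):
    """True only if the link's registered domain is exactly the expected one.

    Exact comparison also rejects look-alike hosts encoded as punycode ("xn--...").
    """
    return registrable_domain(link) == expected_domain.lower()


def triage(links, expected_domain):
    """Return [(link, registered domain, ok)] for a batch of links from a message."""
    return [(l, registrable_domain(l), belongs_to(l, expected_domain)) for l in links]


# Constructed examples, modelled on the "apple.applexpired.com" style used in the scam.
SAMPLE_LINKS = [
    "https://appleid.apple.com/account/manage",
    "https://apple.applexpired.com/verify",
    "https://www.apple.com.icloudlogin.co.uk/",
    "http://apple.com@198.51.100.7/login",
    "apple.com.signin-verify.net/expired",
]

if __name__ == "__main__":
    for link, domain, ok in triage(SAMPLE_LINKS, "apple.com"):
        print("OK  " if ok else "SCAM", domain, link)
```

Only the first sample link is Apple’s; the others put “apple.com” somewhere on the left to look familiar while the registered domain, read from the right, is someone else’s.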

Whenever you are asked to verify your account, change details in your accounts, or want to check on a disturbing text you received, go directly into your account and check that way, rather than clicking links. This will ensure you are going to the correct location.

Bookmark the websites you visit frequently, such as your financial institutions, your utility companies, your healthcare sites, your child’s school, etc. to avoid mistyping a name under duress. Typosquatting, or domain jacking, is a strategy hackers use to steal information as well. They will buy domain names that were legitimate and have expired or been abandoned or that are very close to well-known ones hoping you will mistype the name in the browser.

If you received this phishing attempt and fell for it, change your Apple ID password immediately. Then change the password on any other site where you use the same one, and while you’re at it, give every site a unique password so hackers can’t succeed with the password-reuse strategy.

Fortunately, some companies are taking measures against these scams. Google, for example, collects reported phishing domains in its Safe Browsing list, and Chrome shows a warning before loading one of them. However, plenty of malicious sites have not been reported yet, so always be on the lookout.

Payment Processing Company Recently Acquired By PayPal Confirms Breach

Earlier in the summer, the payment service provider PayPal purchased a payment processing company called TIO. This week, it was announced that TIO suffered a data breach of its systems resulting in unauthorized access to a large number of accounts. That’s the bad news. There is some positive news, however: PayPal’s own systems were not connected to TIO’s and therefore were not affected.

PayPal had suspended TIO’s operations while it looked into the possibility of a data breach. Unfortunately, the breach was real, and 1.6 million accounts were affected.

Those with TIO accounts should be on the lookout for targeted phishing email messages. Be particularly suspicious of any of them that ask you to update your account data, particularly login and password information or payment card details. Don’t click on links in such messages. Go directly to your account and modify anything necessary there.

TIO is notifying affected customers and offering free credit monitoring services. If you are one of these customers, take advantage of this service, if you don’t have an active one already. If you do, pay attention to the expiration date of that one and try to stack them so you are consistently covered.

Remember that if you have applied a credit freeze to your reports, a credit monitoring service will not be of value. That is because they must acquire your credit report to monitor it. Don’t unfreeze credit just for this. However, if you haven’t frozen your reports and would like to, activate the credit monitoring service first, then freeze them.

Freezing your credit reports prevents anyone, including you, from opening new credit in your name until you lift the freeze, so take note of that before doing so. Also, some states allow the bureaus to charge for the initial freeze and for each unfreeze and refreeze. If you are actively seeking credit, this may not be the option for you.

PayPal is taking additional actions to secure the TIO systems. For more information and updates, check out the TIO website.

Charitable Scams Pop Up For the Holidays

The holidays are a time for cheer and a time for giving, and bring out human empathy and the desire to help those less fortunate. Cybercriminals are not new to this concept and often take advantage of people’s sense of caring. They seem to lack this empathetic trait and will do whatever it takes to prey on the giving spirit of humans around the holiday.

If you want to donate money to charitable causes, follow a few guidelines to keep your information safe and to make sure your donation goes to the right place.

– Take some time to research the charity first. Make sure it is reputable and legitimate.

– Don’t give cash to people that show up at your door asking for funds for their charity. Get some literature or contact information from them and research the organization. If you feel good about it, you can donate online or use their contact information to get back in touch.

– If someone shows up at your door claiming to represent a charity, call the organization and ask if the solicitor is authorized to ask for donations on its behalf.

– If you get an unsolicited phone call or email message, don’t provide any information to someone who contacts you out of the blue. Look up the charity’s phone number on its own website and call it back. Don’t use email addresses or phone numbers given to you by an unsolicited caller.

– Preferably, don’t give cash donations. Keep records of any donations made in case you need to report a scam.

– Don’t wire money or provide funds in the form of gift cards or pre-paid cards. Actual charities will not ask for these.

Look on websites that provide information on various charities, complaints about them, and how they use charitable contributions before giving.

The FTC provides some tips on how to identify charity scams:

– It refuses to provide detailed information about identity, mission, costs, and/or how the donation will be used.

– It refuses to provide proof that the contribution is tax deductible.

– It uses a name that is very similar to that of a better-known and reputable organization.

– It thanks you for a pledge you don’t remember making or know you didn’t make and subsequently uses that to try to convince you to “give again.”

– It uses high-pressure tactics such as asking for your donation immediately, without giving you any time to think about it or do your own research.

– It offers to send someone immediately to collect your donation.

– It guarantees you will win a sweepstakes in exchange for a contribution. You never have to make any type of donation to be eligible to win a sweepstakes. That’s the law.

If you have been or suspect you may have been the victim of a charity scam, contact the FTC and report it. Information can be found on the FTC Complaint Assistant page of the FTC’s website. And remember that charities and non-profit organizations will gladly accept your donations year-round. So, there is no need to feel rushed with respect to what organization you should give.

Don’t Trust Your Trusted Facebook Friends


When one of the world’s largest social media sites offers a supposedly foolproof way for account holders to regain access when they have forgotten a password or security question and can’t get into their registered email account, what could possibly go wrong?

Rest assured, the Kings of Spam-a-lot reign supreme. They have wormed their way into this “foolproof” way to safely regain access to your Facebook account, or even to help a friend with theirs. Facebook developed the “Trusted Contacts” option to help locked-out users. What was once a happy idea has been twisted against Facebook users.

According to ACCESSNOW, this is how the Facebook phishing scam plays out:

– You get a message from an attacker on Facebook Messenger, who is using the compromised account of someone on your Friends list.

– The attacker asks for your help recovering his account, explaining that you are listed as one of his Trusted Contacts on Facebook, and tells you that you will receive a code for recovering his account.

– Then the attacker triggers the “I forgot my password” feature for your Facebook account and requests a recovery code.

– In an effort to help, you send the code you’ve just received to your “friend.”

– Using the code, the attacker can now steal your account from you, and use it to victimize other people.

Now that we know how it works against us, how do we protect ourselves?

– If you receive a message from a friend on Facebook Messenger asking for a code to get back into her account, don’t assume it’s legitimate. A recovery code that arrives on your phone or in your email is for your own account, so there is never a reason to send it to anyone. A simple phone call to your friend will confirm or deny the request.

– Take the time to verify the sender: hover over links to see where they really lead, make sure spellings are correct, and never act immediately without thinking and thoroughly vetting the source.

– If you’re suspicious your Facebook account has been hit, go directly to facebook.com/hacked, then click “My Account Is Compromised.” Follow the indicated steps to find your answer.

Also use Facebook’s Security Checkup tool, which helps fortify your account security settings.

The Top Three Things Most People Don’t Know About Personal Finance

Do you feel financially secure?

According to a recent survey, 47 percent of Americans are confident about their financial health. However, when pressed with a financial quiz, only six percent of respondents passed.

If that number leaves you wanting to brush up on your financial concepts, start with the three facts that people got wrong most often.

1. The typical married couple will spend $265K on health costs in retirement

Does this number sound high to you? You’re not alone. Most of the participants in the quiz dramatically underestimated how much retired couples need to afford medical costs (and this is with Medicare coverage and supplemental insurance).

Remember, it’s never too late to start a retirement savings account. If you delayed saving for your post-career life, you can still catch up by contributing a larger sum every month.

2. The typical 65-year-old woman will live another 23 years (another 20 years for a man)

According to the Social Security Administration, men and women are expected to live well into their 80s. While contemplating your life span isn’t the most fun way to spend an afternoon, it can be helpful when planning your retirement savings. Make sure that you account for 20 years of expenses once you begin your life’s third act.

3. The annual rate of inflation for college tuition is eight percent

College isn’t getting any cheaper. In fact, at eight percent inflation, tuition for higher education doubles every nine years. Let this be a wake-up call if you or your kids plan on attending college in the future—you’ll most likely need to apply for a student loan.