We Are Still Not Great at Spotting Phishing Emails

The United States reports more phishing scams than any other country. Software as a Service (SaaS) company Diligent Corporation wrote that 156 million phishing email messages are sent out each day, with 16 million of them making it past spam and phishing filtering tools. In 2016, approximately 225,000 of these were sent out each month. To determine just how good we are at identifying these, Diligent surveyed over 2,000 people between the ages of 18 and 75. The bottom line: we are very poor at distinguishing real messages from fake ones.

Two dozen email messages were sent to survey respondents. The goal was to find out how successful they were at identifying email messages designed to scam them. The following percentages show how often respondents were tricked, based on various details in the message:

– 68.3% if the message appeared to come from a co-worker asking to schedule a meeting.
– 60.8% from a social media site.
– 37.6% from the file-sharing site Dropbox stating a file is being shared with the recipient.
– 26.7% from a software company requesting that an update to an account be made.
– 23.9% from a social media company asking for login details to be changed.
– 22.1% involved a court notice of some type.
– 16.6% were supposedly from banks requesting information in order to restore account access.
– 14.7% appeared to be from the IRS advising the recipients of a tax refund.

As can be seen here, it is not so easy to spot the scams. There are warning signs that, while certainly not guaranteed giveaways, can give us a few clues:

– Spelling and grammatical errors
– Generic greetings, such as “Dear User”
– The sender is not familiar or the information inside the message doesn’t make a lot of sense
– Requests that make something seem very urgent or that are threatening, such as “if you don’t send money now, your account will be locked”
– Requests for personal or sensitive information
– Something that is too good to be true
– The web address or URL is odd or suspicious
– Requests for money, especially in the form of gift cards or wire transfers
– The details of the message are vague and require the recipient to click on a link or download a file in order to get the missing details

A good rule of thumb for deciding whether to click a link, open an attachment, or send personal details in response to an email is to use common sense. If it is sent from an unfamiliar sender, includes vague details, is unexpected, or just seems suspicious, trust that instinct and put the message in the trash. To verify or change any account details, go directly to the website and log in there.
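A small checker for several of the warning signs in the list above, run over a constructed sample message. This is an added example, not code from the original article; the sample message, the keyword patterns and the indicator names are my own assumptions, and a real mail filter would combine far more signals.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email); it packs several
# of the warning signs listed above into one place.
SAMPLE_EML = """\
From: "Bank Security Team" <alerts@bank-secure-login.example>
To: user@example.com
Subject: URGENT: Your account will be locked
Content-Type: text/html

<html><body>
<p>Dear User,</p>
<p>We detected unusual activity. If you don't verify now, your account will be locked.</p>
<p><a href="http://198.51.100.7/login">https://www.examplebank.com/login</a></p>
<p>Reply with your password and a gift card code to restore access.</p>
</body></html>
"""

# Keyword patterns chosen to mirror the warning-sign list (assumed, not exhaustive).
GENERIC_GREETING = re.compile(r"\bdear (user|customer|member|account holder)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|will be (locked|suspended|closed))\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|ssn|pin|date of birth)\b", re.I)
PAYMENT = re.compile(r"\b(gift card|wire transfer|bitcoin|western union)\b", re.I)
TOO_GOOD = re.compile(r"\b(you'?re a winner|you have won|lottery|prize|tax refund)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def host_of(text):
    """Lowercased hostname of a URL, or of link text that looks like a URL."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def phishing_indicators(raw):
    """Return the warning signs found in one raw RFC 5322 message, as strings."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    subject = str(msg["Subject"] or "")
    found = []
    if GENERIC_GREETING.search(body):
        found.append("generic greeting")
    if URGENCY.search(subject) or URGENCY.search(body):
        found.append("urgent or threatening language")
    if SENSITIVE.search(body):
        found.append("asks for sensitive information")
    if PAYMENT.search(body):
        found.append("asks for gift cards, wire transfer or cryptocurrency")
    if TOO_GOOD.search(subject) or TOO_GOOD.search(body):
        found.append("too good to be true")
    for href, text in LINK.findall(body):
        # The visible link text names one site while the href goes elsewhere,
        # or the href points at a bare IP address instead of a domain name.
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        real = host_of(href)
        if shown and shown != real:
            found.append(f"link text shows {shown} but points to {real}")
        if IPV4.fullmatch(real):
            found.append(f"link goes to bare IP address {real}")
    return found
```

Calling `phishing_indicators(SAMPLE_EML)` returns six indicators for the sample, while an ordinary plain-text note from a colleague returns an empty list.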

Interestingly, the lowest success rate was for the email messages that claimed “you’re a winner.” Those duped fewer than 3%. The age group that was best at spotting the fakes was 45 to 54. The worst was the over-65 group, followed closely by those between 18 and 24.

© Copyright 2017 Stickley on Security

Chinese Adware Annoys and Can Take Over Your Computer

We haven’t heard too much about annoying popup ads or malicious adware lately, but there is a story this week to whet our appetites. Researchers at Check Point have found a neat little program that not only pops ads up all over your screen, but also has the potential to be far more dangerous. So far, Check Point estimates that over 250 million computers have been infected with a malicious adware they are calling Fireball. Researchers tracked it back to a company in Beijing.

This neat little morsel will not only hijack your browser and change your search engine, but will also track your browsing and send the results to a digital marketing firm called Rafotech. Admittedly, it may not necessarily have been initially designed to be malicious, but the researchers discovered that it also installs a backdoor into all of the machines it infects that can potentially be used by whoever is behind it to run remote code, download other malicious files, steal information from the device, or make the device part of a botnet.

Adware alone isn’t necessarily malicious, even if it is really bothersome. However, it can often be used for ill intent. Earlier this year, Google Chrome was used as part of a click fraud scheme, and at the end of 2016 it was discovered that malware-as-a-service had been created and is being sold as a package that provides a quick turn-key solution for anyone wanting to get into that business. While adware is often used to market products and services en masse, it is also often used for exactly what Fireball has the potential to do.

Always have antimalware and antivirus solutions installed on all devices. It should just be automatic to do this whenever a new computer or mobile device is purchased or acquired. Keep it updated at all times and to make it easier on yourself, enable the automatic update features. If you have downloaded this or another “potentially unwanted product” (PUP), use that antivirus product to get rid of it.

Be careful when downloading free products too. Check Point believes that this PUP was bundled with products called Soso Desktop or FVP Imageviewer, among others. These products aren’t particularly popular in the United States, but are well known in other countries, and it is likely that this same product is bundled with some type of freebie that is known in the U.S. and other countries. If there is an option to download add-on products included in software you are installing, make sure it’s unchecked to avoid things like downloading unwanted search engines.

Check Point estimates that one in five corporate networks around the world has at least one Fireball infection. The number of anticipated infections in the U.S. is minuscule (5.5 million), relatively speaking. The bulk of them are in India and Brazil, which likely have 25 million infections each.

It’s not clear whether those behind Fireball are monetizing it, possibly by getting paid for clickthroughs or whenever someone visits its customers’ sites. But that’s just a side note as to what this malware is about. The search engine uses results from Yahoo and Google, which could somehow contribute to that goal, but it can’t be verified at the moment.

© Copyright 2017 Stickley on Security

Talking to Aging Parents About Their Finances

Do you know if your parents have a will? If anyone is trying to sell them an annuity? If they are paying all of their bills? If you answered no to these questions, it may be time to have a conversation with them. You may be groaning right now—who enjoys talking about money?—but doing this can help ensure your parents’ well-being.


Many of us struggle to meet our monthly obligations, especially seniors, who often face diminished retirement savings and high medical costs. Ask your parents if they have been unable to pay any bills or cover essential expenses, like medicine or food. If so, help them explore ways they can revise their spending plan. Are there any expenses that can be cut or reduced, like cable or dining out? Is there any way to increase their income, such as through a part-time job or reverse mortgage?

Encourage your parents to contact the creditors/service providers for any bill they are struggling to pay. (If preferred, you may be able to talk to them yourself with your parents’ permission.) Many creditors offer hardship programs, short-term arrangements that allow you to make smaller payments. Utility companies frequently have payment assistance programs for limited-income customers.

For aging parents suffering from memory problems, bills may go unpaid simply because they forget. Handling the bill payments yourself is one possibility, but if you do not have the time, you may find it helpful to use the services of a Daily Money Manager (DMM). DMMs assist with financial tasks, such as opening and paying bills, balancing checkbooks, and organizing and filling out paperwork. Professional DMMs charge a fee for their services, but low-income seniors may be eligible for free assistance through a volunteer program. (You can contact your local Area Agency on Aging for more information.) Of course, since there is the potential for abuse, you should choose a DMM carefully and periodically check up on his or her work.

Long-Term Care Costs

Some time in the future, your parents will likely reach the point where they are no longer able to live on their own without help. Unless you or a relative plans to care for them, they will have to pay for nursing home, assisted-living, or in-home care. It is not unusual for long-term care costs to exceed $50,000 a year, and Medicare and Medicaid only cover them in limited circumstances.

If your parents do not already have a plan for financing their long-term care, help them create one. Putting aside a set sum each month can help your parents amass a good chunk of change, but if they do not already have a significant amount of savings, it may be difficult to save enough now to completely cover their costs. Besides saving, another option is to purchase long-term care insurance. Many policies cover both nursing home and in-home care costs. The best time to purchase this insurance is when you are in your 50s or 60s. Since there are many different provisions to consider, you and your parents may want to talk with a qualified insurance adviser about what would best meet their needs. Long-term care insurance is expensive, so it can be tempting to go with whoever offers the cheapest policy, but avoid purchasing one from a company with questionable financial health.


Unfortunately, there are many people out there looking to take advantage of others, and seniors are popular targets. If someone is trying to sell your parents an annuity, timeshare, or other investment opportunity, review it in detail to see if it would make sense financially (it probably won’t). Explain to your parents why you think it is not a good investment. If they are getting calls from telemarketers, sign them up on the National Do Not Call Registry (www.donotcall.gov or 888-382-1222). Discuss common scams, such as the promise of lottery winnings if you send a check for taxes, and encourage them to talk to you before sending money to someone.

Estate Planning

The majority of Americans don’t have a will. No one wants to think about death, but having a will ensures your property goes to the people you want it to go to and reduces the likelihood of conflict breaking out between surviving relatives. If you are not sure if your parents have one, ask. Those with more complicated financial situations may want to have their will drafted by a lawyer, but others may be able to create one with the aid of a book or computer software.

Even if you know your parents have a will, you can talk to them about whether they feel it is up to date or if they want to make any changes. For example, if they left part of their estate to a sibling and he or she died, they may prefer now to leave their whole estate to their children. Also discuss if they have other estate planning documents, such as durable power of attorney for healthcare and finances.


Could You Turn Your Hobby into a Career?

You can break personal finance into three broad categories: income, expenses and savings. Your personal cash flow statement lists your income and expenses and a common goal is to end each month with a positive balance – with money left over to put into savings.

We often tend to focus on how to make the most with what we have, but don’t forget the third category. With planning, dedication and an understanding of how your skill set could benefit clients, you could make the transition to a more entrepreneurial role and increase your income.

A friend recently shared her experience. She started working out while looking for a way to release stress. Soon, exercise became her hobby. And then her passion. Several years later, she got the necessary training and certifications to go into business for herself as a fitness instructor and personal trainer.

Others have similar experiences. A photography or coding course sparks intrigue, which leads to exploration as a hobbyist and an eventual career or part-time income source. Or later in life you may decide it’s time for something different and start by exploring your interests and then setting off on an entirely new path.

Acknowledge that you may be giving yourself a new job. First, consider whether you really want to turn something you enjoy into a financial pursuit. Some people find that the transition can “ruin” their hobby in a way – it could feel like a chore or job rather than an enjoyable outlet. As long as it doesn’t require a substantial upfront financial investment, testing the water before diving in fully could be a good idea.

With the proper clearance, you can stay at your current role and start a small side business or offer your services as a freelancer to see what the experience will be like (and how much money you can make). You might find that a profitable, or cost-covering, hobby is enough.

Identify ways to make your offering uniquely yours. No matter how hard you try, you can’t will money into existence. It will take a lot of work to make a business succeed and even with a driven entrepreneur at the helm, many businesses don’t make it past the first several years.

But whether you’re creating and selling a physical product or offering a service, you bring a unique set of skills and experiences to the table. Try to figure out how these can distinguish your offerings or add a unique twist that will help potential customers meet their goals.

Businesses succeed for a variety of reasons. They might create something entirely new, figure out how to make something less expensive or more luxurious, put their efforts into customer support or figure out a fun and creative way to advertise their product.

Figure out who your target customers are and what they like. If you’re going to make money you’ll want to identify a target market. Generally, this will be a group of people who want and can afford your offering. Both qualifiers are equally important.

Be brutally honest with yourself. There isn’t always a profitable market, and some hobbies don’t make great businesses.

Working within a proven market – selling something that people already buy – can be a good thing because you know there’s at least some demand. From there, you can figure out the best way to find customers that like the twist or extra touch you’ve put in.

My friend, for example, has discovered several ways to attract her clients. Some people already have an active lifestyle and don’t necessarily need motivation. For them, she emphasizes her knowledge of fitness and health. She can craft a meal plan that aligns with their physical goals and work with them to improve their form and help prevent injuries.

With clients who are struggling to get started, she emphasizes the value of having an accountability partner. She takes the planning and worry out of working out; they just need to show up.

Are you ready to take action? Managing spending and saving are essential elements of any financial life. With some thought and planning you could grow another essential element – your income – while doing something about which you are passionate.

by Nathaniel Sillin

New Season of Game of Thrones Invites Scams

As excitement for season seven of the hit HBO series Game of Thrones (GOT) ramps up and trailers and teasers are released, scammers will be on their games too. Fans just might get a real short end of the sword if they aren’t paying attention. In the past, scammers specifically targeted those who tried to pirate the series. It is likely that this, and possibly even more scams using the series name, actors, or related information, will make a comeback in the coming weeks.

Watch for “malvertising” using GOT as a lure. Often, scammers will create ads enticing fans to click. Instead of getting an early release of an episode or a behind the scenes video, malware may get downloaded onto the device. At best, you may be taken to a site trying to sell you something you don’t want or need.

While perusing social media, beware of items in the news feeds claiming to show something “not to be missed” or shocking. These are click bait. They use catch phrases, headlines, or titles to entice you to click on something that is so unbelievable you can’t resist. It’s better if you do resist. These are often scams, or whatever is behind the click will put malware on your computer or mobile device.

In a case from last summer, the scammers specifically targeted those pirating the series by impersonating HBO’s anti-piracy firm, IP-Echelon. They asked for a fee to make the company’s demands go away. It is unlikely this would ever be offered in an email message from any legitimate company trying to prevent intellectual property from being stolen or misused. Any such language should throw up a red flag.

Popular games and other entertainment are often used as bait for phishing scams. The Olympics, the Super Bowl, and other sporting events are always big lures. Scammers also take advantage of tragedies such as the death of a celebrity or musician, or a natural disaster.

Last year’s craziness surrounding the Pokémon Go game and the subsequent outbreak of malware is an example of how phishers latch onto unsuspecting users and their desire to be entertained.

Avoid clicking any links, advertisements, or attachments that you are not 100% certain are legitimate.

If you are one of those excited viewers who likes to test the legal boundaries, be aware of any email you get with language demanding you pay up using gift cards, money transfers, or Bitcoin. Legitimate legal demands won’t ask for these. If you aren’t, you don’t have to worry about those email messages at all. Just delete them.

© Copyright 2017 Stickley on Security

Your Email Address Can Be Used Against You

We have a lot of passwords to remember these days. It’s understandable that we forget them every now and then. It’s usually pretty simple to get them reset so you can start again. However, while very convenient, this can also be risky. When you forget your password, many websites will allow you to enter your email address to get a link via email to reset it. Nothing else is required. A persistent criminal can use email addresses to get access to accounts like PayPal or even your financial institution, where the payoff could be very big.

Jim Stickley of Stickley on Security wanted to prove this to a group of conference attendees. He wrote an app designed to collect the emails that went out to the users who forgot their passwords. He asked for volunteers who agreed to download an application that appeared to be a WiFi signal booster. They didn’t know what the demonstration was about, but willingly installed the app on their mobile devices knowing it would be of no real harm under those circumstances.

The app stealthily perused the devices and collected information from them, including email addresses. He could simply go to PayPal or Amazon, for example, request a password reset and intercept the emails sent. He then clicked the included links, changed the passwords, and had control of those accounts with no one knowing what happened.

In addition to getting access to certain online accounts, he was also able to peruse everything in the person’s email account. This is significant because there is a lot of information that can prove very valuable to someone who doesn’t have the best intentions.

The conference attendees agreed to be part of the above exercise, but there are thousands of malicious apps available on the Internet from third parties and even in the official app stores that don’t always ask for permission to access your information.

The danger that lurks on the Internet is perhaps not as dangerous as a mugger lurking in a dark alley. However, it does have its own version of that mugger and the dark alley. Read reviews of apps you consider for download and don’t sideload them. Use multifactor authentication (MFA) whenever offered, be skeptical of links and attachments you receive in email messages, and be conservative with the information shared on social media and online networking sites.

No one is going to look out for you or your information better than you. So take time to learn about the dangers and how to protect yourself. Stickley had no intention of using the information he gathered for evil. Others aren’t so courteous.

© Copyright 2017 Stickley on Security