Insurance Commissioner Warns of Phone Scam

Female hands holding credit card and making online purchase using mobile phone. Shopping consumerism delivery or internet banking concept. Anti-fraud and financial security concept

Connecticut insurance policy holders are getting an unwelcome holiday gift; credit card fraud. The State Insurance Commissioner is warning of a phone scam in which callers pose as insurance company representatives telling victims their policies are being cancelled. They will ask for credit card numbers in order to reinstate the policy.

If you get a call from anyone stating a policy is expired or cancelled, call your insurance company or agent to confirm. Then, renew or settle the issue with them. Don’t give out credit numbers over the phone unless you initiate the call and are intending to make a purchase.

If you think you may have already been a victim of this, report it to your local law enforcement and your state insurance commissioner.

Currently, this is only being reported as happening in Connecticut. However, no one is immune to phone scams with similar scams continually running across the nation. Always be aware of who is on the other end of the phone when providing sensitive information. This is particularly true during the holidays. Unfortunately, some are more in the taking spirit than the giving one.

© Copyright 2016 Stickley on Security

2016 Security Threat Predictions – Part 3

2016 graphic against composite image of doors opening to reveal beautiful sky

So here we are in Part 3 and the final installment of the “Information Security Threats Predictions 2016” series. As promised, some light at the end of the tunnel.

Investment in security is on the rise. Companies and individuals are becoming more educated on security threats. It’s actually necessary, but also very encouraging. As such, both companies and individuals are making additional investments in cyber security.

The times are changing and people no longer have the “it won’t happen to me” attitude. It likely already has happened to you in some form, be it identity theft, credit card fraud (who hasn’t had their number stolen in a breach over the last couple of years?), or some type of scam. So the public is arming itself with knowledge and products to help keep their identities and money safer.

Firms will be innovative. Often regulation is not desired. However, it’s a fact of life and there is likely to be more. This means those providing products and service will innovate and create new ways of meeting regulations and generally trying to stay ahead of the bad guys. This benefits both companies and individuals. So be on the lookout for exciting new technologies and services to meet these needs.

Collaboration among organizations and countries is improving. We have seen the FBI work with Microsoft and others to put the brakes on the distribution of Reveton ransomware. U.S. and foreign law enforcement also worked together to seize command and control servers of the CryptoLocker ransomware, and to disrupt the Gameover Zeus botnet. Although the criminals are still at large, this collaboration has managed to keep that botnet from encrypting more computers. In addition, Russian security company, Kaspersky has worked with law enforcement in The Netherlands to create a tool for decrypting computers that have been infected ransomware. They have made these tools available to the public with instructions on how to use them. And it’s free!

In addition, international legislators are working together to improve security worldwide. The European Union and the United States face many similar cybercrime issues. Therefore, the two have formed a working group intended to create standards for risk management, increase cybersecurity awareness, and promote the Budapest Convention (the first international treaty which attempts to address computer crime and the Internet on a worldwide basis).

In the words of Martha Stewart, “It’s a good thing.” All of these are progress and are positive. In addition, remember those disappearing acts? Regular phishing in email messages is decreasing, but phishing via instant messaging and social media is on the rise. More good news is that the public is more prepared for it than ever.

As for passwords becoming a thing of the past; it’s happening slowly, in favor of biometrics, for one. However, this means we will need to learn more about security of biometrics and other methods that replace them. And passwords are likely to still hang around for a while, but we can look forward to not having to remember so many of them.

We still need to stay on our toes. It’s not time to let our guards down. It’s an opportunity to learn more and get the hang of what it takes to protect ourselves in this cyber world we now live in.

But don’t despair. It’s all doable. Just don’t stop creating strong passwords and phrases, and make sure you change them often for each online account. Continue being careful about clicking links and attachments in email messages. Keep an eye on your credit reports and payment card charges and report anything strange right away. Research software and apps before downloading them and pass on good Internet use habits to others, including children. After all, sometimes that five-year-old knows more about new technology than we do, so teach them early and they will be well on their way to avoiding becoming victims too.

© Copyright 2016 Stickley on Security

2016 Security Threat Predictions – Part 2

2016 graphic against composite image of doors opening to reveal beautiful sky

In the second part of this three part series, we discuss additional nasty threats on next year’s horizon. It’s not all bad news, however. As these threats take the limelight, others will slowly start fading behind the curtain.

The disappearing acts? Stolen passwords and the use of email for phishing and scams. More of that in Part 3.

Back to the threats.

Everything being connected via the Internet of Things (IoT). From the cars we drive to the toys with which our kids play, it’s all becoming more connected to the Internet. The more this happens, the more risk of cybercrime hitting us. Recently, even Barbie became a spy for the potentially unscrupulous. The risks range from Denial of Service (DoS) attacks to identity theft to watching our kids at play. And that’s pretty scary.

Do This: Ensure everything you connect to the internet is as secure as possible. Change default passwords on devices and change them periodically. Create strong passwords when setting up online accounts and don’t reuse them. Make sure the Internet-connected toys your kids play with (don’t forget those high tech video game consoles) are tightened up and that you are sure you want the information that crosses through the toys to travel out to the Internet. Otherwise, maybe choose “vintage” toys instead.

Advertising isn’t just for marketing folks; malvertising is on the rise. It happened a lot in 2015. Ads are placed all around the perimeters, or even right in front of your view on a webpage. Most of them are legitimately just trying to sell you something or provide you information. However, some are not so pleasant and are hiding malware. It could be ransomware, could be a Trojan, spyware, or scareware; which is the least scary of them all.

Although they can also be real ads, clickbait is often used to entice users to click on nefarious links. These ads are intended to shock users a bit so they will want to see what is behind the curtain. Often they exploit celebrity gossip or current events as a hook. For example, one might claim that if you click, you will see a leaked photo of a naked celebrity or a video of a horrific, highly publicized event.

Do This: If you like seeing them, use caution when clicking. Take an extra moment or two and make sure they are not fake. If there is text, it should be correct use of the language. They should include real logos and are likely related to something you are viewing on the page. If you don’t like seeing them, consider using ad blocking software. These block all advertisements on the web page and also help prevent accidental clicks on potential malvertisements.

As with all of these, it is highly recommended to install anti-malware on all devices connecting to the Internet. There are many options, so do research and find the best one that works for you. When getting apps for mobile devices, make sure you stick to those in the official app stores. And keep all devices updated with the latest versions of whatever you have loaded. If you are using software that is not going to be supported anymore, such as Internet Explorer, upgrade to a supported version or use a different product that does have support.

It is not all gloom and doom, Part 3 will share some good news. Stay tuned.

© Copyright 2016 Stickley on Security

Use Caution when Posting Information on Social Media

Conceptual image about how a smartphone open a door to worldwide information sharing.

Facebook, Twitter, Instagram, Snapchat, LinkedIn. These and many others are all online social networking sites that can lead to lots of sharing and fun, but also carry risks.

Online social networks are not harmless. Anyone participating in a social network online assumes some risk of becoming a victim of a con artist or other criminal. This doesn’t mean don’t participate. It’s part of our society and in some cases an important part of business. It’s fine to use it. Just be aware of the risks and do what it takes to avoid becoming a victim of identity theft.

It’s of significant note that once you put something on the Internet, it is on there forever. It never really disappears and there is nothing preventing your connections from sharing. Once that happens, you lose control of it. You cannot remove or delete it or if you can, it will not be easy or fast. If someone in their network shares it, it will crawl even further into the Internet and there really is little to nothing you can do about it.

Therefore, always know who you are giving access to your personal information and if you don’t want them to share something, ask them not to or just don’t post it. In addition, keep in mind that what you post can reflect on your business relationships as well.

Pay attention to who wants to follow, friend, or share with you. Often cybercriminals will try to connect with people in order to learn about them, bring them into confidence, and then scam them. Often this will come in the form on attachments or links passed on once you are “friends” with that person.

Any information found on the Internet may be used against you for nefarious purposes, so always think about what you post. Hackers of all types troll social networking sites to put together collections of information on specific targets. The information may be used for something completely unrelated to social media, but can do a lot of damage. Besides putting yourself in physical danger your information may be used to create phishing messages and send emails to people who know you including your co-workers. Included in the messages could be malware. Once a link or attachment is clicked, it could unleash something nasty on the network and no one wants to be responsible for that.

A good example where criminals will often go to learn important information about you is LinkedIn. This social networking site is a great way to form business relationships but is also often used by criminals to learn more about an organization’s personnel. For example, LinkedIn can provide a would-be criminal with the employee names, job positions, job responsibilities and even how long an employee has worked at the organization. This information can then be used by the criminal to target “high risk” employees or even be used as part of a larger social engineering campaign.

Because this information is now available to the public, you need to be even more diligent in detecting potentially malicious activity. From suspicious emails to phone calls, just because a person contacting you knows some personal information about you, does not mean they can be trusted. They could have gathered that data from social media sites, so don’t be tricked into giving out even more information or opening links and attachments contained in emails.

Think about how you use social media and how much information you want to share with the world. Because even if you think it’s just your “village” seeing the information, the reality is that it isn’t. It’s everyone, everywhere.

© Copyright 2016 Stickley on Security

2016 Security Threat Predictions – Part 1

2016 graphic against composite image of doors opening to reveal beautiful sky

At Innovation Project 2015, the former National Security Agency (NSA) Director, General Keith Alexander had some pretty dire news to report. Cybercrime is going to get worse, before it gets better. And the experts have a list of threats they think are going to be at the top of the bad list. They also have some ideas that will make it a little less bitter.

In the first two parts of this article series, we discuss the threats. After you have had a moment to soak that up, a separate article will talk about the future mitigation and how security experts think we will all try to stay ahead of the curve. In addition, there are some recommendations on how you can help yourself.

The following are in no particular order. They are all troublesome and all worth attention.

Ransomware becoming a primary form of attack. This type of malware can encrypt and hold your data for ransom. The dollar value to get it decrypted ranges from a few bucks to hundreds. Experts at the security company Norton did a study over a period of one month. The numbers were astonishing. Over 68,000 computers were infected with ransomware. Of those, 2.9% paid the ransom resulting in $394,000 in payouts to cybercriminals…in a single 30-day period. Often this type of malware is loaded from malicious websites that are visited via clicking links in phishing email messages. Other times just accidently typing in an incorrect URL will result in infection.

Do This: Make regular backups of your computer. Then, if this happens to you, a restore can be done quickly and easily without paying a dime. Also make sure anti-malware is installed on all your devices and that it is kept updated. Don’t click links in email messages unless you are 100% certain they are safe. If you do find your files held for ransom, don’t pay the money. That backup will be priceless at that moment and paying it out only encourages more of this criminal activity. Use caution when typing URLs into the browser to avoid accidently doing a “drive-by” and infecting your devices.

Phishing isn’t going away and will become more targeted. Phishing is the top method for getting users to install malware, click links that lead to malicious or undesirable websites, and to extract information from targets. Spearphishing is taking it one step further. These are considered Advanced Persistent Threat (APT) actors. The hackers actually seek out those who can provide the most value to them within an organization or an industry and stick with them over time until they can get what they are after. Often these targets are people with ability to make financial transactions. Business Email Compromise Scams are in this category and recently, the FBI issued a warning to businesses about this very thing. In 2015, this type of crime has resulted in over $1.2 billion in losses and it isn’t expected to decline in the near future.

Do This: Pay attention to what arrives in email messages and don’t click links in them that are not expected. If the sender is unknown, just delete the message immediately. If you are not sure, confirm via voice or separate email with the sender. Look for messages that use incorrect grammar, punctuation, and have typos. Make sure to confirm where links are directing you by hovering over them with the mouse pointer or holding down on them on a smartphone or tablet to see where it actually goes. If it doesn’t make sense to you, skip it. If you make financial transactions for your company, follow a multi-authorization processes before wiring or transferring money and always verify with the requestor via phone or separately composed email messages (in other words, don’t just hit the reply button).

In the next part, we discuss more of the ugly. Don’t worry though. There is a light at the end of this tunnel.

© Copyright 2016 Stickley on Security

IRS Phishing Scams Right on Time for Tax Season

IRSPhishing

It’s no surprise to the U.S. public, nor is it apparently news to the Eastern European hacking community that it’s tax season. That means there will be no shortage of phishing email messages claiming to be from the IRS showing up in our in boxes. In fact, a security researcher from Kaspersky Labs has just warned of one that requests private information be entered into a form claiming to be from the IRS. However, that form is hosted in Eastern Europe, which is not where the IRS hosts forms.

The IRS will not request information from you in an unsolicited email message, phone call, or fax. In fact, on the IRS website, there is an entire page devoted to this topic and it starts with “The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.”

Keep in mind that this is just the start of IRS phishing season, they will be coming at you fast and furious for the next few months. Here is a look at the current scam that is getting way too many people responding.

IRSexample

Always be on the lookout for phishing email messages and scams. Sometimes they will come via the telephone, fax, or even regular mail. However, the IRS just doesn’t work that way.

If you do get a phone call from someone claiming to be from the government, take down his or her name, badge number, and contact details. Then look up the phone number for the office separately by going to the department’s website. Odds are, once you ask for names and phone numbers, the person on the other end of the line will hang up. Just don’t give them any details about yourself.

Never reply to unsolicited and unexpected emails either. It’s not difficult to spoof the return address to make it look legitimate, but in reality, it goes back to hackers somewhere.

Don’t click on attachments or links in unsolicited email messages or from those who are unfamiliar to you. Often, they contain malware.

In the case of this recent scam, the form in the email asks for personal information such as social security number and bank account details. The IRS would like to know when these phishing attempts and scams are going around, so be sure to report it if you receive one.

This isn’t likely the end of these for the season. Keep an eye out and make sure it really is Uncle Sam before you correspond with anyone claiming to be from the IRS.

© Copyright 2016 Stickley on Security