The Real Cost of Cyber Love?

Are you looking for love or friendship and perusing online sites to find it? Have you met someone with a sad story who asks you for money to help him or her out of a situation, to help buy needed supplies while in the military and overseas, or to buy a plane ticket so you can meet in person? Unfortunately, there are many scams where this happens. They are all some variation of what is often referred to as the “sweetheart scam.”

One that has been gaining steam lately combines the sweetheart scam and mobile banking. A lonely heart, let’s call her Eva, falls for someone far away. Let’s call this person Sam. Sam would love to meet Eva face to face. So he asks Eva to make a reservation on an airline so he can visit. He will deposit the money for the fare into her banking account directly, for efficiency. All Sam needs is her bank name and her mobile banking credentials and he will deposit a check directly into the account after he downloads the app. After all, love just can’t wait.

Unfortunately, right after he does it, something goes amiss and he cannot visit after all. He wants that money back, immediately via some type of money transfer service. Eva checks her account and it shows the money he deposit is indeed in her account, so she sends the money right away.

Unfortunately, Eva just got scammed. Sam never intended to meet her. He just wanted cash. You see, when you use mobile deposit with your financial institution, there is a period of time before the deposit is actually approved and funds are available. That time period differs for each financial institution and can range from 24 hours to several days, depending on circumstances. So, even if the mobile deposit says it was successful, the money may not actually be available right away. The check that Sam deposited bounced, of course and Eva was out the cost of a plane ticket.

It’s easy to get caught up in the moment when first meeting someone new. We want to trust people, but no one needs your mobile banking credentials. So keep those a secret no matter how hard a person tugs at your heartstrings. Unfortunately, there are a lot of people out there in the world with bad intentions. Don’t give them information that can be used to steal from you.

In some cases with this scam, if the victim refuses, the scammer threatens to sue or otherwise scare them out of money. Don’t let it happen to you. Keep your money close to your heart and let the scams of the world go.

© Copyright 2017 Stickley on Security

Movie Fans Targeted in iTunes Scam

Movies are a big business and it’s more popular than ever to grab your popcorn and Milk Duds and sit back on the sofa to stream them from iTunes. A recently found scam targets Canadian movie fans by sending a fake Apple invoice for movie rentals, counting on the user to request a refund.

In this case, the invoice purports to have charge for a list of movies that can add up to a rather large sum of money. The movies on the invoice are often those that were released somewhat recently, such as Jack Reacher: Never Go Back and Arrival, making it a bit more believable to potential victims. After the initial shock wears off of the amount on the invoice and the fact that the charges do not belong to the targeted victims, the next reaction is to scan the form for a way to get a refund or dispute charges.


Conveniently, the phishers put a link at the bottom of the document. It supposedly can be clicked to claim a full refund. However, it doesn’t go to Apple. It goes to a website registered in Norway. The information requested in the form that appears wants a lot of personal information, including date of birth, mother’s maiden name, and a social insurance number. Canadians need this last number to access government services. It is not needed to get a refund from Apple or most any other company. These should raise big red flags to the recipients.

The scam was spotted by researchers at security company Fortinet. The fake invoice arrives in an email message that at first glance appears to come from Apple, but if it’s expanded, it shows a strange email address from a Norwegian site. By using the mouse to hover over the link, it looks like a bunch of randomly generated characters, but definitely doesn’t look like an Apple link.

Remember that by taking a minute to check the link destination before clicking it, you can avoid being a victim of phishing. Hovering over them with the mouse pointer works for this, as does holding your finger on the link for a few seconds if you’re using a touch screen device. If the link destination doesn’t make sense to you, it’s probably a fake one.

If you receive something like this that claims false charges to any of your accounts, it’s even better to go directly into your accounts from previously bookmarked links than clicking anything. It’s getting more and more difficult to detect phishing messages, so try to get into a habit of not clicking them and going into accounts separately to avoid becoming the next victim. If all is clear in your account when you check that way, then you can be sure the message you received is indeed phishing.

Apple users are often the targets of phishing these days and not only in email. Smishing is on the rise as well. This is when the scammers use SMS/text messages to trick users (also called “smishing”). So watch for those fake links too.

Another tip for avoiding scams like this is to set charge alerts on your payment cards. You will get a message each time a charge is placed on your card for a limit you set. If you didn’t get an alert for the charges, it’s a clear signal that a phishing attack is at play.

© Copyright 2017 Stickley on Security

Storage Limit Reached Scam Tricks Users Out of Email Credentials

There is a lot of data to store these days. The average user gets somewhere between 50 and 100 email messages per day and that takes up storage space somewhere. It might be stored in the cloud, but it may also be stored on a server in the cold room of the IT department. Wherever it is stored, the servers have limited space. Therefore, most organizations set a limit on how much of a hard drive each person can use. When that limit is reached, it’s time to do a clear out of messages. Scammers are using this tidbit to trick people into giving up email login credentials.

The Better Business Bureau (BBB) reported that its users were receiving an email message that claimed their storage was full and they needed to click an included link to validate the account and add storage. When the link was clicked, a form appeared that requested email address and password. Once the information was entered, the form disappeared and a dialogue box appeared stating that all is well.

Unfortunately, those users gave up their information to someone who could use it to send spam, distribute malware, or to commit some other type of fraud.

There are ways to identify potentially harmful messages.

-Don’t just believe what you see. Scammers can fake anything from a company logo to the sender’s email address with relative ease.

-If an email arrives unexpectedly or by an unknown sender, do not click on links or open files that may be attached to them.

-Use your sixth sense. If something appears to be suspicious, confirm it first. Contact the sender directly from a number you know is accurate or by starting a new email message. Don’t reply to the original one. Walking to the sender’s desk or office may be another option.

-If something is generic, it should be met with suspicion.

-Always be wary of messages that don’t contain your name or other personalized information or references.

-Use unique passwords for each online account you create. This will reduce your risk of password reuse being successful for a cybercriminal.

The subject line reported by the BBB was “[name]@[] update required” and appeared to come from a webmaster domain account. If you receive something similar, confirm its legitimacy with your IT department before taking any action.

© Copyright 2017 Stickley on Security

Study Finds Our Personal Information May be Leaked to Anyone Who Wants It

A company that provides a mobile device gateway product, Wandera, has found that the apps we install on our devices leak a surprising amount of information to anyone who chooses to capture it. It doesn’t take an experienced hacker either, but merely someone who may be sitting in the corner of a café logging traffic crossing an unsecured WiFi connection.

The study found that 200 popular apps were exposing sensitive information, mostly user names and passwords unbeknownst to the users. However, any information that was entered into the apps was subject to being leaked. Nearly 60% of the apps giving away the information were news, sports, or shopping apps; the apps many of us use every day without a second thought.

It’s worth thinking about, however, what information we enter when we download the apps and what apps we do indeed install on our devices. Think about what is asked for in order to put it on the device. A free news app, for example, doesn’t need your social security number or payment card information. It also doesn’t need your age or address. If it doesn’t allow use of the product without it, perhaps it’s wise to choose a different one.

In addition, pay attention to the reviews and number of downloads for any application. If there are very few of them, have a bit of patience and wait for the kinks to be worked out first. When Wandera contacted the developers of the vulnerable apps, some of them did fix them right away. Others didn’t even acknowledge the communication attempts. Reviewers usually will indicate any problems that are found in initial releases and if they are not on the positive side, reconsider if you want to be an early adopter.

Also, because most of the time it was a user name and password that was leaked, don’t re-use passwords across multiple sites and applications. Each one deserves its very own password. Then, if a hacker does get ahold of that information for one app, it doesn’t have it for any others. Password reuse was blamed for some rather high profile incidents such as the “naked celebrity” leak a few years ago. Spotify also accused this as the cause for strange activity on some users’ accounts in 2016.

News, sports, and shopping weren’t the only apps to leak information. Thirty percent (30%) came from travel, entertainment, lifestyle, and technology apps. The biggest offenders were adult sites. Of the top 50 of these types of sites, 80% exposed personal information.

These types of issues with mobile apps likely occur for a variety of reasons. One is possibly the rushed timelines under which developers are often asked to work. It may also be due to bugs in the code or general ignorance of how to make code secure. Whatever it is, it puts user data at risk of being stolen.

© Copyright 2017 Stickley on Security

Google Finds Companies Receive Considerably More Malware in Inboxes Than Individuals

If you read Google’s security blog or were at the recent RSA security conference, you may know that corporate email receives 4.3 times more malware than personal accounts. The biggest targets appear to be chosen based on a few factors including size of the organization, the type of organization, in which sector they do business, and the country of origin.

Non-profits were the biggest targets, receiving 2.3 times more malware than other types of organizations. Education is at 2.1 times as much malware, and government and business followed behind at 1.3 times and 1.0 times respectively. These numbers are as of Q1 2017.

Gooligan was certainly one reason Google may be particularly interested in these numbers and in protecting customer data. This malware infiltrated 1 million Google accounts last year and was able to escalate privileges on Android devices. It also allowed hackers to steal Google account information, install other malicious apps, and do more damage, if they saw fit to do so.

Google recommends using its multifactor authentication (MFA) to add protection to email accounts. This could be a one-time code that is entered in addition to your password that is sent via text, voice messages, or within the Google app for mobile devices. Google has also started supporting security keys. These are additional hardware products that are inserted into the computer’s USB port or use the Bluetooth functionality on mobile devices.

For businesses, consider using their hosted S/MIME feature as well as the TLS encryption indicators. These ensure that only the intended recipient(s) are actually reading the email.

And for everyone, make sure to take time to read those dialogue boxes and warnings that a site might be phishing or trying to execute malware.

Malware wasn’t the only problem Google found geared at companies, although it did find that real estate companies are targeted far more often with malware (10 times more) than others. Phishing attacks and spam were also sent to corporate inboxes 6.2 times and 0.4 times as much respectively. Science related companies in Germany receive 9.6 times for phishing attempts than their counterparts in the U.S. Inboxes in India and Japan receive the most spam.

© Copyright 2017 Stickley on Security

Taxpayers Need an ID Theft Wake-Up Call

Americans remain apathetic about identity theft protection, according to the second annual Tax Season Risk Report, from Scottsdale, Ariz.-based CyberScout, which suggested taxpayers must still take ownership to protect their filings.

While the Internal Revenue Service took steps to reduced tax ID theft a pattern of poor practices leaves much of the public vulnerable.

Most Americans (58%) are not worried about tax fraud in spite of federal reports of 787,000 confirmed identity theft returns in 2016, totaling more than $4 billion in potential fraud.

“We’ve reached an extreme level of cybercrime where identity theft has become the third certainty in life. In tax season, it is crucial that everyone remain vigilant and on high alert to avoid tax related identity theft or phishing schemes,” Adam Levin, founder and chairman of CyberScout, formerly IDT911, and author of Swiped, said.

Having a password protected Wi-Fi connection, a protected mailbox for a physical tax return to be sent, two-factor authentication for tax preparation services and an encrypted USB drive for sensitive tax documents are four of the most basic ways to protect oneself.

“In order to reduce the risk of becoming a tax identity theft victim, consumers need to follow the 3Ms: minimize their risk of exposure, monitor your accounts and your personal identity, and know how to manage the damage,” Levin noted.

“If the worst happens, victims of identity theft should turn to organizations they trust, including their insurance provider, financial services institution, or the HR department of their employer, who offer low-cost or free cyber protection services to protect and restore stolen identities.”

CyberScout also suggested consumers and tax preparers can protect themselves by visiting the federal web site on tax scam alerts to find out about the current scams and cyber-attacks.

Taxpayers, confronted with a variety of scams, should protect themselves by always using long and strong passwords; never authenticate themselves to anyone who contacts them online or by phone, since the IRS will never contact them by those methods; using direct deposit or locked mailboxes for refunds.; and monitoring and protecting personal identity on social media.

These are some of the top tax-season risk behaviors according to CyberScout:

  1. Taxpayers should be more worried than they are. The majority of Americans (58%) are not worried about becoming victims of identity theft during this tax season, a 5% drop from the number of those not worried in 2015 (63%).
  2. Only 35% of taxpayers demand their tax preparer use two-factor authentication to protect personal tax information. The majority (56.5%) did not know if their preparer followed, offered or required this best practice. Two-factor authentication is much more secure than a single password and tax preparers should take this security approach.
  3. Most consumers (80%) have protected their home Wi-Fi networks with a password, but they are relying on it too heavily and need to use more secure storage methods. Only 18% utilize an encrypted USB drive, a secure way to save important documents like tax worksheets, W-2, 1099 or 1040 forms. Another 38% either store tax documents on their computer’s hard drive or in the cloud, approaches that are susceptible to a variety of hacks. Nearly a third report not being sure where they save their tax data or documents and another 14% don’t save their tax documents at all.
  4. One of the safest ways for consumers to file their 2016 tax return is to file online directly with the IRS. Unfortunately, only 48% rely on and trust online tax services. Nearly a quarter of respondents do not trust online tax services because they think they are unsafe, a misperception that sometimes leads to exposure.
  5. A majority of taxpayers have not gotten the message to file early. Nearly half (43%) file by February, but another 57% either planned to file later or didn’t know when they would file. Delaying filing gives tax scammers an opportunity to file ahead of the real taxpayer and scoop up their refund.
  6. Tax return checks headed to home mailboxes are at risk. According to the IRS, more than 70 million taxpayers receive refunds. Of those who expect refunds in the mail, only 29% have a locked mailbox. And while another 20 % planned to be home, 51% risk exposure from unlocked mailboxes and lack of other precautions.
  7. Tax preparation services continue to be a potential avenue for serious harm. Most people (62%) use a tax preparer. Of that group, 50% choose their tax preparer based on reputation or rely on an IRS declared preparer, while the rest were not sure how to judge their credibility, planned to choose someone online, or didn’t vet them at all. This is an area where consumers need to research carefully since pop-up storefronts offering tax preparation services are a common way to scam consumers.

By Roy Urrico