Everyone Knows About Phishing, So Why Are We Still Clicking?

Keeping up with the latest phishing scams and how to avoid them is apparently not foolproof. Cyber scammers know how we try to avoid them, and they continually use that knowledge to make phishing more sophisticated and effective.

A Google and University of California study finds a startling 25% to 45% of all phishing emails and bogus phish landing sites are successful. And just how does that happen with so many users aware of the latest and greatest phishing scams? Security experts agree that scammers are getting better and better at making their links appear to be legitimate. These cyber creeps pounce on the slightest weakness on the user’s part. Duplicating and fabricating landing pages or “linking” emails from trusted senders and businesses are only the beginning.

So how can a user resist opening a very tempting email link from the IRS, for example? Simply by knowing the IRS never uses email to contact Americans about their taxes. Security experts agree that knowledge is your best defense, but they also admit that security software is key. Being forewarned isn’t just for phishing anymore. Beware of spyware called a “keylogger” that records keystrokes as the user types, capturing passwords for financial accounts and other sensitive logins. Take heart as experts share some very important phishing tips…

– An email link from an unknown sender absolutely needs a closer look. Hover your mouse pointer over the link and check where it actually points. There’s a huge red flag if the sender address doesn’t match the link address.

– Even if the email looks legitimate and appears to come from a sender you know, verify the sender first. Faking email addresses is very easy to do.

– No legitimate business or sender will ever ask for sensitive or personal information using email. Also, beware shoddy graphics, misspellings, and poor grammar. Scammers may be crafty, but they’re not all geniuses.

– Always keep programs and security products updated. If scammers are looking for weakness, they can easily spot holes in your security.

– A company or service needs to know if its name is being used in phishing scams. Tell them immediately that something’s not right. Let your email security provider know as well. You can also contact the Federal Trade Commission (FTC) or use the Online Complaint Assistant to report most types of fraud.

– It can’t be stressed enough: create and use passwords wisely. Always use a combination of upper and lower case letters, a few numbers, and special characters. Every password should be a minimum of eight characters.
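The two link tips above (hover and compare the real destination with the sender, and with what the link text claims) can be automated as a simple mail filter check. The following is an added example, not code from the original article or from Stickley on Security: it parses a constructed sample message, collects every link in the HTML body, and reports links whose destination domain does not match the sender’s domain or the domain shown in the visible link text. The `registrable_domain` helper is a deliberate two-label approximation (it treats `irs.gov` and `example.net` as the comparison unit); a production filter would use a public-suffix list instead.

```python
"""Hypothetical mail check (added example): flag links whose real destination
does not match the sender domain or the domain shown in the link text."""
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The sender claims to be the IRS and the visible
# link text reads like an irs.gov URL, but the href points elsewhere.
SAMPLE_EMAIL = b"""\
From: "IRS Refund Desk" <refunds@irs.gov>
To: taxpayer@example.com
Subject: Your refund is waiting
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://irs.gov.refund-verify.example.net/claim">https://www.irs.gov/refund</a>
to claim your refund.</p>
<p>Help: <a href="https://www.irs.gov/help">IRS help page</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximation: the last two DNS labels (assumed good enough here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg):
    """Domain of the first address in the From header."""
    addr = msg["From"].addresses[0].addr_spec
    return registrable_domain(addr.rsplit("@", 1)[-1])


def check_email(raw):
    """Return a list of human-readable findings for the raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)

    sender = sender_domain(msg)
    findings = []
    for href, text in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        # Tip 1: the real link destination should match the sender's domain.
        if target != sender:
            findings.append(
                f"link domain {target!r} does not match sender domain {sender!r}: {href}")
        # Tip 2: if the visible text looks like a URL, it should point where it claims.
        if text.startswith(("http://", "https://")):
            shown = registrable_domain(urlparse(text).hostname or "")
            if shown != target:
                findings.append(
                    f"visible text shows {shown!r} but link goes to {target!r}: {href}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Running it on the sample prints two warnings for the first link (destination `example.net` matches neither the sender `irs.gov` nor the `irs.gov` shown in the text) and none for the genuine help link. A check like this is a heuristic, not proof: a sender address is trivially forged, so a matching domain only means the link is consistent with the claim, not that the claim is true.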

© Copyright 2017 Stickley on Security

1.8 Million Girl Scouts Take On Cybersecurity

Putting cookies in perspective, Girl Scouts USA (GSUSA) will offer cyber security badges starting in 2018. In a two-pronged approach, GSUSA addresses its growing concern for the safety of its young Scouts online. It also takes aim at the significant lack of career focus for girls and women in IT and other sciences. Girl Scouts from 5 to 12 years old will be poised to pin on those 18 new badges in the coming year.

In 2011, the GSUSA challenged the future of its Scouts by reforming its curriculum. It is partnering with Palo Alto Networks for the release of the September 2018 badges. Teaching girls about the latest social media sites and how to navigate their pitfalls safely and securely is key. As the Scouts move up the awareness chain with age, the programs reflect the realistic concerns they face. The Daisies, at age 5, have fun learning with games and how to use a computer. The older Girl Scouts get involved much more directly with current cyber security, ultimately keeping themselves safer online.

The second prong of the cyber security program brings to light the statistics on the alarming lack of women in the STEM (Science, Technology, Engineering, Math) fields. Earlier this year, a report from the Center for Cyber Safety and Education had some striking news. Women hold only 11% of positions in cyber security and other STEM professions. With 51% of those women holding master’s degrees compared to 45% of their male counterparts, the numbers make even less sense. The GSUSA decided to do something about that.

With Palo Alto’s assistance, Scout STEM training for girls up to 12 years old involves more diverse learning methods. Senior Scouts enjoy community involvement, trips involving cybersecurity, and all-important mentorships. Understanding the psychological “how and why” behind threats like phishing, and why they work as well as they do, ranks right up there with the Car Care badge.

The Girl Scouts are taking on the reality and importance of cyber security head-on. In a year from now, the girls will be proudly boasting their sashes, aware or not that their new security badges may open the door to more than just fun. Their impact on society and women’s equality in STEM professions may alter the world and its perception forever. Adding a new dimension to its ongoing relevance, GSUSA proudly forges into a cyber-scary world. The next time you stop to order a box of troop treats, don’t be surprised to hear “How many boxes would you like, and do you have an anti-virus program on your computer?”


Jayden K Smith Is Not Your Friend Nor Does He Want To Be

The reports you have probably read, whether or not you have a Facebook account, about someone named Jayden K. Smith dying to be your friend are indeed true. What does that mean, you ask? There really is a hoax going around that asks Facebook users to spread the word not to connect to a particular “friend.” However, that particular person is not necessarily a hacker, may not even exist, and if you do accept any such requests, it does not mean your account is or ever will be hacked. In fact, that just isn’t the way hacking works.

Before going any further, a few tips. Facebook is a social media platform where you can connect with others, most definitely. However, it should be treated as any other location where there are a lot of strangers. If you are out at a party or at an event, you certainly can meet a lot of people. However, consider whether you would just hand over personal information to them right away. Think about all the information on your Facebook profile and decide if you want strangers to have access to that. Even though someone cannot hack your account merely by friending you, someone certainly can use the information from there to spearphish.

Spearphishing is a tactic used by hackers. They use specific information about a target that they can pick up from social media such as Twitter, LinkedIn, Facebook, Instagram, and others. Then they use it to send email messages or even place phone calls trying to get even more information that is useful to them: payment card numbers, social security numbers, or, in the case of the office, convincing the target to perform a fraudulent wire transfer. This happens to those working in departments such as accounting and Human Resources, because those people often have access to sensitive information.

If you are browsing social media and get a friend request from a stranger, it typically is not recommended that you just blindly accept it. Ask your actual friends if perhaps it is a mutual friend that you just don’t immediately recognize before accepting. If no one knows, it could be someone with bad intentions.

In the case of Jayden K. Smith (and previously Anwar Jitou, Linda Smith, Christopher Butterfield, and Jason Allen), these messages are just an annoyance as far as anyone can tell and any request to share them should be ignored. What they do indicate is that people really don’t understand how identity thieves can get information about them or “hack” their accounts. While there are many ways this can happen, just friending someone is not one of them. However, giving them access to what you post on social media can lead to identity theft, fraud, or account access. So always make sure you know who your friends really are when it comes to social media.


Verizon Customer Data Left Open For Anyone Who Cared To Look For It

There are nearly 114 million Verizon customers in the United States. Unfortunately, around 14 million of them have just become victims of a potential data breach. It is only “potential” because the data was found by a researcher on an unsecured Amazon cloud server. And, while it may seem like “old hat” by now to hear of an intrusion, consider that in this one, transcripts of customer service conversations, customer names, mobile phone numbers, and the PINs that gave customers full account access when calling customer service were left unsecured on the server and available to anyone who knew how to retrieve them.

Verizon does not believe the information was accessed by anyone other than the researcher who found it in June. However, the reality is that it is impossible to really know this. The significance is that with the name of the customer, the PIN, and the cell number, anyone can contact customer service, possibly convince them they are the subscriber, and do other harm.

While you might immediately be skeptical about what damage can be done with this information, consider that even if you use multifactor authentication (MFA), many or even most services will send you a text message as that MFA code. If someone has that much information they ultimately can hijack your cell phone and retrieve that MFA code. This means that the possibility to log into your financial accounts and drain them of all funds exists.

Even though this could happen, it does not mean that utilizing any MFA that is available to you is a useless prospect. It is the opposite. Utilizing these services when available still lowers your risk of becoming a fraud victim significantly. Taking advantage of them is always better than not doing so because it is much more effort for someone to get access to those too.

For the time being, Verizon customers should strongly consider changing the PINs for their accounts right away. It is unclear at this time whether Verizon will require it, but Verizon customers should be proactive and do so anyway. With cell phones being so critical to our lives these days, why give a cybercriminal the opportunity to defraud you unnecessarily?


Here’s Why Cybersecurity and Education are So Important

The Internet has become a way of life for most of us. While it might be a breath of fresh air to be “off the grid” for a period of time to rest and reset, it really is difficult to think of not having it available to us at the touch of an app. Because of this, cybercriminals are also finding ways to use it to scam us out of any number of things including to steal our information, to make money or steal it, or even just to cause a disruption in our day.

Last year, there were a reported 6.2 million incidents of cybercrime in the United Kingdom (UK) alone. That’s a lot of trouble being caused using the Internet. Here are several reasons that cybersecurity is more important than ever going forward.

Viruses and malware are more sophisticated and complex than ever.

First, it helps to know the difference between viruses and malware. Viruses are a specific type of malware designed to replicate and spread once executed. Malware is a broad term describing all sorts of malicious programs designed to do just about anything. It includes, but is not limited to, viruses, spyware, ransomware, adware, trojans, worms, potentially unwanted products (PUP), etc.

This is why having an anti-malware product installed and kept updated is so important. The major vendors provide products that cover pretty much all of it to one degree or the other. Shop around and find what works for you.

Scammers are getting better at tricking us into opening malicious attachments or clicking malicious links.

Far gone are the days when it was immediately obvious that an email message was phishing. The scammers are becoming so well-versed at copying logos and language, pretending to be colleagues, and generally making us feel comfortable that we don’t hesitate to open these dangerous files. In fact, a study by Avceto showed that if we think a link or attachment comes from a friend, such as from within social media, we don’t even hesitate to click it. Scammers are even placing phone calls to gain information to scam us (called vishing).

Always take some extra seconds to be 100% sure that whatever you receive in email, by text, or even on the phone is not trying to phish for information. It’s still important to look for those tell-tale signs of phishing, but if you don’t recognize the sender or you are not expecting a link or attachment, either trash the message, hang up the phone in the case of vishing, or take some time to verify its legitimacy before going further.

So far, 2017 has been the worst on record for data breaches.

A recent Risk Based Security report found that in just the first quarter of 2017 there were over 1,200 data breaches. This is on target to be the worst year for data breaches ever. We have already seen compromises at Kmart, OneLogin, Intercontinental Hotels Group (IHG), Chipotle (again), DocuSign, and Gmail to name just a few.

It’s hard to secure your own data once you give it to others. However, there are some things to be done to help. These include actively monitoring payment card charges and reporting suspicious charges immediately. In addition, get a copy of your credit report from each of the three major reporting agencies every year. Review it closely and report anything that is incorrect or suspicious to them and clear it up as soon as possible. At the website annualcreditreport.com, you can get a free one from each of them individually. For extra caution and to address anomalies sooner, stagger when you order them so you can keep an eye out throughout the whole year.

You can also set charge limit notifications on most payment cards. If you normally don’t spend over $50 in a transaction, activate a notification to be emailed, sent by text, or by phone any time a charge over that amount is made to your card. You can also set these for balance limits. This will help identify potential fraud as soon as it happens.

Business email compromise (BEC) is on the rise and expected to continue.

The FBI continues to warn businesses of this rising crime. Losses, according to the last PSA issued by the FBI’s Internet Crime Complaint Center (IC3), have exceeded $3.1 billion. This crime happens when someone in an organization is tricked into sending sensitive information, such as W-2 data, to someone impersonating a colleague. Often, they pretend to be an executive. It also occurs when someone with access to perform wire transfers is tricked into wiring money to a thief’s account. Again, an executive is often impersonated to perpetrate this.

There should be checks and balances in place at any organization for performing wire transfers. At least two sets of eyes should approve each request. Pay attention to requests for this task, and if the request seems strange, question it. Any executive would prefer that to having money stolen from the company. In addition, sensitive information should never be sent via email. Email is not a secure form of communication, and even encryption can be broken. Therefore, consider any email fair game for anyone on the Internet to read. If you need to get sensitive information to someone not co-located, use a traditional courier or the telephone.

Cybercrime isn’t going away any time soon. Unfortunately, sometimes it seems that the criminals just want to cause us a lot of grief. For example, in the recent WannaCry outbreak where a lot of business was disrupted all around the world, the thief or thieves only made out with about $50,000. So, if you’re on the Internet, being proactive can help protect against these types of crimes.


New PayPal Scam Wants a Selfie

As if there aren’t enough PayPal phishing scams already, there is another one that is gaining in popularity. This one implements a technique that has been seen before in a banking Trojan called Acecard. However, while it certainly is after PayPal login credentials, that is probably not all. As part of the verification process for the fake PayPal authentication, it also requires a selfie. But they don’t want a photo of the victims out on the town or with their favorite celebrities.

In this latest version of constantly evolving PayPal scams, websites are set up using legitimate secure certificates (SSL certificates). These are reasonably simple to get these days, so scammers are taking advantage of it. After all, we are more likely to trust a site if it has that padlock or “https:” indicator on it, right?

For this one, users get directed to a site that looks so similar to the legitimate PayPal site, that it’s nearly impossible to tell that it isn’t. Then users are asked for login credentials. A new page appears and additional verification of identity is required. This means entering more details and in one case, a personal address, payment card information and a selfie holding the target’s identification card.

As far as analysts can tell, the information requested is not stored on any servers once it’s submitted. However, it does get emailed to an account on the Russian service Yandex.

It isn’t clear what the criminals intend to do with this information. However, some experts believe the selfies will be used to create accounts on various cryptocurrency exchanges. This link may have been made because those exchanges often also require additional identity verification using selfies with accompanying ID cards. The exchanges can then be used to “launder” money using the stolen identities.

Whatever these selfies will be used for, you can be sure that authorities will be doing their best to track it down.
