W-2 Fraud Email Scams Still Raking in the Cash

Earlier in 2016 there was an outbreak of business email compromise (BEC) attacks that targeted W-2 information. These types of attacks aren’t particularly difficult to pull off and can be quite lucrative for cyber criminals. After all, the information on a W-2 document is very valuable. In fact, as part of what the Darknet world calls a “fullz,” that information can be worth $25-30 per record. A “fullz” includes a collection of information such as name, social security number, date of birth, account numbers, etc. So, if someone gets ahold of 3,000 W-2s, as happened to the management company Goldkey/PHR in February, it can fetch quite a payoff. That’s why having processes in place to avoid having this happen at your organization is crucial.

BEC in its basic form is when an attacker impersonates an authority within an organization and convinces someone else in that organization to perform some action such as a wire transfer or to provide W-2 information. It is simple, but also incredibly effective. In the first half of the year, more than 70 organizations reported being victims of the W-2 BEC scams, including the Girl Scouts of Gulf Coast Florida, Snapchat, and Seagate. Losses are estimated to be $3 million over the past three years. What is perhaps even more disturbing than the costs is that this is happening at all.

Employees should not have access to all of the sensitive data in a W-2 or payroll records without some sort of oversight before it can be shared…with anyone. It’s important to put controls in place so that if anyone asks for such information, it’s discussed and approved by multiple people. One of the questions that should be asked is “why does this person need this information?” Then it should be verified with the requestor via voice or some other way that does not include replying to the email request. While email and text are becoming more acceptable ways of communicating everything in any environment, voice interaction goes a long way to prevent scams such as these from being a huge success.

You might feel a bit insecure about asking someone who claims to be the CEO why he or she needs W-2 details, but if it’s legitimate that executive will appreciate the fact that you checked before giving it up to cyber criminals. Many victims of the W-2 fraud have reported being victims of tax fraud, which appears to be the target in these cases. The FBI has reported that the number of identified victims and exposed losses has increased 270% in the past year due to this type of BEC fraud.

© Copyright 2016 Stickley on Security

Six Ways to Save On Your Next Car


Looking for an eco-friendly subcompact or the thrills that come with a sports car? Perhaps the practicality of a sedan or a spacious SUV better fits your needs? No matter what type of vehicle is calling your name, planning your purchase can help you save as much money as possible.

Consider these six savings tips while shopping for your next car. Whether you’re concerned about upfront, monthly or long-term costs, there’s something here that can help you.

1. Look for a fuel-efficient car. Buying a hybrid or all-electric vehicle rather than a gas guzzler could help you save money on long-run fuel costs. Plus, state and federal tax credits might give you some additional upfront savings.

If you’re sticking to a fully gas-powered car, you can still save money by choosing a fuel-efficient model. Once you pick a class of car and determine your budget, use the Environmental Protection Agency’s miles-per-gallon rating for each vehicle to estimate and compare the monthly fuel costs.

2. Compare the long-term costs of different cars. In addition to fuel, consider the long-term costs of maintenance, repairs, insurance, taxes, depreciation, fees and financing.

To help you with the calculations, Kelley Blue Book has a 5-Year Cost to Own tool that lets you compare long-term costs for 2015 and 2016 models. Edmunds’s True Cost to Own® tool does a similar thing for 2010 and newer models.

3. Buy a “new-to-you” car. Buying a used car rather than the equivalent brand-new model can usually save you money. However, you’ll want to look at each used car on an individual basis. Consider how it feels during a test drive and its history if you can access it.

You may be able to buy a warranty for your used car, or you could purchase a certified pre-owned (CPO) car from a dealership. Dealers inspect CPOs before selling them with a manufacturer’s warranty. If you’re not buying a CPO, you could hire a mechanic to perform a pre-purchase inspection. It’s not a guarantee, but the inspection can help ensure you won’t get caught off guard by any unexpected issues.

With the right deal on a used car, you might be able to buy the car outright instead of financing the purchase. By paying cash, you avoid accruing interest, making monthly payments and worrying about loan-origination fees.

4. Negotiate the purchase. Most people don’t enjoy haggling with a car salesperson, but even non-confrontational negotiating tactics can help you save money.

For example, once you pick a make and model, you could shop online for available vehicles at nearby dealerships. Reach out to each dealer’s internet sales team and ask for their best total cost, inclusive of taxes and fees.

Take the lowest offer and ask the other dealers if they can beat it. If one of them can, take your new lowest quote and again ask the rest of the dealers to go lower. Keep going until you get a price that works best for you.

You could use the same tactic with dealerships outside your area. However, you may have to travel and pick up the car or pay to transport it.

Another helpful resource is a negotiation service like Authority Auto, which negotiates competitive prices on new and pre-owned cars. For a fee, the online service negotiates each part of the process to get you a better deal and take some of the stress out of the car-buying experience, and it only charges a percentage of what it saves you.

5. Consider leasing instead of purchasing. Taking out a lease is similar to purchasing a long-term rental. You’ll have to return or buy the car at the end of the lease, and you may have to pay fees if you drive too many miles or damage the vehicle.

The lease down payment and monthly payments will be lower than buying the same car outright. However, you can still save money by shopping around and negotiating because the down payment and monthly payments depend on the vehicle’s sale price.

If you like to drive a new car and always want to be under warranty, starting a new lease every few years could make sense. On the other hand, there’s more long-term value in buying if you tend to have a lot of wear and tear on your cars.

6. Use alternative means of transportation. Forgoing the purchase of a car altogether might not work for everyone, but it’s worth considering if you live in a city or don’t regularly drive long distances. Instead of owning a car, you could get around with a mix of carpooling, public transportation, walking and biking. You could also still have access to a car if you join a car-sharing program or use a ride-sharing app or taxi service.

Bottom line
There are many ways to save money on your next car, and you should almost certainly plan your purchase before signing any dotted lines. Start by researching all your options, including living without a car, buying used and leasing. If you decide to purchase a car, you can compare the long-term cost of different makes and models and save money upfront by haggling with sellers.


By Nathaniel Sillin

Protecting Your Loved Ones with Life Insurance


Your life insurance needs will depend on a number of factors, including the size of your family, the nature of your financial obligations, your career stage, and your goals. For example, when you’re young, you may not have a great need for life insurance. However, as you take on more responsibilities and your family grows, your need for life insurance increases.

Here are some questions that can help you start thinking about the amount of life insurance you need:

• What immediate financial expenses (e.g., debt repayment, funeral expenses) would your family face upon your death?

• How much of your salary is devoted to current expenses and future needs?

• How long would your dependents need support if you were to die tomorrow?

• How much money would you want to leave for special situations upon your death, such as funding your children’s education, gifts to charities, or an inheritance for your children?

• What other assets or insurance policies do you have?

Types of life insurance policies

The two basic types of life insurance are term life and permanent (cash value) life. Term policies provide life insurance protection for a specific period of time. If you die during the coverage period, your beneficiary receives the policy’s death benefit. If you live to the end of the term, the policy simply terminates, unless it automatically renews for a new period. Term policies are typically available for periods of 1 to 30 years and may, in some cases, be renewed until you reach age 95. With guaranteed level term insurance, a popular type, both the premium and the amount of coverage remain level for a specific period of time.

Permanent insurance policies offer protection for your entire life, regardless of your health, provided you pay the premium to keep the policy in force. As you pay your premiums, a portion of each payment is placed in the cash-value account. During the early years of the policy, the cash-value contribution is a large portion of each premium payment. As you get older, and the true cost of your insurance increases, the portion of your premium payment devoted to the cash value decreases. The cash value continues to grow–tax deferred–as long as the policy is in force. You can borrow against the cash value, but unpaid policy loans will reduce the death benefit that your beneficiary will receive. If you surrender the policy before you die (i.e., cancel your coverage), you’ll be entitled to receive the cash value, minus any loans and surrender charges.

Many different types of cash-value life insurance are available, including:

• Whole life: You generally make level (equal) premium payments for life. The death benefit and cash value are predetermined and guaranteed (subject to the claims-paying ability and financial strength of the issuing insurance company). Your only action after purchase of the policy is to pay the fixed premium.

• Universal life: You may pay premiums at any time, in any amount (subject to certain limits), as long as the policy expenses and the cost of insurance coverage are met. The amount of insurance coverage can be changed, and the cash value will grow at a declared interest rate, which may vary over time.

• Indexed universal life: This is a form of universal life insurance with excess interest credited to cash values. But unlike universal life insurance, the amount of interest credited is tied to the performance of an equity index, such as the S&P 500.

• Variable life: As with whole life, you pay a level premium for life. However, the death benefit and cash value fluctuate depending on the performance of investments in what are known as subaccounts. A subaccount is a pool of investor funds professionally managed to pursue a stated investment objective. You select the subaccounts in which the cash value should be invested.

• Variable universal life: A combination of universal and variable life. You may pay premiums at any time, in any amount (subject to limits), as long as policy expenses and the cost of insurance coverage are met. The amount of insurance coverage can be changed, and the cash value and death benefit go up or down based on the performance of investments in the subaccounts.

With so many types of life insurance available, you’re sure to find a policy that meets your needs and your budget.

Choosing and changing your beneficiaries

When you purchase life insurance, you must name a primary beneficiary to receive the proceeds of your insurance policy. Your beneficiary may be a person, corporation, or other legal entity. You may name multiple beneficiaries and specify what percentage of the net death benefit each is to receive. If you name your minor child as a beneficiary, you should also designate an adult as the child’s guardian in your will.

What type of insurance is right for you?

Before deciding whether to buy term or permanent life insurance, consider the policy cost and potential savings that may be available. Also keep in mind that your insurance needs will likely change as your family, job, health, and financial picture change, so you’ll want to build some flexibility into the decision-making process. In any case, here are some common reasons for buying life insurance and which type of insurance may best fit the need.

Mortgage or long-term debt: For most people, the home is one of the most valuable assets and also the source of the largest debt. An untimely death may remove a primary source of income used to pay the mortgage. Term insurance can replace the lost income by providing life insurance for the length of the mortgage. If you die before the mortgage is paid off, the term life insurance pays your beneficiary an amount sufficient to pay the outstanding mortgage balance owed.

Family protection: Your income not only pays for day-to-day expenses, but also provides a source for future costs such as college education expenses and retirement income. Term life insurance of 20 years or longer can take care of immediate cash needs as well as provide income for your survivor’s future needs. Another alternative is cash value life insurance, such as universal life or variable life insurance. The cash value accumulation of these policies can be used to fund future income needs for college or retirement, even if you don’t die.

Small business needs: Small business owners need life insurance to protect their business interest. As a business owner, you need to consider what happens to your business should you die unexpectedly. Life insurance can provide cash needed to buy a deceased partner’s or shareholder’s interest from his or her estate. Life insurance can also be used to compensate for the unexpected death of a key employee.

Review your coverage

Once you purchase a life insurance policy, make sure to periodically review your coverage; over time your needs will change. An insurance agent or financial professional can help you with your review.


Broadridge Investor Communication Solutions, Inc. does not provide investment, tax, or legal advice. The information presented here is not specific to any individual’s personal circumstances.

To the extent that this material concerns tax matters, it is not intended or written to be used, and cannot be used, by a taxpayer for the purpose of avoiding penalties that may be imposed by law. Each taxpayer should seek independent advice from a tax professional based on his or her individual circumstances.
These materials are provided for general information and educational purposes based upon publicly available information from sources believed to be reliable—we cannot assure the accuracy or completeness of these materials. The information in these materials may change at any time and without notice.

Fakebank Malware Evolved to Block Your Phone Calls

Yet again, a security company has found a version of malware that has evolved to be more damaging. Symantec found a new variant of the Android malware called Fakebank that can delay users from placing a phone call to their financial institutions to report fraud and cancel cards.

This version of Fakebank scans the device for certain banking apps and if it finds one, it will prompt the user to delete that app and install the bad one. Be wary if an app asks you to delete it when you are not expecting it to ask such a thing of you.

The best piece of advice for this one is to avoid downloading apps from sources other than the official app stores for your device. Sideloading, as it’s called, adds an additional risk element for anyone wanting to take that chance. This is because those apps don’t typically go through as much security scrutiny before they are distributed to users as they do when they are placed into the Google Play or Apple App Store, for example.

If fraud or suspicious card activity is noticed on any of your payment cards, contact your financial organization right away to take care of it. If your phone ceases to work, as may happen with this malware, use email or preferably another phone to contact them.

In addition to preventing calls, this new version will also collect banking login data and monitor phone calls. So far, this one has only been seen in South Korea and Russia. However, as with any malware, it’s only a matter of time before it hits the U.S.

© Copyright 2016 Stickley on Security

Study of the Worst Passwords Reveals People Are Not Paying Attention

Every year someone does a study to find out the worst passwords on the web for a given year. For the first few months of this year, Salted Hash looked at over a quarter of a million passwords and let out a big sigh. No matter how much discussion surrounds how important it is to have strong passwords, how to create them, how it’s important to change them regularly, and to have different ones for each online account, it doesn’t seem to get through. In fact, the number one password in 2013 was exactly the same as the number one password they found; and it’s terrible.

Salted Hash collected phishing logs that the company found on the Dark Web. The sample they examined included companies such as Apple, Microsoft, Google, PayPal, and social media and banking account login details. They hoped to see improvements, but alas, they were sorely disappointed.

People go to great lengths to make sure their homes are protected: deadbolt locks, security systems, big and noisy dogs, for example. But when it comes to protecting online accounts, they seem to think it’s not as important. Yet, if someone with bad intentions gets your online banking or PayPal credentials, the damage could be very significant. It is an intrusion into your financial home.

Take some time to create strong passwords and phrases and to change them regularly. Do this at least quarterly, if not more often. Reusing the same credentials for several years means that if stolen data shows up on the Dark Web two, three or more years after it was stolen, as it did with LinkedIn, someone could still get into your account.

And before you just toss aside the significance of someone getting into your LinkedIn account, think about some of the information that is included in your profile:
• Your name
• Your title or function
• Your city
• Your employer
• Your previous employers
• Referrals that may have useful details
• Your hobbies
• Your email address(es)
• Your connections and often their relationship to you

While this is public, it also makes you trustworthy. And if a cyber criminal wanted to go spear-phishing, he or she would have a lot of information with which to start targeting your connections right there inside LinkedIn from your account.

Of course we don’t need to tell you what can happen if someone gets your four-year-old login credentials to your bank account. So take some time to change it. Use at least eight characters, upper and lower case letters, numbers, and special characters.

The top five passwords in Salted Hash’s list were very uncreative. They included “123456789” and 3 variations of it, but the numbers were still in order. The only diversion off of this path was in the number 4 spot. That was “filosofia.” So, don’t delay. Change your passwords if you haven’t done it within the past three months. Go ahead. Do it right now. We’ll wait.

© Copyright 2016 Stickley on Security

Over 900 Million Android Devices Vulnerable to Quadrooter


Android smart devices are making news again. This time those that were shipped with a Qualcomm chip have four vulnerabilities with which to be concerned. More than 900 million smartphones and tablets are affected by what is being called Quadrooter. Three of these flaws were addressed and fixed in the latest set of security updates from Google. However, one of them won’t be fixed until September. And those that were released by Google haven’t necessarily made it into the releases by individual carriers. This is because carriers have control over when to release them to their users. While most of the time it is shortly after they are provided to them, sometimes they delay releasing them to try to lure people into buying new devices. If you haven’t received a notice for one of the affected Android devices that an update is available, call your carrier and inquire.

If you haven’t updated your Android devices lately, take some time to check if any updates are available and get at least the three available patches applied. The flaws could allow an attacker to get full control of a vulnerable device, which means he or she would have access to the microphone, the camera, and everything on it.

Fortunately, it would take some effort by the attacker to trick a user into installing a malicious app to be successful. Most Android smartphones, at least, don’t allow sideloading of apps (installing them from a location other than the Google Play store), but some malicious apps have still made it past the additional checks and were allowed in. It’s still safer to get apps from the official app store on all devices rather than getting them from other locations.

Some of the devices affected include:

  • Google’s Nexus 5X, Nexus 6, and Nexus 6P
  • HTC’s One M9 and M10
  • Samsung’s Galaxy S7, S7 Edge
  • BlackBerry DTEK50, Priv
  • Blackphone 1 and 2
  • LG G4, G5, V10
  • Motorola New Moto X
  • OnePlus One, 2, and 3
  • Sony Xperia Z Ultra

Remember that when you are looking for apps to install, make sure they are from reputable developers. Check the reviews and make sure there are more than just a few and that they are not all glowing. Sometimes this means they are fake and the app could be malicious. Also check elsewhere online for reviews and information. Sometimes the reviews in the app stores review the app itself and not the company. If there is a complaint about how a company does business, whether via an app, online, or brick and mortar, there will be information on those elsewhere and they may include information on how the app installs malware, if it does.

© Copyright 2016 Stickley on Security