With the likelihood we’ll be spending more time than we thought at home for work and school, we should start off the new year by hardening our defenses against cybercriminals. The basics haven’t changed,Continue reading
That Email ‘Caution’ Notice
As a corporate or non-profit user, you may have noticed that more and more emails from outside your system are being tagged with cautionary notices about . . .Continue reading
COVID Vax Posts Help ID Thieves
You lock your doors. Security cameras ring your house. And then you post pictures of your vaccination cards on Facebook after you get your injection. We regard our vaccinations as an achievement and an encouragement for others to get their shots. Identity thieves are not gonna miss their shot at mining your data.
Let’s be real. The information on most vaccination cards is minimal: your name and your date of birth. Both pieces of information are likely known to many people and organizations who interact with you, and it’s all readily available on public information websites. We won’t get into how many of you don’t make your year of birth available on Facebook for “privacy” reasons. But you do appreciate birthday greetings.
That said, let’s get back to the vaccination cards. I fall into two groups: 1c for my age and 1b for health reasons. If an ID thief is looking for some way to carry out medical fraud, my info is right there. Looking at my age and 1b status, the thief has the makings of a target. The name and date of birth on an official document validates who you are.
The thief can find my home address. Again, it’s public information, but when it’s added to my “dossier,” it’s another piece of a puzzle. I know I have added more clues about me when I shared some of my hospital visits. By and of themselves, each piece is small, but a thief may have enough to start looking at things just to let me know that they know me.
Then comes the phishing email disguised as an offer about some kind of insurance. If I bite by clicking on a link or opening an attachment, the thief can plant some malware to get a lot more information by mining my data. They might even get into my medical records and have enough info to file a false claim for treatment I never had. They might also lock me out of my records by changing all my login credentials and using HIPPA regulations. In short, I can wind up on the hook to pay for treatment I never had, and I can’t get info about the bill.
It’s one scenario about how big data can be mined – legally and illegally – from one small piece.
You can be vulnerable in other ways.
Let’s say you take a car trip somewhere, and you post a picture that includes your car and shows its license plate number. If your car is desirable, a thief can use your license plate number to trace your address – or maybe start observing you. When you leave the car somewhere, such as in a supermarket parking lot, it’s easy enough to get the VIN number through the windshield and then take steps to retitle your car before stealing it and selling it “legitimately.”
Big data makes these examples possible. There’s a lot more out there all the time, and hackers are more sophisticated. Better software tools allow more thieves to gather and analyze data to pinpoint a target and let them commit a larger number of small crimes that add up to decent money.
Our advice is simple: Don’t put any more of your data out there than is absolutely necessary. Be careful about what you photograph and post. Be careful about how you handle email and about the info you provide – even to legitimate businesses and organizations – by email or telephone. Even with those you know, question why they need certain information, such as your Social Security Number. Use common sense.
You can augment your common sense by keeping all your operating system and application software up to date; updates usually include security patches and bug fixes. Install, properly configure and update anti-virus and malware protection software. We can help you install and maintain software. Call us – 973-433-6676 – or email us to set up an appointment.
Oh, and one more thing: Get your COVID vaccination as soon as you can!
Websites and the Need to Know
Why do some companies and organizations, especially non-profits, feel the need to post the names of their entire staffs on their websites? The question came up in a recent conversation with an IT colleague.
Smaller companies and non-profits seem to get hack-attacked more often, and they tend to list everyone in the company or organization on their websites – along with their contact information. If that organization is running “lean and mean,” it could have a lot of people wearing many hats and juggling unrelated tasks. That can create a vulnerability when an outsider can distract a busy worker who has access to sensitive information.
Here’s a possible scenario that illustrates the problem.
When you list the contact info for the bookkeeper, you may be listing it for an employee who has access to all the organization’s financial data but has no need for public contact. A hacker doesn’t need to be especially skillful to use the bookkeeper’s email address to launch a phishing attack in a variety of ways. The most obvious, of course, would be to spoof a bank. But it could also be a spoof email from someone connected with the organization who is looking for something, such as wanting to know if a check was deposited.
If the bookkeeper responds to the bogus bank link or the spoofed email, it could open the door to getting more financial information or sensitive data – not only from your organization but from every person or organization you deal with.
Why take the risk? If you limit names and contact information to those whose duties involve some aspect of public contact, you can limit your exposure. If someone really needs to contact your bookkeeper, for example, they can call a general phone number for the organization where a gatekeeper can determine if it’s a legitimate call or can “take a message” so the bookkeeper or another employee can return the call. If the contact is made by email, it can go to a general mailbox, where a gatekeeper can read it and distribute it appropriately.
If you limit contact info in a small company or non-profit to the C-Suite, you can limit your exposure to hacking, ransomware and other vulnerabilities. If people outside your organization need to contact specific individuals, that information can be provided privately.
We can help. Call us – 973-433-6676 – or email us to help you set up appropriate email addresses and work with your web designer to make your website more secure.
“Buyer Beware!” is a more important warning than ever before if you’re buying phones, computers, tablets and other electronic devices online. We all like online bargains, but the looting that took place as peaceful demonstrations fell apart will put a lot of stolen goods on the market. It’s a fact of life – not a political or social statement. Here’s what you need to know.
First, mobile phones, tablets and computers have built-in tracking. If the merchant from whom the devices were stolen reports the identifying information to the manufacturer, a message can be displayed as soon as the device is connected to any kind of network. It will tell the user that the device is stolen and cannot be put into service.
Second, in all likelihood, if you bought tainted goods on the internet, you bought it from a less-than-reputable seller, which means you won’t get any support from the manufacturer or a cellular network carrier. We can’t say for sure, but a manufacturer or merchant who knows where a stolen device is could initiate action to get it back.
Third, if you used a credit card, your account information is now in the hands of people who can monetize it at some point.
In short, you’ll have no consumer protection, and you could have a lot of liabilities. That puts the onus squarely on you to make sure you visit only legitimate merchant websites and buy from legitimate sellers.
Everyone can expect to be bombarded with offers from sellers, legitimate or not. We’ve been bombarded for years. Some offers come through phishing expeditions, which can look legitimate but may have one slight change from a seller that might be familiar to you. You might see an ad on a website, and that can be a tough call. Huge businesses have been built – legitimately – by tracking your browsing history and then sending you ads. It’s easy for a “fencing” operation to set up a website that has every appearance of legitimacy.
Our advice is simple. Only click on links that you are 100 percent sure are legitimate websites. Only buy electronics from legitimate sources. They may be well-known retailers as well as vendors vetted and supported by services such as Amazon. You can be reasonably assured you are getting a legitimate product and that your credit card information will be properly protected. And if your product is defective or not what you expected, you should be able to exchange or return it within a clearly stated policy.
If you have any questions about a product you’re shopping for, don’t hesitate to ask us about its properties or things to look for in a seller. Call us – 973-433-6676 – or email us if you have any questions.
What Are Your Biggest Online Threats in 2020?
Cyberthreats will be coming at you – and any person or organization with whom you have an online relationship – with increasing speed and sophistication. For some, it might feel like you’re living inside an online fantasy game, but it’s real life. Here’s what to look for.
Phishing and Social Engineering
There’s nothing new about phishing, where cybercriminals try to obtain sensitive information, like passwords or financial information, usually by using links in emails to install malware to breach your system. Non-profits have been major targets because they don’t have alert systems built into network infrastructures, but any business, governmental organization or individual can be hit. We’ve discussed the need to be highly aware of what you’re clicking and to exercise extreme caution. As an individual user, you have control.
At businesses, it’s a bigger chore to combat phishing. Attacks enable hackers to steal user logins, credit card credentials and other types of personal financial information, as well as gain access to private databases.
Going hand-in-hand with phishing is social engineering, which can cover a multitude of attacks such as disinformation and deep fakes spread by social media. We see this as one of the biggest threats you face this year.
Social media makes it easier to spread disinformation faster than anyone can send out the facts to repudiate fakery or misrepresentation. Deep fakes relate to fake images and videos being created by deep learning techniques. We’ve seen them in the political arena and can expect more them to be leveraged as a tool to attempt to discredit candidates and push inaccurate political messages to voters via social media. We’ll also see them in ransomware, showing targets realistic videos of themselves in compromising situations. We’ll also see more spoofing in business email with deep fakes used to add a further degree of realism to the request to transfer money.
Ransomware attacks cost billions of dollars every year, as hackers literally kidnap an individual or organization’s databases and hold all of the information for ransom. The rise of cryptocurrencies such as Bitcoin spurred ransomware attacks by allowing ransom demands to be paid anonymously. As companies build stronger defenses against ransomware, some experts believe hackers will increasingly target other potentially profitable ransomware victims such as high-net-worth individuals.
Third-Party Vulnerabilities (IoT, Cloud, Supply Chain)
This is a tough threat to ward off because you have some control over your vulnerabilities but not all of them. With the Internet of Things (IoT), you have control. Make sure that you change every default username and password for every device you connect to your network and have a strong network password and firewall. I have little sympathy for people whose systems are hacked because they didn’t take the proper setup steps to prevent invasion.
The cloud is as safe as you can get, especially with large, reputable service providers. They have the resources to deploy the most advanced security measures and multiple services to protect your data. Our advice here is to use a top-rated cloud service provider and make sure you have protected your network, just you would to maintain IoT security.
The supply chain is tough. With so many companies using the internet to fulfill product orders, manage vendors and customers and provide financial services, each one of them can rely on hundreds of vendors. You rely on all of them to keep your data safe, and that can make any one of them the weakest link in your security. Your best defense is to take every security precaution you can, such as keeping your software and hardware up to date, using common sense on what you click, and letting others know when you have concerns about their security.
We have only begun to see the impact insiders can have on organizations as well as national and global security. While the news focuses on dangerous insiders exfiltrating data to foreign governments and terrorist organizations, you need to focus on your business – and your business partners. In all likelihood, your biggest threats will be data theft for monetary purposes – similar to effects of ransomware – or some disruption of your business by a disgruntled or careless employee.
5G’s Unprecedented Data-Theft Speeds
5G cellular technology promises unprecedented speed to make it possible to have more effective infrastructure, autonomous vehicles, faster emergency response and greatly improved telemedicine. It will be almost entirely software-driven; you’ll need hardware capable of handling it. Because it will be software-driven, it will be susceptible to hacks. You’ll need to follow safe internet practices and hope that everyone else does, too. There’s not much you can do technologically in the grand scheme of things, but you can and should demand that large organizations and governments take steps to protect 5G networks.
We can help you make sure you have the knowledge and systems in place to protect your systems from cyberthreats. Contact us by phone – 973-433-6676 – or email to discuss your needs.
Fraud’s Warning Signs
Anyone who tries to defraud you online – or even on the telephone – is literally banking your carelessness. Take a good look at emails and links and listen carefully on the phone. You can spot the fraud, and if you’re not sure, disengage and call the person you think contacted you – on the telephone – or send a new email, totally separate from the thread.
It’s important to be on “high alert” because the hackers and scammers are at the top of their game, and their targets include trusted advisors, such as accountants and tax preparers. We should state that these people should have secure systems in place and should know not to send or request sensitive, confidential information through email.
But at the end of the day, you need to take ownership of your privacy, so here are some tipoffs that a communication might not secure or might be out-and-out fraudulent.
First, does your accountant normally contact you by email? If not, that ought to raise a red flag. Second, can you absolutely verify that the email is from your accountant? While some email systems are good at spotting something fishy (or phishy), a scammer is betting that you’re not going to pay attention. Check the properties of an email address. It could very well be that cybercriminals were able to recreate the look and feel of an email from your accountant, but unless they actually got into the accountant’s server, a phony email will have a phony email address.
Attachments can be another tipoff to fraud. You should be suspicious if you get an email with attachments that are supposed to be forms, such as a tax form you need to fill out or a return to verify, are you being asked to provide your Social Security number and maybe your birthday? Can you open it without having to go to a secure website and enter a password? That doesn’t pass our initial smell test.
If your accountant does contact you about sensitive information or forms, are you referred to a secure website? Do you have that link with your access credentials safely stored? In a safe world, you can log into your account by entering the website address from your browser and entering your credentials.
If something doesn’t look right, you should always be able to call your accountant on the telephone.
And just to go one step farther this spring, here are some other things to be wary of.
Are you getting emails supposedly from someone you haven’t heard from in ages? And does have a short subject line, such as “hi”, with no message but a link? That’s a sign of fraud and clicking the link could open a breach in your system that can expose your sensitive data.
Are you getting Facebook friend requests from people who are already your friends? That’s generally a fraudulent request by someone looking to get into your system.
Anyone using fraudulent methods to get into your computer system may also be planting some kind of virus or malware to help infect other computers. If you think you may have clicked a link by mistake that could lead to a breach of your system, shut down your computer and disconnect it from the internet. Then call us – 973-433-6676 – so that we can apply our tools and expertise to minimize the damage and clean up your system.
Tax Season: The Next Scam Season
I don’t know whether more money changes hands during the holiday shopping season or during tax season, but a lot is at stake between now and April 17 as people prepare tax returns. It’s a busy time of year for scammers, most of whom want to use fraudulent information to get your tax return money.
Probably one of the most common scams is someone calling from the IRS to say you owe back taxes. This happens every year and all year long, too. But there’s just one thing we want to remind you about, even if you know it: The IRS does not contact you by phone. Nor does the IRS contact you by email, a form of communications a scammer will use in a phishing expedition. The IRS sends you a letter.
The other scams you are likely to encounter are calls or emails from people or companies offering to prepare your tax returns and even provide you with an advance on your refund. The email scams are more insidious because if you click on a link, it could automatically trigger a breach of your computer that reveals sensitive information. If you follow through on a phone call or link, the scammer is going to request your Social Security number and other info that goes on a tax return. If the scammer is offering to advance you money from an expected refund, they’ll want your banking info, too. Once a scammer has this and other personal information, it’s easy to get credit cards and loans and commit crimes in your name.
From a computing point of view, we again remind you not to open emails from people you don’t know who offer help during the tax season. Delete them immediately. Do the same with an email from someone you know that seems out of context because it’s so easy to spoof an email address. For example, would you really expect Norman Rosenthal or Sterling Rose to prepare your taxes?
You can protect business and home networks and computers by making sure you have new, strong passwords for all networks and accounts. Strong passwords are long and contain a combination of upper- and lower-case letters, numerals and special characters. With the breach at Equifax, the risk of fraud is higher, and one of the problems it can lead to is that someone will file your tax return before you do.
With protection in place, you can use the internet for all of your tax-related activity, starting with IRS’s official website https://www.irs.gov/. In addition to being able to get tax forms and answers to questions, you’ll find links to help you find and verify information about tax preparers, including 10 tips for choosing one.
If you are preparing your own taxes, we recommend you use one of the established software providers to reduce your risk of a security breach, especially when you file online.
While we don’t prepare taxes, we can help you keep your networks and computers secure. Call us – 973-433-6676 – if you think your system may have been compromised. Call us or email us if you have any questions about system security or security settings for any software you use for tax preparation and filing.
Following the Money Conversations
Money is the only reason somebody steals information. Some 70 percent of the emails that lead to information theft are related to either financial institutions, businesses or something that mentions money in the subject line. Another 20 percent are related to espionage, and 5 percent are related to employee grudges. In most cases, curiosity kills your security.
Phishing expeditions are still one of the most effective ways for hackers to get into a computer system, and that’s because people have insatiable curiosity, especially when it comes to money. We’ve told you time and time again to be very careful about the links you click on from within an email. It is so easy for a hacker to mimic the logo of any bank or financial institution and to create an email address that can be close enough to looking real that you won’t notice it’s a fake in your haste to check out a great offer or respond to a dire warning.
So, as we’ve mentioned ad nausea, your curiosity could open the door to a Trojan horse virus that will enable someone to get into your computer. And once they do that, they can insert themselves into your financial conversations. To whom are you talking about money? Is it your financial advisor? Is it an attorney or a CPA? Is it your bank, credit card company or several merchants? They can identify every single one of them just by looking at your email. After all, you keep thousands of them in your Outlook application or on a website – which they can easily find once they get into your computer.
How will they put your email conversations to work for them? Well, let’s see. There’s your financial advisor, who’s been talking to you about your 401(k). Hmm. That’s good. Bet you have the password for that account stored on your computer. That makes it easy.
But wait, what if you “forgot” your password. The hacker can go to the website with your 401(k) and use your email address to reset the password. If that security is lax – say, for example, there’s no two-factor authentication – the hacker can have your email address routed to his, and now he’s in your account and can clean it out.
Of course, that could be just part of his haul. He knows who your financial advisor is, and maybe their system isn’t 100 percent locked down. You can imagine the fallout.
What if you’re involved in a large business transaction, such as buying a business or even a house? Your attorney may be dealing with a financial institution or two – even through another attorney. Again, a hacker can insert himself in a conversation with any party connected to the money, spoofing your email address or that of anyone involved. And once the hacker is into that next system, it opens more doors.
Just to add to your “watch list” when checking your email, also be wary of somebody sending you updated files that you are not expecting. We have a client who clicked on a PDF and wound up with an infected computer. Fortunately, it caused a major inconvenience more than anything else. Because all of the client’s files were backed up offsite, we had to wipe the computer clean and then find the infected files to delete from the backup. We were able to fully restore everything after that, but it took 18 hours.
So, let’s recap the steps you need to take:
- Look before you click. Do I get this kind of email message from this sender on a regular basis? Is this an offer that’s too good to be true? Is there anything that looks just the least bit out of the ordinary – even if it’s from a sender I know and trust? Remember, you can always access the sender’s website from your Internet browser instead of the email, or you can pick up the telephone and call a company or a person.
- If something looks odd even before you open the email, just delete it. I am amazed at how many people just let something suspicious just sit there.
- Don’t conduct financial business or visit passworded sites while on a public Wi-Fi network. Non-secured networks can be viewed by anyone from anywhere.
- Be very careful with flash drives. Someone can use one to invade your computer. If you are running a good anti-virus or anti-malware program, it should intercept any external device and give you the option to scan it.
- Keep your anti-virus and anti-malware software up to date. And make sure they’re both running.
Finally, if you suspect your computer has been infected with a virus, call us immediately at 973-433-6676. We can assess your system and begin the process of restoring its health. If you have any questions about online security, call us or email us. We all have too much at stake.
Two More Tips to Protect Your Money
- When you travel by air, don’t just throw your boarding pass in the first trash bin you find in the terminal. The barcode on the pass has a wealth of information, including your frequent flyer account information – and any other personal information in that database – and your itinerary, which can let somebody know how far away from home you are and how long you will be away. If you can’t shred it, tear it into pieces that also separate the barcode and throw them into different trash bins.
- Check all of your financial accounts frequently, especially with business bank accounts. When you have a lot of money coming in and going out electronically, that means a lot bank treasury departments are accessing your account. If you monitor the accounts regularly, you have a much better chance of catching fraudulent activity.