The IT Guy Stumbles, Too

Those of us in the IT field are subject to the same pressures as everyone else, and we can stumble just as easily as anyone when we’re rushing to leave on vacation – or a business trip. Here’s the story of how I almost blew it – and I’m stickin’ to it. Let it serve as a lesson for you.

It was the Friday before we were leaving for our latest (hopefully not last) family vacation (Charlie will be college-age next summer), and I was in a rush to close all our business and personal affairs before leaving the next morning. I got a call on our home landline purporting to be the bank for our main credit card wanting to question charges from Walmart and Malaysian Airlines. With one foot out the door, I wasn’t thinking straight. They said I could have a new card in three or four days, but I said I needed one tomorrow morning because we were leaving for vacation. When the caller said they’d need a supervisor to call me back, I started to think maybe the call wasn’t legit.

This was a prime example of how we get caught. Credit card fraud is a major problem that’s hit just about everyone in the world. A call like that is no surprise. When I took a deep breath, I hung up the phone, went online to my bank, and looked at my account. There were no pending charges from either place. Had I stayed on the phone call, well, I don’t want to think about it.

One problem with phone calls today is that even if you see a symbol, such as a checkmark (√) or a V in parentheses (V), it may be a spoof. It’s easy to spoof any phone number, so don’t believe it is legitimate because you see a symbol. We don’t pay attention to possible pitfalls when we’re rushing to get things done before a vacation or a business trip. We need to take a deep breath and step back before we act. Otherwise, we could come back to empty bank accounts.

One of our clients almost made a similar mistake when they got a text message about an ambulance bill. The client had gone to an urgent care, and doctors there determined they should be taken by ambulance to the emergency room. The text said their insurance carrier had declined the claim, and there was a link they could use to pay the bill. After staring at the text – after almost clicking the link to see what was going on, they looked on their carrier’s website and found no mention of the ambulance ride. The really scary part is how someone knew our client had an ambulance ride from a specific company on a particular date.

If you do make a mistake, you should call your credit company’s or bank’s fraud line and report it immediately. If you can’t get through, go online through your browser and file a report. You can usually block action on your credit card with the click of a button.

If you fear a breach, you can call us – 973-433-6676 – or email us for help. We can start to put the pieces of your puzzle together to see where your system may have been breached through your computer or mobile device and help you rebuild your security system.

Email in Disguise

The trend of getting voicemail messages through email is opening new doors for hackers to enter computer systems. Scammers are using email with spoofed addresses to hack into business operations, such as wiring money. Today’s office environment provides a perfect setup for a hacker: You hit people when they’re juggling multiple tasks, and you come across as a colleague or customer in an expected environment. We have two examples from our client experiences that show how easy it is for a problem to go undetected. And we have some tips to strengthen your security.

The problem with the voicemails happened while we were on vacation in Hawaii, which has a six-hour time difference with New Jersey. Our client reported getting emails about missed calls – which could have been generated by their voicemail/email system. It’s a growing trend to handle voicemails because phone and email run on the same networks, and sometimes it’s more effective for an employee to click a link and return the call while the message is on the screen.

And that’s how this problem showed up. Every time our client clicked on the link, nothing happened. When we got back from vacation, our first job was to install a new computer for the client. Everything went as planned, but then we got a call that the client only had 11 emails in the system. To make a long story short, it took all day to find all of the emails in a “recovery for deleted emails” folder and restore them – all 75,000 of them. The time was lengthened because we needed to sort them to cull the voice-mail files.

We changed the password immediately to cover the possibility the computer may have been hacked. After that was done, we got a call that our client couldn’t click to return numbers left in voicemails. I left a voicemail, and we were able to get a return call.

The likely issue is that someone from the outside spoofed a known and trusted phone number. The lesson here is that if it happens a second time, don’t click the link. While you may not know if you were hacked or fooled by some malware, you should know that something is wrong and needs attention. The earlier you let us know about it, the sooner we can work with you to mitigate the problem and minimize damage.

A second incident could have been catastrophic. Again, we awoke to find several urgent emails from a client that regularly wires large sums of money to entities worldwide. The incident occurred July 1, when they were preparing to wire nearly $100,000 to an entity. The entity to which they were wiring the money said they hadn’t received their wire in April. That raised alarms. We learned that the amount of money in both transfers was consistent, and the entity to which the money was to be wired could change names from time to time. Everything with the April and July transfers seemed to be within the realm of normal operations.

While we couldn’t get the April money back (the client had insurance to cover it), they were able to halt the July transfer. At the same time, we worked with them to develop new policies to help double-check money-wiring instructions and monitor the process better.

Among the key takeaways from these incidents, you should always be on guard because hackers and cyberthieves are getting much, much better at disguising their identities. When it comes to VOIP and cellular voicemails, it becomes way too easy to click on a number to return a call. That click could direct you to a link that installs some kind of malware. You can write down the phone number and initiate a phone call – much in the same way you can open a browser and go to a website instead of clicking on a suspicious link. In a related matter, the Federal Communications Commission (FCC) is about to force telephone carriers to verify the phone number location of incoming calls. This should reduce – at least for now – phone number spoofing.

Also, be vigilant about looking for anything that looks like a change in your operations or the entities you deal with. Don’t hesitate to pick up the phone and call somebody to verify instructions.

We can help you fight fraud and mitigate security issues in a number of ways, including security assessments and developing and installing rules and policies for critical operations. Call us – 973-433-6676 – or email us for an appointment.

Password Agony; No Ecstasy

Passwords are a total pain. Upper- and lower-case letters, numbers and special characters in one password are likely unbreakable over the course of a lifetime. But just to be safe, you’re required to change them periodically – without repeating one you’ve previously used for a website. And if you go to extremes, well, it is possible that someone can beat you over the head and hold your finger or an open eye in front your phone and access your bank account. A password manager could relieve that pain.

Password managers are applications on your computers and devices to access a database where your passwords are stored. One of the big pains they relieve is the need to remember multiple complex combinations of letters, numbers and characters that – to be effective – are totally random. Almost all password managers let you create a master password for access to your identity vault, and then the password manager fills in individual user IDs and passwords for the sites and apps you use. One benefit is that you can give each site or app a different, complex and hard-to-remember password. They also relieve the burden of making required password changes for websites by generating a new one.

For those of you thinking several steps ahead, you are not tied to a password manager forever. You can always download the database with your passwords and user names, allowing you to leave the service and change passwords at each website as needed.

Of course, there’s some risk to a password manager. If a hacker gains access to your master password, all your accounts are open to plundering. Likewise, if a hacker manages to breach the central vault of the password management company, it’s possible that millions of account credentials could be stolen in a single hack.

Good password managers have defenses for both possibilities. Most employ multifactor authentication, so access is granted only with both a correct password and a correct authentication code. That code exists only on a device you own, limiting the ability for someone on the other side of the world to gain access to your information. They also encrypt your password information locally, before it ever leaves your devices, on the servers operated by the vendors. In most cases, this is strong enough.

You have a lot of choices for password managers. We happen to like Dashlane, which gets strong reviews from sources such as PC Magazine, Tom’s Guide, and CNET. You can find more than enough reviews of Dashlane and other program managers, some subscription-based and some free. You should remember that we’re not always enamored with free programs, but regardless of price, here are some things to consider.

Your password manager should secure your data on your machine and in the cloud with an industry-accepted, tough form of encryption that’s widely used today. Along that line, it’s good to have a password manager that scans the dark web to make sure you haven’t been compromised.

It should work across multiple platforms with software for Windows, macOS, Android and iOS, and you should be able to install it on an unlimited number of devices for a single (usually paid) account, store an unlimited number of passwords and generate new, strong passwords for you, even on a mobile device. We like one that can alert you to data breaches and give you a two-factor authentication option for master passwords. Some will offer to save personal information, such as personal details, credit-card numbers and other frequently used information to quickly fill out online forms. While this is optional, it may be safer than letting a website save your credit-card information.

While no password manager can recover your master password if you forget it, it’s helpful to have one that lets you reset your password. Another good feature is one that lets you provide an emergency contact so that a trusted person can access your websites and apps if you are unable to do so.

Choosing a password manager and setting it up can be daunting tasks, but we can help. Call us – 973-433-6676 – or email us for answers to your questions or to walk through the setup.

Who Really Sent That Email?

We’re seeing a pattern in security problems caused by “fake emails.” Although the pattern is not restricted to business emails, they seem to show up more frequently in offices. Here’s what’s happening.

Just like good marketers, email spoofers and hackers have noticed that Wednesdays and Thursdays are “light days” for email traffic. If someone who’s not overwhelmed by email gets no messages (OK, this might be theoretical), it doesn’t raise eyebrows because they’re not accustomed to a huge number of messages. When traffic gets back to its normal level on Friday, nobody bats an eye or says anything. That leaves the hackers free to move about.

What we’ve found when that happens is that a hacker has created a rule to move email messages to a place where they can do their dirty work. One of their tricks is to change a log-in to a fake website that looks like one you frequently visit. When your password is not accepted, you have them send you a link to change your password. When you sign into the fake site with the real password, they can use it to update your info on the real site and keep all of the function for themselves.

That “password” scenario is the one that seems to be most common way for hackers to gain their access, and as in most cases, the cybercriminals count on the fact that you’ll be too busy to notice anything unusual – and that you won’t say anything until well after the fact.

While offices – even SOHO businesses – seem more susceptible to this type of attack, anyone can be a victim. Here are a couple of telltale signs that you might be under attack.

The first is that you get an email that directs you to a website that you can’t log into because your password is invalid. If you use a “master password” application, that should tip you off right away. If you enter passwords for your sites and have them written down in a safe place, consult your records. If you can’t enter a password that you firmly believe is correct, that should be a tipoff, too.

The second telltale sign is that people got messages that looked like they were coming from their office’s email system. To see if something like that is a fake message, you have to find the IP address for the computer. If it didn’t come from your computer system, that could be the tipoff, but not always. In one case we had to solve, a New Jersey company was victimized by a New York IP address, but that didn’t raise any concerns at first because the company does a lot of business with New York IP addresses.

We can use a number of tools to help pin down the IP address from where the email originated, and the earlier we can get on the case, the better the chances of resolving your issue. If you want us to look at a message, you need to follow this procedure:

  1. Drag the message from your email inbox to your desktop. You’ll see it as an envelope.
  2. Email us that envelope as an attachment.

If you are convinced you have a threatening email, call us right away – 973-433-6676 – so that we can ask you a few “yes or no” questions and help you take appropriate steps before the consequences get really costly. If your questions aren’t urgent, email us for answers or to set up an appointment to talk. Email security problems will only get worse as time goes on.

Spoofs and Email Management

Spoofing email addresses is so common that you might as well accept the fact that you have to scrutinize every message you get. With our switch to a new Office 365 management portal, many clients have been getting emails allegedly from Microsoft, and some are more obvious spoofs than others. It might be time to look at your email management processes.

Hackers use spoofing as a way to get into your computer or network. They are relying on your carelessness to click a link that allows them to introduce some sort of malware that will give them access to your critical personal or corporate data and your address book or contact list. Once they get in there, they can replicate the same message that snared you and hope they get lucky with a few more careless people.

To clean out the malware, we need to isolate the message to see what the hacker is spreading through your system. We’ve received a number of calls from clients in the past few weeks about problems with spoofing, and our issue has been the size of clients’ email folders. Simply put, when there are 100,000 messages stored in the inbox, finding the spoofed message that caused the problem can be extremely time-consuming.

In all likelihood, you’ve run into a similar problem when trying to find a specific message. Outlook gives you some search parameters for finding any message you may have saved, but because of the way most people search, you get a lot more possibilities, and that still slows down your search. And, of course, the more messages you have stored in one place, the longer it takes your program and you to find the message you want.

Setting up an email management system can make your searches more efficient, and it can also help you or any IT support team isolate a message that might be causing a problem with your system. Again, Outlook has a few tools, but you might want to start by creating a system of subfolders within your inbox. For example, I file all emails by client, and within each client, I file them by the year. That makes it easy to get to a place to find a message I want to retrieve. It’s similar to the way most of you would set up folders for documents, photos and videos, and business records.

Of course, that system is only as good as the effort you put into moving messages to folders. If you suffer from a severe case of email overload, you may want to consider an archiving program that works on the back end of your email program. It can be especially helpful for a business, particularly where employees deal with multiple people from the same organization. For as little as $3 per month, it can set up and execute a system that even isolates people within a company, making it easier for you or anyone in your organization to get to a specific message to resolve any kind of problem – customer service or malware.

While home users may not be concerned with customer service issues, there are times when you need to find a message to resolve a problem, and good organization can make a busy life a little less hectic. We can help you set up set up Outlook folders or find and set up an archiving system that works best for your needs. Give us a call – 973-433-6676 – or email us to discuss your email management issues and explore the most appropriate solutions.

Safe Travels, Safe Wi-Fi

It’s getting near spring-break time, and summer vacations will soon follow. You may have seen the reports about wi-fi issues and data security. One of the biggest problems you face is how easy it is to log onto a “fake” wi-fi network – a network that is neither part or your hotel’s system nor secure. But if you pay attention and follow a few simple tips, you can safely stream your favorite content and handle some routine email tasks.

The first and most obvious thing to do is make sure you understand your hotel’s or resort’s log-in information when you check in. Get the proper names of any network that the hotel makes available for you. Then, when you try to log in when you get to your room or sit down at the pool, you can pick out that network from the many that will display when your computers or devices search for the network. Don’t be surprised to see several networks that have spellings or character-and-number sequences that are similar to the networks you were given at check-in.

When you go to log in to the network you’ve selected, you’ll likely be asked for your name and room number. Tip No. 1, don’t enter a correct room number or even a correct name. Misspell your name, if you want. If the network lets you in, then you are not on a legitimate network. If you are denied access with your incorrect info, you should feel confident the network is OK.

Depending on the property’s size and network setup, you may be required to log onto multiple networks. Follow the log-in test for each network. And, most important, make sure everyone in your family or travel group follows that procedure because the breach of one computer or device could compromise everyone in the group.

Also, be aware of network names and connections as you float around. You or one of your family members could inadvertently wind up on an open, unsecured network that can be used to breach your computers or devices to steal information. Tip No. 2, you might want to consider disconnecting from the network when you finish your online session.

Tip No. 3, don’t use a wi-fi network conduct online business, such as credit-card purchases or accessing your bank accounts. You should also avoid wi-fi for logging onto sites related to your health or finances. Instead, use your cellular network. It’s much safer. That may require you to make some additional arrangements with your cellular carrier or to buy and install a SIM card with a data plan for service. However, it’s well worth the time and expense.

Personally, when I travel, I “hotspot” my computer in connection with my cell phone number. It can be expensive (though that’s a relative term), but it removes me from the wi-fi network. So far, hackers have not breached the cellular networks.

Just as a related point, if you are going to depend more on cellular data, make sure you have a plan that will cover your use, and make sure everyone who uses your plan knows its limits. If you’re streaming a lot of video content or gaming, data gets sucked up faster than you can imagine, and charges for exceeding your plan’s limits can be steep.

We can help you prepare for an internet-safe trip or make sure your systems are secure whenever you go remote near your home or office. Call us – 973-433-6676 – or email us to set up an appointment to look at your systems (we can do a lot remotely) and answer your questions.

Fraud’s Warning Signs

Anyone who tries to defraud you online – or even on the telephone – is literally banking your carelessness. Take a good look at emails and links and listen carefully on the phone. You can spot the fraud, and if you’re not sure, disengage and call the person you think contacted you – on the telephone – or send a new email, totally separate from the thread.

It’s important to be on “high alert” because the hackers and scammers are at the top of their game, and their targets include trusted advisors, such as accountants and tax preparers. We should state that these people should have secure systems in place and should know not to send or request sensitive, confidential information through email.

But at the end of the day, you need to take ownership of your privacy, so here are some tipoffs that a communication might not secure or might be out-and-out fraudulent.

First, does your accountant normally contact you by email? If not, that ought to raise a red flag. Second, can you absolutely verify that the email is from your accountant? While some email systems are good at spotting something fishy (or phishy), a scammer is betting that you’re not going to pay attention. Check the properties of an email address. It could very well be that cybercriminals were able to recreate the look and feel of an email from your accountant, but unless they actually got into the accountant’s server, a phony email will have a phony email address.

Attachments can be another tipoff to fraud. You should be suspicious if you get an email with attachments that are supposed to be forms, such as a tax form you need to fill out or a return to verify, are you being asked to provide your Social Security number and maybe your birthday? Can you open it without having to go to a secure website and enter a password? That doesn’t pass our initial smell test.

If your accountant does contact you about sensitive information or forms, are you referred to a secure website? Do you have that link with your access credentials safely stored? In a safe world, you can log into your account by entering the website address from your browser and entering your credentials.

If something doesn’t look right, you should always be able to call your accountant on the telephone.

And just to go one step farther this spring, here are some other things to be wary of.

Are you getting emails supposedly from someone you haven’t heard from in ages? And does have a short subject line, such as “hi”, with no message but a link? That’s a sign of fraud and clicking the link could open a breach in your system that can expose your sensitive data.

Are you getting Facebook friend requests from people who are already your friends? That’s generally a fraudulent request by someone looking to get into your system.

Anyone using fraudulent methods to get into your computer system may also be planting some kind of virus or malware to help infect other computers. If you think you may have clicked a link by mistake that could lead to a breach of your system, shut down your computer and disconnect it from the internet. Then call us – 973-433-6676 – so that we can apply our tools and expertise to minimize the damage and clean up your system.

Tax Season: The Next Scam Season

I don’t know whether more money changes hands during the holiday shopping season or during tax season, but a lot is at stake between now and April 17 as people prepare tax returns. It’s a busy time of year for scammers, most of whom want to use fraudulent information to get your tax return money.

Probably one of the most common scams is someone calling from the IRS to say you owe back taxes. This happens every year and all year long, too. But there’s just one thing we want to remind you about, even if you know it: The IRS does not contact you by phone. Nor does the IRS contact you by email, a form of communications a scammer will use in a phishing expedition. The IRS sends you a letter.

The other scams you are likely to encounter are calls or emails from people or companies offering to prepare your tax returns and even provide you with an advance on your refund. The email scams are more insidious because if you click on a link, it could automatically trigger a breach of your computer that reveals sensitive information. If you follow through on a phone call or link, the scammer is going to request your Social Security number and other info that goes on a tax return. If the scammer is offering to advance you money from an expected refund, they’ll want your banking info, too. Once a scammer has this and other personal information, it’s easy to get credit cards and loans and commit crimes in your name.

From a computing point of view, we again remind you not to open emails from people you don’t know who offer help during the tax season. Delete them immediately. Do the same with an email from someone you know that seems out of context because it’s so easy to spoof an email address. For example, would you really expect Norman Rosenthal or Sterling Rose to prepare your taxes?

You can protect business and home networks and computers by making sure you have new, strong passwords for all networks and accounts. Strong passwords are long and contain a combination of upper- and lower-case letters, numerals and special characters. With the breach at Equifax, the risk of fraud is higher, and one of the problems it can lead to is that someone will file your tax return before you do.

With protection in place, you can use the internet for all of your tax-related activity, starting with IRS’s official website https://www.irs.gov/. In addition to being able to get tax forms and answers to questions, you’ll find links to help you find and verify information about tax preparers, including 10 tips for choosing one.

If you are preparing your own taxes, we recommend you use one of the established software providers to reduce your risk of a security breach, especially when you file online.

While we don’t prepare taxes, we can help you keep your networks and computers secure. Call us – 973-433-6676 – if you think your system may have been compromised. Call us or email us if you have any questions about system security or security settings for any software you use for tax preparation and filing.

Nomorobo = No More Robo Calls? We Hope It Adds Up

If you’re tired of robo calls and caught in the web of spoofed telephone numbers, Nomorobo might be the app for you. It is for us. It’s one product to help you manage your telephone.

For most of us, robocalls are a major annoyance. Even when you don’t pick up the phone, they ring and ring until your answering machine picks it up, and then you need to follow whatever instructions your answering machines provide to get rid the message.

For many others, however, robocalls are an expensive trap. Scammers posing as IRS agents steal millions every year, despite regular warnings from the real IRS that its agents will never contact you by phone if you owe them money. They send a letter first, and they tell people that if they have questions about whether they owe taxes, they should call the IRS toll-free phone number.

At one time, you could register your phone number with the FCC (Federal Communications Commission) to block robocalls and telemarketers representing companies with which you did not have a relationship. But VOIP (voice over internet protocol) technology made it cheap and easy for scammers operating outside the US to make long-distance calls that look like domestic calls. Essentially, the same technology that gives you a free Google Voice number gives scammers and thieves the ability to reach you under false pretense. How ridiculous can it get? You can get a call from a device identified as your own phone.

As phone carriers and the FCC went ‘round and ‘round in pointing fingers and passing along suggestions for the “other side,” the logjam broke when the FCC allowed the phone companies to block robocalls. One of the industry’s concerns was that it would block legitimate phone numbers, including those used by emergency-notification organizations.

Here’s where Nomorobo stepped in to fill the breach. It won a $25,000 cash prize from the Federal Trade Commission in 2013 for figuring how to stop robo calls. The system reroutes calls to your phone number to a service that checks the incoming phone number against a database that whitelists the good guys and blacklists the bad guys. Once you sign up for Nomorobo, you need to wait until the second ring to pick up the phone. Nomorobo uses the first ring to check the incoming number against its database. If you don’t get a second ring, then you know a robo call was blocked.

In a perfect world, good calls, such as those from emergency-related organizations get through. Of course, the world is not perfect, but it is “trainable.” If you experience any problems, such as a school closing or a call from a hospital, you can report it at www.nomorobo.com/report under “A Valid Number That Was Blocked Incorrectly” and correct the database. The service won’t block charity calls, but it can block political calls. You can enable or disable this feature by clicking “Edit” next to your number.

Nomorobo is free for landlines, and it supports most carriers. It has an iOS app that costs $1.99 per month, and it plans to have an Android app soon. The company has an online help desk that covers most questions users would have about using its system or deleting it.

Nomorobo has plenty of company in the robo-blocking space, and you might find one you like better. One place to start your search is the CTIA website product listings. CTIA represents many wireless telecom companies in the US. If you have any questions about selecting a call blocker or installing on a landline or mobile device, we’re here to help. Just call us – 973-433-6676 – or email us.

Don’t Wait When Hacked

A client got hacked at 5 p.m. and discovered it at 8 p.m. They waited until the next morning to call us. Our advice to them was to shut down their system. Our advice to you is don’t wait – but please use some common sense. We don’t appreciate calls at 5:30 in the morning because you can’t connect to the internet or get your email, but a hack is a whole other story.

If you think you’ve been hacked, shut down – as in “power off” – your computer or your system immediately. If nothing’s running or connected, nothing more can be taken from you, nor can anyone get deeper into your system. Once you call us, we can examine every part of your system and help you take steps to secure it before you and everyone in your business or home goes back online.

If we’ve learned anything from news reports, no system is immune from attack. But there are a number of steps you can take to make an intrusion more difficult – and for small businesses and homes, they may be enough to deter anyone from making a huge effort to invade your system.

In the case of the client who was hacked, he did not have administrative rights to his computer – and that was a big help in minimizing the damage. Administrative rights give those who have them the authority to make all sorts of changes to a computer or a group of networked computers. In addition to adding and removing programs and managing data files, administrative rights can be used to grant permission to other users to perform all of those actions.

In a small business, it makes sense to give several people administrative rights to keep business flowing smoothly. Even if you have automated systems to take care of certain functions, you may need to give people permission to do certain things. However, you need to pay attention to security to benefit from the convenience of this flexibility. We recommend:

  • Keep the number of people who need administrative rights to a bare minimum.
  • Make sure those people change passwords frequently and that they use strong passwords.
  • Limit permissions to certain functions to prevent a hacker from getting carte blanche to your entire system.
  • Set up separate users and log-in credentials for performing administrative functions and delete them after those functions are performed.

The same recommendations can apply to a home computer or home network, with the requirement that children and seniors should not have the ability to install or remove programs.

We also can repeat steps we’ve suggested before:

  • Do not use any simple usernames and passwords for any piece of equipment that is connected to the internet. Every device has a default name and password, and hackers know them all.
  • Use strong passwords and change them often. Strong passwords are usually complex passwords. Hackers have software to figure out certain patterns of numbers and letters, and they can pick up information about anyone from public records. Try not to relate your passwords to that information, but for any password, use a combination of upper and lower case letters, numbers and special characters.
  • Download and install updates from the publishers of your application software. In most cases, the updates contain bug fixes and patches to improve the security of your applications.
  • Keep your anti-virus and malware software up to date and active.

Again, if you get hacked, don’t wait to call us. Time is of the essence. Shut down everything and call 973-433-6676 for immediate help.

Of course, preventive measures offer the best protection. Call us or email us to arrange a security audit of your system. And don’t wait until you’re hacked to do it.