Phishing is Getting Fishier

If you are like most people, you have undoubtedly received an email that has asked you to click on a link. Did you click it?

If you did, no worries; you are just like 99% of internet users. Everyone has clicked a link before, and it is pretty normal. But, in some situations, you may have found that the link took you to a new or maybe spoofed website where you might be asked to do “something”, i.e. enter some information or even log in to an account. Once you entered your username and password, they have it…

If you have ever done so, you were likely a victim of what is known as a phishing attack, and these attacks are getting fishier all of the time.

A What? Phish? Fish?

It’s called a phishing attack, and yes, it’s a play on words. When you fish, you throw a hook and worm into the water and hope you catch something. Hackers do the same when they phish.

Except, their hook and worm, in this case, is a carefully crafted email – designed to look like something you should get – which hackers hope you are going to open. It’s then that they can reel you in.

There are a few different types of phishing:

  • Spoofed websites – Hackers phish by using social engineering. Basically, they will send a scam email that leads to a website that looks very familiar. However, it’s actually a spoof, or imitation, that is designed to collect credit card data, usernames and passwords.
  • Phishing “in the middle” – With this type of phishing, a cybercriminal will create a place on the internet that will essentially collect, or capture, the information you are sending to a legitimate website.
  • Phishing by Pharming – With phishing by pharming, the bad guys set up a spoof website, and redirect traffic from other legitimate sites to the spoof site.
  • Phishing leading to a virus – This is probably the worst phish as it can give a criminal full control over your device. The socially engineered phish is designed to get you to click a link to infect your device.

Can You Protect Yourself from Phishing?

Yes, the standard rule is “don’t click links in the body of emails”. That being said, there are emails you can click the link and others you shouldn’t. For example, if I’ve just signed up for a new website and a confirmation email is then sent to me, I’ll click that link. Or if I’m in ongoing dialog with a trusted colleague who needs me to click a link, I will. Otherwise, I don’t click links in email promotions, ads or even e-statements. I’ll go directly to the website via my password manager or a Google search.

Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock ’em dead in this Security Awareness Training video.

Be aware of all these Confidence Crimes

Criminals rely on tricking victims to get access to account information, like passwords. This is known as social engineering, and is also called a “confidence crime.” These come in many forms:

Do Not Take the Bait of These Phishermen

  • A phishing email that targets a specific person is known as spear-phishing. A spear-phishing email looks like an email that might come from a legitimate company to a specific person. For example, a thief might send a fake email to a company’s employee who handles money or IT. It looks like the email is from the CEO of the company, and it asks the employee for sensitive information, such as the password for a financial account or to transfer funds somewhere.
  • Telephones are used for phishing, too, also called “vishing,” which is a combination of phishing and voicemail.
  • Fake invoices are also popular among hackers and scammers. In this case, a fake invoice is sent to a company that looks like one from a legitimate vendor. Accounting pays the invoice, but the payment actually goes to a hacker.
  • Another scam is when a bad guy leaves a random USB drive around the office or in a parking lot. His hope is that someone will find it, get nosy, and insert it into their computer. When they do, it releases malware onto the network.
  • Cyber criminals also might try to impersonate a vendor or company employee to get access to business information.
  • Whether someone calls, sends you an email, rings the doorbell, or walks into your office, always look at an unexpected request with suspicion.

Be thoughtful about security:

  • Set up all bank accounts with two-factor authentication. All web-based email accounts should have two-factor authentication. This way, even if a hacker gets your password, they still can’t access your accounts.
  • Train staff to be careful about what they post on social media, such as the nickname the CEO goes by in the office.
  • Do not click any link inside of an email. These often contain viruses that can install themselves on your network.
  • Any requests for money or other sensitive data should be verified over the phone or in-person. Never just give the information in an email.
  • All money transfers should require not one, but two signatures.
  • Make sure all employees are fully trained to recognize a phishing attempt. Also, make sure to stage phishing simulation attempts to make sure they are following protocol.
  • Help people understand the importance of looking out for things like a new email address for the CEO or Kathy in accounting suddenly signing her name Kathi.
  • Also, teach staff to report any uncharacteristic behaviors with long-time vendors or even fellow coworkers.

I once presented a security awareness program to a company that was almost defrauded. They hired me because of an email accounting had received from the CEO. The CEO sent a nice proper letter to accounting requesting payment be made to a specific known vendor.

A number of things were wrong with the email. First and foremost, like I mentioned, the email was nice and proper. Apparently the CEO isn’t all that nice, is somewhat of a bully, and all his communications are laden with profanity. So the red flag was the fact that the email was nice. Imagine.


10 Huge Home Security Mistakes

Though it would be nice to think that you can fix something if you make a mistake, there are some where there is just no going back. And in some cases, these mistakes can be tragic. Here are some of the biggest mistakes that people make with their home security:

  1. Leaving Doors Unlocked – It only takes two seconds to lock your door. It should be a habit. It doesn’t matter if you are just gardening in the backyard or running to the store for 5 minutes in the middle of the afternoon, lock the door. Often, a burglar rings the doorbell. If there is no answer, they jiggle the knob. If the door opens, they let themselves in and start ransacking the place. They can do the same thing with windows.
  2. Not Setting Alarms – You shouldn’t assume that a break-in only occurs when you are gone. A guy high on crack won’t care if you are home or not. So, keep your alarm on when you are home, and only disable it when you have to go out momentarily.
  3. Being Too Cheap – Don’t settle for a cheap lock. Locks can be easily picked by using what’s called a “bump key”. Remember, you get what you pay for. So, spend the cash on a good lock. There is a dramatic difference between a lock that costs $20 and one that costs $60.
  4. Keeping a Ladder in the Yard – Keeping a ladder in your yard is almost the exact same thing as leaving your door right open with a “Welcome Burglar” sign on your home. A bad guy can easily use that ladder to get into your home. At least lock up the ladder.
  5. Hiding Keys – Even the dumbest criminals know that people hide house keys under fake rocks, flower pots, and welcome mats. Instead, make the small investment into a keyless lock. Or buy a lock box.
  6. Putting Your Valuables on Display – Use caution when you display expensive items. This is especially the case if you can see them from the window. If you can’t move these items, make sure to keep the shades down.
  7. Keeping Your Garage Unlocked – Don’t just leave your garage open or unlocked. There is a lot of valuable stuff in there, and a burglar might even gain access to your house via the garage.
  8. Not Using Lights at Night – A dark yard or home is a sign that no one is home. In other words, the perfect time for a thief to get into your house. So, set up timed and motion sensitive lighting on the exterior and interior of the home. Also, leave a radio or television on when you are gone.
  9. Leaving Deliveries Out or Not Cleaning the Yard – A sure sign that you are gone, and your home is open for burglars, is a pile of mail or newspapers. It’s also a sign if your lawn is overgrown. So, ask someone to grab your mail, park in your driveway and mow your lawn when you are on vacation.
  10. Displaying Their Good Trash – If you see a neighbor place a large Sony box with a television printed on it or a Dell cardboard box on the curb, you can easily deduce that they just got high end electronics. Robbers know this, and they know that something very valuable is in the home they can sell for drugs.

Bonus…#11…Putting their Life on Social Media – Do not post on social media when you are on a trip. Save it for when you are home. Why? Because burglars are looking for those posts, too.


5 Digital Security Tips That You Should Always Beware Of

Hackers are out there, and they have their eyes on YOU! So, you are the first line of defense against them. Do you know how to make your smart phone or computer more difficult for hackers to access? Here are five tips to help:

Password Information

  • You would think that these days, everyone would know how to create and use a strong password, but people don’t. Every online account you have should have a strong, long password made of a combination of symbols, letters, and numbers. You should also use a different password for each account.
  • A good, strong password is at least 8-12 characters in length. It is also made up of both upper-case and lower-case letters, symbols and numbers. Make sure it doesn’t spell anything, either. Example: “yi&H3bL*f#2S”. However, a phrase will do too, such as iLike1ceCream!
  • Activate two-factor authentication on every account you can. This way, even if your password gets into the wrong hands, the hacker can’t get in unless they also have access to your smartphone.

Understand the Cloud

  • Yes, the cloud is pretty cool, but it is still vulnerable. The cloud is essentially just internet-connected servers that sit in climate-controlled, secure facilities. These are generally secure. However, if your device doesn’t have the best security, the data in the cloud becomes vulnerable through your device. Example: your bank, which is cloud based, is unlikely to get hacked, but your PC can be. If you don’t use security software, or if you don’t update your software, cloud security doesn’t matter much.
  • Since the cloud is a huge source of data, a lot can go wrong. So, should you rely on the cloud to protect you or should you protect yourself? Feel good that in general whatever cloud service you are using is secure. But if you are downloading pirated content and shady software, then cloud security will not protect you.

New Devices Don’t Mean Safe Devices

  • Many believe that if they have a new device, it is perfectly safe. This isn’t true. Androids and Macs need antivirus just like PCs need antivirus. And right out of the box, all devices’ operating systems, browsers and software should be updated.

Antivirus Software is Great, But Not Perfect

  • Yes, it’s awesome to have good antivirus software, but it’s not the only thing you have to do to keep your device safe. Think of your antivirus software as an exterminator. Like a pest control expert in your home, they get out the vast majority of insects when you call them. However, they can’t 100% eradicate every single egg, larva, and bug. Free antivirus software is the same. It does a great job for the most part, but it won’t get everything. Free antivirus doesn’t come with a firewall, antispyware, antiphishing or other fundamental security tools. A paid service will generally accomplish this.
  • Ask yourself this: would you want your bank using free antivirus software? Then why do you?

Updating Your System

It can get annoying when your system alerts you with a pop-up to update your software, but don’t hit “remind me later.” In most cases, this update contains important security patches that you need to install to be safe. It’s best to allow automatic updates on every device.


Are You Taking Responsibility for Your Personal Safety?

For the most part, the local police department does not prevent most assaults or burglaries. That would require a cop to be everywhere all at once. Not happening. However, they do their best to capture and arrest those who commit these crimes. And, preventing crimes goes way beyond getting a home security system or making sure your doors are locked and your lights are on timers. But this is a start. The truth is, your personal security and preventing crimes starts with you. It begins with taking responsibility for your property and your personal safety.

Civilized Conditioning

You might have heard of civilized conditioning. Civilized conditioning is what mom and dad teach you about being a civilized human in a civilized society. That means not hitting, harming, biting etc. Just be nice and in general, respect authority.

You have probably (hopefully) been taught that it’s not okay to hurt other people, and this, of course, is a great thing. Most of us have been taught this from the time we were small children. This type of conditioning allows each of us to successfully get along with others in a society, but it also causes us to do nothing when we need to.

Civilized conditioning has had a negative impact on our ability to take responsibility for our personal security. This is really a double-edged sword. Sure, it helps to keep us under control when we are tempted to get violent with another person. But, it also prevents us from using a violent stance when we need to.

We are all aware that there are people out there who we could say are uncivilized. These people don’t have the same boundaries as the rest of us. When we come across those people, we have to take responsibility for our own safety. That might mean being violent.

You Are On Your Own

Bad things happen all of the time. Consider, for instance, installing a home security system. This is a great start and helps you to take responsibility for the safety of your property, your family, and yourself. Also, consider a self-defense class. There are several options for these classes from local courses and books to videos and online training. Additionally, teach your children self-defense skills. Even children as young as 5 years old are definitely capable of learning techniques that can protect them. Finally, teach responsibility. You can’t always rely on the government or the police to protect you. Instead, rely on yourself.
