The ‘Zelle Fraud’ Scam: What it Is and How to Avoid it

Zelle is one of the most famous platforms to quickly send money to loved ones, friends, and family. However, now cybercriminals are taking advantage of it to get people’s account information.

Using clever tactics to fool clients, fraudsters are now taking advantage of the existence of Zelle to get customers to give them their account information. Once the person does, they quickly proceed to transfer the funds through this person-to-person platform.

Stories of people being scammed and losing money have alarmed some Zelle users, which is why clients must be careful with any suspicious message they get. This is especially the case if they’re supposed to respond with sensitive information like their account username or a one-time passcode. Here’s all about the ‘Zelle Fraud’ scam and how people can avoid it:

How it Works

Users first receive a text message that says someone else tried to transfer money to them using Zelle. People are supposed to answer ‘yes’ or ‘no,’ but regardless of what they answer, if they reply, they will soon receive a call from the scammer.

Overall, scammers want to talk to the person until they get the information they want. Therefore, they will use intelligent strategies to ask the client for their data, and once they get it, they will perform quick transactions in a matter of seconds. This can be a financial catastrophe for the person.

The number of the caller is spoofed, so people might think it’s the bank calling them. Once they pick up the phone, the fraudster will ask numerous questions to ‘verify the identity’ of the person, and this is how they get their banking information.

Fraudsters usually ask questions such as the following:

  • “I need to make sure I’m speaking to the right person. Can you tell me your username?”
  • “I need to ask a few questions to verify your identity. Can I have your username?”
  • “Please, tell me your username, so I can verify your identity.”

Once the client gives the fraudster their username, the scammer will try to get the password by using the ‘forgot my password’ feature or even get the client to cough it up. After that, they will typically tell the client something along the lines of ‘I’ll send you the passcode and I want you to read it back to me.’

To complete the password reset process, the fraudster uses the code. After changing the client’s banking password, they use Zelle to transfer the funds to other accounts.

An essential part of understanding how the Zelle Fraud works is realizing that fraudsters don’t need the person’s bank account password at first. If they have their username and get the person to read them the one-time code they got via email, the scammers are able to quickly change their password and transfer money to different accounts using Zelle.

Furthermore, in many cases, victims of these fraudulent actions didn’t know what Zelle was and had no idea that it was a platform to move money.

Numerous banks and credit unions offer Zelle as a default part of their online banking services. Clients don’t necessarily need to request it – it’s just there, and people unknowingly fall for these scams without understanding what’s going on.

Fraud losses can escalate quickly in a matter of days, due to the number of clients that can become victims in very little time.

What Zelle Is Doing

To combat these issues, Zelle has introduced a way to authenticate transactions using their details. The person must send a text containing the payee and dollar amount of the Zelle transfer, and the member must reply to the text to authorize the transfer.

Nonetheless, fraudsters have found a way around these security measures as well. Otsuka said that scammers might stay on the phone with the person until they get both their username and a two-step authentication passcode to be able to log into their accounts.

After that, the fraudster tells the client that they’ll receive Zelle transfer details through text and that they must reply to authorize the transaction. If the client asks about the purpose of this, they will tell them that it will reverse the fraudulent movement of their funds.

Clients will call customer support, explain what happened, and try to get credit-card protection. However, they often face disappointment, and in the worst cases, financial ruin. In many cases, bank representatives have stated that the banks are not required to reimburse the customer for these phishing schemes.

Bank clients must be aware of the fact that they’re entitled to Regulation E protection, and banks must refund the stolen money.

How to Handle This

Bank clients must know that they have Regulation E protection. Therefore, even if they were manipulated into giving out their login details, the bank “should” give back the stolen funds. Clients expect a sense of security and protection when they put their assets in a specific company. Thus, the bank must fulfill their expectations.

When a client signs up with a financial company, their data and privacy must be secure (and no one should have access to them without their consent). At the same time, the bank must protect them from fraud, errors in payments, provide them with trustworthy customer service whenever they need it, and representatives should treat them equally and respect their rights. But as we know, this is not always the case, and often when the client is victimized, because of their own error, the banks turn their head the other way.

Lastly, people should never forget the ‘Hang Up, Look Up, Call Back’ motto. If someone suspects that they’re receiving a possibly fraudulent call, they should kindly tell the caller that they’ll hang up.

Since most fraudsters claim they’re from a company the person knows, the client must look at the company phone numbers and see if they’re receiving calls from them. Then, customers should actually phone the company and ask if they have been calling.

Even though this is not a way to absolutely prevent scams from happening, it’s an effective strategy to avoid them. Fraudsters rely on people’s innocence to provide sensitive information when reputable companies ask for it, which is why customers must try to avoid giving it away so easily unless they’re sure that it’s the company they hired.

Robert is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon.com author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com. Robert has been featured on CNN, Fox News, CNBC, MSNBC, ABC World News Tonight, NBC Nightline, CBS Early Show, Today Show, Good Morning America and in the NY Times, Wall Street Journal, Time Magazine, Fortune, Forbes, Entrepreneur and many more.

Here’s Why You Need Identity, Privacy, and Device Protection

Our philosophy has always been “all security is personal”. So, whether you are a front line administrator, a CISO, or a CEO, the security of your organization begins with you and your person. If you don’t have your own personal security in order, how do you expect your business data to be secured? It starts with you.

People are often anxious about the security of their personal information and online accounts. Cybercriminals are finding new ways to invade your privacy which is why you need comprehensive protection to keep you safe online.

Here are some protection and privacy best practices that you can use to keep your identity and sensitive information away from prying eyes and restore your faith in technology.

Device Protection

Device protection refers to the measures you take to protect your hardware or physical devices from intruders and potentially harmful software, such as malware, adware, and viruses.

Protect Your Hardware

This may sound simplistic, but knowing where your smartphones, computers, iPads, and gaming consoles are and never allowing people you don’t know to use them are the first steps in protecting them.

Protect your devices with a password so that the photos, banking apps, and text messages stored on them are inaccessible if you lose your phone at a concert or leave your tablet in a restaurant. You’d be amazed at how many people don’t have a password on their mobile phone.

Back Up

It’s also a good idea to back up your files regularly so that your images, videos, and documents are not lost if your laptop or phone crashes or is stolen. Use a combination of Google, Apple, online backup services, local external hard drives, and sync software.

Protection Against Malicious Software by Updating

To keep your device safe, you’ll also have to protect it from malicious threats. There are many ways for malware and viruses to get onto your devices, including phishing scams, suspicious websites, questionable downloads, and clicking on advertisements.

When browsing sites that seem unreliable, use caution, and apply common sense when clicking on links.

Updating operating systems, browsers, and other software programs is necessary to keep your data and devices secure. Some updates are for functionality purposes, but more often they are critical security updates, released when vulnerabilities are discovered by researchers.

Privacy Protection

Protecting your privacy involves preventing advertisers, fraudsters, and other unscrupulous organizations from obtaining access to the information you’d prefer to keep private.

It only takes a few careful modifications to your regular browsing, emailing, and social media activities to increase your internet privacy. Just be thoughtful about where you’re going, what you’re doing, and what personal or sensitive information you may be providing.

Limit What You Share on Social Media

Consider your usage of social media. Do you upload pictures containing information that could be used to identify you? Examples of information that you shouldn’t share online include your:

  • Full name
  • Birthday
  • Physical address
  • Current location

If your profile is freely accessible and anyone can view it, you might want to think about limiting what you post online. Sadly, although your loved ones may like reading your status posts, cybercriminals enjoy them even more.

Fraudsters can learn enough about you in just a few minutes of spying to pass themselves off as you or to target you. Restrict the information you post on social media and restrict the number of people you follow and befriend to those you actually know.

In the end, be thoughtful about what you post, and how a scammer might use it against you, your family, or your business.

Use a VPN

Connecting to a virtual private network (VPN) is another great way to protect your online privacy. By encrypting your connection and keeping your location hidden, a VPN enables you to browse the internet anonymously.

Protecting your privacy with a VPN is essential when using public Wi-Fi at a library, restaurant, or coffee shop.

This is because cyber criminals typically wait around unprotected Wi-Fi networks to spy on users making online purchases or paying bills to gain access to their login information.

Invest in Antivirus Software

Spyware can also threaten your online privacy. Adware, for example, can be used to spy on your online activity to help third parties learn more about your interests and preferences and target you with online ads.

One of the best ways to block spyware is by installing a reliable antivirus application to help you detect, identify, and remove malware and viruses that could pose a threat to your online security. A paid subscription has multiple layers of protection versus a free antivirus.

Identity Protection

Another type of fraudulent activity to look out for is identity theft. Each time identity theft occurs, dealing with the repercussions can be challenging and may even have an impact on your finances, credit rating, and future ability to obtain loans, credit cards, or mortgages.

Protecting your personal information with care is one approach to keeping your identity safe online. Never provide anyone your Social Security Number via email unless it is absolutely necessary, and you have verified the sender’s identity.

Investing in an identity security service that monitors the dark web and notifies you of any suspicious activity that might point to identity theft is a good idea.

Consider getting a credit freeze, which locks your credit report and prevents unauthorized accounts from being opened in your name.

Here are some examples of identity theft:

1.    Forging an Identity

The most frequent form of identity theft is when a thief takes a victim’s Social Security number and uses it to create a new false identity.

2.    Creating New Accounts Using Someone Else’s Credentials

When a scammer successfully obtains financial data and personally identifiable information from a user, they can open new accounts such as utility accounts, credit cards, and more using the victim’s good credit rating.

3.    Taking Over Someone Else’s Account

Account takeover occurs when a fraudster takes the victim’s account login information and adds themselves as authorized parties, giving them access to the victim’s banking facilities.

Fortunately, this type of fraudulent activity is steadily decreasing due to the widespread use of EMV chip readers.

4.    Medical Identity Theft

Medical identity theft occurs when fraudsters pose as patients to access certain prescribed drugs and have their medical care covered by the victim.

5.    Corporate Identity Theft

Corporate identity fraud occurs when a criminal tries to issue new lines of credit in the name of a company, sends clients fake bills, and then takes the payments themselves. This type of identity theft is most common in small businesses.

A cybercriminal may still manage to obtain your personally identifiable information even when you follow all the rules.

When a security breach occurs at an establishment with your personal information, you’ll need to find another way to keep your information and banking accounts safe.

Protect Yourself

Considering how many ways there are to target users online, it should come as no surprise that many are uneasy about their safety when surfing the net. Fortunately, you can safeguard your devices, protect your identity, and keep your browsing history away from prying eyes by installing reliable antivirus software.

Keep up with the latest developments, and if a corporation that stores your information is the target of a cyberattack, take swift action to protect your identity and safeguard your account.

Are You a Hard Target for Cyber Criminals? You Must Be

Cyber criminals hate a hard target. In the language of security, a “hard target” is someone difficult to hack, while a “soft target” is someone who is especially vulnerable.

Put yourself in a criminal’s shoes: Which home would you attempt to rob: the one with the back door open or the one with the spotlights and a burglar alarm? Those home security deterrents may not stop a determined criminal, but they send a clear message: This home takes security seriously, and you put yourself at risk if you try to break in.

Cyber criminals think in the same terms. They look for signs that you take security seriously. Some criminal gangs keep databases of known soft targets; you may know someone who is often hacked. All cyber criminals know what signs to look for to see if you pay attention to cyber security. They also know the difference between real cyber security and half-hearted attempts, just as experienced burglars know how to spot fake cameras and alarms.

It is not expensive or difficult to be a hard target. All you need is a little time and a commitment to consider how you approach online interactions. Here are five things you can do right now that will make you a hard target and convince criminals to look for easier victims.

Update your software.

A recent article in The Wall Street Journal certainly caught the eye of cyber criminals. It discussed users who cling to old operating systems and old software because they like certain features or because they do not want to learn a new interface. Some businesses still rely on old operating systems and outdated devices that power critical business functions because they want to avoid the learning curve with new software or because they find upgrading too expensive.

These users and business owners are the ultimate soft target. Criminals have databases of known exploits in old apps, programs and operating systems. They search online to find outdated software that is still in use, then launch attacks to steal passwords, gain access to networks, install ransomware or hijack customer data. Updates should be automatically applied and must be manually applied when auto-updating is not an option. Business owners should note that failure to update systems will void cyber liability insurance policies and trigger violations of the FTC Safeguards Rule. Publicly traded companies and businesses that serve publicly traded clients could face additional penalties under the SEC Disclosure Rule if hackers attack out-of-date systems and software.

If you absolutely must maintain old software or devices, the only safe way to do so is to keep them fully isolated from the Internet. That means no wired or wireless connections that could allow a hacker to access the device.

Change your passwords.

Password and credential theft occur daily. Most people accept it as a fact of life. What most people do not realize is that criminal gangs keep databases of usernames, passwords and other login credentials. These databases are bought and sold on the Dark Web, tested using a variety of methods, then repackaged into verified lists of working credentials. If you change passwords several times a year, you will be seen as a hard target and criminals may stop selling your personal information. Criminals will note that old passwords do not work, and those who act as information brokers may take note of how frequently you change your credentials.

Do not trust. Verify.

If you have ever taken a self-defense or defensive-driving course, you know that one of the first lessons is to question the way you trust. Most people trust unconditionally. They see a yellow line on the road and assume other drivers will respect it. They receive a text that appears to be from a coworker and they respond.

A hard target is vigilant and skeptical. They question everything and develop the ability to sense unusual situations. Instead of assuming that an email, text or phone call are legitimate, they investigate. These skills, which can be developed through cyber security awareness training, make the hard target nearly invulnerable to business email compromise and pretexting attacks.

Anyone can begin to develop these skills by questioning how easily they trust, and why. Criminals prey on trust to steal credentials and cash and to reroute valuable deliveries. Businesses can develop protocols to limit these attacks, but it ultimately falls on individuals to recognize unusual behavior and have the confidence to investigate it. When in doubt about a text or email request, do not respond to it. Reach out to the source at a known phone number and verify the request.

Use multi-factor authentication.

You should be familiar with two-factor authentication, which sends a code to your phone or a verified email address to allow you to log in to services. You may be less familiar with multi-factor authentication, such as biometric logins on devices or apps that check for the presence of your phone before authorizing a financial transaction.

Whenever, and however, multi-factor authentication is offered, take advantage of it. This makes you a very hard target to hack, and shows criminals that you take cyber security seriously. When criminals discover that you have multi-factor authentication enabled, they may stop attempting to hack your accounts and stop sharing your credentials online.

Report successful hacks and data breaches to law enforcement.

Here are two things you must understand about cyber criminals: They want to avoid exposure and they talk to each other. When criminals successfully claim a ransom from a business, steal data, steal money or gain access to networks and systems, they share that information with other criminals in online forums. You may believe that failing to report a cyber crime keeps the knowledge of that crime between you and the hackers, but it does not. Hackers tell other hackers what they did, who you are and how you failed to alert anyone. That invites more hackers to attack you. To be a hard target, you must communicate as loudly as possible. Tell law enforcement. Tell professional associations. Tell colleagues at other organizations. Tell the press. Share everything you know about how you were hacked and how you responded. Cyber criminals do not want the publicity, and they do not want their methods compromised. In the best-case scenario, law enforcement may make an arrest, thwart a future attack or help you regain lost money. In most cases, you will simply be contributing to a shared knowledge base that makes it harder for criminals to operate.

A Hard Target Still Faces Two Types of Cyber Attacks

Making yourself a hard target will deter cyber criminals and reduce the amount of fraud you encounter. There are two additional categories of cyber attacks that you may face, depending on who you are and what you do.

  1. Spam attacks. Inexperienced and unskilled criminals still send mass emails claiming that you have inherited millions from a deceased prince, that your package cannot be delivered or that your account has been deactivated. You will also encounter browser takeovers online from time to time. As a hard target, you will know that these are very unsophisticated, broad-based attacks designed to catch the unwary. They are not targeted and they are not personal. If you have developed a healthy level of skepticism, you will find it easy to ignore them.
  2. Spear phishing and AI-powered attacks. Depending on what you do, where you work or whom you work with, you could be a high-value target for cyber criminals. You likely know if you fall into this category, and you should have received additional cyber security and anti-phishing training. The main question you need to ask is whether you are as vigilant in your personal cyber security as you are on the job, and whether you take steps to help your loved ones maintain good cyber habits. High-value targets are closely watched by cyber criminals, who may use sophisticated methods to attack your personal devices, or people you know, as a means of getting to you.

If you have a few minutes to work toward becoming a hard target, take our free E-Mail Safety Crash Course. Adapted from our comprehensive Cyber, Social, Identity Protection Certification program, this video module offers immediate steps you can take to thwart cyber attacks on any email platform, as well as advice on how to identify suspicious emails.

Know When and How to Stop Ransomware Attacks

Ransomware attacks are on the rise and small businesses are on the menu. The 2023 State of Ransomware report from Malwarebytes Labs finds that the United States saw 1,462 attacks between July 1, 2022, and June 31, 2023. This accounted for 43% of all ransomware attacks around the world, with these attacks doubling in frequency between January and June 2023, compared with the previous 6-month period.

While the Vacant Land Scam and Business Email Compromise may be — and should be — top of mind for most small-business owners and employees, ransomware must also be on the threat radar. School districts were among the top ransomware targets in August 2023, in part because criminals have shifted their focus away from large corporations with strong protections and toward public and private organizations with heavy third-party dependencies and softer cyber security.

When Are You Most Vulnerable to Ransomware Attacks?

Note that the question is not, “Who is most vulnerable,” because criminals are actively looking for the softest targets available. It does not matter what you do or in what sector. If you have user data or online systems that are critical to the operation of your organization, ransomware hackers have their eyes on you. You are particularly vulnerable if criminals believe you will pay their ransom to get your systems back online quickly, or if they believe you will not contact law enforcement out of a fear of reputational harm. Couple one or both of those realities with a lot of external vendors, off-the-shelf software and poor password protections and you can expect hackers to come after you.

Ransomware attacks begin with a hacker gaining enough access to your systems to install software. There are a few methods criminals use to achieve this:

  1. Zero-Day Exploits: These attacks target vulnerabilities in software or communications between devices that allow criminals to install a ransomware package. Any time you change software vendors or hosting services, install new software or update software, you are potentially vulnerable to attack. Cheap thumb drives may also come with malware, making new drives a threat the first time you use them.
  2. Phishing: Criminals will use a variety of phishing techniques to attempt to steal login credentials. These can include emails directing employees to sites that download malware, phony client emails or pretexting attacks where criminals claim to be a coworker or supervisor. You are most vulnerable when new employees gain access to your systems, which makes it essential to include cyber security education during every employee’s first day on the job.
  3. Code Injections: Criminals may attempt to load malicious code via vulnerabilities on your website or during communications between your devices and a third party. You are most vulnerable if you do not keep up with security updates and patches, and if you do not employ encrypted communications with all third parties.

Determined hackers may also use less-sophisticated methods to gain access to your systems if they know where to look. Credential Stuffing, where hackers attempt to use passwords stolen in other online breaches; Credential Spray, which involves matching known usernames with a variety of common passwords; and Brute Force, where criminals use automated systems to flood a site with username and password combinations, are among the techniques hackers may attempt.

Ransomware Attacks Are Rarely Immediate

One key aspect of ransomware attacks has changed: hackers seldom install their malware right away. Instead, hackers will loiter in your compromised systems for a period of time. They may attempt to gain access to other systems, or they may make small changes to see if you are paying attention. In some cases, hackers will wait until a period when you are particularly vulnerable, such as the start of a new school year or an active business cycle, so that their attack causes the greatest disruption possible.

The period between criminal access and ransomware deployment is your opportunity to stop the attack, but this will only happen if you are vigilant and have the right monitoring systems in place.

  • Review login data. Keep track of any new devices that log on to your network. If a login looks unusual, reach out directly to the user to see if they logged in from a new device or location.
  • Look for unusual data-transfer activity. Ransomware packages must be deployed and installed on at least one device in your organization. Hackers may also exfiltrate significant amounts of your data before they launch a ransomware attack if they plan to blackmail you by posting it on the Dark Web, or if they plan to sell it to other hackers. These data transfers leave a digital trail that you may be able to spot. Large volumes of data moving at an unusual time or to an unexpected location should be a red flag that triggers immediate response.
  • Scan for software installs or changes to critical system files. Hackers may upload a small, innocuous file or make a small update to a core system file before they deploy malware. This is a test designed to see if your systems can detect their activity.

You can stop ransomware attempts in their tracks if you have the right monitors in place, and if someone is watching them. Your systems should be set up to send automatic alerts when they detect anything unusual, and you should have protocols in place to follow up on these alerts.
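The three checks in the list above, as an added example that is not part of the original article: new-device logins, large transfers at an unusual time or to an unexpected destination, and changes to critical files against a hash baseline. The user names, device names, destinations, thresholds and business hours are constructed assumptions.

```python
import hashlib
import os
import tempfile
from datetime import datetime

# Assumptions for this example; set them from your own environment.
BUSINESS_HOURS = range(7, 19)                        # 07:00-18:59 local time
LARGE_TRANSFER_BYTES = 500 * 1024**2                 # 500 MiB
EXPECTED_DESTINATIONS = {"backup.internal.example"}  # constructed allow-list


def new_device_logins(known_devices, logins):
    """Flag logins from a device not yet seen for that user."""
    alerts = []
    for ts, user, device in logins:
        if device not in known_devices.get(user, set()):
            alerts.append(f"new-device login: {user} from {device} at {ts}")
    return alerts


def unusual_transfers(transfers):
    """Flag large transfers made off-hours or to an unexpected destination."""
    alerts = []
    for ts, host, dest, size in transfers:
        if size < LARGE_TRANSFER_BYTES:
            continue
        reasons = []
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if dest not in EXPECTED_DESTINATIONS:
            reasons.append("unexpected destination")
        if reasons:
            alerts.append(
                f"large transfer: {host} -> {dest} {size} bytes ({', '.join(reasons)})"
            )
    return alerts


def snapshot(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    hashes = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(path, root)] = digest
    return hashes


def file_changes(baseline, current):
    """Compare two snapshots and report added, removed and modified files."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            alerts.append(f"file-added {path}")
        elif path not in current:
            alerts.append(f"file-removed {path}")
        elif baseline[path] != current[path]:
            alerts.append(f"file-modified {path}")
    return alerts


def demo():
    """Run all three checks over constructed sample records."""
    known = {"alice": {"laptop-A1"}, "bob": {"desktop-B7"}}
    logins = [
        ("2023-09-04T09:12:00", "alice", "laptop-A1"),
        ("2023-09-05T02:41:00", "bob", "unknown-host-3"),
    ]
    transfers = [
        ("2023-09-04T14:00:00", "fileserver", "backup.internal.example", 2 * 1024**3),
        ("2023-09-05T03:05:00", "fileserver", "203.0.113.50", 800 * 1024**2),
        ("2023-09-05T10:00:00", "workstation", "203.0.113.50", 5 * 1024**2),
    ]
    alerts = new_device_logins(known, logins) + unusual_transfers(transfers)

    # A temporary directory stands in for a folder of critical system files.
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("hosts", b"127.0.0.1 localhost\n"), ("startup.cfg", b"v1\n")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "startup.cfg"), "wb") as fh:
            fh.write(b"v1 changed\n")       # small edit to a core file
        with open(os.path.join(root, "svc_update.tmp"), "wb") as fh:
            fh.write(b"x")                  # small new file
        alerts += file_changes(baseline, snapshot(root))
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Store the baseline snapshot somewhere the monitored hosts cannot write to, otherwise an intruder who can change a file can also change its recorded hash.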

How to Mitigate and Respond to Ransomware Attacks

Sophos reports the average ransomware payment in 2023 as $1.54 million. The mean recovery cost was $1.6 million if the ransom was not paid. Every employee and organizational leader should be aware of these numbers. The days of swatting away hackers with a few thousand dollars in Bitcoin are over. Ransomware is a big-money business for criminals, which is why attacks continue to rise.

There are a few things you can do before and during a ransomware attack to protect your data, your systems and your business:

  1. Make two-factor authentication mandatory. This stops all but the most determined ransomware hackers.
  2. Train employees to never share login codes. Under no circumstances should a two-factor code be shared with anyone. From their first moments at work, employees need to understand that cyber security is part of their job and failure to follow protocols comes with consequences.
  3. Create backups of your data and your systems on a regular basis. These should be stored on devices that are not connected to your networks, and you should plan to keep backups for 120 days. In the event of a ransomware attack, you can use these backups to restore a clean version of your systems and lock the criminals out.
  4. Contact law enforcement. Criminals rely on compliant victims. You may believe that paying the ransom and moving on is the best course of action, but this is precisely what hackers want. By reporting the attack, you achieve two goals: First, you may be able to recover some or all of the stolen funds in the event that you must pay a ransom. Second, you raise awareness of criminal activity that law enforcement can use to stop future attacks and identify criminals. Be aware that ransomware attacks remain a very high priority for state and Federal law-enforcement agencies. If you have been discouraged from reporting cyber crimes by lax response in the past, you will be pleasantly surprised by the support you receive following a ransomware attack.

As always, the best protection is prevention, and the key to prevention is cyber security employee training alongside strong cyber security practices and protocols. Protect Now can help your small business prevent and mitigate attacks. To learn more, contact us online or call us at 1-800-658-8311.

Credential Stuffing: What It Is and Why You Should Be Concerned

A recent credential stuffing attack on 23andme.com left most people bemused, if they noticed it at all. A similarly muted response followed the leak of millions of user records on known hacker forums. What is a hacker going to do with your ancestral history? The answer may surprise you and should concern you if you are lax about password security.

Anatomy of a Credential Stuffing Attack

A credential stuffing attack occurs when a hacker takes stolen login data from the Dark Web, such as a username and password stolen from a previous attack, and uses it to try and gain access to other online accounts. In the simplest terms, it works like this:

  1. A criminal steals, buys or finds usernames and passwords online.
  2. The criminal attempts to access an account on a popular site using the stolen usernames and passwords. This can be done slowly, one set of credentials at a time. The attack on 23andMe.com, which led to the compromise of millions of credentials, may have been automated.
  3. Credentials that work, that is, username and password combinations that give the criminal access to the account, get marked as “working” or valid.
  4. The criminal creates a new database of working credentials and offers it for sale via the Dark Web or hacker forums.

If you are the target of a credential stuffing attack, a hacker now knows two things about you: You use the same credentials on multiple sites and you do not update your passwords frequently. The next criminal in line, who buys the stolen, working logins, may attempt to access shopping sites, your email accounts or your bank accounts.

Why Was 23andMe Targeted?

Criminals target sites like 23andMe because they are popular. In its second-quarter financial report, 23andMe.com reported more than 14 million users. For criminals hoping to validate stolen logins, a popular site is a good place to start. Criminals are not necessarily interested in hijacking someone’s 23andMe account, but they are interested in finding out if username and password combinations work. Hackers can then prove that they gained access to the accounts by posting some data that would only be available to the account holder; in the case of 23andMe, this was information about clients’ genetic history, which is only shared on an individual basis with registered users.

That proof increases the value of the records. Criminals assume that people who use the same username and password on more than one site likely use it on additional sites, which may include Amazon, eBay, Facebook or banking sites. Armed with working passwords, criminals can then attempt to hijack the accounts that they truly want. For the hacker who carries out a credential stuffing attack, the reward comes from selling data.

Most of the top websites in the United States have protections in place to prevent large-scale credential stuffing attacks, which makes the 23andMe.com attack unusual. It is possible that the site was targeted because it offered a combination of a large user base and vulnerability to automated attacks, allowing hackers to test millions of potential username and password combinations. The most-visited websites, and nearly all financial services sites, have safeguards in place to prevent hackers from testing more than a few credentials at a time.

If you are a high-value target, such as someone with a large bank balance, access to large volumes of personal data, access to corporate or public-sector infrastructure or the ability to authorize wire transfers, you are particularly vulnerable to a targeted credential stuffing attack. Criminals will mine databases of validated credentials looking for a few people, identified by their usernames or email addresses, that are high-reward targets. They will then attempt to use stolen credentials across several popular sites to find shared passwords. Because they only try a few credentials at a time, systems that block mass attacks fail.
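A defender's view of the two attack shapes described above, as an added example that is not part of the original article: it scans login records for one source trying many usernames (the mass attack) and for one account collecting failures from several sources (the low-volume, targeted attack). The log format, the thresholds and all names and addresses are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: ISO timestamp, source IP, username, outcome.
# Addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2023-10-10T09:00:01 203.0.113.7 alice FAIL
2023-10-10T09:00:02 203.0.113.7 bob FAIL
2023-10-10T09:00:03 203.0.113.7 carol OK
2023-10-10T09:00:04 203.0.113.7 dave FAIL
2023-10-10T09:00:05 203.0.113.7 erin FAIL
2023-10-10T09:10:00 198.51.100.20 frank FAIL
2023-10-10T09:10:30 198.51.100.20 frank OK
2023-10-10T11:00:00 192.0.2.11 cfo FAIL
2023-10-10T13:30:00 192.0.2.12 cfo FAIL
2023-10-10T16:45:00 192.0.2.13 cfo FAIL
"""


def parse(log_text):
    """Return time-ordered (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing
        ts, ip, user, outcome = parts
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return sorted(events)


def mass_sources(events, window=timedelta(minutes=5), min_users=4):
    """Sources that tried many different usernames inside one window.

    Returns {ip: [accounts that logged in successfully from that ip]}.
    Those accounts had a working password tested against them and need
    a forced reset, not just a block on the source address.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            users = {u for _, u, _ in rows[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged


def targeted_accounts(events, window=timedelta(hours=24), min_sources=3):
    """Accounts with failed logins from several different sources.

    A per-source limit never fires here, because each source makes a
    single attempt. Grouping by account exposes the pattern instead.
    Returns {user: [source ips]}.
    """
    by_user = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_user[user].append((ts, ip))
    flagged = {}
    for user, rows in by_user.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            ips = {ip for _, ip in rows[start:end + 1]}
            if len(ips) >= min_sources:
                flagged[user] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("mass sources:", mass_sources(events))
    print("targeted accounts:", targeted_accounts(events))
```

A user who mistypes a password once and then succeeds (frank in the sample) appears in neither result.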

Should I Be Concerned, and What Should I Do?

Anyone who used 23andMe for a DNA test or opened an account on the site should change that password immediately. If you used the same password on other sites, it should also be changed immediately. The nature and extent of the 23andMe attack, including the number of logins compromised, remain unknown, which makes the potential threat to individuals unknown.

There are a number of additional steps you should take, whether impacted by 23andMe or not, to protect your online accounts from hijacking.

  1. Enable two-factor authentication. This is the strongest measure you can take against account hijacking. Even if criminals get your username and password, they will not be able to access the one-time code needed to complete a login. Two-factor authentication is a must for your email and financial logins, and you may want to avoid websites that do not provide it as an option.
  2. Sign up for account access notifications. Many of the web’s most popular sites, including Microsoft, Gmail and Disney properties, will send you an alert if your account is accessed from a new device. Always enable this notification when it is offered, as it will alert you if criminals attempt to access your accounts. If you receive an alert about activity that you do not recognize, immediately change that password and enable two-factor authentication.
  3. Close and delete accounts for services you no longer use. Some sites and service providers will offer to keep your account in a suspended state, hoping that you will return in the future. Reject this convenience and insist that all of your account data, including login information, be removed when you close your account. To ensure that this has been done, attempt to log in to the account with your canceled username and password. If the system does not recognize it, you can consider the account fully closed. Old accounts are a significant vulnerability, because you may not be aware that your credentials were stolen during a cyber attack.
  4. Never use the same password or username across multiple accounts. Avoid small variations as well, as a determined hacker could crack your code with a set of your usernames and passwords. As a hard rule, it should take a hacker more than 5 tries to guess your password, as many sites will suspend access to your account after 3 or 4 failed login attempts. Assume that criminals have stolen your credentials from multiple sites and avoid passwords with patterns; for example, if you use passwords such as Magnolia1, Magnolia2 and Magnolia3 on different sites, a criminal can very easily figure out that pattern and make an accurate guess about other passwords.
  5. Consider a password manager. Next to two-factor authentication, password managers are the best way to keep your logins safe, but the most robust options come with monthly fees. If you are a high-value target, the extra expense may be necessary. Businesses that use password managers should consider offering them for employees’ personal devices as a perk. While there may be a small amount of additional overhead, this will cost far less than the work hours lost by an employee who has to recover from a cyber attack. This also plugs a potential path for phishing and pretexting attacks.

The more difficult you make life for criminals, the more likely they are to leave you alone. Password protection should be your highest priority, as poor password hygiene opens the door to attacks that could devastate your finances or your business. If you need some practical advice for protecting your email, check out our free E-mail Safety Crash Course Elearning video. If you have larger cyber security needs, please contact us online or call us at 1-800-658-8311.

Are Backup Files the Missing Link in Your Cyber Security?

Do you have backup files for your critical business data and software? Where are they stored? How often are they updated?

During Cyber Security Awareness Month, you should be asking these three critical questions. Too often, business leaders and employees see cyber security as an ongoing battle against phishing, business email compromise and other direct scams. While these are core concerns in cyber security, data safety is also essential. You can train your people to stop pretexting attacks, but that training is of no value when a hacker encrypts or steals all of your business data, shutting down your operations. Even the most experienced IT professionals can have a blind spot when it comes to data backups.

Cloud Backup Files Are Not Enough

The default choice for many businesses is cloud backup, which is simple to implement and easy to access. The convenience of cloud backup files can obscure a significant risk: Cloud services can be hacked. If your only backups exist on a server, and that server is compromised, your backup data are gone. You may have done enough to qualify for a cyber liability insurance or business interruption insurance claim, but you still lack the data you need to run your business.

Cloud backup files should be part of your cyber security protocols, but they should not be your only path to data recovery. Backups on a solid-state device, such as a USB drive or an external hard drive, are also necessary for the following reasons:

  1. Your cloud backups can be compromised. Hackers may encrypt or steal your data from your cloud backup provider, or compromise your cloud provider’s operations, preventing you from accessing data.
  2. Backup files may contain malware. Cyber criminals are more patient than most people realize. It is rare for them to gain access and immediately deploy malware or ransomware. Instead, they will lurk for weeks, sometimes months, waiting to deploy an attack. If criminals launch a ransomware attack that encrypts all your files and you attempt to restore a recent backup, there is a good chance it will fail to solve the problem.
  3. Cloud backup files may be incomplete. Creating a daily cloud backup is a good practice, but daily backups typically get purged after a few weeks to make room for newer backups. If you need data that is more than a month old, it may not be available. Your cloud backups may also be limited in scope; they may save daily data, but not the software you need to access that data.

Best Practices for Backup Files

Backup files are a crucial part of your overall cyber resilience. In the event of a ransomware attack, backup files may allow you to restore systems and avoid paying a ransom. In the event of data loss or exfiltration, backups may allow you to determine exactly what data were stolen, which can help you comply with new SEC Disclosure Requirements. Backups may also help cyber security professionals identify the timeline and methods used in a cyber attack.

Here are five things every organization should do to incorporate backup files in a cyber resilience plan:

  1. Employ cloud backups wherever they are offered. Even with their limitations, cloud backups offer the simplest option for daily data and system protection. Set up daily backups for your website, business data and cloud-based services that you use. Be sure that data are encrypted and take note of what is and is not backed up; for example, a website backup may include the core elements of the site and exclude add-ons, plugins and custom code. Cloud services may back up your business data but not any customizations you have made to your cloud environment. When in doubt, ask your service provider for a full list of what is and is not backed up. Ask how long data are retained as well, and make a note of that timeline. If you have to pay a little extra for daily backups or longer data storage, it may be a worthwhile investment.
  2. Create solid-state backups of business data. At least once a week, essential business data should be downloaded to spreadsheets and stored on a USB device or external drive. Once the storage device is full, label it with a date and keep it in a secure area in your office under lock and key. Restrict access to these backups to IT staff and senior leadership, and allow access only if critical systems are compromised and data become unrecoverable. Note that backups containing personal information may need to be erased or destroyed to maintain compliance with the FTC Safeguards Rule.
  3. Maintain a physical file of critical business data. This should include information that you need to keep your business running, including client names, phone numbers, addresses and order or delivery information. To determine what to include, imagine a situation where your business is without power for several weeks, or where you lack access to your office due to a fire or disaster. What would you need to continue to service your clients, and what functions can you track and complete offline? The physical file can be created in a spreadsheet and printed weekly, or as you add new clients. Like data backups on external drives, information in these files is subject to the FTC Safeguards Rule, so you will need to store the physical files in a secure place, limit access to them and destroy old copies periodically.
  4. Create a System Recovery Image or Recovery Drive. An IOS Recovery Drive will allow you to repair a failing Mac or reinstall your MacOS software. A Windows System Recovery Image is a complete snapshot of your current Windows installation, settings and applications. These recovery images should be created quarterly and stored on a USB or external drive. Use a separate drive for each backup to reduce the risk of malware. These backup files have a practical purpose beyond cyber security: In the event that your primary computer is lost or damaged, you can use them to rebuild your systems on a new device. They can also help you restore systems if your hard drive fails.
  5. Maintain access to your passwords. If you rely on your browser to fill in stored passwords, you could find yourself locked out of critical systems. A cloud-based password manager can provide access, as long as you have a copy of the keys and passwords needed to access it. Consider keeping critical passwords on a written list or in a text file on a USB drive that you store in a secure place, such as a safe or locked drawer. Never store sensitive passwords in emails or files on your hard drive, as cyber criminals will look for these if they gain access to your systems.

Backup files, printouts and drives should be treated with the same care as digital data. They must be kept in a secure place and should be used only when necessary. These additional security measures should not deter you from creating backups. In the event of a ransomware attack, natural disaster or catastrophic damage to a computer, backup files can get you up and running in less than two hours, or provide the information you need to run your business offline until online problems can be addressed.

Large organizations should have protocols in place to create and maintain backups as part of an overall cyber resilience plan. Small businesses and sole proprietors will need to manage backups by themselves, but it is not a complex or overly time-consuming process. If you need guidance on creating system recovery files, or help creating and protecting backup files, please contact us online or call us at 1-800-658-8311.

Real Estate Fraud Is Booming: How Are You Protecting Your Clients?

Data from the Federal Bureau of Investigation (FBI) point to boom times for real estate fraud. In 2022, real estate fraud cost victims $396.9 million, a 13.30% rise from 2021 and an 86.18% rise from 2020. More than $132 million more was lost to real estate fraud in 2022 than to check and credit card fraud, which get the majority of the headlines.

As the FBI notes, these crimes can be devastating for individuals, who could lose their life savings or the opportunity to use money from a home sale to purchase another property. Loss of a commission or fee is the least of the worries here. Imagine how you would feel if your actions caused someone to lose everything they had. Imagine what that client will say about you, and the damage this could cause to your business and professional reputation.

Why Is Real Estate Fraud Rising?

Real estate is a preferred target for criminals for one reason: wire fraud. Few other industries move money from individual clients at the level of real estate professionals. A single transaction can be worth $250,000, $500,000 or over $1,000,000. All a criminal has to do is grab one of those transactions for a massive payday.

Sophisticated criminals know that real estate wire transfers are low-risk, high-yield opportunities. Why settle for a few hundred dollars from a stolen credit card when a single wire transfer could be worth hundreds of thousands?

How Real Estate Wire Fraud Works

The majority of real estate wire fraud cases stem from business email compromise (BEC) attacks. You may currently be in the crosshairs of a fraudster and not know it.

These attacks follow a predictable pattern:

  1. A criminal gains access to email accounts for individuals involved in a real estate transaction. This could be an agent, a broker, a banker or an individual buyer or seller.
  2. The criminal waits until the wire transfer is about to take place. They then send an email, either spoofing a real email account or directly from a compromised email, directing the wire transfer to a bank account that they control.
  3. The unwitting real estate professional sends the transfer to the bogus account.
  4. The criminal empties the account as soon as the transfer is complete. They may withdraw cash, transfer the funds to new accounts, convert the money to cryptocurrency or make deposits via large checks.

Around half of the money stolen in wire fraud scams remains in the United States, while the other half routes to offshore banks, with China and Hong Kong as top destinations. Once the money has been moved, there is little that law enforcement can do to recover it, though the recovery rate is higher for money that stays in the United States.

Steps to Take to Prevent Wire Fraud

To protect your clients and your business, you must first acknowledge that you are a target. You transfer life-changing amounts of money using methods that criminals understand and know how to exploit. In the 1800s, criminals went after stagecoaches loaded with cash and valuables, as well as trains. In the 1900s, criminals infiltrated airports and robbed couriers and armored vehicles. In the current era, a single criminal can get a larger payday by intercepting a single wire transfer.

Today’s criminal may have an edge, because the people who moved cash and valuables in the past knew that they were targets and took steps to defend themselves, while the targets of wire fraud may be completely unaware of their vulnerability. Know that criminals are watching you, that they want to steal from you and that it is a matter of when, not if, they will attack.

Understanding this threat will help you recognize risks. Vigilance is the most important tool in cyber security. With that in mind, here are some techniques you can use to prevent wire fraud.

Preventing Real Estate Fraud in Your Business

Be aware that criminals will attempt to gain access to your email, business emails, client emails and the systems you use to transfer funds, such as online banking apps. You may not know that an account has been compromised, and criminals may wait to launch an attack until they see a high-dollar transaction.

1. Enable two-factor authentication. Anyone who has the authority to issue a wire transfer must use some form of two-factor authentication to protect their email and banking logins. This is required for all users of Gmail, and should be an option for any software you use. The best form of two-factor authentication sends a code via text message to your phone. Never share these codes with anyone under any circumstances.

2. Monitor network activity. Your in-house or third-party IT support professionals, or a Virtual CISO, should monitor online requests to and from the services you use. In some cases, service providers may do this automatically. Requests that come from unusual locations or at unusual hours, as well as any first-time request from a new location, should be flagged for review. Criminals need to communicate with your servers to send fake emails. Monitoring logins and access requests is one of the best ways to detect criminal intrusions. Monitor for unusual data exchanges as well, as these could signal a cyber attack.

3. Change passwords often, or use a password manager. Criminals like soft targets who do not appear to be aware of cyber security. Changing passwords sends a signal that you take security seriously. Using a password manager sends the same message. Do not expect to deter all criminals engaged in wire fraud with this method, as the lure of a big payout tends to make criminals more persistent and willing to take bigger risks, but do know that these methods will make it much harder for them.

4. Require additional authorization before sending a wire transfer. Set a company-wide protocol that requires a second person within your business to review wire transfers before they are sent. This person should receive a copy of any emails authorizing transfers, including the sender and reply-to lines. A second set of eyes may catch an irregularity that you miss.
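The login review described in step 2, sketched as an added example that is not part of the original article: it builds a per-user baseline from past logins and flags new logins from a first-time location or outside the user's usual hours. The record layout, the one-hour padding, the function names and all accounts and locations are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history of known-good logins: (user, local time, location).
HISTORY = [
    ("agent@example.com", "2023-09-04T08:55", "Boston, US"),
    ("agent@example.com", "2023-09-05T09:10", "Boston, US"),
    ("agent@example.com", "2023-09-06T17:40", "Boston, US"),
    ("agent@example.com", "2023-09-07T12:05", "Providence, US"),
    ("broker@example.com", "2023-09-05T10:30", "Boston, US"),
]

# Constructed new logins to review.
NEW_LOGINS = [
    ("agent@example.com", "2023-10-02T09:02", "Boston, US"),
    ("agent@example.com", "2023-10-02T03:14", "Boston, US"),
    ("agent@example.com", "2023-10-03T10:20", "Lisbon, PT"),
    ("agent@example.com", "2023-10-03T23:50", "Lisbon, PT"),
    ("newhire@example.com", "2023-10-03T09:00", "Boston, US"),
]


def build_baseline(history, pad_hours=1):
    """Per user: locations seen before and the usual range of login hours."""
    seen = defaultdict(lambda: {"locations": set(), "hours": []})
    for user, ts, location in history:
        seen[user]["locations"].add(location)
        seen[user]["hours"].append(datetime.fromisoformat(ts).hour)
    baseline = {}
    for user, data in seen.items():
        baseline[user] = {
            "locations": data["locations"],
            # Pad the observed range so a slightly early start is not flagged.
            "earliest": max(0, min(data["hours"]) - pad_hours),
            "latest": min(23, max(data["hours"]) + pad_hours),
        }
    return baseline


def review(baseline, logins):
    """Return (user, timestamp, reasons) for every login that needs review."""
    flagged = []
    for user, ts, location in logins:
        profile = baseline.get(user)
        if profile is None:
            # No history at all: treat as a first-time request.
            flagged.append((user, ts, ["no login history for this user"]))
            continue
        reasons = []
        if location not in profile["locations"]:
            reasons.append("first login from " + location)
        hour = datetime.fromisoformat(ts).hour
        if not profile["earliest"] <= hour <= profile["latest"]:
            reasons.append("outside usual hours")
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in review(build_baseline(HISTORY), NEW_LOGINS):
        print(ts, user, "; ".join(reasons))
```

A location stays flagged until someone reviews it and adds it to the history, so a repeat login from the same new place is reported again rather than silently trusted.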

Protecting Clients from Wire Fraud

1. Educate clients on wire fraud risks. You may worry that clients will choose someone else if you start talking about wire fraud. In reality, some clients will approach you fully aware of the risks, while others will find your focus on security valuable. As part of your initial meeting with a new client, ask them what they know about wire fraud. Position yourself as knowledgeable and committed to protection.

2. Collect two contact emails and phone numbers, if possible. Make a note of these in the client’s record. Inform the client that no transaction can be authorized without verification via a phone call. When criminals send phony transfer requests, they often include a phone number to call. Ignore this and use the number you have on file. If you cannot reach someone at the primary number, use the secondary number.

3. Establish a password with your clients. This should be communicated only by voice, never by email. It should be something difficult to guess, and potentially meaningful to the client, such as a favorite teacher’s or pet’s name. Tell the client that you will call to verify any transfer request and that you will ask for the password. If the client forgets the password, ask them to come to the office to verify a request in person, or offer to visit them to confirm.

4. Refuse to accept wire transfer instructions via email. If your company policy forbids emailed instructions, and you communicate this clearly to clients, you can ignore every criminal attempt to email transfer instructions. If you receive such an email, you will then know that someone involved in the transaction has had their cyber security compromised.

5. Have the client personally verify transfer receipt. If possible, this step ensures that funds go to the right place. Time is of the essence in stopping wire fraud, as criminals will begin moving the money the moment they have access to it.

Remember that criminals may target your client. Everyone involved in a high-dollar transaction should be on alert for unusual online activity. Warn clients that someone claiming to be you may try to contact them. Setting up client-specific passwords and requiring voice or in-person verification of transfers are two of the best ways to stop criminals from hijacking funds.

Be aware that criminals have access to a growing arsenal of sophisticated tools, including AI-powered deepfake technology that allows them to impersonate someone’s voice in real time from just a few seconds of online audio. While this may seem too sophisticated to affect you, remember that a single transfer worth hundreds of thousands of dollars is strong motivation for criminals.

Real estate fraud seldom makes headlines, but it happens every single day, and it can wipe out your clients’ finances. To serve your clients professionally, you must make cyber security awareness and training part of your practice. If you need help with training, or with securing your systems against criminals, please call us at 1-800-658-8311 or contact us online.

Cybersecurity Awareness Month: 5 Simple Ways to Boost Your Security

October 2023 marks the 20th annual observation of Cybersecurity Awareness Month, an annual declaration from the U.S. Congress and the White House intended to remind individuals and business owners of the importance of cyber security. The month exists to acknowledge that all of us can, and should, do more to stay safe online and to protect our businesses and communities from cyber attacks.

There are two sad but true realities about Cybersecurity Awareness Month. First, if you worry about cyber security, you are not alone. Second, if you take some time to protect yourself, you are in the minority. Norton reported in 2021 that 53% of the people it surveyed did not know how to protect themselves from cyber crime, even though 58% were worried about becoming a victim.

Thinking about cyber security is good, but doing something about it is even better. To help you get Cyber Security Awareness Month started in the right direction, here are 5 very simple things you can do right now, if you have not already, to improve your cyber security.

#1 Enable two-factor authentication on a single account. Despite its incredible effectiveness in blocking attacks and preventing phishing attacks, two-factor or multi-factor authentication use remains spotty, with only 13% of employees at small businesses required to use it, according to Zippia.

If you are among the 1.8 billion Gmail users, you know that two-factor authentication is mandatory, and that it is generally unobtrusive and simple to use. Nearly every online service offers some form of two-factor authentication. Pledge to activate at least one of them before the end of October. If you have two-factor authentication on some logins, such as banking apps, but not others, pledge to turn on at least one more during the month. You will gain a very significant boost in your cyber security in exchange for a few seconds of your time. Ultimately, any time you spend responding to two-factor requests will be far less than the time you could spend worrying about your online safety.

#2 Cancel one service you no longer use. Did you sign up for a newsletter you no longer read, or subscribe to a game you no longer play? Most people have a few recurring subscriptions nibbling at their bank account balances each month, even though they never use the service. Is it really worth ending that $1 monthly charge that gives access to the gym?

The answer is yes. Not only do those charges siphon money you could put to better use, they also expose you to cyber risks. Cyber security professionals often discuss the “threat surface,” which is the number of possible routes an attacker can take to gain access to data or passwords. Good cyber security practices limit the threat surface by eliminating any unnecessary logins or access points to accounts.

Older, forgotten subscriptions and logins are ripe for attack because you may not notice activity coming from them or perceive it as a threat. It only takes a few minutes to cancel a subscription and reduce the size of your threat surface.

#3 Change one password. Your password has been stolen. This is not a hypothetical statement. Nearly every password has been stolen and now circulates on the Dark Web. This is another reason to strongly consider two-factor authentication.

You might think that a criminal gets your password, tries to log in once with it, then throws it away if it does not work. In some cases this is true, but in others, that password gets attached to a profile of you that criminals build from information stolen or scraped from a variety of sources. This is the same kind of profile that companies like Alphabet and Meta build from the data you share with them, but without your authorization and with criminal activity in mind.

There are two types of people who tend to attract this kind of criminal attention. The first group knows that they are targets, because they have access to significant online systems or large amounts of money or data. The second group has no idea that they are vulnerable, because they are soft targets.

Soft targets never change passwords, use the same password in multiple places and rarely activate security features like two-factor authentication. It is very easy for criminals to find soft targets. When they harvest a database of new information, they compare logins and passwords to what they already have. If they see the same passwords again and again associated with the same email address, they know they have a soft target.

Changing a password makes you a harder target. For many people, that can be enough to reduce criminal interest and attention.

#4 Uninstall one app. Is your phone clogged with icons from apps you no longer use? Uninstall one and reduce a bit of digital clutter. For added security, delete your account from that unused app before you uninstall it, which will help to reduce your threat surface.

As a cyber security awareness bonus, think of this when you uninstall that app: Every time you open an account or download an app, you are trusting the cyber security of the company that provides that app or service. Ask yourself if they appear to take security seriously. Ask yourself what happens to your security, and your data, if that company stops supporting the app or goes out of business. If you think about these things while you delete an unwanted app, there is a good chance you will think about them the next time you download an app.

#5 Update one piece of software. Whether it’s your browser, your smart phone’s operating system or a plugin on your website, make a point to check for updates and update one thing. If it’s been some time since you updated, you may notice two things: First, you have a lot of updates pending. Second, updates happen in seconds with almost no fuss.

A common theme runs across these five Cyber Security Awareness Month tips: Each is a simple step that will take no more than a few minutes of time and make you more secure online. The hope is that if you do this once, you will see how easy it is and repeat the process until everything is secured, updated or deleted. Remember that every small step you take contributes to stronger overall security.

If you think your personal cyber security awareness needs a boost, consider our Online CSI Protection Certification program. Through a series of videos presented by our Head Trainer Robert Siciliano, you will learn how to recognize and stop cyber attacks, as well as how to approach online interactions with security in mind. You can complete the course at your own pace, and you will retain access to the videos for review whenever you need it, and gain access to additional cyber security support resources. Try our free course on email safety to experience the program for yourself.

Corporate Cyber Security Leadership Is Lacking, Survey Finds

With Cyber Security Awareness month set to kick off on October 1, a new survey finds that the boards of U.S. companies should pay attention. The Wall Street Journal reports that an analysis by software provider Diligent found 88% of companies listed on the S&P 500 have no directors who are cyber security experts.

The survey defined “experts” as those who had served as a Chief Information Security Officer (CISO) or who had technology experience, including those who had previously held senior roles in technology. The survey also found that 52% of companies had at least one member of the Board of Directors with technology experience “adjacent to cyber security.” NightDragon CEO Dave DeWalt, who commissioned the survey with Diligent, said, “This lack of momentum in the boardroom continues to startle me.”

Without Leadership, Cyber Security Will Continue to Fall Short

If 100% of companies listed on the S&P 500 use technology, 100% should have some cyber security expertise on their boards of directors. These boards exist to set company priorities and guide business growth. Without directors who understand the ever-evolving strategies and techniques used by cyber criminals, it is difficult to take their security measures seriously.

New Securities and Exchange Commission cyber attack reporting rules that went into effect on September 5, 2023, may push some companies to pay closer attention to online security. The rules are a step in the right direction, but they fall short in one regard: A provision that would have required companies to detail cyber security experience on their boards was dropped from the final regulations. The SEC dropped this provision amid complaints that a specific level of expertise was not defined in the rules, that an insufficient number of cyber security experts were available to hold director positions and that the requirement might limit diversity on company boards.

In other words, the Federal government backed off a sensible requirement because businesses said they could not find the right people. The gap in leadership starts with Federal regulators, then trickles down to the companies that face cyber threats.

Shareholders Must Take Notice

One benefit of the new SEC reporting rules is a requirement that publicly traded companies report cyber attacks and their impact on business activities. Shareholders should use this information to probe the expertise and cyber awareness of the companies whose stock they hold. Effective immediately, a search of a company’s filings in the EDGAR Database will reveal the number and severity of recent cyber attacks for any publicly traded company. Companies that suffer repeated attacks, or that suffer easily preventable attacks, should be held to account on their security practices and training.

Shareholders have the right to question company leadership and to demand change if they feel threats are not adequately addressed. The SEC disclosure rule puts the needed information in shareholders’ hands, but it is only valuable if shareholders use it to demand accountability.

Not every company needs a CISO on its Board of Directors, but every company should strive to have at least one director with significant cyber experience who can evaluate threats and risks. When that expertise is not available, companies must outsource experienced support.

All too often, companies fail to take action until after a cyber attack occurs. Criminals know this and see U.S. businesses as ripe targets for data theft and ransomware extortion. Solving this problem requires every U.S. business to see security as more than occasional employee training and software updates. The larger the company, and the more it relies on technology, the more critical the need for a comprehensive cyber strategy.

Small businesses have a role to play as well, as they are part of the overall “threat surface” for their clients and partners. Many companies have received letters from partners in recent weeks asking about their security practices and protocols as publicly traded companies ramp up their compliance. If you need help responding to these requests, please contact us online or call us at 1-800-658-8311.

Social Engineering Eyed in High-Profile Casino Attacks

Social engineering may be behind two high-profile attacks on casino operators Caesars and MGM. In an 8-K filing with the Securities and Exchange Commission, Caesars Entertainment reported “a social engineering attack on an outsourced IT support vendor used by the Company.” Hackers were able to steal data from the Caesars loyalty database around September 7, exposing an unknown number of driver’s license and Social Security numbers. The Wall Street Journal reported that Caesars paid around half of a $30 million ransom demanded by hackers to restore systems and delete stolen information. In its SEC filing, Caesars noted that there is no guarantee the criminals will delete the data.

Elsewhere in Las Vegas, MGM systems, including coded room keys, booking systems and slot machines, were turned off following a ransomware attack. Reuters reported that the ransomware attack was attributed to a group known as Scattered Spider, which has previously targeted telecommunications and business outsourcing firms. Scattered Spider is also believed to be behind the Caesars attack.

Anatomy of a Social Engineering Attack

In an interview with TechCrunch, an alleged Scattered Spider spokesperson took credit for the MGM social engineering attack but denied involvement with the Caesars hack. The spokesperson claimed that they had found information on an employee at an MGM IT vendor via LinkedIn, then called the vendor’s help desk to gain access to that person’s account.

Social engineering attacks are targeted. The criminal is typically armed with some information about an individual they are attempting to impersonate or persuade. The most sophisticated attackers can now employ artificial intelligence tools that synthesize an individual’s voice using just a few seconds of online audio. They will then call people who can grant account access, such as bankers or help desks, using the fake voice in real time to try and gain account access. Employees at companies that are high-value targets, such as hospitals, banks, casinos and telecom providers, and third-party vendors that serve these companies are most likely to be targeted with sophisticated attacks. The larger the potential payout, the more sophisticated the attack will be.

Other social engineering scams are clumsier and should trigger immediate red flags. Someone may call claiming to be a vendor or IT staffer and ask the victim to read out a two-factor authentication code over the phone, defeating the protection this authentication offers. Attacks like this are very common and can happen to any employee in any business.

Scattered Spider is not as sophisticated as some criminal gangs and state-sponsored hackers. They are motivated by money and mainly made up of young people, with one report suggesting they deliberately recruit young teens to avoid significant criminal consequences if they get caught. What business owners should know is that groups like Scattered Spider are sophisticated enough if they can trick employees into providing access or divulging information.

Preventing Social Engineering Attacks

As social engineering attacks become more sophisticated, business owners must double down on cyber security employee training and establish firm protocols that guide information or access requests. Individuals have a responsibility as well, as they must limit the discovery of information that criminals can use in social engineering attacks. Here are five things to do now to reduce your risk:

  1. Review your LinkedIn and social media profiles. Do strangers need to know where you work? Does your profile need to be publicly accessible? For a handful of people, the answer is yes, and those individuals generally take steps to separate their public profile from their private and business profiles. For most workers, the answer is no. Follow this simple rule: The more you share, the less visible your profiles should be. Go ahead and cultivate a professional network on LinkedIn, but limit your visibility to people you know.
  2. Change your passwords. Assume your current username and password are available for sale on the Dark Web. They likely are, making it a matter of time before a criminal connects that information to your workplace accounts. Use separate passwords for work and personal accounts and change them every few weeks, at least four times each year. When criminals see passwords changing, they recognize that you take cyber security seriously and may pass you by in favor of an easier target.
  3. Enable two-factor authentication. This should route access codes to a device that is with you at all times. Never, under any circumstances, share one of those access codes with someone. Two-factor authentication remains one of the strongest protections against account hijacking.
  4. Assess your level of risk. Some companies know they are targets, because they have access to money or personal data. Those companies typically have very strict protocols in place to deter social engineering and phishing attacks. Vendors may not have the same level of protection or training, which gives criminals a back door into secured systems. If you have high-value clients, you must adopt their level of cyber security and train every employee to recognize and respond to attempted cyber attacks.
  5. Require review of access attempts. One of the best protocols to put in place is to require a second set of eyes on any attempt to gain access to accounts via phone, text or email. These requests should route to a higher-level employee who is well-versed in social engineering and phishing attempts. When in doubt, protocols should require a call to the phone number on file for the individual as a final step in approving access. Do not call any other number, and do not use redial, as scammers may spoof an individual’s phone number on your devices.

Sophisticated social engineering attacks work because employees are trusting and want to do a good job. Training must emphasize that security is as important as customer service, if not more so. An inconvenienced person may be upset with you briefly. A cyber crime victim will never forget who allowed the attack to happen.

If you need employee training, anti-phishing training, compliance services or guidance on establishing cyber security protocols, please contact us online or call us at 1-800-658-8311.