When and How to Report a Cyber Attack Attempt

Should you report a cyber attack attempt? Even a small, seemingly insignificant one? The answer is almost always yes.

There are two reasons to report a cyber attack. The first is to show cyber criminals that you take security seriously. The second is to gain safety in numbers. The more people who are aware of current attacks and techniques, the harder it is for criminals to operate. Remember that hackers and fraudsters depend on their victims knowing little no nothing about their scams. Spread the word, and you help others defend themselves. When enough people fight back or ignore scam and hacking attempts, criminals move on to easier targets.

When Should I Report a Cyber Attack Attempt?

You should immediately report any cyber attack that occurs at the workplace, targeting your office phone, personal phone, email, text messages or web browsers. You should consider reporting attacks that target your personal email or phone as well, if you believe the attacker obtained information about you online. Senior executives and those who have access to financial or information-management systems should report every attack on any business or personal device.

What looks like a common malware email, such as “Your package could not be delivered,” or “Your account has been suspended,” takes on an added significance if you are a high-value target. Low-level employees may not need to report mass-email phishing and malware attacks, but should report any attack using a business or personal phone number, particularly if the attacker claims to be a co-worker.

Where Should I Report an Attempted Cyber Attack?

The size of your business will determine how you should report the attack.

For mid-size and large companies: You likely have an internal or external specialist who handles your cyber security. Report all attacks to this individual, no matter how small or obvious they may seem. Do not worry about being a nuisance. It is the cyber specialist’s job to determine how significant or widespread an attack may be, and they can only do their job if they have a complete picture of the threats a business faces. Provide as much detail as possible, including screenshots of emails and text messages, if any.

If someone calls or texts you claiming to be a coworker, report this activity immediately. Targeted pretexting attacks are on the rise, with some criminals using sophisticated software to impersonate the voices of business leaders and public figures. These attacks are resource-intensive and require planning. which makes it more likely that a criminal will target multiple individuals within an organization.

For small businesses: If you work in a small business without an in-house cyber security or IT specialist, you have two options:

  1. If you have an external IT specialist, report the attack to them and ask them to monitor your systems for any signs of unusual behavior.
  2. If you do not have an external IT specialist, send an email to all coworkers advising them of the attack. Send a screenshot of the text, email or website and ask if anyone else has received similar messages. If multiple people in a small business report the same attack, it may be a sign that you have been targeted. Strongly consider professional IT support to identify any possible system breaches or data loss if this occurs.

Reporting Attempted Attacks to Law Enforcement

Every successful cyber attack should be reported to local police. Your cyber insurance policy likely requires this. If customer data are stolen, you must report the attack to police and check reporting requirements under the FTC Safeguards Rule, if you qualify as a Financial Institution, and the SEC Disclosure Rule, if you work for or partner with a publicly traded company. Any significant data breach should be reported immediately to your state Attorney General’s office. In the case of a significant data breach or an attack that compromises critical public systems, you should contact the local Federal Bureau of Investigation field office and your state Attorney General, who will provide support and additional guidance on disclosure. Note that in some cases, cyber attacks and data breaches should not be disclosed to the public without first contacting Federal or state officials.

Whether you should report an attempted cyber attack is murkier and depends on the nature of the attack. If you have publicly traded companies among your clients, or clients covered by the FTC Safeguards Rule, you should report targeted pretexting attacks to their IT or cyber security specialists. Criminals may be attempting to harm your partners by attacking their vendors, clients or associates. Law enforcement agencies generally will not handle this reporting for you. You must do it yourself, and you should do it as quickly as possible, as you may have some obligations to report under the Safeguards Rule or SEC Disclosure Rule. When in doubt, reach out.

Where Else Should Attempted Cyber Attacks Be Reported?

If you work for a franchise business, report any cyber attack attempt to your franchisor’s head office immediately. This is especially critical if the attacker attempts to impersonate a senior employer of the business. Criminals may be launching simultaneous attacks against franchisees. Your quick response could prevent significant damage to the business and your fellow franchisees.

If you are part of a trade association, such as a Bar Association or the National Association of REALTORS®, for example, or if you are a member of a state association or Chamber of Commerce, report any cyber attack that targets your business or employees to the senior officials in your area, and to your local and national headquarters. In recent years, there have been surges of criminal cyber activity targeting specific sectors, such as health care or public schools, or specific regions, such as the recent spate of Vacant Land Scam attempts in the Southwest United States. There is no way to know if an attack on your business is isolated or part of a bigger trend. Spreading the word to professional associates may give them the opportunity to stop similar criminal attacks.

 

Would you know what to do during a cyber attack? Download our free Cyber Crime Response Kit, which includes detailed, step-by-step instructions that will help you prevent an attack from spreading, quarantine infected devices and rebuild systems safely. For more detailed guidance on preventing and responding to cyber attacks, please contact us online or call us at 1-800-659-8311.

Lessons Every Worker Can Take from Realtor Safety Month

September 2023 marks the 20th anniversary of the National Association of Realtors’ (NAR) REALTOR® Safety Month. With more than 1,5 million members, the NAR is the largest trade association in the United States, and it has extensive experience working with real estate professionals, law enforcement and government officials to improve on-the-job safety.

Lessons Every Worker Can Take from Realtor Safety MonthIt should surprise no one that real estate brokers, appraisers, salespeople and property managers are victims of violent crime, with 23% reporting that they feared for their safety, or the safety of their personal information, in the 2022 NAR Member Safety Residential Report. That is nearly 1 in 4 individuals who felt threatened on the job,

Safety Month exists to raise awareness of the common dangers faced by these professionals, who often meet with people alone, in remote locations and in empty buildings. Those situations are not unique to the real estate industry. Safety Month guidelines from the NAR are valuable for any worker who interacts with the public, particularly those who visit clients at home or in remote locations, including delivery drivers, rideshare drivers, plumbers, electricians and salespeople.

Understanding and Assessing Risk at Work

Safety Month was created to encourage workers to think about the risks they face on the job and the best ways to manage them. In assessing risk, it can be helpful to think about what motivates criminals and how they choose their victims.

Most criminals seek financial gain and use manipulation, harassment, threats or, if all else fails, violence to get what they want from you. There are some cases where an individual seeks to inflict some kind of personal harm on someone else, but these cases are far rarer than robberies or muggings. You are most likely to be a victim of monetary or property theft on the job.

Criminals prefer easy targets in situations that they can control, away from others. How you present yourself, both in person and online, and how you protect yourself on the job contribute to a criminal’s assessment of your vulnerability. Making yourself a difficult target and limiting the chances for a dangerous encounter will protect you from the majority of criminals.

Here are some practical steps you can take to make criminals think twice about targeting you.

  1. Be mindful of what you share online. Your online profile does more than advertise you to potential clients. It also lets criminals know how vulnerable you are. It is increasingly common for criminals to research their targets online and plan a robbery ahead of time. If you follow good practices for cyber security, which include limiting what you share, regularly changing passwords and enabling two-factor authentication, criminals may move on from you to someone who appears to be an easier target. Personal phone numbers, personal emails and daily schedules should never be shared online.
  2. Always meet new clients in your office or a public place. This will not work for service professionals, such as plumbers and electricians, but it is recommended for all other workers. If you are conducting an assessment or inspection in a remote area, ask to meet in public place nearby and travel to the location from there. This will give you a chance to assess any possible risk.
  3. Travel in pairs. Many service professionals do this with new clients. Bringing someone else reduces risk but does not eliminate it. If you feel that you will be outnumbered by a group of criminals, leave the area.
  4. Ask for a preliminary video conference. Service professionals can ask a potential customer to show them the problem. Real estate professionals and appraisers can ask for a quick video tour of the property. Criminals will not agree to this, either because there is no real problem or because they do not have access to the property.
  5. Keep a second phone exclusively for business use. Carry it along with a personal phone wherever you go. Be sure to check coverage maps when selecting a second phone, so that you can maintain signal wherever you go. In the worst-case scenario, you can throw your business phone at an attacker and run while keeping your personal phone to call for help.
  6. Be mindful of urgency. Criminals often use the pretext of immediate need, or the threat of a lost opportunity, to lure victims into situations they would otherwise avoid. They may contact you late in the day, over the weekend or on a holiday and tell you that you must immediately come to a location to win their business. If you attempt to slow the process down, either by scheduling an appointment the next day or asking for a video tour, criminals will either give up on you or demand that you come anyway. Never let the promise of business overcome your personal safety rules.
  7. Be aware of individuals who lurk. Keep a close eye on people who arrive late to an open house, insist on a showing very late in the day or who shadow you while you do your job. Some curiosity on the part of customers is normal; someone who follows you closely is a potential danger. In this situation, ask for some space so you can do your work or inform the customer that you need to check something outside.
  8. Take a self-defense class. The NAR reports that 40% of Realtors® have completed a self-defense class. Good classes teach the ability to spot dangerous situations as well as how to react to them. It is always better to avoid the confrontation entirely than to know how to handle it.
  9. Carry a self-defense tool. Service professionals will have a truck or van full of things that can be useful in an attack, but salespeople, appraisers and real estate professionals may have little more than a pen and a computer. The best self-defense measures are nonlethal and have an area of effect, such as pepper spray. You will be more likely to use them in a dangerous situation, and they can incapacitate several attackers at once. Be sure to check your state’s rules for licensing and training, as you could face criminal charges if you discharge pepper spray or bear spray, even in self defense.
  10. Report any threatening messages you receive. The 2022 NAR Member Safety Residential Report revealed that 30% of Realtors® who were targeted by criminals received a threatening voice mail, email or text message before the attack. Threatening messages should be taken very seriously by all professionals, and you should take extra precautions after receiving them. The individual who threatens ahead of time is more likely to be motivated by anger or revenge and is simply looking for a chance to attack. This individual wants to harm you, unlike the opportunist criminal who simply wants to steal your phone or money.

Safety Month Exists to Challenge Your Routine

All workers fall into rhythms and routines on the job. Even those who practice good personal and cyber security may get comfortable over time and relax their safety practices in pursuit of efficiency or out of a sense of confidence.

People like to think that they are aware of the risks they face. Some believe they have an instinct that lets them anticipate danger. These mental gaps can put you in threatening situations. Remember that criminals have one job: To find victims and steal from them. They spend all of their time looking for new tactics and honing strategies that succeed.

Safety Month provides an opportunity to think about the risks you face and to retrain yourself in practices that limit risk. This is a good time to review personal protocols, company protocols and cyber security practices. Should you need help with cyber security, or guidance on establishing safe working practices for your business, please contact us online or call us at 1-800-658-8311.

 

Business Email Compromise (BEC) Attack Steals $6 Million from Public School System

The New Haven, Connecticut, school district lost more than $6 million to cyber thieves in a Business Email Compromise (BEC) attack that was discovered only after the real vendor asked why they had not been paid.

ABC News provided details on the attack, which began in May and demonstrated a high level of patience on the part of the hackers.

  1. Criminals gained access to the email account of the school system’s Chief Operating Officer (COO).
  2. Using that email access, the hackers monitored communications for several weeks, identifying vendors.
  3. Phony vendor emails were then sent to the COO, directing payments to bank accounts controlled by the criminals.

Losses included more than $5.9 million in fraudulent payments meant for a school bus company. The FBI was able to recover $3.6 million of the stolen money.

This BEC attack shows a level of sophistication and patience that many business owners and employees do not associate with cyber criminals. By quietly gaining access to a targeted email account and monitoring conversations, criminals were able to gather additional, personalized information they needed to successfully redirect a significant amount of money.

As I noted last month, cyber criminals are using AI to improve their BEC and pretexting attacks. While many attempts at phishing and fraud still bear reconizable signs, employers and employees must be prepared to deal with increasingly sophisticated, personalized and persuasive attacks. Remember that criminals have just one job: to steal from you and hide their ill-gotten gains before they can be recovered. Any unusual action or request from a vendor, even if it seems small, should be investigated.

Simple Tactics Will Stop Sophisticated Business Email Compromise Attacks

The hackers who targeted New Haven’s school system took their time to identify high-value vendors, at the risk of losing access to the compromised COO email account. While this demonstrates a level of sophistication that is unusual, it also proved successful, and hacker groups share their success stories as they refine their criminal strategies.

More BEC attacks like this one will occur. Organizations should follow these simple steps to avoid becoming the next victim:

  1. Mandate two-factor authentication (2FA). Assume that hackers have your usernames and passwords, no matter how careful you are with them, or how frequently you change them. The only reliable way to keep criminals out of your email is to use two-factor authentication that requires you to complete an extra step via a personal device, such as a smart phone, before you can log in. Google now requires 2FA for some of its services. This should be a mandatory policy for every organization and is essential for anyone with access to financial systems or databases of personal information.
  2. Monitor online use regularly. IT departments should always know who is accessing systems and from where. Sophisticated criminals may be able to cover their tracks or spoof a location, but there will still be an unusual increase in access for individual accounts. Systems should be set up to alert both the account user and the IT staff whenever a new device attempts to connect to a network or log in to an email or online service.
  3. Require a second set of eyes on any changes. BEC attacks steal money and goods by diverting them to new accounts or locations. Organizations should put processes in place that mandate internal review of any changes in payment destinations, delivery schedules or delivery locations. Pay very close attention to the Sender of any email requesting a change, as criminals will create phony emails that look legitimate to try and trick their targets.
  4. Mandate voice approval for any changes. When a request to use a new bank account comes up, or a client sends an email asking for a delivery to be rerouted, organizational procedures should require a phone call to that client’s point person. Do not call any number given in a suspect email. Call the number on file for the client or vendor, and ask them if they requested the change. Consider implementing a password that only you and the vendor would know as a means of authorizing any changes.
  5. Limit the visibility of key staff online. Criminals regularly harvest compromised email and business accounts to identify high-value targets who they believe can access personal information or finances. Keeping the identities of key personnel concealed helps to deter this kind of targeting. For individuals who have a high level of visibility, consider setting up a second email account or logins that cannot easily be traced, while maintaining a publicly visible email. For example, a CEO named Joe Smith might have a joesmith@companyname.com email account for public use, but a very different email account, such as 712995abznow@companyname.com for official duties. Criminals will not be able to easily identify the secondary account, though this is not a foolproof solution if the hidden email is not carefully guarded.

Cyber security employee training should be provided to every worker in your organization. The more access and responsibility the employee has, the more critical this training becomes. Protect Now offers CE-eligible training for real estate professionals, as well as online and in-person training for all small- and mid-sized businesses. Contact us online or call us at 1-800-658-8311 to learn more.

The New SEC Disclosure Rule Will Impact Nearly Every U.S. Business

The new Securities and Exchange Commission (SEC )disclosure rule for cyber incidents represents the most sweeping attempt to date to mandate cyber security by the United States government. If you own or work at a publicly traded company, if you handle data provided by a publicly traded company or if you simply supply a publicly traded company, this new rule will impact your business.The New SEC Disclosure Rule Will Impact Nearly Every U.S. Business

What Is the New SEC Disclosure Rule?

As reported by the Federal Bureau of Investigation, the new SEC Disclosure Rule goes into effect on September 5, 2023. In broad terms, it requires the following:

  • Every publicly traded company in the United States must file form 8K to the EDGAR database within 4 days of the discovery or awareness of any cybersecurity incident that has a “material impact” on their business.
  • The United States Attorney General may allow a reporting delay of up to 30 days, with a possible renewal for an additional 30 days, if the cybersecurity incident presents a danger to public safety or national security.
  • The United States Attorney General may allow an additional 60-day delay in reporting only if there is a significant risk to national security.

Publicly traded businesses have the ability to determine whether or not a cybersecurity incident has a material impact on their operations or valuation. In the event that it does, they must report the nature, scope and timing of the incident, as well as its impact or potential impact.

How Does the SEC Rule Apply to Me If I Do Not Own a Publicly Traded Business?

This rule will be enforced by the SEC, which has extensive investigative capabilities and the ability to determine the penalties that violators will face. Unlike the FTC Safeguards Rule, which has defined penalties and regulations, the SEC disclosure rule is open, both in terms of what defines a “material impact” and in terms of how the agency will follow up. In the worst-case scenario, Federal investigators could arrive at your door to seize documents and devices, if they believe you are responsible for a cybersecurity incident that impacted a publicly traded company, or if the company identifies your business as the source of the data breach.

Here are a few examples of ways a company could inadvertently be swept up in an SEC investigation:

  • A franchisee of a national company suffers a data breach that exposes the personal financial information of its clients.
  • A shipping company receives a fraudulent order through a pretexting attack that diverts money or materials of significant value to criminal actors.
  • A conference planner suffers a data breach, exposing the email addresses, usernames and login credentials of all conference attendees.
  • A marketing agency’s servers are breached, revealing the embargoed technical specifications of a client’s new product.
  • A law firm’s email is breached, revealing details of a client’s patent filings or lawsuits.
  • A doctor’s office wireless network is compromised, allowing hackers to steal the personal health information of corporate executives.
  • A mortgage broker’s file transfer system is compromised, exposing the property valuations of individuals referred by a client.
  • A company website is hacked, revealing administrative usernames and credentials.

These examples fall into three broad categories:

  1. Data breaches that expose data belonging to a client’s customers.
  2. Hacking attacks that uncover a client’s future business plans, internal information or intellectual property.
  3. Credential theft or protected personal data theft that compromises a client’s leadership or employees.

Something as simple as a phishing attack that exposes your email contacts could be material, if hackers then use that information to launch a targeted attack on your client or sell the information to others. Pretexting attacks that divert payments, materials or finished goods that a client needs to operate could be material if they have a significant impact on a client’s sales. Ransomware attacks that lock your clients out of needed services, disrupting their operations, could also qualify as a material impact.

What Do I Need to Do to Comply?

Only publicly traded businesses are required to report cyber incidents under the disclosure rule, but their ability to report depends on support from their vendors, franchisees, service providers and partners. Remember that if your business is the source of a cyber incident that compromises a client’s business, you may be investigated, and your cyber security policies will be scrutinized. The publicly traded company will face SEC penalties. You will lose the client, and your reputation will take a significant hit.

No business wants to deal with the SEC. Investigations can be lengthy, disruptive and expensive. It is very likely that publicly traded companies will demand some accountability from vendors and partners, as well as assurances, possibly legally binding assurances, that cybersecurity incidents will be reported. For companies that are not publicly traded, compliance requests will likely include the following:

  1. Documentation of current cyber security standards, including incident monitoring and security updates.
  2. Documentation of cyber security employee training practices.
  3. Written plans to report cyber security incidents to impacted clients as soon as these incidents are known.
  4. Written plans to respond to and stop cyber attacks, along with an evaluation of data loss or potential third-party compromises.

Do not be surprised if clients ask for this documentation. Clients may also want to execute additional nondisclosure agreements (NDAs) that include specific language around cyber incidents, or ask for these protections to be outlined in service contracts or contract amendments.

How Will the SEC Enforce the Cyber Incident Disclosure Rule?

It is impossible to know what enforcement will look like, as the SEC tends to treat violations on a case-by-case basis. Based on past behavior around new regulations, the SEC is likely to issue warnings for a period of time for first-time offenders or minor breaches. If a significant breach occurs, or if a publicly traded company repeatedly violates the rule, an extensive investigation with significant penalties will follow. This will trigger a stampede for services that will leave providers struggling to keep up with demand, and companies scrambling to find providers who can help them. It is better to take this matter seriously now, evaluate your needs and get professional cyber security support if you need it.

Note that the new disclosure rule does not require an experienced or certified professional to oversee or report cybersecurity incidents. Most small businesses should be able to manage compliance on their own, or with the help of a VCISO.

Why Did the FTC Add This Reporting Rule?

The SEC outlined two needs that drove the new disclosure rule. First, the SEC believed, as do many law-enforcement organizations, that cyber crime is underreported. By bringing their authority to this area, the SEC seeks to compel a greater level of reporting compliance, eliminating the tendency of some businesses to quietly pay ransoms or overlook seemingly minor cyber intrusions.

Second, the SEC felt that current reporting, which lumps cyber security incidents in with other business challenges, did not provide enough information to shareholders. The standard report will allow shareholders to see how often a business suffers cybersecurity incidents and how severe they are, providing another data point investors can use to evaluate opportunities.

As a final, broader goal that was unstated, the disclosure rule puts anyone who works with a publicly traded company on notice that their clients’ interactions are under Federal scrutiny. This is likely meant to compel greater adoption of cyber security best practices across all U.S. businesses, which will make it harder for criminals to carry out attacks. In that regard, it is the most significant effort to date by the U.S. government to establish and require cyber security as a basic element of business operations.

If you have questions about the SEC disclosure rule, how it could impact you, how you can comply or how you can improve your cyber security employee training, please contact us online or call us at 1-800-658-8311.

Vacant Land Scam Warning Issued: Can You Spot These Red Flags?

Real estate agents nationwide need to be on alert for the Vacant Land Scam. A California Department of Real Estate (DRE) advisory issued in July noted what the DRE called “a sharp increase in real estate fraud involving identity theft and the sale of vacant land and unencumbered property.”

Similar vacant land scams have been reported throughout the United States. Do not assume that this warning does not apply if you are not in California. Every real estate agent should understand how the scam works, and how to spot the red flags of a potentially fraudulent transaction.

What Is a Vacant Land Scam?

Vacant land scam is an umbrella term that applies to any attempt to fraudulently sell real estate that the scammer does not own. While undeveloped land is the most common focus of these scams, criminals may attempt to sell residential or commercial buildings, condominiums or homes.

Scammers begin by researching properties through public records. They first look for properties that are free of mortgages and liens. They then look for properties that are likely to be unoccupied; undeveloped land, empty long-term rentals and out-of-season vacation rentals are among the most popular targets.

Criminals will then identify the owner of the property and attempt to assume their identity. Properties owned by the elderly or by foreign nationals are most often targeted. The scammer will pose as the property owner and hire a real estate agent to sell the property, pocketing cash from the transaction.

Vacant Land Scam Red Flags and Responses

The signs of a potential vacant land scam are easy to spot, and this is one of the simpler scams to thwart. Be on the lookout for the following:

The seller refuses to meet in person. This should be a red flag for any transaction. Scammers may claim to be too busy or to be out of the country and will claim that they cannot attend the closing. They will also resist video calls and prefer to communicate solely by text or email. The simple solution is to insist on an in-person or video meeting, or to require the seller to use a third-party identity verification service to prove their identity. Be sure this is a service that you choose, as some scammers may attempt to fake identity verification.

The offering price is well below market value. The scammer will claim that they want a quick sale, in cash, with a fast closing and the money wired to their account. There are legitimate reasons why a client would ask for these conditions, so you will need to balance these requests against other warning signs. One clear red flag is a client who refuses to provide an identifiable mailing address or bank account number and demands a wire transfer to a public location, such as a money transfer office.

The seller refuses to allow a For Sale sign on the property. This is a significant red flag that your agency can address by requiring a sign on any property that it lists. Grant an exception to this rule only on a limited basis, and only after someone else at the agency has reviewed the request and transaction details.

The seller provides their own notary. This is a significant warning sign for document fraud. Require all clients to use your in-house notary or a notary approved by your agency. If a client supplies their own notary, contact that individual directly to confirm they ae who they claim to be.

The vacant land scam is a form of identity theft that relies on real estate agents prioritizing service and convenience for a client over due diligence. When in doubt about a transaction, set those instincts aside and be skeptical. These next two steps will stop nearly any attempt at this scam:

  1. Have someone else review the property offer. Get a second set of eyes on the situation. Ask a colleague or manager to take a look at the property offer and circumstances and tell you what they think. Be neutral in your approach; if you ask someone if something looks suspicious, they may look for signs of fraud. If you ask someone to give their opinion of a situation, they are likely to evaluate it objectively.
  2. Contact the property owner of record. You can get access to the name and address of the property owner, which should give you a means of contacting them. In the worst case scenario, the deal is legitimate and the seller will recognize you. Simply tell them that this is an extra step your agency follows to prevent fraudulent real estate sales. If the property owner has no idea who you are or that their property is for sale, you will want to join them in reporting the fraud to law enforcement and your local real estate governing body.

Like all attempts at fraud, a vacant land scam requires you to trust details and situations that seem a little out of the ordinary. Learning to trust your instincts and to identify the common techniques used by scammers will help you identify and avoid most cyber attacks and pretexting attacks. Protect Now offers an in-depth Elearning program, Cyber, Social and Identity Protection Certification (CSI) that will give you the confidence and strategies you need to stop scammers. You can try a free CSI demo online at any time.

Protect Now also provides interactive in-person and virtual CSI cyber security employee training for groups that is CE eligible in many states. To learn more, contact us online or call us at 1-800-658-8311.

Here’s Why You Need Identity, Privacy, and Device Protection

People are often anxious about the security of their personal information and online accounts. Cybercriminals are finding new ways to invade your privacy which is why you need comprehensive protection to keep you safe online.

We spend a lot of time on this blog discussing SMB security. However “all security is personal”, even at the enterprise level. That’s because it’s people who implement security, monitor it and react to vulnerabilities. Therefore if those people are lax in their own personal security, how are they going to do their jobs effectively?

Here are some protection and privacy best practices that you can use to keep your identity and sensitive information away from prying eyes and restore your faith in technology.

Device Protection

Device protection refers to the measures you take to protect your hardware or physical devices from intruders and potentially harmful software, such as malware, adware, and viruses.

Protect Your Hardware

Knowing where your smartphones, computers, iPads, and gaming consoles are and never allowing people you don’t know to use them are the first steps in protecting them.

Ensure that you protect your devices with a password to ensure that your photos, banking apps, and text messages stored on them are inaccessible if you lose your phone at a concert or leave your tablet in a restaurant.

It’s also a good idea to back up your files regularly so that your images, videos, and documents are lost if your phone is stolen.

Protection Against Malicious Software

To keep your device safe, you’ll also have to protect it from software threats. There are many ways for malware and viruses to get onto your devices, including phishing scams, suspicious websites, questionable downloads, and clicking on advertisements.

When browsing sites that seem unreliable, use caution, and apply common sense when clicking on links.

You can also download a reliable antivirus software application to help detect, identify, and remove malware and viruses that could pose a threat to your online security.

Privacy Protection

Protecting your privacy involves preventing advertisers, fraudsters, and other unscrupulous organizations from obtaining access to the information you’d prefer to keep private.

It only takes a few careful modifications to your regular browsing, emailing, and social media activities to increase your internet privacy.

Limit What You Share on Social Media

Consider your usage of social media. Do you upload pictures containing information that could be used to identify you? Examples of information that you shouldn’t share online include your:

  • Full name
  • Birthday
  • Physical address
  • Current location

If your profile is freely accessible and anyone can view it, you might want to think about limiting what you post online. Sadly, although your loved ones may like reading your status posts, cybercriminals enjoy them even more.

Fraudsters can learn enough about you in just a few minutes of spying to pass themselves off as you or to target you. Restrict the information you post on social media and restrict the number of people you follow and befriend to those you actually know.

Use a VPN

Connecting to a virtual private network (VPN) is another great way to protect your online privacy. By encrypting your connection and keeping your location hidden, a VPN enables you to browse the internet anonymously.

Protecting your privacy with a VPN is essential when using public Wi-Fi at a library, restaurant, or coffee shop.

This is because cyber criminals typically wait around unprotected Wi-Fi networks to spy on users making online purchases or paying bills to gain access to their login information.

Keep up with the latest developments, and if a corporation that stores your information is the target of a cyberattack, take swift action to protect your identity and safeguard your account.

Here are some examples of identity theft:

1.   Forging an Identity

The most frequent form of identity theft is when a thief takes a victim’s Social Security number and uses it to create a new false identity.

2.   Creating New Accounts Using Someone Else’s Credentials

When a scammer successfully obtains financial data and personally identifiable information from a user, they can open new accounts such as utility accounts, credit cards, and more using the victim’s good credit rating.

3.   Taking Over Someone Else’s Account

Account takeover occurs when a fraudster takes the victim’s account login information and adds themselves as authorized parties, giving them access to the victim’s banking facilities.

Fortunately, this type of fraudulent activity is steadily decreasing due to the widespread use of EMV chip readers.

4.   Medical Identity Theft

Medical identity theft occurs when fraudsters pose as patients to access certain prescribed drugs and have their medical care covered by the victim.

5.   Corporate Identity Theft

Corporate identity fraud occurs when a criminal tries to issue new lines of credit in the name of a company, sends clients fake bills, and then takes the payments themselves. This type of identity theft is most common in small businesses.

A cybercriminal may still manage to obtain your personally identifiable information even when you follow all the rules.

When a security breach occurs at an establishment with your personal information, you’ll need to find another way to keep your information and banking accounts safe.

Investing in identity security software that monitors the dark web and notifies you of any suspicious activity that might point to identity theft is a good idea.

Considering how many ways there are to target users online, it should come as no surprise that many are uneasy about their safety when surfing the net.

Fortunately, you can safeguard your devices, protect your identity, and keep your browsing history away from prying eyes by installing reliable antivirus software.

Business Email Compromise Gets Smart with WormGPT: How Businesses Must Prepare

WormGPT, a new, AI-powered tool for pretexting attacks, is attracting subscribers among the cyber criminal community, according to reporting from ZD.net. The capabilities of this tool, which uses similar technology to large learning models like ChatGPT, are grounds for significant concern for all business owners.

Researchers from SlashNext were able to access the tool and examine its capabilities. They found the following:

  • WormGPT can create flawless, persuasive emails indistinguishable from a human conversation.
  • Built-in translation capabilities allow WormGPT users to communicate fluently and flawlessly in languages they cannot speak. The exact languages that WormGPT can process have not yet been reported.
  • The software can write its own malware, though the extent of these capabilities were not tested.

The WormGPT Threat to Businesses

By creating flawless, persuasive, customized emails and texts, WormGPT has the potential to overcome the most obvious fingerprints of a fraudulent Business Email Compromise (BEC) or phishing attack: bad grammar, odd sentence structure and generic requests. Even novice criminals could use this tool to trick employees who have extensive cyber security and fraud prevention training.

This does not render cyber security employee training useless. Training programs that teach employees to recognize unusual requests or unusual language from customers will still stop most attacks, and programs that emphasize awareness will have some success in thwarting AI-powered attacks with impeccable grammar and urgent requests. The rise of programs like WormGPT does mean that businesses cannot solely rely on language as a way to detect fraudulent emails. To meet this challenge, businesses need to look at technical solutions and their everyday practices.

Effective Techniques to Mitigate WormGPT Threats to Business

The most dangerous WormGPT attacks will attempt to steal goods, money or credentials. Pretexting attacks claiming to come from senior company leaders, clients or IT staff will present the greatest challenge, particularly if criminals have gained access to the actual email accounts of these individuals.

Businesses should take the following steps to prevent sophisticated pretexting attacks of all types:

  1. Automatically blacklist all emails. Most email programs can be set to warn users of an email coming from a new or unknown address while allowing emails from known contacts to pass through. This function should be enabled to catch criminals who attempt to spoof email addresses by changing a letter to a number, adding or moving a letter, or changing a domain name. For example, if you work at industries.com and have the CEO’s email in your contacts, fraudulent emails from industries.net, industr1es.com or indutsries.com will be flagged. The same technology can be used to identify attempts to spoof client emails.
  2. Establish strict protocols for delivery changes. Businesses are well within their rights to demand faxed approval of any changes to delivery locations, dates or volumes, or to ask for 48 hours’ notice to implement such changes. Similar rules should apply if clients attempt to place orders on credit or ask for significant increases in deliveries.
  3. Require phone verification for order or delivery changes. You can either mandate that clients call when they need a significant change in their order volume or a new delivery destination, or send an email telling clients, “Call your account manager to confirm this change.” Do not include details on who to call, and if you receive an email asking for that information, do not reply. This will dissuade the majority of criminals attempting BEC fraud. If the stolen goods are valuable enough, criminals may actually reach out by phone.
  4. Set a unique passcode with each client. This works with phone verification to stop fraud. Each individual client should have their own unique passcode that they provide when they need to change order details. In the event that a criminal calls to try and complete a fraudulent switch, they will not know the passcode, and the order will not be changed. Use random strings of letters and numbers in these passcodes, and convey them only via telephone to clients, never by email or text, which can be intercepted by criminals.
  5. Call the client to verify the change. A significant increase in order size or a change in delivery location are red flags for fraud. Employees should be required to call the client on record for the account and personally verify any order changes.

These steps serve two purposes. First, they will defeat the majority of attempts to steal goods via BEC attacks. Second, they will provide ample evidence to your insurance company that you have policies and practices in place to deter fraud. Banks and insurance companies have been pushing back on claims for reimbursement involving pretexting attacks and BEC fraud on the grounds that employees allowed these attacks to happen. A demonstrated level of internal vigilance and security may help your cause if you need to take a claim to court.

The other necessary defense against WormGPT and other forms of business fraud is employee training. Criminals count on hurried, helpful employees who are motivated to provide service and clear bottlenecks. Employees who learn to recognize the red flags of fraud can still do their jobs efficiently and keep customers happy while protecting your business. To learn more about employee training that generates real change in the workplace, contact us online or call us at 1-800-658-8311.

Protect Now Clears First Step for Online Cyber Security Employee Training CE Accreditation

Online cyber security employee training courses from Protect Now have been certified by the International Distance Education Certification Center (IDECC). This certification represents a critical step toward offering continuing education (CE) credits for licensed real estate professionals who take Protect Now’s Cyber Social Identity (CSI) Protection Certification courses online.

IDECC is an internationally recognized standards and certification body for online and distance education. More than 40 U.S. and Canadian jurisdictions require or endorse IDECC certification as a prerequisite for state and provincial CE accreditation.

“This is both a validation of the quality of our online training courses and an important step toward getting licensed professionals the cyber security training that they need,” said Robert Siciliano, co-founder and head of training for Protect Now.  “Our in-depth employee training enables licensed professionals to protect themselves, their clients and their businesses. As we gain CE eligibility, it becomes a professional benefit as well.”

In-person training and live virtual training seminars from Protect Now are already CE-eligible in 18 states, including Florida, New York and Texas, with the company adding additional accreditations on a regular basis as it works to provide a CE-eligible program throughout the United States. Protect Now’s eLearning classes cover the same material as their in-person sessions, using a series of self-directed videos that allow students to learn at their own pace.  In addition to convenience, the eLearning provides an affordable option for individuals and small businesses.

Once a student enrolls, they have lifetime access to the video library and its updates for future reference. Protect Now regularly reviews and updates its course content in response to shifting trends in cyber crime, while teaching students to recognize and apply the value they place on personal data protection in business settings.

“A few years ago, training focused on dangerous links sent in emails and texts, as well as phishing attacks,” Siciliano explained. “Now our students face far more sophisticated attacks involving fake websites and criminals who will call on the phone and directly engage to try and steal credentials or money. We constantly monitor the threats aimed at small and midsized businesses to ensure that we provide our students the skills they need to avoid cyber crime.”

With IDECC certification in hand, Protect Now is on its way for state-level CE accreditation for its online cyber security employee training in all 50 states. Announcements of eligibility will be made in the coming months.

About Protect Now

Led by noted cyber security speaker and expert Robert Siciliano, Protect Now provides in-person, virtual and online cyber security employee training that changes attitudes toward cyber security by making it personal. The company’s in-person CSI Protection Certification is CE eligible for real estate professionals in more than 18 states, with CE eligibility pending for its eLearning modules. To learn more or try a free online employee training class, visit protectnowllc.com.

Cyber Security Newsletter Hits 10,000 Subscriber Milestone

The cyber security newsletter from Protect Now Partner and Head of Training Robert Siciliano hit a milestone of 10,000! subscribers on LinkedIn on July 17, 2023. Subscriptions for the newsletter grew exponentially as the 10,000-reader threshold neared.

In addition to LinkedIn, the CSI Cyber Security Newsletter is available via email subscription, with past issues posted to the Protect Now Blog. Each issue highlights current cyber security news of interest to small- and mid-sized-business owners, including evolving threats, regulatory updates and practical advice to avoid cyber criminals, presented in language that non-technical web users can understand.

“Tremendous thanks to everyone who has subscribed, but also everyone who has ever shared or forwarded the newsletter,” Siciliano said. “I created the CSI newsletter to fill a void that I saw in security coverage. The response over the last few months has surpassed my expectations.”

A Practical Cyber Security Newsletter for Businesses

The “void” Siciliano cites is a reliable, knowledgeable source of practical information business owners and employees can use to understand and respond to evolving cyber threats. With new cyber threats and new social-engineering techniques emerging constantly, individuals need to understand how to keep their data and systems safe.

“Finding information on cyber crime is not a problem,” Sicilano noted. “Finding relevant information with practical advice is far harder than it should be. There is a real effort in every issue to identify the most relevant threats, so that readers get a curated view of what is happening now, or what may be right on the horizon.”

Siciliano puts himself in the shoes of his clients when choosing topics and ways to present them. “The average employee is not worried about a zero-day exploit in file transfer software, but they care a lot about the growing trend of pretexting attacks, where a criminal will call and pretend to be a client or coworker to steal money or information,” he said.

The newsletter also serves as an evolving, value-added supplement for those who complete Protect Now CSI Cyber Security Employee Training. As Siciliano explains, new cyber attacks are often easily foiled using the same methods that thwart older hacking and phishing techniques. “You have to be skeptical and you have to be vigilant. We all get a feeling when something seems off. If you can learn to recognize that and apply it to online interactions, you can stop the majority of these attacks, no matter how the criminal tries to make contact. All cyber crime breaks down into two categories: A criminal breaking into systems, which is a software issue, or a criminal convincing an employee to do something, which is a people issue.”

The CSI cyber security newsletter is published monthly. LinkedIn users can subscribe via Siciliano’s LinkedIn page, or sign up to receive the email newsletter using the Subscribe for Email Updates section below.

ChatGPT Conversations Stolen: What You Should Do Now to Protect Yourself

Stolen ChatGPT conversations have been found on the Dark Web, according to Singapore-based cybersecurity firm Group-IB. The theft and publication of ChatGPT conversations reveals a danger about the software that many users may not know.

According to Group-IB’s data, nearly 27,000 ChatGPT conversations were offered for sale on the Dark Web in May 2023. The majority of these data were stolen from India and Pakistan using malware during the past year. The United States had the sixth-largest number of stolen conversations, at 2,995, just ahead of France, which led Europe with 2,923 conversations.

What Makes ChatGPT Conversations Vulnerable?

Conversations with ChatGPT take place using a browser or through a remote connection to a ChatGPT server in the overwhelming majority of cases. If you have a local installation of ChatGPT that you access directly via a LAN, with no connection to the Internet, you are at a much lower risk for data theft, but such installations remain rare.

Hackers can steal ChatGPT conversations as they happen in one of three ways:

  1. Using malware programs such as Raccoon, which exfiltrate data from an infected device.
  2. Using eavesdropping software that captures communications as they move back and forth between a ChatGPT server.
  3. Hacking a ChatGPT account and directly downloading past conversations.

The third method of attack is the one that may surprise many ChatGPT users. By default, ChatGPT saves your prompts and the logs of your conversations. If hackers can gain access to your account, they may be able to download complete transcripts of your past conversations. This could include sensitive business data, software code or personal information that could be used to compromise your identity or your business.

The current global distribution of ChatGPT theft may not appear to be a threat to North American users, but this is a mental trap. Hackers may be targeting particular industries or businesses overseas, but the techniques and methods they learn spread almost instantly across the globe. More ChatGPT theft will happen, and more U.S. businesses will be targeted. The only good news is that you have time to prepare.

How to Prevent ChatGPT Conversation Theft

There are a few steps ChatGPT users should take immediately to prevent data loss.

  1. Scan your devices for malware. This should be a common, regular practice at home and at work. Keyloggers and malware can creep onto your devices even if you practice great cyber security habits. Regular scans offer confirmation that your devices are clean.
  2. Disable your ChatGPT history. To do this, access the Settings in your account and turn off Chat History & Training. This forces ChatGPT to dump any conversations that are more than 30 days old. Be sure to save any conversations you want to keep outside of the ChatGPT interface, using Microsoft Word, Notepad or another program that resides on your hard drive.
  3. Clear your old conversations. To do this, click on your profile picture, then click on Clear Conversations. This will give you the option to remove all of your archived ChatGPT conversations.
  4. Beware of what you share. Even with these steps, ChatGPT will store conversations for 30 days. It is best to avoid using ChatGPT to compose documents with sensitive business information that could be valuable to rivals, or to completely write code that powers proprietary software, as these could easy be stolen in the event of a breach. Do not give personal details to ChatGPT, such as your address, phone, email, login credentials or bank and credit card numbers. Hackers will mine ChatGPT logs for this information.
  5. Protect your ChatGPT account as fiercely as your bank account. Never share any login information for your ChatGPT account with anyone under any circumstances. If possible, use two-factor authorization or a password manager to log in to your ChatGPT account. In cases where a single account is shared across an organization, every individual user should have their own login with two-factor authentication or a password manager for additional security.

The explosive growth of ChatGPT and its brand-new capabilities provide fertile ground for criminals. The majority of ChatGPT users probably have not considered conversation log theft as a cyber security risk, but it can be, depending on how you use this AI tool. As criminals probe new ways to harvest data from AI systems, remember that basic cyber security employee training, such as our CSI Protection Certification, will prepare employees to use new online tools with a much lower degree of risk.