MoveIt Hack: What Businesses Should Know and Individuals Should Do

Dozens of global businesses may have been impacted by the MoveIt hack, a cyber attack on a third-party data-transfer provider that has potentially exposed the sensitive personal information of millions of people in the United States alone. Here is what businesses and individuals should know about the hack and how they should respond.

The MoveIt Hack Explained

MoveIt is a data-transfer tool developed by Progress Software that allows businesses to send large volumes of data across the Internet. In a typical MoveIt transfer, data are sent from one user’s account to a web server, then downloaded to another user’s account, completing the transfer.

A Russian hacker group known as Cl0p claims to have used a vulnerability in MoveIt to access the servers that stored the data, exfiltrating millions of records. Data were stolen from a broad range of organizations, including banks, broadcasters, the U.S. Department of Energy and the Oregon DMV, which alone reported approximately 3.5 million records exposed.

Cl0p has posted a growing list of potential targets on the Dark Web and is threatening to publish the data unless the impacted organizations pay a ransom.

It is important to understand what this attack is not and what it is. Though it has been reported as a ransomware attack by some media outlets, it is not a traditional ransomware attack where hackers lock up an organization’s systems and demand a payment to release them. Instead, Cl0p is holding the data it stole hostage and threatening to publish or sell it if impacted organizations do not pay. The MoveIt attack itself was limited to MoveIt servers, and the hackers did not gain direct access to other online systems of their victims. However, the data stolen in the attack may contain information that criminals could use in the future: material for phishing or pretexting attacks, login credentials, or personal information that can be used for identity theft.

The exact nature of what was stolen will vary from organization to organization. In some cases, information about employees was compromised. In others, individual customer records, potentially including Social Security numbers, were stolen. What any organization lost depends on what they sent via MoveIt and what Cl0p was able to access. In remarks to reporters on June 15, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said, “As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred.”

It is possible that Cl0p is overstating the data it actually has. Those who sent data via MoveIt should still have their data, as Cl0p was only able to steal the copies sitting on MoveIt servers.

How Should Businesses React to the MoveIt Attack?

If you use MoveIt, patch the software immediately. Only download the software directly from the Progress Software site. Be alert for additional updates on vulnerabilities and patches from Progress Software. Unpatched software may still be vulnerable to the exploits used by Cl0p.

Assess the potential damage from the MoveIt hack. The start date for the hack is unknown, but it is believed to have begun in late winter or early spring 2023. Examine the records for all MoveIt transfers since January 1, 2023, and the data that were transferred. Assume that these data have been stolen and could be sold to other hackers or published on the Dark Web. Do not assume that paying a ransom will protect your data. Criminals may take your money and sell the data anyway. You must assume that any sensitive information sent via MoveIt after January 1 has been compromised.

Change login credentials. All logins must be updated. This is a good time to consider adding two-factor authentication or a password manager if you do not currently have them.

Alert any potentially impacted clients or customers. Failure to disclose knowledge of a data breach can lead to lawsuits, government fines and possible sanctions on the organization or its senior leaders. If there is any doubt about data theft, assume the data were stolen and notify everyone who was potentially impacted. It is better to over-respond in this situation than to discover that you failed to notify victims.

Discuss phishing and pretexting risks with employees and reinforce protocols. Data stolen in this breach could include both business and personal emails for employees, which could provide fuel for pretexting attacks for the next 12 months. Cyber security employee training can help employees identify and respond to risks, but when the threat of an attack rises, organizations must instill extra vigilance through additional communications. Explain to employees what happened, how the stolen data can be used to commit acts of fraud or theft and how to respond if they receive an unusual or unexpected request from a co-worker or organizational leader.

Step up monitoring. IT and Accounting personnel should be on the lookout for new or unusual behavior. Pay particular attention to an increased number of login attempts, new remote login attempts or very small charges hitting bank accounts or debit/credit cards. These are all possible signs of criminals attempting to validate stolen credentials ahead of a larger attack.

How Should Individuals React to the MoveIt Hack?

Assume your personal data have been stolen. The MoveIt breach is just one of many ongoing data breaches. Most people should assume that their personal information, including passwords, phone number, email and address, has been stolen and is available on the Dark Web. You will take a much more active approach to online security if you believe your personal information has been compromised than if you assume that it has not.

Freeze your credit. Unless you are applying for credit cards, a mortgage or a loan, freezing your credit is one of the best ways to prevent identity theft. You will need to reach out to each of the three credit-reporting agencies to do this, and to unfreeze your credit if you decide to apply for a loan in the future.

Use two-factor authentication on all sensitive logins. If two-factor authentication is available, you should take advantage of it and ensure that codes are sent to your smartphone rather than an email address that a criminal could compromise. If the sites you commonly use do not require two-factor authentication, consider using a password manager to gain an extra bit of security. The benefit of two-factor authentication is simple: Even if criminals steal your password, they cannot access your accounts without the two-factor authentication code.

Monitor your financial statements closely. Be on the lookout for very small charges, from one penny to just over one dollar, originating from unknown sources, as well as small charges that are quickly refunded to your account. Criminals use these small charges to validate stolen credit and debit cards before they carry out significant attacks. Some legitimate businesses that require access to your bank account will also use this method. When in doubt, contact your bank and ask about the transaction.
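The monitoring advice for businesses (an increased number of login attempts, new remote logins) and for individuals (very small charges, including ones that are quickly refunded) describes the same thing: criminals validating stolen credentials or cards before a larger attack. The following is an added example, not code from the original article, showing how both signals can be detected automatically. The auth log format, the addresses and the card transactions are all constructed sample data; a real deployment would read its own authentication logs and card feed.

```python
"""Added example, not code from the original article: detectors for the two
"validation probe" signals described above -- a burst of failed logins or a
successful login from a new remote address, and tiny test charges (one cent to
just over a dollar), including ones refunded right away. All log lines,
addresses and transactions below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed auth log in an assumed "<ISO time> sshd <FAIL|OK> user=<u> src=<ip>" format.
AUTH_LOG = """\
2023-06-20T09:01:10 sshd FAIL user=alice src=203.0.113.5
2023-06-20T09:01:12 sshd FAIL user=alice src=203.0.113.5
2023-06-20T09:01:15 sshd FAIL user=alice src=203.0.113.5
2023-06-20T09:01:17 sshd FAIL user=bob src=203.0.113.5
2023-06-20T09:01:20 sshd FAIL user=carol src=203.0.113.5
2023-06-20T09:01:22 sshd OK user=dave src=203.0.113.5
2023-06-20T09:30:00 sshd OK user=alice src=198.51.100.7
2023-06-20T10:00:00 sshd OK user=alice src=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+) sshd (FAIL|OK) user=(\S+) src=(\S+)$")


def login_alerts(log_text, known_sources, fail_threshold=5, window=timedelta(minutes=5)):
    """Return alerts as tuples.
    ("login_spray", src, count): `fail_threshold` failures from one source inside `window`.
    ("new_remote_login", src, user): a successful login from a source not seen before.
    """
    alerts = []
    failures = defaultdict(list)          # src -> timestamps of failed attempts
    seen_sources = set(known_sources)     # copy so the caller's set is not mutated
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not match the assumed format
        ts, outcome, user, src = m.groups()
        t = datetime.fromisoformat(ts)
        if outcome == "FAIL":
            failures[src].append(t)
            recent = [x for x in failures[src] if t - x <= window]
            if len(recent) == fail_threshold:   # fire once, when the threshold is reached
                alerts.append(("login_spray", src, len(recent)))
        elif src not in seen_sources:
            seen_sources.add(src)
            alerts.append(("new_remote_login", src, user))
    return alerts


# Constructed card feed: (ISO time, merchant descriptor, amount in USD; negative = refund).
TRANSACTIONS = [
    ("2023-06-21T08:00:00", "COFFEE SHOP", 4.50),
    ("2023-06-21T08:05:00", "UNKNOWN MERCHANT 7731", 0.01),
    ("2023-06-21T08:06:00", "UNKNOWN MERCHANT 7731", -0.01),
    ("2023-06-21T12:00:00", "GROCERY", 62.10),
    ("2023-06-22T03:14:00", "ACME VERIFY", 1.07),
]


def micro_charge_alerts(transactions, low=0.01, high=1.50, refund_window=timedelta(days=2)):
    """Return (merchant, amount, refunded) for each charge in the [low, high] band,
    marking whether the same merchant refunded that exact amount within `refund_window`."""
    rows = [(datetime.fromisoformat(ts), m, a) for ts, m, a in transactions]
    alerts = []
    for i, (t, merchant, amount) in enumerate(rows):
        if low <= amount <= high:
            refunded = any(
                m2 == merchant
                and abs(a2 + amount) < 0.005
                and timedelta(0) <= t2 - t <= refund_window
                for t2, m2, a2 in rows[i + 1:]
            )
            alerts.append((merchant, amount, refunded))
    return alerts


if __name__ == "__main__":
    for alert in login_alerts(AUTH_LOG, {"198.51.100.7"}) + micro_charge_alerts(TRANSACTIONS):
        print(alert)
```

Run against the constructed data, the login detector raises one spray alert for the source that failed five times in twelve seconds and one new-remote-login alert when that same source then succeeds, and the charge detector flags both the one-cent charge (refunded a minute later) and the $1.07 charge. The thresholds are starting points; tune them to the volume your own systems see so that an alert stays rare enough to be investigated.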

Be wary of emails about the MoveIt hack. Nearly every high-profile data breach is accompanied by a second wave of phishing attacks attempting to capitalize on it. You may receive official-looking emails from banks or service providers informing you of the breach and asking you to log in to verify your account or update your information. Never click on links in emails or text messages, even if you believe they are legitimate. Open a web browser, go to the verified website for the business and log in there.

Expect a wave of phishing and spam attacks. Any time a major data breach occurs, a rise in phishing and spam attacks follows as recently stolen email addresses and phone numbers get added to criminals’ databases. Be particularly mindful of attacks that spoof popular shopping sites or delivery services, such as Amazon, eBay or UPS. Follow the same rule for emails and texts about the MoveIt attack: do not click on links in emails or texts and log in directly to websites to verify any potential issues. Block any spam messages that you receive and block numbers that send spam or phishing texts.

Maintaining vigilance after a significant data breach can be challenging. Many people and organizations will be alert for a week or two, then assume that things are back to normal if no attacks occur. While there are no hard and fast data on the lag between when data are stolen and when criminals launch attacks, know that a fresh set of stolen data can circulate for up to two years online. High-value data, such as login credentials, may be used by criminals within a few hours to try and compromise additional systems.

Preventing fraud and theft online requires a consistent approach amid evolving threats. Protect Now offers in-depth seminars and online cyber security employee training that raises vigilance and empowers employees to recognize and stop cyber threats. To learn more, contact us online or call us at 1-800-658-8311.

AI Voice Scams Are Here: What Businesses Must Know

The phone rings at the desk of a new employee. The boss is on the line. He says he’s having trouble reaching staff, and he needs several hundred dollars of gift cards to give to a client. He asks the employee to buy the cards, then call him back with the serial numbers.

A shipping clerk receives a text message from a known client asking to call an unfamiliar number. The client picks up the phone and asks the clerk to divert a pending shipment to a new address because of facility issues at the old address.

An AI voice scam has been launched in both of these examples. How would your employees react?

Using deepfake technology, criminals can pull off an AI voice scam with just a few seconds of someone’s voice. As reported by Agence France-Presse via Yahoo! News, 70% of people surveyed by McAfee Labs did not believe they could tell a real voice apart from an AI-generated voice. This opens new avenues for pretexting attacks by criminals impersonating business leaders and clients. While the examples cited by Agence France-Presse involve “Grandparent scams,” where the faked voice of a grandchild is used to demand money, it is a small leap for criminals to exploit these same tools to drain business bank accounts and steal goods.

How to Stop AI Voice Scams in Your Business

An AI voice scam is a sophisticated attack designed to avoid detection. Do not assume that a machine voice claiming to be the CEO will call, or that there will be obvious signs that something is wrong. The best deepfake technology can synthesize speech and respond to questions in real time. In the Grandparent Scam, the criminals may pre-record a snippet of the fake grandchild in distress while the criminal does most of the talking. In more advanced scams, employees can be duped into believing they are talking with people they know.

There are three steps that businesses must take to prevent losses from an AI voice scam:

  1. Beware of what you share. As we discussed in Is Your Website a Bait Shop for Phishing Attacks, sharing by companies arms criminals with the information they need to carry out all kinds of pretexting attacks. Add video clips featuring senior staff to the list of things that should not be easily accessible online. If you must post an employee’s keynote speech or personal welcome to all site visitors, make sure that there is no clear voice-only audio. Put music under their voice or add some recognizable room tone or background noise. Only the most sophisticated voice replicators can extract a single voice from audio with multiple tracks. If you face a significant risk of data loss, system compromise or theft, the safest course is to remove any usable samples of any kind of the voices of senior leaders. This includes personal websites and social media posts as well as company-owned properties.
  2. Establish firm business protocols. At any point in time, employees should know what they are and are not authorized to do. Precise protocols will vary from business to business and role to role, but there are best practices to guide this. For example, employees should know that they are not authorized to make personal purchases on behalf of the company; establishing this rule will stop gift card scams. Employees must know that they are never to share a password or download software without specific, in-person authorization from a superior. Companies that deliver goods should have a formal process in place with their clients for any changes in delivery dates or locations, which can include a 24-hour written notice that is verified by more than one individual on the shipper’s end. More guidance on establishing protocols and responding to attacks can be found in our free Cyber Crime Response Kit.
  3. Train, train, train. The best defense against all types of attacks is cyber security employee training. Businesses should have regular training for all employees, as well as a specialized training program for new employees. Anecdotal evidence and some recent study data show that cyber criminals tend to target new workers who may not be as familiar with a company’s policies and who may not have received formal training. Employee training should begin on the first day on the job and is essential for businesses that have been victims of cyber crime in the past.

A sophisticated pretexting AI voice scam can be very difficult to detect and defeat. Alert employees who know company policies and protocols that mandate a second set of eyes on unusual coworker or client requests are the best ways to stop these attacks. Protect Now can help you develop a complete employee training program and establish protocols based on your specific business needs. To learn more, contact us online or call us at 1-800-658-8311.

Pretexting Attacks Nearly Double in 2023: What Business Owners Need to Know

Pretexting attacks, many launched through Business Email Compromise (BEC), have nearly doubled in 2023 according to the Verizon 2023 Data Breach Investigations Report. First, the costs: Based on 16,312 data security investigations that found 5,199 confirmed breaches in the past year, Verizon determined that 74% of all breaches involved human actions, and 97% of breaches were financially motivated. Business Email Compromise attacks accounted for more than half of the attacks Verizon documented, with a median of $50,000 stolen per attack.

For more intrusive system compromise attacks, more than 95% of attacks resulted in business losses between $1 and $2.25 million. Training employees to recognize and thwart these attacks is far less expensive than the remediation and recovery that may be needed after a successful attack. Employees need to know what pretexting is, how it works and how to respond to it.

What Is Pretexting?

Pretexting is a form of phishing where the criminal gains the trust of an employee by pretending to be a vendor, business partner or coworker. Some examples of pretexting include the following:

  1. An IT team member contacts an employee and asks them to download software to perform system maintenance.
  2. A senior leader or executive contacts an employee and asks them to buy gift cards for a client or a company promotion, then asks for the gift card codes so they can be distributed immediately.
  3. A client asks for a regular delivery to be routed to a new address.
  4. A vendor asks for credit card information to resolve a payment problem.
  5. A bank employee asks for account access to resolve a problem.
  6. A coworker sends a text that reads, “Let me know if you get this text.”

All of these are real-world examples of pretexting scams. The criminal creates a pretext, a scenario that asks the targeted employee to take action personally. This can include downloading malware or programs that allow remote access to devices, providing logins or providing two-factor authentication codes.

Criminals who use pretexting scams have varying degrees of sophistication. Text-based scams tend to be the most common and least sophisticated. Pretexting scams that involve email may include convincing duplicates of company, client or business email templates or websites, as well as return addresses that are virtually indistinguishable from legitimate emails. The criminal attempts to gain trust, relying on the employee’s desire to be helpful or resolve a business problem.

These attacks are rising in frequency because they are successful. Most employees have been trained to ignore requests from strangers and to go directly to websites instead of clicking on links in emails. What these employees often are not prepared for is a criminal who wants to communicate with them directly. The pretext catches them off guard. A criminal would never call and pretend to be a client, or text and pretend to be a CEO, would they?

How to Stop Pretexting Attacks

Businesses of every size must include pretexting awareness as part of cyber security employee training. Employees with access to company finances, customer and employee data or system credentials should be the top priority for this training, but it must extend to every member of the workforce to be effective. If criminals believe they can steal thousands of dollars from your company, they will probe every possible weakness to try and get a foothold in your organization.

It is equally critical to train remote and hybrid employees who spend only part of their time in the office. This has emerged as a significant training gap in many organizations, and it is a ripe target for pretexting. At a minimum, you must continually remind employees that you will never text them asking for a response or to purchase anything. Establish protocols for times when IT must work with employees remotely. Make sure employees know who the IT staff are and provide a mechanism to verify that they are speaking with a coworker rather than a criminal. Provide an email address for a staff member who is always available in case an employee needs to verify an IT request.

Be wary of what you share online about your company and its people. Criminals will mine your About and Staff pages for names, emails and titles that they can use for pretexting. They will read your press releases to learn about your vendors and clients. Unprotected digital assets, including site code and images, can be used to create spoofed versions of your website or company emails to trick employees.

As with other social engineering scams, a skeptical employee can be the best defense. Employees should be continually reminded to stop and think if an interaction seems strange and to verify any unusual requests with a trusted co-worker by voice or in person.

Protect Now will help you stop pretexting, phishing and other social engineering attacks with our CSI Protection Certification program, designed for the specific needs of small- and mid-sized businesses and available via in-person seminars, virtual seminars or eLearning. Contact us online to learn more, or call us at 1-800-658-8311.

FTC Safeguards Rule: Real Estate Businesses Must Check Their Status

The new FTC Safeguards Rule goes into effect on June 9. Everyone in the real estate industry needs to take note of this and evaluate their need for compliance. Failure to comply can result in fines up to $43,972 per day. There is an above-average chance that your real estate business will be subject to these regulations.

Who Is Subject to the FTC Safeguards Rule in Real Estate?

The National Association of Realtors® (NAR) issued a Washington Report update on the Safeguards Rule, outlining who is subject to the new regulations.

You are considered a “financial institution” under the FTC Safeguards Rule if:

You maintain customer information for more than 5,000 customers

and you provide the following:

    • Real estate settlement services
    • Appraisal services (unless you are appraising on a one-time basis and destroying records)
    • Mortgage services
    • “Finder” services that match buyers and sellers who negotiate their own transactions

The size of your agency, including number of employees, transactions or annual revenue, has no bearing on Safeguards Rule compliance. If you store records for more than 5,000 customers, you are subject to these regulations.

Two Options for Real Estate Safeguards Rule Compliance

The simplest way for any real estate professional to comply with the Safeguards Rule is to delete old data. If you maintain fewer than 5,000 records, you are not subject to the rule. Note that the regulations apply equally to paper records and digital records and they do not specify the type of customer information that is considered. In other words, if you have a storage unit full of old customer files or a huge email list, that could put you over the limit of 5,000 records, even if you do not have in-depth, digital financial records for all of those customers. Specifically,

Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

This can create confusion, because some may interpret the rule to mean financial information, while the Safeguards Rule itself has no such limitations. In thinking about whether a particular record contains personal information, ask yourself this question: Could this information, by itself or in combination with information gathered elsewhere, be used to harm a customer? Considered in that context, information as mundane as an email address or phone number qualifies for protection under the Safeguards Rule.

Can you delete or destroy your old records? For most appraisers, agents and brokers in small agencies, this should be possible. Think about the number of transactions you process in a year and the average time you need to hold on to information to complete a transaction. Even if you want to hold on to information for your most valuable clients, you should be able to get under the 5,000-record limit. Be aware that you will need to put a program in place to delete or destroy records on a regular basis to stay under the limit, and that it is prudent to allow some breathing room: You do not want to have 4,998 records if the FTC launches a compliance investigation. It is better to set a cap around 4,000 or fewer, if your business allows.

If you must maintain more than 5,000 records, you must comply with the FTC Safeguards Rule. In general you cannot do this on your own. The regulations require a qualified individual, someone with a professional background in cyber security, to evaluate current security measures, enforce security protocols and verify compliance among all third-party vendors and service providers. The Qualified Individual will also create a written security plan that includes information on how data are stored and retrieved, as well as data destruction protocols and steps to take in case of a cyber attack.

For most real estate businesses, a Virtual CISO can handle the majority of compliance needs. This is an experienced cyber security professional who offers their support as a service at a much lower rate than a full-time cyber security specialist. Larger real estate businesses that process a significant amount of transactions each year, those who build and operate apps or online systems, or those with extensive archives of paper and electronic records, may want to consider a full-time Chief Information Security Officer who can manage the risks of custom software.

Protect Now can help you find a Virtual CISO versed in FTC Safeguards Rule compliance, and provide CE-eligible cyber security training for real estate professionals. If you have questions or concerns about the Safeguards Rule, please contact us online or call us at 1-800-658-8311.

SEO Poisoning: Train Employees, Watch Your Search Results

SEO poisoning is a new tactic that scammers use to steal credentials. It can be difficult to detect, and it can harm the reputation of your business if scammers attempt to spoof your identity.

What Is SEO Poisoning?

SEO poisoning is a type of phishing attack. Cyber criminals create a fake version of a website or a landing page, then use search engine optimization (SEO) techniques to get it to rank highly in online searches.

This technique emerged for a simple reason: cyber security employee training teaches workers to never click on links in texts or emails. Because that training has had some success, cyber criminals have changed their tactics. They still send fake texts and emails that you have likely seen, claiming to be from Amazon, Ebay, PayPal or some other major online company. The email includes a link to click to resolve some phony problem, such as a package that cannot be delivered, or loss of account access.

People with good online habits know to never click on these links. Instead, they go directly to the website, log in and see if there is a problem. This is where SEO poisoning may be effective: By setting up a fake site that looks legitimate and ranks highly in search results, scammers can capture login credentials just as if the target had clicked a link in an email.

The scam relies on the trust people have in search results, and their tendency to quickly click the first or second link that they see without investigating it closely. Once thieves have an individual’s login, they can take control of their accounts and potentially compromise business systems.

In some cases, criminals buy paid advertising that appears at the top of search results to trick people. Those ad campaigns get shut down quickly, sometimes in just a few hours, but they can snare unwary individuals while they are online. Criminals time their ad buys and SEO poisoning efforts to coincide with mass emails, hoping to steal credentials before their campaigns and sites get kicked out of search results.

Fake Sites Can Harm Your Reputation

There are two ways that SEO poisoning can damage your online reputation, and potentially damage your search rankings. The first and most obvious risk is someone spoofing your website and using it for criminal activity. Never assume that you will be immune to this. While top sites remain the biggest targets for spoofing, any site that requires users to log in can become a spoofing victim. Even nonprofits can be spoofed, if their sites collect donations or personal information.

The best defense against SEO poisoning and spoofing is to check your branded search results regularly. Search your company’s name and your main website URL at least once a week. If you find sites ripping off your identity, report them to the search engines immediately.

The second danger lies in abandoned websites. Some businesses have old websites, promotional sites or microsites that have not been used, or in some cases, accessed, for several years. Sites like this are a prime target for takeover by cyber criminals, who rely on older domains and sites to legitimize SEO poisoning campaigns. Make a point to review all of your online properties and to shut down any that are no longer in use. URLs should be forwarded from out-of-date sites to your main site, which prevents scammers from hijacking old domains for criminal activity.

Easy Steps to Avoid SEO Poisoning

Employees should be taught to be skeptical about any link they come across, even at the top of search results. Follow these steps to avoid clicking on a fake site:

  1. Never click on links in texts and emails. This rule still applies. If you receive an email or text with some alarming information, be suspicious. Then go directly to the site from a web browser.
  2. Look at links before clicking. Even if the link is an ad, even if the link is at the top of the search page, study it carefully before you click. Most businesses have an easy-to-remember URL, like amazon.com, ebay.com or paypal.com. Search engines always show the link address under the search result, for both paid advertisements and organic search links. Check those links, and check the spelling to make sure it’s accurate. When in doubt, try typing the URL into the bar at the top of your browser. If it’s a site you visit frequently, the full URL should appear.
  3. Only click on top-level links. Scammers may try to fool you by asking you to look up a “customer service” or “client login” page. Ignore that advice. Only click on links pointing to the top-level domain, such as etsy.com or mercari.com.
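The second and third steps above can be turned into a mechanical check that runs before a link is opened: is the host really the brand’s own domain (or a subdomain of it), and does the link point at the top-level site rather than a deeper “login” or “customer service” page? The following is an added example, not code from the original article. The allowlist of brand names to real domains is an assumption built from the brands the text names; any organization using this would maintain its own.

```python
"""Added example, not code from the original article: a pre-click link check that
applies the two rules from the text -- the host must be the brand's real domain (or a
subdomain of it) and only the top-level page is accepted. EXPECTED is an assumed
allowlist built from the brands named in the text; maintain your own in practice."""
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> the registrable domain that brand really uses.
EXPECTED = {
    "amazon": "amazon.com",
    "ebay": "ebay.com",
    "paypal": "paypal.com",
    "etsy": "etsy.com",
    "mercari": "mercari.com",
}


def check_link(url, expected=EXPECTED):
    """Return (verdict, reason).

    'ok'               host is the brand's domain or a subdomain of it, path is the root
    'deeper-than-root' host is genuine but the link points below the top level
    'suspicious'       host contains a brand name but is not that brand's domain, or not https
    'unknown'          host matches no brand in the allowlist (covers misspelled look-alikes)
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return ("suspicious", "link is not https")
    if not host:
        return ("suspicious", "link has no host")
    # A brand name appearing anywhere in the host is the claim the link makes;
    # look-alike hosts rely on exactly that appearance of familiarity.
    claimed = next((brand for brand in expected if brand in host), None)
    if claimed is None:
        return ("unknown", f"host {host!r} matches no brand in the allowlist; check the spelling")
    real = expected[claimed]
    if host != real and not host.endswith("." + real):
        return ("suspicious", f"host {host!r} is not {real} or a subdomain of it")
    if parts.path not in ("", "/"):
        return ("deeper-than-root", f"{host} is genuine, but open https://{real}/ and navigate from there")
    return ("ok", f"{host} is {real}")


if __name__ == "__main__":
    # Constructed sample links: the non-brand hosts are placeholders, not real sites.
    for sample in [
        "https://www.amazon.com/",
        "https://www.paypal.com/signin",
        "https://amazon.com.example-login.net/",
        "https://paypa1.com/",
        "http://ebay.com/",
    ]:
        print(sample, "->", check_link(sample))
```

Note the order of the checks: a host like amazon.com.example-login.net begins with the real domain but is flagged because the real domain must be at the end of the host, and a misspelled host such as paypa1.com falls through to “unknown”, which is the cue to type the address yourself rather than click.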

As a final way to protect yourself, consider refreshing or starting your cyber security training. Our CSI Protection Certification program teaches the skills needed to detect and avoid online scams, including SEO poisoning attacks. Available in person, virtually or online, CSI Protection Certification develops superior cyber awareness and will make you and your employees nearly impossible to scam. To learn more, call us at 1-800-658-8311 or contact us online.

Lawsuits: A New Reason to Invest in Cyber Security

Lawsuits relating to cyber security incidents are on the rise, according to the 9th Annual Data Security Incident Response Report published by law firm BakerHostetler. For 2022, there were 42 lawsuits filed from 494 incidents that led to individual notifications, including 4 lawsuits filed in cases where fewer than 1,000 people were impacted by a data breach.

SecurityWeek noted that this represented a significant trend, as 2018 data from BakerHostetler showed just 4 lawsuits filed from 394 incidents reported to impacted users.

Why Are Cyber Security Lawsuits Increasing?

Individuals and businesses are fed up with data breaches and the time and expense needed to address them. As a result, the days of providing free credit monitoring for a year or two are over.

Stronger state data protection laws also play a role in the rise of lawsuits, as they offer a framework for individuals to seek compensation for business and personal expenses incurred by a data breach. The California Consumer Privacy Act has become the model for a growing number of state-level regulations that hold businesses accountable for data breaches.

Insurance companies have also begun to push back against claims for business disruptions caused by cyber security incidents. Taking advantage of stronger state and Federal regulations, insurers who offer cyber security liability and recovery policies may require business owners to certify data protection measures for vendors and third parties. If those organizations experience a cyber attack, insurers may sue to recover their costs.

Invest in Cyber Security Employee Training to Keep Lawsuits at Bay

In the event of a lawsuit, businesses must disclose all aspects of their cyber security, including methods used to protect data, attack response and recovery plans and employee training and protocols. Businesses that have strong cyber security measures will be less likely to face lawsuits, while businesses with weak security measures could be liable for significant damages and legal expenses.

Business owners should expect their cyber security to be scrutinized, and significant gaps will become a greater liability. In BakerHostetler’s report, 39% of cyber attacks were due to human factors, including phishing, social engineering or employee abuse of access. Collectively, this made up the greatest percentage of attack causes; while the root cause was unknown in 26% of attacks, phishing ranked second overall at 25% of attacks.

Sending employees a training video twice a year is not effective employee training. Real employee training teaches workers to recognize obvious attacks, to flag suspicious activity and to report anything that concerns them. CSI Protection Certification from Protect Now delivers this kind of effective training, empowering employees to stop threats by changing their attitudes toward business security. Our training is available through in-person or virtual seminars, or through our eLearning platform. To learn more, contact us online or call us at 1-800-658-8311.

When Google Ads Deliver Malware, Will Your Employees Download It?

A new method is out for distributing BumbleBee malware: Google Ads. Researchers at Secureworks discovered Google Ads campaigns and downloads promoted through high-ranking sites in Google Organic Search that included malware along with downloads of popular software, including Zoom and ChatGPT.

Employees who search for installation packages for popular programs may come across these downloads through ads or Organic Search listings. The downloads do contain the software installer, but they also contain a second file that deploys BumbleBee malware, a back-door program that can give hackers the access they need to steal business data or deploy ransomware. BumbleBee is one of the more dangerous malware trojans, as it can install itself without setting off antivirus software.

Why This Malware Scam Works

Most employees are not software experts and may not detect the presence of malware in a download. If they see an ad or a search listing for software they need, they will click. In this case, a compromised WordPress site was used to create phony pages that mirrored the look of the actual software makers. The only way to discover the malware was to examine the download file.

Scams like this rely on a lack of employee sophistication, an urgent need for the employee to install or update software, and the appearance of legitimacy to trick people into installing malware. The employee’s reasoning goes: if a Google ad or a top search listing looks legitimate and points to a legitimate-looking site, the download must be legitimate. If the download works and the software installs correctly, why would anyone suspect a scam? An employee who downloaded this malware would find the experience so ordinary and problem-free that they may not even consider it when asked by IT if they experienced anything unusual ahead of a ransomware attack.

Every Business Should Take These Steps to Prevent Malware Attacks

Google has an obligation, and considerable financial incentive, to protect its users from advertising and search-based scams. The company has protections in place to prevent hackers from promoting malicious software, but the same hackers that target businesses with malware also work to circumvent Google’s protections. Fraudulent sites do not last long, but they are a risk while they are live, which puts the ultimate responsibility for stopping these malware attacks on individuals.

There are three levels of defense that businesses can use to prevent malware downloads, with varying levels of success.

  1. Prevent employees from downloading software. If you have the resources and a central IT department, this is the highest level of security available. All employee software downloads can be blocked, which prevents these types of scams. The tradeoff may be a very busy schedule for IT employees, who will need to handle every software download request. Depending on the size of your business, this may result in delays for employees who need to download new software or updates.
  2. Discourage employees from downloading software. Company policy can be set to discourage downloads or to download software only from sources supplied by IT professionals within the organization. This is less effective than a ban, as some employees may circumvent the policy, so it works best in conjunction with employee cyber security training.
  3. Train employees to download only from trusted sites. Employees should be trained to download software only from the manufacturer, and to go directly to the manufacturer’s site whenever they need a new installation or update. Businesses can reinforce this practice by providing all employees with a list of links to software sites, either by email or through a company intranet, so that employees do not rely on search to find software publishers.

These legitimate-looking malware attacks are the stuff of nightmares for cyber security professionals because they can deceive almost anyone, even well-trained employees, into downloading malicious software. Business policies can go a long way toward thwarting these hacking attempts, but they work best when combined with vigilant, empowered employees who value company security and speak up when something seems wrong. Protect Now can help you develop a vigilant workforce through our CSI Protection Certification program. To learn more, contact us online or call us at 1-800-658-8311.

DOJ Alleges $8 Million Familiar Fraud at Transit Authority

Would Your Employees Notice Millions in Fraud?

The United States Department of Justice (DOJ) announced indictments against two individuals suspected of familiar fraud schemes that led to $8 million in losses for Massachusetts Bay Transit Authority commuter rail operator Keolis between July 2014 and November 2021. Both the scope and the longevity of these schemes are exceptional, although the methods used to steal the money are very common, raising questions about why the individual charged was able to commit this fraud for so long.

What Happened in the Keolis Familiar Fraud Case?

John P. Pigsley of Beverly, Massachusetts, a former Assistant Chief Engineer of Facilities for Keolis Commuter Services, has been accused of running two schemes that netted $8 million. In the first scheme, Pigsley is accused of conspiring with John Rafferty of Hale’s Location, New Hampshire, the former General Manager of LJ Electric, to create fraudulent invoices for vehicles and equipment, leading to more than $4 million in losses.

In the second scheme, Pigsley is accused of ordering copper wire for Keolis projects, picking it up himself or delivering it to his home address, then selling it to scrap yards. Over the course of several years, Pigsley is alleged to have made more than $4.5 million from the scheme. The actual value of the stolen material was not disclosed.

In a statement, Keolis Commuter Services said, “In late 2021, our enhanced financial controls and project management oversight identified project anomalies linked with the practices of an employee.” According to the DOJ indictment, this was 7 years after the fraud began.

Employees Must Be Empowered to Recognize Risks

Cyber threats are not the only challenges that businesses face. Familiar fraud, committed by an employee, family member or trusted business partner, can be more devastating and more difficult to detect. As with cyber security, employee training is essential to prevent losses. Employees must know how to recognize fraud and trust their instincts. They must also feel empowered to call out anything suspicious.

In the DOJ indictment against Pigsley, three common familiar fraud techniques that should have been caught stand out:

  1. Phony invoices: This is one of the most common types of familiar fraud. An employee with purchasing authority may conspire with a third party to create fake invoices and split the proceeds, or set up shell companies to invoice for goods and services that do not exist. This type of fraud can be difficult to detect in large, complex organizations, such as a railway operations company, or in businesses that frequently order large volumes of material from multiple vendors. Strong vendor approval and verification processes must be in place to detect this type of fraud; all new vendors should be verified by someone other than the person placing the orders. Shipments should be tracked and matched against invoices for at least the first 90 days of any new relationship. Any changes in volume or frequency in orders with a particular vendor should be flagged for follow-up.
  2. Home deliveries: There are very few circumstances where an employee should receive materials shipments at home. Home addresses for all employees with purchasing authority should be kept on file by accounting staff. Any deliveries that match against a home address should be flagged for review. Any changes in regular delivery addresses, even if they only account for a portion of a shipment, should also be flagged for review.
  3. Personal pickup: Some employees may pick up and deliver materials as a regular part of their job. In an ideal world, purchasing and pickup are separate, so that no single employee has the ability to order and collect goods. When this is not practical, regular audits must be conducted of employees who can both order and deliver supplies, services and materials. Employees should be able to provide invoices for what was ordered, receipts for what was received and documentation for what was delivered.
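As an added illustration, not part of the original post, here is a small audit pass that applies the three controls above to purchase-order records: it flags deliveries to a purchasing employee’s home address, orders collected by the same employee who placed them, and vendors whose monthly spend jumps sharply. The employees, addresses, vendors and orders are constructed for the example, and the `PurchaseOrder` fields and the 2x spike threshold are assumptions.

```python
"""Added example (not from the original post): purchase-order audit checks.
All names, addresses, vendors and amounts below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PurchaseOrder:           # assumed record layout for the example
    po_id: str
    buyer: str                 # employee who placed the order
    vendor: str
    ship_to: str               # delivery address on the order
    picked_up_by: str          # employee who collected the goods ("" if shipped)
    amount: float
    month: str                 # "YYYY-MM"


# Constructed reference data: purchasing staff and their home addresses,
# kept on file by accounting as the post recommends.
EMPLOYEE_HOMES = {
    "j.doe": "14 Elm St, Beverly MA",
    "a.smith": "9 Oak Ave, Salem MA",
}


def normalize(addr: str) -> str:
    """Loose address comparison: case, commas and extra spaces ignored."""
    return " ".join(addr.lower().replace(",", " ").split())


def audit(orders, spike_ratio=2.0):
    """Return (reference, reason) flags for a reviewer to follow up on.

    Control 2: ship-to address matches a purchasing employee's home.
    Control 3: the same employee both ordered and picked up the goods.
    Control 1: a vendor's monthly spend exceeds spike_ratio times its
    prior-month spend (a volume/frequency change worth follow-up).
    """
    flags = []
    homes = {normalize(a) for a in EMPLOYEE_HOMES.values()}
    monthly = defaultdict(lambda: defaultdict(float))  # vendor -> month -> spend
    for po in orders:
        if normalize(po.ship_to) in homes:
            flags.append((po.po_id, "delivery to employee home address"))
        if po.picked_up_by and po.picked_up_by == po.buyer:
            flags.append((po.po_id, "ordered and collected by same employee"))
        monthly[po.vendor][po.month] += po.amount
    for vendor, by_month in monthly.items():
        months = sorted(by_month)
        for prev, cur in zip(months, months[1:]):
            if by_month[prev] > 0 and by_month[cur] / by_month[prev] > spike_ratio:
                ratio = by_month[cur] / by_month[prev]
                flags.append((f"{vendor}/{cur}", f"spend jumped {ratio:.1f}x vs {prev}"))
    return flags


# Constructed sample orders: one home delivery, one self-pickup that also
# produces a spend spike, and one clean order from a second vendor.
SAMPLE_ORDERS = [
    PurchaseOrder("PO-1001", "j.doe", "Acme Wire Co", "1 Depot Rd, Boston MA", "", 4000.0, "2021-01"),
    PurchaseOrder("PO-1002", "j.doe", "Acme Wire Co", "14 Elm St, Beverly, MA", "", 4500.0, "2021-02"),
    PurchaseOrder("PO-1003", "j.doe", "Acme Wire Co", "1 Depot Rd, Boston MA", "j.doe", 12000.0, "2021-02"),
    PurchaseOrder("PO-1004", "a.smith", "Bolt Supply", "1 Depot Rd, Boston MA", "m.lee", 800.0, "2021-02"),
]

if __name__ == "__main__":
    for ref, reason in audit(SAMPLE_ORDERS):
        print(f"{ref}: {reason}")
```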

Familiar fraud is one of the most difficult challenges that businesses face, because it comes not from external actors, but from trusted co-workers, friends and family. Proper business controls can prevent it, but only if employees understand what to look for and how to respond. Protect Now’s CSI Protection Certification training focuses on cyber crime but enables employees to spot any kind of suspicious behavior by teaching them to trust and act on their instincts. To learn more about our training programs, contact us online or call us at 1-800-658-8311.

2013 Boston Marathon Bombing: My Best Worst Day Ever

Like Big Papi said, “This is our f–king city.” It’s the 10th anniversary of that beautiful, tragic day. The new Netflix documentary “American Manhunt: The Boston Marathon Bombing” has me sobbing in my kitchen. I’ve watched the movie Patriots Day with Mark Wahlberg countless times. This week I was asked to speak at a high school about my 12 years of Boston Marathon preparation and fundraising, and the planner asked about the possibility of me discussing my experience on Boylston St that day, which I wasn’t expecting to do. And leading up to the moment I got on stage, I didn’t realize how shaken I still am. I could barely talk without my voice cracking. Thankfully, the moderator kept the dialog light and we talked about the training, fundraising and fun memories.

Front Page Boston Globe Robert Siciliano Above the Fold

And here’s the thing, NOTHING HAPPENED TO ME. Nothing happened to anyone in my family. My wife and two little girls, my dad, my sister-in-law, and some friends were all at the finish line, 100 yards away from the first bomb, which scared the hell out of me, but still. Completely unscratched. I just saw some sh#t. Ran right by it actually, which is part of the problem. That’s it. But it haunts me. And it makes me think about actual front line military, law enforcement and paramedics who deal with violence, trauma, and tragedy as a vocation. How do they even deal?

Training for a marathon is a taxing, physical, emotional and expensive process. For me personally, that has meant multiple cortisone shots, almost a hundred physical therapy appointments and a few arguments with my wife. Why do it? Why climb a mountain? Why be a police officer? Why be an emergency room nurse? Why detonate a bomb in a crowd of innocent people? We all make choices others wouldn’t and we justify our decisions based on our interests, options and perspective.

For me, I just wanted to lose weight, get fit and finally give back to a charity. When you’re 50 with a young family and your health and marriage are good, bills are paid and life is settled, words like “health,” “gratitude” and “grace” begin to have more meaning. And when you become a runner, you join a special club of conscious people who enjoy challenging themselves and understand our time is limited.

In 2013 I was on my way to run about a 4:10 (my best time ever), but was stopped at mile 26 due to some terrorists’ agenda.

During the 2013 Boston Marathon, my improved time put me on Boylston Street shortly after the blasts. There were two loud bangs, and as I rounded the corner I saw the finish line through dissipating smoke. Boston police immediately corralled runners from going any farther down Boylston because it was now a volatile area and potential crime scene. At 2:52 PM I called my wife, who was at the finish line, about 100 yards from the first bomb, and got no answer. A minute later, I got my dad on the phone; he was with my wife and the kids and he confirmed they were OK. I instructed him to leave ASAP, as another bomb could go off any moment. I told him to “walk down the center of the street and avoid any cars!”

But nothing was going to keep me away from them; I couldn’t just sit there and wait. In my mind, there were bombs going off between my family and myself. As a father, son and husband, the instinctual need to get your family to safety overpowers every sense of reason. I dodged a couple of police officers and ran down Boylston, the only runner on the field, putting myself in jeopardy and now also causing law enforcement to chase after me. At the 26-mile mark, I saw people on the ground, bloody and getting medical attention from the few paramedics that were on hand to take care of runners expected to be injured in more predictable, less violent ways. I made a decision to keep going. Which still doesn’t sit well. It felt like a 3D movie where the scene was pushing me back in my chair, but the sound was off. I know the scene was loud with sirens and screams, but I heard nothing.

Then I heard an angry cop (rightly so) blasting his voice in my ear before he wrestled me off the course. Eluding further apprehension, but onward to my family, I hopped a fence and ran down a back alley behind the restaurants, bars and shops that were evacuating people through their back doors. What I saw was people—many victims who must have made their way on their own or with the assistance of others—screaming, crying and making frantic phone calls…and there was blood. Some victims I saw lost anywhere from pints to whatever; I don’t know. I just remember freaking out and not wanting to run in it.

I ended up behind the finish line and found a way to cross Boylston. I made my way to the Westin Hotel, where I found my family, scooped up my four-year-old and hiked another half mile to my vehicle. Leaving behind two vehicles, we piled nine adults and children into my Yukon and evacuated.


Evacuating the city, carrying my 40lb child after running 26 miles.

Out of relative danger, our attention now turned to our two children and damage control. To gauge my seven-year-old’s feelings, I calmly asked her, “Did you have fun today?” She said, “Yes, today was awesome! Until the bombs went off!” Knowing she was shaken, the radio stayed off and adults did what they could to speak in code. Note to adults who may try this: It doesn’t fool a seven-year-old.

By this time my phone was going nuts, Facebook and Twitter were buzzing and my mother, who couldn’t get in touch with us, was in complete meltdown.

Once I got home and got the kids situated, we ordered a bunch of pizza because that’s what you do when a bomb goes off. People need to feel normal.

My mom showed up at our home shortly after we got there. She was a total mess, and after the kids saw her emotional state, they understood the gravity of the situation. Today, they are showing a tremendous amount of affection and gratitude, which seems to be a side effect of their trauma.

I posted a brief note on Facebook: “I’m OK, I was on Boylston St. when it happened. I saw smoke, I saw blood and people on the ground. My family was 300 yards away, waiting for me and I got to them and evacuated from the city. More later.” And the comments and “likes” poured in.

Shortly after, I provided an update: “I was right there, bomb went off. Boston police removed everyone, I kept running toward the bombs because my family was at the finish line. Police got me off the road, I resisted then another cop almost tackled me (rightly so). I ran in the back alleys, people spilling into the alleys from the explosion, screaming, crying, blood, got my dad to get my wife and kids out of there concerned for another explosion. I’m telling it to Dr. Drew on CNN between 9:15ish and 9:30ish tonight.”

Again, comments poured onto my page like never before. People offering an outpouring of help and support. I never knew I had that many real friends.

I feel I have to explain the part about Dr. Drew and CNN. It may seem opportunistic, but frankly, for me, it’s therapy. I do lots of media as the expert. My network is “the media.” So when I send a blast email to raise money for charity, my network knows I’m running the Boston Marathon. When I logged into Facebook and email, the requests came in from CNN, Extra and Canadian TV, along with a few radio shows too. So I spent the evening after the run as an eyewitness. And, because it’s who I am, I gave security tips too.


Maria Menounos and Me at the Media Compound the day after

My Rockstar cousin, who is an Iraq and Afghanistan soldier and flies one of those crazy killer helicopters, reached out to me via Facebook and said, “I think your situation was much worse than many Middle East situations I’ve been in.” Which I thought odd because he’s had his best buddy blown up right next to him. Then he said, “When I deploy I’m armed, geared up and expecting to fight. You were at a peaceful gathering around families and innocent civilians, not expecting bombs. That makes it much worse.”

We accept the possibility of death and destruction when we sign our contracts. I’m sure no one who signed up for the marathon expected this.

This completely messed me up, putting into perspective just how awful this situation is.

I only slept three hours that night, on edge, emotional and fragile. The next day, I headed to the media compound near Boylston to meet with Maria Menounos from Extra, who is a Greek Boston girl.

I connected with Maria, and within two minutes we were both crying. She started talking about how she loves Boston so much, then I started crying, then she started crying…which completely messed me up. I tell you this because she told me people should know this is real and they can’t forget. She was professional, but she was real. She put me at ease and we got through the interview.

Since then I’ve done more media on this than I wished, including the Boston Globe, Dr. Drew, Extra, Current TV, Canadian TV (again and again), Fox Boston and some radio.

In early May after the blasts, I was asked to speak to the North Eastern Massachusetts Law Enforcement Council on the benefits of social media to law enforcement and how social can help get the word out in a tragedy. When I walked into the room to speak, everyone was in uniform. What I didn’t know was that many of the men and women attending were the first responders saving lives at the finish line, and others were involved in the capture of the bombers. That was a very emotional speech for me. Check out the Huffington Post’s blog on how the Boston Police did a stellar job using Twitter during the bombing.


Cowboy Hat-Wearing Boston Marathon Hero Carlos Arredondo and Robert Siciliano

At this point, my family and I are safe. Emotions are still high for some. Even as I update this post from 10 years ago it’s messing me up. We were and still are angry. This celebratory event will forever be marked by the visual of a plume of smoke that symbolized the evil intent of misguided people who do not value human life and have no regard for our freedoms.

We caught the bastards and while there are no real answers, we may never get them. The movie Patriots Day actually did an amazing job of telling the tragic story through a composite character. And the Netflix doc really brings it home.

On behalf of my Boston, we are proud of our city, its first responders and its people, who showed the true measure of the human spirit through powerful acts of kindness and displays of citizen courage.


We are strong as a city, undivided as a country and unbowed by this attack. No terrorist will be allowed to alter our nation’s course.


Robert is running his 12th Boston Marathon for Dana-Farber Cancer Research Institute. Please consider a donation: http://danafarber.jimmyfund.org/goto/robertsiciliano

Robert Siciliano, personal security and cyber security expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud.