Think Twice Before You Take a Fun-Looking Online Quiz – A Hacker Might be Behind It

Though it might look like a fun thing to do, you had better think twice before taking that quiz that pops up on your social media page. A hacker, otherwise known as a “social engineer,” might have created it to obtain your personal information.

Criminal hackers are all over social media sites, and it should be no surprise that they have tricks up their sleeves to get the information that they need. Social media crime is on the rise. Some studies show hundreds of millions of dollars have been lost, much of that in cryptocurrency and credit card fraud.

Identity theft is part of the reason a hacker will use social media to gather info, and it’s much easier to do than you might think. Let’s take a look at some of the most common scams hackers use on social media:

Surveys and Quizzes

Have you seen those quizzes that say “Click here and reveal your ‘Porn Star Name,’” or “Fill out this quiz to find out how many kids you will have”? Though these might be totally innocent, and a little ridiculous, they could also be designed by a hacker. The idea behind these quizzes revolves around “knowledge-based authentication” scams. Basically, the information about us and the questions we answer in these quizzes are the same things that are used as security questions on various forms and websites. The answers in many of these quizzes could be used to reset or crack your various pass codes.

Generally, when you fill these out, you will enter information like the street you live on, the name of your pet, your favorite song, or even your birthdate. There is a dark side to this…the information you are providing may be the exact information a hacker needs to steal your identity or get into an account.

If you think about your accounts, it’s very possible that your bank, for instance, requires you to answer questions to get your password or get into your account. What do these institutions ask? Things like “What is your favorite song?” or “What is the name of your pet?” As you can see, you are giving a hacker the answers to these questions when you are taking the quiz.

You can avoid all of this by scrolling right past these quiz opportunities.

Get-Rich-Quick Schemes

There are also “get-rich-quick” schemes on social media that hackers use. These include things like direct messages offering a grant or a fake business opportunity like a pyramid scheme. They also start things like gifting circles, that seem innocent, but are designed to steal personal information or money, or even both.

Gone are the days of fake Nigerian princes…now we are dealing with something much more sinister. You can avoid these scams by just taking a little time to research any business opportunity, offer, or even organization that contacts you via social media.

Imposter Scams from the “Government”

Scammers also try imposter scams on social media, and they do this by pretending that they are a government official, like someone from the IRS. The scammers might use messages on social media to pose as a tax collector, or they might offer a refund…if you confirm your personal information. As you might imagine, there is no confirmation — you are simply giving up the information they need to either steal your identity or hack into your important accounts.

Always delete these messages if you get them. The IRS will never contact you via social media, nor would they ask that you pay a bill with a gift card, a wire transfer, or with cryptocurrency.

Imposter Scams from “Family and Friends”

A scammer might also try a “family and friends” scam to get information from you. Thanks to social media, a hacker can learn more about who you know and trust, and then pretend that they are those people. In one example, a hacker will pretend to be a person’s grandchild and send them a message online asking for money because they have a problem. If you actually do send money, the cash goes right to the hacker.

If you have a situation like this, and you are not sure if a person is who they say they are, you need to do your research and reach out to the person. Don’t just pay them without doing this.

The Romance Scam

Finally, we have the romance scam. In this case, the hacker will strike up an online relationship with a potential victim, and it will eventually become romantic. These can happen on social media sites, or they can be directly on a dating site. They often create personas that have exotic jobs, such as a doctor in Africa, or as a military member stationed in the South Pacific. They work to build trust with their victim, and when the time is right, they come up with a sob story about how they need money, and many victims, believing that they are in a true relationship with this person, send the money willingly.

To avoid this type of scam, never, ever send money to a person you meet online, especially if they say they are a doctor or a member of the military.

Protect Yourself from ID Theft and Social Media Scams

Now that you know that there are a lot of hackers and scammers out there trying to take advantage of you, here are some ways that you can protect yourself:

1.    Spruce Up Your Privacy Settings – The first thing you need to do is to set up your social media profile to be private and set it so that only your friends and family can access it. This means that a hacker has a much smaller chance of getting access to your account. Also, it’s a good idea to stop sharing information like where you went to high school and your full date of birth. The less information you post, the less likely it is that a hacker can gain information from you.

2.    Be Skeptical – You always want to be a skeptic when it comes to anything online. There are so many scams out there, and so many attempts to get information, that you really need to be skeptical. If you are willing to lower your guard, a scammer is definitely willing to take your information. So, really look deep at any messages you might receive, especially if something looks weird or sounds off. You should also notice things like bad grammar or a lot of typos. Those are a great indication that you might be dealing with a scammer.

3.    Actually Know the People You are Friends With – Do you actually know everyone on your friend list in real life? Most people don’t, but you really should be selective about who you are allowing to see your content. Anyone on your friend list can see your information, and that means they have access to personal information about you if you post it. You also have to be aware that someone on your friend list could be copying and pasting from your page or making screen shots.

4.    Follow Up – Have you gotten a message from a friend of yours that just seems a bit strange? If you do get this type of message, don’t click on anything and don’t reply. For instance, if your best friend Peter sends you a message to “Check out this link,” and it’s something that Peter would never be interested in, you should check with Peter another way, like with a phone call or text, to find out if it’s legit or not.

5.    Look Out for Others – Finally, you should look out for other people when you get a weird message or strange request. If you get a weird message from a friend, you should let that friend know. If someone lets you know that there might be a duplicate account of your personal account, you should let your friends know.

Try to Stay One Step Ahead of the Hackers

Before concluding, there are a few other things that you can do in order to stay a step or two ahead of hackers. First, make sure that you are using a strong, unique password for your account. Utilize a password manager. Never use the same passcode twice. A virus protection software suite is also recommended. Using firewalls is helpful, too, as well as a VPN.

You can also sign up for ID protection services, which will help to keep important information, such as your email address, under monitoring. With this type of protection and a bit of focus from you, it will be easier than ever to keep an eye out for scams, and you can get back to enjoying social media as it was intended.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon.com author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com

Prepare Your Digital Life Before You Die

In life as in business, we need to have contingency plans. That means backing up our back up and that means having a plan for when we expire. Nobody really wants to deal with that expire part. Nobody wants to address the fact that the clock is ticking. But you need to.

Being in the business of security awareness training, and having a relatively accessible (and some might say – high) online profile, I am contacted by a lot of people facing a number of different issues. Lots are victims of various crimes, both in the physical and virtual world, such as victims of stalking, or they claim their devices are being spied on (often I think they might be legit paranoid), or they’ve lost money in some type of a scam, you name it. Sometimes I function as a “victims advocate” and I do have a soft spot for those in a bind.

However, there are a number of situations where I am simply not in a position to help. I may not have the resources, for example I can’t (nobody can) call Facebook and get your hacked account back, and I am not a boots on the ground detective in a position to intervene in whatever wire fraud loss you may be dealing with.

What I often do, is provide perspective, like, for example, if they were notified of a data breach, and their credit card is involved, they call me freaking out, and I tell them that doesn’t necessarily mean their identity is at risk because credit card fraud is not the same thing as your Social Security number in the hands of criminals and so on.

Sometimes people just need a little “talking off the ledge” and engage with an expert to feel better about their situation. And then there are situations that come up, like the unexpected death of a loved one. To me, those are often the worst. That’s because I am empathetic to someone’s real pain and problems, but I’m not fully equipped to help. But like most plugged-in people, I do have some pretty good connections.

That brings me to Bob Young of FIFO Networks. Bob was introduced to me by my vCISO Mike. Bob is a guy who has a skill set that very few have, and he has a bedside manner that makes him perfect for his job. He is a super nice guy. Bob specializes in a number of technology disciplines, but what he’s really good at is getting access to digital devices that few can get access to. So, for example, if your loved one dies, Bob has a good chance of getting in their phone or computer or accounts. Frankly, I hope that you never ever have to meet Bob.

One word for a guy like Bob might be a “hacker”. And while to some, this word might be offensive, there are all kinds of hackers out there. There are good hackers known as “white hats” and there are bad hackers, known as “black hats”, these terms come from the old spaghetti westerns. Bob is definitely one of the good guys.

Below is a discussion between Bob and me and a little bit about what he does, and what you should be doing now to prepare for the inevitable. Yes, inevitable. You are going to die. Me too. It’s coming.

Robert (Me): Thank you for joining me today. Can you share a story or two about what it looks like when someone comes to you to assist in digital recovery after someone’s passing?

Bob: Certainly. Recently a grieving brother called me to access his deceased brother’s computer. The brother mentioned significant investments and a missing will, hoping the computer held clues.

Robert: What are the primary goals in digital recovery after someone dies?

Bob: There are two main goals: data recovery and account recovery. While these goals overlap, they’re distinct. Data recovery involves retrieving information, while account recovery focuses on gaining access to accounts, often requiring passwords and recovery keys.

Robert: In our discussion, you mentioned various encryption methods. Could you elaborate on how encryption impacts the recovery process?

Bob: Absolutely. Encryption, like BitLocker or FileVault, adds complexity. For example, recovering data from a Windows computer with BitLocker may require accessing the Microsoft account for the recovery key. Physical security keys or a Yubikey can be game-changers, but they’re rare.

Robert: Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) play a significant role. How do these impact the recovery process?

Bob: 2FA and MFA add an extra layer of security, often involving codes sent via text or authenticator apps. Accessing the deceased’s phone becomes crucial for unlocking accounts requiring 2FA/MFA.

Robert: Unlocking devices seems central to the process. Where do you usually start, with the phone or the computer?

Bob: It’s somewhat circular. While unlocking the computer might grant access to significant accounts, you often need the phone for 2FA. I typically start with the phone, ensuring its accessibility.

Robert: Unlocking a deceased person’s phone appears challenging. How do you approach this?

Bob: While biometric authentication is common, knowing the PIN or pattern code is usually sufficient. In case family members don’t have this information, alternate methods exist to bypass biometric authentication using a PIN.

Robert: What if the computer is locked? What steps do you take to unlock it?

Bob: Unlocking methods vary, but it’s best to start by asking relatives or friends for the password. Failing that, searching for written records or changing the unknown password can be attempted. Password-cracking tools and password removal are more complex options.

Robert: Can you share a specific case, like Ron’s, where you successfully recovered critical information?

Bob: In Ron’s case, finding a will and stock market investments was a priority. After searching Ron’s office, I used professional tools to change the computer password. No encryption hurdles meant swift access to essential information, including the will stored on the computer and a backup in county records.

Robert: What advice do you have for individuals to prepare for digital recovery after their passing?

Bob: Preparation is key. Maintain a well-organized offline list of passwords, use a password manager, grant access to your phone, document financial accounts, file your will with county records, and ensure your trusted person knows about any physical security keys.

Robert: Lastly, you mentioned legal considerations. How do you navigate the legal aspects of account and data recovery?

Bob: Legalities are crucial. I comply with government laws and often require proof of relationships. However, online account providers may have their own procedures, emphasizing the importance of proactive steps like setting up Legacy Contacts on platforms such as Facebook.

Robert: Thank you for providing insights into this intricate process. If our readers have further questions, they can contact you at your website, correct?

Bob: Yes, that’s correct. If anyone needs more information, they can reach out to me at fifonetworks.com/contact-us.

Thank you Bob. And to my loyal readers, like I said, as much as I like Bob, I hope you never have to meet him. Meanwhile, to summarize, here are some action items, things that you can, and should do now to prepare for your demise.

  1. Maintain a Password List: Keep a complete, well-organized, offline list of all passwords, including those for computers, online accounts, and other devices.
  2. Use a Password Manager: Simplify the process by using a password manager. Have written records of two passwords: the master password for the password manager and the computer login password.
  3. Grant Access to Your Phone: Ensure that your trusted person knows the PIN or pattern code for your phone. Consider including this information in your password list.
  4. Financial Accounts List: Keep an updated list of all financial accounts, including banks, investments, and other relevant details that your trusted person might need.
  5. File Your Will: File a copy of your will with the County Records office. This ensures a legal and easily retrievable document for your family.
  6. Physical Security Key: If you use a physical security key, like a Yubikey, make sure your trusted person knows about it, what it looks like, and where to find it.
  7. Set Up Legacy Contacts: On platforms like Facebook, set up a Legacy Contact to manage your page after you die. This proactive step facilitates smoother access for your family.
  8. Emergency Information: Consider creating a sealed envelope or a digital document containing essential information about your digital assets and how to access them. Ensure your trusted person knows where to find this.
  9. Online Account Provider Procedures: Familiarize yourself with procedures offered by online account providers. Some platforms have features like Legacy Contacts that you can set up in advance.
  10. Communication: Lastly, communicate your wishes regarding digital assets to your trusted person. Let them know your preferences and where to find critical information in case of your passing.

Taking these proactive steps ensures a smoother transition for your family members when dealing with your digital afterlife.

Spammy Scammy Text Messages: Fake Accounts on the Rise as Scammers Use Phone Farms

Every single time I get on a stage and present a security awareness training program, someone desperately asks me how to stop all the scammy text messages. My response is the same for everybody: you can’t. What you can do is play the Whac-a-Mole game and continually mark them as spam and block them. That’s it. It’s just an annoyance, like mosquitoes.

There are a few things that you can, and should do… straight from Apple:

Block messages from a specific person or phone number on an iPhone

When you block a specific contact or phone number, messages from that person or number aren’t delivered. (The person sending the message doesn’t know that their message was blocked.)

1.    Open the Messages app on your iPhone.

2.    In a Messages conversation, tap the name or number at the top of the conversation.

3.    Tap Info, scroll down, then tap Block this Caller.

Most of us are receiving spammy scammy text messages on a regular basis. These text messages pose as somebody who we are supposed to know who lost their phone or someone who supposedly is our friend asking us out to lunch or some other request designed to engage us in a conversation.

The texts themselves serve a few different purposes for the scammers. The impetus for all of them is some form of fraud. This will include a romance scam where they engage you and eventually it leads to a crypto scam, called “pig butchering”. Weird name, but very lucrative for the bad guys.

Another is so they can create Google Voice accounts and compromise your Gmail and Google account. In this scam, the scammer approaches sellers on Facebook Marketplace and pretends to be interested in something you’re selling. They ask for your phone number to discuss the purchase. Then the scammer uses your phone number to create or take over a Google Voice account by convincing you to fork over any form of two-factor authentication alert you might receive on your device during the transaction.

Many of the scams involve compromising your phone number so it can be used for verification on various websites.

The verification stage required for opening new online accounts is usually the one thing internet users dread the most. It can be a pain in the neck, and most people would rather forget the process altogether.

However, the reason why many sites force their users to verify their identity is to safeguard their details and for the safety of all legitimate account holders on their platform. Despite these efforts, it seems scammers have found a way to bypass the security measures that have been put in place.

There are services, such as 5Sim, that allow users to rent a phone number specifically for use in the SMS verification process. What’s worse is that these fraudulent phone numbers are available for just a few pennies!

Sites, such as Instagram, Amazon, and Discord, use SMS verification to prevent people from creating bogus accounts which are difficult to trace. How it works is that, when a user tries to open a new account, an SMS will be sent to their phone number and they have to verify that they have received it before being allowed to continue.

This simple but effective method has worked quite well for a long time now. That is until scammers found a way around it, using large-scale, automated services, such as 5Sim, that lease out phone numbers.

In a post shared via its website, 5Sim said that users who do not want to use their personal numbers for SMS verification when registering an account can use a phone number from 5Sim. 

They said all that is needed is an internet connection, which means the process works even without a SIM card placed inside the phone. Users can even select a phone number from any part of the world.

In another interview on VICE, an employee of another website, Discord, said they were also aware of the existence of companies, such as 5Sim. The spokesperson went on to say that they try to block such accounts whenever they identify them.

Discord, like many other sites, requires a valid phone number for SMS verification, instead of VoIP numbers. This is probably an attempt to reduce the incidents of fake accounts. However, according to 5Sim, they provide users with ordinary numbers.

5Sim did say that its customers are not allowed to use their phone numbers for any illegal activity, or any actions that might cause harm to third parties or to the service. AhmOkYaAllRightyThen!

It is not clear how far 5Sim goes in ensuring that its customers adhere to these regulations, or whether it does indeed impose the restrictions on accounts in cases where fraudulent activities are suspected. In the meantime, though, scammers have a guaranteed way to bypass a lot of very important safety precautions.

For you, it helps just to know what’s happening in the background, to understand the various scams, and to know there are a few things that can be done in addition to the game of whack-a-mole. The key here is to keep paying attention. Don’t let anyone CONvince you otherwise.