Tax Season Is Cyber Crime Season

As tax season begins, cyber crime targeting W-2 forms is on the rise. Criminals want W-2 forms so they can file fraudulent tax returns and cash the refund checks. Victims find out about these scams when they attempt to file their legitimate returns, only to be told that a return has already been filed.

tax securityThe U.S. Justice Department, citing Internal Revenue Service data from 2013, reported that 5 million tax returns were filed fraudulently, seeking $30 billion in refunds. Cases of this fraud are believed to be much higher today, leaving victims to wait out a lengthy process of reconciliation before they can get the tax refunds they deserve.

Anyone who issues or distributes W-2 forms needs to take exceptional care with them. Because they contain Social Security numbers and personally identifying information, they are considered protected personal information under state laws.

How to Protect and Safely Distribute W-2 Forms

Criminals attempt to steal W-2 forms in two ways: online and in person. In-person theft simply involves stealing W-2 forms from someone’s mailbox. Criminals know when to look, but they may not know what they are looking for.

You can prevent mailbox theft by distributing W-2 forms online, or by handing them to employees in the office. If you must mail W-2 forms, it is best to do so in a plain envelope with a handwritten return address that looks like a personal letter. Avoid envelopes that look corporate, and absolutely avoid windowed envelopes that show the form or that have printed messages stating that a W-2 is inside.

If you distribute W-2 forms electronically or provide self service for your employees, follow these tips:

  1. Give employees a link instead of emailing a W-2 form. Most payroll providers include password-protected individual employee accounts as part of their service. Take advantage of these so that employees have to download their forms, rather than sending them via email.
  2. If you must email, be sure the email is encrypted. This prevents thieves from capturing the documents in transit. Send W-2 forms only to employee email accounts that you manage, not third-party accounts or free email services that are more easily compromised.
  3. Encourage employees to file early. Early filing is the best defense against a fraudulent claim, and criminals tend to file very early in the season.
  4. Beware of phishing and social engineering scams. Criminals may attempt to harvest W-2 forms by pretending to be accountants, representatives of online filing services such as TurboTax or state or Federal tax agents. Remember that no one will ever contact you by phone, email or text with a legitimate request for someone’s tax documents.
  5.  Warn employees of tax season scams. Send a reminder email that no one from the company and no legitimate government agent will ever contact them to ask for a copy of a W-2, and advise them to be careful responding to requests from trusted contacts, such as their own lawyers and accountants. Follow one simple rule whenever you receive a request for personal information: Call to verify.

Many employees and a large number of business professionals are unaware of the growing number of scams targeting tax documents. These forms contain one of the most valuable pieces of personal information: an individual’s Social Security number. If an attempt to steal employee tax forms from an organization succeeds, it must be treated as a data breach and reported to law enforcement. Employees will need to inform the Social Security Administration of the compromise as well.

W-2 theft is another aspect of phishing and social engineering that businesses can fight with cyber security awareness training. Our CSI Protection Certification succeeds where other programs fail by tapping into the personal desire employees have to keep their own data safe and showing them how those instincts apply in workplace situations. Contact us online to learn more or call us at 1-800-658-8311.

Fake Emails are Becoming a Major Issue for Businesses

You might be surprised to know that more than 3.4 billion fake emails are sent around the globe each day. What does this mean? It means that almost every company out there is vulnerable to cybercrimes in the form of “spoofing” and “phishing.” On top of this, most companies out there have not protected themselves from this type of cyber attack. What’s even more interesting is that the vast majority of these emails are not coming from some foreign land, but they are coming from sources based in the US.

This all sounds pretty dreary, but it’s not all bad. Research is showing that many industries in the US are making strides against these fake emails, though some are working harder than others.

To get the data for this research, companies like Valimail is using data from internal analysis of billions of different email authentication requests. The company also used almost 20 million public records about email to publish its report.

This report shows that email impersonation, which made up 1.2 percent of all emails sent during the first quarter of 2019, is the favorite weapon of cyber criminals to get access to a network. They also try to get access to sensitive information and intellectual property.

Fake emails are a problem, and they are not blocked by cybersecurity defenses that are traditionally used.

These fake emails are one of the biggest sources of cyberattacks. As more businesses recognize email vulnerabilities, organizations should start using authentication technology to protect against fraudulent and untrustworthy senders.

The fact is this: too many cybercriminals are using fake emails to get through these defenses, and better methods to identify senders is needed to make sure that email is more trustworthy both now and in the future.

Protect Yourself

  • The e-mails usually contain at least one link they want you to click. Hover your mouse to see what the URL is. It may appear legit, but note the “http” part.
  • Reputable sites for giant businesses, such as Microsoft and PayPal, will have an “https” in their URL. The phishing link’s URL will usually not have the “s.”
  • A big red flag is if there are typos or poorly constructed sentences, but a phishing e-mail may also have flawless text.
  • Don’t be fooled by company logos, stock imagery, privacy policies, phone numbers and other formalities in the message field. It’s so easy for a hacker to put these elements in there.
  • Be leery of warnings or alerts that don’t sound right. Gee, why would your account be “in danger of being suspended”?

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

Genealogy Websites Scare Me, But This is Good

Investigators in Sacramento have arrested Joseph James DeAngelo for rape, but they only found him based on records from a genealogical website.

10 Internet Security Myths that Small Businesses Should Be Aware OfThe effort wasn’t easy, but this guy is now off the streets. The process started with taking a look at DNA that was collected from the crime scene, which happened many years ago. Investigators didn’t have a match. However, recently, they started comparing DNA with genetic profiles that have been collected from ancestry sties. These are companies that collect DNA from people to tell them more about their family backgrounds.

Though DeAngelo’s DNA was not found, investigators were able to match the DNA of his family members with the DNA found at the crime scene. Investigators looked closer and noticed that DeAngelo not only lived in the area where the rape occurred, but also was in the same age range as the suspect. The investigators began watching DeAngelo and picked up a piece of trash that he discarded. They tested it in the lab, and the DNA on it was a perfect match to the DNA at the crime scene.

Once investigators realized they had a match, they knew that they had to spring into action. They were able to quickly make an arrest. DeAngelo was booked into jail and charged with two murders. He is also expected to face an additional 12 homicide charges, which occurred from 1974 to 1986. Because the crimes occurred in several counties, it is likely that county prosecutors will come together as one prosecution team to put DeAngelo on trial. It is also likely that the trial would not be held in Sacramento because the majority of the crimes occurred in Southern California. There is also the question as to if the prosecution team will charge DeAngelo with rape, as the statute of limitations has expired. There is no statute of limitations for murder in the state of California.

Some prosecutors, however, are looking to the FBI to help put DeAngelo behind bars for the alleged rapes, too, including Jeff Reisig from Yolo Country, and the DA from Contra Costa County. They believe that DeAngelo is the so-called East Area Rapist, who has been connected to 12 murders, 51 rapes, and hundreds of burglaries.

There are certainly some issues with these DNA tests, but that can be for another time. For now, it’s pretty important to know that there is some good that can come out of it, especially if it means getting criminals off the street.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

How Your Username Can Be used to Track You

You probably have a few usernames, or you might have just one that you use for every site. Either way, your user names can be used not just to identify you online, but it can also be used to track you and find out information about you. How do people track you based on your user name? They do the following:

They Start with a Google Search

The first thing people do to track your username is do a Google search. You will be amazed by all of the information that is out there. However, Google is not the only game in town, so the best scammers will search on other search engines, too, including Bing,  USA.gov, various information broker sites and within social media.

They Then Move on to Social Networks

With so many people on social networks, it is a good possibility that a scammer can find you there, too, especially if they know the username that you use over and over again. It’s easy to find someone on sites like Facebook, Pinterest, Twitter, and Instagram, and in many cases, this is a gold mine of information for them.  Once they find your account, they can do any number of things like save your profile image, and then do a reverse image source. This often helps them find even more information.

Don’t Forget the Blogs

Savvy searchers will also do searches of a username on blogging sites like Tumblr, Blogger, and LiveJournal. Unless your blog is locked down, and most are not, they can read them.

Do a General Sweep of Username Searches

There are other sites, too, that allow people to search by username. For example, you can search for a username on Spotify. This could tell them what types of music you like. They also might look on a site like Reddit, and they can see any comments you have made. They aren’t done yet, though…you can even search for usernames on sites like Amazon.com and eBay. As you can imagine, once they go through all of these steps, they can know a ton about you.

You might think that this is an invasion of privacy, but all of this information is totally legal, totally available, and totally free.

And many of you are TOTALLY putting it ALL out there!

If you put your information out there, it is there for anyone to look at and use as they will. So, consider changing up your usernames, and while you are at it, take a look at your accounts and content to make sure nothing there’s going to get you in trouble, and beef up the security options.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

ISPs invading Subscriber’s Privacy

It’s hard to keep track of the news of politics these days, and even if you can, how do you know it’s even real? The political landscape has greatly changed since January, and there have been a lot of laws passed that will affect us all, including the repeal of a law that protected your privacy on the internet. Basically, with this repeal, your internet service provider, or ISP, can sell your browsing history to anyone.

If you use the internet, you will be affected by this law. Not only will this change allow your ISP sell your browsing history to the highest bidder, it could also make it easier than ever before to access information about your family, your finances, and your health. Your ISP can now sell this information to companies, and they don’t need your permission to do so.

So, what does this mean for you? After all, you might not think it really matters that much. In simple terms, it means that your ISP can collect data about your browsing habits, create a record of this, and then sell it to advertisers. Think about your browsing history yesterday. If you want, open it up right now from your browser. One minute, you might have been buying dog food on Amazon, and then next, reading the latest news from the Kardashians. Regardless of if you want advertisers to know that you are a Kardashian fan, or not, to them, your data is a gold mine.

Now, think about your browsing history over the past few weeks or months, and then consider that your ISP knows each and everything you have searched for. It knows about that weird smell coming from your laundry room that you checked out online, and it knows that you have listened to that catchy new pop song a few times. It also knows your deepest worries, your sexual preferences, your political leanings, and what you are feeding your family. This information is invaluable to advertisers, but do you really want it getting out?

Luckily, you have options, one of which is called a VPN, or Virtual Private Network, which will encrypt data. Some of these, such as Hotspot Shield VPN, a client, is a good option. Also, start paying attention to those cookies and delete them.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Consumers Have Given Up on Security

According to a recent study, online security for most people is too bothersome. The US National Institute of Standards and Technology published the study, which shows that most people who use the internet have just given up and don’t follow the advice given to them about online security.

The result of this is that consumers are engaging in risky online behavior, and according to one survey participant, if “something happens, it is going to happen” and “it is not the end of the world.”

This is concerning to many, including security experts and survey authors. During this survey, approximately 40 people were interviewed in order to understand how those without a technical background feel about computer security. Though this isn’t a total significant sample size, it is a surprising look at how people feel about the information that experts are giving them. Each interview ran from 45 minutes to an hour, and the goal of the researchers was to find out where the average person stands on online security.

The authors of the report were surprised by the resignation of the interviewees during the survey. Essentially, they saw that people just can’t keep up with security changes. The survey participants, overall, believe that online security is too complex, and these people don’t see the benefits of making any efforts.

Some of the people who took the survey seemed to be under the impression that they didn’t have any information that a hacker would want. For example, one person claimed that they don’t work in a government agency and they don’t send sensitive information over email, so if a hacker wants to take their blueberry muffin recipe, they can go ahead and take it.

What’s interesting is what the study’s authors found when comparing those who had experienced identity theft with those who hadn’t. Those who have had an incident with the theft of their identity were much more focused on their online security.

To help the survey participants better understand their risks and to change their minds about internet security, study authors advise that those involved in technology and security must work diligently to help the people using the internet understand the dangers of lax security. They also must work to make it easy for internet users to do the best they can when keeping their accounts safe. It’s important for people who use the internet to make it a habit to remain more secure.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Top 3 Social Engineering Scams

Think about hackers breaking into accounts. If you think they need top-notch computer skills, you would be wrong. These days, instead of requiring skills behind a keyboard, hackers generally rely on strategy…specifically a strategy called social engineering. This means that hackers don’t have to be technical, but they DO have to be clever and crafty because they are essentially taking advantage of people and “tricking” them into giving information.

There are four main ways that hackers use social engineering:

  • Phishing – where hackers use email tricks to get account information
  • Vishing – similar to phishing, but through voice over the phone
  • Impersonation – the act of getting information in person
  • Smishing – getting account info through text messages

Phishing accounts for 77 percent of all social engineering incidents, according to Social Engineer, but in vishing attacks, alone, businesses lose, on average, $43,000 per account.

Here are the top scams that all consumers and businesses should know about as we move into 2017:

Scam Using the IRS

Starting from the holiday season stretching through the end of tax season, there are scams involving the IRS. One such scam uses caller ID to change the true number of the caller and replaces it with a number from Washington, D.C., making it look like the number is from the IRS. Usually, the hacker already knows a lot about the victim, as they got information illegally, so it really sounds legit.

In this scam, the hacker tells the victim that they owe a couple of thousands of dollars to the IRS. If the victim falls for it, the hacker explains that due to the tardiness, it must be paid via a money transfer, which is non-traceable and nonrefundable.

BEC or Business Email Compromise Scam

In the business email compromise, or BEC scam, a hacker’s goal is to get into a business email account and get access to any financial data that is stored within. This might be login information, back statements, or verifications of payments or wire transfers.

Sometimes a hacker will access the email by using an email file that contains malware. If an employee opens the file, the malware will infect the computer and the hacker has an open door to come right in.

Another way that hackers use the BEC scan is to access the email of a CEO. In this case, they will impersonate the CEO and tell the financial powers that be that he or she requires a wire transfer to a bank account. This account, of course, belongs to the hacker not the business. When most people get an email from their boss asking them to do something, they do it.

Ransomware

Finally, hackers are also commonly using ransomware to hack their victims. In this case, the hackers are working towards convincing targets to install dangerous software onto their computer. Then, the computer locks out the data and the victim cannot access it…until he or she pays a ransom.

At this point, they are informed that they can get access back when they pay a ransom. This might range from a couple of hundred to several thousands. Usually, the hackers demand payment by bank transfer, credit card, bitcoin, PayPal, or money transfer services. Victims are usually encouraged to go to a certain website or call a certain number Unfortunately, too often, once the victim pays the ransom, the hacker never opens up the system. So now, the hacker has access to the victim’s computer and their credit card or financial information.

The way social engineering works in this scam is varied:

One way is this…imagine you are browsing the internet, and then you get a popup warning that looks quite official, such as from the FBI. It might say something like “Our programs have found child pornography on your computer. You are immediately being reported to the FBI unless you pay a fine.” When you click the popup to pay, the program actually downloads a program called spyware to your computer that will allow the hacker to access your system.

Another way that social engineering works with ransomware is through voice. In this case, you might get a phone call from someone saying they are from Microsoft and the representative tells you that they have scanned your computer and have found files that are malicious. Fortunately, they can remotely access the machine and fix the problem, but you have to install a program to allow this. When you install it, you give them access to everything, including personal and financial information, and they can do what they want with it.

Finally, you might get an email offering a free screen saver or coupon, but when you open it, the software encrypts your drive and takes over your computer.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Parents legally can spy on their Kids

Just because something is legal, does that mean you should do it? In the case of spying on your kids’ phone activities, some say yes. Though the very same mode of operation is illegal in most states when the eavesdropper is your boss or anyone else and you’re the “eavesdropee,” this same mechanism is legal and encouraged for parents to their kids.

12DYou’re probably envisioning a parent listening in on their boy-crazy teen daughter’s phone conversation. But it’s more than that.

According to a nydailynews.com article, the Court of Appeals in New York ruled that secretly listening in on and even recording a cellphone conversation is legal—after a man recorded a cellphone conversation involving his five-year-old son. The child’s mother’s boyfriend, over the phone, threatened to beat him.

Dad acted in good faith when he wired the phone, and the slime who made the threat, was convicted on three counts. But his attorney claimed that the eavesdropping was illegal and thus, the conversation was not admissible.

The judge in this case pointed out that not all cases come in template form inside a black box. But can a parent eavesdrop on an older child who’s cognizant enough to rationally protest? Again, we can’t apply a cookie cutter to this concept. But in New York, it’s legal to conduct this practice, with the assumption that the parent is acting in the best interest of the minor.

In another case, points out the article, a woman inserted a tape recorder in her autistic son’s backpack to pick up the suspected verbal abuse from the boy’s bus matron.

The line can be very fuzzy over just when it’s ethical for a parent to tap a child’s phone conversations and when it’s done for more self-serving reasons, such as in divorce cases. Again, it’s legal in New York, because it was determined that the potential benefits far outweigh the potential grievances.

At least 12 other states, though, are on board with this doctrine of vicarious consent, including New Jersey, Texas, Arizona, Maine and the Carolinas. Hopefully, not too many parents will abuse this legal right and end up eavesdropping for the fun of it or to show off their “power” as the adult in charge.

But that fact is, kids can get into lots of trouble with their physical and digital lives if their parents are unaware of what’s going on.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

What is a Cache?

Perhaps someone has told you that you need to “clear your cache,” but what does this mean and why should you do it? A cache is a folder of recently visited webpages, which is stored on your computer’s hard drive, and maintained by your Internet browser.

1DThe purpose of a cache is to speed up the loading of webpages. Your computer’s hard drive collects data from websites that you visit, so that when you visit them again, certain aspects of the previously visited pages (such as graphics) don’t have to be reloaded the next time, and this makes the loading time a little bit shorter.

But the space your cache has on your hard drive is limited, and over time, it can get congested. Data that hasn’t been accessed for a while gets tossed out to make room for new data from the new pages that you visit.

And sometimes, the cache process doesn’t work properly. The result is an incompletely loaded page, or a page that looks odd because it’s supposed to load new content but it’s showing old content. (Sometimes, page loading problems aren’t caused by a faulty cache, but this is such a common cause that you’ve probably heard people say, “You need to clear your browser’s cache.”)

So, now you know what a cache is, here are some specific steps to clear it on different browsers:

How to clear your cache in Chrome:

  • In the upper right of the browser click the little icon that says “Customize and control Google Chrome” when you hover over it with your cursor
  • Click History
  • Click “Clear browsing data”

How to clear your cache in Internet Explorer:

  • In the upper right of Internet Explorer, click the gear icon or “Tools”
  • Click Internet Options
  • Under “Browsing History” you’ll see a delete button; click that.

If you use another browser, and there are a few, search online for instructions on how to clear your cache.

Another option you have is to use software (free or paid) designed to clean the clutter from your computer and devices. These programs often work well, but sometimes they work too well and clean more than they are supposed to. It’s always a good idea to backup your information before cleaning your computer.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

McAfees 10 Tips To Secure New Devices and Guard Against Cybercrime in 2011

Here are some practical tips from McAfee to ensure optimal Internet safety and security in 2011:

Be aware that threats aimed at mobile phones are growing – Use software that backs up smart devices and use strong discretion when storing, saving or editing personal information on your smartphone or device. Don’t keep all of your personal passwords on your device, and avoid using it to store financial information like credit card and bank account numbers.

Keep in mind that gaming and entertainment devices are now Internet-connected – Many people don’t realize that their new gaming console may represent another port of entry for cybercrooks into their household. Some Internet TV applications can expose personal information, so be sure to install anti-virus software, two-way firewalls, anti-spyware, anti-phishing, and safe search capabilities, just as you would on a PC. Block free browser access via these devices and use parental controls wherever possible to ensure the safety of children who play interactive games.

Use technologies to protect information on USBs – Secure USB sticks by encrypting information, making it unreadable to someone who has taken or found it. In addition, install security software to protect portable hard drive devices and never leave such devices unattended.

Make sure that you are using a comprehensive security software platform for your PC– Free point solutions may work well for specific concerns and known threats, but it won’t protect you against emerging threats and is usually only being offered to get you to buy more comprehensive software. Ensure that it is comprehensive – meaning it has anti-virus with cloud computing, a two-way firewall, anti-spyware, anti-phishing and safe search capabilities.

Invest in identity theft protectionYour identity is you’re your most valuable asset. And with all your information contained and transmitted on your devices you need comprehensive coverage to protect you from identity thieves.

Make sure to transfer your PC best practices to all of your Internet-connected devices If you have an Apple device, Apple’s MobileMe service is available, providing tools for synching, backing up and securing data. Consider installing security software for new Internet connected devices such as smartphones, and make sure the device’s Wi-Fi is connected to a secure network.

Pay attention to your children’s online activities Communicate with children about cybercrimes, monitor their web activity and consider keeping the family computer in a common space to minimize their exposure to inappropriate content. For additional advice on child safety, visit the McAfee Family Internet Safety Center at www.mcafee.com/family and 10-Step Internet Safety Plan For Your Family.

Search and shop safely Before submitting credit card numbers or other personal information, always read the online vendor’s privacy and security policy. Consider using a trusted website safety advisor, such as McAfee® SiteAdvisor® software, included in all of McAfee consumer security suites, to determine which ecommerce sites are safe. Also, look for the McAfee SECURE™ trustmark before heading to the check-out counter.

Back up critical information Guard against data loss by utilizing a regular back-up software program to ensure that all critical information and personal files are safe in case of emergency.

STOP. THINK. CONNECT. is the first-ever coordinated message to help all digital citizens stay safer and more secure online. The message was created by an unprecedented coalition of private companies, nonprofits and government organizations

Robert Siciliano is a McAfee Consultant and Identity Theft Expert. See him discussing how a person becomes an identity theft victim on CounterIdentityTheft.com (Disclosures)