Phishing attacks Two-Factor Authentication

Hackers bank heavily on tricking people into doing things that they shouldn’t: social engineering. A favorite social engineering ploy is the phishing e-mail.

13DHow a hacker circumvents two-factor authentication:

  • First collects enough information on the victim to pull off the scam, such as obtaining information from their LinkedIn profile.
  • Or sends a preliminary phishing e-mail tricking the recipient into revealing login credentials for an account, such as a bank account.
  • The next phase is to send out a text message appearing to be from the recipient’s bank (or PayPal, Facebook, etc.).
  • This message tells the recipient that their account is about to be locked due to “suspicious” activity detected with it.
  • The hacker requests the victim to send the company (which is really the hacker) the unique 2FA code that gets texted to the accountholder upon a login attempt. The victim is to wait for this code to be sent.
  • Remember, the hacker already has collected enough information (password, username) to make a login attempt. Entering this data then triggers a send of the 2FA code to the victim’s phone.
  • The victim then texts back the code—right into the hacker’s hands. The hacker then uses it to get into the account.
  • The victim made the cardinal mistake of sending back a 2FA code via text, when the only place the victim is supposed to enter this code is the login field of their account when wanting to access it!

So in short, the crook somehow gets your password (easy with brute force software if you have a weak password) and username or retrieved in a data dump of some hacked site. They spoof their text message to you to make it look like it came from the company of your account.

Red flags/scams/behaviors/requests  to look out for:

Pay Attention!

  • You are asked via phone/email/IM etc to send someone the 2FA code that is sent to your mobile (prompted by their login attempt).
  • If you receive the 2FA code, this means someone is trying to gain access to your account. If it’s not you, then who is it?
  • Never send any 2FA code out via text, e-mail or phone voice. Never. Consider any such request to be a scam.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Phishing Protection 101

Phishing-type e-mails are designed to trick the recipient into either downloading a virus (which then gives the hacker remote control of the computer) or revealing enough information for the thief to open credit cards in the victim’s name, get into their bank account, etc.

13DThere are many ways the crook can trick the victim. Here are telltale signs:

  • The message wants you to “verify” or “confirm” your password, username or other sensitive information.
  • And why must you do this? Because “suspicious activity” has been detected on your account, or, your account “is at risk for being compromised.”
  • Your name may or may not be in the message. Always be suspect.
  • Financial institutions will never ask you to enter your login information in an email and be suspect on a website.
  • Another ploy is the subject line: There’s a sense of urgency, such as, “Your account is about to be suspended.” A business will contact you by phone or snail mail if there’s a problem.
  • Even if the e-mail seems to have come from your boss at work and addresses you by name, and includes a link…realize that a hacker is capable of learning enough about someone from their LinkedIn page and Facebook to then convincingly impersonate someone they know.

Links in E-mails

  • Typically there’s a link (when there’s not, there’s a malicious attachment).
  • Never click links inside e-mails even if the sender seems to be your employer, health plan carrier or other enterprise you’ve done business with.
  • Hover the mouse over the link. If the URL is different than what’s there, assume it’s a scam.
  • Generally, only click links in emails when you have to actually click the link to verify an email address once you have just signed up for a new website.

Additional Telltale Signs

  • Just weird stuff. For example, a person who edits for a living receives an unexpected e-mail explaining there’s an attachment that needs to be proofread; wow, a paying gig!
  • Not so fast. The accompanying letter is very poorly constructed, including misspellings of common words, and includes very irrelevant information, such as “I’m a single mom with three wonderful kids.” Why would THIS be included in a legitimate proofreading job?
  • Yet how did the scammer know you’re an editor? Because the crook’s software somehow found your e-mail on the editing gig site you registered with two years ago.
  • The subject line says you’ve won something, or you’ll lose something.
  • If you go to a website and don’t see your site key (if you registered with one), leave. But you shouldn’t have gone to the website in the first place!
  • Always beware of emails purportedly from FedEx, UPS, Amazon, Ebay or anything in your spam folder.

Embrace the idea of deleting reams of UNREAD e-mails without having opened them. If a subject line has you worried, such as “You owe back taxes” or “Your shipment was lost,” then phone the appropriate personnel to see if this is true.

If you suspect you’ve been scammed:

  • Log into whatever account might be compromised and check messages, contact customer service.
  • Place a fraud alert on your credit if your SSN was exposed.
  • Update your security software; run a full system scan.
  • If you revealed any login information, change that account’s login data.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Security Appreciation lacking

What’s it gonna take for companies to crack down on their cybersecurity? What’s holding them back? Why do we keep hearing about one company data breach after another?

1SWell, there’s just not enough IT talent going around. The irony is that most company higher-ups admit that cybersecurity is very important and can even name specific situations that could compromise security, such as

having multiple vendors vs. only a single vendor; not having quality-level encryption in place; allowing employees to bring their own mobile devices to work and use them there for business; and having employees use cloud services for business.

Many even admit that they lack confidence in preventing a sophisticated malware onslaught and are worried about spear phishing attacks.

So as you can see, the understanding is out there, but then it kind of fizzles after that point: Businesses are not investing enough in beefing up their cybersecurity structure.

Let’s first begin with signs that a computer has been infected with malware:

  • It runs ridiculously slow.
  • Messages being sent from your e-mail—behind your back by some unknown entity.
  • Programs opening and closing on their own.

What can businesses (and people at home or traveling) do to enhance cybersecurity?

  • Regularly back up all data.
  • All devices should have security software and a firewall, and these should be regularly updated.
  • Got an e-mail from your boss or company SEO with instructions to open an attachment or click a link? Check with that person first—by phone—to verify they sent you the attachment or link. Otherwise, this may be a spear phishing attempt: The hacker is posing as someone you normally defer to, to get you to reveal sensitive information.
  • Mandate ongoing security training for employees. Include staged phishing e-mails to see who bites the bait. Find out why they bit and retrain them.
  • Never open e-mails with subject lines telling you an account has been suspended; that you won a prize; inherited money; your shipment failed; you owe the IRS; etc. Scammers use dramatic subject lines to get people to open these e-mails and then click on malicious links or open attachments that download viruses.
  • Install a virtual private network before you use public Wi-Fi.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Look out for Shipping E-mail Phishing Scams

Stop clicking on e-mails about your package delivery! Scam, scam, scam! Look, it’s simple:13D

  • Scammers are also pretending to be from the DHL and FedEx shipping companies, not just UPS.
  • Crooks know that at any given time, thousands and thousands of U.S. people are waiting for a package delivery.
  • So these cyber thieves send out mass e-mails by the millions, knowing that they will reach a lot of people who are expecting a package.
  • The subject line of these e-mails says something about “your delivery” or “your shipment” that lures the recipient into opening the e-mail. Usually, the message is that the delivery has failed, and the recipient is tricked into clicking on an attachment or a link.
  • And that’s when malware gets downloaded to their computer.

This technique is called social engineering: tricking people into doing things they shouldn’t. People are too quick to click. I wonder how many of these clicker-happy people ever even gave their e-mail address to UPS. The last time I sent something via UPS, I don’t even recall being asked for my e-mail address.

But people so freely give out their e-mail address, that when they receive one of these phishing e-mails by crooks, they think it’s legitimate. They believe that the attachment is a new shipping label to print out. They even believe the threat that if they don’t use this new label right away, they’ll be charged a fee. It’s all about hurry, hurry, hurry! People don’t stop and T-H-I-N-K first.

What can be done about this? First off, don’t freely give out your e-mail. That way, if you get an e-mail from a company that you just, by chance, happen to be doing business with, you’ll know it’s a fraud—because you never gave your e-mail to that company in the first place.

Next, share this information with your family and friends. They’ll probably all deny that they’re capable of falling for this scam, but I’m sure that when the unwise ones are alone, they’ll give it some hard thought.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Protect Yourself from Phishing

Everyone has received very obvious “phishing” e-mails: Messages in your in-box that have outrageous subject lines like “Your Account Will Be Suspended,” or, “You Won!”

13DWhile some phishing attacks are obvious, others look harmless, such as those in a person’s workplace in-box, seemingly from their company’s higher-ups.

Researchers point out that an e-mail may appear to come from the company’s HR department, for example. E-mails with an “urgent email password change request” had a 28% click rate, Wombat security reported.

Phishing victims act too quickly.

In the workplace, instead of phoning or texting the HR department about this password reset, or walking over to the HR department (a little exercise never hurts), they quickly click.

So one way, then, to protect yourself from phishing attacks is to stop acting so fast! Take a few breaths. Think. Walk your duff over to the alleged sender of the e-mail for verification it’s legit.

Wombat’s survey reveals that 42% of respondents reported malware infections, thanks to hasty clicking. However, employees were more careful when the e-mail concerned gift card offers and social media.

The report also reveals:

  • 67% were spear phished last year (spear phishing is a targeted phishing attack).
  • E-mails with an employee’s first name had a 19% higher click rate.
  • The industry most duped was telecommunications, with a 24% click rate.
  • Other frequently duped industries were law, consulting and accounting (23%).
  • Government was at 17%.

So as you see, employees continue to be easy game for crooks goin’ phishin.’

And attacks are increased when employees use outdated plug-ins: Adobe PDF, Adobe Flash, Microsoft Silverlight and Java.

The survey also reveals how people guard themselves from phishing attacks:

  • 99% use e-mail spam filters.
  • 56% use outbound proxy protection.
  • 50% rely on advanced malware analysis.
  • 24% use URL wrapping.

These above approaches will not prevent all phishing e-mails from getting into your in-box. Companies must still rigorously train employees in how to spot phishing attacks, and this training should include staged attacks.

Protect Yourself

  • Assume that phishing e-mails will sometimes use your company’s template to make it look like it came from corporate.
  • Assume that the hacker somehow figured out your first, even last name, and that being addressed by your full name doesn’t rule out a phishing attack.
  • Get rid of the outdated plug-ins.

Phishing attacks are also prevalent outside the workplace, and users must be just as vigilant when on their personal devices.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Phishing works and here’s why

A phishing e-mail is sent by a cyberthief to trick its recipient into revealing sensitive information so that the crook could steal money from the recipient or gain access to a business’s classified information. One way to lure an employee is for the crook to make the e-mail appear like it was sent by the company’s CEO. Often, phishing e-mails have urgent subject lines like “Your Chase Bank Balance Is Negative.”

PSHIn its 2015 Data Breach Report, Verizon reported that 23 percent of employees open their phishing e-mails. Eleven percent go further by clicking on something they shouldn’t.

Why do so many employees (and mainstream users) fail to recognize a phishing e-mail? Strong security awareness training at companies is lacking. Perhaps the company simply tosses a few hardcopy instructions to employees. Perching them before videos isn’t enough, either.

Security awareness training needs to also include staged phishing attacks to see which employees grab the bait and why they did so. With a simulated phishing attack approach, employees will have a much better chance of retaining anything they’ve learned. It’s like teaching a kid to hit a homerun; they won’t learn much if all they do is read instructions and watch videos. They need to swing at balls coming at them.

The return on investment from staged phishing attacks will more than offset the cost of this extra training. Living the experience has proven to be a far more effective teacher than merely reading about it or listening to a lecture. As straightforward as this sounds, this approach is not the rule in companies; it’s the exception.

Even rarer is when phishing simulation is ongoing rather than just an annual or semiannual course. But just because it’s rare doesn’t mean it’s not that effective. Companies tend to cut corners any way they can, and foregoing the phishing simulations is often at the top of the list of investments to nickel-and-dime.

If you want to see how gullible your employees (or family and friends) are to phishing e-mails, which again, are geared towards tricking the recipients to click on a malicious link or attachment, pay a visit to Phish.io.

Here you can register, and this free service will send phishing e-mails to your specified recipients. However, these are harmless tests and will not lead to anything negative—other than to reveal who can be duped.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Phishing Scams: Don’t Click that Link!

You’re sitting on your front porch. You see a stranger walking towards your property. You have no idea whom he is. But he’s nicely dressed. He asks to come inside your house and look through your bank account records, view your checkbook routing number and account number, and jot down the 16-digit numbers of your credit cards. Hey, he also wants to write down all your passwords.

13DYou say, “Sure! Come on in!”

Is this something you’d be crazy enough to do? Of course not!

But it’s possible that you’ve already done it! That’s right: You’ve freely given out usernames, passwords and other information in response to an e-mail asking for this information.

A common scam is for a crook to send out thousands of “phishing” e-mails. These are designed to look like the sender is your bank, UPS, Microsoft, PayPal, Facebook, etc.

The message lures the recipient into clicking a link that either leads to a page where they then are tricked into entering sensitive information or that link is infected and downloads malware to the users’ device.

The cybercriminal then has enough of your information to raid your PayPal or bank account and open up a new line of credit—in your name.

The message typically says that the account holder’s account is about to be suspended or deactivated due to (fill in the blank; crooks name a variety of reasons), and that to avoid this, the account holder must immediately re-enter login information or something like that.

Sometimes a phishing e-mail is an announcement that the recipient has won a big prize and must fill out a form to collect it. Look for emails from FedEx or UPS requiring you to click a link. This link may be infected.

Aside from the ridiculousness of some subject lines (e.g., “You’ve Won!” or “Urgent: Your Account Is in Danger of Being Deactivated”), many phishing e-mails look legitimate.

If you receive an e-mail from a company that services you in any way, simply phone them before you click on any link. If you click any of the links you could end up with malware.

Watch this video to learn about how to avoid phishing:

https://youtu.be/c-6nD3JnZ24

Save yourself the time and just call the company. But you don’t even have to do that. Just ignore these e-mails; delete them. Nobody ever got in trouble for doing this. If a legitimate company wants your attention, you’ll most likely receive the message via snail mail, though they may also call.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

How to Recognize a Phishing Scam

So someone comes up to you in a restaurant—a complete stranger—and asks to look at your driver’s license. What do you do? Show it to that person? You’d have to be one loony tune to do that.

3DHowever, this same blindness to security occurs all the time when a person is tricked by a “phishing” e-mail into typing in the password and username for their bank, or it may be the login credentials for their PayPal account or health plan carrier.

Phishing e-mails are a favorite scam of cyber criminals. THEY WORK.

When a cyber thief goes phishing, he uses a variety of bait to snag his prey. Classic examples are subject lines that are designed to get the recipient to immediately open the message and quickly react to it, such as an announcement you owe money, have won a prize or that your medical coverage has been cancelled.

And to resolve these problems, you’re asked to log into your account. This is where you place your account credentials into the palm of the thief on the other end of these e-mails.

  • Phishing e-mails may address you by name (the hacker already knows about you), but usually, your name is nowhere mentioned.
  • The e-mails usually contain at least one link they want you to click. Hover your mouse to see what the URL is. It may appear legit, but note the “http” part. Reputable sites for giant businesses, such as Microsoft and PayPal, will have an “https” in their URL. The phishing link’s URL will usually not have the “s.”
  • A big red flag is if there are typos or poorly constructed sentences, but a phishing e-mail may also have flawless text.
  • Don’t be fooled by company logos, stock imagery, privacy policies, phone numbers and other formalities in the message field. It’s so easy for a hacker to put these elements in there.
  • Be leery of warnings or alerts that don’t sound right. Gee, why would your account be “in danger of being suspended”?

The links will take you to a phony site that looks like the real thing and ask you for your login credentials, credit card information, etc. Another way this scam works is by downloading a virus to your computer after you click on the link. Sometimes there’s an attachment that you’re urged to open. The lure might be that it’s a survey from your bank or a report to review from your employer.

A phishing e-mail may still look like the real deal. So how do you protect yourself? Never click on links inside e-mails. Don’t open attachments unless they’ve been sent from someone you personally know. If you think it’s from your company, healthcare plan or bank, then whip out your phone and call the company to see if they sent you the e-mail.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Phishing 101: How Not to Get Hooked

You’d think that it would be as easy as pie to avoid getting reeled in by a phishing scam. After all, all you need to do is avoid clicking on a link inside an email or text message. How easy is that?

A phishing scam is a message sent by a cybercriminal to get you to click on a link or open an attachment. Clicking on the link or attachment downloads a virus, or takes you to a malicious website (that often looks like real site).

You are then tricked into entering user names, passwords and other sensitive account information on the website that the scammer then uses to take your money, steal your identity or impersonate you.

Intel Security recently designed a quiz to help people identify a phishing email. Sometimes they’re so obvious; for example, they say “Dear Customer” instead of your actual name, and there are typos in the message. Another tip-off is an unrealistic “threat” of action, such as closing down your account simply because you didn’t update your information. Some scammers are more sophisticated than others and their emails look like the real thing: no typos, perfect grammar, and company logos.

The quiz showed ten actual emails to see if all of us could spot the phishing ones.

  • Out of the 19,000 respondents, only 3% correctly identified every email.
  • 80% thought at least one phishing email was legitimate.
  • On average, participants missed one in four fraudulent emails.

image001

The biggest issue may not be how to spot a phishing scam as much as it is to simply obey that simple rule: Don’t click links inside emails from unknown senders! And don’t download or click on attachments. Now if you’re expecting your aunt to send you vacation photos and her email arrives, it’s probably from her.

But as for emails claiming to be from banks, health plan carriers, etc.…DON’T click on anything! In fact, you shouldn’t even open the message in the first place.

And I can’t say this enough: Sorry, but you aren’t special enough to be the one person to be chosen as the recipient of some prince’s lofty inheritance. And nobody wins a prize out of the blue and is emailed about it.

A few more things to keep in mind:

  • An email that includes your name can still be a phishing scam.
  • Don’t fret about not opening a legitimate message. If it is, they’ll call you or send a snail mail.
  • You can also contact the company directly to see if they emailed you anything.

Want to see how your phishing skills stack up? Take the Intel Security quiz, here.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures.

How your Brain is affected by Phishing Scams

A recent study says that people are more mindful of online safety issues than what experts had previously believed. An article on phys.org says that Nitesh Saxena, PhD, wanted to know what goes on in users’ brains when they come upon malicious websites or malware warnings.

13DSaxena points out that past studies indicated that users’ minds are pretty much blank when it comes to malware signs. Saxena and colleagues used brain imaging (functional MRI) for their study.

Study subjects were asked to tell the authentic login pages of popular websites from phony replications. A second task for them was to differentiate between harmless pop-ups while they read some news articles and pop-ups with malware warnings.

The fMRI showed brain activity as it corresponded to the users’ online activity: attention, making decisions, solving problems. The images lit up for both tasks, but of course, fMRI can’t tell if the user is making the right decision.

That aside, the results were that the users were accurate 89 percent of the time with the malware warning task. When users were met with malware warnings, the language comprehension area of the brain lit up. Saxena states in the phys.org article, “Warnings trigger some sort of thought process in people’s brains that there is something unusual going on.”

The accuracy rate of telling an authentic website from a phony one was just 60 percent. Saxena believes this might be because users don’t know what to look for. For instance, they don’t know to look at the URL, which can give away the phoniness.

This study also had the participants complete a personality evaluation to measure impulsiveness. The fMRI images revealed differences based on impulsivity. Saxena says there was a “negative correlation” between brain activity and impulsive behavior. The impulsive user is prone to hastily clicking “yes” to proceed, when a malware warning pops up.

There was less brain activity in the key cerebral areas of decision-making in the users who had greater degrees of impulsivity.

This study has potential applications for the improved design of malware warning systems. These results can also assist company managers by identifying impulsive workers who need stronger online security training.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention.