The Ultimate Guide to Passwords, Password Managers, Two Factor and Passkeys

In the age of digital interconnectedness, passwords have become the first line of defense against cyber threats. Unfortunately, many individuals still rely on weak, easily guessable passwords that leave their online accounts vulnerable to attacks. This article delves into the most commonly used and easily crackable passwords, and provides essential tips for creating and managing strong, secure passwords.

See ProtectNow’s Cyber Security Awareness Check to determine whether your personal or organizational security has been breached. Get an instant answer: check whether your email has been breached, or whether your password(s) have been breached.

Commonly Used Weak Passwords

Cybersecurity experts have identified several password patterns that are frequently exploited by hackers:

  1. Personal Information: Using personal information like names, birthdays, or pet names as passwords is a significant security risk. Hackers can easily obtain this information through social media or data breaches.
  2. Simple Sequences: Passwords composed of simple sequences like “123456,” “password,” or “qwerty” are incredibly easy to crack.
  3. Repetitive Patterns: Using the same password for multiple accounts is a common mistake. If one account is compromised, hackers can gain access to all linked accounts.
  4. Predictable Variations: Modifying a weak password slightly, such as adding a number or symbol, doesn’t significantly improve security. Hackers can use automated tools to quickly crack these variations.

How Hackers Crack Passwords

Hackers employ various techniques to crack passwords, including:

  1. Brute-Force Attacks: This method involves systematically trying every possible combination of characters until the correct password is found.
  2. Dictionary Attacks: Hackers use lists of common words and phrases to guess passwords.
  3. Credential Stuffing: Hackers reuse stolen credentials from one data breach to attempt to log into other accounts.

Creating Strong, Secure Passwords

To protect your online accounts, it’s crucial to create strong, unique passwords for each account. Here are some tips:

  1. Password Length: Aim for passwords that are at least 12 characters long. Longer passwords are significantly harder to crack.
  2. Password Complexity: Incorporate a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessable patterns.
  3. Password Uniqueness: Use a different password for each online account. This limits the damage if one account is compromised.
  4. Password Manager: Consider using a password manager to securely store and generate complex passwords.
  5. Two-Factor Authentication (2FA): Enable 2FA whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone.
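The weak-pattern list above (personal information, simple sequences, reuse across accounts, predictable variations) and the strength rules in this list (12+ characters, mixed character classes, one password per account) can be turned into a defender-side hygiene check. The following is an added example, not code from the original article or from ProtectNow: the common-password list, the sample profile and the sample vault are constructed for illustration, and a real deployment would use a breach-derived list of common passwords.

```javascript
// Added example (not from the original article): a password hygiene checker
// that flags the weak patterns the article lists and checks its strength rules.
// COMMON_PASSWORDS, sampleProfile and sampleVault are constructed sample data.
const COMMON_PASSWORDS = ['123456', 'password', 'qwerty', 'letmein', 'iloveyou', 'admin', 'welcome'];

// Keyboard rows plus alphabet and digit runs, used to detect simple sequences.
const SEQUENCES = ['0123456789', 'abcdefghijklmnopqrstuvwxyz', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm'];

// Common symbol/digit substitutions mapped back to letters so that
// "P@ssw0rd" is recognised as a variation of "password".
const LEET = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };

// Strip a short trailing run of digits/symbols ("password1", "qwerty!!") and
// undo leet substitutions, so predictable variations collapse to a base word.
function normalize(pw) {
  const stripped = pw.toLowerCase().replace(/[^a-z]{1,6}$/, '');
  return stripped.split('').map(c => LEET[c] || c).join('');
}

// True if the password contains a 4-character run taken from a keyboard row,
// the alphabet or the digits, in either direction ("1234", "dcba", "asdf").
function hasSequence(pw) {
  const lower = pw.toLowerCase();
  for (let i = 0; i + 4 <= lower.length; i++) {
    const chunk = lower.slice(i, i + 4);
    const reversed = chunk.split('').reverse().join('');
    if (SEQUENCES.some(s => s.includes(chunk) || s.includes(reversed))) return true;
  }
  return false;
}

// Number of distinct character classes present (lower, upper, digit, symbol).
function characterClasses(pw) {
  return [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter(re => re.test(pw)).length;
}

// Assess one password against the article's rules. `profile` holds personal
// tokens (names, pet names, birth year) that must not appear in the password.
// Returns a list of findings; an empty list means no weakness was detected.
function assessPassword(pw, profile = []) {
  const findings = [];
  const lower = pw.toLowerCase();
  const base = normalize(pw);

  if (pw.length < 12) findings.push('too short: fewer than 12 characters');
  if (characterClasses(pw) < 3) findings.push('low complexity: mix upper, lower, digits and symbols');
  if (COMMON_PASSWORDS.includes(lower)) findings.push('common password');
  else if (COMMON_PASSWORDS.includes(base)) findings.push('predictable variation of a common password');
  if (hasSequence(pw)) findings.push('contains a simple sequence');
  for (const token of profile) {
    const t = token.toLowerCase();
    if (t.length >= 3 && (lower.includes(t) || base.includes(t))) {
      findings.push(`contains personal information: ${token}`);
    }
  }
  return findings;
}

// Find accounts that share a password; every group returned is a reuse problem.
function findReusedPasswords(vault) {
  const byPassword = new Map();
  for (const { account, password } of vault) {
    if (!byPassword.has(password)) byPassword.set(password, []);
    byPassword.get(password).push(account);
  }
  return [...byPassword.values()].filter(accounts => accounts.length > 1);
}

// Constructed sample data for a stand-alone run (fictional user "Jordan", pet "Rex").
const sampleProfile = ['Jordan', 'Rex', '1987'];
const sampleVault = [
  { account: 'bank', password: 'P@ssw0rd1' },
  { account: 'email', password: 'P@ssw0rd1' },
  { account: 'shop', password: 'Rex1987!!' },
  { account: 'work', password: 'tV9#kq2Lm!xR7pZ' },
];

for (const { account, password } of sampleVault) {
  const findings = assessPassword(password, sampleProfile);
  console.log(`${account}: ${findings.length ? findings.join('; ') : 'no weaknesses found'}`);
}
console.log('same password reused by:', findReusedPasswords(sampleVault));
```

Run it with Node.js; the "bank" and "email" entries are reported as a predictable variation of "password" and as reused across two accounts, "shop" is flagged for containing profile information, and only the long random "work" password passes clean. The normalization step is what catches the article's fourth pattern: adding a digit or swapping letters for look-alike symbols does not change the base word the checker sees.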

Password Management Best Practices

To effectively manage your passwords, follow these best practices:

  1. Avoid Sharing Passwords: Never share your passwords with anyone, even trusted friends or family members.
  2. Regularly Update Passwords: Change your passwords periodically to stay ahead of potential threats.
  3. Be Wary of Phishing Attacks: Be cautious of suspicious emails or messages that ask for your personal information or password.
  4. Use Secure Wi-Fi Networks: Avoid using public Wi-Fi networks for sensitive online activities, as they can be vulnerable to hacking.
  5. Stay Informed: Keep up-to-date with the latest cybersecurity news and best practices.

By following these guidelines, you can significantly reduce the risk of your online accounts being compromised. Remember, strong passwords are essential, but they are only one part of a comprehensive cybersecurity strategy.

What is a Passkey?

A passkey is a type of digital key that allows you to sign in to websites and apps without using traditional passwords. It’s a more secure and convenient way to authenticate yourself online.

How it works:

  1. Creation: You create a passkey on your device, typically using your fingerprint, face recognition, or PIN.
  2. Storage: The passkey is stored securely on your device.
  3. Authentication: When you want to sign in to a website or app, you use your device’s built-in authentication method (e.g., fingerprint, face recognition) to verify your identity.

Benefits of using passkeys:

  • Enhanced security: Passkeys are much more secure than traditional passwords, as they are unique to your device and cannot be easily phished or hacked.
  • Improved convenience: You can sign in to your accounts with a simple gesture, eliminating the need to remember complex passwords.
  • Stronger protection against phishing attacks: Passkeys are tied to your device, making it difficult for attackers to trick you into entering your credentials on fake websites.

Where can you use passkeys?

Many tech companies and websites are starting to support passkeys, including Google, Microsoft, and Apple. You can use passkeys to sign in to your Google Account, Microsoft account, and other supported services.

By adopting passkeys, you can significantly improve your online security and simplify your digital life.

What is a Password Manager?

A password manager is a digital tool designed to store and manage your passwords securely. It generates strong, unique passwords for each of your online accounts and encrypts them in a secure vault. This eliminates the need to remember complex passwords and reduces the risk of using weak, easily guessable ones.

Privacy and Security Issues with Password Managers

While password managers are designed to enhance security, there are potential privacy and security concerns to consider:

  1. Master Password Security:
  2. Data Breaches:
  3. Company Practices:
  4. Zero-Knowledge Encryption:
  5. Human Error:

How to Choose a Secure Password Manager:

When selecting a password manager, consider the following factors:

  • Strong Encryption: Ensure the password manager uses robust encryption algorithms to protect your data.
  • Zero-Knowledge Encryption: Opt for a password manager that offers zero-knowledge encryption for maximum security.
  • Regular Security Audits: Choose a company that conducts regular security audits to identify and address vulnerabilities.
  • User-Friendly Interface: A user-friendly interface can make password management easier and less prone to errors.
  • Multi-Factor Authentication (MFA): Enable MFA to add an extra layer of security to your password manager account.
  • Reliable Customer Support: Good customer support can be helpful if you encounter any issues or have questions.

By carefully selecting and using a reputable password manager, you can significantly enhance your online security and protect your sensitive information.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling Amazon author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com.

AI Scammers Are Stealing Homes From Their Owners Without Them Realizing It

Real-estate fraud experts warn that AI advancements and the abundance of publicly available information have made scammers more daring in their attempts at deed or title theft. These fraudsters are targeting a wide range of property owners, from residents of big mansions to individuals with simpler homes or smaller vacant land parcels.

AI systems can swiftly scan databases to identify unoccupied properties or homes without existing mortgages, potentially flagging them as prime targets for fraudulent refinancing schemes. This process is often much faster than manual human searches.

Moreover, the vast amount of personal data accessible to scammers significantly simplifies the task of impersonating property owners. With detailed information at their fingertips, fraudsters can more convincingly assume the identities of legitimate homeowners, making their schemes increasingly difficult to detect and prevent.

Vacant Land Scams

In 2022, a parcel of land in Fairfield, Connecticut, changed hands after a scammer posed as the rightful owner. This type of deed fraud has become a growing concern for ordinary property owners. The recorder’s office functions similarly to a repository for real estate documents, but the responsibility for verifying the legitimacy of transactions often falls on title companies and notaries.

Title professionals are required to carry insurance precisely because they play a crucial role in ensuring the authenticity of property dealings. However, the system faces challenges, particularly with smaller transactions. Many closing agents, focused on processing a high volume of deals, may not always apply the same level of scrutiny to each case.

This situation highlights the vulnerabilities in the current property transaction system and underscores the need for enhanced safeguards to protect property owners from fraudulent activities. The incident in Fairfield serves as a reminder of how easily scammers can exploit weaknesses in the process, potentially causing significant distress and financial loss to legitimate property owners.

Deepfakes Fool Everyone

AI technology is making it increasingly simple for fraudsters to target anyone with their scams. These criminals are now leveraging artificial intelligence across various platforms, including phone calls, email phishing, and even property title transfers with local record keepers.

When title companies insist on verifying identities, some scammers are now offering video calls that turn out to be deepfakes or AI-generated videos, further complicating the verification process.

One of the key strengths of AI is its capacity to process and learn from vast amounts of data. In the context of property fraud, this becomes particularly concerning as property information is often publicly accessible. In certain states, a basic search can reveal a wealth of information including appraisal data, blueprints, transaction history, and even images of signed deeds.

With the aid of AI, fraudsters can now produce counterfeit documents more rapidly and with a higher degree of realism. This technological advancement significantly enhances their ability to create convincing forgeries, making it more challenging for authorities and property owners to detect and prevent such scams.

It’s Getting Worse

A recent study conducted in May 2024 by the American Land Title Association and NDP Analytics revealed that seller impersonation fraud is becoming increasingly prevalent in the real estate industry. This type of fraud, where individuals falsely assume the identities of property owners to sell their properties, affected a significant portion of title insurance companies.

The survey found that 28% of title insurance companies encountered at least one instance of seller impersonation fraud in 2023. A full 19% of these companies reported fraud attempts in April 2024 alone.

These findings underscore the growing challenge that seller impersonation fraud poses to the real estate industry and highlight the need for increased vigilance and protective measures.

If scammers are able to forge a deed, they could end up with a house—or even a mansion.

Graceland: The King of Rock and Roll is Scammed

In the early months of 2024 a firm calling itself Naussany Investments and Private Lending declared ownership of Graceland and revealed intentions to sell the property at auction. Elvis Presley’s granddaughter, Riley Keough, took legal action against the company, alleging the use of falsified documents to claim ownership, and emerged victorious in the lawsuit.

Subsequently, in August, federal authorities charged Lisa Jeanine Findley, a Missouri resident, with fraud and identity theft for her alleged involvement in a scheme to unlawfully acquire the iconic estate. Findley is accused of orchestrating an elaborate plan to defraud the Presley family and gain control of Graceland through various fraudulent means. How in the heck she thought she could get away with that is further evidence that sociopaths think they are above the law.

Protect Yourself

Consumers, real estate brokers and title companies can take several steps to protect themselves and their clients from property deed theft:

1. Monitor property records regularly:

Check your county recorder’s office or online property database periodically to ensure no unauthorized changes have been made to your deed or your clients’ deeds.

2. Sign up for alerts:

Many counties now offer free notification services that alert property owners of any changes or filings related to their property.

3. Be cautious with personal information:

Avoid sharing sensitive personal or property details with unknown individuals or through unsolicited communications.

4. Secure important documents:

Keep your property documents, including the deed, in a safe place such as a bank safe deposit box or a fire-retardant safe, with an encrypted copy in online storage.

5. Be wary of unsolicited offers:

Be cautious of unexpected offers to buy your property or requests to sign documents related to your property.

6. Use title insurance:

Consider purchasing an owner’s title insurance policy, which can provide protection against fraudulent claims on your property.

7. Verify identities:

When engaging in any property transactions, always verify the identities of parties involved and the legitimacy of documents. Don’t just automatically trust either party is who they say they are.

8. Stay informed about local laws:

Familiarize yourself with your state’s property laws and any recent legislation aimed at combating deed theft, such as, for example, New York’s recent anti-deed theft bill.

9. Act quickly if you suspect fraud:

If you suspect your property deed has been stolen or tampered with, contact law enforcement, your title insurance and a real estate attorney immediately.

10. Consider professional assistance:

For complex property matters, consult with a reputable real estate attorney or title professional to ensure your property rights are protected.

By implementing these protective measures, property owners can significantly reduce their risk of falling victim to deed theft and safeguard their valuable assets.

Think Twice Before You Take a Fun-Looking Online Quiz – A Hacker Might be Behind It

Though it might look like a fun thing to do, you had better think twice before taking that quiz that pops up on your social media page. A hacker, otherwise known as a “social engineer,” might have created it to obtain your personal information.

Criminal hackers are all over social media sites, and it should be no surprise that they have tricks up their sleeves to get the information that they need. Social media crime is on the rise. Some studies show hundreds of millions of dollars have been lost, much of that in cryptocurrency and credit card fraud.

Identity theft is part of the reason a hacker will use social media to gather info, and it’s much easier to do than you might think. Let’s take a look at some of the most common scams hackers use on social media:

Surveys and Quizzes

Have you seen those quizzes that say “Click here and reveal your Porn Star Name,” or “Fill out this quiz to find out how many kids you will have”? Though these might be totally innocent, and a little ridiculous, they could also be designed by a hacker. The idea behind these quizzes revolves around “knowledge based authentication” scams: the quiz asks for the same facts about us that are used as security questions on various forms and websites. The answers to many of these quizzes could be used to reset or crack your various pass codes.

Generally, when you fill these out, you will enter information like the street you live on, the name of your pet, your favorite song, or even your birthdate. There is a dark side to this: the information you are providing may be the exact information a hacker needs to steal your identity or get into an account.

If you think about your accounts, it’s very possible that your bank, for instance, requires you to answer questions to get your password or get into your account. What do these institutions ask? Things like “What is your favorite song?” or “What is the name of your pet?” As you can see, you are giving a hacker the answers to these questions when you are taking the quiz.

You can avoid all of this by scrolling right past these quiz opportunities.

Get-Rich-Quick Schemes

There are also “get-rich-quick” schemes on social media that hackers use. These include things like direct messages offering a grant or a fake business opportunity like a pyramid scheme. They also start things like gifting circles, which seem innocent but are designed to steal personal information or money, or even both.

Gone are the days of fake Nigerian princes…now we are dealing with something much more sinister. You can avoid these scams by just taking a little time to research any business opportunity, offer, or even organization that contacts you via social media.

Imposter Scams from the “Government”

Scammers also try imposter scams on social media, and they do this by pretending that they are a government official, like someone from the IRS. The scammers might use messages on social media to pose as a tax collector, or they might offer a refund…if you confirm your personal information. As you might imagine, there is no confirmation — you are simply giving up the information they need to either steal your identity or hack into your important accounts.

Always delete these messages if you get them. The IRS will never contact you via social media, nor would they ask that you pay a bill with a gift card, a wire transfer, or with cryptocurrency.

Imposter Scams from “Family and Friends”

A scammer might also try a “family and friends” scam to get information from you. Thanks to social media, a hacker can learn more about who you know and trust, and then pretend that they are those people. In one example, a hacker will pretend to be a person’s grandchild and send them a message online asking for money because they have a problem; if you actually do send money, the cash goes right to the hacker.

If you have a situation like this, and you are not sure if a person is who they say they are, you need to do your research and reach out to the person. Don’t just pay them without doing this.

The Romance Scam

Finally, we have the romance scam. In this case, the hacker will strike up an online relationship with a potential victim, and it will eventually become romantic. These can happen on social media sites, or they can be directly on a dating site. They often create personas that have exotic jobs, such as a doctor in Africa, or as a military member stationed in the South Pacific. They work to build trust with their victim, and when the time is right, they come up with a sob story about how they need money, and many victims, believing that they are in a true relationship with this person, send the money willingly.

To avoid this type of scam, never, ever send money to a person you meet online, especially if they say they are a doctor or a member of the military.

Protect Yourself from ID Theft and Social Media Scams

Now that you know that there are a lot of hackers and scammers out there trying to take advantage of you, here are some ways that you can protect yourself:

1.    Spruce Up Your Privacy Settings – The first thing you need to do is to set your social media profile to private, so that only your friends and family can access it. This makes it much harder for a stranger to get at your account. Also, it’s a good idea to stop sharing information like where you went to high school and your full date of birth. The less information you post, the less likely it is that a hacker can gain information from you.

2.    Be Skeptical – You always want to be a skeptic when it comes to anything online. There are so many scams out there, and so many attempts to get information, that you really need to be skeptical. If you are willing to lower your guard, a scammer is definitely willing to take your information. So, really look deep at any messages you might receive, especially if something looks weird or sounds off. You should also notice things like bad grammar or a lot of typos. Those are a great indication that you might be dealing with a scammer.

3.    Actually Know the People You are Friends With – Do you actually know everyone on your friend list in real life? Most people don’t, but you really should be selective about who you are allowing to see your content. Anyone on your friend list can see your information, and that means they have access to personal information about you if you post it. You also have to be aware that someone on your friend list could be copying and pasting from your page or making screen shots.

4.    Follow Up – Have you gotten any messages from a friend of yours that just seems like it is a bit strange? If you do get this type of message, don’t click on anything and don’t reply. For instance, if your best friend Peter sends you a message to “Check out this link,” and it’s something that Peter would never be interested in, you should check with Peter another way, like with a phone call or text, to find out if it’s legit or not.

5.    Look Out for Others – Finally, you should look out for other people when you get a weird message or strange request. If you get a weird message from a friend, you should let that friend know. If someone lets you know that there might be a duplicate account of your personal account, you should let your friends know.

Try to Stay One Step Ahead of the Hackers

Before concluding, there are a few other things that you can do in order to stay a step or two ahead of hackers. First, make sure that you are using a strong, unique password for your account. Utilize a password manager. Never use the same passcode twice. A virus protection software suite is also recommended. Using firewalls is helpful, too, as well as a VPN.

You can also sign up for ID protection services, which will help to keep important information, such as your email address, under monitoring. With this type of protection and a bit of focus from you, it will be easier than ever to keep an eye out for scams, and you can get back to enjoying social media as it was intended.

Spammy Scammy Text Messages: Fake Accounts on the Rise as Scammers Use Phone Farms

Every single time I get on a stage and present a security awareness training program, someone desperately asks me how to stop all the scammy text messages. My response is the same for everybody: you can’t. What you can do is play the Whac-a-Mole game and continually mark them as spam and block them. That’s it. It’s just an annoyance, like mosquitoes.

There are a few things that you can, and should, do… straight from Apple:

Block messages from a specific person or phone number on an iPhone

When you block a specific contact or phone number, messages from that person or number aren’t delivered. (The person sending the message doesn’t know that their message was blocked.)

1.    Open the Messages app on your iPhone.

2.    In a Messages conversation, tap the name or number at the top of the conversation.

3.    Tap Info, scroll down, then tap Block this Caller.

Most of us are receiving spammy scammy text messages on a regular basis. These text messages pose as somebody who we are supposed to know who lost their phone or someone who supposedly is our friend asking us out to lunch or some other request designed to engage us in a conversation.

The texts themselves serve a few different purposes for the scammers. The impetus for all of them is some form of fraud. This will include a romance scam where they engage you and eventually it leads to a crypto scam, called “pig butchering”. Weird name, but very lucrative for the bad guys.

Another is so they can create Google Voice accounts and compromise your Gmail and Google account. In this scam, the scammer approaches sellers on Facebook Marketplace and pretends to be interested in something you’re selling. They ask for your phone number to discuss the purchase. Then the scammer uses your phone number to create or take over a Google Voice account by convincing you to hand over any two-factor authentication code you receive on your device during the transaction.

Many of the scams involve compromising your phone number so it can be used for verification on various websites.

The verification stage required for opening new online accounts is usually the one thing internet users dread the most. It can be a pain in the neck, and most people would rather forget the process altogether.

However, the reason why many sites force their users to verify their identity is to safeguard their details and for the safety of all legitimate account holders on their platform. Despite these efforts, it seems scammers have found a way to bypass the security measures that have been put in place.

There are services, such as 5Sim, that allow users to rent a phone number specifically for use in the SMS verification process. What’s worse is that these fraudulent phone numbers are available for just a few pennies!

Sites, such as Instagram, Amazon, and Discord, use SMS verification to prevent people from creating bogus accounts which are difficult to trace. How it works is that, when a user tries to open a new account, an SMS will be sent to their phone number and they have to verify that they have received it before being allowed to continue.

This simple but effective method has worked quite well for a long time now. That is until scammers found a way around it, using large-scale, automated services, such as 5Sim, that lease out phone numbers.

In a post shared via its website, 5Sim said that users who do not want to use their personal numbers for SMS verification when registering an account can use a phone number from 5Sim. 

They said all that is needed is an internet connection, which means the process works even without a SIM card placed inside the phone. Users can even select a phone number from any part of the world.

In another interview on VICE, an employee of another website, Discord, said they were also aware of the existence of companies, such as 5Sim. The spokesperson went on to say that they try to block such accounts whenever they identify them.

Discord, like many other sites, requires a valid phone number for SMS verification, instead of VoIP numbers. This is probably an attempt to reduce the incidents of fake accounts. However, according to 5Sim, they provide users with ordinary numbers.

5Sim did say that its customers are not allowed to use their phone numbers for any illegal activity, or any actions that might cause harm to third parties or to the service. AhmOkYaAllRightyThen!

It is not clear how far 5Sim goes in ensuring that its customers adhere to these regulations, or whether it does indeed impose the restrictions on accounts in cases where fraudulent activities are suspected. In the meantime, though, scammers have a guaranteed way to bypass a lot of very important safety precautions.

For you, it comes down to knowing what’s happening in the background, understanding the various scams, and knowing there are a few things that can be done in addition to the game of whack-a-mole. The key here is to keep paying attention. Don’t let anyone CONvince you otherwise.

AI Voice Scams Are Here: What Businesses Must Know

The phone rings at the desk of a new employee. The boss is on the line. He says he’s having trouble reaching staff, and he needs several hundred dollars of gift cards to give to a client. He asks the employee to buy the cards, then call him back with the serial numbers.

A shipping clerk receives a text message from a known client asking to call an unfamiliar number. The client picks up the phone and asks the clerk to divert a pending shipment to a new address because of facility issues at the old address.

An AI voice scam has been launched in both of these examples. How would your employees react?

Using deepfake technology, criminals can pull off an AI voice scam with just a few seconds of someone’s voice. As reported by Agence France-Presse via Yahoo! News, 70% of people surveyed by McAfee Labs did not believe they could tell a real voice apart from an AI-generated voice. This opens new avenues for pretexting attacks by criminals impersonating business leaders and clients. While the examples cited by Agence France-Presse involve “Grandparent scams,” where the faked voice of a grandchild is used to demand money, it is a small leap for criminals to exploit these same tools to drain business bank accounts and steal goods.

How to Stop AI Voice Scams in Your Business

An AI voice scam is a sophisticated attack designed to avoid detection. Do not assume that a machine voice claiming to be the CEO will call, or that there will be obvious signs that something is wrong. The best deepfake technology can synthesize speech and respond to questions in real time. In the Grandparent Scam, the criminals may pre-record a snippet of the fake grandchild in distress while the criminal does most of the talking. In more advanced scams, employees can be duped into believing they are talking with people they know.

There are three steps that businesses must take to prevent losses from an AI voice scam:

  1. Beware of what you share. As we discussed in Is Your Website a Bait Shop for Phishing Attacks, sharing by companies arms criminals with the information they need to carry out all kinds of pretexting attacks. Add video clips featuring senior staff to the list of things that should not be easily accessible online. If you must post an employee’s keynote speech or personal welcome to all site visitors, make sure that there is no clear voice-only audio. Put music under their voice or add some recognizable room tone or background noise. Only the most sophisticated voice replicators can extract a single voice from audio with multiple tracks. If you face a significant risk of data loss, system compromise or theft, the safest course is to remove any usable samples of any kind of the voices of senior leaders. This includes personal websites and social media posts as well as company-owned properties.
  2. Establish firm business protocols. At any point in time, employees should know what they are and are not authorized to do. Precise protocols will vary from business to business and role to role, but there are best practices to guide this. For example, employees should know that they are not authorized to make personal purchases on behalf of the company; establishing this rule will stop gift card scams. Employees must know that they are never to share a password or download software without specific, in-person authorization from a superior. Companies that deliver goods should have a formal process in place with their clients for any changes in delivery dates or locations, which can include a 24-hour written notice that is verified by more than one individual on the shipper’s end. More guidance on establishing protocols and responding to attacks can be found in our free Cyber Crime Response Kit.
  3. Train, train, train. The best defense against all types of attacks is cyber security employee training. Businesses should have regular training for all employees, as well as a specialized training program for new employees. Anecdotal evidence and some recent study data show that cyber criminals tend to target new workers who may not be as familiar with a company’s policies and who may not have received formal training. Employee training should begin on the first day on the job and is essential for businesses that have been victims of cyber crime in the past.

A sophisticated pretexting AI voice scam can be very difficult to detect and defeat. Alert employees who know company policies, backed by protocols that mandate a second set of eyes on unusual coworker or client requests, are the best way to stop these attacks. Protect Now can help you develop a complete employee training program and establish protocols based on your specific business needs. To learn more, contact us online or call us at 1-800-658-8311.

Lawsuits: A New Reason to Invest in Cyber Security

Lawsuits relating to cyber security incidents are on the rise, according to the 9th Annual Data Security Incident Response Report published by law firm BakerHostetler. For 2022, there were 42 lawsuits filed from 494 incidents that led to individual notifications, including 4 lawsuits filed in cases where fewer than 1,000 people were impacted by a data breach.

SecurityWeek noted that this represented a significant trend, as 2018 data from BakerHostetler showed just 4 lawsuits filed from 394 incidents reported to impacted users.

Why Are Cyber Security Lawsuits Increasing?

Individuals and businesses are fed up with data breaches and the time and expense needed to address them. As a result, the days of providing free credit monitoring for a year or two are over.

Stronger state data protection laws also play a role in the rise of lawsuits, as they offer a framework for individuals to seek compensation for business and personal expenses incurred by a data breach. The California Consumer Privacy Act has become the model for a growing number of state-level regulations that hold businesses accountable for data breaches.

Insurance companies have also begun to push back against claims for business disruptions caused by cyber security incidents. Taking advantage of stronger state and Federal regulations, insurers who offer cyber security liability and recovery policies may require business owners to certify data protection measures for vendors and third parties. If those organizations experience a cyber attack, insurers may sue to recover their costs.

Invest in Cyber Security Employee Training to Keep Lawsuits at Bay

In the event of a lawsuit, businesses must disclose all aspects of their cyber security, including methods used to protect data, attack response and recovery plans, and employee training and protocols. Businesses that have strong cyber security measures will be less likely to face lawsuits, while businesses with weak security measures could be liable for significant damages and legal expenses.

Business owners should expect their cyber security to be scrutinized, and significant gaps will become a greater liability. In BakerHostetler’s report, 39% of cyber attacks were due to human factors, including phishing, social engineering or employee abuse of access. Collectively, this made up the greatest percentage of attack causes; while the root cause was unknown in 26% of attacks, phishing ranked second overall at 25% of attacks.

Sending employees a training video twice a year is not effective employee training. Real employee training teaches workers to recognize obvious attacks, to flag suspicious activity and to report anything that concerns them. CSI Protection Certification from Protect Now delivers this kind of effective training, empowering employees to stop threats by changing their attitudes toward business security. Our training is available through in-person or virtual seminars, or through our eLearning platform. To learn more, contact us online or call us at 1-800-658-8311.

2013 Boston Marathon Bombing: My Best Worst Day Ever

Like Big Papi said, “This is our f–king city.” It’s the 10th anniversary of that beautiful, tragic day. The new Netflix documentary “American Manhunt: The Boston Marathon Bombing” has me sobbing in my kitchen. I’ve watched the movie Patriots Day with Mark Wahlberg countless times. This week I was asked to speak at a high school on my 12 years of Boston Marathon preparation, fundraising and the planner asked about the possibility of me discussing my experience on Boylston St that day, which I wasn’t expecting to do. And leading up to the moment I got on stage, I didn’t realize how shaken I still am. I could barely talk without my voice cracking. Thankfully, the moderator kept the dialog light and we talked about the training, fundraising and fun memories.

Front Page Boston Globe Robert Siciliano Above the Fold

And here’s the thing, NOTHING HAPPENED TO ME. Nothing happened to anyone in my family. My wife and two little girls, my dad, my sister-in-law, and some friends were all at the finish line, 100 yards away from the first bomb, which scared the hell out of me, but still. Completely unscratched. I just saw some sh#t. Ran right by it actually, which is part of the problem. That’s it. But it haunts me. And it makes me think about actual front line military, law enforcement and paramedics who deal with violence, trauma, and tragedy as a vocation. How do they even deal?

Training for a marathon is a taxing, physical, emotional and expensive process. For me personally, that has meant multiple cortisone shots, almost a hundred physical therapy appointments and a few arguments with my wife. Why do it? Why climb a mountain? Why be a police officer? Why be an emergency room nurse? Why detonate a bomb in a crowd of innocent people? We all make choices others wouldn’t and we justify our decisions based on our interests, options and perspective.

For me, I just wanted to lose weight, get fit and finally give back to a charity. When you’re 50 with a young family and your health and marriage are good, bills are paid and life is settled, words like “health,” “gratitude” and “grace” begin to have more meaning. And when you become a runner, you join a special club of conscious people who enjoy challenging themselves and understand our time is limited.

In 2013 I was on my way to run about a 4:10 (my best time ever), but was stopped at mile 26 due to some terrorists’ agenda.

During the 2013 Boston Marathon, my improved time put me on Boylston Street shortly after the blasts. There were two loud bangs, and as I rounded the corner I saw the finish line through dissipating smoke. Boston police immediately corralled runners from going any farther down Boylston because it was now a volatile area and potential crime scene. At 2:52 PM I called my wife, who was at the finish line, about 100 yards from the first bomb, and got no answer. A minute later, I got my dad on the phone; he was with my wife and the kids and he confirmed they were OK. I instructed him to leave ASAP, as another bomb could go off any moment. I told him to “walk down the center of the street and avoid any cars!”

But nothing was going to keep me away from them; I couldn’t just sit there and wait. In my mind, there were bombs going off between my family and myself. As a father, son and husband, the instinctual need to get your family to safety overpowers every sense of reason. I dodged a couple of police officers and ran down Boylston, the only runner on the field, putting myself in jeopardy and now also causing law enforcement to chase after me. At the 26-mile mark, I saw people on the ground, bloody and getting medical attention from the few paramedics that were on hand to take care of runners expected to be injured in more predictable, less violent ways. I made a decision to keep going. Which still doesn’t sit well. It felt like a 3D movie where the scene was pushing me back in my chair, but the sound was off. I know the scene was loud with sirens and screams, but I heard nothing.

Then I heard an angry cop (rightly so) blasting his voice in my ear before he wrestled me off the course. Eluding further apprehension, but onward to my family, I hopped a fence and ran down a back alley behind the restaurants, bars and shops that were evacuating people through their back doors. What I saw was people—many victims who must have made their way on their own or with the assistance of others—screaming, crying and making frantic phone calls…and there was blood. Some victims I saw lost anywhere from pints to whatever; I don’t know. I just remember freaking out and not wanting to run in it.

I ended up behind the finish line and found a way to cross Boylston. I made my way to the Weston Hotel, where I found my family, scooped up my four-year-old and hiked another half mile to my vehicle. Leaving behind two vehicles, we piled nine adults and children into my Yukon and evacuated.

Evacuating the city, carrying my 40lb child after running 26 miles.

Out of relative danger, our attention now turned to our two children and damage control. To gauge my seven-year-old’s feelings, I calmly asked her, “Did you have fun today?” She said, “Yes, today was awesome! Until the bombs went off!” Knowing she was shaken, the radio stayed off and adults did what they could to speak in code. Note to adults who may try this: It doesn’t fool a seven-year-old.

By this time my phone was going nuts, Facebook and Twitter were buzzing and my mother, who couldn’t get in touch with us, was in complete meltdown.

Once I got home and got the kids situated, we ordered a bunch of pizza because that’s what you do when a bomb goes off. People need to feel normal.

My mom showed up at our home shortly after we got there. She was a total mess, and after the kids saw her emotional state, they understood the gravity of the situation. Today, they are showing a tremendous amount of affection and gratitude, which seems to be a side effect of their trauma.

I posted a brief note on Facebook: “I’m OK, I was on Boylston St. when it happened. I saw smoke, I saw blood and people on the ground. My family was 300 yards away, waiting for me and I got to them and evacuated from the city. More later.” And the comments and “likes” poured in.

Shortly after, I provided an update: “I was right there, bomb went off. Boston police removed everyone, I kept running toward the bombs because my family was at the finish line. Police got me off the road, I resisted then another cop almost tackled me (rightly so). I ran in the back alleys, people spilling into the alleys from the explosion, screaming, crying, blood, got my dad to get my wife and kids out of there concerned for another explosion. I’m telling it to Dr. Drew on CNN between 9:15ish and 9:30ish tonight.”

Again, comments poured onto my page like never before. People offering an outpouring of help and support. I never knew I had that many real friends.

I feel I have to explain the part about Dr. Drew and CNN. It may seem opportunistic, but frankly, for me, it’s therapy. I do lots of media as the expert. My network is “the media.” So when I send a blast email to raise money for charity, my network knows I’m running the Boston Marathon. When I logged into Facebook and email, the requests came in from CNN, Extra and Canadian TV, along with a few radio shows too. So I spent the evening after the run as an eyewitness. And, because it’s who I am, I gave security tips too.

Maria Menounos and Me at the Media Compound the day after

My Rockstar cousin, who is an Iraq and Afghanistan soldier and flies one of those crazy killer helicopters, reached out to me via Facebook and said, “I think your situation was much worse than many Middle East situations I’ve been in.” Which I thought odd because he’s had his best buddy blown up right next to him. Then he said, “When I deploy I’m armed, geared up and expecting to fight. You were at a peaceful gathering around families and innocent civilians, not expecting bombs. That makes it much worse.”

We accept the possibility of death and destruction when we sign our contracts. I’m sure no one who signed up for the marathon expected this.

This completely messed me up, putting into perspective just how awful this situation is.

I only slept three hours that night, on edge, emotional and fragile. The next day, I headed to the media compound near Boylston to meet with Maria Menounos from Extra, who is a Greek Boston girl.

I connected with Maria, and within two minutes we were both crying. She started talking about how she loves Boston so much, then I started crying, then she started crying…which completely messed me up. I tell you this because she told me people should know this is real and they can’t forget. She was professional, but she was real. She put me at ease and we got through the interview.

Since then I’ve done more media on this than I wished, including the Boston Globe, Dr. Drew, Extra, Current TV, Canadian TV (again and again), Fox Boston and some radio.

In early May after the blasts, I was asked to speak to the North Eastern Massachusetts Law Enforcement Council on the benefits of social media to law enforcement and how social can help get the word out in a tragedy. When I walked into the room to speak, everyone was in uniform. What I didn’t know was many of the men and women attending were the first responders saving lives at the finish line, and others who were involved in the capture of the bombers. That was a very emotional speech for me. Check out the Huffington Post’s blog on how the Boston Police did a stellar job using Twitter during the bombing.

Cowboy Hat-Wearing Boston Marathon Hero Carlos Arredondo and Robert Siciliano

At this point, my family and I are safe. Emotions are still high for some. Even as I update this post from 10 years ago it’s messing me up. We were and still are angry. This celebratory event will forever be marked by the visual of a plume of smoke that symbolized the evil intent of misguided people that do not value human life and have no regard for our freedoms.

We caught the bastards and while there are no real answers, we may never get them. The movie Patriots Day actually did an amazing job of telling the tragic story through a composite character. And the Netflix doc really brings it home.

On behalf of my Boston, we are proud of our city, its first responders and its people, who showed the true measure of the human spirit through powerful acts of kindness and displays of citizen courage.

We are strong as a city, undivided as a country and unbowed by this attack. No terrorist will be allowed to alter our nation’s course.

Robert is running his 12th Boston Marathon for Dana-Farber Cancer Research Institute. Please consider a donation: http://danafarber.jimmyfund.org/goto/robertsiciliano

Robert Siciliano, personal security and cyber security expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud.

Protect Now Announces Agreement to Bring Cyber Social Identity (CSI) and Personal Protection Certification to RE/MAX University®

Comprehensive Program Includes Personal Security and Cyber Security Certification

DENVER, CO – April 4, 2023 – Protect Now, a leading provider of cyber security training and solutions, today announced an agreement with RE/MAX, LLC, a global real estate franchisor with more than 140,000 agents in almost 9,000 offices and a presence in more than 110 countries and territories.

Through this agreement, RE/MAX will add Protect Now’s Cyber Social Identity (CSI) and Personal Protection Certification to the programs offered through RE/MAX University, an exclusive-to-RE/MAX learning hub designed to help each agent level-up their professional expertise. Through this new security awareness training program, real estate professionals will have the opportunity to learn strategies to keep themselves, their businesses and the clients’ data safe.

Developed by Protect Now, the CSI Protection Certification training offers the most current best practices in cyber security to prevent wire fraud, identity theft and breaches, paired with practical advice real estate professionals can use to stay safe in the field. CSI Certification helps to meet FTC Safeguards Rule compliance and delivers a marketing tool to help professionals grow market access, reputation and sales. REALTORS® with a professional designation earn a median income 74% higher than those without, according to an NAR Member Survey.

“We are proud to bring this exceptional safety and cyber security program to the real estate professionals we support,” said Bryson Creighton, Vice President, RE/MAX University Learning & Education. “This is a critical tool that will help our agents and franchisees build trust with their clients and provide the exceptional service that RE/MAX is known for.”

The 2021 National Association of Realtors Annual Safety Report found that 5% of REALTORS® had been a victim of a crime while working as a real estate professional. Cyber-attacks are a growing threat to the real estate industry, where many agencies operate as small- or mid-sized businesses, and where regular email, text and telephone contact with buyers and sellers occurs daily. Criminals have stepped up their attacks on smaller businesses in recent years. Data from 2019 showed that cyber criminals made small businesses their top target, accounting for 43% of data breaches.

“Criminals will always go after the easiest targets,” said Protect Now Co-Founder and Head Security Awareness Trainer Robert Siciliano. “They’ve learned that they can’t make the ‘big hits’ going after large companies, so they now look for small business with lower levels of cyber security. They launch thousands of attacks each month, because it’s a numbers game. They can make a good amount of money from a few hundred breaches with far less risk and effort.”

Protect Now closes the gap between small- and large-business cyber security awareness with training that emphasizes the individual role each employee plays in cyber security. Brokers and agents are taught to see their personal role in protecting access and data, which has proven an effective tool in changing organizational attitudes toward cyber security.

“Wire fraud has surpassed $200 million a year, which decimates the buyer’s bank account, kills the sale, shatters commissions, ruins the agency’s reputation and can lead to lengthy, expensive lawsuits for everyone involved in the transaction. We are also entering an era where the Federal government will demand more accountability from everyone who handles financial information. These are powerful reasons for real estate professionals to attend this training,” Siciliano said.

###

About Protect Now
Protect Now is a leading provider of cyber security training and solutions for business, municipal and nonprofit clients, with an emphasis on organizations that process sensitive information from the general public. Protect Now delivers a suite of cyber security services, including Virtual CISOs, Dark Web Monitoring and FTC Compliance, backed by personal security, cyber security and anti-phishing training that creates meaningful change in employee attitudes toward cyber security by emphasizing the importance of personal security. To learn more about Protect Now’s cyber security solutions, visit https://protectnowllc.com/.

Three Federal Agencies Warn of Business Email Compromise (BEC) Scams

Business Email Compromise (BEC) scams netted $2.4 billion in losses during 2021, with 19,954 complaints reported to the United States government. A joint advisory from the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI) and the U.S. Department of Agriculture (USDA) urges businesses in the agricultural and food sectors to beware of scams stealing physical goods, not money.

New BEC scams targeting food producers use phony emails and websites to order or reroute goods, such as powdered milk, sugar or whole milk. In some cases, fake emails were used to reroute existing shipments to criminals, while in others fake orders were placed by criminals pretending to be existing clients.

How Business Email Compromise Scams Work

BEC scams combine elements of social engineering and phishing. Criminals learn the names of senior executives at companies likely to order large quantities of ingredients or other goods. They then send phony emails or place fake online orders using spoofed assets and email addresses. In some cases, they will communicate directly with senior staff and place orders or ask for shipments to be rerouted. Because the emails look legitimate and generate real responses from humans, employees may accept the phony orders or reroute shipments, leading to hundreds of thousands of dollars in lost product.

Among the scams reported by the Federal government:

  • One group of criminals forged the identity of a U.S. company and placed orders for ingredients from June through August of 2022 with multiple suppliers. The scam netted at least $200,000 in stolen goods.
  • Criminals used a fake email to get a line of credit and $100,000 in milk powder by posing as a food company.
  • Four fake companies targeted a single food manufacturer, ordering nearly $600,000 in whole milk powder and non-fat dry milk.

How to Spot BEC Scams

In nearly every case outlined by U.S. government agencies, there was a small change in an email address that revealed the fraud. In some cases, an extra letter was added. In other cases, the number “1” was substituted for a lower-case “L.” Email addresses may also point to incorrect domains, such as a .org or .net instead of a .gov or .com.
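As an added example (not code from the Protect Now article or the government advisory), the three address tells described above can be checked automatically before an order is released: the function below compares a sender’s domain against an allow-list of trusted client domains and flags digit-for-letter swaps such as “1” for “l,” a single added, missing or changed letter, and a mismatched top-level domain. The trusted domains and sample addresses are constructed for illustration.

```python
"""Flag look-alike sender domains of the kind described in the BEC advisory.

Constructed example: TRUSTED_DOMAINS and the sample addresses below are
made up for illustration and are not real client domains.
"""
from typing import List, Optional, Tuple

# Digits that scammers swap for similar-looking letters, such as "1" for "l".
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

# Constructed allow-list of clients the business really trades with.
TRUSTED_DOMAINS = ["dairysupply.com", "northfoods.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes or swaps turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'dairysupply.com' into ('dairysupply', 'com'); the last label is the TLD."""
    labels = domain.lower().split(".")
    if len(labels) < 2:
        return labels[0], ""
    return ".".join(labels[:-1]), labels[-1]


def check_sender(address: str, trusted_domains: List[str]) -> Optional[str]:
    """Return a reason if the sender domain imitates a trusted domain.

    None means the domain is an exact trusted match or is simply unrelated;
    an unrelated domain still deserves the normal new-client checks.
    """
    if "@" not in address:
        return "malformed address"
    domain = address.rsplit("@", 1)[1].lower()
    trusted = [d.lower() for d in trusted_domains]
    if domain in trusted:
        return None
    name, tld = split_domain(domain)
    for known in trusted:
        known_name, known_tld = split_domain(known)
        # "1" for "l", "0" for "o" and similar digit-for-letter swaps.
        if domain.translate(CONFUSABLES) == known:
            return f"look-alike of {known}: digit substituted for a letter"
        # Same name registered under a different top-level domain (.net for .com).
        if name == known_name and tld != known_tld:
            return f"look-alike of {known}: wrong top-level domain .{tld}"
        # One extra, missing or changed letter in the name (e.g. a doubled "l").
        if edit_distance(name, known_name) == 1:
            return f"look-alike of {known}: one character added, removed or changed"
    return None


def triage(addresses: List[str], trusted_domains: List[str]) -> List[Tuple[str, str]]:
    """Run check_sender over a batch and return only the flagged (address, reason) pairs."""
    flagged = []
    for addr in addresses:
        reason = check_sender(addr, trusted_domains)
        if reason:
            flagged.append((addr, reason))
    return flagged


if __name__ == "__main__":
    # Constructed inbox sample: one genuine client, three imitations, one stranger.
    sample = [
        "orders@dairysupply.com",
        "orders@dairysupp1y.com",
        "orders@dairysupply.net",
        "orders@dairysupplly.com",
        "buyer@unrelatedcorp.org",
    ]
    for addr, reason in triage(sample, TRUSTED_DOMAINS):
        print(f"HOLD FOR PHONE VERIFICATION: {addr} ({reason})")
```

A flagged address is a prompt to call the client on a known number, as the advice below says, not proof of fraud; an unflagged unknown domain still gets the usual new-client checks.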

Business Email Compromise scams can slip by employees, even those who have had cyber security training, because they appear professional and do not directly ask for money. They appear to be professional enquiries, often include recognizable names and company logos and present business opportunities. It is only after the order has shipped that companies realize they have been scammed.

As with most scams, awareness and verification stop the criminals and the attacks.

  1. Make all employees who handle orders and shipments aware of Business Email Compromise scams.
  2. Put a second set of eyes on any order over a certain amount, regardless of where it appears to come from.
  3. Do not respond directly to emails that appear suspicious. Study return addresses carefully and, if anything appears off, call the alleged client directly.
  4. Verify any large order or order change by calling the client directly and asking for confirmation.
  5. Ask for advance payment before delivering goods to any new client.
  6. Use Dark Web Monitoring to find out what information about your company has been circulating online. Names of staff could be used for social engineering and phishing attacks. Names of executives and company assets can be used by scammers to create phony emails and websites.

In the most insidious versions of a Business Email Compromise scam, criminals gain access to a company’s legitimate email server, then create fake accounts that they use to communicate with their victims. This can be remedied by reviewing all company email accounts regularly and by immediately closing the accounts of former employees.

As the government warning illustrates, cyber threats come in many forms and through many channels. This scam is a prime example of the kind of attack that many existing cyber training programs miss.

Movers and Shakers: Watch Out for These Scammy Conference Invitation Traps

Finally we are back to booking a ton of live-in-person security awareness training at conferences! It’s about time! Business is getting back to pre-Covid days here in the States and any non-in-person training is being supplemented with live-online and e-learning. It’s all good! However, we are also seeing more of one of the weirdest scams out there: Conference Invitation Scams.

Conference Invitation Scams are on the rise

This is when a scammer sends out invitations to an event, like a conference, with the sole intention of scamming the people they are inviting to attend or to speak at that event. These events might be real, or they could be totally made up. The targets of these scams include CEOs, business owners, lecturers, philanthropists, researchers, and more. The goal of these scammers is to steal the identities of their targets and ultimately get credit card numbers, checks or money wire transfers by scamming the victims.

And that’s not all, these same scams are usually piggybacked with “conference attendee lists for sale” scams. That means companies that might exhibit or market their products and services to attendees of specific conferences are targeted to buy lists that are either lame or simply don’t exist. Conference managers have their backs up against the wall fielding communications from victims who accuse the legitimate conference hosts of bad service and of course worse, fraud.

Identifying a Scam

There are a few signs that you should look out for when you get an invitation to a conference or an event. They include:

  • The invitation is random or a surprise
  • The invitation is filled with bad grammar or typos
  • The invitation asks that you pay a premium price to attend, which includes both transportation and accommodations
  • The name of the conference sounds like one that is real, such as Tech Crunch, but spelled like TecKrunch
  • You cannot pay by credit card; they might require a check, wire transfer, peer-to-peer payment or cryptocurrency
  • The invitation is extremely flattering
  • The greeting on the invitation sounds strange, like “Salutations”
  • The invitation creates a sense of urgency about getting your personal information
  • The conference is in a different country
  • The invitation seems too good to be true
  • The invitation asks for personal information and covers your accommodation, transportation, or conference cost
  • The landing page of the site doesn’t have a phone number or address listed
  • Or none of the above. The invitation or list-for-sale email is perfect. There is absolutely nothing wrong with it.

Beware of the Conference Invitation Scam targeting speakers

Generally, the scam works like this: the scammer starts by sending an email to the victim, which invites them to speak at or attend a conference. The scammer often uses the victim’s social media pages in order to get info about them. This helps the invitation seem more personalized.

The victim is then asked to register for the conference, which gives the scammer even more personal information. On top of this, the scammer could ask the victim to pay a fee in order to attend the conference, and pay it fast, because they also create a sense of urgency to attend the conference, such as saying “spots are limited.”

If the targeted victim falls for the scam and sends their info, the scammer could have enough to steal the person’s identity. On top of that, the scammer can even add the name of the victim, if they are well-known in the industry, to promote the conference.

When the victim goes through all of this, they will soon find that they have been the victim of a scammer. You even have to be careful when attending a conference that is legitimate, because a scammer will send out fake invites to real conferences, too. Since a victim knows about these conferences already, they are usually more willing to give up their information.

How to Protect Yourself from Conference Invitation Scams

There are a few tricks and tips that you can start using if you commonly attend conferences. They include:

  • It’s entirely likely your email address, as a username, has been part of not just one but multiple data breaches, and because of this you are likely to be targeted in scams related to that organization’s product or service. Right now, check if your email address has been part of any specific breaches by utilizing our “Hacked Email Checker” and then change your password for those accounts.
  • Do your research about the event and try to match up the information you find with the invitation you received.
  • Contact the event organizers directly. While a website can be created from scratch or spoofed, there is still value to looking up the event and the contact info of the organizer, report your findings and find out if it’s legit.
  • If you see an email that is similar to what is described above, don’t even respond.
  • If you get an invitation that seems strange, look into it more.
  • Don’t give any personal info, including your Social Security Number. There is no reason a conference organizer would need that.
  • Copy and paste the full email into Google to see if others have reported it as a scam. You are likely not the only person to be solicited in this way.

If You are a Victim, What Should You Do?

Do you think you have become a victim of a conference invitation scam? If yes, there are some steps that you should take right now.

  • First, get in contact with your credit card companies and banks, and make sure they know about it. Dispute the fraudulent charges.
  • Next, you should contact your local police and file a report which might be needed to get your money back.
  • Consider contacting the police in the area where the conference was supposed to be held.
  • If you are inclined to do so, you may want to get in touch with the Better Business Bureau and report it.
  • You can also report this online by using the BBB Scam Tracker on the BBB website, to the FBI at the Internet Crime Complaint Center, or the FTC’s Online Complaint Assistant.

The most important thing is to pay attention. We’ve never seen more scams or more variations on existing scams in our entire lives. It’s funny to us; we hear experts saying “criminal hackers are more sophisticated than ever,” and they are not. What they are, more than ever, is organized. Scammers treat fraud as a business: they have a hierarchy, they punch a clock, they have employees, and it is that “structure” that turns fraud into a sophisticated, highly profitable business.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.