Think Twice Before You Take a Fun-Looking Online Quiz – A Hacker Might be Behind It

Though it might look like a fun thing to do, you better think twice before taking that quiz that pops up on your social media page. A hacker, otherwise known as a “social engineer” might have created it to obtain your personal information.

Criminal hackers are all over social media sites, and it should be no surprise that they have tricks up their sleeves to get the information that they need. Social media crime is on the rise. Some studies show 100’s of millions of dollars have been lost, much of that in cryptocurrency and credit card fraud.

Identity theft is part of the reason a hacker will use social media to gather info, and it’s much easier to do than you might think. Let’s take a look at some of the most common scams hackers use on social media:

Surveys and Quizzes

Have you seen those quizzes that say “Click here and reveal your “Porn StarName,” or “Fill out this quiz to find out how many kids you will have?” Though these might be totally innocent, and a little ridiculous, they could also be designed by a hacker. The idea behind these quizzes revolves around “knowledge based authentication” scams. Basically information about us, questions we answer, that are used as security questions on various forms and websites. The answers in many of these quizzes could be used to reset or crack your various pass codes.

Generally, when you fill these out, you will enter information like the street you live on, the name of your pet, your favorite song, or even your birthdate. There is a dark side to this…the information you are providing may be the exact information a hacker needs to steal your identity or get into an account.

If you think about your accounts, it’s very possible that your bank, for instance, requires you to answer questions to get your password or get into your account. What do these institutions ask? Thinks like “What is your favorite song?”  “What is the name of your pet?” As you can see, you are giving a hacker the answers to these questions when you are taking the quiz.

You can avoid all of this by scrolling right past these quiz opportunities.

Get-Rich-Quick Schemes

There are also “get-rich-quick” schemes on social media that hackers use. These include things like direct messages offering a grant or a fake business opportunity like a pyramid scheme. They also start things like gifting circles, that seem innocent, but are designed to steal personal information or money, or even both.

Gone are the days of fake Nigerian princes…now we are dealing with something much more sinister. You can avoid these scams by just taking a little time to research any business opportunity, offer, or even organization that contacts you via social media.

Imposter Scams from the “Government”

Scammers also try imposter scams on social media, and they do this by pretending that they are a government official, like someone from the IRS. The scammers might use messages on social media to pose as a tax collector, or they might offer a refund…if you confirm your personal information. As you might imagine, there is no confirmation — you are simply giving up the information they need to either steal your identity or hack into your important accounts.

Always delete these messages if you get them. The IRS will never contact you via social media, nor would they ask that you pay a bill with a gift card, a wire transfer, or with cryptocurrency.

Imposter Scams from “Family and Friends”

A scammer might also try a “family and friends” scam to get information from you. Thanks to social media, a hacker can learn more about who you know and trust, and then pretend that they are those people. In one of example, a hacker will pretend to be a person’s grandchild and send them a message online asking for money because they have a problem, but if you actually do send money, the cash goes right to a hacker.

If you have a situation like this, and you are not sure if a person is who they say they are, you need to do your research and reach out to the person. Don’t just pay them without doing this.

The Romance Scam

Finally, we have the romance scam. In this case, the hacker will strike up an online relationship with a potential victim, and it will eventually become romantic. These can happen on social media sites, or they can be directly on a dating site. They often create personas that have exotic jobs, such as a doctor in Africa, or as a military member stationed in the South Pacific. They work to build trust with their victim, and when the time is right, they come up with a sob story about how they need money, and many victims, believing that they are in a true relationship with this person, send the money willingly.

To avoid this type of scam, never, ever send money to a person you meet online, especially if they say they are a doctor or a member of the military.

Protect Yourself from ID Theft and Social Media Scams

Now that you know that there are a lot of hackers and scammers out there trying to take advantage of you, here are some ways that you can protect yourself:

1.    Spruce Up Your Privacy Settings–The first thing you need to do is to set up your social media profile to be private and set it so that only your friends and family can access it. This means that you have a much smaller chance of getting access to your account. Also, it’s a good idea to stop sharing information like where you went to high school and your full date of birth. The less information you post, the less likely it is that a hacker can gain information from you.

2.    Be Skeptical – You always want to be a skeptic when it comes to anything online. There are so many scams out there, and so many attempts to get information, that you really need to be skeptical. If you are willing to lower your guard, a scammer is definitely willing to take your information. So, really look deep at any messages you might receive, especially if something looks weird or sounds off. You should also notice things like bad grammar or a lot of typos. Those are a great indication that you might be dealing with a scammer.

3.    Actually Know the People You are Friends With – Do you actually know everyone on your friend list in real life? Most people don’t, but you really should be selective about who you are allowing to see your content. Anyone on your friend list can see your information, and that means they have access to personal information about you if you post it. You also have to be aware that someone on your friend list could be copying and pasting from your page or making screen shots.

4.    Follow Up – Have you gotten any messages from a friend of yours that just seems like it is a bit strange? If you do get this type of message, don’t click on anything and don’t reply. For instance, if your best friend Peter sends you a message to “Check out this link,” and it’s something that Peter would never be interested in, you should check with Peter another way, like with a phone call or text, to find out if it’s legit or not.

5.    Look Out for Others – Finally, you should look out for other people when you get a weird message or strange request. If you get a weird message from a friend, you should let that friend know. If someone lets you know that there might be a duplicate account of your personal account, you should let your friends know.

Try to Stay One Step Ahead of the Hackers

Before concluding, there are a few other things that you can do in order to stay a step or two ahead of hackers. First, make sure that you are using a strong, unique password for your account. Utilize a password manager. Never use the same passcode twice. A virus protection software suite is also recommended. Using firewalls is helpful, too, as well as a VPN.

You can also sign up for ID protection services, which will help to keep important information, such as your email address, under monitoring. With this type of protection and a bit of focus from you, it will be easier than ever to keep an eye out for scams, and you can get back to enjoying social media as it was intended.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years experience, #1 Best Selling author of 5 books, and the architect of the CSI Protection certification; a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at

Spammy Scammy Text Messages: Fake Accounts on the Rise as Scammers Use Phone Farms

Every single time I get on a stage and present a security awareness training program, someone desperately asks me how to stop all the scammy text messages. My response is the same for everybody; You can’t. What you can do is play the Whac-a-Mole game and continually mark them as spam and block them. That’s it. It’s just an annoyance, like mosquitoes.

Spammy Scammy Text Messages: Fake Accounts on the Rise as Scammers Use Phone FarmsThere are a few things that you can, and should do… straight from Apple:

Block messages from a specific person or phone number on an iPhone

When you block a specific contact or phone number, messages from that person or number aren’t delivered. (The person sending the message doesn’t know that their message was blocked.)

1.    Open the Messages app on your iPhone.

2.    In a Messages conversation, tap the name or number at the top of the conversation.

3.    Tap Info, scroll down, then tap Block this Caller.

Most of us are receiving spammy scammy text messages on a regular basis. These text messages pose as somebody who we are supposed to know who lost their phone or someone who supposedly is our friend asking us out to lunch or some other request designed to engage us in a conversation.

The texts themselves serve a few different purposes for the scammers. The impetus for all of them is some form of fraud. This will include a romance scam where they engage you and eventually it leads to a crypto scam, called “pig butchering”. Weird name, but very lucrative for the bad guys.

Another is so they can create Google Voice accounts and compromise your Gmail and Google account. In this scam, the scammer approaches sellers on Facebook Marketplace and pretends to be interested in something you’re selling. They ask for your phone number to discuss the purchase. Then scammer uses the victim’s phone number to create or take over a Google Voice account by convincing you to fork over any form of two factor authentication alert you might receive on your device during the transaction.

Many of the scams involved compromising your phone number so they can be used for verification on various websites.

The verification stage required for opening new online accounts is usually the one thing internet users dread the most. It can be a pain in the neck, and most people would rather forget the process altogether.

However, the reason why many sites force their users to verify their identity is to safeguard their details and for the safety of all legitimate account holders on their platform. Despite these efforts, it seems scammers have found a way to bypass the security measures that have been put in place.

There are services, such as 5Sim, that allow users to rent a phone number specifically for use in the SMS verification process. What’s worse is that these fraudulent phone numbers are available for just a few pennies!

Sites, such as Instagram, Amazon, and Discord, use SMS verification to prevent people from creating bogus accounts which are difficult to trace. How it works is that, when a user tries to open a new account, an SMS will be sent to their phone number and they have to verify that they have received it before being allowed to continue.

This simple but effective method has worked quite well for a long time now. That is until scammers found a way around it, using large-scale, automated services, such as 5Sim, that lease out phone numbers.

In a post shared via its website, 5Sim said that users who do not want to use their personal numbers for SMS verification when registering an account can use a phone number from 5Sim. 

They said all that is needed is an internet connection, which means the process works even without a SIM card placed inside the phone. Users can even select a phone number from any part of the world.

In another interview on VICE, an employee of another website, Discord, said they were also aware of the existence of companies, such as 5Sim. The spokesperson went on to say that they try to block such accounts whenever they identify them.

Discord, like many other sites, requires a valid phone number for SMS verification, instead of VoIP numbers. This is probably an attempt to reduce the incidents of fake accounts. However, according to 5Sim, they provide users with ordinary numbers.

5Sim did say that its customers are not allowed to use their phone numbers for any illegal activity, or any actions that might cause harm to third parties or to the service. AhmOkYaAllRightyThen!

It is not clear how far 5Sim goes in ensuring that its customers adhere to these regulations, or whether it does indeed impose the restrictions on accounts in cases where fraudulent activities are suspected. In the meantime, though, scammers have a guaranteed way to bypass a lot of very important safety precautions.

For you, just knowing what’s happening in the background, understanding of the various scams, knowing there are a few things that can be done in addition to the game of whack-a-mole. The key here is to keep paying attention. Don’t let anyone CONvince you otherwise.

AI Voice Scams Are Here: What Businesses Must Know

The phone rings at the desk of a new employee. The boss is on the line. He says he’s having trouble reaching staff, and he needs several hundred dollars of gift cards to give to a client. He asks the employee to buy the cards, then call him back with the serial numbers.

AI Voice Scams Are Here: What Businesses Must KnowA shipping clerk receives a text message from a known client asking to call an unfamiliar number. The client picks up the phone and asks the clerk to divert a pending shipment to a new address because of facility issues at the old address.

An AI voice scam has been launched in both of these examples. How would your employees react?

Using deepfake technology, criminals can pull off an AI voice scam with just a few seconds of someone’s voice. As reported by Agence France Press via Yahoo! News, 70% of people surveyed by McAfee Labs did not believe they could tell a real voice apart from an AI-generated voice. This opens new avenues for pretexting attacks by criminals impersonating business leaders and clients. While the examples cited by Agence France Press involve “Grandparent scams,” where the faked voice of a grandchild is used to demand money, it is a small leap for criminals to exploit these same tools to drain business bank accounts and steal goods.

How to Stop AI Voice Scams in Your Business

An AI voice scam is a sophisticated attack designed to avoid detection. Do not assume that a machine voice claiming to be the CEO will call, or that there will be obvious signs that something is wrong. The best deepfake technology can synthesize speech and respond to questions in real time. In the Grandparent Scam, the criminals may pre-record a snippet of the fake grandchild in distress while the criminal does most of the talking. In more advanced scams, employees can be duped into believing they are talking with people they know.

There are three steps that businesses must take to prevent losses from an AI voice scam:

  1. Beware of what you share. As we discussed in Is Your Website a Bait Shop for Phishing Attacks, sharing by companies arms criminals with the information they need to carry out all kinds of pretexting attacks. Add video clips featuring senior staff to the list of things that should not be easily accessible online. If you must post an employee’s keynote speech or personal welcome to all site visitors, make sure that there is no clear voice-only audio. Put music under their voice or add some recognizable room tone or background noise. Only the most sophisticated voice replicators can extract a single voice from audio with multiple tracks. If you face a significant risk of data loss, system compromise or theft, the safest course is to remove any usable samples of any kind of the voices of senior leaders. This includes personal websites and social media posts as well as company-owned properties.
  2. Establish firm business protocols. At any point in time, employees should know what they are and are not authorized to do. Precise protocols will vary from business to business and role to role, but there are best practices to guide this. For example, employees should know that they are not authorized to make personal purchases on behalf of the company; establishing this rule will stop gift card scams. Employees must know that they are never to share a password or download software without specific, in-person authorization from a superior. Companies that deliver goods should have a formal process in place with their clients for any changes in delivery dates or locations, which can include a 24-hour written notice that is verified by more than one individual on the shipper’s end. More guidance on establishing protocols and responding to attacks can be found in our free Cyber Crime Response Kit.
  3. Train, train, train. The best defense against all types of attacks is cyber security employee training. Business should have regular training for all employees, as well as a specialized training program for new employees. Anecdotal evidence and some recent study data show that cyber criminals tend to target new workers who may not be as familiar with a company’s policies and who may not have received formal training. Employee training should begin on the first day on the job and is essential for businesses that have been victims of cyber crime in the past.

A sophisticated pretexting AI voice scam can be very difficult to detect and defeat. Alert employees who know company policies and protocols that mandate a second set of eyes on unusual coworker or client requests are the best ways to stop these attacks. Protect Now can help you develop a complete employee training program and establish protocols based on your specific business needs. To learn more, contact us online or call us at 1-800-658-8311.

Lawsuits: A New Reason to Invest in Cyber Security

Lawsuits relating to cyber security incidents are on the rise, according to the 9th Annual Data Security Incident Response Report published by law firm BakerHostetler. For 2022, there were 42 lawsuits filed from 494 incidents that led to individual notifications, including 4 lawsuits filed in cases where fewer than 1,000 people were impacted by a data breach.

Lawsuits: A New Reason to Invest in Cyber SecuritySecurityWeek noted that this represented a significant trend, as 2018 data from BakerHostetler showed just 4 lawsuits filed from 394 incidents reported to impacted users.

Why Are Cyber Security Lawsuits Increasing?

Individuals and businesses are fed up with data breaches and the time and expense needed to address them. As a result, the days of providing free credit monitoring for a year or two are over.

Stronger state data protection laws also play a role in the rise of lawsuits, as they offer a framework for individuals to seek compensation for business and personal expenses incurred by a data breach. The California Consumer Privacy Act has become the model for a growing number of state-level regulations that hold businesses accountable for data breaches.

Insurance companies have also begun to push back against claims for business disruptions caused by cyber security incidents. Taking advantage of stronger state and Federal regulations, insurers who offer cyber security liability and recovery policies may require business owners to certify data protection measures for vendors and third parties. If those organizations experience a cyber attack, insurers may sue to recover their costs.

Invest in Cyber Security Employee Training to Keep Lawsuits at Bay

In the event of a lawsuit, businesses must disclose all aspects of their cyber security, including methods used to protect data, attack response and recovery plans and employee training and protocols. Businesses that have strong cyber security measures will be less likely to face lawsuits, while businesses  with weak security measures could be liable for significant damages and legal expenses.

Business owners should expect their cyber security to be scrutinized, and significant gaps will become a greater liability. In BakerHostetler’s report, 39% of cyber attacks were due to human factors, including phishing, social engineering or employee abuse of access. Collectively, this made up the greatest percentage of attack causes; while the root cause was unknown in 26% of attacks, phishing ranked second overall at 25% of attacks.

Sending employees a training video twice a year is not effective employee training. Real employee training teaches workers to recognize obvious attacks, to flag suspicious activity and to report anything that concerns them. CSI Protection Certification from Protect Now delivers this kind of effective training, empowering employees to stop threats by changing their attitudes toward business security. Our training is available through in-person or virtual seminars, or through our eLearning platform. To learn more, contact us online or call us at 1-800-658-8311.

2013 Boston Marathon Bombing: My Best Worst Day Ever

Like Big Papi said “This is our f–king city.” It’s the 10th anniversary of that beautiful – tragic day. The new Netflix documentary “American Manhunt; The Boston Marathon Bombing”, 

No alt text provided for this image

Front Page Boston Globe Robert Siciliano Above the Fold

has me sobbing in my kitchen. I’ve watched the movie Patriots Day with Mark Wahlberg countless times. This week I was asked to speak at a high school on my 12 years of Boston Marathon preparation, fundraising and the planner asked about the possibility of me discussing my experience on Boylston St that day, which I wasn’t expecting to do. And leading up to the moment I got on stage, I didn’t realize how shaken I still am. I could barely talk without my voice cracking. Thankfully, the moderator kept the dialog light and we talked about the training, fundraising and fun memories.

And heres the thing, NOTHING HAPPENED TO ME. Nothing happened to anyone in my family. My wife and two little girls, my dad, my sister-in-law, and some friends were all at the finish line, 100 yards away from the first bomb, which scared the hell out of me, but still. Completely unscratched. I just saw some sh#t. Ran right by it actually, which is part of the problem. That’s it. But it haunts me. And it makes me think about actual front line military, law enforcement and paramedics who deal with violence, trauma, and tragedy as a vocation. How do they even deal?

Training for a marathon is a taxing, physical, emotional and expensive process. For me personally, that has meant multiple cortisone shots, almost a hundred physical therapy appointments and a few arguments with my wife. Why do it? Why climb a mountain? Why be a police officer? Why be an emergency room nurse? Why detonate a bomb in a crowd of innocent people? We all make choices others wouldn’t and we justify our decisions based on our interests, options and perspective.

For me, I just wanted to lose weight, get fit and finally give back to a charity. When you’re 50 with a young family and your health and marriage are good, bills are paid and life is settled, words like “health,” “gratitude” and “grace” begin to have more meaning. And when you become a runner, you join a special club of conscious people who enjoy challenging themselves and understand our time is limited .

In 2013 I was on my way to run about a 4:10 (my best time ever), but was stopped at mile 26 due to some terrorists’ agenda.

During the 2013 Boston Marathon, my improved time put me on Boylston Street shortly after the blasts. There were two loud bangs, and as I rounded the corner I saw the finish line through dissipating smoke. Boston police immediately corralled runners from going any farther down Boylston because it was now a volatile area and potential crime scene. At 2:52 PM I called my wife, who was at the finish line, about 100 yards from the first bomb, and got no answer. A minute later, I got my dad on the phone; he was with my wife and the kids and he confirmed they were OK. I instructed him to leave ASAP, as another bomb could go off any moment. I told him to “walk down the center of the street and avoid any cars!”

But nothing was going to keep me away from them; I couldn’t just sit there and wait. In my mind, there were bombs going off between my family and myself. As a father, son and husband, the instinctual need to get your family to safety overpowers every sense of reason. I dodged a couple of police officers and ran down Boylston, the only runner on the field, putting myself in jeopardy and now also causing law enforcement to chase after me. At the 26-mile mark, I saw people on the ground, bloody and getting medical attention from the few paramedics that were on hand to take care of runners expected to be injured in more predictable, less violent ways. I made a decision to keep going. Which still doesn’t sit well. It felt like a 3D movie where the scene was pushing me back in my chair, but the sound was off. I know the scene was loud with sirens and screams, but I heard nothing.

Then I heard an angry cop (rightly so) blasting his voice in my ear before he wrestled me off the course. Eluding further apprehension, but onward to my family, I hopped a fence and ran down a back alley behind the restaurants, bars and shops that were evacuating people through their back doors. What I saw was people—many victims who must have made their way on their own or with the assistance of others—screaming, crying and making frantic phone calls…and there was blood. Some victims I saw lost anywhere from pints to whatever; I don’t know. I just remember freaking out and not wanting to run in it.

I ended up behind the finish line and found a way to cross Boylston. I made my way to the Weston Hotel, where I found my family, scooped up my four-year-old and hiked another half mile to my vehicle. Leaving behind two vehicles, we piled nine adults and children into my Yukon and evacuated.

No alt text provided for this image

Evacuating the city, carrying my 40lb child after running 26 miles.

Out of relative danger, our attention now turned to our two children and damage control. To gauge my seven-year-old’s feelings, I calmly asked her, “Did you have fun today?” She said, “Yes, today was awesome! Until the bombs went off!” Knowing she was shaken, the radio stayed off and adults did what they could to speak in code. Note to adults who may try this: It doesn’t fool a seven-year-old.

By this time my phone was going nuts, Facebook and Twitter were buzzing and my mother, who couldn’t get in touch with us, was in complete meltdown.

Once I got home and got the kids situated, we ordered a bunch of pizza because that’s what you do when a bomb goes off. People need to feel normal.

My mom showed up at our home shortly after we got there. She was a total mess, and after the kids saw her emotional state, they understood the gravity of the situation. Today, they are showing a tremendous amount of affection and gratitude, which seems to be a side effect of their trauma.

I posted a brief note on Facebook: “Im OK, I was on Boylston St. when it happened. I saw smoke, I saw blood and people on the ground. My family was 300 yards away, waiting for me and I got to them and evacuated from the city. More later.” And the comments and “likes” poured in.

Shortly after, I provided an update: “I was right there, bomb went off. Boston police removed everyone, I kept running toward the bombs because my family was at the finish line. Police got me off the road, I resisted then another cop almost tackled me (rightly so). I ran in the back alleys, people spilling into the alleys from the explosion, screaming, crying, blood, got my dad to get my wife and kids out of there concerned for another explosion. I’m telling it to Dr. Drew on CNN between 9:15ish and 9:30ish tonight.”

Again, comments poured onto my page like never before. People offering an outpouring of help and support. I never knew I had that many real friends.

I feel I have to explain the part about Dr. Drew and CNN. It may seem opportunistic, but frankly, for me, it’s therapy. I do lots of media as the expert. My network is “the media.” So when I send a blast email to raise money for charity, my network knows I’m running the Boston Marathon. When I logged into Facebook and email, the requests came in from CNN, Extra and Canadian TV, along with a few radio shows too. So I spent the evening after the run as an eyewitness. And, because it’s who I am, I gave security tips too.

No alt text provided for this image

Maria Menounos and Me at the Media Compound the day after

My Rockstar cousin, who is an Iraq and Afghanistan soldier and flies one of those crazy killer helicopters, reached out to me via Facebook and said, “I think your situation was much worse than many Middle East situations I’ve been in.” Which I thought odd because he’s had his best buddy blown up right next to him. Then he said, “When I deploy I’m armed, geared up and expecting to fight. You were at a peaceful gathering around families and innocent civilians, not expecting bombs. That makes it much worse.”

We accept the possibility of death and destruction when we sign our contracts. I’m sure no one who signed up for the marathon expected this.

This completely messed me up, putting into perspective just how awful this situation is.

I only slept three hours that night, on edge, emotional and fragile. The next day, I headed to the media compound near Boylston to meet with Maria Menounos from Extra, who is a Greek Boston girl.

I connected with Maria, and within two minutes we were both crying. She started talking about how she loves Boston so much, then I started crying, then she started crying…which completely messed me up. I tell you this because she told me people should know this is real and they can’t forget. She was professional, but she was real. She put me at ease and we got through the interview.

Since then I’ve done more media on this than I wished, including the Boston GlobeDr. DrewExtraCurrent TVCanadian TVagain and againFox Boston and some radio.

In early May after the blasts, I was asked to speak to the North Eastern Massachusetts Law Enforcement Council on the benefits of social media to law enforcement and how social can help get the word out in a tragedy. When I walked into the room to speak, everyone was in uniform. What I didn’t know was many of the men and women attending were the first responders saving lives at the finish line, and others who were involved in the capture of the bombers. That was a very emotional speech for me. Check out the Huffington Posts blog on how the Boston Police did a stellar job using Twitter during the bombing.

No alt text provided for this image

Cowboy Hat-Wearing Boston Marathon Hero Carlos Arredondo and Robert Siciliano

At this point, my family and I are safe. Emotions are still high for some. Even as I update this post from 10 years ago its messing me up. We were and still are angry. This celebratory event will forever be marked by the visual of a plume of smoke that symbolized the evil intent of misguided people that do not value human life and have no regard for our freedoms.

We caught the bastards and while there are no real answers, we may never get them. The movie Patriots Day actually did an amazing job of telling the tragic story through a composite character. And the Netflix doc really brings it home.

On behalf of my Boston, we are proud of our city, its first responders and its people, who showed the true measure of the human spirit through powerful acts of kindness and displays of citizen courage.


We are strong as a city, undivided as a country and unbowed by this attack. No terrorist will be allowed to alter our nation’s course.


Robert is running his 12th Boston Marathon for Dana-Farber Cancer Research Institute. Please consider a donation:

Robert Siciliano personal security and Cyber Security Expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud.

Protect Now Announces Agreement to Bring Cyber Social Identity (CSI) and Personal Protection Certification to RE/MAX University®

Comprehensive Program Includes Personal Security and Cyber Security Certification

DENVER, CO – April 4, 2023 – Protect Now, a leading provider of cyber security training and solutions, today announced an agreement with RE/MAX, LLC, a global real estate franchisor with more than 140,000 agents in almost 9,000 offices and a presence in more than 110 countries and territories.

Through this agreement, RE/MAX will add Protect Now’s Cyber Social Identity (CSI) and Personal Protection Certification to the programs offered through RE/MAX University, an exclusive-to-RE/MAX learning hub designed to help each agent level-up their professional expertise. Through this new security awareness training program, real estate professionals will have the opportunity to learn strategies to keep themselves, their businesses and the clients’ data safe.

Developed by Protect Now, the CSI Protection Certification training offers the most current best practices in cyber security to prevent wire fraud, identity theft and breaches, paired with practical advice real estate professionals can use to stay safe in the field. CSI Certification helps to meet FTC Safeguards Rule compliance and delivers a marketing tool to help professionals grow market access, reputation and sales. REALTORS® with a professional designation earn a median income 74% higher than those without, according to an NAR Member Survey.

“We are proud to bring this exceptional safety and cyber security program to the real estate professionals we support,” said Bryson Creighton, Vice President, RE/MAX University Learning & Education. “This is a critical tool that will help our agents and franchisees build trust with their clients and provide the exceptional service that RE/MAX is known for.”

The 2021 National Association of Realtors Annual Safety Report found that 5% of REALTORS® had been a victim of a crime while working as a real estate professional. Cyber-attacks are a growing threat to the real estate industry, where many agencies operate as small- or mid-sized businesses, and where regular email, text and telephone contact with buyers and sellers occurs daily. Criminals have stepped up their attacks on smaller businesses in recent years. Data from 2019 showed that cyber criminals made small businesses their top target, accounting for 43% of data breaches.

“Criminals will always go after the easiest targets,” said Protect Now Co-Founder and Head Security Awareness Trainer Robert Siciliano. “They’ve learned that they can’t make the ‘big hits’ going after large companies, so they now look for small business with lower levels of cyber security. They launch thousands of attacks each month, because it’s a numbers game. They can make a good amount of money from a few hundred breaches with far less risk and effort.”

Protect Now closes the gap between small- and large-business cyber security awareness with training that emphasizes the individual role each employee plays in cyber security. Brokers and agents are taught to see their personal role in protecting access and data, which has proven an effective tool in changing organizational attitudes toward cyber security.

“Wire fraud has surpassed a $200 million a year, which decimates the buyer’s bank account, kills the sale, shatters commissions, ruins the agency’s reputation and can lead to lengthy, expensive lawsuits for everyone involved in the transaction. We are also entering an era where the Federal government will demand more accountability from everyone who handles financial information. These are powerful reasons for real estate professionals to attend this training,” Siciliano said.


About Protect Now
Protect Now is a leading provider of cyber security training and solutions for business, municipal and nonprofit clients, with an emphasis on organizations that process sensitive information from the general public. Protect now delivers a suite of cyber security services, including Virtual CISOs, Dark Web Monitoring and FTC Compliance, backed by personal security, cyber security and anti-phishing training that creates meaningful change in employee attitudes toward cyber security by emphasizing the importance of personal security. To learn more about Protect Now’s cyber security solutions, visit

Three Federal Agencies Warn of Business Email Compromise (BEC) Scams

Business Email Compromise (BEC) scams netted $2.4 billion in losses during 2021, with 19,954 complaints reported to the United States government. A joint advisory from the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI) and the U.S. Department of Agriculture (USDA) urges businesses in the agricultural and food sectors to beware of scams stealing physical goods, not money.

New BEC scams targeting food producers use phony emails and websites to order or reroute goods, such as powdered milk, sugar or whole milk. In some cases, fake emails were used to reroute existing shipments to criminals, while in others fake orders were placed by criminals pretending to be existing clients.

How Business Email Compromise Scams Work

BEC scams combine elements of social engineering and phishing. Criminals learn the names of senior executives at companies likely to order large quantities of ingredients or other goods. They then send phony emails or place fake online orders using spoofed assets and email addresses. In some cases, they will communicate directly with senior staff and place orders or ask for shipments to be rerouted. Because the emails look legitimate and generate real responses from humans, employees may accept the phony orders or reroute shipments, leading to hundreds of thousands of dollars in lost product.

Among the scams reported by the Federal government–

  • One group of criminals forged the identity of a U.S. company and placed orders for ingredients from June through August of 2022 with multiple suppliers. The scam netted at least $200,000 in stolen goods.
  • Criminals used a fake email to get a line of credit and $100,000 in milk powder by posing as a food company.
  • Four fake companies targeted a single food manufacturer, ordering nearly $600,000 in whole milk powder and non-fat dry milk.

How to Spot BEC Scams

In nearly every case outlined by U,S, government agencies, there was a small change in an email address that revealed the fraud. In some cases, an extra letter was added. In other cases, the number “1” was substituted for a lower-case “L.” Email addresses may also point to incorrect domains, such as a .org or .net instead of a .gov or .com.

Business Email Compromise scams can slip by employees, even those who have had cyber security training, because they appear professional and do not directly ask for money. They appear to be professional enquiries, often include recognizable names and company logos and present business opportunities. It is only after the order has shipped that companies realize they have been scammed.

As with most scams, awareness and verification stop the criminals and the attacks.

  1. Make all employees who handle orders and shipments aware of Business Email Compromise scams.
  2. Put a second set of eyes on any order over a certain amount, regardless of where it appears to come from.
  3. Do not respond directly to emails that appear suspicious. Study return addresses carefully and, if anything appears off, call the alleged client directly.
  4. Verify any large order or order change by calling the client directly and asking for confirmation.
  5. Ask for advance payment before delivering goods to any new client.
  6. Use Dark Web Monitoring to find out what information about your company has been circulating online. Names of staff could be used for social engineering and phishing attacks. Names of executives and company assets can be used by scammers to create phony emails and websites.

In the most insidious versions of a Business Email Compromise scam, criminals gain access to a company’s legitimate email server, then create fake accounts that they use to communicate with their victims. This can be remedied by reviewing all company email accounts regularly and by immediately closing the accounts of former employees.

As the government warning illustrates, cyber threats come in many forms and through many channels. This scam is a prime example of the kind of attack that many existing cyber training programs miss.

Movers and Shakers: Watch Out for These Scammy Conference Invitation Traps

Finally we are back to booking a ton of live-in-person security awareness training at conferences! It’s about time! Business is getting back to pre-Covid days here in the States and any non-in-person training is being supplemented with live-online and e-learning. It’s all good! However, we are also seeing more of one of the weirdest scams out there: Conference Invitation Scams.

Conference Invitation Scams are on the rise

This is when a scammer sends out invitations to an event, like a conference, with the sole intention of scamming the people they are inviting to attend or to speak at that event. These events might be real, or they could be totally made up. The targets of these scams include CEOs, business owners, lecturers, philanthropists, researchers, and more. The goal of these scammers is to steal the identities of their targets and ultimately get Credit card numbers, checks or money wire transfers by scamming the victims.

And that’s not all, these same scams are usually piggybacked with “conference attendee lists for sale” scams. That means companies that might exhibit or market their products and services to attendees of specific conferences are targeted to buy lists that are either lame or simply don’t exist. Conference managers have their backs up against the wall fielding communications from victims who accuse the legitimate conference hosts of bad service and of course worse, fraud.

Identifying a Scam

There are a few signs that you should look out for when you get an invitation to a conference or an event. They include:

  • The invitation is random or a surprise
  • The invitation is filled with bad grammar or typos
  • The invitation asks that you pay a premium price to attend, which includes both transportation and accommodations
  • The name of the conference sounds like one that is real, such as Tech Crunch, but spelled like TecKrunch
  • You cannot pay by credit card, they might require a check, wire transfer, peer to peer payment, or cryptocurrency.
  • The invitation is extremely flattering
  • The greeting on the invitation sounds strange, like “Salutations”
  • The invitation creates a sense of urgency about getting your personal information
  • The conference is in a different country
  • The invitation seems too good to be true
  • The invitation asks for personal information and covers your accommodation, transportation, or conference cost
  • The landing page of the site doesn’t have a phone number or address listed
  • Or none of the above. The invitation or list for sale email is perfect. There are the absolutely nothing wrong with it.

Beware of the Conference Invitation Scam targeting speakers

Generally, the scam works like this: the scammer starts the scam by sending an email to the victim, which invites them to speak or attend a conference. The scammer often uses the victims’ social media pages in order to get info about them. This helps the invitation seem more personalized.

The victim is then asked to register for the conference, which gives the scammer even more personal information. On top of this, the scammer could ask the victim to pay a fee in order to attend the conference, and pay it fast, because they also create a sense of urgency to attend the conference, such as saying “spots are limited.”

If the victim that is targeted falls for the scam and sends their info, the scammer could have enough to steal the person’s identity. To add more, the scammer can even add the name of the victim, if they are well-known in the industry, to promote the conference.

When the victim goes through all of this, they will soon find that they have been the victim of a scammer. You even have to be careful when attending a conference that is legitimate, because a scammer will send out fake invites to real conferences, too. Since a victim knows about these conferences already, they are usually more willing to give up their information.

How to Protect Yourself from a Conference Invitation Scams

There are a few tricks and tips that you can start using if you commonly attend conferences. The include:

It’s entirely likely your email address as a username, has been part of not just one, but multiple data breaches. And because of this, you are likely

  • to be targeted in scams related to that organizations product or service. Right now, check if your email address has been part of any specific breaches by utilizing our “Hacked email Checker” and then change your password for those accounts.
  • Do your research about the event and try to match up the information you find with the invitation you received.
  • Contact the event organizers directly. While a website can be created from scratch or spoofed, there is still value to looking up the event and the contact info of the organizer, report your findings and find out if it’s legit.
  • If you see an email that is similar to what is described above, don’t even respond.
  • If you get an invitation that seems strange, look into it more.
  • Don’t give any personal info, including your Social Security Number. There is no reason a conference organizer would need that.
  • Copy and paste the full email into Google to see if others have reported it as a scam. You are likely not the only person to be solicited in this way.

If You are a Victim, What Should You Do?

Do you think you have become a victim of a conference invitation scam? If yes, there are some steps that you should take right now.

  • First, get contact with your credit card companies and banks, and make sure they know about it. Refute the fraudulent charges.
  • Next, you should contact your local police and file a report which might be needed to get your money back.
  • Consider contacting the police in the area where the conference was supposed to be held.
  • If you are inclined to do so, you may want to get in touch with the Better Business Bureau and report it.
  • You can also report this online by using the BBB Scam Tracker on the BBB website, to the FBI at the Internet Crime Complaint Center, or the FTC’s Online Complaint Assistant.

The most important thing is to pay attention. We’ve never seen more scams or more variations on existing scams in our entire lives. It’s funny to us, we here experts saying “criminal hackers are more sophisticated than ever” and they are not. What they are, is organized, more than ever. Scammers treat fraud as a business, they have a hierarchy, they punch a clock, they have employees, and it is that “structure” that results in a sophisticated profitable business that leads to huge profits.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Are Password Managers Safe? Should You Use One?

Do you think password managers are safe? You probably do, or at least hope they are if you are using them. Keep in mind, there is no such thing as 100% safe or 100% secure. Password managers, the companies that create host and deploy them, have one job and that is to keep your passwords secure.

From my experience, they’ve done a pretty good job of that thus far. To this day I am unaware of a password manager that has been breached in such a way where all of the user data was unencrypted and exposed. In general, these companies engage in full on application security and have bank level or military grade encryption. What is so bizzare to me is last I read, less than 10% of computer users use a password manager. I think a password manager is the best use of my time and money in regards to computer security.

If a password manager was to get hacked, the path of least resistance would be targeting an individual user, compromising their device, and logging into their password manager itself.

Although researchers had shown that they might not be as safe as you think they are. Before we go further, though, just know that I’m not too worried about this.

First, let’s take a look at this study. Generally, it looked at how often passwords were leaking from host computers, and then focused on if the password managers that were installed were leaving passwords on the memory of the computers.

What the study found was that all of the password managers did a good job at keeping passwords safe when it was “not running.” So, it means that a hacker wouldn’t be able to force the software into giving away a password. However, it also found that all of the password managers that were tested made an attempt to remove the password from the memory of the computer…but in a couple of cases, the passwords were still found.

Some of the software tested, left the master password and the secret key on the computer. What this means is that it could be possible now for a hacker to access information from the program. But, you have to realize that these programs are trying to remove the information…but due to situational incidents, it isn’t always possible.

Another software that was tested, caused some concerns with the researchers. Essentially, the program takes passwords when the user types them, and scrambles them, but they are decrypted when put into the computer’s memory.

Yet another password manager was examined. Here, the software removed the master password from the memory of the computer, and it was not able to be found.

Is this something to worry about? It depends. How a password manager behaves on a device and whether or not it stores entered password in memory etc. shouldn’t be that big of a deal. In reality, if the device has spyware on it, or a malware that allows for full recording of every keystroke, then that device in that user is essentially screwed.

Since researchers had pointed out these issues, all of the programs had been updated and changed. That’s why I’m not worried. Plus, the real issue doesn’t have much to do with the password managers’ security in regards to its memory or cloud access or its application security, but with the security of the devices that they are on.


In every security awareness training I do, I expound upon the benefits of using a password manager. Inevitably, in every discussion, the question comes up “what if the password manager gets hacked?” The pure naïveté of that question comes from most computer users belief that hacking or penetrating hardware software or networks etc. is as easy as snapping one’s fingers. It is not. There are generally a number of scenarios that need to come together in order for a device to be compromised.

But there is one single solitary scenario that makes data on a device vulnerable and that is “password re-use” leading to credential stuffing. Credential stuffing is such a weird term. Anyways, OWASP defines Credential stuffing as “the automated injection of stolen username and password pairs (“credentials”) in to website login forms, in order to fraudulently gain access to user accounts. Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.”

When you look at the danger of using one password over and over again, you are much safer when using a password manager. Meanwhile head over to my

website homepage and scroll down until you see our Password Checker and click “Check if your password has been breached”. Don’t worry about entering your password on the site. We don’t store anything and what can we possibly do with the password? It’s just a password. How can we possibly track that back to any specific account? At a minimum we would need an additional user name. If you’re so concerned, do it from a private browser and or use VPN. It just doesn’t matter. Relax. Just get a password manager.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Security Appreciation: Cyber Security

Awareness; knowledge or perception of a situation or fact.

Appreciation; a full understanding of a situation.

Cyber Security Appreciation

“My business has been hacked. Now what?” Here are the steps you should employ immediately.

Hire a Professional – When a business is hacked, it is entirely possible they were compromised because they did not employ technicians to prevent it in the first place. Therefore 3rd parties that specialize is security and breach mitigation should be contacted immediately. These IT security professionals specialize in prevention and containment. Their role proactively is to seek out vulnerabilities by utilizing vulnerability scanning software to seek out points of entry and patch those vulnerabilities prior to an intrusion.

Change and Reset Passwords – Many hacks begin with compromised passwords. Easy to guess/easy to hack/easy to crack passwords make the hackers job, well, EASY. Never using the same password twice, and utilizing upper case, lowercase and characters along with using a password manager ensures password security.

Update All Software – Begin by scanning all hardware and software with anti-virus programs and removing viruses. Vulnerabilities are often due to outdated software or operating systems riddled with flaws. Updating with critical patches eliminates these threats. Maintain redundant networked hardware systems in place, backed up data, contingency plans to put duplicate systems online immediately following a breach.

Update Your Companies Hardware – Old outdated hardware simply can’t keep up with the requirements of newer robust software or the security software required to keep networks secure.

Back Up All of Your Data – You have to make sure that you are regularly backing up data to a secure location. This data should also be encrypted.

Manage All Identities – Make sure that you are managing identities and access to accounts. You must do this across the board, as just one account being accessed could make you or your network extremely vulnerable.

Utilize Multi-Factor Authentication – You can use multi-factor authentication to keep accounts protected, too. This means every time a device or an online account is accessed, an additional text message must be sent with a one-time pass code or a one-time pass code sent to a key fob. There are hardware devices available that are also forms of second factor or multi factor authentication.

Security Awareness Training – Assuming employees know what to do and more importantly, what not do, is risky. Providing effecting ongoing security awareness, and in the authors opinion “security appreciation training” is partnering with employees to protect the network.

Patching – Set up a system so that you can always ensure that your hardware and software is always patched and updated on a regular basis. This helps to keep your data safe.

Align Your IT Security with Other Business Security – Those who are in the IT industry often feel as if they are struggling to keep up with changing technology, including security tech. The success of a business is based on keeping it secure, and keeping all types of security in mind including IT security, has a direct impact on revenue.

Recognize Social Engineering Scams – Every time the phone rings, every time an email comes in, every time an employee opens up a US postal letter, be suspect. Criminals contacting you or employees will try to bamboozle them with gift card scams, utility bills scams, invoices for products and services, you name it. There are thousands of scams designed to fleece consumers and small businesses.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.