AI Voice Scams Are Here: What Businesses Must Know

The phone rings at the desk of a new employee. The boss is on the line. He says he’s having trouble reaching staff, and he needs several hundred dollars of gift cards to give to a client. He asks the employee to buy the cards, then call him back with the serial numbers.

A shipping clerk receives a text message from a known client asking to call an unfamiliar number. The client picks up the phone and asks the clerk to divert a pending shipment to a new address because of facility issues at the old address.

An AI voice scam has been launched in both of these examples. How would your employees react?

Using deepfake technology, criminals can pull off an AI voice scam with just a few seconds of someone’s voice. As reported by Agence France-Presse via Yahoo! News, 70% of people surveyed by McAfee Labs did not believe they could tell a real voice apart from an AI-generated voice. This opens new avenues for pretexting attacks by criminals impersonating business leaders and clients. While the examples cited by Agence France-Presse involve “Grandparent scams,” where the faked voice of a grandchild is used to demand money, it is a small leap for criminals to exploit these same tools to drain business bank accounts and steal goods.

How to Stop AI Voice Scams in Your Business

An AI voice scam is a sophisticated attack designed to avoid detection. Do not assume that a machine voice claiming to be the CEO will call, or that there will be obvious signs that something is wrong. The best deepfake technology can synthesize speech and respond to questions in real time. In the Grandparent Scam, the criminals may pre-record a snippet of the fake grandchild in distress while the criminal does most of the talking. In more advanced scams, employees can be duped into believing they are talking with people they know.

There are three steps that businesses must take to prevent losses from an AI voice scam:

  1. Beware of what you share. As we discussed in Is Your Website a Bait Shop for Phishing Attacks, sharing by companies arms criminals with the information they need to carry out all kinds of pretexting attacks. Add video clips featuring senior staff to the list of things that should not be easily accessible online. If you must post an employee’s keynote speech or personal welcome to all site visitors, make sure that there is no clear voice-only audio. Put music under their voice or add some recognizable room tone or background noise. Only the most sophisticated voice replicators can extract a single voice from audio with multiple tracks. If you face a significant risk of data loss, system compromise or theft, the safest course is to remove any usable samples of any kind of the voices of senior leaders. This includes personal websites and social media posts as well as company-owned properties.
  2. Establish firm business protocols. At any point in time, employees should know what they are and are not authorized to do. Precise protocols will vary from business to business and role to role, but there are best practices to guide this. For example, employees should know that they are not authorized to make personal purchases on behalf of the company; establishing this rule will stop gift card scams. Employees must know that they are never to share a password or download software without specific, in-person authorization from a superior. Companies that deliver goods should have a formal process in place with their clients for any changes in delivery dates or locations, which can include a 24-hour written notice that is verified by more than one individual on the shipper’s end. More guidance on establishing protocols and responding to attacks can be found in our free Cyber Crime Response Kit.
  3. Train, train, train. The best defense against all types of attacks is cyber security employee training. Businesses should have regular training for all employees, as well as a specialized training program for new employees. Anecdotal evidence and some recent study data show that cyber criminals tend to target new workers who may not be as familiar with a company’s policies and who may not have received formal training. Employee training should begin on the first day on the job and is essential for businesses that have been victims of cyber crime in the past.

A sophisticated pretexting AI voice scam can be very difficult to detect and defeat. Alert employees who know company policies, together with protocols that mandate a second set of eyes on unusual coworker or client requests, are the best ways to stop these attacks. Protect Now can help you develop a complete employee training program and establish protocols based on your specific business needs. To learn more, contact us online or call us at 1-800-658-8311.

Lawsuits: A New Reason to Invest in Cyber Security

Lawsuits relating to cyber security incidents are on the rise, according to the 9th Annual Data Security Incident Response Report published by law firm BakerHostetler. For 2022, there were 42 lawsuits filed from 494 incidents that led to individual notifications, including 4 lawsuits filed in cases where fewer than 1,000 people were impacted by a data breach.

SecurityWeek noted that this represented a significant trend, as 2018 data from BakerHostetler showed just 4 lawsuits filed from 394 incidents reported to impacted users.

Why Are Cyber Security Lawsuits Increasing?

Individuals and businesses are fed up with data breaches and the time and expense needed to address them. As a result, the days of providing free credit monitoring for a year or two are over.

Stronger state data protection laws also play a role in the rise of lawsuits, as they offer a framework for individuals to seek compensation for business and personal expenses incurred by a data breach. The California Consumer Privacy Act has become the model for a growing number of state-level regulations that hold businesses accountable for data breaches.

Insurance companies have also begun to push back against claims for business disruptions caused by cyber security incidents. Taking advantage of stronger state and Federal regulations, insurers who offer cyber security liability and recovery policies may require business owners to certify data protection measures for vendors and third parties. If those organizations experience a cyber attack, insurers may sue to recover their costs.

Invest in Cyber Security Employee Training to Keep Lawsuits at Bay

In the event of a lawsuit, businesses must disclose all aspects of their cyber security, including methods used to protect data, attack response and recovery plans and employee training and protocols. Businesses that have strong cyber security measures will be less likely to face lawsuits, while businesses with weak security measures could be liable for significant damages and legal expenses.

Business owners should expect their cyber security to be scrutinized, and significant gaps will become a greater liability. In BakerHostetler’s report, 39% of cyber attacks were due to human factors, including phishing, social engineering or employee abuse of access. Collectively, this made up the greatest percentage of attack causes; while the root cause was unknown in 26% of attacks, phishing ranked second overall at 25% of attacks.

Sending employees a training video twice a year is not effective employee training. Real employee training teaches workers to recognize obvious attacks, to flag suspicious activity and to report anything that concerns them. CSI Protection Certification from Protect Now delivers this kind of effective training, empowering employees to stop threats by changing their attitudes toward business security. Our training is available through in-person or virtual seminars, or through our eLearning platform. To learn more, contact us online or call us at 1-800-658-8311.

2013 Boston Marathon Bombing: My Best Worst Day Ever

Like Big Papi said “This is our f–king city.” It’s the 10th anniversary of that beautiful – tragic day. The new Netflix documentary “American Manhunt; The Boston Marathon Bombing” has me sobbing in my kitchen. I’ve watched the movie Patriots Day with Mark Wahlberg countless times. This week I was asked to speak at a high school on my 12 years of Boston Marathon preparation, fundraising and the planner asked about the possibility of me discussing my experience on Boylston St that day, which I wasn’t expecting to do. And leading up to the moment I got on stage, I didn’t realize how shaken I still am. I could barely talk without my voice cracking. Thankfully, the moderator kept the dialog light and we talked about the training, fundraising and fun memories.

Front Page Boston Globe Robert Siciliano Above the Fold

And here’s the thing, NOTHING HAPPENED TO ME. Nothing happened to anyone in my family. My wife and two little girls, my dad, my sister-in-law, and some friends were all at the finish line, 100 yards away from the first bomb, which scared the hell out of me, but still. Completely unscratched. I just saw some sh#t. Ran right by it actually, which is part of the problem. That’s it. But it haunts me. And it makes me think about actual front line military, law enforcement and paramedics who deal with violence, trauma, and tragedy as a vocation. How do they even deal?

Training for a marathon is a taxing, physical, emotional and expensive process. For me personally, that has meant multiple cortisone shots, almost a hundred physical therapy appointments and a few arguments with my wife. Why do it? Why climb a mountain? Why be a police officer? Why be an emergency room nurse? Why detonate a bomb in a crowd of innocent people? We all make choices others wouldn’t and we justify our decisions based on our interests, options and perspective.

For me, I just wanted to lose weight, get fit and finally give back to a charity. When you’re 50 with a young family and your health and marriage are good, bills are paid and life is settled, words like “health,” “gratitude” and “grace” begin to have more meaning. And when you become a runner, you join a special club of conscious people who enjoy challenging themselves and understand our time is limited.

In 2013 I was on my way to run about a 4:10 (my best time ever), but was stopped at mile 26 due to some terrorists’ agenda.

During the 2013 Boston Marathon, my improved time put me on Boylston Street shortly after the blasts. There were two loud bangs, and as I rounded the corner I saw the finish line through dissipating smoke. Boston police immediately corralled runners from going any farther down Boylston because it was now a volatile area and potential crime scene. At 2:52 PM I called my wife, who was at the finish line, about 100 yards from the first bomb, and got no answer. A minute later, I got my dad on the phone; he was with my wife and the kids and he confirmed they were OK. I instructed him to leave ASAP, as another bomb could go off any moment. I told him to “walk down the center of the street and avoid any cars!”

But nothing was going to keep me away from them; I couldn’t just sit there and wait. In my mind, there were bombs going off between my family and myself. As a father, son and husband, the instinctual need to get your family to safety overpowers every sense of reason. I dodged a couple of police officers and ran down Boylston, the only runner on the field, putting myself in jeopardy and now also causing law enforcement to chase after me. At the 26-mile mark, I saw people on the ground, bloody and getting medical attention from the few paramedics that were on hand to take care of runners expected to be injured in more predictable, less violent ways. I made a decision to keep going. Which still doesn’t sit well. It felt like a 3D movie where the scene was pushing me back in my chair, but the sound was off. I know the scene was loud with sirens and screams, but I heard nothing.

Then I heard an angry cop (rightly so) blasting his voice in my ear before he wrestled me off the course. Eluding further apprehension, but onward to my family, I hopped a fence and ran down a back alley behind the restaurants, bars and shops that were evacuating people through their back doors. What I saw was people—many victims who must have made their way on their own or with the assistance of others—screaming, crying and making frantic phone calls…and there was blood. Some victims I saw lost anywhere from pints to whatever; I don’t know. I just remember freaking out and not wanting to run in it.

I ended up behind the finish line and found a way to cross Boylston. I made my way to the Weston Hotel, where I found my family, scooped up my four-year-old and hiked another half mile to my vehicle. Leaving behind two vehicles, we piled nine adults and children into my Yukon and evacuated.

Evacuating the city, carrying my 40lb child after running 26 miles.

Out of relative danger, our attention now turned to our two children and damage control. To gauge my seven-year-old’s feelings, I calmly asked her, “Did you have fun today?” She said, “Yes, today was awesome! Until the bombs went off!” Knowing she was shaken, the radio stayed off and adults did what they could to speak in code. Note to adults who may try this: It doesn’t fool a seven-year-old.

By this time my phone was going nuts, Facebook and Twitter were buzzing and my mother, who couldn’t get in touch with us, was in complete meltdown.

Once I got home and got the kids situated, we ordered a bunch of pizza because that’s what you do when a bomb goes off. People need to feel normal.

My mom showed up at our home shortly after we got there. She was a total mess, and after the kids saw her emotional state, they understood the gravity of the situation. Today, they are showing a tremendous amount of affection and gratitude, which seems to be a side effect of their trauma.

I posted a brief note on Facebook: “I’m OK, I was on Boylston St. when it happened. I saw smoke, I saw blood and people on the ground. My family was 300 yards away, waiting for me and I got to them and evacuated from the city. More later.” And the comments and “likes” poured in.

Shortly after, I provided an update: “I was right there, bomb went off. Boston police removed everyone, I kept running toward the bombs because my family was at the finish line. Police got me off the road, I resisted then another cop almost tackled me (rightly so). I ran in the back alleys, people spilling into the alleys from the explosion, screaming, crying, blood, got my dad to get my wife and kids out of there concerned for another explosion. I’m telling it to Dr. Drew on CNN between 9:15ish and 9:30ish tonight.”

Again, comments poured onto my page like never before. People offering an outpouring of help and support. I never knew I had that many real friends.

I feel I have to explain the part about Dr. Drew and CNN. It may seem opportunistic, but frankly, for me, it’s therapy. I do lots of media as the expert. My network is “the media.” So when I send a blast email to raise money for charity, my network knows I’m running the Boston Marathon. When I logged into Facebook and email, the requests came in from CNN, Extra and Canadian TV, along with a few radio shows too. So I spent the evening after the run as an eyewitness. And, because it’s who I am, I gave security tips too.

Maria Menounos and Me at the Media Compound the day after

My Rockstar cousin, who is an Iraq and Afghanistan soldier and flies one of those crazy killer helicopters, reached out to me via Facebook and said, “I think your situation was much worse than many Middle East situations I’ve been in.” Which I thought odd because he’s had his best buddy blown up right next to him. Then he said, “When I deploy I’m armed, geared up and expecting to fight. You were at a peaceful gathering around families and innocent civilians, not expecting bombs. That makes it much worse.”

We accept the possibility of death and destruction when we sign our contracts. I’m sure no one who signed up for the marathon expected this.

This completely messed me up, putting into perspective just how awful this situation is.

I only slept three hours that night, on edge, emotional and fragile. The next day, I headed to the media compound near Boylston to meet with Maria Menounos from Extra, who is a Greek Boston girl.

I connected with Maria, and within two minutes we were both crying. She started talking about how she loves Boston so much, then I started crying, then she started crying…which completely messed me up. I tell you this because she told me people should know this is real and they can’t forget. She was professional, but she was real. She put me at ease and we got through the interview.

Since then I’ve done more media on this than I wished, including the Boston Globe, Dr. Drew, Extra, Current TV, Canadian TV, again and again, Fox Boston and some radio.

In early May after the blasts, I was asked to speak to the North Eastern Massachusetts Law Enforcement Council on the benefits of social media to law enforcement and how social can help get the word out in a tragedy. When I walked into the room to speak, everyone was in uniform. What I didn’t know was many of the men and women attending were the first responders saving lives at the finish line, and others who were involved in the capture of the bombers. That was a very emotional speech for me. Check out the Huffington Post’s blog on how the Boston Police did a stellar job using Twitter during the bombing.

Cowboy Hat-Wearing Boston Marathon Hero Carlos Arredondo and Robert Siciliano

At this point, my family and I are safe. Emotions are still high for some. Even as I update this post from 10 years ago it’s messing me up. We were and still are angry. This celebratory event will forever be marked by the visual of a plume of smoke that symbolized the evil intent of misguided people that do not value human life and have no regard for our freedoms.

We caught the bastards and while there are no real answers, we may never get them. The movie Patriots Day actually did an amazing job of telling the tragic story through a composite character. And the Netflix doc really brings it home.

On behalf of my Boston, we are proud of our city, its first responders and its people, who showed the true measure of the human spirit through powerful acts of kindness and displays of citizen courage.


We are strong as a city, undivided as a country and unbowed by this attack. No terrorist will be allowed to alter our nation’s course.


Robert is running his 12th Boston Marathon for Dana-Farber Cancer Research Institute. Please consider a donation:

Robert Siciliano, personal security and cyber security expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud.

Protect Now Announces Agreement to Bring Cyber Social Identity (CSI) and Personal Protection Certification to RE/MAX University®

Comprehensive Program Includes Personal Security and Cyber Security Certification

DENVER, CO – April 4, 2023 – Protect Now, a leading provider of cyber security training and solutions, today announced an agreement with RE/MAX, LLC, a global real estate franchisor with more than 140,000 agents in almost 9,000 offices and a presence in more than 110 countries and territories.

Through this agreement, RE/MAX will add Protect Now’s Cyber Social Identity (CSI) and Personal Protection Certification to the programs offered through RE/MAX University, an exclusive-to-RE/MAX learning hub designed to help each agent level-up their professional expertise. Through this new security awareness training program, real estate professionals will have the opportunity to learn strategies to keep themselves, their businesses and the clients’ data safe.

Developed by Protect Now, the CSI Protection Certification training offers the most current best practices in cyber security to prevent wire fraud, identity theft and breaches, paired with practical advice real estate professionals can use to stay safe in the field. CSI Certification helps to meet FTC Safeguards Rule compliance and delivers a marketing tool to help professionals grow market access, reputation and sales. REALTORS® with a professional designation earn a median income 74% higher than those without, according to an NAR Member Survey.

“We are proud to bring this exceptional safety and cyber security program to the real estate professionals we support,” said Bryson Creighton, Vice President, RE/MAX University Learning & Education. “This is a critical tool that will help our agents and franchisees build trust with their clients and provide the exceptional service that RE/MAX is known for.”

The 2021 National Association of Realtors Annual Safety Report found that 5% of REALTORS® had been a victim of a crime while working as a real estate professional. Cyber-attacks are a growing threat to the real estate industry, where many agencies operate as small- or mid-sized businesses, and where regular email, text and telephone contact with buyers and sellers occurs daily. Criminals have stepped up their attacks on smaller businesses in recent years. Data from 2019 showed that cyber criminals made small businesses their top target, accounting for 43% of data breaches.

“Criminals will always go after the easiest targets,” said Protect Now Co-Founder and Head Security Awareness Trainer Robert Siciliano. “They’ve learned that they can’t make the ‘big hits’ going after large companies, so they now look for small business with lower levels of cyber security. They launch thousands of attacks each month, because it’s a numbers game. They can make a good amount of money from a few hundred breaches with far less risk and effort.”

Protect Now closes the gap between small- and large-business cyber security awareness with training that emphasizes the individual role each employee plays in cyber security. Brokers and agents are taught to see their personal role in protecting access and data, which has proven an effective tool in changing organizational attitudes toward cyber security.

“Wire fraud has surpassed $200 million a year, which decimates the buyer’s bank account, kills the sale, shatters commissions, ruins the agency’s reputation and can lead to lengthy, expensive lawsuits for everyone involved in the transaction. We are also entering an era where the Federal government will demand more accountability from everyone who handles financial information. These are powerful reasons for real estate professionals to attend this training,” Siciliano said.


About Protect Now
Protect Now is a leading provider of cyber security training and solutions for business, municipal and nonprofit clients, with an emphasis on organizations that process sensitive information from the general public. Protect Now delivers a suite of cyber security services, including Virtual CISOs, Dark Web Monitoring and FTC Compliance, backed by personal security, cyber security and anti-phishing training that creates meaningful change in employee attitudes toward cyber security by emphasizing the importance of personal security. To learn more about Protect Now’s cyber security solutions, visit

Three Federal Agencies Warn of Business Email Compromise (BEC) Scams

Business Email Compromise (BEC) scams netted $2.4 billion in losses during 2021, with 19,954 complaints reported to the United States government. A joint advisory from the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI) and the U.S. Department of Agriculture (USDA) urges businesses in the agricultural and food sectors to beware of scams stealing physical goods, not money.

New BEC scams targeting food producers use phony emails and websites to order or reroute goods, such as powdered milk, sugar or whole milk. In some cases, fake emails were used to reroute existing shipments to criminals, while in others fake orders were placed by criminals pretending to be existing clients.

How Business Email Compromise Scams Work

BEC scams combine elements of social engineering and phishing. Criminals learn the names of senior executives at companies likely to order large quantities of ingredients or other goods. They then send phony emails or place fake online orders using spoofed assets and email addresses. In some cases, they will communicate directly with senior staff and place orders or ask for shipments to be rerouted. Because the emails look legitimate and generate real responses from humans, employees may accept the phony orders or reroute shipments, leading to hundreds of thousands of dollars in lost product.

Among the scams reported by the Federal government:

  • One group of criminals forged the identity of a U.S. company and placed orders for ingredients from June through August of 2022 with multiple suppliers. The scam netted at least $200,000 in stolen goods.
  • Criminals used a fake email to get a line of credit and $100,000 in milk powder by posing as a food company.
  • Four fake companies targeted a single food manufacturer, ordering nearly $600,000 in whole milk powder and non-fat dry milk.

How to Spot BEC Scams

In nearly every case outlined by U.S. government agencies, there was a small change in an email address that revealed the fraud. In some cases, an extra letter was added. In other cases, the number “1” was substituted for a lower-case “L.” Email addresses may also point to incorrect domains, such as a .org or .net instead of a .gov or .com.
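The three tells described above (an extra letter, a digit standing in for a letter, and a wrong top-level domain) can be checked automatically before an order reaches a person. The following is an added example, not code from the advisory or from Protect Now; the client domains and sample addresses are constructed, and the single-edit check generalizes "an extra letter" to any one-character change.

```python
"""Flag sender domains that are near-misses of known client domains."""
from email.utils import parseaddr

# Constructed allow-list; in practice it comes from your customer records.
KNOWN_DOMAINS = {
    "millbrook-supply.com",
    "northfield-dairy.com",
    "statefoodboard.gov",
}

# Digit-for-letter swaps. "1" for lower-case "l" is the case the text
# mentions; "0" for "o" is an added assumption of the same kind.
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})


def sender_domain(address):
    """Return the lower-cased domain of a From value, or None if malformed."""
    _, addr = parseaddr(address)  # drops a display name such as "Jane Doe <...>"
    local, sep, domain = addr.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower().rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address, known=KNOWN_DOMAINS):
    """Return (verdict, matched_domain, reason) for one sender address."""
    domain = sender_domain(address)
    if domain is None:
        return ("malformed", None, "not a valid address")
    for good in known:
        # Exact match, or a genuine subdomain of a known client domain.
        if domain == good or domain.endswith("." + good):
            return ("known", good, "exact match")
    name, _, tld = domain.rpartition(".")
    for good in sorted(known):
        good_name, _, good_tld = good.rpartition(".")
        if name == good_name and tld != good_tld:
            return ("lookalike", good, "wrong top-level domain")
        if domain.translate(CONFUSABLES) == good.translate(CONFUSABLES):
            return ("lookalike", good, "digit substituted for letter")
        if edit_distance(domain, good) == 1:
            return ("lookalike", good, "one character added, dropped or changed")
    return ("unknown", None, "no relationship to a known client")


def needs_callback(addresses, known=KNOWN_DOMAINS):
    """Return the addresses that imitate a known client and need phone verification."""
    return [a for a in addresses if classify(a, known)[0] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample senders, one per pattern described in the text.
    inbox = [
        "orders@northfield-dairy.com",
        "Jane Doe <jane@northfield-dairy.org>",
        "ap@mi1lbrook-supply.com",
        "sales@northfield-dairyy.com",
        "newsletter@example.net",
    ]
    for sender in inbox:
        print(f"{sender:40} {classify(sender)}")
```

A "lookalike" verdict is a reason to hold the order and call the client on a number already on file, not proof of fraud; an "unknown" verdict still falls under the new-client steps listed below.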

Business Email Compromise scams can slip by employees, even those who have had cyber security training, because they appear professional and do not directly ask for money. They appear to be professional enquiries, often include recognizable names and company logos and present business opportunities. It is only after the order has shipped that companies realize they have been scammed.

As with most scams, awareness and verification stop the criminals and the attacks.

  1. Make all employees who handle orders and shipments aware of Business Email Compromise scams.
  2. Put a second set of eyes on any order over a certain amount, regardless of where it appears to come from.
  3. Do not respond directly to emails that appear suspicious. Study return addresses carefully and, if anything appears off, call the alleged client directly.
  4. Verify any large order or order change by calling the client directly and asking for confirmation.
  5. Ask for advance payment before delivering goods to any new client.
  6. Use Dark Web Monitoring to find out what information about your company has been circulating online. Names of staff could be used for social engineering and phishing attacks. Names of executives and company assets can be used by scammers to create phony emails and websites.

In the most insidious versions of a Business Email Compromise scam, criminals gain access to a company’s legitimate email server, then create fake accounts that they use to communicate with their victims. This can be remedied by reviewing all company email accounts regularly and by immediately closing the accounts of former employees.

As the government warning illustrates, cyber threats come in many forms and through many channels. This scam is a prime example of the kind of attack that many existing cyber training programs miss.

Movers and Shakers: Watch Out for These Scammy Conference Invitation Traps

Finally we are back to booking a ton of live-in-person security awareness training at conferences! It’s about time! Business is getting back to pre-Covid days here in the States and any non-in-person training is being supplemented with live-online and e-learning. It’s all good! However, we are also seeing more of one of the weirdest scams out there: Conference Invitation Scams.

Conference Invitation Scams are on the rise

This is when a scammer sends out invitations to an event, like a conference, with the sole intention of scamming the people they are inviting to attend or to speak at that event. These events might be real, or they could be totally made up. The targets of these scams include CEOs, business owners, lecturers, philanthropists, researchers, and more. The goal of these scammers is to steal the identities of their targets and ultimately get credit card numbers, checks or money wire transfers by scamming the victims.

And that’s not all: these same scams are usually piggybacked with “conference attendee lists for sale” scams. That means companies that might exhibit or market their products and services to attendees of specific conferences are targeted to buy lists that are either lame or simply don’t exist. Conference managers have their backs up against the wall fielding communications from victims who accuse the legitimate conference hosts of bad service and, of course, worse: fraud.

Identifying a Scam

There are a few signs that you should look out for when you get an invitation to a conference or an event. They include:

  • The invitation is random or a surprise
  • The invitation is filled with bad grammar or typos
  • The invitation asks that you pay a premium price to attend, which includes both transportation and accommodations
  • The name of the conference sounds like one that is real, such as Tech Crunch, but spelled like TecKrunch
  • You cannot pay by credit card; they might require a check, wire transfer, peer to peer payment, or cryptocurrency
  • The invitation is extremely flattering
  • The greeting on the invitation sounds strange, like “Salutations”
  • The invitation creates a sense of urgency about getting your personal information
  • The conference is in a different country
  • The invitation seems too good to be true
  • The invitation asks for personal information and covers your accommodation, transportation, or conference cost
  • The landing page of the site doesn’t have a phone number or address listed
  • Or none of the above. The invitation or list for sale email is perfect. There is absolutely nothing wrong with it.

Beware of the Conference Invitation Scam targeting speakers

Generally, the scam works like this: the scammer starts the scam by sending an email to the victim, which invites them to speak or attend a conference. The scammer often uses the victims’ social media pages in order to get info about them. This helps the invitation seem more personalized.

The victim is then asked to register for the conference, which gives the scammer even more personal information. On top of this, the scammer could ask the victim to pay a fee in order to attend the conference, and pay it fast, because they also create a sense of urgency to attend the conference, such as saying “spots are limited.”

If the victim that is targeted falls for the scam and sends their info, the scammer could have enough to steal the person’s identity. To add more, the scammer can even add the name of the victim, if they are well-known in the industry, to promote the conference.

When the victim goes through all of this, they will soon find that they have been the victim of a scammer. You even have to be careful when attending a conference that is legitimate, because a scammer will send out fake invites to real conferences, too. Since a victim knows about these conferences already, they are usually more willing to give up their information.

How to Protect Yourself from Conference Invitation Scams

There are a few tricks and tips that you can start using if you commonly attend conferences. They include:

  • It’s entirely likely that your email address, used as a username, has been part of not just one, but multiple data breaches. Because of this, you are likely to be targeted in scams related to that organization’s product or service. Right now, check if your email address has been part of any specific breaches by utilizing our “Hacked email Checker” and then change your password for those accounts.
  • Do your research about the event and try to match up the information you find with the invitation you received.
  • Contact the event organizers directly. While a website can be created from scratch or spoofed, there is still value in looking up the event and the contact info of the organizer. Report your findings and find out if it’s legit.
  • If you see an email that is similar to what is described above, don’t even respond.
  • If you get an invitation that seems strange, look into it more.
  • Don’t give any personal info, including your Social Security Number. There is no reason a conference organizer would need that.
  • Copy and paste the full email into Google to see if others have reported it as a scam. You are likely not the only person to be solicited in this way.

If You are a Victim, What Should You Do?

Do you think you have become a victim of a conference invitation scam? If yes, there are some steps that you should take right now.

  • First, get in contact with your credit card companies and banks, and make sure they know about it. Refute the fraudulent charges.
  • Next, you should contact your local police and file a report which might be needed to get your money back.
  • Consider contacting the police in the area where the conference was supposed to be held.
  • If you are inclined to do so, you may want to get in touch with the Better Business Bureau and report it.
  • You can also report this online by using the BBB Scam Tracker on the BBB website, to the FBI at the Internet Crime Complaint Center, or the FTC’s Online Complaint Assistant.

The most important thing is to pay attention. We’ve never seen more scams or more variations on existing scams in our entire lives. It’s funny to us, we hear experts saying “criminal hackers are more sophisticated than ever” and they are not. What they are is organized, more than ever. Scammers treat fraud as a business: they have a hierarchy, they punch a clock, they have employees, and it is that “structure” that results in a sophisticated business that leads to huge profits.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Are Password Managers Safe? Should You Use One?

Do you think password managers are safe? You probably do, or at least hope they are if you are using them. Keep in mind, there is no such thing as 100% safe or 100% secure. Password managers, and the companies that create, host and deploy them, have one job and that is to keep your passwords secure.

From my experience, they’ve done a pretty good job of that thus far. To this day I am unaware of a password manager that has been breached in such a way where all of the user data was unencrypted and exposed. In general, these companies engage in full-on application security and have bank level or military grade encryption. What is so bizarre to me is that, last I read, less than 10% of computer users use a password manager. I think a password manager is the best use of my time and money in regards to computer security.

If a password manager were to get hacked, the path of least resistance would be targeting an individual user, compromising their device, and logging into their password manager itself.

Researchers have shown, however, that password managers might not be as safe as you think they are. Before we go further, though, just know that I’m not too worried about this.

First, let’s take a look at this study. Generally, it looked at how often passwords were leaking from host computers, and then focused on if the password managers that were installed were leaving passwords on the memory of the computers.

What the study found was that all of the password managers did a good job at keeping passwords safe when it was “not running.” So, it means that a hacker wouldn’t be able to force the software into giving away a password. However, it also found that all of the password managers that were tested made an attempt to remove the password from the memory of the computer…but in a couple of cases, the passwords were still found.

Some of the software tested left the master password and the secret key on the computer. What this means is that it could be possible for a hacker to access information from the program. But you have to realize that these programs are trying to remove the information…but due to situational incidents, it isn’t always possible.

Another piece of software that was tested caused some concerns with the researchers. Essentially, the program takes passwords when the user types them, and scrambles them, but they are decrypted when put into the computer’s memory.

Yet another password manager was examined. Here, the software removed the master password from the memory of the computer, and it was not able to be found.

Is this something to worry about? It depends. How a password manager behaves on a device, and whether or not it stores an entered password in memory, shouldn’t be that big of a deal. In reality, if the device has spyware on it, or malware that allows for full recording of every keystroke, then that device and that user are essentially screwed.

Since researchers had pointed out these issues, all of the programs had been updated and changed. That’s why I’m not worried. Plus, the real issue doesn’t have much to do with the password managers’ security in regards to its memory or cloud access or its application security, but with the security of the devices that they are on.


In every security awareness training I do, I expound upon the benefits of using a password manager. Inevitably, in every discussion, the question comes up “what if the password manager gets hacked?” The pure naïveté of that question comes from most computer users’ belief that hacking or penetrating hardware, software or networks is as easy as snapping one’s fingers. It is not. There are generally a number of scenarios that need to come together in order for a device to be compromised.

But there is one single solitary scenario that makes data on a device vulnerable and that is “password re-use” leading to credential stuffing. Credential stuffing is such a weird term. Anyways, OWASP defines Credential stuffing as “the automated injection of stolen username and password pairs (“credentials”) in to website login forms, in order to fraudulently gain access to user accounts. Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.”
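A defender-side view of the credential stuffing pattern OWASP describes, as an added example that is not part of the original article: it scans login records and separates one source trying many accounts once each from password guessing against a single account and from an ordinary mistyped password. The log format, thresholds, account names and addresses are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def build_sample_log():
    """Constructed log lines; addresses come from documentation ranges."""
    lines = []
    # Source 1: twelve different accounts, one try each, one success.
    for i in range(12):
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.7 "
                     f"user=user{i}@example.com result={result}")
    # Source 2: one account, many guesses (password guessing, not stuffing).
    for i in range(12):
        lines.append(f"2024-05-01T10:01:{i:02d}Z ip=198.51.100.9 "
                     "user=admin@example.com result=FAIL")
    # Source 3: an ordinary user who mistyped once.
    lines.append("2024-05-01T10:02:00Z ip=192.0.2.15 user=carol@example.com result=FAIL")
    lines.append("2024-05-01T10:02:09Z ip=192.0.2.15 user=carol@example.com result=OK")
    lines.append("corrupted line without fields")  # must be skipped, not crash
    return lines


def classify_sources(lines, min_users=10, min_attempts=10, min_fail_ratio=0.8):
    """Label each source IP and list accounts that need a forced reset."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok": set()})
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        _, ip, user, result = match.groups()
        entry = stats[ip]
        entry["attempts"] += 1
        entry["users"].add(user.lower())
        if result == "FAIL":
            entry["fails"] += 1
        else:
            entry["ok"].add(user.lower())

    report = {}
    for ip, entry in stats.items():
        fail_ratio = entry["fails"] / entry["attempts"]
        per_user = entry["attempts"] / len(entry["users"])
        if (len(entry["users"]) >= min_users and per_user <= 2
                and fail_ratio >= min_fail_ratio):
            # Many accounts, one or two tries each: pairs from a breach list.
            # Any success here means a reused password worked.
            label, reset = "credential_stuffing", sorted(entry["ok"])
        elif (entry["attempts"] >= min_attempts and len(entry["users"]) <= 2
                and fail_ratio >= min_fail_ratio):
            label, reset = "password_guessing", []
        else:
            label, reset = "normal", []
        report[ip] = {"label": label, "reset": reset}
    return report


if __name__ == "__main__":
    for ip, result in classify_sources(build_sample_log()).items():
        print(ip, result["label"], result["reset"])
```

The accounts in the `reset` list are the ones where a reused password actually worked, so they are the first to lock and reset; a production detector would also apply a time window, which this example leaves out.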

When you look at the danger of using one password over and over again, you are much safer when using a password manager. Meanwhile, head over to my website homepage and scroll down until you see our Password Checker and click “Check if your password has been breached”. Don’t worry about entering your password on the site. We don’t store anything and what can we possibly do with the password? It’s just a password. How can we possibly track that back to any specific account? At a minimum we would need an additional user name. If you’re so concerned, do it from a private browser and/or use a VPN. It just doesn’t matter. Relax. Just get a password manager.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Security Appreciation: Cyber Security

Awareness; knowledge or perception of a situation or fact.

Appreciation; a full understanding of a situation.

Cyber Security Appreciation

“My business has been hacked. Now what?” Here are the steps you should employ immediately.

Hire a Professional – When a business is hacked, it is entirely possible they were compromised because they did not employ technicians to prevent it in the first place. Therefore 3rd parties that specialize in security and breach mitigation should be contacted immediately. These IT security professionals specialize in prevention and containment. Their proactive role is to seek out vulnerabilities by utilizing vulnerability scanning software to find points of entry and patch those vulnerabilities prior to an intrusion.

Change and Reset Passwords – Many hacks begin with compromised passwords. Easy to guess/easy to hack/easy to crack passwords make the hacker’s job, well, EASY. Never using the same password twice, and utilizing upper case, lowercase and characters along with using a password manager ensures password security.

Update All Software – Begin by scanning all hardware and software with anti-virus programs and removing viruses. Vulnerabilities are often due to outdated software or operating systems riddled with flaws. Updating with critical patches eliminates these threats. Maintain redundant networked hardware systems, backed-up data, and contingency plans to put duplicate systems online immediately following a breach.

Update Your Company’s Hardware – Old, outdated hardware simply can’t keep up with the requirements of newer robust software or the security software required to keep networks secure.

Back Up All of Your Data – You have to make sure that you are regularly backing up data to a secure location. This data should also be encrypted.

Manage All Identities – Make sure that you are managing identities and access to accounts. You must do this across the board, as just one account being accessed could make you or your network extremely vulnerable.

Utilize Multi-Factor Authentication – You can use multi-factor authentication to keep accounts protected, too. This means every time a device or an online account is accessed, an additional text message must be sent with a one-time pass code or a one-time pass code sent to a key fob. There are hardware devices available that are also forms of second factor or multi factor authentication.

Security Awareness Training – Assuming employees know what to do and, more importantly, what not to do, is risky. Providing effective ongoing security awareness, and in the author’s opinion “security appreciation training,” is partnering with employees to protect the network.

Patching – Set up a system so that you can ensure that your hardware and software are patched and updated on a regular basis. This helps to keep your data safe.

Align Your IT Security with Other Business Security – Those who are in the IT industry often feel as if they are struggling to keep up with changing technology, including security tech. The success of a business is based on keeping it secure, and keeping all types of security in mind including IT security, has a direct impact on revenue.

Recognize Social Engineering Scams – Every time the phone rings, every time an email comes in, every time an employee opens up a US postal letter, be suspicious. Criminals contacting you or employees will try to bamboozle them with gift card scams, utility bill scams, invoices for products and services, you name it. There are thousands of scams designed to fleece consumers and small businesses.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Is Your Spouse Cheating? Your Kids Lying? They Might Use a Vault Application

If you have a child who has a smartphone or a spouse who is acting suspicious, they might be hiding things on their mobile devices. How are they doing this? By using a vault application.

Basically, these apps offer a place where people can hide things like videos, photos, and other files, and you would probably never realize it by looking at their phones.

Vault application – how does it work?

A vault application is basically a little storage app where people can store things they want to hide. Some of them are called “Calculator Vault,” “Ky-Calc,” and “Calculator Percent.” Unsurprisingly, if you were to open these apps, they simply look like a calculator.

In fact, you can use them as a calculator. But, if a secret code is put into the app, you can store things. For example, “Ky-Calc” allows users to store images, keep a separate contact list, and it even has a hidden internet browser.

If you are like most people, you probably don’t want your kids to hide things from you, but at the end of the day, the real danger is hiding in the vault application. Yes, apps like these are commonly found on the phones of sneaky kids and spouses, but they are also popular with predators. These are people who begin to engage with your kids online, and then ask your kids to download these apps… and then, they can communicate with them without you realizing it.

Here are some things that you should know about vault applications:

  • Vault apps are not very safe. Though they might seem safe, people can easily take a screen shot, and then share it with someone else.
  • These apps look just like other apps. Typically, they are calculators, and they even work like calculators, but they are accessed with a secret code.
  • If you look at a person’s phone and they have two or more calculator apps on the phone, there is probably something weird happening. All smart phones have a calculator on them, so why would you need another?
  • Vault apps are usually free, and they are quite easy to find in the App Store or the Google Play Store. People find them by searching for “hidden apps,” “photo vault,” or even “ghost apps.”
  • You may also be shocked to learn that teens often have competitions with their friends to see what type of content they can hide on these apps without getting caught.
  • Most people who use a mobile phone know what a vault application is, and even kids as young as 12 years old or younger use them.

If you are a parent, or even if you think your spouse is acting strange, you should start looking into the mobile devices of those in your family. There should be an open and honest discussion about this, and it shouldn’t be a taboo subject, especially when it comes to a loved one.

Quite frankly, your kids shouldn’t expect total privacy until they are 18 years old. With a spouse, it’s respect for each other. If you don’t have trust with your kids or spouse, there is an issue.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Digital Literacy: A Smart Parent’s Guide

Do you have a child, tween, or teen who uses the internet? If you want to be a Smart Parent, you should be aware of the following facts:

  • Teens largely believe that the internet is, for the most part, pretty private
  • Teens think that they are mature enough to make decisions for their life online
  • Teens think that they are safe when on the internet and that people don’t typically hide their identity or pretend to be someone else
  • Teens don’t generally feel “friending” a stranger can be dangerous
  • Teens think that since they are “better” with technology, that they can make better decisions than their parents about what are the best online practices

These are very obviously pretty naive views that most teens have, and if you, as a smart parent, don’t step in and explain why these are not correct, and could be dangerous, you could be putting your kids into a bad situation. And, if you as an adult share the same beliefs as teens, you are sorely mistaken.

Make sure that you are always in communication with your kids about their use of the internet. Explain the risks involved and share stories with them about other teens who have gotten into trouble online.

A study done by McAfee Antivirus concluded that more than one in 12 tweens who would befriend a stranger online would then meet that stranger in public. The reality is, “17-year-old Eddie” could easily be “47-year-old Bill”.

Online Rules That Every Smart Parent Should Consider

Experts recommend that parents have a set of rules for their kids when it comes to using the internet. Here are some that you might want to consider:

  • You should know how to get into every account your kid has, including social media accounts. You should also check their accounts periodically.
  • This might sound ridiculous, and maybe even impossible, but don’t allow your kids to use social media, chat online, or (unless it is schoolwork related) text their friends until they are in 9th or 10th grade, and even then, never let them use any app or site that allows for anonymous communication.
  • Your 13-year-old won’t “die” if they don’t have a TikTok or Snapchat account. Nothing good will come out of letting them have one. My kids don’t.
  • Let your kids use the internet but put a time limit on it. And it should be primarily used for school.
  • Don’t let your kids reply to messages from strangers and don’t allow them to add people online that they don’t know.
  • Don’t give out any personal info online, including phone numbers and addresses.
  • Make sure your kids know that kindness and respect are extremely important, and bullying others online is never acceptable.
  • Don’t give your kids your personal passwords for your accounts.
  • Don’t let your kids have access to devices any time they want. Have a “screen-free” family night where you go for a walk, go get ice cream, or have a family game night, instead.
  • Don’t allow digital devices to babysit your child.
  • Don’t allow mobile devices in the bedroom, and don’t let laptops into the bedroom unless your kids are using them for homework.
  • You shouldn’t let your kids post photos of themselves online without your permission.
  • Always look at chat logs, texts, and other online communications your kids are sending. Make sure they know that there will be consequences if you find out they are deleting messages.
  • Don’t let your kids download software or apps without permission.

Watch for These Mistakes

  • Don’t allow your kid to have a traditional smart phone before they are in the 9th grade. You can give them a feature-phone, however, that you monitor.
  • Don’t let your kid use the internet when you aren’t watching what they are doing.
  • Don’t let your kids use the internet in areas where you can’t see what they are doing or behind closed doors.
  • Don’t let your kids play games online with chat enabled, as these are common magnets for sex predators.

Finally, lead by example. Just because other parents are letting their kids do some of these things, it doesn’t mean that you need to.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.