Think Twice Before You Take a Fun-Looking Online Quiz – A Hacker Might be Behind It

Though it might look like a fun thing to do, you better think twice before taking that quiz that pops up on your social media page. A hacker, otherwise known as a “social engineer,” might have created it to obtain your personal information.

Criminal hackers are all over social media sites, and it should be no surprise that they have tricks up their sleeves to get the information that they need. Social media crime is on the rise. Some studies show hundreds of millions of dollars have been lost, much of that in cryptocurrency and credit card fraud.

Identity theft is part of the reason a hacker will use social media to gather info, and it’s much easier to do than you might think. Let’s take a look at some of the most common scams hackers use on social media:

Surveys and Quizzes

Have you seen those quizzes that say “Click here and reveal your ‘Porn Star Name’” or “Fill out this quiz to find out how many kids you will have”? Though these might be totally innocent, and a little ridiculous, they could also be designed by a hacker. The idea behind these quizzes revolves around “knowledge based authentication” scams: they harvest facts about us, the same answers that are used as security questions on various forms and websites. The answers in many of these quizzes could be used to reset or crack your various pass codes.

Generally, when you fill these out, you will enter information like the street you live on, the name of your pet, your favorite song, or even your birthdate. There is a dark side to this…the information you are providing may be the exact information a hacker needs to steal your identity or get into an account.

If you think about your accounts, it’s very possible that your bank, for instance, requires you to answer questions to get your password or get into your account. What do these institutions ask? Things like “What is your favorite song?” or “What is the name of your pet?” As you can see, you are giving a hacker the answers to these questions when you are taking the quiz.

You can avoid all of this by scrolling right past these quiz opportunities.

Get-Rich-Quick Schemes

There are also “get-rich-quick” schemes on social media that hackers use. These include things like direct messages offering a grant or a fake business opportunity like a pyramid scheme. They also start things like gifting circles, which seem innocent but are designed to steal personal information or money, or even both.

Gone are the days of fake Nigerian princes…now we are dealing with something much more sinister. You can avoid these scams by just taking a little time to research any business opportunity, offer, or even organization that contacts you via social media.

Imposter Scams from the “Government”

Scammers also try imposter scams on social media, and they do this by pretending that they are a government official, like someone from the IRS. The scammers might use messages on social media to pose as a tax collector, or they might offer a refund…if you confirm your personal information. As you might imagine, there is no confirmation — you are simply giving up the information they need to either steal your identity or hack into your important accounts.

Always delete these messages if you get them. The IRS will never contact you via social media, nor would they ask that you pay a bill with a gift card, a wire transfer, or with cryptocurrency.

Imposter Scams from “Family and Friends”

A scammer might also try a “family and friends” scam to get information from you. Thanks to social media, a hacker can learn more about who you know and trust, and then pretend that they are those people. In one example, a hacker pretends to be a person’s grandchild and sends them a message online asking for money because they have a problem; if you actually do send money, the cash goes right to the hacker.

If you have a situation like this, and you are not sure if a person is who they say they are, you need to do your research and reach out to the person. Don’t just pay them without doing this.

The Romance Scam

Finally, we have the romance scam. In this case, the hacker will strike up an online relationship with a potential victim, and it will eventually become romantic. These can happen on social media sites, or they can be directly on a dating site. They often create personas that have exotic jobs, such as a doctor in Africa, or as a military member stationed in the South Pacific. They work to build trust with their victim, and when the time is right, they come up with a sob story about how they need money, and many victims, believing that they are in a true relationship with this person, send the money willingly.

To avoid this type of scam, never, ever send money to a person you meet online, especially if they say they are a doctor or a member of the military.

Protect Yourself from ID Theft and Social Media Scams

Now that you know that there are a lot of hackers and scammers out there trying to take advantage of you, here are some ways that you can protect yourself:

1.    Spruce Up Your Privacy Settings – The first thing you need to do is to set up your social media profile to be private and set it so that only your friends and family can access it. This means a stranger has a much smaller chance of getting at your information. Also, it’s a good idea to stop sharing information like where you went to high school and your full date of birth. The less information you post, the less likely it is that a hacker can gain information from you.

2.    Be Skeptical – You always want to be a skeptic when it comes to anything online. There are so many scams out there, and so many attempts to get information, that you really need to be skeptical. If you are willing to lower your guard, a scammer is definitely willing to take your information. So, really look deep at any messages you might receive, especially if something looks weird or sounds off. You should also notice things like bad grammar or a lot of typos. Those are a great indication that you might be dealing with a scammer.

3.    Actually Know the People You are Friends With – Do you actually know everyone on your friend list in real life? Most people don’t, but you really should be selective about who you are allowing to see your content. Anyone on your friend list can see your information, and that means they have access to personal information about you if you post it. You also have to be aware that someone on your friend list could be copying and pasting from your page or making screen shots.

4.    Follow Up – Have you gotten any messages from a friend of yours that just seems like it is a bit strange? If you do get this type of message, don’t click on anything and don’t reply. For instance, if your best friend Peter sends you a message to “Check out this link,” and it’s something that Peter would never be interested in, you should check with Peter another way, like with a phone call or text, to find out if it’s legit or not.

5.    Look Out for Others – Finally, you should look out for other people when you get a weird message or strange request. If you get a weird message from a friend, you should let that friend know. If someone lets you know that there might be a duplicate account of your personal account, you should let your friends know.

Try to Stay One Step Ahead of the Hackers

Before concluding, there are a few other things that you can do in order to stay a step or two ahead of hackers. First, make sure that you are using a strong, unique password for your account. Utilize a password manager. Never use the same passcode twice. A virus protection software suite is also recommended. Using firewalls is helpful, too, as well as a VPN.

You can also sign up for ID protection services, which will help to keep important information, such as your email address, under monitoring. With this type of protection and a bit of focus from you, it will be easier than ever to keep an eye out for scams, and you can get back to enjoying social media as it was intended.

Robert Siciliano CSP, CSI, CITRMS is a security expert and private investigator with 30+ years of experience, #1 Best Selling Amazon.com author of 5 books, and the architect of the CSI Protection certification, a Cyber Social Identity and Personal Protection security awareness training program. He is a frequent speaker and media commentator, and CEO of Safr.Me and Head Trainer at ProtectNowLLC.com

Spammy Scammy Text Messages: Fake Accounts on the Rise as Scammers Use Phone Farms

Every single time I get on a stage and present a security awareness training program, someone desperately asks me how to stop all the scammy text messages. My response is the same for everybody: You can’t. What you can do is play the Whac-a-Mole game and continually mark them as spam and block them. That’s it. It’s just an annoyance, like mosquitoes.

There are a few things that you can, and should, do… straight from Apple:

Block messages from a specific person or phone number on an iPhone

When you block a specific contact or phone number, messages from that person or number aren’t delivered. (The person sending the message doesn’t know that their message was blocked.)

1.    Open the Messages app on your iPhone.

2.    In a Messages conversation, tap the name or number at the top of the conversation.

3.    Tap Info, scroll down, then tap Block this Caller.

Most of us are receiving spammy scammy text messages on a regular basis. These text messages pose as somebody we are supposed to know who lost their phone, or as someone who supposedly is our friend asking us out to lunch, or carry some other request designed to engage us in a conversation.

The texts themselves serve a few different purposes for the scammers. The impetus for all of them is some form of fraud. This includes the romance scam, where they engage you and it eventually leads to a crypto scam called “pig butchering.” Weird name, but very lucrative for the bad guys.

Another purpose is to create Google Voice accounts and compromise your Gmail and Google account. In this scam, the scammer approaches sellers on Facebook Marketplace and pretends to be interested in something you’re selling. They ask for your phone number to discuss the purchase. Then the scammer uses the victim’s phone number to create or take over a Google Voice account by convincing you to fork over any two-factor authentication code you might receive on your device during the transaction.

Many of the scams involve compromising your phone number so it can be used for verification on various websites.

The verification stage required for opening new online accounts is usually the one thing internet users dread the most. It can be a pain in the neck, and most people would rather forget the process altogether.

However, the reason why many sites force their users to verify their identity is to safeguard their details and for the safety of all legitimate account holders on their platform. Despite these efforts, it seems scammers have found a way to bypass the security measures that have been put in place.

There are services, such as 5Sim, that allow users to rent a phone number specifically for use in the SMS verification process. What’s worse is that these fraudulent phone numbers are available for just a few pennies!

Sites, such as Instagram, Amazon, and Discord, use SMS verification to prevent people from creating bogus accounts which are difficult to trace. How it works is that, when a user tries to open a new account, an SMS will be sent to their phone number and they have to verify that they have received it before being allowed to continue.

This simple but effective method has worked quite well for a long time now. That is until scammers found a way around it, using large-scale, automated services, such as 5Sim, that lease out phone numbers.

In a post shared via its website, 5Sim said that users who do not want to use their personal numbers for SMS verification when registering an account can use a phone number from 5Sim.

They said all that is needed is an internet connection, which means the process works even without a SIM card placed inside the phone. Users can even select a phone number from any part of the world.

In an interview with VICE, an employee of another website, Discord, said they were also aware of the existence of companies such as 5Sim. The spokesperson went on to say that they try to block such accounts whenever they identify them.

Discord, like many other sites, requires a valid (non-VoIP) phone number for SMS verification. This is probably an attempt to reduce the incidents of fake accounts. However, according to 5Sim, they provide users with ordinary numbers.
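The SMS verification flow the last few paragraphs describe, a code sent to a number that the user must echo back, is shown below as an added example; it is not code from Discord, Instagram, Amazon or 5Sim. It assumes a constructed line-type table (`LINE_TYPE`) standing in for a real carrier lookup, a list standing in for the SMS gateway, and a caller-supplied clock so the expiry and throttle can be exercised offline. The defender-side controls it demonstrates are the ones a rented-number service attacks: rejecting non-mobile line types, throttling code sends per number, expiring codes, and limiting guesses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed stand-in for a carrier/number-intelligence lookup (assumption:
# the keys are E.164 numbers, the values are the line types the lookup reports).
LINE_TYPE = {
    "+15550001111": "mobile",
    "+15550002222": "voip",
    "+15550003333": "landline",
}

OTP_TTL_SECONDS = 300       # a code is only good for five minutes
MAX_ATTEMPTS = 5            # wrong guesses before the code is burned
MAX_SENDS_PER_HOUR = 3      # per-number throttle on sending new codes


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


@dataclass
class SmsVerifier:
    sent_sms: list = field(default_factory=list)   # stand-in for the SMS gateway
    challenges: dict = field(default_factory=dict)  # number -> active Challenge
    send_log: dict = field(default_factory=dict)    # number -> send timestamps

    def line_type(self, number):
        return LINE_TYPE.get(number, "unknown")

    def start(self, number, now=None):
        """Issue a one-time code to `number`, or explain why it was refused."""
        now = time.time() if now is None else now
        # Policy from the article: only mobile lines may verify an account.
        if self.line_type(number) != "mobile":
            return False, "number type not allowed for verification"
        recent = [t for t in self.send_log.get(number, []) if now - t < 3600]
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return False, "too many codes requested"
        self.send_log[number] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        self.challenges[number] = Challenge(code=code, issued_at=now)
        self.sent_sms.append((number, f"Your verification code is {code}"))
        return True, "code sent"

    def verify(self, number, guess, now=None):
        """Check a user-supplied code against the active challenge for `number`."""
        now = time.time() if now is None else now
        ch = self.challenges.get(number)
        if ch is None or ch.consumed:
            return False, "no active code"
        if now - ch.issued_at > OTP_TTL_SECONDS:
            ch.consumed = True
            return False, "code expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            ch.consumed = True
            return False, "too many attempts"
        # Constant-time comparison so the check does not leak matching prefixes.
        if not hmac.compare_digest(ch.code, guess):
            return False, "wrong code"
        ch.consumed = True                # a code is single-use
        return True, "verified"


if __name__ == "__main__":
    v = SmsVerifier()
    print(v.start("+15550002222", now=0))          # VoIP number is refused
    print(v.start("+15550001111", now=0))          # mobile number gets a code
    code = v.sent_sms[-1][1].split()[-1]
    print(v.verify("+15550001111", code, now=5))   # (True, 'verified')
```

Note that the line-type check is exactly the control 5Sim claims to sidestep by leasing ordinary numbers, which is why the throttle and the guess limit matter independently of it: they bound how cheaply one rented number can be reused.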

5Sim did say that its customers are not allowed to use their phone numbers for any illegal activity, or any actions that might cause harm to third parties or to the service. AhmOkYaAllRightyThen!

It is not clear how far 5Sim goes in ensuring that its customers adhere to these regulations, or whether it does indeed impose the restrictions on accounts in cases where fraudulent activities are suspected. In the meantime, though, scammers have a guaranteed way to bypass a lot of very important safety precautions.

For you, the defense is knowing what’s happening in the background, understanding the various scams, and knowing there are a few things that can be done in addition to the game of whack-a-mole. The key here is to keep paying attention. Don’t let anyone CONvince you otherwise.

AI Voice Scams Are Here: What Businesses Must Know

The phone rings at the desk of a new employee. The boss is on the line. He says he’s having trouble reaching staff, and he needs several hundred dollars of gift cards to give to a client. He asks the employee to buy the cards, then call him back with the serial numbers.

A shipping clerk receives a text message from a known client asking to call an unfamiliar number. The client picks up the phone and asks the clerk to divert a pending shipment to a new address because of facility issues at the old address.

An AI voice scam has been launched in both of these examples. How would your employees react?

Using deepfake technology, criminals can pull off an AI voice scam with just a few seconds of someone’s voice. As reported by Agence France Press via Yahoo! News, 70% of people surveyed by McAfee Labs did not believe they could tell a real voice apart from an AI-generated voice. This opens new avenues for pretexting attacks by criminals impersonating business leaders and clients. While the examples cited by Agence France Press involve “Grandparent scams,” where the faked voice of a grandchild is used to demand money, it is a small leap for criminals to exploit these same tools to drain business bank accounts and steal goods.

How to Stop AI Voice Scams in Your Business

An AI voice scam is a sophisticated attack designed to avoid detection. Do not assume that a machine voice claiming to be the CEO will call, or that there will be obvious signs that something is wrong. The best deepfake technology can synthesize speech and respond to questions in real time. In the Grandparent Scam, the criminals may pre-record a snippet of the fake grandchild in distress while the criminal does most of the talking. In more advanced scams, employees can be duped into believing they are talking with people they know.

There are three steps that businesses must take to prevent losses from an AI voice scam:

  1. Beware of what you share. As we discussed in Is Your Website a Bait Shop for Phishing Attacks, sharing by companies arms criminals with the information they need to carry out all kinds of pretexting attacks. Add video clips featuring senior staff to the list of things that should not be easily accessible online. If you must post an employee’s keynote speech or personal welcome to all site visitors, make sure that there is no clear voice-only audio. Put music under their voice or add some recognizable room tone or background noise. Only the most sophisticated voice replicators can extract a single voice from audio with multiple tracks. If you face a significant risk of data loss, system compromise or theft, the safest course is to remove any usable samples of any kind of the voices of senior leaders. This includes personal websites and social media posts as well as company-owned properties.
  2. Establish firm business protocols. At any point in time, employees should know what they are and are not authorized to do. Precise protocols will vary from business to business and role to role, but there are best practices to guide this. For example, employees should know that they are not authorized to make personal purchases on behalf of the company; establishing this rule will stop gift card scams. Employees must know that they are never to share a password or download software without specific, in-person authorization from a superior. Companies that deliver goods should have a formal process in place with their clients for any changes in delivery dates or locations, which can include a 24-hour written notice that is verified by more than one individual on the shipper’s end. More guidance on establishing protocols and responding to attacks can be found in our free Cyber Crime Response Kit.
  3. Train, train, train. The best defense against all types of attacks is cyber security employee training. Businesses should have regular training for all employees, as well as a specialized training program for new employees. Anecdotal evidence and some recent study data show that cyber criminals tend to target new workers who may not be as familiar with a company’s policies and who may not have received formal training. Employee training should begin on the first day on the job and is essential for businesses that have been victims of cyber crime in the past.
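Step 2’s delivery-change protocol (written notice, a 24-hour notice period, and verification by more than one person on the shipper’s end) is shown below as an added example of what the shipping clerk in the opening scenario would have been bound by; it is not Protect Now’s code or part of the Cyber Crime Response Kit. The verification method name `callback-to-number-on-file` is an assumption: it models the usual rule that a request is confirmed by calling the client’s number already on record rather than the number the request arrived from. Times are hours on a constructed timeline.

```python
from dataclasses import dataclass, field

NOTICE_PERIOD_HOURS = 24
REQUIRED_VERIFIERS = 2
# Channels that count as written notice; a phone call or text alone never does.
WRITTEN_CHANNELS = {"email", "portal", "letter"}
# Assumed verification method: call the client back on the number already on file.
APPROVED_METHOD = "callback-to-number-on-file"


@dataclass
class DeliveryChangeRequest:
    shipment_id: str
    new_address: str
    channel: str            # how the request arrived: "email", "text", "phone", ...
    received_at: float      # hour on the constructed timeline
    verified_by: set = field(default_factory=set)   # distinct employees who confirmed
    applied: bool = False

    def accept_notice(self):
        """Only written notice can open a change; a voice on the phone cannot."""
        if self.channel not in WRITTEN_CHANNELS:
            return False, "change must arrive as written notice, not by phone or text"
        return True, "notice logged"

    def verify(self, employee, method):
        """Record one employee's independent confirmation with the client."""
        if method != APPROVED_METHOD:
            return False, "verification must be a callback to the client's number on file"
        self.verified_by.add(employee)   # a set, so one person cannot count twice
        return True, f"{len(self.verified_by)} of {REQUIRED_VERIFIERS} verifications"

    def apply(self, now):
        """Reroute only when every rule of the protocol has been satisfied."""
        ok, why = self.accept_notice()
        if not ok:
            return False, why
        if len(self.verified_by) < REQUIRED_VERIFIERS:
            return False, "needs a second, independent verifier"
        if now - self.received_at < NOTICE_PERIOD_HOURS:
            return False, "notice period has not elapsed"
        self.applied = True
        return True, f"shipment {self.shipment_id} rerouted"


if __name__ == "__main__":
    # The scenario from the article: a text, then a phone call, asking to reroute now.
    rushed = DeliveryChangeRequest("SHP-1", "12 Other St", channel="text", received_at=0)
    print(rushed.apply(now=0))      # refused before anyone can be talked into it

    proper = DeliveryChangeRequest("SHP-1", "12 Other St", channel="email", received_at=0)
    proper.verify("alice", APPROVED_METHOD)
    proper.verify("bob", APPROVED_METHOD)
    print(proper.apply(now=24))     # (True, 'shipment SHP-1 rerouted')
```

The point of encoding the protocol this way is that a convincing voice changes none of the inputs: the channel it arrived on, who has independently called the client back, and how long ago the written notice was received are facts the clerk checks, not judgments the caller can sway.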

A sophisticated pretexting AI voice scam can be very difficult to detect and defeat. Alert employees who know company policies and protocols that mandate a second set of eyes on unusual coworker or client requests are the best ways to stop these attacks. Protect Now can help you develop a complete employee training program and establish protocols based on your specific business needs. To learn more, contact us online or call us at 1-800-658-8311.

Lawsuits: A New Reason to Invest in Cyber Security

Lawsuits relating to cyber security incidents are on the rise, according to the 9th Annual Data Security Incident Response Report published by law firm BakerHostetler. For 2022, there were 42 lawsuits filed from 494 incidents that led to individual notifications, including 4 lawsuits filed in cases where fewer than 1,000 people were impacted by a data breach.

SecurityWeek noted that this represented a significant trend, as 2018 data from BakerHostetler showed just 4 lawsuits filed from 394 incidents reported to impacted users.

Why Are Cyber Security Lawsuits Increasing?

Individuals and businesses are fed up with data breaches and the time and expense needed to address them. As a result, the days of providing free credit monitoring for a year or two are over.

Stronger state data protection laws also play a role in the rise of lawsuits, as they offer a framework for individuals to seek compensation for business and personal expenses incurred by a data breach. The California Consumer Privacy Act has become the model for a growing number of state-level regulations that hold businesses accountable for data breaches.

Insurance companies have also begun to push back against claims for business disruptions caused by cyber security incidents. Taking advantage of stronger state and Federal regulations, insurers who offer cyber security liability and recovery policies may require business owners to certify data protection measures for vendors and third parties. If those organizations experience a cyber attack, insurers may sue to recover their costs.

Invest in Cyber Security Employee Training to Keep Lawsuits at Bay

In the event of a lawsuit, businesses must disclose all aspects of their cyber security, including methods used to protect data, attack response and recovery plans and employee training and protocols. Businesses that have strong cyber security measures will be less likely to face lawsuits, while businesses with weak security measures could be liable for significant damages and legal expenses.

Business owners should expect their cyber security to be scrutinized, and significant gaps will become a greater liability. In BakerHostetler’s report, 39% of cyber attacks were due to human factors, including phishing, social engineering or employee abuse of access. Collectively, this made up the greatest percentage of attack causes; while the root cause was unknown in 26% of attacks, phishing ranked second overall at 25% of attacks.

Sending employees a training video twice a year is not effective employee training. Real employee training teaches workers to recognize obvious attacks, to flag suspicious activity and to report anything that concerns them. CSI Protection Certification from Protect Now delivers this kind of effective training, empowering employees to stop threats by changing their attitudes toward business security. Our training is available through in-person or virtual seminars, or through our eLearning platform. To learn more, contact us online or call us at 1-800-658-8311.

2013 Boston Marathon Bombing: My Best Worst Day Ever

Like Big Papi said, “This is our f–king city.” It’s the 10th anniversary of that beautiful, tragic day. The new Netflix documentary “American Manhunt: The Boston Marathon Bombing” has me sobbing in my kitchen. I’ve watched the movie Patriots Day with Mark Wahlberg countless times. This week I was asked to speak at a high school on my 12 years of Boston Marathon preparation, fundraising and the planner asked about the possibility of me discussing my experience on Boylston St that day, which I wasn’t expecting to do. And leading up to the moment I got on stage, I didn’t realize how shaken I still am. I could barely talk without my voice cracking. Thankfully, the moderator kept the dialog light and we talked about the training, fundraising and fun memories.

Front Page Boston Globe Robert Siciliano Above the Fold

And here’s the thing, NOTHING HAPPENED TO ME. Nothing happened to anyone in my family. My wife and two little girls, my dad, my sister-in-law, and some friends were all at the finish line, 100 yards away from the first bomb, which scared the hell out of me, but still. Completely unscratched. I just saw some sh#t. Ran right by it actually, which is part of the problem. That’s it. But it haunts me. And it makes me think about actual front line military, law enforcement and paramedics who deal with violence, trauma, and tragedy as a vocation. How do they even deal?

Training for a marathon is a taxing, physical, emotional and expensive process. For me personally, that has meant multiple cortisone shots, almost a hundred physical therapy appointments and a few arguments with my wife. Why do it? Why climb a mountain? Why be a police officer? Why be an emergency room nurse? Why detonate a bomb in a crowd of innocent people? We all make choices others wouldn’t and we justify our decisions based on our interests, options and perspective.

For me, I just wanted to lose weight, get fit and finally give back to a charity. When you’re 50 with a young family and your health and marriage are good, bills are paid and life is settled, words like “health,” “gratitude” and “grace” begin to have more meaning. And when you become a runner, you join a special club of conscious people who enjoy challenging themselves and understand our time is limited.

In 2013 I was on my way to run about a 4:10 (my best time ever), but was stopped at mile 26 due to some terrorists’ agenda.

During the 2013 Boston Marathon, my improved time put me on Boylston Street shortly after the blasts. There were two loud bangs, and as I rounded the corner I saw the finish line through dissipating smoke. Boston police immediately corralled runners from going any farther down Boylston because it was now a volatile area and potential crime scene. At 2:52 PM I called my wife, who was at the finish line, about 100 yards from the first bomb, and got no answer. A minute later, I got my dad on the phone; he was with my wife and the kids and he confirmed they were OK. I instructed him to leave ASAP, as another bomb could go off any moment. I told him to “walk down the center of the street and avoid any cars!”

But nothing was going to keep me away from them; I couldn’t just sit there and wait. In my mind, there were bombs going off between my family and myself. As a father, son and husband, the instinctual need to get your family to safety overpowers every sense of reason. I dodged a couple of police officers and ran down Boylston, the only runner on the field, putting myself in jeopardy and now also causing law enforcement to chase after me. At the 26-mile mark, I saw people on the ground, bloody and getting medical attention from the few paramedics that were on hand to take care of runners expected to be injured in more predictable, less violent ways. I made a decision to keep going. Which still doesn’t sit well. It felt like a 3D movie where the scene was pushing me back in my chair, but the sound was off. I know the scene was loud with sirens and screams, but I heard nothing.

Then I heard an angry cop (rightly so) blasting his voice in my ear before he wrestled me off the course. Eluding further apprehension, but onward to my family, I hopped a fence and ran down a back alley behind the restaurants, bars and shops that were evacuating people through their back doors. What I saw was people—many victims who must have made their way on their own or with the assistance of others—screaming, crying and making frantic phone calls…and there was blood. Some victims I saw lost anywhere from pints to whatever; I don’t know. I just remember freaking out and not wanting to run in it.

I ended up behind the finish line and found a way to cross Boylston. I made my way to the Weston Hotel, where I found my family, scooped up my four-year-old and hiked another half mile to my vehicle. Leaving behind two vehicles, we piled nine adults and children into my Yukon and evacuated.


Evacuating the city, carrying my 40lb child after running 26 miles.

Out of relative danger, our attention now turned to our two children and damage control. To gauge my seven-year-old’s feelings, I calmly asked her, “Did you have fun today?” She said, “Yes, today was awesome! Until the bombs went off!” Knowing she was shaken, the radio stayed off and adults did what they could to speak in code. Note to adults who may try this: It doesn’t fool a seven-year-old.

By this time my phone was going nuts, Facebook and Twitter were buzzing and my mother, who couldn’t get in touch with us, was in complete meltdown.

Once I got home and got the kids situated, we ordered a bunch of pizza because that’s what you do when a bomb goes off. People need to feel normal.

My mom showed up at our home shortly after we got there. She was a total mess, and after the kids saw her emotional state, they understood the gravity of the situation. Today, they are showing a tremendous amount of affection and gratitude, which seems to be a side effect of their trauma.

I posted a brief note on Facebook: “I’m OK, I was on Boylston St. when it happened. I saw smoke, I saw blood and people on the ground. My family was 300 yards away, waiting for me and I got to them and evacuated from the city. More later.” And the comments and “likes” poured in.

Shortly after, I provided an update: “I was right there, bomb went off. Boston police removed everyone, I kept running toward the bombs because my family was at the finish line. Police got me off the road, I resisted then another cop almost tackled me (rightly so). I ran in the back alleys, people spilling into the alleys from the explosion, screaming, crying, blood, got my dad to get my wife and kids out of there concerned for another explosion. I’m telling it to Dr. Drew on CNN between 9:15ish and 9:30ish tonight.”

Again, comments poured onto my page like never before. People offering an outpouring of help and support. I never knew I had that many real friends.

I feel I have to explain the part about Dr. Drew and CNN. It may seem opportunistic, but frankly, for me, it’s therapy. I do lots of media as the expert. My network is “the media.” So when I send a blast email to raise money for charity, my network knows I’m running the Boston Marathon. When I logged into Facebook and email, the requests came in from CNN, Extra and Canadian TV, along with a few radio shows too. So I spent the evening after the run as an eyewitness. And, because it’s who I am, I gave security tips too.


Maria Menounos and Me at the Media Compound the day after

My Rockstar cousin, who is an Iraq and Afghanistan soldier and flies one of those crazy killer helicopters, reached out to me via Facebook and said, “I think your situation was much worse than many Middle East situations I’ve been in.” Which I thought odd because he’s had his best buddy blown up right next to him. Then he said, “When I deploy I’m armed, geared up and expecting to fight. You were at a peaceful gathering around families and innocent civilians, not expecting bombs. That makes it much worse.”

We accept the possibility of death and destruction when we sign our contracts. I’m sure no one who signed up for the marathon expected this.

This completely messed me up, putting into perspective just how awful this situation is.

I only slept three hours that night, on edge, emotional and fragile. The next day, I headed to the media compound near Boylston to meet with Maria Menounos from Extra, who is a Greek Boston girl.

I connected with Maria, and within two minutes we were both crying. She started talking about how she loves Boston so much, then I started crying, then she started crying…which completely messed me up. I tell you this because she told me people should know this is real and they can’t forget. She was professional, but she was real. She put me at ease and we got through the interview.

Since then I’ve done more media on this than I wished, including the Boston Globe, Dr. Drew, Extra, Current TV, Canadian TV (again and again), Fox Boston and some radio.

In early May after the blasts, I was asked to speak to the North Eastern Massachusetts Law Enforcement Council on the benefits of social media to law enforcement and how social can help get the word out in a tragedy. When I walked into the room to speak, everyone was in uniform. What I didn’t know was many of the men and women attending were the first responders saving lives at the finish line, and others who were involved in the capture of the bombers. That was a very emotional speech for me. Check out the Huffington Posts blog on how the Boston Police did a stellar job using Twitter during the bombing.


Cowboy Hat-Wearing Boston Marathon Hero Carlos Arredondo and Robert Siciliano

At this point, my family and I are safe. Emotions are still high for some. Even as I update this post from 10 years ago it’s messing me up. We were and still are angry. This celebratory event will forever be marked by the visual of a plume of smoke that symbolized the evil intent of misguided people that do not value human life and have no regard for our freedoms.

We caught the bastards and while there are no real answers, we may never get them. The movie Patriots Day actually did an amazing job of telling the tragic story through a composite character. And the Netflix doc really brings it home.

On behalf of my Boston, we are proud of our city, its first responders and its people, who showed the true measure of the human spirit through powerful acts of kindness and displays of citizen courage.


We are strong as a city, undivided as a country and unbowed by this attack. No terrorist will be allowed to alter our nation’s course.


Robert is running his 12th Boston Marathon for Dana-Farber Cancer Research Institute. Please consider a donation: http://danafarber.jimmyfund.org/goto/robertsiciliano

Robert Siciliano, personal security and cyber security expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud.

Protect Now Announces Agreement to Bring Cyber Social Identity (CSI) and Personal Protection Certification to RE/MAX University®

Comprehensive Program Includes Personal Security and Cyber Security Certification

DENVER, CO – April 4, 2023 – Protect Now, a leading provider of cyber security training and solutions, today announced an agreement with RE/MAX, LLC, a global real estate franchisor with more than 140,000 agents in almost 9,000 offices and a presence in more than 110 countries and territories.

Through this agreement, RE/MAX will add Protect Now’s Cyber Social Identity (CSI) and Personal Protection Certification to the programs offered through RE/MAX University, an exclusive-to-RE/MAX learning hub designed to help each agent level-up their professional expertise. Through this new security awareness training program, real estate professionals will have the opportunity to learn strategies to keep themselves, their businesses and the clients’ data safe.

Developed by Protect Now, the CSI Protection Certification training offers the most current best practices in cyber security to prevent wire fraud, identity theft and breaches, paired with practical advice real estate professionals can use to stay safe in the field. CSI Certification helps to meet FTC Safeguards Rule compliance and delivers a marketing tool to help professionals grow market access, reputation and sales. REALTORS® with a professional designation earn a median income 74% higher than those without, according to an NAR Member Survey.

“We are proud to bring this exceptional safety and cyber security program to the real estate professionals we support,” said Bryson Creighton, Vice President, RE/MAX University Learning & Education. “This is a critical tool that will help our agents and franchisees build trust with their clients and provide the exceptional service that RE/MAX is known for.”

The 2021 National Association of Realtors Annual Safety Report found that 5% of REALTORS® had been a victim of a crime while working as a real estate professional. Cyber-attacks are a growing threat to the real estate industry, where many agencies operate as small- or mid-sized businesses, and where regular email, text and telephone contact with buyers and sellers occurs daily. Criminals have stepped up their attacks on smaller businesses in recent years. Data from 2019 showed that cyber criminals made small businesses their top target, accounting for 43% of data breaches.

“Criminals will always go after the easiest targets,” said Protect Now Co-Founder and Head Security Awareness Trainer Robert Siciliano. “They’ve learned that they can’t make the ‘big hits’ going after large companies, so they now look for small business with lower levels of cyber security. They launch thousands of attacks each month, because it’s a numbers game. They can make a good amount of money from a few hundred breaches with far less risk and effort.”

Protect Now closes the gap between small- and large-business cyber security awareness with training that emphasizes the individual role each employee plays in cyber security. Brokers and agents are taught to see their personal role in protecting access and data, which has proven an effective tool in changing organizational attitudes toward cyber security.

“Wire fraud has surpassed $200 million a year, which decimates the buyer’s bank account, kills the sale, shatters commissions, ruins the agency’s reputation and can lead to lengthy, expensive lawsuits for everyone involved in the transaction. We are also entering an era where the Federal government will demand more accountability from everyone who handles financial information. These are powerful reasons for real estate professionals to attend this training,” Siciliano said.

###

About Protect Now
Protect Now is a leading provider of cyber security training and solutions for business, municipal and nonprofit clients, with an emphasis on organizations that process sensitive information from the general public. Protect Now delivers a suite of cyber security services, including Virtual CISOs, Dark Web Monitoring and FTC Compliance, backed by personal security, cyber security and anti-phishing training that creates meaningful change in employee attitudes toward cyber security by emphasizing the importance of personal security. To learn more about Protect Now’s cyber security solutions, visit https://protectnowllc.com/.

Three Federal Agencies Warn of Business Email Compromise (BEC) Scams

Business Email Compromise (BEC) scams netted $2.4 billion in losses during 2021, with 19,954 complaints reported to the United States government. A joint advisory from the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI) and the U.S. Department of Agriculture (USDA) urges businesses in the agricultural and food sectors to beware of scams stealing physical goods, not money.

New BEC scams targeting food producers use phony emails and websites to order or reroute goods, such as powdered milk, sugar or whole milk. In some cases, fake emails were used to reroute existing shipments to criminals, while in others fake orders were placed by criminals pretending to be existing clients.

How Business Email Compromise Scams Work

BEC scams combine elements of social engineering and phishing. Criminals learn the names of senior executives at companies likely to order large quantities of ingredients or other goods. They then send phony emails or place fake online orders using spoofed assets and email addresses. In some cases, they will communicate directly with senior staff and place orders or ask for shipments to be rerouted. Because the emails look legitimate and generate real responses from humans, employees may accept the phony orders or reroute shipments, leading to hundreds of thousands of dollars in lost product.

Among the scams reported by the Federal government:

  • One group of criminals forged the identity of a U.S. company and placed orders for ingredients from June through August of 2022 with multiple suppliers. The scam netted at least $200,000 in stolen goods.
  • Criminals used a fake email to get a line of credit and $100,000 in milk powder by posing as a food company.
  • Four fake companies targeted a single food manufacturer, ordering nearly $600,000 in whole milk powder and non-fat dry milk.

How to Spot BEC Scams

In nearly every case outlined by U.S. government agencies, there was a small change in an email address that revealed the fraud. In some cases, an extra letter was added. In other cases, the number “1” was substituted for a lower-case “L.” Email addresses may also point to incorrect domains, such as a .org or .net instead of a .gov or .com.

Business Email Compromise scams can slip by employees, even those who have had cyber security training, because they appear professional and do not directly ask for money. They appear to be professional enquiries, often include recognizable names and company logos and present business opportunities. It is only after the order has shipped that companies realize they have been scammed.

As with most scams, awareness and verification stop the criminals and the attacks.

  1. Make all employees who handle orders and shipments aware of Business Email Compromise scams.
  2. Put a second set of eyes on any order over a certain amount, regardless of where it appears to come from.
  3. Do not respond directly to emails that appear suspicious. Study return addresses carefully and, if anything appears off, call the alleged client directly.
  4. Verify any large order or order change by calling the client directly and asking for confirmation.
  5. Ask for advance payment before delivering goods to any new client.
  6. Use Dark Web Monitoring to find out what information about your company has been circulating online. Names of staff could be used for social engineering and phishing attacks. Names of executives and company assets can be used by scammers to create phony emails and websites.
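The address checks described above (an extra letter, a “1” in place of a lower-case “L”, the wrong top-level domain) can be automated as a first-pass filter on incoming orders. This is an added example, not code from the advisory or from Protect Now; the trusted-domain list and the sample addresses are constructed, and domains are assumed to be simple label.tld names (multi-part suffixes such as .co.uk are not handled).

```python
"""Flag look-alike sender domains of the kind described in the BEC advisory.

Constructed example: the trusted-domain list and sample addresses below are
made up for illustration, not taken from any real case.
"""
import re

# Characters criminals swap for visually similar letters ("1" for "l", etc.).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 means one letter added, removed or changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, tld) for a simple 'label.tld' domain (assumption)."""
    parts = domain.lower().split(".")
    return parts[-2], parts[-1]


def check_sender(address: str, trusted_domains) -> dict:
    """Compare the sender's domain with the trusted list and say why it is suspect."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+\.[a-z]{2,})", address.strip().lower())
    if not m:
        return {"verdict": "reject", "reason": "malformed address", "matched": None}
    domain = m.group(1)
    trusted = {d.lower() for d in trusted_domains}
    if domain in trusted:
        return {"verdict": "ok", "reason": "exact match", "matched": domain}

    label, tld = split_domain(domain)
    norm_label = label.translate(HOMOGLYPHS)
    for t in sorted(trusted):
        t_label, t_tld = split_domain(t)
        # "1" for "l", "0" for "o": identical once look-alike characters are mapped back.
        if norm_label == t_label and label != t_label:
            return {"verdict": "suspicious", "reason": "homoglyph substitution", "matched": t}
        # Same company name, but .org/.net where the real client uses .com.
        if label == t_label and tld != t_tld:
            return {"verdict": "suspicious", "reason": "wrong top-level domain", "matched": t}
        # One letter added, dropped or changed in the company name.
        if levenshtein(label, t_label) == 1:
            return {"verdict": "suspicious",
                    "reason": "one letter added, removed or changed", "matched": t}
    # Not a look-alike, but also not a known client: still needs the phone call.
    return {"verdict": "unknown", "reason": "domain not on trusted list", "matched": None}


if __name__ == "__main__":
    # Constructed trusted clients and sample "order" senders.
    TRUSTED = ["dairyco.com", "milkco.com"]
    for sender in ["orders@dairyco.com", "orders@mi1kco.com", "orders@dairyco.org",
                   "orders@dairycoo.com", "orders@othervendor.com"]:
        print(sender, "->", check_sender(sender, TRUSTED))
```

Anything other than an exact match should route the order to the second-set-of-eyes review and the confirmation call from the list above.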

In the most insidious versions of a Business Email Compromise scam, criminals gain access to a company’s legitimate email server, then create fake accounts that they use to communicate with their victims. This can be remedied by reviewing all company email accounts regularly and by immediately closing the accounts of former employees.

As the government warning illustrates, cyber threats come in many forms and through many channels. This scam is a prime example of the kind of attack that many existing cyber training programs miss.

Movers and Shakers: Watch Out for These Scammy Conference Invitation Traps

Finally we are back to booking a ton of live-in-person security awareness training at conferences! It’s about time! Business is getting back to pre-Covid days here in the States and any non-in-person training is being supplemented with live-online and e-learning. It’s all good! However, we are also seeing more of one of the weirdest scams out there: Conference Invitation Scams.

Conference Invitation Scams are on the rise

This is when a scammer sends out invitations to an event, like a conference, with the sole intention of scamming the people they are inviting to attend or to speak at that event. These events might be real, or they could be totally made up. The targets of these scams include CEOs, business owners, lecturers, philanthropists, researchers, and more. The goal of these scammers is to steal the identities of their targets and ultimately get credit card numbers, checks or money wire transfers by scamming the victims.

And that’s not all, these same scams are usually piggybacked with “conference attendee lists for sale” scams. That means companies that might exhibit or market their products and services to attendees of specific conferences are targeted to buy lists that are either lame or simply don’t exist. Conference managers have their backs up against the wall fielding communications from victims who accuse the legitimate conference hosts of bad service and of course worse, fraud.

Identifying a Scam

There are a few signs that you should look out for when you get an invitation to a conference or an event. They include:

  • The invitation is random or a surprise
  • The invitation is filled with bad grammar or typos
  • The invitation asks that you pay a premium price to attend, which includes both transportation and accommodations
  • The name of the conference sounds like one that is real, such as Tech Crunch, but spelled like TecKrunch
  • You cannot pay by credit card, they might require a check, wire transfer, peer to peer payment, or cryptocurrency.
  • The invitation is extremely flattering
  • The greeting on the invitation sounds strange, like “Salutations”
  • The invitation creates a sense of urgency about getting your personal information
  • The conference is in a different country
  • The invitation seems too good to be true
  • The invitation asks for personal information and covers your accommodation, transportation, or conference cost
  • The landing page of the site doesn’t have a phone number or address listed
  • Or none of the above. The invitation or list-for-sale email is perfect. There is absolutely nothing wrong with it.

Beware of the Conference Invitation Scam targeting speakers

Generally, the scam works like this: the scammer starts the scam by sending an email to the victim, which invites them to speak or attend a conference. The scammer often uses the victims’ social media pages in order to get info about them. This helps the invitation seem more personalized.

The victim is then asked to register for the conference, which gives the scammer even more personal information. On top of this, the scammer could ask the victim to pay a fee in order to attend the conference, and pay it fast, because they also create a sense of urgency to attend the conference, such as saying “spots are limited.”

If the targeted victim falls for the scam and sends their info, the scammer could have enough to steal the person’s identity. On top of this, if the victim is well known in the industry, the scammer can even use the victim’s name to promote the conference.

When the victim goes through all of this, they will soon find that they have been the victim of a scammer. You even have to be careful when attending a conference that is legitimate, because a scammer will send out fake invites to real conferences, too. Since a victim knows about these conferences already, they are usually more willing to give up their information.

How to Protect Yourself from Conference Invitation Scams

There are a few tricks and tips that you can start using if you commonly attend conferences. They include:

  • It’s entirely likely your email address, used as a username, has been part of not just one but multiple data breaches, and because of this you are likely to be targeted in scams related to that organization’s product or service. Right now, check if your email address has been part of any specific breaches by utilizing our “Hacked Email Checker” and then change your password for those accounts.
  • Do your research about the event and try to match up the information you find with the invitation you received.
  • Contact the event organizers directly. While a website can be created from scratch or spoofed, there is still value to looking up the event and the contact info of the organizer, report your findings and find out if it’s legit.
  • If you see an email that is similar to what is described above, don’t even respond.
  • If you get an invitation that seems strange, look into it more.
  • Don’t give any personal info, including your Social Security Number. There is no reason a conference organizer would need that.
  • Copy and paste the full email into Google to see if others have reported it as a scam. You are likely not the only person to be solicited in this way.

If You are a Victim, What Should You Do?

Do you think you have become a victim of a conference invitation scam? If yes, there are some steps that you should take right now.

  • First, get in contact with your credit card companies and banks, and make sure they know about it. Dispute the fraudulent charges.
  • Next, you should contact your local police and file a report which might be needed to get your money back.
  • Consider contacting the police in the area where the conference was supposed to be held.
  • If you are inclined to do so, you may want to get in touch with the Better Business Bureau and report it.
  • You can also report this online by using the BBB Scam Tracker on the BBB website, to the FBI at the Internet Crime Complaint Center, or the FTC’s Online Complaint Assistant.

The most important thing is to pay attention. We’ve never seen more scams or more variations on existing scams in our entire lives. It’s funny to us: we hear experts saying “criminal hackers are more sophisticated than ever,” and they are not. What they are, more than ever, is organized. Scammers treat fraud as a business: they have a hierarchy, they punch a clock, they have employees, and it is that “structure” that results in a sophisticated, profitable operation that leads to huge profits.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Are Password Managers Safe? Should You Use One?

Do you think password managers are safe? You probably do, or at least hope they are if you are using them. Keep in mind, there is no such thing as 100% safe or 100% secure. Password managers, and the companies that create, host and deploy them, have one job and that is to keep your passwords secure.

From my experience, they’ve done a pretty good job of that thus far. To this day I am unaware of a password manager that has been breached in such a way where all of the user data was unencrypted and exposed. In general, these companies engage in full-on application security and have bank-level or military-grade encryption. What is so bizarre to me is, last I read, less than 10% of computer users use a password manager. I think a password manager is the best use of my time and money in regards to computer security.

If a password manager was to get hacked, the path of least resistance would be targeting an individual user, compromising their device, and logging into their password manager itself.

However, researchers have shown that they might not be as safe as you think they are. Before we go further, though, just know that I’m not too worried about this.

First, let’s take a look at this study. Generally, it looked at how often passwords were leaking from host computers, and then focused on if the password managers that were installed were leaving passwords on the memory of the computers.

What the study found was that all of the password managers did a good job at keeping passwords safe when it was “not running.” So, it means that a hacker wouldn’t be able to force the software into giving away a password. However, it also found that all of the password managers that were tested made an attempt to remove the password from the memory of the computer…but in a couple of cases, the passwords were still found.

Some of the software tested left the master password and the secret key in the computer’s memory. What this means is that it could be possible for a hacker to access information from the program. But you have to realize that these programs are trying to remove the information…due to situational incidents, it isn’t always possible.

Another program that was tested caused some concerns for the researchers. Essentially, the program takes passwords when the user types them and scrambles them, but they are decrypted when put into the computer’s memory.

Yet another password manager was examined. Here, the software removed the master password from the memory of the computer, and it was not able to be found.

Is this something to worry about? It depends. How a password manager behaves on a device, and whether or not it keeps entered passwords in memory, shouldn’t be that big of a deal. In reality, if the device has spyware on it, or malware that allows for full recording of every keystroke, then that device and that user are essentially screwed.

Since researchers had pointed out these issues, all of the programs had been updated and changed. That’s why I’m not worried. Plus, the real issue doesn’t have much to do with the password managers’ security in regards to its memory or cloud access or its application security, but with the security of the devices that they are on.


In every security awareness training I do, I expound upon the benefits of using a password manager. Inevitably, in every discussion, the question comes up: “what if the password manager gets hacked?” The pure naïveté of that question comes from most computer users’ belief that hacking or penetrating hardware, software or networks is as easy as snapping one’s fingers. It is not. There are generally a number of scenarios that need to come together in order for a device to be compromised.

But there is one single solitary scenario that makes data on a device vulnerable and that is “password re-use” leading to credential stuffing. Credential stuffing is such a weird term. Anyway, OWASP defines credential stuffing as “the automated injection of stolen username and password pairs (“credentials”) into website login forms, in order to fraudulently gain access to user accounts. Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.”

When you look at the danger of using one password over and over again, you are much safer when using a password manager. Meanwhile, head over to my website homepage and scroll down until you see our Password Checker and click “Check if your password has been breached”. Don’t worry about entering your password on the site. We don’t store anything and what can we possibly do with the password? It’s just a password. How can we possibly track that back to any specific account? At a minimum we would need an additional user name. If you’re so concerned, do it from a private browser and/or use a VPN. It just doesn’t matter. Relax. Just get a password manager.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Security Appreciation: Cyber Security

Awareness: knowledge or perception of a situation or fact.

Appreciation: a full understanding of a situation.

Cyber Security Appreciation

“My business has been hacked. Now what?” Here are the steps you should employ immediately.

Hire a Professional – When a business is hacked, it is entirely possible it was compromised because it did not employ technicians to prevent it in the first place. Therefore, third parties that specialize in security and breach mitigation should be contacted immediately. These IT security professionals specialize in prevention and containment. Their proactive role is to seek out vulnerabilities by utilizing vulnerability scanning software to find points of entry and patch those vulnerabilities prior to an intrusion.

Change and Reset Passwords – Many hacks begin with compromised passwords. Easy-to-guess, easy-to-hack, easy-to-crack passwords make the hacker’s job, well, EASY. Never using the same password twice, and utilizing upper case, lower case and special characters along with a password manager, ensures password security.

Update All Software – Begin by scanning all hardware and software with anti-virus programs and removing viruses. Vulnerabilities are often due to outdated software or operating systems riddled with flaws. Updating with critical patches eliminates these threats. Keep redundant networked hardware systems in place, back up data, and maintain contingency plans to put duplicate systems online immediately following a breach.

Update Your Company’s Hardware – Old, outdated hardware simply can’t keep up with the requirements of newer, more robust software or the security software required to keep networks secure.

Back Up All of Your Data – You have to make sure that you are regularly backing up data to a secure location. This data should also be encrypted.

Manage All Identities – Make sure that you are managing identities and access to accounts. You must do this across the board, as just one account being accessed could make you or your network extremely vulnerable.

Utilize Multi-Factor Authentication – You can use multi-factor authentication to keep accounts protected, too. This means every time a device or an online account is accessed, an additional text message must be sent with a one-time pass code or a one-time pass code sent to a key fob. There are hardware devices available that are also forms of second factor or multi factor authentication.

Security Awareness Training – Assuming employees know what to do and, more importantly, what not to do, is risky. Providing effective, ongoing security awareness training, and in the author’s opinion “security appreciation training,” is partnering with employees to protect the network.

Patching – Set up a system so that you can always ensure that your hardware and software is always patched and updated on a regular basis. This helps to keep your data safe.

Align Your IT Security with Other Business Security – Those who are in the IT industry often feel as if they are struggling to keep up with changing technology, including security tech. The success of a business is based on keeping it secure, and keeping all types of security in mind including IT security, has a direct impact on revenue.

Recognize Social Engineering Scams – Every time the phone rings, every time an email comes in, every time an employee opens a US postal letter, be suspicious. Criminals contacting you or your employees will try to bamboozle them with gift card scams, utility bill scams, invoices for products and services, you name it. There are thousands of scams designed to fleece consumers and small businesses.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.