
Phishing Protection 101

Phishing-type e-mails are designed to trick the recipient into either downloading a virus (which then gives the hacker remote control of the computer) or revealing enough information for the thief to open credit cards in the victim’s name, get into their bank account, etc.

There are many ways the crook can trick the victim. Here are the telltale signs:

  • The message wants you to “verify” or “confirm” your password, username or other sensitive information.
  • And why must you do this? Because “suspicious activity” has been detected on your account, or, your account “is at risk for being compromised.”
  • Your name may or may not be in the message. Always be suspect.
  • Financial institutions will never ask you to enter your login information in an e-mail; be just as suspicious when a website reached from an e-mail asks for it.
  • Another ploy is the subject line: There’s a sense of urgency, such as, “Your account is about to be suspended.” A business will contact you by phone or snail mail if there’s a problem.
  • Even if the e-mail seems to have come from your boss at work and addresses you by name, and includes a link…realize that a hacker is capable of learning enough about someone from their LinkedIn page and Facebook to then convincingly impersonate someone they know.

Links in E-mails

  • Typically there’s a link (when there’s not, there’s a malicious attachment).
  • Never click links inside e-mails even if the sender seems to be your employer, health plan carrier or other enterprise you’ve done business with.
  • Hover the mouse over the link. If the URL that appears differs from the link text, assume it’s a scam.
  • Generally, the only time to click a link in an e-mail is to verify your e-mail address right after you have signed up for a new website.

Additional Telltale Signs

  • Just weird stuff. For example, a person who edits for a living receives an unexpected e-mail explaining there’s an attachment that needs to be proofread; wow, a paying gig!
  • Not so fast. The accompanying letter is very poorly constructed, including misspellings of common words, and includes very irrelevant information, such as “I’m a single mom with three wonderful kids.” Why would THIS be included in a legitimate proofreading job?
  • Yet how did the scammer know you’re an editor? Because the crook’s software somehow found your e-mail on the editing gig site you registered with two years ago.
  • The subject line says you’ve won something, or you’ll lose something.
  • If you go to a website and don’t see your site key (if you registered with one), leave. But you shouldn’t have gone to the website in the first place!
  • Always beware of emails purportedly from FedEx, UPS, Amazon, Ebay or anything in your spam folder.

Embrace the idea of deleting reams of UNREAD e-mails without having opened them. If a subject line has you worried, such as “You owe back taxes” or “Your shipment was lost,” then phone the appropriate personnel to see if this is true.

If you suspect you’ve been scammed:

  • Log into whatever account might be compromised and check messages, contact customer service.
  • Place a fraud alert on your credit if your SSN was exposed.
  • Update your security software; run a full system scan.
  • If you revealed any login information, change that account’s login data.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Beware of the CEO E-mail Scam

Beware of the B.E.C. (business e-mail compromise) scam, says a report at fbi.gov. The hackers target businesses and are good at getting what they want.

The hackers first learn the name of a company’s CEO or other key figure such as the company’s lawyer or a vendor. They then figure out a way to make an e-mail, coming from them, appear to come from this CEO, and send it to employees.

The recipients aren’t just randomly selected, either. The hackers do their homework to find out which employees handle money. They even learn the company’s particular language, says the fbi.gov article. The company may be a big business, small enterprise and even a non-profit organization.

Once they get it all down, they then request a wire transfer of money. This does not raise red flags in particular if the company normally sends out wire transfer payments.

This CEO impersonation scam is quite pervasive, stinging every state in the U.S. and occurring in at least 79 other nations. The fbi.gov article cites the following findings:

  • Between October 2013 and February 2016, complaints came in from 17,642 victims. This translated to over $2.3 billion lost.
  • Arizona has been hit hard by this scam, with an average loss per scam coming in at between $25,000 and $75,000.

Companies or enterprises that are the victim of this scam should immediately contact their bank, and also request that the bank contact the financial institution where the stolen funds were transferred to.

Next, the victim should file a complaint with the IC3.

How can businesses protect themselves from these scam e-mails?

  • Remember, the hacker’s e-mail is designed to look like it came from a key figure with the organization. This may include the type of font that the key figure normally uses in their e-mails; how they sign off (e.g., “Best,” “Thanks a bunch,”), and any nicknames, such as “Libbie” for Elizabeth. Therefore, contact that person with a separate e-mail (not a reply to the one you received) to get verification, or call that individual.
  • Be suspicious if the e-mail’s content focuses on a wire transfer request, especially if it’s urgent.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Look out for Shipping E-mail Phishing Scams

Stop clicking on e-mails about your package delivery! Scam, scam, scam! Look, it’s simple:

  • Scammers are also pretending to be from the DHL and FedEx shipping companies, not just UPS.
  • Crooks know that at any given time, thousands and thousands of U.S. people are waiting for a package delivery.
  • So these cyber thieves send out mass e-mails by the millions, knowing that they will reach a lot of people who are expecting a package.
  • The subject line of these e-mails says something about “your delivery” or “your shipment” that lures the recipient into opening the e-mail. Usually, the message is that the delivery has failed, and the recipient is tricked into clicking on an attachment or a link.
  • And that’s when malware gets downloaded to their computer.

This technique is called social engineering: tricking people into doing things they shouldn’t. People are too quick to click. I wonder how many of these clicker-happy people ever even gave their e-mail address to UPS. The last time I sent something via UPS, I don’t even recall being asked for my e-mail address.

But people so freely give out their e-mail address, that when they receive one of these phishing e-mails by crooks, they think it’s legitimate. They believe that the attachment is a new shipping label to print out. They even believe the threat that if they don’t use this new label right away, they’ll be charged a fee. It’s all about hurry, hurry, hurry! People don’t stop and T-H-I-N-K first.

What can be done about this? First off, don’t freely give out your e-mail. That way, if you get an e-mail from a company that you just, by chance, happen to be doing business with, you’ll know it’s a fraud—because you never gave your e-mail to that company in the first place.

Next, share this information with your family and friends. They’ll probably all deny that they’re capable of falling for this scam, but I’m sure that when the unwise ones are alone, they’ll give it some hard thought.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Protect Yourself from Phishing

Everyone has received very obvious “phishing” e-mails: Messages in your in-box that have outrageous subject lines like “Your Account Will Be Suspended,” or, “You Won!”

While some phishing attacks are obvious, others look harmless, such as those in a person’s workplace in-box, seemingly from their company’s higher-ups.

Researchers point out that an e-mail may appear to come from the company’s HR department, for example. E-mails with an “urgent email password change request” had a 28% click rate, Wombat security reported.

Phishing victims act too quickly.

In the workplace, instead of phoning or texting the HR department about this password reset, or walking over to the HR department (a little exercise never hurts), they quickly click.

So one way, then, to protect yourself from phishing attacks is to stop acting so fast! Take a few breaths. Think. Walk your duff over to the alleged sender of the e-mail for verification it’s legit.

Wombat’s survey reveals that 42% of respondents reported malware infections, thanks to hasty clicking. However, employees were more careful when the e-mail concerned gift card offers and social media.

The report also reveals:

  • 67% were spear phished last year (spear phishing is a targeted phishing attack).
  • E-mails with an employee’s first name had a 19% higher click rate.
  • The industry most duped was telecommunications, with a 24% click rate.
  • Other frequently duped industries were law, consulting and accounting (23%).
  • Government was at 17%.

So as you see, employees continue to be easy game for crooks goin’ phishin’.

And attacks succeed more often when employees use outdated plug-ins: Adobe PDF, Adobe Flash, Microsoft Silverlight and Java.

The survey also reveals how people guard themselves from phishing attacks:

  • 99% use e-mail spam filters.
  • 56% use outbound proxy protection.
  • 50% rely on advanced malware analysis.
  • 24% use URL wrapping.

These above approaches will not prevent all phishing e-mails from getting into your in-box. Companies must still rigorously train employees in how to spot phishing attacks, and this training should include staged attacks.

Protect Yourself

  • Assume that phishing e-mails will sometimes use your company’s template to make it look like it came from corporate.
  • Assume that the hacker somehow figured out your first, even last name, and that being addressed by your full name doesn’t rule out a phishing attack.
  • Get rid of the outdated plug-ins.

Phishing attacks are also prevalent outside the workplace, and users must be just as vigilant when on their personal devices.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

How to unsend or cancel an E-mail

If the person you are sending an e-mail to pretty much instantaneously receives it, how on earth can you unsend or cancel it? Well, you have several options.

Criptext

  • This is a browser plug-in that works for Chrome and Safari.
  • Your message including attachments will be encrypted.
  • You will know when it’s been opened.
  • You can recall messages and assign them expiration times. The recall, of course, comes after the recipient has possibly opened the message, but if they’re, for instance, away from their computer when it comes in, and you recall the e-mail, they will never know it was there. Or maybe they will have seen it and decided to open it later, and when that time comes, they see that it has vanished and think they’re going crazy.

UnSend.it

  • Like Criptext, this plug-in will let you know when messages have been opened. In addition, it allows you to recall them and also set expiration times.
  • Missing, however, is the encryption feature.
  • It’s compatible with more browsers than is Criptext.

What about Gmail users?

  • Enable the “Undo Send” feature as follows.
  • In the upper right is a gear icon; click on it.
  • Select Settings to bring up the “General” tab.
  • Scroll to Undo Send.
  • Click checkbox for Enable Undo Send.
  • You can choose a cancellation time of five, 10, 20 or 30 seconds. A grace period of only five or 10 seconds doesn’t make much sense, so you may as well choose 30 seconds unless you routinely need recipients to receive your messages less than 30 seconds after you send them.
  • Hit Save Changes.

Virtru

  • This plug-in is compatible with Chrome and Firefox.
  • Those with Yahoo, Gmail or Outlook accounts can use it.
  • For $2/month, you can have message recall and self-destruction, along with message forwarding.
  • The free version does not offer any kind of recall or cancellation features, only secure messaging.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Phishing works and here’s why

A phishing e-mail is sent by a cyberthief to trick its recipient into revealing sensitive information so that the crook could steal money from the recipient or gain access to a business’s classified information. One way to lure an employee is for the crook to make the e-mail appear like it was sent by the company’s CEO. Often, phishing e-mails have urgent subject lines like “Your Chase Bank Balance Is Negative.”

In its 2015 Data Breach Report, Verizon reported that 23 percent of employees open their phishing e-mails. Eleven percent go further by clicking on something they shouldn’t.

Why do so many employees (and mainstream users) fail to recognize a phishing e-mail? Strong security awareness training at companies is lacking. Perhaps the company simply tosses a few hardcopy instructions to employees. Perching them before videos isn’t enough, either.

Security awareness training needs to also include staged phishing attacks to see which employees grab the bait and why they did so. With a simulated phishing attack approach, employees will have a much better chance of retaining anything they’ve learned. It’s like teaching a kid to hit a homerun; they won’t learn much if all they do is read instructions and watch videos. They need to swing at balls coming at them.

The return on investment from staged phishing attacks will more than offset the cost of this extra training. Living the experience has proven to be a far more effective teacher than merely reading about it or listening to a lecture. As straightforward as this sounds, this approach is not the rule in companies; it’s the exception.

Even rarer is when phishing simulation is ongoing rather than just an annual or semiannual course. But just because it’s rare doesn’t mean it’s not that effective. Companies tend to cut corners any way they can, and foregoing the phishing simulations is often at the top of the list of investments to nickel-and-dime.

If you want to see how gullible your employees (or family and friends) are to phishing e-mails, which again, are geared towards tricking the recipients to click on a malicious link or attachment, pay a visit to Phish.io.

Here you can register, and this free service will send phishing e-mails to your specified recipients. However, these are harmless tests and will not lead to anything negative—other than to reveal who can be duped.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Finding out which Employees keep clicking on Phishing E-mails

You have the best IT security, but dang it…the bad guys keep getting in. This means someone inside your house keeps opening the back door and letting the thieves slip inside. You have to find out who this enabler in your company is, and it may be more than one.

They don’t know they’re letting in the crooks, because the crooks are disguising themselves as someone from your company or a vendor or some other reputable entity.

After figuring out who these welcome-mat throwers are, you then have to continuously keep them trained to recognize the thieves.

So how do you locate these gullible employees? The following might come to mind:

  • Create a make-believe malicious website. Then create an e-mail campaign—toss out the net and see how many phish you can catch. You must make the message seem like it’s coming from you, or the CEO, or IT director, a customer, a vendor, the company credit union, what-have-you.
  • You’ll need to know how to use a mail server to spoof the sender address so that it appears it really did come from you, the CEO, IT director, etc.
  • This giant undertaking will take away good time from you and will be a hassle, and that’s if you already have the knowledge to construct this project.
  • But if you hire an extraneous security expert or phish-finder specialist to create, execute and track the campaign, you’ll be paying big bucks, and remember, the campaign is not a one-time venture like, for example, the yearly sexual harassment training. It needs to be ongoing.
  • What leads to a data breach is that one doggone click. Thus, your “find out who the enabler is” should center on that one single click.
  • This means you don’t have to create a fake website and all that other stuff.
  • Send out some make-believe phishing e-mails to get an idea of who’s click-prone.
  • Set these people aside and vigorously train them in the art of social engineering. Don’t just lecture what it is and the different types. Actually have each employee come up with five ways they themselves would use social engineering if they had to play hacker for a day.
  • Once or twice a month, send them staged phishing e-mails and see who bites.
  • But let your employees know that they will receive these random phishing tests. This will keep them on their toes, especially if they know that there will be consequences for making that single click. Maybe the single click could lead them to a page that says in huge red letters, “BUSTED!”
  • This approach will make employees slow down and be less reflexive when it comes to clicking a link inside an e-mail.
  • Of course, you can always institute a new policy: Never click on any links in any e-mails no matter whom the sender is. This will eliminate the need for employees to analyze an e-mail or go “Hmmmm, should I or shouldn’t I?” The no-click rule will encourage employees to immediately delete the e-mail.
  • But you should still send them the mock phishing e-mails anyways to see who disregards this rule. Then give them consequences.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

How to Recognize a Phishing Scam

So someone comes up to you in a restaurant—a complete stranger—and asks to look at your driver’s license. What do you do? Show it to that person? You’d have to be one loony tune to do that.

However, this same blindness to security occurs all the time when a person is tricked by a “phishing” e-mail into typing in the password and username for their bank, or it may be the login credentials for their PayPal account or health plan carrier.

Phishing e-mails are a favorite scam of cyber criminals. THEY WORK.

When a cyber thief goes phishing, he uses a variety of bait to snag his prey. Classic examples are subject lines that are designed to get the recipient to immediately open the message and quickly react to it, such as an announcement you owe money, have won a prize or that your medical coverage has been cancelled.

And to resolve these problems, you’re asked to log into your account. This is where you place your account credentials into the palm of the thief on the other end of these e-mails.

  • Phishing e-mails may address you by name (the hacker already knows about you), but usually, your name is nowhere mentioned.
  • The e-mails usually contain at least one link they want you to click. Hover your mouse to see what the URL is. It may appear legit, but note the “http” part. Reputable sites for giant businesses, such as Microsoft and PayPal, will have an “https” in their URL. The phishing link’s URL will usually not have the “s.”
  • A big red flag is if there are typos or poorly constructed sentences, but a phishing e-mail may also have flawless text.
  • Don’t be fooled by company logos, stock imagery, privacy policies, phone numbers and other formalities in the message field. It’s so easy for a hacker to put these elements in there.
  • Be leery of warnings or alerts that don’t sound right. Gee, why would your account be “in danger of being suspended”?
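
The hover test from the “Links in E-mails” list in the first post and the “http” versus “https” bullet just above can both be automated. The script below is an added example, not code from the author or from any of the companies named on this page: it pulls every link out of an HTML message body, flags link text that shows one address while the real destination is another host, flags plain-http destinations, and looks for the pressure phrases the posts list in the subject line. The sample message, the subject line and the phrase list are constructed for the example; the domains use reserved example and documentation values, not real sites. Note that the https check only catches the crude case the post describes; a phishing site can have a valid https certificate, so https on its own is never proof that a link is safe.

```python
"""Flag the phishing tells the posts describe: link text that does not match
the real destination, plain-http links, and pressure wording in the subject.
Added example; the message below is constructed, not a real sample."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases taken from the wording the posts quote (constructed list).
URGENCY_PHRASES = (
    "verify", "confirm", "suspicious activity", "suspended",
    "at risk", "you owe", "you won", "delivery has failed",
)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> currently open, if any
        self._text = []      # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercase host named by a URL or bare domain, or '' if there is none."""
    candidate = text if "://" in text else "http://" + text
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself reads as an address."""
    return "://" in text or ("." in text and " " not in text)


def analyse_links(html_body):
    """Return (href, reason) findings for every suspicious link in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if urlparse(href).scheme.lower() == "http":
            findings.append((href, "link is plain http, not https"))
        # The hover test: the text shows one address, the href goes elsewhere.
        if looks_like_url(text) and host_of(text) != host_of(href):
            findings.append((href, "link text %r does not match destination host %r"
                             % (text, host_of(href))))
    return findings


def analyse_subject(subject):
    """Return the pressure phrases present in a subject line."""
    lowered = subject.lower()
    return [p for p in URGENCY_PHRASES if p in lowered]


# Constructed sample message in the style the posts describe.
SAMPLE_SUBJECT = "Action required: suspicious activity, your account will be suspended"
SAMPLE_BODY = """
<p>Dear customer,</p>
<p>Please <a href="http://login.example-bank.verify-now.example/">confirm your details</a>
at <a href="http://203.0.113.7/acct">https://www.example-bank.example/secure</a> within 24 hours.</p>
<p><a href="https://www.example-bank.example/contact">Contact us</a></p>
"""

if __name__ == "__main__":
    for phrase in analyse_subject(SAMPLE_SUBJECT):
        print("subject pressure phrase:", phrase)
    for href, reason in analyse_links(SAMPLE_BODY):
        print(href, "->", reason)
```

Run as-is it reports two pressure phrases in the subject and three link findings: the first link is plain http, and the second is both plain http and shows a bank address while pointing at a bare IP. The third link, whose text and destination agree and which uses https, produces nothing, which is exactly the case where a human still has to call the company to verify.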

The links will take you to a phony site that looks like the real thing and ask you for your login credentials, credit card information, etc. Another way this scam works is by downloading a virus to your computer after you click on the link. Sometimes there’s an attachment that you’re urged to open. The lure might be that it’s a survey from your bank or a report to review from your employer.

A phishing e-mail may still look like the real deal. So how do you protect yourself? Never click on links inside e-mails. Don’t open attachments unless they’ve been sent from someone you personally know. If you think it’s from your company, healthcare plan or bank, then whip out your phone and call the company to see if they sent you the e-mail.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.