Posts

Be aware of all these Confidence Crimes

Criminals have a reliance on tricking victims to get access to account information, like passwords. This is known as social engineering, and is also called a “confidence crime.” These come in many forms:

Do Not Take the Bait of These Phishermen

  • A phishing email that targets a specific person is known as spear-phishing. A spear-phishing email looks like an email that might come from a legitimate company to a specific person. For example, a thief might send a fake email to a company’s employee who handles money or IT. It looks like the email is from the CEO of the company, and it asks the employee for sensitive information, such as the password for a financial account or to transfer funds somewhere.
  • Telephones are used for phishing, too, also called “vishing,” which is a combination of phishing and voicemail.
  • Fake invoices are also popular among hackers and scammers. In this case, a fake invoice is sent to a company that looks like one from a legitimate vendor. Accounting pays the invoice, but the payment actually goes to a hacker.
  • Another scam is when a bad guy leaves a random USB drive around the office or in a parking lot. His hope is that someone will find it, get nosy, and insert it into their computer. When they do, it releases malware onto the network.
  • Cyber criminals also might try to impersonate a vendor or company employee to get access to business information.
  • If someone calls, if you get an email, if the doorbell rings, or if someone enters your office, always look at it with suspicion.

Be thoughtful about security:

  • Set up all bank accounts with two-factor authentication. All web-based email accounts should have two factor authentication. This way, even if a hacker gets your password, they still can’t access your accounts.
  • Train staff to be careful about what they post on social media, such as the nickname the CEO goes by in the office.
  • Do not click any link inside of an email. These often contain viruses that can install themselves on your network.
  • Any requests for money or other sensitive data should be verified over the phone or in-person. Never just give the information in an email.
  • All money transfers should require not one, but two signatures.
  • Make sure all employees are fully trained to recognize a phishing attempt. Also, make sure to stage phishing simulation attempts to make sure they are following protocol.
  • Help people understand the importance of looking out for things like a new email address for the CEO or Kathy in accounting suddenly signing her name Kathi.
  • Also, teach staff to report any uncharacteristic behaviors with long-time vendors or even fellow coworkers.

I once presented a security awareness program to a company that was almost defrauded. They hired me because of an email accounting had received from the CEO. The CEO sent a nice proper letter to accounting requesting payment be made to a specific known vendor.

A number of things were wrong with the email. First and foremost, like I mentioned, the email was nice and proper. Apparently the CEO isn’t all that nice, is somewhat of a bully, and all his communications are laden with profanity. So the red flags, where the fact that the email was nice. Imagine.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

5 Reasons why You will get Hacked

Don’t be part of the “I’ll never get hacked” camp. Do you really think it won’t happen to you? If so, it’s:

4DBecause you think no phishing e-mail could get past your radar. Just because you can spot a Nigerian scam doesn’t mean you can’t be tricked. Phishing campaigns today are ingenious and sophisticated, and include information about the recipients, fooling them into thinking these e-mails are from their friends or associates. These messages will blend right in with all your other legit messages as far as content and appearance, which include good spelling and grammar.

Because you think you’re not a target. You think you’re too little a fish in a sea of gargantuans for a hacker to be interested in you. However, every fish in the sea, including the tiniest, is a potential target. Sometimes, all a hacker wants is someone else’s e-mail from which to send spam.

Because you think deleting your cookies will keep you from getting targeted. This is like saying your house can’t get broken into because the second story windows are locked. But what if the first floor windows, and the front door, are open? Intruders will find other ways to cyber track you than cookies. For example, your IP address can identify you, which is why it’s always good to run Hotspot Shield to mask your IP address and protect your data on free WiFi. Second, your computer and browser have your unique fingerprint.

Because you think you’re invulnerable with firewall and antivirus software. Did you know that in some cases the best anti-malware detection, especially for larger business networks, spot only 45 percent of attacks? Keeping in mind you have to have antivirus, antiphishing, antispyware and a firewall as necessary layers of protection.

Because you think that avoiding Internet back alleys will keep you protected. Just like a mugging can occur in broad daylight in a busy mall parking lot, so can deposition of malware in that this is many times more likely to occur as a result of visiting popular online shopping sites and search engines, when compared to phony software sites. And if you spend a lot of time on porn sites, consider yourself infected.

Don’t Be a Myth Head

A smart, sophisticated cyber criminal will go after smart, sophisticated users, not just the dumb ones. Don’t let your guard down for a second. There’s always someone out there who’s smarter than you—or, at least—smart enough to trick you, if you become lax.

One step forward is to just commit to never, ever clicking on any links inside of e-mails. And when you receive an e-mail with an empty subject line, even if the sender is apparently your mother…don’t open it. Instead, send her an e-mail and ask her if she sent you one with a blank subject line. And even then, don’t open it, because you just never know. Protecting yourself takes a little more time, but remember, a stitch in time saves nine. Which frankly, I really don’t know what that means, but it sounds good right here.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Malware and Phishing Warnings in Chrome Browser to be changed by Google

Google normally displays a malware and phishing warning in the Chrome browser. There are plans, though, to alter the display. Currently it’s a white warning against a red background. The new display will be an entirely red page, with a big X at the display’s top. These warnings tell the user that the site they’re about to visit may try to install malware or con you into giving up personal information.

13DThe new warning, like the current one, gives users the option to skip it and go to the website, but they must first acknowledge what they’re about to do.

Though a date for the changes hasn’t been set, they can be viewed on the Dev and Canary builds of Chrome.

The changes are designed to better indicate to users that an attack might happen, rather than make them think that one already has happened. After all, a malware warning should not scare you away, but instead, inform. Nevertheless, many malware warnings get ignored anyways.

A study showed that people were twice as likely to bypass a warning if the website was already part of their browsing history. This indicates that users are not so likely to believe that a previously visited, and especially popular, site could be threatening.

The study recommends that warnings should be formulated to let people know that even “high-reputation websites” can be malicious, poised to download a virus or deceive you into giving out your Social Security number.

The malware and phishing warnings on Chrome will perhaps always be in a state of further development.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

Most Toxic Superhero 2014

It’s a bird! It’s a plane! It’s Superman! Yes, this superhero might be the epitome of courage, justice, and strength, but he might also be the biggest threat to you online.

We’ve entered a new age of superheroes. No longer are they just pictures in a comic book. They are now accessible on computers, game console devices, and mobile devices. Superheroes like Captain America, Thor, and Spiderman star on the silver screen. The Green Arrow and The Flash have their own television shows. Videos like Batkid and the Spiderman dad went viral on YouTube (and consequently, melted our hearts).

This is great news to comic publishers like Marvel and DC Comics. Unfortunately, it’s also good news to hackers and scammers too. Cybercriminals know that search engines (like Google, Yahoo! and Bing) can also be used for criminal means. Therefore, they use popular search terms to draw victims in like celebrity gossip, holidays, viral hits, and…you guessed it…superheroes.

McAfee just released a study on the Most Toxic Superheroes that analyzed what superhero search led to the most risky websites using McAfee® SiteAdvisor® site ratings. And the Man of Steel topped the list. The study determined that searching “Superman,” “Superman and free torrent download,” “Superman and watch,” “Superman and free app,” and “Superman and online,” yields a 16.5% chance of landing on a website that has tested positive for online threats, such as spyware, adware, spam, phishing, viruses and other malware.

This year the Most Toxic Superheroes are:

superhero

Here are some things you can do to protect yourself:

  • Be suspicious: If a search turns up a link to free content or too-good-to-be-true offers, be wary
  • Double-check the web address: Look for misspellings or other clues that the site you are going to may not be safe (for more on this, read my blog on typosquatting)
  • Search safely: Use a web safety advisor, such as McAfee SiteAdvisor that displays a red, yellow, or green ratings in search results, alerting you to potential risky sites before you click on them
  • Protect yourself: Use comprehensive security software on all your devices, like McAfee LiveSafe™ service, to protect yourself against the latest threats

Want to know more? Join the discussion on Twitter using hashtag #toxicsuperhero.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

Phishing Alert: 8 Tips to protect yourself from Attacks

It’s as easy for hackers to phish out your personal data as it is to sit in a canoe on a still pond, cast the bait and wait for the fish to bite.

13DSo many people fail to learn about phishing scams, a favorite and extremely prevalent scam among cybercriminals.

A type of phishing scam is to lure the user onto a malicious website. ZeuS (Zbot) is such an example, planted on websites; visit that site and it will download a virus to your device that will steal your online banking information, then forward it to a remote server, where the thief will obtain it. Very clever.

But that ingenuity is contingent on someone being gullible enough to open a phishing e-mail, and then taking that gullibility one step further by clicking on the link to the malicious site.

10 Phishing Alerts

  • An unfamiliar e-mail or sender. If it’s earth-shaking news, you’ll probably be notified in person or via a voice phone call.
  • An e-mail that requests personal information, particularly financial. If the message contains the name and logo of the business’s bank, phone the bank and inquire about the e-mail.
  • An e-mail requesting credit card information, a password, username, etc.
  • A subject line that’s of an urgent nature, particularly if it concludes with an exclamation point.

Additional Tips

  • Keep the computer browser up-to-date.
  • If a form inside an e-mail requests personal information, enter “delete” to chuck the e-mail.
  • The most up-to-date versions of Chrome, IE and Firefox offer optional anti-phishing protection.
  • Check out special toolbars that can be installed in a web browser to help guard the user from malicious sites; this toolbar provides fast alerts when it detects a fraudulent site.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing  identity theft prevention. For Roberts FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

10 Ways you may get Hacked this Summer

Can you name 10 ways you can get hacked this summer? I can.

Hotel Hacking

4DThose hotel electronic card locks for doors aren’t as secure as you think. A criminal attaches a little electronic gizmo beneath the lock, and presto, he’s in your room. You can’t stop this, but you can make the burglary worthless by not leaving valuables in your room. Always have your door locked overnight.

Car Hacking

Forget the bent coat hanger trick — that’s for rookies. But even a dimwitted thief could hack into your car this summer. For only $5, the thief buys a “black box,” a key fob spoofer, that electronically forces car doors open. Short of disabling your keyless entry, what you can do is park your car in lighted areas and keep valuable out of it. Or have your mechanic install a kill switch.

Credit Card Skimming

Criminals set up those card readers at stores with devices that will steal your card information. If you can’t pay with cash, use a credit card since there’s a delay in payment, whereas a debit card takes money from your account at the point of purchase. Keep a close eye on your credit card statements and bank account.

Hacking a Charging Phone

Avoid charging up your phone at a public kiosk. It doesn’t take a mental giant to install malware into these kiosk plugs. Once your phone gets plugged in, it’ll get infected. Use only your plug or wall outlets.

Finders Keepers Finders Weepers

If you happen to find a CD-ROM or thumb drive lying around in public, leave it be, even if it’s labeled “Hot Summer Babes at the Seashore.” You can bet that a crook left it there on purpose and wants you to plug it into your computer. You’ll end up installing malware that will allow the thief to remotely control your computer.

Phishing for Victims

You get an e-mail with a striking message in the subject line such as “Pics of you drunk at my party!” A percentage of people for whom these messages apply to will open the e-mail and take the bait: a link to click to see the photos. The link is malware and will infect your computer.

Wi-Fi Sharing

Using a public computer is always risky, as anyone can monitor your online actions. Hackers can even “make” your device go to malicious websites that will infect your device. Stay away from public Wi-Fi or use a VPN (virtual private network) like Hotspot Shield. A VPN will protect you summertime and all time at public WiFis.

Photo Geotagging

Every time you take a picture and post online, your location will be up for grabs in cyberspace, unless you’ve disabled your device’s geotagging.

Social Media

Beware of clickjacking and XSS. Clickjackers place a phony screen over an obscured malicious link, luring you to click. The hidden link then is triggered and gives the hacker your contacts, taking you to a malicious site. XSS puts a malicious script right in your browser that will install malware. So be judicious about clicking on popular videos and whatnot.

Airplane WiFi Hacking

Connect while 35,000 feet high and you can be revealing all sorts of private goodies. Airplanes lack online security. The aforementioned VPN is your best bet when connecting to airplane WiFi

Start your summer off securely by avoiding becoming a victim of hackers.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him discussing internet and wireless security on Good Morning America. Disclosures.

Phishing Alert: 10 Tips To Protect Your Business From Attacks

It’s becoming too easy for criminals to get their hands on your banking information, due to your employees’ ignorance of phishing scams.

13DMalware attacks have soared recently, targeting banks for the purpose of stealing online banking information. Over 200,000 new infections occurred between July and September 2013—the highest jump in the past 11 years, according to a TrendsLab Security report. Cyber-criminals are ubiquitous on this planet, and phishing is a favorite among their arsenal of attacks, a way to gain access to computers, as well as infecting a computer.

ZeuS (aka Zbot) is a common malware planted on websites. If a website is infested with ZeuS, or other malware, and you visit that site, your computer will become infested with ZeuS. Once settled in, ZeuS steals online banking credentials, and then transmits these details to a remote server, where the cyber-criminals can access it. But for ZeuS to spread, that means someone is opening a phishing email and clicking on the link that leads to the virus-inhabited website.

Who’s clicking on these links? Unfortunately, some of your employees probably are. According to a recent eWeek article, 18 percent of phishing messages are opened in the workplace—and yes, this includes clicking the accompanying malicious link.

That’s not all—sometimes the numbers can go even higher. According to the report, one particular phishing campaign yielded a 72 percent clicking response on the link.

Furthermore, the report states, 71 percent of users’ computers have a higher susceptibility of infection due to having outdated versions of popular software such as Microsoft Silverlight and Adobe Acrobat.

How To Stop Your Employees

Monthly training of employees to avoid suspicious emails helps knock down the percentage of clicks to 2 percent, much better than quarterly training does (to 19 percent). The report adds that cleaning recipients’ invaded computers costs the company, even though 57 percent of companies rated phishing attacks as “minimal.” However, even “minimal” impact still means a lot of cleanup for a high volume of attacks, involving IT staff response and employee downtime during system restoration.

Those who take the bait are costing you money, and the potential risk to your business is enormous. The Anti-Phishing Working Group recommends the follow tips. Share them with your employees ASAP.

  • A big red flag should go with emails that request personal financial information. If the name of the company bank is mentioned, arrange a phone call to that bank regarding the suspicious email.
  • Be leery of exciting or worrisome statements designed to rattle emotions rather than sink in logically; think before you click!
  • Be highly suspicious of a message asking for a password, username, credit card information, date of birth or other very private details of yourself or your company.
  • If you don’t recognize the sender’s name or address, or have no idea what the message could pertain to, simply ignore it altogether. It’s never urgent to click a link; you won’t get fired if you don’t.
  • Never enter confidential financial (or personal) data in a form inside the email.
  • A special toolbar, installed in the Web browser, can help protect you from fraudulent sites. The toolbar compares online addresses with those of known phishing sites and will provide a prompt alert before you have a chance to click or give out private information.
  • The latest versions of Chrome, Firefox and Internet Explorer have optional anti-phishing protection.
  • Bank, debit and credit account statements should be regularly checked for suspicious transactions.
  • If any transactions look suspicious or unfamiliar, alert appropriate personnel to contact the relevant financial institution.
  • The computer browser should always be kept up-to-date. Security patches should be installed.

Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.