Think about hackers breaking into accounts. If you think they need top-notch computer skills, you would be wrong. These days, instead of requiring skills behind a keyboard, hackers generally rely on strategy…specifically a strategy called social engineering. This means that hackers don’t have to be technical, but they DO have to be clever and crafty because they are essentially taking advantage of people and “tricking” them into giving information.
There are four main ways that hackers use social engineering:
- Phishing – where hackers use email tricks to get account information
- Vishing – similar to phishing, but through voice over the phone
- Impersonation – the act of getting information in person
- Smishing – getting account info through text messages
Phishing accounts for 77 percent of all social engineering incidents, according to Social Engineer, but in vishing attacks, alone, businesses lose, on average, $43,000 per account.
Here are the top scams that all consumers and businesses should know about as we move into 2017:
Scam Using the IRS
Starting from the holiday season stretching through the end of tax season, there are scams involving the IRS. One such scam uses caller ID to change the true number of the caller and replaces it with a number from Washington, D.C., making it look like the number is from the IRS. Usually, the hacker already knows a lot about the victim, as they got information illegally, so it really sounds legit.
In this scam, the hacker tells the victim that they owe a couple of thousands of dollars to the IRS. If the victim falls for it, the hacker explains that due to the tardiness, it must be paid via a money transfer, which is non-traceable and nonrefundable.
BEC or Business Email Compromise Scam
In the business email compromise, or BEC scam, a hacker’s goal is to get into a business email account and get access to any financial data that is stored within. This might be login information, back statements, or verifications of payments or wire transfers.
Sometimes a hacker will access the email by using an email file that contains malware. If an employee opens the file, the malware will infect the computer and the hacker has an open door to come right in.
Another way that hackers use the BEC scan is to access the email of a CEO. In this case, they will impersonate the CEO and tell the financial powers that be that he or she requires a wire transfer to a bank account. This account, of course, belongs to the hacker not the business. When most people get an email from their boss asking them to do something, they do it.
Finally, hackers are also commonly using ransomware to hack their victims. In this case, the hackers are working towards convincing targets to install dangerous software onto their computer. Then, the computer locks out the data and the victim cannot access it…until he or she pays a ransom.
At this point, they are informed that they can get access back when they pay a ransom. This might range from a couple of hundred to several thousands. Usually, the hackers demand payment by bank transfer, credit card, bitcoin, PayPal, or money transfer services. Victims are usually encouraged to go to a certain website or call a certain number Unfortunately, too often, once the victim pays the ransom, the hacker never opens up the system. So now, the hacker has access to the victim’s computer and their credit card or financial information.
The way social engineering works in this scam is varied:
One way is this…imagine you are browsing the internet, and then you get a popup warning that looks quite official, such as from the FBI. It might say something like “Our programs have found child pornography on your computer. You are immediately being reported to the FBI unless you pay a fine.” When you click the popup to pay, the program actually downloads a program called spyware to your computer that will allow the hacker to access your system.
Another way that social engineering works with ransomware is through voice. In this case, you might get a phone call from someone saying they are from Microsoft and the representative tells you that they have scanned your computer and have found files that are malicious. Fortunately, they can remotely access the machine and fix the problem, but you have to install a program to allow this. When you install it, you give them access to everything, including personal and financial information, and they can do what they want with it.
Finally, you might get an email offering a free screen saver or coupon, but when you open it, the software encrypts your drive and takes over your computer.
Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.Filed Under: hackers internet safety online scams Phishing social engineering
Small businesses are hardly immune to attacks by hackers.
- The illusion of low attack risks comes from the publicity that only huge corporations get when they are breached, like Target, Sony and Anthem. These are giants, so of course it makes headline news.
- But when a “ma and pa” business gets attacked, it’s not newsworthy.
If you own a small business, ask yourself just how the mega-giant Target got infiltrated by cybercriminals in the first place. Answer: a ma and pa HVAC vendor of Target’s!
Cybercriminals thrive on the myth that only big companies get attacked. They know that many small outfits have their guards down; have only rudimentary security measures in place. Never assume you know everything that a hacker wants—or doesn’t want.
Think of it this way: Which burglar is more likely to make off like a bandit? One who attempts to infiltrate a palace that has a 10-foot-high stone wall, surrounding a moat that surrounds the palace, with motion sensors everywhere that set off piercing alarms; an army of Dobermans; and a high tower where guards are keeping a lookout?
Or the burglar who tries to break into a small townhome with only a deadbolt and window screens for security? Sure, the palace has millions of dollars worth of wall art alone, but what chances does the burglar have of getting his hands on it? The little townhome just might have some electronics and jewelry he can sell underground.
No business is too small or its niche too narrow to get a hacker’s attention; just like any burglar will notice an open ground floor window in that little townhome at 3 a.m.
- Never use lack of funds as an excuse to cut corners on security.
- Share security information with competitors in your niche.
- Consider the possibility that a cyber attack can be an inside job in your little company—something relatively easy to pull off (e.g., every employee probably knows the direct e-mail to the company owner).
- Get cyber attack insurance. A halfway-sized cyber attack could cripple any small company and have tangential fallout.
Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.Filed Under: cyber crime cybersecurity
Tags: social media, Social Media privacy, social media scams, Social Media security
Leave personal details off your Facebook page.
Does the whole world—or even your private circle, many of whom you haven’t seen in person for years, or even at all—have to know you’re laid up from hernia surgery (i.e., vulnerable, defenseless)?
Try this experiment for a week: Assume that the only visitors to your Facebook are 1) future possible employers, 2) master gossip spreaders and reputation bashers, and 3) your future in-laws (if you’re not married). This should really change the game plan of how you post.
Never send naked photos of yourself.
Not even to your significant other. After all, in many cases of leaked nude images…the significant other is the leaker! If your lovey-dove wants to see you in your birthday suit, then present yourself that way in person—after you know for sure all the cameras in the room are turned off.
Enough with the selfies.
It’s gotten to a point where all selfies look alike: Some doofus holding up the phone and staring INTO the phone. Whatever happened to the nice images of yesteryear, where someone, posing nicely, was facing the viewer? Selfies are fine if you’re showing off your abs when the selfie next to it of 90 days ago shows the Pillsbury Dough Boy, but please, nobody is special enough to justify endless selfies, including those for which you corralled a bunch of people to take part in it.
Instagram is not for food images.
Don’t waste your time. Think “borrrrrring!” Who really wants to see your beet salad? If you want to promote your recipe skills, start a website.
“Like” only recent posts.
Nobody pays attention to likes on old posts.
Cross out cross-posting.
Post an item on your Snapchat story, then put it in a private message…NOT.
No ODRs, no oversnapping.
Avoid opening but not replying on Snapchat. Avoid double-snapping someone.
Say no to screengrabbing.
Read that again. Don’t grab a Snapchat unless you want the sender to know who did it.
Be mindful of commenting on your teenagers’ pages. Be sincere if you must, like a congratulations for qualifying for the state wrestling finals.
Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.Filed Under: social media privacy
Recently, says a report at wired.com, it’s been unveiled that the obscure Israel-based NSO Group has been selling spyware delivered to smartphones through vulnerabilities in Apple’s iOS operating system.
“Pegasus” spyware can put a surveillance out on nearly everything including keystrokes, e-mails, video feeds and phone calls. Apple says that the three vulnerabilities with this spyware (“Trident”) have been patched.
In short, NSO Group’s spyware has been reverse engineered for the first time—achieved by the security research firm Lookout, which discovered Pegasus. Also getting credit for the discovery is Citizen Lab.
- Ahmed Mansoor, a well-known human rights activist with a history of being targeted by surveillance spyware, sent the security firms the suspicious SMS text messages he had received.
- Mansoor’s mobile device was running iOS’s latest version when two phishing texts came in with links. He had refused to click them.
- Instead he sent screenshots to Citizen Lab. The links led to a blank Safari browser page. The analysis then began.
- The spyware was intended to jailbreak the phone.
Jailbreaking an iPhone means the user can bypass Apple’s plan and customize the experience. However, in the Pegasus case, remote hackers wanted this control.
Citizen Lab and Lookout took their analysis to Apple, who made the patches within 10 days. The recommendation is to regularly download the latest iOS versions to help protect the device from attacks. The latest iOS version will stop Pegasus. However, it’s possible for NSO to infiltrate other phone operating systems like Android with the spyware, says Citizen Lab and Lookout.
NSO Group has no website, and supposedly, earns $75 million a year, with governments as the typical clients, and may have up to 500 employees. It won’t be any surprise if a new and similar threat follows soon, as the NSO Group is quite advanced, with a solid software development organization.
Robert Siciliano CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.Filed Under: hackers online security spyware
You shouldn’t leave any digital trace of yourself after you leave a job. Hopefully, you’ll be leaving voluntarily and thus have the time to first make backups before you delete anything. This may seem easy, but you need to take inventory to make sure you get EVERYTHING.
Note: make sure that every suggestion below is allowed via a company’s internal policies.
An article at wired.com gives these recommendations:
- Use a flash drive for smaller amounts of data.
- An alternative is a personal account with Dropbox or Google Drive.
- For more data use an external hard drive.
- Don’t include company information in your backups.
- Forward e-mails you want to save to your personal e-mail.
- Delete all e-mail files, then close down your e-mail account.
- Check USB slots.
- Clear out your personal data if you don’t have authority to wipe the device.
- Delete all your passwords, usernames, etc., that are stored in the computer.
- Browsers like Chrome and Firefox will save passwords and tie them to Google ID or Firefox Sync. Don’t just close out of the browser; log out so that nobody sees your passwords. Do what you can to make the browser forget your passwords.
- In Chrome is “Manage Saved Passwords” in the settings. Use this to delete passwords from any Google account you’ve used. Warning: Hopefully you don’t use the same password and username for workplace Chrome as you do for home, but if you do, deleting this information at workplace Chrome will also clip them at your home computer.
- In Safari, go to “Preferences,” then “Passwords” and delete.
- For Microsoft Edge, click the three dots in the upper right; go to “Settings” and then “View Advanced Settings.” Click “Manage Saved Passwords” and delete.
- If you’re allowed to, wipe the computer.
- The wired.com article recommends KillDisk and DP Wipe.
- Wipe your mobile device that’s provided by the company, assuming you have permission.
- If you don’t have permission, ask the IT team to do this. Just make sure you’re logged out of all applications.
- Shut your company voicemail down—after you delete remaining messages.
#1. Keep everything up to date. You know those annoying popups telling you updates are available? Do you ever click out of them? Don’t. Always update at the time these appear.
#2. Two-step verification. Two-step verification or authentication should be set up for all your accounts that offer it. A unique one-time code is sent to the user’s phone or via e-mail that must be entered in the login field.
#3. Unneeded browser extensions? Review your browser extensions. Uninstall the ones you don’t use. Too many extensions can slow down your computer.
#4. Encryption. Encryption software will scramble your e-mail and other correspondence so that prying eyes can’t read them, but you and your intended correspondent can. If you must use public Wi-Fi (like at a coffee house), install a virtual private network to encrypt transactions.
#5. Lock screen protection for your mobile device. Your smartphone has lock screen protection in the form of a password to prevent a non-authorized user from gaining access. If you leave your phone lying around or lose it, you’re protected if you have a password. Otherwise you are screwed.
In the same vein, your laptop should have protection from non-authorized users. Set up a password that allows access to using the device, including after hibernation periods.
#6. Check active logins. Some accounts allow you to check active logins to see if any unauthorized users have been in your accounts, such as Twitter, Facebook and Gmail.
#7. How easy can someone impersonate you? Could anyone phone your bank or medical carrier and give the correct information to bypass security, such as your “favorite pet’s name”? Who might know this information? Well, if it’s on your Facebook page, anyone who can view it. How much of your personal information is actually online? Many accounts allow a “secondary password” Ask them.
#8. Simple but powerful layers of protection.
- Don’t have login information written down on hardcopy.
- Cover your webcam with tape (yes, cybercrooks have been known to spy on people this way).
#9. Sharing your personal life with the whole world. Set all of your social media accounts to the private settings you desire. Do you really want a potential employer to see you hurling at your late-night party? Make sure images that you post are not geo-tagged with your home address.
#10. Web tools. Check out the various toolbars that you can add to your browser to beef up security. Be selective and check ratings.
Robert Siciliano, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.Filed Under: digital security
Who needs a hanger to steal a car when you can use a laptop? Despite today’s vehicles having far more sophisticated security protection, thieves can still break in—like the two crooks who stole at least 30 Dodge and Jeep vehicles…with just a laptop computer.
In Houston, video showed the pair in the act, though authorities are still working on piecing together just how the capers were pulled off.
One possibility is that a database contains codes that link key fobs to cars. Perhaps the thieves, who may be part of a ring, somehow got access to this database (one theory is that a crooked employee sold them the access), and from there, created key fobs based on vehicle ID numbers. VINs are visible on vehicles. Vehicles that are targeted for theft don’t “know” an authentic fob from a fraudulent one.
Again, this is all conjecture, but one thing’s for sure: The pair did not steal the vehicles the old-fashioned way.
Though today’s electronic security measures will stop the thief who lacks techy know-how and prefers the coat hanger and hotwire method, technology won’t stop smarter, more ingenious crooks who feel quite at home committing cyber based crimes.
With more and more criminals relying on the Internet of Things to commit all sorts of crimes, maybe the best security for a motor vehicle would indeed be one of the old-fashioned security features: install a kill switch.
Robert Siciliano, personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.Filed Under: online safety online security security
As long as humans sit at computer screens, there will always be infected computers. There’s just no end to people being duped into clicking links that download viruses.
A report at theregister.co.uk explains how subjects, unaware they were guinea pigs, fell for a phishing experiment.
- Subjects were sent an FB message or e-mail from an unfamiliar sender, though 16 percent of the subjects who ultimately clicked reported they knew the sender.
- The sender announced they had images from a New Year’s Eve party but not to share them.
- 43.5% clicked the FB message link and one-quarter clicked the e-mail link.
- Many of the subjects denied making these clicks, but most who admitted it named curiosity as the reason.
- 5% claimed they thought their browser would protect them from an attack.
Obviously, there will always be that percentage of the human population who will allow curiosity to preside over common sense and logic. The idea of simply never, never, ever clicking a link inside an e-mail is an impossible feat for them—perhaps more difficult than quitting smoking or losing 50 pounds.
This is the battle that businesses have with their employees, which is how businesses get hacked into and massive data breaches result.
However, says the report, rigid training of employees may backfire because valid e-mails may be ignored—though it seems that there has to be a way for companies to get around this—perhaps a phone call to the sender for verification if the company is small. For large businesses, maybe executives could just resort to the old-fashioned method of reaching out to employees; how was this done before the World Wide Web was invented?
Digital signing of e-mails has been suggested, but this, too, has a loophole: some employees misinterpreting the signatures.
Nevertheless, security training is not all for nothing; ongoing training with staged phishing e-mails has been proven, through research, to make a big difference. Unfortunately, there will always exist those people who just can’t say “No” to something as mundane as images from a New Year’s Eve party from a sender they’ve never even heard of.
Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.Filed Under: Data Breaches data theft
Tags: hacking, social media, Social Media privacy, social media safety, social media scams
If the super big wigs could get their social media accounts hacked, you can too. If you can believe it, the Twitter accounts of the following were recently hacked:
- Google CEO Sundar Pichai
- Yahoo CEO Marissa Mayer
- Oculus CEO Brendan Iribe
- Twitter co-founder Jack Dorsey
Shouldn’t these CEOs know how to prevent getting hacked? One little slip could let in the cybercriminals: reusing the same password.
Times have really changed. During the good ‘ol days, employees barely knew the CEO. Sometimes he was faceless, and at most, they received form letters from him…or her. Nowadays, company workers know the names of the CEO’s grandkids, new puppy, where they spent their last vacation, complete with photos.
CEOs want a human connection to their company’s worker bees and hence, many are very active on social media—so active, in fact, that they hardly think of security…like using old passwords for new accounts and/or using the same password for multiple accounts…and/or using an easily crackable password.
Other mistakes CEOs make:
- Posting personal information—way too much, more than enough for hackers to use against them.
- This includes names of kids and vacation destinations, details about hobbies, relatives and other personal data.
- Inclusion of personal information on a professional social media profile.
That may all sound innocent and just a way for CEOs to humanize themselves, but the more personal information they share with the world, the easier it is for cybercriminals to bust in. Crooks can often easily obtain the CEO’s e-mail and send a message that appears innocent, but has a link or attachment that the recipient is lured into clicking.
Once clicked, the attachment or e-mail unleashes malware, giving the crook control of the CEO’s computer. So even if the CEO has a unique and very strong and long password for each social media account, all it takes is a moment of having their guard down and hastily clicking a malicious link or attachment to get infected.
The hacker may have many motives for breaking into an account, and this includes posing as the CEO and posting items on the social media account with the hopes of damaging the CEO’s reputation.
Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.Filed Under: social media privacy
Tags: home security, home security alarm, Home Security ideas, home security tips
If you were to design the ultimate security system for a house, what would you focus on? These days, many people would immediately think in terms of the most technologically advanced alarm system—one that’s voice activated, detects motion anywhere, can be remotely controlled and allows remote viewing of the home, etc.
But even in this day and age of connectedness, the best security system begins with the front door. That’s because, essentially, the door is potentially your home’s weakest link—no matter how high tech the alarm system is.
Contrary to TV and movie depictions—even TV commercials for security systems—of burglars always smashing through windows in the dark (makes a noisier, more dramatic effect), by far the No. 1 entrance for an intruder is the front door. And often, it’s kicked in.
That’s because typically, only two or four mite-sized screws are holding up one or two little strike plates, attached to a weak door frame of thin pine. If you only knew how easy it is to sever pine. 10 year old kids in karate classes do this with their bare hands.
What if your door included one-sixteenth inch of heavy steel? Try kicking through that. And what about a four foot bar that’s installed over the strike plates, screwed right into the door’s frame? Wow, you have one tough-ass security system for your door: The Door Devil Anti Kick Door Jamb Security Kit. It includes:
- Three and a half inch heavy screws, which go into 2 x 4 studs located behind the door frame
- Steel door jamb reinforcement (48 inches): replaces the small brass strike plate
- Three inch screws for reinforcing the door hinges
In addition, there are other things you can do to make your door more impenetrable.
- A door bar jammer or door brace: One end fits snuggly under the doorknob, while the other end is angled out and affixed to the floor.
- Deadbolt wrap: This will reinforce the area around the door lock.
- A better strike plate: Thicker means better.
- Door frame reinforcement: This steel implement is up to four feet in length, and some versions are decorative.
Of course, all of these measures add up to zero protection if you leave your door unlocked. Many intruders gain entry through unlocked doors. It’s that simple. But don’t forget that even a very determined burglar tires out and does not want to be standing there all day trying to kick down a heavily reinforced door.Filed Under: home security