As many of you know, I’m big on using Password phrasing (15+ characters, unique to you and just as important, puts a smile to your face) to protect yourself and AFMC from the baddies’ wrath. In case you’re wondering what it’s like to use a simple password, please check out this article, along with noting the below statement https://www.zdnet.com/article/the-worst-passwords-of-2020-show-we-are-as-lazy-about-security-as-ever/ :
“While vendors need to be reminded that allowing easy and simple combinations do nothing to protect the privacy and security of users, it is also up to us to take responsibility for our own accounts.”
Once again the Baddies are throwing out various ways of infecting our devices, including our mobile phones / tablets. Use “Wise Trust” with any and all text / SMS messages that are thrown your way (the latest is a “your parcel has been sent out”) and ask yourself why you’re getting this text message. If by chance you’re waiting on a parcel, do not use that SMS link, and instead go to the Courier’s website using your browser.
See https://www.tomsguide.com/news/wroba-mobile-trojan-ios-android for more details
Are you sure that’s your colleague / friend? Gather many of you are aware of this past summer’s Twitter hack of celebrity accounts. The investigation is showing that the baddies found a way to contact several Twitter employees and were able to convince one of them that they were IT support, then leverage that contact to speak to others that allowed them the super access to the Twitter system. The Wise Trust lesson is that anyone can be impersonated and you need to ask the, sometimes uncomfortable, question by calling whoever directly to make sure they are who they say they are.
In my Scam Avoidance presentations I do emphasize the following uncomfortable point: “Regardless of fault, if you get scammed, you have to own it”, and as per the article’s victims (see link below), there’s no explanation as to why the individuals lost money, even with them stating they’ve followed security recommendations (Two Factor Authentication, unique passwords, avoided opening up suspected emails, etc.).
Sometimes Wise Trust can only go so far, but you have to look at YOUR risk capability, along with the reputation of the firm you’re working with, to be aware of how they’ll respond to hacking.
Though it may seem like it’s unlikely to happen to you, the Baddies are watching for potential victims, possibly by tracking your sign up to an in-store text message promotion.
As outlined in the below article, a couple decided to take advantage of Shoppers Drug Mart promotion with them receiving a weekly text to ‘See if you’re a winner and click on the link!’. Then one time they received a link to enter their PC Optimum login details, which resulted in their points being cashed in.
The couple had their points returned, and Shoppers is claiming that it wasn’t due to one of their texts, it is thought that the couple experienced a “smishing campaign” that is like email phishing, but done over text. Were the baddies lucky in that this couple happen to receive one of thousands of scam texts that mimic a legitimate service or was it due to some technical hack / research, we may never know?
The takeaway, always be weary of the correspondence you receive personally and professionally, and use Wise Trust to avoid following into a victim trap.
From https://www.cbc.ca/amp/1.5713366 comes this statement:
Fraudsters stole nearly $3,000 — the maximum amount allowed for an e-transfer payment — from 48 Sunova customer accounts, using an ad on Google designed to look like Sunova’s real site and glean users’ banking information if they clicked on it and tried to log in.
And here’s the Google search page (noting it can happen with any search engine):
Here’s the question / take away:
- Would your “Wise Trust” awareness be enough to not click on the first link presented? Be honest, as I’m betting that at least some of us (due to be busy or whatever) wouldn’t have spotted the fake.
- The victims have to own the fact that they’re on the hook for $1k deductible, as it was their own actions that resulted in the scam happening.
Lessons learned and please pass the knowledge on how to protect yourself, family and friends.
Wouldn’t you know it, it’s not enough to be on the lookout for Excel, Word and PDF attachments along with any links that the baddies throw our way, we now have to be aware of legitimate looking Google Drive, Microsoft OneDrive and SharePoint links along with OneNote attachments. The below article is a good overview on an impersonation attempt with someone you know and the multi-layered steps they take to lure you in. As the author states quite elegantly “As we’ve said many times before, the only thing worse that being scammed is being scammed and then realising that the signs were there all along. Crooks don’t always make obvious mistakes, but if they do, make sure you don’t miss them.” https://nakedsecurity.sophos.com/2020/09/02/phishing-scam-uses-sharepoint-and-one-note-to-go-after-passwords/amp/
Ever wondered how it is that your login details from an older website breach are readily available and used as another lure to fulfill Blind Trust actions as you believe the baddies have all of your login details (it is very unlikely they have your new login details, which you’ve no doubt already changed, RIGHT?). If you’re interested in a gentle mental exercise, see the following article from Troy Hunt https://www.troyhunt.com/we-didnt-encrypt-your-password-we-hashed-it-heres-what-that-means/ and why you need to use unique phrases for your passwords.
Hello and I’m going to keep this short. Whatever you do, take the time to review the PDF document below, especially for the examples presented and the last page of general advice. Please forward to your friends and family, so that we can all be aware of what’s hitting us on a regular basis and avoid being the victim.
Zix MId-Year Global Threat Report 2020 (10 MB PDF)
And now some Cyber prevention tips from the far easterly point in Canada, that is relevant no matter where you’re from in this great country of ours. Regardless if your credentials happen to have been compromised or not, following these tips will help your Wise Trust assessments of the threats we all face. https://vocm.com/2020/08/21/better-business-bureau-cyber-attack-tips/
1. If aware of a compromise implement a credit freeze / fraud alert with your bank / credit reporting agencies;
2. Update the passwords for all of your online accounts (especially if you happen to reuse the same password – bad idea by the way);
3. Monitor your credit card transactions carefully;
4. Avoid fake emails;
5. Enable multi-factor authentication where available;
6. Shakeup your password protocol using unique password phrasing for all accounts;
7. Play hard to get with strangers (they will do their best to lure you into Blind Trust actions that make you the victim);
8. If you have to use public Wi-Fi connections only do so cautiously and carefully;
9. Never click and tell.
Some thoughts to pass along in regards to various messaging scams that are popular, probably a rehash of old techniques:
- Be careful of “Voice Message / Mail” notifications,
as the baddies are taking advantage of duplicating standard layouts
from a variety of providers. Use Wise Trust before opening and forward
to me if not sure;
today’s video conferencing world, be suspicious of unexpected invites
to Zoom, Teams or Google Meet / Duo as baddies are using them to catch
- And as always, if a message comes from someone you know, but looks odd, call the person to verify.
Are you at risk of ID theft? Here are 5 tell-tale behaviours https://www.techradar.com/news/are-you-at-risk-of-id-theft-here-are-5-tell-tale-behaviours
Very apropos given one of today’s CBC headline news regarding CERB Payments on hold due to Fraudster with a quick overview of the five behaviours we need to be careful of or avoid entirely:
- Not regularly checking credit card / bank statements (the latest email – text notifications from the banks is useful);
- Use the same username / email address & easy to remember password (password phrasing, unique password & password manager or securely document your logins);
- Never checked your credit report outside of getting a loan (it’s becoming easier to do so and best to do it before asking for that loan);
- Use Blind Trust and click on any links getting sent your way (as always, do not trust a link till you use Wise Trust to validate);
- Extensive sharing on social media (posting publicly your actions make it easy for the baddies to take over your account)
Received a message stating the baddie knows your password?
Given the multitude of hacks on big firms (yahoo being one infamous example) it is likely that at least one of your email addresses along with a password is known to the baddie community (see https://haveibeenpwned.com/ to confirm) and such it shouldn’t be considered unusual to get a extortion message (sometimes with very personal like details) with the baddie stating they have proof your laptop is being actively monitored by showing they have a known email / password. If you or a family / friend receive one of these “Demand for Action” type message, stop, use Wise Trust, and reach out to your techy support to discuss further.
See the following link for further details, with emphasis on the following three steps:
- “Don’t Panic”, as it is most likely an automated message trying to lure you in;
- “Change that password wherever you have used it”, assuming you haven’t done so already;
- “Report It”, especially if you’re a victim (Note: Reporting it, should include passing it on to friends, family and your technical support people.)
Phishing, Pharming, Vishing, Smishing and CONSENT
Wanted to go over the various methods of either obtaining your password or gaining CONSENT as you may use Facebook / Google / Microsoft account to access other vendors:
- Phishing; using email to fraudulently obtain personal information (for example, verifying Date of Birth) or lure you to another website;
- Pharming; managing to make changes to your browser that has you redirected to other, sometimes look alike, web sites that ask for personal information;
- Vishing / Smishing; using your mobile device (voice or text) that either gains your trust or threatens you to obtain information or money;
- Note, two authority scams were perpetuated in Canada recently, causing the victims to lose $10k & $2k of their hard savings.
- CONSENT; not all scams are direct, some utilize websites or apps in which it asks you to setup a login by using a Facebook / Google / Microsoft (Parent) account and thereby gains permissions to further infiltrate that Parent account and take it over.
Though this article is a bit dated (you now check the padlock to the left of the web address) it reiterates what to look for and use Wise Trust wherever possible to protect yourself. Remember to pass the word to family and friends.
And another reason for getting the word out to as many people as possible is to warn them of scams. The following 3 sentences say it all:
“At the story’s end, she cried bitter tears, absolutely inconsolable at what she’d done — sending $10,000 to fraudsters posing as the police. It was her life savings as a cleaner in Canada and the scam left her with 33 cents in her chequing account. Within about an hour Monday, it was all gone.“
As we celebrate Canada Day, find time to discuss with Family and Friends that any Covid-19 app tracing you decide to participate in, comes from official government websites. Note it may not be easy to distinguish between a government sponsored posting versus a baddie, so please discuss / share official links and avoid any social posting that demands action or looks odd.
Pretexting – Tailgating; when talking to family and friends about their security discuss the terms Pretexting (the attacker pretending to be an authority or authorized person) & Tailgating (following someone through an opened locked door, pretending to be delivery or repair person). Either of these techniques depends on someone using “Blind Trust” to gain unauthorized access and making you the victim. See https://www.csoonline.com/article/3546299/what-is-pretexting-definition-examples-and-prevention.html for further examples (it includes an interesting corporate / legal story).
Biases in Perceptions; came across this article, and though written from an IT risk perspective, I felt Georgia Crossland PhD researcher’s lessons are shareable to us all as they cover off the following normal human thoughts:
- Optimism bias; the impression that we have this under control and not questioning our actions before they’re too late;
- Fatalistic thinking; can’t do anything about it so why bother to make the effort to protect ourselves or our family / friends.
For those of us who are parents, custodians or bearers of advice, you always wonder how many times you can repeat yourself (for parents, saying “No” seems to be a favourite pastime) and such I’m always interested in finding different ways of increasing awareness of how to avoid being scammed. Came across the following article, which in a nutshell reinforces that we all make mistakes (even the author) and such puts a new perspective on being aware. When you have a chance, check out https://www.infosecurity-magazine.com/blogs/click-here-falls-scams/. I have the following points for you to keep in mind when discussing with family and friends:
- Some scams are intentionally badly written, so that they can identify gullible people (i.e. this is part of their strategy to fully wring out all available funds from a victim);
- These are desperate times for a number of our associates and that desperation can lead to Blind Trust decisions that put them further into the hole (be there to support / guide them to use Wise Trust, regardless on how bad things might be);
- A direct quote to be aware of for all of us: “The trick (from the scammers’ perspective) is to make the scam at least as convincing (if not more so) than the legitimate actions or transactions we make every day.”.
Once again encouraging you to talk to families and friends about Wise Trust actions, be aware of Covid-19 (or whatever is the news of the day) imitation sites with the purpose of doing harm by harvesting data / pushing out malware and you need to avoid clicking on text / email links that are being spammed out to you. See https://www.zdnet.com/article/crooks-are-using-realistic-looking-webpage-templates-to-trick-you-into-handing-over-personal-data/ for further details.you
Wanted to share recent news headlines that once again emphasizes that we in the community need to do more to spread the word on Wise Trust / proper password hygiene as the baddies have proven to be inhumanly mean if you don’t:
“Over 500,000 Zoom accounts sold on hackers forums”, a recent investigation has shown that users are using the same account credentials (email / password) that have been previously been harvested, some from many years ago, and the baddies are using these same credentials to get hits on Zoom accounts and confirming they still work.
Take away; Use password phrasing or Password Manager to have unique logins for all of your accounts.
- Keep your personal details on “public” Social Media posts to a minimum as the baddies are reading those same posts and are on the lookout for victims.
The FBI’s Charlotte office released an alert describing how scammers can use personal information on social media to break into online accounts. As people are confined to their homes, many have been drawn to social media where they’re encouraged to share information about themselves, like their pets’ names, the types of cars they’ve owned, and their mothers’ maiden names.
Many of these games are innocent, but they’re also goldmines for criminals seeking answers to account security questions. Even if you haven’t used personal information for security questions, sharing excessive information about yourself can allow attackers to craft targeted social engineering attacks against you.
A couple of new baddie techniques to be aware of:
Website browsing in what you consider to be safe sites, doesn’t mean a baddie doesn’t have a trap waiting for you (similar to walking a downtown street and being pickpocket). See the following document for an example of a Fake Security Certificate, that tries to convince you to download a current certificate. Certificates are handled by the website owner, not by you. Close the browser immediately when you encounter this and avoid wherever you were browsing previously;
Baddies are using OneNote file attachments as another way of loading malware on to your computer. Regardless of the attachment, use Wise Trust to think before opening, and if not sure, delete the email.