Business Technology Topic of the Month
- Include information on secure remote access in regular training and new staff orientations.
- Have policies covering basic cybersecurity, give copies to your employees, and explain the importance of following them.
- Before letting any device- whether at an employee's home or on a vendor's network- connect to your network, make sure it meets your network's security requirements.
- Tell your staff about the risks of public Wi-Fi.
- Require employees to use unique, complex network passwords and avoid unattended, open workstations.
- Consider creating a VPN for employees to use when connecting remotely to the business network.
- Require multi-factor authentication to access areas of your network that have sensitive information. This requires additional steps beyond logging in with a password- like a temporary code on a smartphone or a key that's inserted into a computer.
- If you offer Wi-Fi on your business premises for guests and customers, make sure it's separate from and not connected to your business network.
- Include provisions for security in your vendor contracts, especially if the vendor will be connecting remotely to your network.
- Scam emails with links and attachments that put your data and network at risk. These phishing emails make up ransomware attacks.
- Server vulnerabilities which can be exploited by hackers.
- Infected websites that automatically download malicious software onto your computer.
- Online ads that contain malicious code- even on websites you know and trust.
- Have a plan- How would your business stay up and running after a ransomware attack? Put this plan in writing and share it with everyone who needs to know.
- Back up your data- Regularly save important files to a drive or server that's not connected to your network. Make data backup part of your routine business operations.
- Keep your security up to date- Always install the latest patches and updates. Look for additional means of protection, like email authentication, and intrusion prevention software, and set them to update automatically on your computer. On mobile devices, you may have to do it manually.
- Alert your staff- Teach them how to avoid phishing scams and show them some of the common ways computers and devices become infected. Include tips for spotting and protecting against ransomware in your regular orientation and training.
- Limit the damage- Immediately disconnect the infected computers or devices from your network. If your data has been stolen, take steps to protect your company and notify those who might be affected.
- Contact the authorities- report the attack right away to your local FBI office.
- Keep your business running- Now's the time to implement the plan. Having data backed up will help.
- Should I pay the ransom?- Law enforcement doesn't recommend that, but it's up to you to determine whether the risks and costs of paying are worth the possibility of getting your files back. However, paying the ransom does not guarantee you get your data back.
- Notify customers- If your data or personal information was compromised, make sure you notify the affected parties- they could be at risk of identity theft.
- ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance- not to buy something, and not to protect your money. That's always a scam.
- ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
- NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or asks you to send them crypto, that's a scam.
- A so-called "investment manager" contacts you out of the blue. They promise to grow your money- but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
- An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
- Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees. Much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam. Even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
- Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
- Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details.
- IF YOU SEE A TWEET ( OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!
Technology Topic of the Month
What is Account Takeover
Account Takeover (ATO) fraud involves a criminal gaining unauthorized access to a user's account and using it for some type of personal gain.
What is Account Takeover Fraud?
Account takeover fraud can involve any type of online account, social media, and online banking accounts. Commonly targeted accounts are those from which a criminal can steal money. For example, a hacker might gain access to an online banking account and send funds to their own account. A fraudster could take over a social media account and invent a reason to request money from family and friends of the victim.
Difference Between Account Takeover and Identity Theft
With account takeover, the fraudster is using an existing account, whereas in identity theft, they would open up a new account while posing as the victim.
How Do Criminals Get Credentials In the First Place?
A data breach is when a list of usernames (and potentially accompanying passwords) is leaked. These lists go on sale on the black market, meaning any number of criminals could be using them at the same time.
If a username and password for one account is known, hackers can use automated systems to try the same combination on a list of popular online platforms. This is referred to as credential stuffing, and is the reason it's so important to use a different password for every account.
These attacks may occur via email, over the phone, or via text message. The fraudster is trying to get you to hand over your login information. A phishing email might pose as a customer support message that persuades you to click a link to a phishing site (a fake website designed to phish for information). Here, you are prompted to enter your login information, which is then stolen by criminals.
An example of an account takeover scam initiated over the phone is an iteration of the tech support scheme.
For example, the criminal poses as a Microsoft representative and persuades you that your computer has a virus and needs to be fixed. You hand over remote access to your device, and the criminal can access any accounts you have credentials stored for. They may purport to be "testing" accounts and access them in plain sight, or they could remote access to install spyware.
Specific types of malware downloaded onto your device from malicious email links or attachments could expose your credentials. Some spyware takes regular images of your computer sessions, while key loggers record every keystroke, exposing your usernames and passwords.
Hacking Over Unsecured Wife
Many people think nothing of logging in to free Wi-Fi while at a cafe', mall, hotel, or airport. But these networks are often unsecured and represent a great opportunity for hackers to steal your information. A common attack over these networks is a man in the middle attack in which the hacker intercepts the contents of your internet traffic.
What are Attackers Trying To Do?
Here are some of the different things that criminals can get up to once they have access:
- Credit Card Fraud- Credit Card details for use in credit card fraud.
- Merchant Account Fraud- With access to bank account, an attacker can transfer funds to another account, among other things.
- Re-sell credentials: Username and password combinations may be posted for sale on the black market.
- Take out loans: Access to financial accounts can be used to take out loans and even mortgages in the victim's name.
- Monetary requests: By taking over a victim's social media account, the attacker can pose as the victim and make requests to family and friends for money.
* Once a criminal has access to an account, they usually very quickly try to lock the real user out by changing the password, recovery email, two-factor authentication settings, and security questions and logging out of other devices.
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so that she can email out right away.
- A home buyer receives a message from his title company with instructions on how to wire his down payment.
- Spoof an email account or website. Slight variations on legitimate addresses fool victims into thinking fake accounts are authentic.
- Send spear phishing emails. These messages look like they're from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
- Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don't question payment requests. Malware lets criminals gain undetected access to victim's data, including passwords and financial account information.
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don't click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an attachment from someone you don't know, and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
- Be especially wary if the requester is pressing you to act quickly.