Since 2004, October has been recognized as Cybersecurity Awareness Month. It originated from the Department of Homeland Security and has grown from a national to an international effort. Infinity is proud to be a Champion of it.
Why should you care about it?
In simplest terms, because our modern (online) lives put us at risk.
Everything is connected now. From our phones with all our emails and accounts, to our social networks, to our smart home devices and the world at large.
Unless you’re living off the grid without email and Internet somewhere (in which case, you wouldn’t be reading this), then you are connected.
And those connections need to be protected.
So this month we’re focusing on 4 ways you can do just that.
- Enable multi-factor authentication on every account that offers it. This simple step to enter a code or click one extra time has been proven to be 99% effective against account takeover attempts.
- Run your software updates. Whether it’s on your phone, your computer, or even your smart TV, get out of the habit of hitting ‘remind me later.’
- and 4. Find here with additional details.
Here’s the extra I mentioned. It’s a tipsheet that basically sums up what I try to illustrate in these emails each month. I know these examples can get long sometimes, and they may not be as fascinating to you as they are to me. That doesn’t mean I want you to stop reading them, of course, but this sheet is succinct guidance you can print out and refer to at any time.
1. Post Hurricane/Disaster Scams
In June, we heard it from the Federal Trade Commission (FTC). And just 2 days ago our own Attorney General issued another warning for consumers to be on the lookout for price gouging and scams in response to Tropical Storm Ian.
“Unfortunately, con artists will try to take advantage of those impacted by a weather-related disaster or individuals looking to donate to their neighbors in need,” said GA Attorney General Chris Carr. “As we continue to pray for the families and communities in the path of Tropical Storm Ian, we want to remind consumers of the important steps they can take to protect themselves from price gouging and scams. We know this is a difficult and scary time for many, and anyone who is artificially increasing costs on the backs of hardworking Georgians will be held accountable.”
It is fairly easy for a scammer to set up a realistic-looking website, copy a logo, or create a name that sounds very close to that of a well-known charity. Many scammers offering work will even come to your door.
It’s important to be careful when responding to ads or posts on social media or crowdfunding sites, as these are not always legitimate – even if they have been shared or liked by your friends.
It is very important to take your time to review an organization thoroughly before you give someone your money.
What can you do to avoid these scams?
CISA, the Cybersecurity and Infrastructure Security Agency, says to exercise caution in handling emails with hurricane-related subject lines, attachments, or hyperlinks. Remember that events that impact a large area or a lot of people will always be a hot topic for criminals.
The Attorney General’s Consumer Protection Division offers the following tips to help consumers avoid scams and other fraud in the aftermath of a storm.
- Steer clear of any contractor who asks for full payment up-front, only accepts payment in cash, or refuses to provide you with a written contract.
- Avoid door-to-door offers for home repair work. Instead, ask friends and neighbors for referrals.
- Be skeptical of any contractor that offers to pay your insurance deductible or offers other no-cost incentives, as these can be signs of fraud. Always talk to your insurance company before committing to any storm-related repairs or inspections.
- Ask contractors for references and check them out.
- Check with the Better Business Bureau to see if there are any complaints against the business.
- Ensure that the contractor has the required licensing and/or affiliation, especially for work involving tree removal and treating water damage or mold. Not all contractors are required to be licensed by the state, but you can see those that are at sos.ga.gov.
- Legitimate contractors should be able to provide the following:
  - Business license
  - General liability insurance
  - Workers compensation insurance
  - Written manufacturer warranties
  - Written labor warranties
2. New Browser-in-the-Browser Technique
This is another example of how the criminals are getting more sophisticated in their tactics. A new credential-stealing technique pops up looking like a new window used for authentication; only it’s actually part of the initial malicious site.
Browser-in-the-Browser (BitB) takes advantage of sites that use a pop-up window for user authentication. With a little bit of code, conveniently available in a kit, hackers can make a scam window which at first glance is indistinguishable from the authentic one.
Researchers at Group-IB report messages with attractive offers being sent to lure victims to a scam page with a login button.
Almost any button on the bait webpages opens an account data entry form mimicking a legitimate window. It has a fake green lock sign, a fake URL field that can be copied, and even an additional window for two-factor authentication.
Currently, this is only being reported by gamers on Steam, but with the common use of third-party authentication (such as Google, Facebook, Microsoft 365, or any cloud-based directory service), this same technique could soon be used to trick users into providing business credentials.
How can you protect yourself?
- Ideally, you don’t have to worry about the following ways to identify this as a scam because you do not click on links in unsolicited messages. That said, there are ways to see if the popup window is real or not.
- First, look at your taskbar. Did another browser window open? If not, then this isn’t a real popup window. (Keep in mind we are not talking about new tabs in the same browser window. This scam appears as its own window popup.)
- Try to change the size of the popup window. Dragging the corners or clicking the maximize button will not work in this kind of scam.
- Check for inconsistencies in fonts and design between the ‘real’ window and the popup.
- Test the padlock symbol in front of the URL on the popup. Authentic browsers display SSL certificate information when you click on the lock.
3. Dark Web Email Scam
The Federal Trade Commission (FTC) has recently issued a Consumer Alert about emails claiming your data is for sale on the dark web.
People report getting messages that can include some of the ‘stolen information,’ such as all or part of the person’s Social Security number, date of birth, and driver’s license number.
The FTC wants everyone to know that these emails themselves could be the trick.
Granted, if you use a credit monitoring service or a credit card with a company that monitors the dark web, then this kind of message could be real. However, this is also an effective scam scare tactic.
Kelle Slaughter, the FTC’s Identity Theft Program Manager, says, “These emails may contain links and people may be subject to click them which could download malware, and compromise personal information on their computers.”
So how can you stay safe from this?
- Remember to stop yourself any time you read an unsolicited message that evokes any kind of emotion, whether that’s fear, anger, overwhelming sympathy, etc. Scammers like to make their targets feel emotional so they act quickly, without thinking things through.
- Look carefully at the sender name and address. If it seems like a legitimate company you should be receiving this kind of information from, then navigate to their website independently of the email and log in.
- Don’t be fooled by the ‘information’ of yours included in the message. Far too much of our data is publicly available, and the millions of data breach records can easily fill in the rest.
- However, the FTC recommends treating the message as real and acting accordingly to better protect yourself.
  1. Change the passwords on your email accounts. Email accounts often are the weak link in online security because password resets for other accounts go to your email.
  2. Check your credit reports. After securing your accounts, make sure nobody has opened new accounts using your information. Visit AnnualCreditReport.com to get an annual free credit report from each of the three nationwide credit bureaus, Equifax, Experian, and TransUnion. Through December 2023, you can get a free credit report every week from each of them at the website.
- Consider signing up for dark web monitoring so you’ll know from a reputable source whether your data is at risk. This can often be helpful for businesses as well as individuals.