Did you know it’s been 4 years since I started sending these top scams messages? I hadn’t realized it was that long.
And I’m proud to say that the feedback you’ve given me shows it has been worth doing. So thank you for that.
But now I think you’re ready for more. Well, different, not really more. I’m not going to send you anything more.
What I’m going to send now is still one single email on the first of the month but with an expanded scope. It will no longer be limited to the top 3 scams my team and I are hearing about or dealing with.
And that’s not because they’re no longer relevant. It’s because no matter how sophisticated the delivery methods get, the principles of handling the scams we talk about remain the same. And I don’t want you to get bored hearing the same old advice. You’re probably sick of it already. And there are many other security risks out there.
So going forward I -may- include a noteworthy scam. But I will also include critical software warnings, relevant business trends that can impact your costs such as cyber insurance, and other items that fall under the security brief umbrella.
I hope you continue to find it useful, and I’d love to hear your feedback. Reply to me anytime, good or bad.
From my perspective, the better prepared you are, the more protected you are. And awareness is still the key to protection. I just want to help broaden that awareness.
Arm yourself and your colleagues with the information below.
Thank you.
– Chuck
1. Seasonal Scam Alert
- Emails with a fake W-2 link
- Threats of your social security number getting cancelled
- Emails about liens on your assets
Click the IRS logo to get more info direct from the source.
Ransomware Recovery in the Wild
Who: Suffolk County, NY (government)
Impact: Most populated county in the state outside NYC’s 5 boroughs. Attack impacted civil service title searches, purchasing contract searches, Medicare direct deposits, workers’ compensation direct deposits and more. Websites down for the municipal government, county police department, mass transit system, and more.
Brief Timeline:
September 8, 2022 – Ransomware attack in County Clerk’s office forced systems offline
October 2022 – Systems certified as clean from malware
December 2022 – Specialists could begin to access computer systems in the County Clerk’s office
February 24, 2023 – Online services began to be restored and systems began to be reconnected to the Internet
Cost: 5.4 M dollars on investigation and recovery
My Take: Imagine the City of Savannah website down for 5 months, its employees unable to access computer systems for 3 months. How would they work? What open projects or information would they have lost? How could they continue to serve residents, visitors, and businesses? If you normally pay utility services online, would you have to use your time to go to an office in person and wait in line? What if you had a permit or zoning application in progress when this happened? How would it impact the courts, sanitation, or police operations?
Government is a well-known target for criminals because they have historically been slow to update their systems. Often this is due to time and money. But take a look at the time and money an attack costs above. Proper cybersecurity is critical. Invest in setting it up properly now or you’ll pay far more later.
Good News
KnowBe4 shared this headline that made me smile:
“Business Email Compromise Gang Gets Jail Time for Stealing Millions”
They mostly operated in Europe, specifically targeting France, but no matter where in the world they are, it’s good to know the criminals are getting caught.
Lonely at the Top…and More Vulnerable
The Wall Street Journal recently covered how changes in leadership at a company can make it more vulnerable to attack.
“A change in leadership in an organization is often a time of uncertainty, confusion and insecurity.
It’s also the perfect time for cybercriminals to strike.”
Their research showed that the likelihood of someone falling for a malicious email is higher during times of leadership change. And that hackers know it and often time their attacks to take advantage of such changes.
Makes sense, right? If you’re the new leader, you don’t know everyone yet. A well-spoofed email could easily seem legitimate.
On the flip side, if you’re an employee and you know there is a change at the top, you could understandably fall for fake announcements, policy change messages, or otherwise unusual requests.
Clear communication is key.
If you consistently make sure your team knows the standard methods of official company communication, plus the proper procedures for request approvals and raising the red flag on anything out of the ordinary, your times of transition should not turn into times of successful attacks.
Common Question & My Answer:
Should I click the Unsubscribe link on an unwanted email?
If you know me well enough, you know my answer is going to be, “it depends.”
I don’t say it to be vague; there are just various factors to consider.
- If the message is from a company or subscription you know–and that isn’t setting off warning bells that it might be spoofed–yes, it’s safe to click the Unsubscribe link. In fact, all businesses should include a safe and easy way to unsubscribe. Companies that require you to send your information to a mailing address or call to unsubscribe could be in violation of the CAN-SPAM Act.
- if you think the message is a scam or you’re not sure of the sender, no, don’t click the unsubscribe link. You could end up verifying that your email address is valid and start to receive even more junk or attacks.
A couple of other options to keep in mind are that your email service may offer their own ‘unsubscribe’ feature that you can take advantage of, and you can usually set up filters that automatically send certain senders or subject lines to your Junk or Trash folder.
When you’re at work, you can always ask my team to check an email out for you. And when in doubt at home, you can always delete.
