Security Brief – July 1, 2023


Seasonal Scam Alert

CISA, the Cybersecurity & Infrastructure Security Agency, has issued a warning about scams in the aftermath of natural disasters.

The full warning (and others like it) is on CISA’s site, but essentially, they want us all to be on alert for criminals using “email or malicious websites to solicit personal information by posing as a trustworthy organization, notably as charities providing relief. Exercise caution in handling emails with hurricane/typhoon-related subject lines, attachments, or hyperlinks to avoid compromise. In addition, be wary of social media pleas, texts, or door-to-door solicitations related to severe weather events.”

Welcome to Hurricane Season, where the weather is not even the biggest part of the disaster anymore.

3 Headlines

1. JP Morgan Fined for Deleting 47 Million Emails

The Securities and Exchange Commission (SEC) has just fined JPMorgan Chase $4 million for deleting 47 million emails from early 2018.

The emails were deleted in 2019 from 8,700 inboxes belonging to as many as 7,500 employees in the retail banking division of the nation’s largest bank.

The SEC says the contents of some of the emails, which could not be recovered since they were permanently deleted, were requested in subpoenas for at least a dozen civil securities-related regulatory investigations.

JPMorgan claims the messages were mistakenly deleted due to miscommunications between the bank’s corporate compliance technology division and an outside vendor tasked with archiving and deleting communications dating back to the 1970s and 1980s. JPMorgan reported the deletions in 2020, when it discovered them.

The SEC order reports, “a member of JPMorgan’s compliance department acknowledged in an internal email after the deletion event was discovered that lost documents could relate to potential future investigations, legal matters and regulatory inquiries.”

JPMorgan has agreed to some sanctions from the SEC and has implemented some new policies. This is the third time the investment advisor has agreed to punishment for failing to preserve electronic records.

Why does this matter to you?

First, let me just say that I’m not going to debate whether the amount of the fine is hefty or a slap on the wrist. I’m also not going to speculate how the emails were permanently deleted and unrecoverable. Accidents can and do happen. What I want to point out is that the vendor did not get fined. JPMorgan did. JPMorgan’s reputation is getting hit for this, not the vendor’s.

Almost every type of business is subject to some sort of governance or oversight. JPMorgan apparently got this fine because the vendor failed to apply the proper retention setting (3 years) for those emails.

What I want for you and your business is to a) know your regulations and compliance requirements, b) put the proper safeguards and policies in place to protect yourself from situations like this, and c) communicate and overcommunicate with your staff about what’s happening with your company. Help them be invested so they will help keep you protected. And choose partners you can trust to be diligent and have your best interests at heart.

2. Massive Impersonation Campaign Imitates More than 100 Brands

Bolster, a software company that builds AI/ML technology to ‘protect regular citizens from bad actors on the internet,’ recently reported on a year-long campaign that impersonated 100+ of the most popular clothing, footwear, and apparel brands.

Names you know, such as Nike, Adidas, and Tommy Hilfiger, were all targeted. The investigation revealed an extensive network of brand impersonation scam sites, with more than 3,000 live domains identified.

And these sites were very well made, so much so that they were appearing as the second and third listing in search results and visitors were completing online shopping visits, providing credit card and other payment details.

So why should you care?

This is the perfect reminder that criminals are not the sloppy, typo-ridden Nigerian princes of days past. They have tools to look professional and to scale quickly.

And while your company may not be as big a household name as Nike, and so was not targeted in this particular campaign, the ease with which these scams can be rolled out means that we are all targets.

So as users, we need to remember to be vigilant about the websites we visit. Look carefully at URLs for copycat domains, and never enter passwords or payment information on sites you do not independently navigate to.

As business owners, we can consider tools like reputation management monitoring so we find out quickly if something like this scam campaign is using our brand, or maybe work with a business like Bolster, though I have not used it and cannot vouch for it. More importantly, we need to keep educating our employees, stakeholders, and partners about the kinds of scams that are out there and how to recognize them so we don’t fall prey. Security awareness training cannot be a once-a-year email or webinar. It needs to be ongoing.
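The “look carefully at URLs for copycat domains” advice above is exactly what a brand-monitoring tool automates. The script below is an added example written for this brief; it is not code from the newsletter or from Bolster. It takes a list of brand names and a list of observed domains (both constructed here; a real run would feed it newly registered domains or certificate-transparency logs) and flags three kinds of copycat: look-alike characters folded back to the brand (`t0mmyhilfiger.com`, or a Cyrillic е in `nikе.com`), the brand embedded in a longer name (`nike-outlet-sale.com`), and near-misspellings (`adidsa.shop`). The allowlist of the brands’ own domains and the 0.8 similarity threshold are assumptions for the example.

```python
"""Flag copycat (lookalike) domains for a small set of brand names.

Added example for this brief; not code from the newsletter or from Bolster.
Brand list, allowlist and the 'observed' domains are constructed sample data.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Brand names to protect and the domains they legitimately use (constructed
# allowlist; a real deployment would load the organization's registered domains).
BRANDS = ["nike", "adidas", "tommyhilfiger"]
ALLOWLIST = {"nike.com", "adidas.com", "tommyhilfiger.com"}

# Characters commonly swapped in for Latin letters: a few Cyrillic look-alikes
# and digit substitutions. '1' is ambiguous (l or i); we choose 'l' and leave
# the other reading to the similarity check.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
})

def registrable_label(domain):
    """Lower-case the host, decode punycode if present and return its second-level
    label, e.g. 'shop.nike-outlet-sale.com' -> 'nike-outlet-sale'.
    Assumes a single-label public suffix (.com, .shop); multi-label suffixes such
    as .co.uk would need a public-suffix list."""
    host = domain.strip().lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: keep as-is
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def normalize(label):
    """Fold a label to plain a-z so look-alikes compare equal to the brand."""
    text = label.translate(CONFUSABLES)
    text = unicodedata.normalize("NFKD", text)            # split accents off letters
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.encode("ascii", "ignore").decode()        # drop anything non-ASCII left
    return re.sub(r"[^a-z]", "", text)                    # drop hyphens and stray digits

def classify(domain, brands=BRANDS, allowlist=ALLOWLIST, threshold=0.8):
    """Return (brand, reason) when `domain` looks like a copy of a brand, else None.
    reason is 'exact' (t0mmyhilfiger.com, Cyrillic nikе.com), 'embed'
    (nike-outlet-sale.com) or 'similar' (adidsa.shop, edit similarity >= threshold)."""
    host = domain.strip().lower().rstrip(".")
    if host in allowlist or any(host.endswith("." + a) for a in allowlist):
        return None
    norm = normalize(registrable_label(host))
    for brand in brands:
        if norm == brand:
            return brand, "exact"
    for brand in brands:
        if brand in norm:
            return brand, "embed"
    best = max(brands, key=lambda b: SequenceMatcher(None, norm, b).ratio())
    if SequenceMatcher(None, norm, best).ratio() >= threshold:
        return best, "similar"
    return None

def scan(domains):
    """Return [(domain, brand, reason)] for every domain that classify() flags."""
    out = []
    for d in domains:
        hit = classify(d)
        if hit:
            out.append((d, hit[0], hit[1]))
    return out

# Constructed list standing in for a feed of newly registered / observed domains.
OBSERVED = ["nike.com", "shop.nike.com", "t0mmyhilfiger.com", "nik\u0435.com",
            "nike-outlet-sale.com", "adidsa.shop", "example.com"]

if __name__ == "__main__":
    for domain, brand, reason in scan(OBSERVED):
        print(f"{domain:25} -> looks like {brand} ({reason})")
```

The allowlist check comes first so the brand’s real site and its subdomains never trip the rule; everything else is compared after folding confusable characters, which is what makes a Cyrillic е or a zero-for-o swap land on the brand name exactly. The similarity pass is the noisy one, so in practice you would review those hits rather than act on them automatically.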

3. FTC Reveals 5 Most Common Text Scams

According to the FTC’s Consumer Sentinel database, text message scams cost consumers more than $330 million in 2022.

Texts have an estimated 98% open rate, so knowing the top 5 scam types can help keep you and anyone you share this with safe.

  1. Copycat bank fraud prevention alerts – these messages may ask you to reply YES or NO to verify whether a transaction was authorized or give you a number to call ASAP about suspicious activity. Remember not to reply to unsolicited emails or texts, and always independently check any bank or other account when you get an unexpected alert.
  2. Fake gifts or rewards…for a small fee. If you really win a prize, you do not have to give your credit card information; legitimate companies will cover shipping.
  3. Phony package delivery problems – Even though you’ve received tons of mail with no problem, suddenly there’s an issue with a mysterious package. And when you try to get the details, they ask for payment information for a ‘redelivery fee.’ If you’ve already made a purchase and paid for shipping, you won’t have to pay twice. And if someone sent you a gift that went out for delivery, you can rest assured they paid for shipping.
  4. Bogus job offers – These are sometimes fake ‘mystery shopper’ positions or opportunities to make money while driving around in a vehicle with ads on it. Other times, these texts target people who have posted their resumes on employment sites. No matter what the angle, never give your social security number or other private information to an unknown texter. Try to get the details on a company and job so you can confirm it by other means before giving any of your data away.
  5. Amazon impersonations – These texts ask you to verify a big-ticket order by calling a number in the message. If you do, you are connected with a fake Amazon rep who makes a mistake and refunds you too much. You are then asked to pay back the difference, usually via untraceable gift cards. Similar to other scams above, always check your accounts independently when you get any kind of alert like this. You’ll see there is no order in your account, and you can report the text to the FTC at https://reportfraud.ftc.gov/#/.

Try to remember that criminals will use any means available to reach you and separate you from your money or your data. It’s not just email anymore. It’s fake social media accounts, spoofed calls, and very often, texts.

2 Quick Stats

29,880

Check Point Research warns us that 29,880 domains related to holidays or breaks were created in May 2023. This is up 23% from last May. And last year, 1 in 83 of those live websites were malicious or suspicious.

Check Point Research also notes several scam email campaigns centered around summer vacation deals and approved leave requests that we should all look out for.

1 in 3

According to a June survey by PasswordManager.com, 1 in 3 job seekers has been tricked into applying and/or interviewing for a fake job in their searches over the past 2 years.

38% reported encountering fake job postings.

15% had personal information stolen.

9% had money stolen.

Good News

An attacker in the UK was convicted of man-in-the-middle cyber crimes.

A Man-in-the-Middle or Manipulator-in-the-Middle attack is when some form of tech is used to intercept communications, manipulate those communications for the criminal’s own devious purposes, and control a conversation between two systems, networks, entities or people.

According to the conviction details, in 2018, Ashley Liles’ employer became the victim of a ransomware attack. Liles’ role was IT Security Analyst, working alongside law enforcement to respond to and mitigate the attack. But Liles himself intercepted a board member’s email over 300 times, altering the payment details on blackmail emails in an attempt to have the ransom paid to himself. According to The Register, he also used an email address almost identical to the attacker’s to help pressure the company to pay up, though they did not.

Liles’ downfall was access logs showing that the board member’s email had been accessed from his home. Liles had tried to wipe his devices, but the proof was recovered. Despite the evidence, he maintained his innocence for 5 years until appearing in court in May. He will be sentenced in July.

Granted, this is an interesting twist that should be rare, but it’s a good lesson for any infosec professionals who may be tempted to join the dark side: you’ll get caught. More importantly, this conviction reinforces best practices we already know. Organizations should always maintain and audit security logs, and all members of a network, not just employees, should receive security awareness training so they avoid falling victim to a ransomware attack in the first place.
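The “maintain and audit security logs” lesson is concrete enough to show in code. The script below is an added example written for this brief, not code from the newsletter or from the investigation. It reviews mailbox login records and reports every successful login to a mailbox from outside the company’s known networks, which is the kind of review that would surface a board member’s email being read from an address it should never be read from. The log format, the corporate network range, the addresses and every log line are constructed for the example (RFC 5737 documentation addresses), not real data from the case.

```python
"""Flag successful mailbox logins from outside known corporate networks.

Added example for this brief; not code from the newsletter or from the case.
Log format, network ranges and every log line below are constructed (RFC 5737
documentation addresses), not real data from the incident.
"""
import ipaddress
import re
from collections import Counter

# Corporate egress range the mailbox owners are expected to log in from (constructed).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# One record per line in a simple key=value format (constructed for the example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: office logins from 203.0.113.x, late-night logins to the
# board member's mailbox from a residential address, and one malformed line.
SAMPLE_LOG = """\
2018-03-01T08:02:11Z user=board.member@example.com src_ip=203.0.113.10 action=MailboxLogin result=Success
2018-03-01T22:47:09Z user=board.member@example.com src_ip=198.51.100.77 action=MailboxLogin result=Success
2018-03-01T22:48:30Z user=board.member@example.com src_ip=198.51.100.77 action=MailboxLogin result=Success
2018-03-02T09:15:42Z user=it.analyst@example.com src_ip=203.0.113.22 action=MailboxLogin result=Success
2018-03-02T23:01:05Z user=board.member@example.com src_ip=198.51.100.77 action=MailboxLogin result=Success
2018-03-02T23:02:19Z user=board.member@example.com src_ip=198.51.100.77 action=MailboxLogin result=Failure
2018-03-02T23:04:00Z user=board.member@example.com src_ip=203.0.113.10 action=MailboxLogin result=Success
garbage line that does not match the format
"""

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def in_known_network(ip, known=KNOWN_NETWORKS):
    """True if ip parses and falls inside one of the known ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False        # unparseable source is treated as unknown
    return any(addr in net for net in known)

def unusual_logins(lines, known=KNOWN_NETWORKS):
    """Count successful MailboxLogin events per (user, src_ip) from outside `known`.
    Failed attempts are ignored here; they belong in a separate brute-force rule."""
    hits = Counter()
    for rec in parse(lines):
        if rec["action"] != "MailboxLogin" or rec["result"] != "Success":
            continue
        if not in_known_network(rec["ip"], known):
            hits[(rec["user"], rec["ip"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (user, ip), n in sorted(unusual_logins(SAMPLE_LOG.splitlines()).items()):
        print(f"ALERT {user} accessed {n} time(s) from unknown address {ip}")
```

Counting per user and source address, rather than alerting on each line, is what turns a few hundred reads of one mailbox into a single, obvious finding. The same review only works if the logs are kept somewhere the person being reviewed cannot edit or wipe, which is the point of maintaining them centrally and auditing them on a schedule rather than only after an incident.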

