Did You Know?
The US Postal Service (USPS) has become the most impersonated brand, overtaking Microsoft.
This is based on Guardio’s Brand Phishing Report for Q1 2024.
“The early months of 2024 have shown that cybercriminals are diversifying their methods, extending beyond the traditional focus on technology and retail sectors in previous years.”
You’ve likely experienced one of the most common scams yourself. A text claims there is a problem with your package delivery, and they want you to log in and/or confirm personal information – along with a small fee sometimes – to fix the problem.
Text notifications are so common now, and phones continue to have so many fewer protections than computers and email systems, that this is not a shock.
The sudden surge in Q1 is something researchers will continue to track, but the main takeaway is to treat your phone the same way you do your business email (and hopefully your personal email as well).
Always stop yourself when an unexpected message comes in.
If it is asking you to click a link, open an attachment, or provide personal information, treat it very suspiciously. If it seems urgent, be downright skeptical.
Try to find out where the link is pointing (without clicking on it), or simply share it with your IT team and let us dig into it in a secure environment.
Log in independently of the message to see if there is any real alert on your account.
Do not reply or engage with the message, but report the sender as a scammer if you can.
Ripped from the Headlines:
Athletic Director Used AI To Frame Principal With Racist Remarks In Fake Clip: Police
This news out of Baltimore, MD may be the first of its kind in the country, and some authorities say that laws may need to be updated to catch up with the damage AI technology can be used to cause now.
What happened?
It appears to be the story of a disgruntled employee seeking revenge. The Athletic Director faked an audio clip of the principal saying negative things about students and teachers, which was shared on social media and resulted in serious real-life consequences.
Why does this matter?
We’ve seen deepfakes with celebrities, and we’ve talked about how AI could influence elections. We’ve shared examples of scammers using voice cloning to scare you with the sound of someone you know in danger, in order to steal your money.
But this was not a high-tech foreign agent or someone whose job is to be a cyber criminal. This was an employee in a high school.
As the article points out, “Experts warned that artificial intelligence is becoming increasingly powerful, while the ability to detect it may lag behind without more resources.”
As exhausting as it is to be critical of everything we see, hear, and read, we need to stay vigilant.
World Password Day is Thursday, May 2
Celebrate with a little password pulse check.
Intel made up this ‘holiday’ in 2013.
It’s meant to remind us all to take a close look at our logins and make sure they check the required security boxes.
And it’s actually more important now than when it began.
Experts at security company KnowBe4 report that “the average person has 5 to 7 passwords that they share over 150 sites and services.”
We all know sharing passwords across accounts is a no-no. But having 150 passwords to keep strong and secure sounds practically impossible.
Rather than have you feel overwhelmed at all the passwords you should update and old accounts to close out, I’d like to give you 2 steps to better protect yourself and everyone you’re connected to.
- Enable MFA on every account that offers it. That way, even if you are using (or reusing) a weak password, you will have another level of protection.
- Get a password manager. There are options out there (some free) that will create and remember strong passwords for you. They can take time to set up initially, but even if you start with just your few most used logins, you’ll be safer than doing nothing at all.
Updates on the AT&T Breach
As you probably heard in March, AT&T suffered a breach of 73 million former and current customers’ data.
They have now notified those customers, as well as U.S. state authorities and regulators, of the security incident.
As a quick recap, AT&T was made aware of a potential breach in 2021 by hackers who claimed to be selling a database of their customers’ info. AT&T denied that they had been breached and said the data did not appear to come from their systems.
In March 2024, the data was found on the dark web and confirmed by AT&T to belong to their customers. AT&T believes the breach dates back to 2019 or earlier.
Now, they are facing a class action lawsuit for negligence and breach of contract.
The stolen data contains personal information including phone numbers, account numbers, PINs, emails, DOBs, and social security numbers. AT&T said the information does not appear to contain personal financial information or call history.
They’ve offered 1 year of identity-theft and credit-monitoring services, and customers who want it will need to sign up by Aug. 30, 2024.
But what do you think happens next?
Did they investigate fully enough in 2021, or could they have done more?
Was a weakness in one of their vendors’ systems the cause of the breach?
Will they get a slap on the wrist, or will authorities want to make an example out of them?
Will the lawsuit set precedent for stronger data protection requirements of large companies?
Will they lose customers because of how they’ve handled the situation, or are they so big it doesn’t matter?
I don’t have the answers, but I’m interested in learning more.
We take security incredibly seriously at Infinity, for our clients as well as for ourselves. And the worst can happen, even when you think you’ve done everything right. So we will continue to layer security measure upon security measure and learn as much as we can from the examples of others.
If you have any questions about security, please feel free to ask.