FTC Warns of Vishing Increase after Equifax Data Breach

The Federal Trade Commission (FTC) is warning consumers about an uptick in vishing, following the recent data breach of one of the three major credit bureaus, Equifax.

Vishing is a form of phishing, where the scammers place a phone call to a potential victim requesting sensitive or personal information. The FTC warning emphasizes that any calls from anyone claiming to be from Equifax are fraudulent.

The federal agency is also providing additional tips to help consumers after the breach, which allowed cyber criminals to access names, addresses, Social Security numbers, birth dates, and some credit card numbers of about 44 percent of the U.S. consumer population.

  • Do not trust the caller ID that appears on the phone display. Scammers can easily spoof, or imitate, actual numbers on those displays to make you think it is from a legitimate caller.
  • Hang up on robo calls without pressing numbers or saying anything.
  • Consider freezing your credit. This can be a reasonable option if you do not need to give anyone access to your reports. You can still temporarily unfreeze your credit files when you apply for credit or fill out an application for housing or a credit card.
  • Monitor all payment card charges. Since credit reports include card numbers for your accounts, it is possible these thieves have them all. Check statements regularly and report anything that looks unfamiliar to the card issuer immediately.
  • Check your credit reports on a regular basis. You can get them at the annualcreditreport.com website at no charge. Get one every four months to stay on top of them. Consider alternating your free credit report requests among the three major credit reporting bureaus: Equifax, Experian and TransUnion.
  • File your income taxes early. The earlier you file, the less likely it is that someone can file a return in your name first and collect your refund.

Remember, the more information criminals have about you, the easier it is for them not only to trick you on the phone and steal from you, but also to craft realistic phishing email messages and texts. So, be on the lookout for those as well. Be proactive about protecting your finances and your identity.

Taxpayer Caution: Scams

The IRS has issued a warning that tax-related scams continue across the United States even though the tax-filing season has ended for most taxpayers. People should remain on alert to new and emerging schemes involving the tax system that continue to claim victims.

The IRS urges people to watch for schemes that are variations on a theme: a fictitious tax bill paired with a demand to pay by purchasing a gift card or iTunes card and reading its numbers to the caller. Taxpayers can avoid these and other tricky financial scams by taking a few minutes to review the tell-tale signs of these schemes.

EFTPS Scam

A newer scam linked to the Electronic Federal Tax Payment System (EFTPS) has been reported nationwide. In this ruse, con artists call to demand immediate tax payment. The caller claims to be from the IRS and says that two certified letters mailed to the taxpayer were returned as undeliverable. The scammer then threatens arrest if a payment is not made immediately with a specific prepaid debit card. Victims are told that the debit card is linked to the EFTPS when, in reality, it is controlled entirely by the scammer. Victims are warned not to talk to their tax preparer, attorney or the local IRS office until after the payment is made.

“Robo-Call” Messages

The IRS does not call and leave pre-recorded, urgent phone messages, asking for a call back. In this tactic, scammers tell victims that if they do not call back, a warrant will be issued for their arrest. Those who do respond are told they must make immediate payment either with a specific prepaid debit card or by wire transfer.

Private Debt Collection Scams

The IRS recently began sending letters to a relatively small group of taxpayers whose overdue federal tax accounts are being assigned to one of four private-sector collection agencies. Taxpayers should be on the lookout for scammers posing as private collection firms. The IRS-authorized firms will only be calling about a tax debt the person has had – and has been aware of – for years. The IRS would have previously contacted taxpayers about their tax debt.

Scams Targeting People with Limited English Proficiency

Taxpayers with limited English proficiency have been recent targets of phone scams and email phishing schemes that continue to occur across the country. Con artists often approach victims in their native language and threaten them with deportation, police arrest and license revocation, among other things. They tell their victims they owe the IRS money and must pay it promptly through a preloaded debit card, gift card or wire transfer. They may also leave “urgent” callback requests through phone “robo-calls” or via a phishing email.

Tell Tale Signs of a Scam:

The IRS (and its authorized private collection agencies) will never:

  • Call to demand immediate payment using a specific payment method, such as a prepaid debit card, gift card or wire transfer. The IRS does not use these methods for tax payments. The IRS will usually first mail a bill to a taxpayer who owes taxes. All tax payments should only be made payable to the U.S. Treasury and checks should never be made payable to third parties.
  • Threaten to immediately bring in local police or other law enforcement groups to have the taxpayer arrested for not paying.
  • Demand that taxes be paid without giving the taxpayer the opportunity to question or appeal the amount owed.
  • Ask for credit or debit card numbers over the phone.

For anyone who doesn’t owe taxes and has no reason to think they do:

  • Do not give out any information. Hang up immediately.
  • Contact the Treasury Inspector General for Tax Administration to report the call. Use their IRS Impersonation Scam Reporting web page. Alternatively, call 800-366-4484.
  • Report the call to the Federal Trade Commission. Use the FTC Complaint Assistant on FTC.gov. Add “IRS Telephone Scam” in the notes.

For anyone who owes tax or thinks they do:

  • View your tax account information online at IRS.gov to see the actual amount you owe, then review the payment options, or
  • Call the number on the billing notice, or
  • Call the IRS at 800-829-1040. IRS workers can help.

How to Know It’s Really the IRS Calling or Knocking

The IRS initiates most contacts through regular mail delivered by the United States Postal Service. However, there are special circumstances in which the IRS will call or come to a home or business, such as:

  • when a taxpayer has an overdue tax bill,
  • to secure a delinquent tax return or a delinquent employment tax payment, or
  • to tour a business as part of an audit or during criminal investigations.

Even then, taxpayers will generally first receive several letters (called “notices”) from the IRS in the mail. For more information, visit “How to know it’s really the IRS calling or knocking on your door” on IRS.gov.

Source: United States Computer Emergency Readiness Team, June 26, 2017

Travel Securely. Keep Cyber Criminals Away.

Summer is a time to get away — time to take your dream vacation, go to the lake, or visit relatives out-of-state.

Many travelers check emails and the status of work projects, read social media posts and play games on their devices while waiting for a plane or stretching out on the beach.

It’s not surprising that many cyber criminals target travelers.

Fortunately, with a little care, it is possible to protect yourself and avoid potential problems.

Here are some tips to help you keep connected, but in a secure manner:

Sharing Isn’t Always Caring

  • Avoid publicly posting where and when you will be traveling. When you reveal these specific details, you are providing information that could be used by criminals to target your home or your family while you are gone. Sending private posts and photos during your vacation to family and friends is ok; however, if you post them publicly, you increase the risk of someone using that information for malicious activities.
  • Just as important as using discretion when posting, is making sure your children and friends understand the risks associated with posting your vacation plans.
  • Do not use public computers and open wireless networks for sensitive online transactions. Wi-Fi spots in airports, hotels, coffee shops and other public places can be convenient but they are often not secure and can leave you at risk. If you are accessing the Internet through an unsecured network, you should be aware that malicious individuals might be able to eavesdrop on your connection. This could allow them to steal your log-in credentials, financial information, or other sensitive information. Any public Wi-Fi should be considered “unsecure.”
  • Turn off features on your computer or mobile device that allow you to automatically connect to Wi-Fi and other services such as social media websites. Consider using a cellular 3G/4G connection as a hotspot, which is generally safer than an open Wi-Fi connection. If you do connect through your hotel’s Wi-Fi, verify the name of the Wi-Fi hotspot with hotel staff.


Recommendations

  • Password protect your devices so if they are lost or stolen, the information is protected; and enable device tracking.
  • Make sure your laptop and other mobile devices have the latest patches installed. Your software vendor should notify you whenever an update is available. Set your device to auto update.
  • Back up your data with another device or cloud service.
  • Use of security software is a must. Some programs can also locate a missing or stolen phone, tablet or other similar device, while others will back up your data and can even remotely wipe all data from the phone, if it is reported stolen. Make sure you have anti-virus software installed, updated and running.
  • Do not access sensitive accounts (e.g. banks, credit cards, etc.) or conduct sensitive transactions over public networks, including hotel and airport Wi-Fi and business centers, or Internet cafes. Use wired connections instead of Bluetooth or Wi-Fi connections, whenever possible.
  • Do not plug USB cables into public charging stations; only connect USB powered devices using the intended AC power adapter.
  • Keep in mind that if you are traveling abroad, different countries have different laws, which may allow government employees or law enforcement full access to your mobile devices without your knowledge or permission. It also is important to know the local laws regarding online behavior. Some online behaviors, such as posting disparaging comments or pictures of illegal activity on social media websites, can be illegal in a foreign country.


Further Information

More information is available in the User Recommendations section of the CIS Primer on Overseas Travel at: https://msisac.cisecurity.org/whitepaper/documents/CIS%20Primer%20-%20Overseas%20Travel.pdf.

For more information about how to stay safe in cyberspace, visit the Center for Internet Security at www.cisecurity.org.

Thwart Cyber Crime

October is “National Cyber Security Awareness Month,” an annual Homeland Security campaign to raise consumers’ awareness of cyber security.

Cyber security continues to be a growing problem in the U.S.

According to the FBI’s Internet Crime Complaint Center, in 2015, the agency received approximately 288,000 complaints from consumers who were exposed to online fraud – a six percent increase over the previous year.

In recognition of Cyber Security Awareness Month, the American Bankers Association (ABA) is urging online users to take simple steps to safeguard their personal information, protect their networks and stop fraud.

Fraudsters are using the Internet to facilitate all types of scams. As a result, it is extremely important that online users secure their Internet connection and install the latest security software to lessen their exposure to online threats.

The ABA recommends the following tips while navigating the web:

  • Keep your computers and mobile devices up to date. Having the latest security software, web browser and operating system are the best defenses against viruses, malware and other online threats. Turn on automatic updates so you receive the newest fixes as they become available.
  • Create Complic@t3d passwords. A strong password is at least eight characters in length and includes a mix of upper and lowercase letters, numbers, and special characters.
  • Watch out for phishing scams. Phishing scams use fraudulent emails and websites to trick users into disclosing private account or login information. Never click links or open attachments or pop-up screens from unknown sources. Forward phishing emails to the Federal Trade Commission (FTC) at [email protected] – and to the company, bank or organization impersonated in the email.
  • Keep personal information personal. Hackers can use social media profiles to figure out your passwords and answer the security questions in the password reset tools. Lock down your privacy settings and avoid posting things like birthdays, addresses, mother’s maiden name, etc. Be wary of requests to connect from people you do not know.
  • Secure your internet connection. Always protect your home wireless network with a password. When connecting to public Wi-Fi networks, be cautious about what information you are sending over it.
  • Shop safely. Before shopping online, make sure the website uses secure technology. When you are at the checkout screen, verify that the web address begins with https. Also, check to see if a tiny locked padlock symbol appears on the page.
  • Read the site’s privacy policies. Though long and complex, privacy policies tell you how the site protects the personal information it collects. If you do not see or understand a website’s privacy policy, consider doing business elsewhere.

Use Extra Caution When Receiving Wire Transfer Requests

One of the most common forms of phishing is the Business Email Compromise (BEC) scam.

This is when employees of a particular business, generally those who have authorization to wire money from the company’s financial accounts, are targeted.

Typically, the employees in the crosshairs of the scammers will receive an email that appears to be from an executive, or some other authorized employees, of their companies requesting money be transferred to some account. Often, the money is to be sent outside the United States.

Another BEC scam involves a business that has an established relationship with a supplier. The fraudster asks to wire funds for invoice payment to an alternate, fraudulent account via spoofed email, telephone or fax.

In a related variant, an employee’s email account is hacked and then used to send requests for invoice payments to fraudster-controlled bank accounts. Messages are sent to multiple vendors identified from the employee’s contact list. The business may not become aware of the scheme until its vendors follow up to check on the status of their invoice payments.

It is difficult to identify these types of attacks; however, there are warning signs. Usually, the request is presented to the employee as urgent and as something that cannot wait for additional approvals. In addition, the sender’s email address is spoofed: at first glance it appears to come from a legitimate company, but on closer inspection it is not the same address.

Anyone who is authorized to perform wire transfers should use extra caution when receiving requests.

Heed Warning Signs

• Check the email address, and then check it again to make sure it truly is from someone who can authorize such transactions. Often, fake domains are used that are so close to the spoofed one that it is hard to see. Sometimes, they have just one or two letters that are different. Sometimes, they will replace the letter “L” with a number “1” or the letter “O” with a zero, for example. Some use extensions that are similar to company email but not exactly the same. For example, .co instead of .com.

• Verify the request through a second, independent channel before acting on it. Do this preferably via telephone, but alternatively by sending a new email message (not a reply) back to the requester. Use familiar phone numbers and email addresses, not details provided in the email request.

• Follow a process of getting multiple approvals before a wire transfer is allowed in your business. If there is no process for this, create one, follow it and ensure it is enforced.

• Verify any changes in vendor payment location by using a secondary sign-off by company personnel.

• Stay updated on your customers’ habits, including the reason, detail and amount of payments. Be aware of any significant changes.

• Be suspicious of requests for secrecy or pressure to take action quickly.

• Be wary of free, web-based email accounts, which are more susceptible to being hacked.
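The lookalike-domain check described in the first warning sign above, as an added example that is not part of the original newsletter: it folds the substitutions the article names (“1” for “L”, “0” for “O”, .co for .com, one or two changed letters) into a simple classifier that a mail filter or a payments clerk’s tooling could run over the From: header of a wire request. The trusted domains, the confusable table beyond the article’s two digits, and the sample headers are all constructed for illustration.

```python
"""Flag wire-transfer requests whose sender domain merely resembles a trusted one.

Added example for the BEC warning signs; not the newsletter's own code.
Trusted domains and sample headers are constructed (example.com is reserved).
"""
from email.utils import parseaddr
from typing import Tuple

# Constructed allow-list of domains whose staff may authorize wire transfers.
TRUSTED_DOMAINS = {"example.com", "example-supplier.com"}

# Digits commonly swapped for letters. "1"->"l" and "0"->"o" come from the
# article; "5"->"s" and "3"->"e" are assumed additions of the same kind.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def fold(label: str) -> str:
    """Canonicalize a domain label so visually similar spellings compare equal."""
    folded = label.lower().translate(CONFUSABLES)
    # "rn" reads as "m" in many fonts; hyphens are often dropped or added.
    return folded.replace("rn", "m").replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; the article warns of domains one or two letters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Domain part of a From: header such as 'Jane Doe <jane@example.com>'."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def split_domain(domain: str) -> Tuple[str, str]:
    """Naive split into (second-level label, extension): 'mail.example.co' -> ('example', 'co')."""
    parts = domain.split(".")
    if len(parts) < 2:
        return domain, ""
    return parts[-2], parts[-1]


def classify(header_value: str, trusted=TRUSTED_DOMAINS) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(header_value)
    if not domain:
        return "unknown", "no parsable address in header"
    for good in sorted(trusted):
        if domain == good or domain.endswith("." + good):
            return "trusted", "exact match for %s" % good
    base, ext = split_domain(domain)
    for good in sorted(trusted):
        gbase, gext = split_domain(good)
        if fold(base) == fold(gbase):
            if ext != gext:
                return "lookalike", "%s: extension .%s instead of .%s (%s)" % (domain, ext, gext, good)
            return "lookalike", "%s: confusable characters vs %s" % (domain, good)
        if levenshtein(fold(base), fold(gbase)) <= 2:
            return "lookalike", "%s: within two edits of %s" % (domain, good)
    return "unknown", "%s is not a trusted domain" % domain


if __name__ == "__main__":
    # Constructed From: headers, as they might appear on incoming wire requests.
    for hdr in ["Jane Doe <jane@example.com>", "CFO <cfo@examp1e.com>",
                "cfo@example.co", "ap@exarnple.com", "ap@exampel.com",
                "someone@gmail.com"]:
        print("%-32s %-10s %s" % (hdr, *classify(hdr)))
```

A “lookalike” verdict is a reason to fall back to the out-of-band verification in the second warning sign; an “unknown” verdict is not proof of fraud, only a sender that was never authorized to request transfers.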

If your business has been targeted by a BEC email, contact your financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent. Next, call law enforcement and also file a complaint — regardless of the dollar loss — with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.

No business is immune to cybercrime. Businesses of all sizes and types are vulnerable. But awareness and employee education can help a business fight cybercrime.

Business Alert: Understand the Threats of Ransomware

Ransomware is a form of malware that targets both human and technical weaknesses in businesses and other organizations in an effort to deny the availability of critical data and/or systems.

When the victim business determines it is no longer able to access data, the cyber actor demands payment of a ransom, at which time the actor purportedly provides an avenue to the victim to regain access to its data.

Infection Vectors

Ransomware is frequently delivered through phishing emails to end users. Early ransomware emails were often generic in nature, but more recent emails are highly targeted to both the business and employees, making scrutiny of the document and sender important to prevent exploitation. An email compromise occurs in one of two ways:

  1. Receipt of an email containing malicious attachments, including: .pdf, .doc, .xls, and .exe file extensions. These attachments appear legitimate, such as an invoice or electronic fax, but contain malicious code.
  2. Receipt of an email that appears legitimate but contains a link to a website hosting an exploit kit.

When the user opens the malicious file or link in the phishing email, the most frequent end result is the rapid encryption of files and folders containing business-critical information and data.

Another infection method involves adversaries hacking a known website to plant the malware. End users are infected when visiting the compromised website while using outdated browsers, browser plugins and other software.

After infection, the malware usually calls home to command and control (C2) infrastructure to obtain encryption keys from the adversary. Once keys are obtained, the malware begins rapidly encrypting files and folders on local drives, attached drives, and network shares to which the infected user has access. Businesses are generally not aware that they have been infected until users are no longer able to access data or begin to see messages advising them of the attack and demanding a ransom payment.

While the FBI normally recommends an investment in measures to prevent, detect, and remediate cyber exploitation, the key areas to focus on with ransomware are prevention, business continuity and remediation.

It is very difficult to detect a successful ransomware compromise before it is too late. The best approach is defense in depth, several layers of security, as there is no single method to prevent a compromise.

As ransomware techniques and malware continue to evolve and become more sophisticated, even with the most robust prevention controls in place, there is no guarantee against exploitation. This fact makes contingency and remediation planning crucial to business recovery and continuity, and those plans should be tested regularly to ensure the integrity of sensitive data in the event of a compromise.

Prevention Considerations

  • Focus on awareness and training. Since end users are targeted, employees should be made aware of the threat of ransomware, how it is delivered, and trained on information security principles and techniques.
  • Patch the operating system, software and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This can be made easier through a centralized patch management system.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and regular scans are conducted.
  • Manage the use of privileged accounts. Implement the principle of “least privilege.” No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary; and they should operate with standard user accounts at all other times.
  • Implement least privilege for file, directory and network share permissions. If a user only needs to read specific files, they should not have write access to those files, directories or shares. Configure access controls with least privilege in mind.
  • Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.
  • Implement software restriction policies (SRP) or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers, or compression/decompression programs, including those located in the AppData/LocalAppData folder.

Business Continuity Considerations

  • Regularly back up data and verify its integrity.
  • Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing them offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware; if you are infected, backups may be the best way to recover your critical data.

Additional Considerations

There are other considerations; however, they can be highly dependent on budget and system configuration.

  • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
  • Use virtualized environments to execute operating system environments or specific programs.
  • Categorize data based on its value to the business, and implement physical/logical separation of networks and data for different organization units. For example, sensitive business data or research should not reside on the same server and/or network segment as an organization’s email environment.
  • Require user interaction for end user applications communicating with websites uncategorized by the network proxy or firewall. Examples include requiring users to type information or enter a password when their system communicates with a website uncategorized by the proxy or firewall.

The Ransom

The FBI does not advocate paying a ransom to an adversary. Paying a ransom does not guarantee a business will regain access to its data. In fact, some individuals or organizations were never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other organizations for profit and provides a lucrative environment for other criminals to become involved.

Finally, by paying a ransom, an organization is funding illicit activity associated with criminal groups, including potential terrorist groups, who likely will continue to target an organization. While the FBI does not advocate paying a ransom, there is an understanding that when businesses are faced with an inability to function, executives will evaluate all options to protect shareholders, employees and customers.

What to Do if you have a Ransomware Event?

In all cases, the FBI encourages businesses to contact the local FBI Cyber Task Force immediately to report a ransomware event and request assistance. The FBI works with federal, state, local and international partners to pursue cyber actors globally and assist victims of cyber crime.

Victims are also encouraged to report cyber incidents to the FBI’s Internet Crime Complaint Center at www.ic3.gov or the Cyber Task Forces at www.fbi.gov/contact-us/field.

______________

Source: Cyber Division, FBI

Secure your Mobile Device

Cyber criminals are increasingly targeting mobile devices as use of the technology continues to grow.

Mobile devices can be full of personal and professional information that cyber crooks would love to get their hands on. Mobile devices, gaming systems and other web-enabled devices are vulnerable to the same virus, spyware and phishing threats as a home or business computer. There are also some unique risks that can affect mobile devices.

While banks use sophisticated safeguards to protect customer information, it is important for consumers to take safety measures, too. Remember: a mobile device (phone or tablet) is like a little computer, and any device used to connect to the Internet needs to be protected.

These practices can help you protect your mobile device:

  • Keep your device safe. The portability of a mobile device makes it easy to misplace or steal, so keep it with you and out of sight when not in use.
  • Configure your device to be more secure. Make use of the security options your mobile device offers. Enable file encryption and remote locate and wipe abilities, if available.
  • Use the passcode lock. This will make it more difficult for thieves to access your information, if your device is lost or stolen.
  • Log out completely when you finish a mobile banking session.
  • Protect your device from viruses and malicious software, or malware, just like you do for your computer by installing mobile security software.
  • Use caution when downloading applications. Downloaded apps are an easy way for hackers to compromise the security of your mobile device. Apps can contain malicious software, worms and viruses. Only download apps from dedicated app stores and avoid “jailbreaking” your device (removing restrictions or making modifications to the operating system that are not authorized), which can open the device to malware and voids your warranty if an infection does occur. Review the app’s privacy policy and understand what data the app can access on your device before you download. Beware of apps that ask for unnecessary “permissions.”
  • Download updates for your device and mobile apps. Make sure you are running the latest version of your operating system, security software and web browser. Developers are constantly working to find and remove bugs and other “holes” that could make your device more vulnerable.
  • Avoid storing sensitive information like passwords, a Social Security number or bank account numbers on your mobile device.
  • Be aware of shoulder surfers. The most basic form of information theft is observation. Be aware of your surroundings, especially when you are entering sensitive information.
  • Use secure sites. When banking or shopping, check to be sure the site is security enabled. Look for web addresses with “https://” which means the site takes extra measures to help secure your information. The web address “http://” is not secure.
  • Delete data before discarding your mobile device, using specialized software or the manufacturer’s recommended method.
  • Beware of mobile phishing. Avoid opening links and attachments in emails and texts, especially from senders you do not know. And be wary of ads (not from your security provider) claiming that your device is infected.
  • Watch out for public Wi-Fi. Public connections are not secure. Do not perform banking transactions or any business that involves finances or other personal information, including login and password information, on a public network. If you need to access your account, try disabling the Wi-Fi and switching to your mobile network.
  • Disable interfaces when not in use. Leaving interfaces like Wi-Fi, Bluetooth and infrared on or visible when they are not in use can make it easy for attackers to exploit vulnerabilities of the software used by these interfaces.
  • Only give your mobile number to people you know and trust and never give out anyone else’s number without their permission.

Contact your financial institution immediately if you change your phone number or lose your mobile device, and to report any suspected fraud.