Visit these web sites for information to help protect you from being the victim of fraud or identity theft.
A Text Message Mess
Let me set the scene: your friend John is rushing to get his daughter from school and his son to the soccer field on time and he still needs to stop at the grocery store because there’s nothing in the fridge. In the midst of his everyday madness, he gets a text message from Google with a verification code. He thinks, “That’s weird. Maybe I should log into my email and see what’s going on.”
Before John gets a chance, he gets another message. It says:
Google has detected unusual activity on your account. Please reply with the verification code sent to your mobile device to stop unauthorized activity.
What should John do?
It’s quite possible that he might reply with the code, especially while he’s distracted and worried that he might lose access to his email. Unfortunately, if he sends the code, he’ll be giving a hacker access to his email account.
Here’s what happened behind the scenes:
A hacker who has John’s email address and mobile number went to the email login screen and clicked “Forgot Password” and asked for a verification code via text message.
John received the verification code on his phone.
The hacker, pretending to be John’s email provider, sent him a text message and asked for the code.
John forwarded the code to the hacker and the hacker had everything he needed to complete the login process.
The hacker could gather a lot of information about John while snooping through his email. He also could change John’s settings. So future emails sent to John are forwarded to the hacker. It could be a long time before John notices this change.
So, what can you do?
Don’t send or forward verification codes to anyone via text or email. If you happen to receive a verification code that you did not initiate a request for, contact your email provider immediately since that could be a warning sign that someone is attempting to tamper with your email account. This text message scam also applies to your internet banking accounts or accounts you have established with online merchants that offer a forget password or user ID feature!
Bluetooth Security Tips
Bluetooth is a type of wireless technology that has been widely adopted due to a number of benefits provided such as cell phone users being able to talk “hands free” using Bluetooth headsets, laptops for things like a wireless mouse and/or keyboard, fitness monitors and even various children’s toys. Very few people realize that Bluetooth enabled devices are susceptible to various security threats. Attacks against Bluetooth enabled devices can result in unauthorized access to sensitive information and device access; the automatic nature of the connection is an enormous benefit for the hacker.
Bluetooth Threats (not a complete list):
Bluejacking – sending anonymous text messages to another Bluetooth device within range of the hacker.
Bluesnarfing – allows malicious hackers to access and copy information stored on a Bluetooth enabled device without the deviceholder’s knowledge.
Bluesniping – a specific form of bluesnarfing that allows connecting with and accessing data on Bluetooth devices at longer ranges (i.e. over a half mile away) using antennas.
Bluebugging – allows hackers to take full control of a device, allowing them to use its features including making calls, sending text messages, and accessing all data stored on the device.
Tips for using Bluetooth securely:
Turn Bluetooth off when not in use since this limits your exposure to security threats.
Do not accept pairing requests from unknown parties.
When pairing a device for the first time, do it at home or in the office.
Remove all pairings for devices that become lost or stolen, or are no longer in use.
Where possible, use a strong pin when pairing devices and change the default pin to something more secure.
Change the default name of the Bluetooth device (typically identifies device type).
Install mobile security software such as anti-virus, anti-spam, firewall on devices that will allow it.
Install security updates from manufacturers (i.e. upgrade to iOS 9 to avoid a known Bluetooth iPhone vulnerability) as soon as possible.
Top 10 Facebook Scams Users Beware!
Source: Fraud Magazine VOL. 30 NO.5 September/October 2015
Facebook is a goldmine for ever-changing fraud scams which lure victims to unknowingly download malware onto their computers allowing fraudsters to expedite scams. Thousands of people are victimized DAILY. The following are the most common:
Guess who viewed your profile? This is a false claim that an app, often called “Who Views” will show you who’s viewed your Facebook profile, but it actually installs a spying and spamming virus on your PC.
Explicit photos or videos of friends. Victims who click on supplied links are told they need to update their Adobe flash viewer but they actually install malware.
Ads for fake products and services. Bitdefender identified 50,000 questionable domains supposedly selling pharmaceuticals and dating services. A third of the sites were also bogus replicas of genuine pages, used for phony sales or phishing for personal information.
Morbid Images. A faked video supposedly of a woman being beaten to death is being used to attract victims to gruesome sites that either charge fees or install malware. Another recent fake video claims to show a woman being killed by her husband.
5: Funny Videos. This is a variation of #2 above, though it doesn’t claim to show friends, just people in embarrassing situations. Again, this is a ruse to get victims to install a special video player that is really malware. A variation of this scam claims to link explicit photos and video of well-known celebritiesmost recently Harry Potter star, Emma Watson.
A link to what purports to be the “10 Hottest Leaked Snapshots Ever.” For those of you who don’t know, Snapchat is an instant photo messaging service owned by Facebook; this scam leads to a malware download.
The big prize giveaway. Most common recent bait includes a Disney-related prize and an SUV or luxury vehicle. Some current scam pages have upwards of 60,000 fans. The pages are then renamed and used to bombard fans with spam-type advertising either from the original scammer or whomever they sold it to. The prizes are never really given away.
Danger Targets. Scammers use “yard sale” and similar pages on Facebook to lure victims to specific locations where they may be robbed or assaulted.
Facebook Identity Theft. In this scam, crooks hack and clone a victim’s page and pose as them. Then they try to scam money usually by claiming to be in financial trouble.
A Change of Color. This scam has been around a while but it is still going strong. Quite simply, it claims that an app can change the color of Facebook profiles from the default blue. It asks users to provide their sign-on details, which are then used to hack the victim’s account.
Stop and think before you click on any Facebook links with which you aren’t familiar. Be very skeptical when faced with suspicious activity that illustrates morbid behavior or offers a big prize giveaway. Also, limit what personal information you provide about yourself and family members on your Facebook account or any other social media account.
Cyber Thieves Never take a Vacation
Every year vacationers put their house lights on timers and their mail on hold when they travel away from home. It’s just as important when taking a vacation to take similar precautions with good cyber habits. Many cyber criminals specifically target travelers…
Criminals often set online lures to sell fake vacations or tickets. These may be just simple advertisements or sophisticated scams using realistic websites, complete with phone operators that will “assist” you.
Social media posts with pictures of tourist attractions may update your friends and family, but they also tell criminals that you’re on vacation and your house is empty. Other older posts may contain personal details or pictures of your home, telling thieves what items of value are in the house or how to circumvent security systems.
Sensitive data, such as login names and passwords, are especially valuable to criminals. One way criminals obtain such data is by installing a “keylogger” on hotel public computers. The keylogger records every keystroke typed on the computer and then transmits that information to the criminal.
Some cyber criminals specialize in “sniffing” the Wi-Fi and public networks in airports and coffee shops, allowing the criminal to collect and read all information sent over a wireless network.
Other criminals use a practice called “juice jacking,” where the criminal rigs a public charging kiosk to siphon information directly from your device when you plug into it.
Who’s the Boss?
The cyber security threat doesn’t end with you; Social engineers often use information about a boss’ vacation to gain physical access or commit financial fraud. The social engineer knows that they can reference the boss and the boss will not be reachable to verify whether he/she really did order the “repairman” or gave instructions for a fraudulent wire transfer.
When in Rome…
Different countries have different laws, which may allow government employees or law enforcement full access to your device without your knowledge or permission. Some countries are known to collect all data residing in that country, while others collect data from devices left in hotel rooms. This may be very important in countries that do not have the same freedom of speech as the United States. Some of these countries are known to have jailed tourists who posted negative comments online about the government or who posted criminal activities online, such as the use of alcohol or drugs.
Luckily, with a little care it’s possible to avoid these problems. Follow these simple tips to ensure that the only memories from your vacation are good ones:
Easy Tips to Protect Yourself
Use discretion when posting personal information on social media. This information is a treasure-trove to social engineers. Do not post information about travel plans or details; save the pictures and updates until after you return home.
Set email away messages to only respond to known contacts in your address book.
Disable geo-locational features, such as automatic status updates and friend finder functionalities.
Remind friends and family members to exercise the same caution.
Easy Tips to Protect Your Devices
Keep your electronic devices with you at all times.
Before traveling abroad, change all passwords that you will use while traveling, and upon return change the passwords of any accounts that were accessed while abroad. This includes passwords used by social media websites and email providers for which you have automatic logins.
Do not access sensitive accounts (e.g. financial institutions, credit cards, etc.) or conduct sensitive transactions over public networks, including hotel and airport Wi-Fi and business centers, or Internet cafés.
Use up-to-date anti-virus, anti-spyware, and anti-adware protection software; apply recommended patches to your operating system and software.
Use wired connections instead of Bluetooth or Wi-Fi connections, whenever possible.
Do not plug USB cables into public charging stations; only connect USB powered devices using the intended AC power adapter.
Know the local laws regarding online behavior, as some online behaviors are illegal in certain countries.
Protecting Against Cybercrime
What is Cybercrime?
Cybercrime is any violation of federal, state, or local statute, or malicious or suspicious activity, in which a computer, network or device is an integral component of the violation. Examples can include: a malicious cyber criminal breaking into a computer to steal information (computer intrusion) or to change a website (website defacement); malware being placed on a computer without the owner’s permission; and that malware using that computer’s resources to send spam.
Who Are the Actors and What Do They Want?
Cybercrime actors can generally be classified into several categories: lone hackers, script kiddies, insiders, hacktivists, terrorists, nation-states, and organized cyber criminal groups. The motivations for committing cybercrime will vary and can include a desire for recognition or promotion of an ideology; theft of money or information for industrial espionage; or the creation of widespread disruption. Cybercrime is big business. Between October 1, 2013, and December 31, 2014, for example, U.S. victims lost nearly $180 million through a scam known as the Business Email Compromise. One underground market has more than 14 million U.S. credit cards for sale . The creators of the CryptoLocker ransomware earned approximately $300,000 profit in its first 100 days.
How Can You Protect Yourself?
Cybercrime—whether from malware on a single computer or the recent high-profile hacks against Sony, Target, Home Depot and others—impacts everyone. Below are some key practices you can use to help minimize your risk of being a victim:
Configure Your Computer Securely
Make sure your computer, smartphones, and tablets are safe. Use privacy and security settings in your software, email system and web browsers. New strains of malicious software are appearing all the time, so it is imperative to regularly update your anti-virus software to identify and thwart the newest threats.
Keep Software and Operating Systems Updated
Be sure to install all software updates as soon as they are offered; using the “auto update” setting is the best way to ensure timely updates. Similarly, make sure you keep your operating system and any third-party plug-ins that you use updated.
Use Strong Passwords
Never use simple or easy-to-guess passwords like “123456” or “p@$$word” or “football.” Cybercriminals use automated programs that will try every word in the dictionary in a few minutes. When creating a password, use at least 10 characters, with a combination of uppercase and lowercase letters, numbers, and symbols.
Be Cautious About Links and Attachments
Be cautious about all communications you receive including those purported to be from friends and family, and be careful when clicking on links in those messages. When in doubt, delete it.
Protect Your Personal Information
Be aware of financial and sensitive information you give out. Cybercriminals will look at your social networking webpage to find information about you--remember, many of the answers to website and bank security questions can be found online, like the color of your car (remember posting that picture of you standing in front of your car?) and your mother’s maiden name. Use privacy settings to limit who can see the details of your social network pages, and be smart about what you decide to share online.
Review Your Financial Statements Regularly
Cybercriminals find loopholes and your accounts may get hacked through no fault of your own, so review your financial statements regularly. Contact your financial institution immediately if you see any suspicious looking activity.
What to Do If You Are a Victim?
If you’ve been a victim of identity theft, notify AEFCU’s Member Contact Center at 860.568.2020, and any other entities with which you have accounts to inform them that someone may be using your account fraudulently. Contact all three major credit bureaus to request a credit report, and have a fraud alert and a credit freeze placed on your account.
Internet-related crime, like any other crime, should be reported to appropriate authorities at the local, state, or federal levels, depending on the scope of the crime.
The following resources can help with reporting cyber crime:
Social Engineering Through the Internet
Source: Thomas F. Duffy, Chair, Multi-State ISAC
Social engineering refers to the methods attackers use to manipulate people into sharing sensitive information, or taking an action, such as downloading a file. Sometimes a social engineer is able to rely solely on information posted online or will sometimes interact with the victim to persuade the victim to share details or perform an action.
Information posted online can seem harmless, until you think about how a social engineer could use the same information. By gathering multiple pieces of information from various sources, a cyber criminal could have enough facts about you to craft a very convincing social engineering scam. Think about how these seemingly innocuous details might be valuable to the cyber criminal:
Posting a picture of your pet might give away your pet’s name, or posting a photo of your car would identify its color. Pet’s name and car color are commonly used security questions.
Answering a “meme” can give away personally identifiable information (PII) such as your date of birth or other sensitive information, including answers to security questions.
Be careful about how much information you post and think about how the various pieces might be combined for use by a cyber criminal.
The following three common types of persuasion methods highlight different ways social engineers target victims through the Internet:
Tech Support Call Scams
In Tech Support Call Scams, the scammer, claiming to work for a well-known software or technology company cold calls victims in an attempt to convince the victim that their computer is at risk of attack, attacking another computer, or is infected with malware, and that only the caller can remediate the problem. In convincing the victim, the scammer often persuades the victim to provide remote access to the victim’s computer. The scammer can then install malware or access confidential information. In some variations the scammer persuades the victim to pay for unnecessary or fictitious antivirus software or software updates.
In Romance Scams, the malicious actors create fake profiles on dating websites and establish relationships with other site members. Once a sense of trust is established, the scammer fabricates an emergency and asks the victim for financial assistance. The scammer generally claims they will repay the victim as soon as the crisis is over, however, if the victim sends money, the scammer will prolong the scam, sometimes stealing thousands of dollars from the victim.
In this scenario, also known as the “Grandparent Scam,” malicious actors use information posted on social media websites by a traveling family member to trick other family members into sending money overseas. Often the scam targets the elderly, who are less likely to realize the information was originally posted online. The scammer will monitor social media websites for people traveling overseas, and then contact the family members, through the Internet or via phone, with a crisis and requesting that money be sent immediately. The scammers rely on all the information users post online about themselves and their trips, in order to convince the family member that they know the traveler and are privy to personal details, and thus should be trusted.
Easy Tips to Protect Yourself from Social Engineering
Use discretion when posting personal information on social media. This information is a treasure-trove to scammers who will use it to gain your trust.
Before posting any information on social media, consider: What does this information say about me? How can this information be used against me? Is this information, if combined with other information, harmful?
Remind friends and family members to exercise the same caution. Request that they remove revealing information about you.
Verify the identity of anyone who contacts you through different means. Do not use the information they provide you.
Do not send money to people you do not know and trust.