Cybersecurity Awareness Basics
How to avoid identity theft, frauds, scams and more.
A business email compromise (BEC) attack sees cyber criminals use social engineering to trick an employee at a business into transferring a large sum of money to an account controlled by the crooks. Often these messages pretend to be from someone the victim knows, such as their boss, a colleague or another known and trusted business contact. The attackers can steal hundreds of thousands of dollars just by sending a few emails – and by the time the victim has realized they've been duped by cyber criminals, it's too late.
From “ZD Net” Danny Palmer (2/16/2021)
CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals are using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.
From “CISA” (3/17/2021)
The top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion. Victims lost the most money to business email compromise scams, romance and confidence schemes, and investment fraud. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.
From “FBI” (3/17/2021)
While we like to assume that we will never fall victim to a cyberthreat, it happens. Make sure that if your employees do end up clicking on a site or attachment that seems unsafe, they know to reach out to your IT department or MSP to let them know. Make sure your team is not afraid to report an issue. Malicious code can lay dormant or undetected for an extended period of time before malicious activity occurs.
From “Forbes” Steve Cochran (3/10/2021)
When it comes to email communications today, phishing and spam are both unwelcome nuisances in everyone’s inbox. In order to defend against the different tactics cybercriminals are leveraging online, a variety of essential security measures are necessary–one of the most important being general awareness.
From “Security Boulevard” Kelsey Clark (3/09/2021)
One of the more concerning trends I’ve seen over the past year or so is deploying something new into production during this annual budget cycle, and then deploying the DR for it during the next annual budget cycle. While some have blamed the pandemic for this, I’m not sure it is. It may make the bottom line look better, but you’ve just significantly increased your risk profile for at least a year related to whatever you just spent all of that money on rolling out! Does that really make sense?
From “JHA FinTalk” Eric Flick (3/23/2021)
Executives are targeted not only for the access and authority they have, but also because, in many cases, they are not the most well-informed on matters related to cybersecurity. This can be attributed to both their busy schedules and, in some cases, being less tech-savvy. It’s important that executives are informed about the current threat environment (e.g., whaling, business email compromise) and trained on securing their online personas 24/7, at work and beyond.
From “ISACA” Sourya Biswas (3/18/2021)
In the pre-pandemic world, you could break the exam process into three basic parts—pre-exam preparation, day-to-day management, and post-exam wrap-up. These stages don’t really change in a virtual environment, but some of the critical tools and behaviors needed during them absolutely do.
From “ABA Banking Journal” Michael Althouse and Mandi Lermond (3/09/2021)
Globally, hundreds of thousands of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem.
From “Krebs on Security” Brian Krebs (3/09/2021)
Attackers are targeting state, local, tribal and territorial (SLTT) government entities, masquerading as vendors and suppliers. They use phishing attacks to hijack email accounts at these companies and send urgent fake invoices to their government clients.
From “Info Security Magazine” Phil Muncaster (3/22/2021)
Unfortunately, some people may take advantage of COVID-19 by using fraudulent websites, phone calls, emails, and text messages. While claiming to offer “help,” they may be trying to trick people into providing Social Security numbers, bank account numbers, and other personal information. Do not divulge your bank or credit card numbers or any other personal information over the phone unless you initiated the conversation with the other party and you know that it is a reputable organization.
From “FDIC Consumer News” (3/19/2021)
Let’s say you get an email about a charge to your credit card for something you aren’t expecting or don’t want. Your first instinct may be to immediately call the company or respond to the email and to stop the payment. Scammers know that, and are taking advantage of it in a new phishing scheme. People tell us they’re getting emails that look like they’re from Norton, a company that sells antivirus and anti-malware software. (Tip: the emails are NOT from Norton.) The emails say you’ve been (or are about to be) charged for a Norton product — maybe an auto renewal or new order. If this is a mistake, the email says, you should call immediately. (Tip: don’t.)
From “Federal Trade Commission” Emily Wu (3/17/2021)
Identity theft happens when a criminal steals information about you and uses that information to commit fraud, such as requesting unemployment benefits, tax refunds, or a new loan or credit card in your name. If you don’t take precautions, you may end up paying for products or services that you didn’t buy and dealing with the stress and financial heartache that follows identity theft.
From “SANS” Lenny Zeltser (3/10/2021)
According to financial institutions and federal agencies, since COVID-19 began, fraud attempts have as much as tripled, with a wide variety of new scams emerging that prey on those who have been financially hit hard by the pandemic and subsequent closures and shutdowns, people who have become isolated, as well as good Samaritans who want to be helpful to those in crisis. Indeed, the pandemic has provided a greenfield opportunity for cyber criminals, who are playing to bank customers’ concerns about job loss, financial health and community safety.
From “ABA Banking Journal” Karen Epper Hoffman (3/04/2021)
In the latest campaign, if the recipients of a phishing message open what's portrayed as a tax-themed Word document, it displays a blurred background as well as “enable editing” and “enable content” prompts, Cybereason says.
From “Bank Info Security” Prajeet Nair (3/16/2021)
The double-extortion tactic also gained more traction in 2020. In this type of attack, the criminals threaten to leak the encrypted data publicly unless the ransom is paid. As such, even victimized organizations that have backups of the stolen data may be more willing to pay the ransom to avoid exposure. At least 16 different ransomware variants are now using the double-extortion plot, according to Unit 42.
From “Tech Republic” Lance Whitney (3/17/2021)
As for best practices when using video conferencing tools, first and foremost if you don’t feel secure, don’t share any information that may put you at risk - whether that’s intellectual property, PII, or heck, even pictures of your kids, if you wouldn’t walk around in public showing that type of information, it’s not safe to broadcast over video either. On top of that, it’s the little things that can make a big difference. Always password protect your meetings, never use a personal event link for a public facing meeting, and ensure your service provider encrypts all audio and video transmission - just following these simple tips can help mitigate some of the many attack tools that hackers have at their disposal.
From “Security Magazine” Maria Henriquez (3/15/2021)
Tax season can be a stressful time for many Americans, and scammers are waiting for you to slip up so they can steal your personal information, money and identity. NCSA and the Internal Revenue Service (IRS) want to help you stay safe online while filing your taxes with these best practices, tips, and resources.
From “National Cybersecurity Alliance” (3/09/2021)
Amid the coronavirus pandemic, 2020 saw a quick and abrupt transition to digital banking and commerce, a boon for banks and customers alike. But that shift also triggered a host of schemes and scams from cybercriminals eager to take advantage of the new environment. A financial crime report released Thursday by fraud prevention company Feedzai looks at some of the common types of attack and offers advice to financial institutions and their customers.
From “Tech Republic” Lance Whitney (3/04/2021)