Security Awareness

Messaging Do’s and Don’ts 

Overview

Messaging serves as a primary mode of communication in both our personal and professional lives. However, quite often we can be our own worst enemy when it comes to text messaging safely and securely. Learn the most common mistakes people make and how you can avoid them in your day-to-day lives.

Auto Complete

Auto complete is a common feature in many messaging apps. As you type the name of the person you want to message, your app may automatically select the person for you. This feature can lead to mistakes, especially when multiple contacts share similar names. For example, you may intend to send a sensitive text to a co-worker but instead accidentally message your daughter’s coach who happens to share a very similar name. Always double-check the full name of the person you intend to message before you hit send.

Replying to Group Messages

Group chats are another common feature, but make sure you are aware of all group members who are on the thread before responding. When you are replying to an entire group, you want to be sure your reply is appropriate for everyone in that group. Another common mistake is accidentally replying to the entire group instead of a specific person. Take your time in responding: Double-check before hitting the send button.

Emotion

Avoid sending messages when angry, upset, or emotionally charged. That message could cause you far more harm in the future, perhaps even costing you a friendship or a job. Instead, take a moment to calmly organize your thoughts. If you must vent your frustration, open a new message with no recipient selected, type out exactly what you are feeling, then walk away from your device. Perhaps make yourself a cup of tea or go for a walk. When you return, delete the message, and start over again. You will most likely be in a far calmer and clearer state of mind. Consider direct communication via phone or in-person for a more effective conversation. It can be difficult for people to determine your tone and intent with just a text message.

Privacy

Traditional SMS messaging lacks robust privacy protections; once sent, you lose control over the message. Messages can be forwarded, posted publicly, shared as a screenshot, or disclosed due to court orders. For private communication, pick up the phone and call the individual. Finally, if you utilize your work device for messaging, remember that your employer may have the authority to monitor and potentially read messages on work devices.

Malicious Messages

Like with email, cyber attackers are going to try to trick, fool, or scam you with messages. These messages can include malicious links they want you to click, requests for you to share personal information, or pressure for you to call a phone number. Have you ever received an odd text message with just the word “Hi” in the message and wondered what that is about? That is a cyber attacker trying to start conversations with you, often the beginning of something called a romance scam. If you receive odd or suspicious messages on your device, simply delete them. In addition, as also is the case with email, it's possible to spoof the source of a text message. Be certain that you know the identity of the person with whom you're texting before divulging any personal information, particularly if you did not initiate the conversation. You can also block any unwanted or suspicious phone numbers or accounts attempting to message you.

Secure Messaging

Make sure that whatever messaging app you are using is current and up to date, ensuring it has the latest security features. Consider dedicated secure messaging apps like Signal for enhanced security and privacy.

Used With Permission: The Monthly Security Awareness Newsletter for You OUCH! March 2024 © SANS Institute 2023 www.sans.org/security-awareness

Identity Theft: Preventing, Detecting and Responding 

Overview

In today's digital age, your personal information is more valuable than ever. Unfortunately, this also makes it a prime target for identity theft. Understanding this threat, detecting it, and knowing how to protect yourself are essential elements in safeguarding your online digital life.

 

What is Identity Theft?

Identity theft occurs when someone unlawfully obtains your personal information – your name, identification numbers like your Social Security or passport number, or credit card details, for example – to commit fraud or other crimes. A common form of identity theft is Financial Identity Theft, where someone uses your information for financial fraud. For example, they steal your identity and get a credit card, mortgage or car loan in your name, and you have to pay the bills. However, other types of identity theft exist. One example is Medical Identity Theft, where someone steals your medical information and charges medical insurance in your name for medical procedures you never received. Another is Tax-Related Identity Theft, when a criminal uses your tax identification number to file a tax return in your name and claim a fraudulent refund. Then when you attempt to file for a tax return, you cannot get your money back as it's already been submitted to someone else.

 

Preventive Measures

What can you do to protect yourself? Unfortunately, it is not as easy as it sounds, as so many organizations already have your information and it's up to them to protect it. However, there are some key steps you can take.

 

  • Strong Passwords: One of the most effective ways to protect yourself is secure each of your accounts with a unique, long password, and when possible, enable multi-factor authentication.
  • Regular Software Updates: Ensure your devices are updated with the latest security patches and features by enabling automatic updating on all your devices.
  • Credit Cards: Use credit cards for online purchases, never debit cards, as credit cards give you far more protection against fraud. Another idea is to use one credit card for just online purchases and another for in-person purchases. Some services provide virtual or one-time use credit cards for every online purchase.
  • Credit Freeze: A credit freeze locks your credit report, preventing fraudsters from opening new accounts in your name. This can be done for free by contacting the major credit bureaus. This may not be an option in all countries.

 

Detecting Identity Theft

Early detection is one of the most powerful ways you can protect yourself. The sooner you detect your identity is being used by someone else, the sooner you can act. Some of the most common indications of identity theft include:

  • Unusual Financial Statements: Regularly monitor all your bank and credit card statements. You want to look for any charges or money transfers you know you did not make. A great way to do this is to enable automatic notifications. This way anytime there is a charge to your credit card or a change to your savings or checking account you are notified right away.
  • Irregular Credit Reports: Annually review your credit reports for suspicious activity. You are looking for any new loans in your name that you know you did not make or any major changes in your credit rating.
  • Mysterious Bills or Notifications: Be wary if you begin receiving bills for items you know you never purchased, or if you are contacted by payment agencies for unpaid bills for items or services you never purchased.
  • Unexpected Denials: If you're unexpectedly denied your tax refund, or a credit or a loan application, investigate why.

 

Responding to and Recovering from Identity Theft

If you are concerned that your identity has been compromised, act right away.

  • Report Immediately: Report right away if you suspect an incident. For example, if you identify fraudulent activity in your bank account or credit card, contact your bank. Also, file a report with local law enforcement. This can be crucial in proving the crime and helping you recover any costs or file insurance claims.
  • Fraud Alerts and Credit Freezes: Place a fraud alert on your credit reports and consider a credit freeze if you have not already. In addition, work with credit bureaus to remove fraudulent information.
  • Document Everything: When calling organizations to recover, be sure to keep detailed records of your communications and actions taken, to include who you talked to, what date / time, and what was discussed.
  • Change Passwords: Update passwords for all your key accounts. If you do not have a password manager to track all your new passwords, consider getting one.

 

Conclusion

By understanding what identity theft is and employing these measures, you can greatly reduce your risk of becoming a victim.


Used with permission: Identity Theft: Preventing, Detecting, and Responding The Monthly Security Awareness Newsletter for You OUCH! February 2024 © SANS Institute 2023 www.sans.org/security-awareness

QR Codes 

Overview

Have you ever wondered what those squares of dots or bars called “QR codes” are all about? You most likely have seen them posted on websites, printed on posters, used as mobile tickets, or on restaurant tables. How do these work, and are there risks you should be worried about? Let’s find out.

QR code example

How Do QR Codes Work?

QR code stands for “Quick-Response code” and is a machine-readable code usually consisting of a matrix of black and white squares (they can also come in other colors and contain background images). These squares can be easily created with QR code generators, and they’re used to encode information such as website URLs, email contact information, or other types of data. Think of QR codes like bar codes but more versatile. Most mobile device cameras recognize and decode the information coded in a QR code. In other words, when you try to take a picture of a QR code with your device’s camera, it will decode the QR code and ask you if you want to act on the information it contains, such as opening a link to a website.

 

What Is the Danger?

QR codes can be difficult for people to easily interpret, which makes it easier for cyber attackers to encode information that could be malicious or cause harm. For example, a QR code could send you to a malicious website that attempts to harvest your personal information, like passwords or credit card numbers, or perhaps even try to install malware on your device.

 

In addition, QR codes can take additional steps, such as adding a contact to your contacts list or composing an email on your behalf. The QR code by itself is not the threat; however, the information or action it triggers can be.
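The paragraphs above explain that the camera decodes the QR code and then proposes an action (open a link, compose an email, add a contact) and that the action, not the code itself, is what can do harm. The following is an added example, not code from the OUCH! newsletter: a small inspector that takes the text a camera would decode and reports the action it would trigger, along with points worth noticing before tapping through. The payload prefixes (`mailto:`, `tel:`, `SMSTO:`, `MECARD:`, `WIFI:`) are the common QR conventions; the sample payloads are constructed for the demo and use documentation addresses only.

```python
"""Inspect the text decoded from a QR code before acting on it.

Added example (not from the OUCH! newsletter). A phone camera hands the
decoded payload to the operating system, which then proposes an action. This
function classifies the payload and summarises that action so the reader can
review it the way the newsletter advises. Sample payloads are constructed.
"""
from urllib.parse import parse_qs, unquote, urlsplit


def inspect_qr_payload(payload: str) -> dict:
    """Return {'action', 'target', 'notes'} describing what acting on the payload would do."""
    text = payload.strip()
    lower = text.lower()
    notes = []

    if lower.startswith(("http://", "https://")):
        parts = urlsplit(text)
        host = parts.hostname or ""
        if parts.scheme == "http":
            notes.append("plain HTTP, not HTTPS")
        if parts.username is not None:
            notes.append("username/password embedded before the host")
        if host.replace(".", "").isdigit():
            notes.append("raw IP address instead of a domain name")
        if parts.query:
            notes.append("query parameters: " + ", ".join(sorted(parse_qs(parts.query))))
        return {"action": "open a website", "target": host, "notes": notes}

    if lower.startswith("mailto:"):
        address, _, query = text[len("mailto:"):].partition("?")
        fields = parse_qs(query)
        if "subject" in fields or "body" in fields:
            notes.append("email text is pre-filled by the code, not by you")
        return {"action": "compose an email", "target": unquote(address), "notes": notes}

    if lower.startswith(("tel:", "smsto:")):
        scheme, _, rest = text.partition(":")
        number = rest.split(":", 1)[0]          # SMSTO:number:message
        if scheme.lower() == "smsto" and ":" in rest:
            notes.append("message text is pre-filled by the code")
        return {"action": "call or message a number", "target": number, "notes": notes}

    if lower.startswith(("mecard:", "begin:vcard")):
        notes.append("contact details will be written into your address book")
        return {"action": "add a contact", "target": "(see contact fields)", "notes": notes}

    if lower.startswith("wifi:"):
        # WIFI:T:<auth>;S:<ssid>;P:<password>;;  -> joining stores the network on the device
        body = text[len("wifi:"):].rstrip(";")
        fields = dict(item.split(":", 1) for item in body.split(";") if ":" in item)
        notes.append("network credentials will be saved on the device")
        return {"action": "join a Wi-Fi network", "target": fields.get("S", ""), "notes": notes}

    return {"action": "show text", "target": text, "notes": notes}


# Constructed sample payloads (example.com and the 203.0.113.0/24 documentation range).
SAMPLE_PAYLOADS = [
    "https://www.example.com/product?id=42",
    "http://203.0.113.7/login",
    "mailto:support@example.com?subject=Help&body=My%20details%20are",
    "MECARD:N:Doe,Jane;TEL:+15555550100;;",
    "WIFI:T:WPA;S:ExampleCafe;P:not-a-real-password;;",
]


def review_all(payloads=SAMPLE_PAYLOADS) -> list:
    """Inspect every payload in the list; used by the demo below."""
    return [inspect_qr_payload(p) for p in payloads]


if __name__ == "__main__":
    for payload, result in zip(SAMPLE_PAYLOADS, review_all()):
        print(f"{payload}\n  -> would {result['action']}: {result['target']}")
        for note in result["notes"]:
            print(f"     note: {note}")
```

The point of the `notes` list is the newsletter's "take time to review the link itself": a scanner that shows only "Open link?" hides whether the destination is HTTPS, a bare IP, or a pre-filled message, and those are exactly the details worth a second look.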

 

For example, let’s say you are in the city or perhaps in an airport, and there is a poster on a wall promoting a product that interests you. The poster has a QR code you can use to quickly get more information. What you don’t realize is that someone has covered the poster’s QR code with a sticker of a different QR code. When you look at the poster you trust it, not realizing that the QR code on the poster has been replaced by a criminal. When you scan the QR code to learn more about the product, you are directed to a website controlled by the criminal to start an attack.

 

What Should I Do to be Safe?

  • Be careful before trusting and scanning a QR code. First, ask yourself: Can you trust the source? Do you trust the poster, restaurant, or the website that is showing the QR code? If someone left a handout on your car with a QR code, can you believe it?
  • Once you scan a QR code, your device will ask you if you want to act on the information it reads before it does anything. For example, if the QR code is a link to a website, your device will ask you if you want to visit the site before going to it. Take time to review the call to action or the link itself and ensure you feel comfortable visiting it.
  • Confirm your mobile devices are always updated and running the latest version of their operating system. This ensures they have the latest security features. The easiest way to do this is to enable automatic updates on your devices.
  • There is no need to install special mobile apps to decode QR codes; you should be able to simply use your device’s built-in camera. If a website requires you to download a specialized QR scanning app, it is most likely counterfeit or fake.
  • Think twice before providing confidential or personal information to any website that you reached via a publicly visible QR code.

 

QR codes are a convenient way to access all sorts of new information and capabilities. Taking a few simple steps can help you make the most of them, safely and securely.

 

Used with permission:

The Monthly Security Awareness Newsletter for You OUCH! January 2024 © SANS Institute 2023 www.sans.org/security-awareness

 

The Power of the Passphrase 

Are you tired of constantly creating complex passwords? Frustrated with having to remember and type all those characters, symbols and numbers? Well, we have a solution for you: the ever-powerful passphrase!

 

Passphrases

You may not realize it, but passwords are one of the primary attack vectors for cyber attackers. Bad actors are targeting your passwords, and if they can guess correctly or hack the right one, they can easily access your email, bank accounts, or perhaps steal your entire identity. The weaker your passwords, the easier it is for them to get in. As such, strong passwords are one of the most effective ways to protect your accounts and online digital life. Traditionally, you were trained to use highly complex passwords. The idea was that the greater the complexity, the harder it was for cyber attackers and their automated programs to guess the password. The problem with that is that complex passwords are also hard to both remember and type accurately. An even better way to create a strong, secure password is something called a passphrase. Instead of complexity, these are strong because of their length. Here are a couple of examples:

 

Time for strong coffee!

lost-snail-crawl-beach

 

Passphrases are nothing more than a series of words and can contain over twenty characters if a site allows it. That may seem like a lot but both examples above contain more than twenty characters, and unlike passwords, passphrases are much easier to remember and simpler to type. The longer the passphrase, the more secure it is. In some situations, you may be asked to add some complexity to your passphrase — i.e., adding symbols, uppercase letters, or numbers. The easiest way to do this is to modify some of the letters in your passphrase with symbols or numbers. For example, by replacing the letter e with the number 3, the above examples become more complex, yet are still easy enough to remember and type:

 

Tim3 for strong coff33!

lost-snail-crawl-b3ach
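The text above makes the claim that passphrases are strong because of their length rather than their complexity. As an added example (not from the OUCH! newsletter), the code below puts numbers on that claim: it counts the guessing space of a short password drawn from the full keyboard alphabet against that of a longer passphrase, and generates passphrases with the operating system's cryptographic random source. The 16-word list is constructed for the demo; the figure 7776 is the size of the EFF long word list, used here only as a number for comparison. The guess rate in `years_to_exhaust` is an assumed illustrative value, not a measurement.

```python
"""Why length beats complexity: compare guessing spaces.

Added example, not from the OUCH! newsletter. Two ways of counting are
shown: (1) alphabet size raised to the length, which is what a brute-force
guesser who knows only the alphabet faces, and (2) the conservative word-list
count, which is the right number when the words were drawn at random from a
known list.
"""
import math
import secrets

# Constructed demo word list. A real generator uses a published list.
DEMO_WORDS = ["anchor", "beach", "crawl", "dune", "ember", "fjord", "gale", "harbor",
              "island", "jetty", "kelp", "lagoon", "marsh", "nettle", "oyster", "pebble"]
EFF_LONG_LIST_SIZE = 7776      # size of the EFF long list, used only as a number here
PRINTABLE_ASCII = 95           # letters, digits, symbols and space on a US keyboard
LOWERCASE_AND_SEPARATOR = 27   # a-z plus one separator such as a hyphen or space


def bits_from_alphabet(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_from_wordlist(n_words: int, list_size: int) -> float:
    """Entropy in bits of `n_words` drawn uniformly, with replacement, from a list."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int, words=DEMO_WORDS, sep: str = "-") -> str:
    """Random passphrase; `secrets` is the CSPRNG, never use `random` for this."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(complex_length: int = 8, n_words: int = 5) -> dict:
    """Side-by-side figures for a short complex password and a random passphrase."""
    complex_bits = bits_from_alphabet(complex_length, PRINTABLE_ASCII)
    phrase_bits = bits_from_wordlist(n_words, EFF_LONG_LIST_SIZE)
    return {
        "complex_bits": round(complex_bits, 1),
        "passphrase_bits": round(phrase_bits, 1),
        "complex_years": years_to_exhaust(complex_bits),
        "passphrase_years": years_to_exhaust(phrase_bits),
        "passphrase_is_stronger": phrase_bits > complex_bits,
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(4))
    for k, v in compare().items():
        print(f"{k:>22}: {v:,.1f}" if isinstance(v, float) else f"{k:>22}: {v}")
    # The newsletter's own 22-character example, seen by a guesser who only
    # knows it is lowercase letters and hyphens:
    print("brute-force bits for 'lost-snail-crawl-beach':",
          round(bits_from_alphabet(len("lost-snail-crawl-beach"), LOWERCASE_AND_SEPARATOR), 1))
```

Five random words from a 7776-word list come to about 64.6 bits, which already beats an eight-character password drawn from all 95 printable characters (about 52.6 bits), and each extra word adds another 12.9 bits; that is the arithmetic behind "the longer the passphrase, the more secure it is".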

 

Keep it Unique

In order for the passphrase to be truly secure, it also needs to be unique for every account. If you reuse the same passphrase, or one that contains an easily identifiable pattern, for multiple accounts, you are putting yourself in danger.

 

All a cyber attacker needs to do is hack one website you use frequently, steal the passphrase you use for that particular website, and if all your passwords/passphrases are the same they will then have access to all your other accounts. Can’t remember all those long, unique passphrases for each of your accounts?

 

We have a solution for you: password managers.

 

Password managers are special computer programs that securely store all your passwords in an encrypted vault protected by a primary password. To access the vault, you only need to remember the primary password. The password manager can automatically retrieve your passwords whenever you need them and will automatically log into websites for you. Password managers have evolved to contain other features, including storing answers to secret questions, warning you when you reuse passwords or end up on a spoofed website, using generators that will create strong passwords or passphrases for you, and many more. Most password managers also securely sync across almost any computer or device, so regardless of what system you are using you have easy, secure access to all your passwords.

 

The Final Step – Multi-Factor Authentication

A final step to making your passphrases truly foolproof is adding a second layer of protection to them - something called Multi-Factor Authentication (MFA). MFA requires you to have two pieces of identification when you log in to your accounts. This could be your password and a biometric like a fingerprint; or it could be your password and an auto-generated numerical code that is sent to a different device or email account. The code is unique every time and can be generated from a mobile phone or another trusted device. This process ensures that even if a cyber attacker gets your passphrase they still can’t get into your accounts, as they don’t have the second factor. MFA should be enabled whenever possible, especially for your most important accounts such as your banking, retirement, or personal email accounts. If you are using a password manager, it is highly recommended you protect it with a strong passphrase AND multi-factor authentication.
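The paragraph above describes the "auto-generated numerical code" form of MFA: a code that is unique every time and generated on a trusted device. The following is an added example, not code from the OUCH! newsletter, showing how the most common version of that code, TOTP (RFC 6238, built on HOTP from RFC 4226), is derived on the phone and checked on the server. The secret used is the RFC 6238 published test-vector key, not a real credential; the 30-second step and six digits are the RFC defaults.

```python
"""TOTP (RFC 6238): the "auto-generated numerical code" MFA factor.

Added example, not from the OUCH! newsletter. The phone and the server share
a secret once at enrolment; afterwards each derives the same short code from
the secret and the current 30-second time step, so no code ever travels over
the network and each one is valid only briefly.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC6238_TEST_SECRET = b"12345678901234567890"   # published test-vector key, not a real secret
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                          # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the authenticator app shows: HOTP with the counter = current time step."""
    t = time.time() if at_time is None else at_time
    return hotp(secret, int(t // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either side
    to tolerate clock drift; every candidate is compared in constant time and all
    comparisons run before the answer is returned, so timing reveals nothing."""
    t = time.time() if at_time is None else at_time
    counter = int(t // STEP_SECONDS)
    matches = [hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1)]
    return any(matches)


if __name__ == "__main__":
    # Both sides compute the same code from the shared secret and the clock.
    code_on_phone = totp(RFC6238_TEST_SECRET)
    print("code shown on the phone right now:", code_on_phone)
    print("server accepts it:", verify_totp(RFC6238_TEST_SECRET, code_on_phone))
    # The RFC test vector: at Unix time 59 the 8-digit code is 94287082.
    print("RFC 6238 vector at t=59:", totp(RFC6238_TEST_SECRET, at_time=59, digits=8))
```

This is why a stolen passphrase alone is not enough: the attacker would also need the secret stored on the phone, and a code copied from a screenshot stops working within a minute or two because the counter has moved on.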

 

Passphrases are a great way to both simplify security and help secure your accounts. To make your online digital life even simpler and more secure, we suggest combining the power of password managers and MFA for your passphrases.

 

Used with permission.

The Monthly Security Awareness Newsletter for You

OUCH! December 2023

© SANS Institute 2023 www.sans.org/security-awareness

I’m Hacked, Now What? 

Have I Been Hacked?

The internet can be overwhelming, with new technologies changing all the time. No matter how safe you try to be, sooner or later you may be unfortunate enough to get hacked. The sooner you detect something bad has happened, and the faster you respond, the more you can minimize the impact. Below are signs that you may be hacked and if so, suggestions to resolve it.

 

Clues One of Your Online Accounts May Have Been Hacked

  • Family or friends notify you they are receiving unusual messages or invites from you that you know you did not send.
  • Your password to one of your accounts no longer works even though you know the password is correct.
  • You receive notifications from websites that someone has logged into your account when you know you did not log in yourself.
  • You receive emails confirming changes to your online profile that you did not make.

 

Clues Your Computer or Mobile Device Has Been Hacked

  • Your antivirus program generates an alert that your system is infected. Make sure it is your antivirus software generating the alert, and not a random pop-up window from a website trying to fool you into calling a number or installing something else. Not sure? Open your antivirus program to confirm if your computer is truly infected.
  • While browsing the web, you are often redirected to pages you did not want to visit, or unwanted new pages appear.
  • You get a pop-up window saying your computer has been encrypted and you must pay a ransom to get your files back.

 

Clues Your Credit Card or Finances Have Been Hacked

  • There are suspicious or unknown charges to your credit card or unauthorized transfers in your bank account that you know you did not make.

 

Now What? – How To Take Back Control

If you suspect you have been hacked, stay calm. You will get through this. If the hack is work-related, do not try to fix the problem yourself. Instead, report it immediately. If it is a personal system or account that has been hacked, here are some steps you can take:

 

  • Recovering Your Online Accounts: If you still have access to your account, log in from a trusted computer and reset your password with a new, unique and strong password - the longer the better. If you did not have Multi-Factor Authentication (MFA) enabled, now is a good time to enable it. If you no longer have access to your account, contact the website and inform them your account has been taken over. If you have any other accounts that share the same password as your hacked account, also change those passwords immediately.
  • Recovering Your Personal Computer or Device: If your antivirus program is unable to fix an infected computer or you want to be more certain your system is safe, consider reinstalling the operating system and rebuilding the computer. If you feel uncomfortable rebuilding, or if your computer or device is old, it may be time to purchase a new one.
  • Financial Impact: For issues with your credit card or any financial accounts, call your bank or credit card company right away. The sooner you call them, the more likely you can recover your money. Don’t call them using the phone number in an email, but use a trusted phone number, such as the one listed on the back of your bank card or their website. Monitor your statements and credit reports frequently. If possible, enable automated notifications whenever there is a charge or money transfer.

 

What to Do to Stay Ahead of Cyber Attackers?

OUCH Security Awareness newsletter is published monthly and has an entire series on how to secure yourself. In the Resources section below, we list the most important OUCH newsletters to read to protect yourself. These resources focus on three key steps:

 

  1. Keep all your systems and devices updated and current to the latest version.
  2. Use strong, unique passwords for each of your accounts, manage those accounts with a Password Manager, and enable MFA.
  3. Be skeptical - keep an eye out for social engineering tactics such as phishing emails.

 

Resources

Password Managers: https://www.sans.org/newsletters/ouch/power-password-managers

MFA: One Simple Step to Securing Your Accounts: https://www.sans.org/newsletters/ouch/one-simple-step-to-securing-your-accounts/

Emotional Triggers - How Cyber Attackers Trick You: https://www.sans.org/newsletters/ouch/emotional-triggers-how-cyber-attackers-trick-you/

Phishing Attacks Are Getting Trickier: https://www.sans.org/newsletters/ouch/phishing-attacks-getting-trickier/

 

Used with permission: The Monthly Security Awareness Newsletter for You OUCH! November 2023 © SANS Institute 2023 www.sans.org/security-awareness

 

The Power of Updating 

Overview

Cyber attackers are constantly looking for and finding new vulnerabilities in the software you use every day. A vulnerability is a mistake or weakness in how software was developed. This software may run your laptop, the mobile apps on your smartphone, or perhaps even the software in your thermostat. Cyber attackers take advantage of and exploit these software vulnerabilities, allowing them to remotely break into systems, including the ones you use. At the same time, the vendors who create the devices and software are constantly developing new fixes for these vulnerabilities and pushing them out as software updates. One of the best ways you can protect yourself is to ensure that the technologies you use always have these latest updates. These updates not only fix known vulnerabilities, but often add new security features, making it much harder for cyber attackers to hack into your devices.

 

How Updating Works

When a software vulnerability is known, the developer or vendor will create a software fix for the vulnerability (called a patch) and release the update to the public. Your system then downloads and installs this update, fixing the vulnerabilities. Examples of software you need to update are:

  • The operating systems that run your laptop (such as Microsoft Windows or Apple OSX) or run your smartphone (such as Android or iOS)
  • Home networking equipment such as your Internet router or Wi-Fi access points or home smart devices such as thermostats, doorbells, home appliances, or security cameras
  • Programs that run on your devices, such as your laptop’s web browser or your phone’s mobile apps

 

This is why whenever you want to purchase a new device or install a new computer program or mobile app, check first to be sure the vendor is actively updating the program or device. The longer software goes without any updates, the more likely it has vulnerabilities that cyber attackers can exploit. This is why many vendors, such as Microsoft, automatically release new patches every single month. In addition, if you are no longer using a certain computer program, software, or mobile app, remove it from your system. The less software you have installed, the fewer potential vulnerabilities you have and the more secure you are. Finally, if any of your devices or applications are old and no longer supported by the vendor, we recommend you replace them with newer versions that are actively updated and supported.

 

How to Update

There are two ways to update your systems.

 

  1. Manual (the hard way): When an update is available, you manually download and install the update. This gives you more control over what is installed and when. The disadvantage of manual updates is that it is much more work: you not only have to track when each of your devices or programs needs to be updated, but you must also update them yourself, which makes it easy to forget.
  2. Automatic (the easy way): You enable automatic updating on all of your devices, which means whenever a new patch is released your device automatically downloads and installs it. The advantage of automatic updates is that most of the work is done for you. The disadvantage of automatic updates is the updated program could cause a problem, resulting in the loss of functionality or data. This is rare for personal devices, but can happen for more complex environments, like within large corporations. When you enable automatic updates, be sure to double check your system regularly to ensure the updates are happening.

 

Of the two approaches, we highly recommend you enable and use automatic updating on all your personal devices. This ensures that all the technologies you are using, from your smartphone and laptop to your baby monitor and door locks, have the latest software. Up-to-date devices and software make it that much harder for any cyber attackers to hack you and your systems.

 

Used with Permission:

The Power of Updating The Monthly Security Awareness Newsletter for You OUCH! October 2023 © SANS Institute 2023 www.sans.org/security-awareness

 

Online Security for Kids  

Background

Our kids' lives are online today more than ever, from socializing with friends and gaming, to online learning and education. So how can we help our kids make the most of online technology, safely and securely?

 

Education and Communication

First and foremost, make sure that you foster good open communications with your children. Far too often, parents get caught up in the technology required to block content or determining which mobile apps are good or bad. Ultimately, keeping kids safe is less about technology and more about behavior and values. A good place to start is to create a list of expectations with your kids. Here are some factors to consider (note that these rules should evolve as kids get older):

 

  • Decide on times when they can or cannot go online for fun, and for how long. For example, you may want to be sure children complete all homework or chores before gaming online or social networking with friends and limit the amount of time they do spend online each day.
  • Identify the types of websites, mobile apps, and games that they can access online and why they are appropriate or not.
  • Determine what information they can share and with whom. Children often do not realize that what they post online is public, permanent, and accessible to anyone. In addition, anything they share privately with their friends can be (and often is) shared with others without them knowing.
  • Identify who they should report problems to, such as strange pop-ups, scary websites, or if someone online is being a bully or creepy. It's critical that children feel safe talking to a trusted adult.
  • Just like in the real world, teach children to treat others online as they would want to be treated themselves, with respect and dignity.
  • Ensure children understand that people online may not be who they claim to be, and that not all information is accurate or truthful.
  • Define what can be purchased online and by whom, including in-game purchases.

 

Over time, the better they behave and the more trust they gain, the more flexibility you may want to give them. Once you decide on the rules, post them in the house. Even better, have your kids contribute to the rules and sign the document so that everyone is in full agreement.

 

The earlier you start talking to your kids about your expectations, the better. Not sure how to start the conversation? Ask them which apps they are using and how they work. Put your child in the role of teacher and have them show you what they are doing online. Consider giving them some “What if…” scenarios to reinforce the positive digital behaviors you’ve discussed or agreed upon. Keeping communication open and active is the best way to help kids stay safe in today’s digital world.

 

For mobile devices, consider a central charging station somewhere in your house. Before your children go to bed at night, have a specific time when all mobile devices are placed at the charging station so your children are not tempted to use them when they should be sleeping.

 

Security Technologies and Parental Controls

There are security technologies and parental controls you can use to monitor and help enforce the rules you set. These solutions tend to work best for younger children. Older kids not only need more access to the internet but often use devices that you may not control or cannot monitor, such as school-issued devices, gaming consoles, or devices at a friend's or relative's house. In addition, older children can often circumvent purely technological attempts to control them. This is why, ultimately, communication, values, and trust with children are so important.

 

Leading by Example

Remember to set a good example as parents or guardians. When your kids talk to you, put your own digital device down and give them your full attention. Consider not using digital devices at the dinner table, and never text while driving. Finally, when kids make mistakes, treat each one as an experience to learn from instead of simply punishing them. Make sure they feel safe approaching you when they experience anything uncomfortable or realize they have made a mistake online.

 

Used With Permission: Online Security for Kids The Monthly Security Awareness Newsletter for You OUCH! September 2023 © SANS Institute 2023 www.sans.org/security-awareness

 

The Power of Password Managers 

Are You Frustrated with Passwords?

Like most people, you likely find creating, managing, and remembering all your different passwords a daunting task. It seems like every website has different password rules and many require additional security measures such as security questions. Wouldn’t it be great if there was a single solution to take care of all your password problems? There is. It’s called a password manager.

 

Password Managers Simplify and Secure Your Digital Life

Password managers are a software solution that stores your passwords in a protected database, sometimes called a vault. The password manager encrypts the vault's contents and protects it with a primary password that only you know. When you need one of your passwords, you simply type your primary password into your password manager to unlock the vault. The password manager often integrates into your web browser and automatically retrieves the correct password and securely logs you into the website. This allows you to easily maintain a unique password for each of your accounts, which is critical to keeping your digital life secure. In addition, most password managers include the ability to synchronize across multiple devices. When you update a password on one device, those changes are synchronized to all your other devices. Finally, most password managers detect when you're attempting to create a new online account and can create and store a new, unique password for you. The only password you have to remember is the primary password you use to access your password manager. It's critical that you make this password long and unique. In fact, we recommend you make it a passphrase: a long password made up of multiple words or phrases. If your password manager supports multi-factor authentication, use that as well. Finally, it’s vitally important that you remember your primary password to avoid getting locked out of your password manager.

 

Choosing a Password Manager

There are many password managers to choose from. In the Resources section below, you will find a link to reviews of password managers. Meanwhile, when trying to find the one that's best for you, keep the following in mind:

 

  • Your password manager should be simple to use. If you find the solution too complex to understand, find one that better fits your needs.
  • A good password manager should be compatible with and synchronize across all your devices.
  • Use only well-known and trusted password managers. Be wary of products that have not been around for a long time or have little or no community feedback.
  • Make sure the vendor actively updates the password manager and be sure you are always using the most recent version.
  • The password manager should give you the option to securely store other sensitive data, such as the answers to your secret security questions, credit card information, and frequent flier numbers.
  • Be suspicious of password managers that let you recover your primary password or allow their tech support organizations to change it for you. You may want to write down your primary password, store it in a sealed envelope, and secure the envelope in a protected location in case you forget.

 

Password Managers Not for You?

We understand some people may find password managers overwhelming and too complicated to use. Yet to be secure, a unique password is still needed for each account. How can someone safely remember all those unique passwords? One option is to write those passwords down. This is not an option for work-related passwords. But this may be an alternative to use at home for personal accounts if password managers are simply not an option. The key step is securing that notebook. If you or a loved one does use a notebook to write passwords down, be sure that notebook is stored in a safe place that only you or trusted family members have access to.

 

 

Used with permission: The Power of Password Managers. OUCH! The Monthly Security Awareness Newsletter for You, August 2023. © SANS Institute 2023, www.sans.org/security-awareness

 

Stop Those Phone Call Scams 

The Story

David was busy watching his favorite streaming series when he got a phone call from a number he did not recognize. The area code was the same as his, so he assumed it was someone local and answered the phone. Right away David was asked to confirm his full name. The caller then stated that he was from the police department and that a warrant had been issued for David’s arrest. David’s taxes were outstanding and if they were not paid in the next 24 hours, the police would have to arrest him. David was terrified and asked what he needed to do.

 

The caller then gave him the phone number of the local government tax department where he could take care of the outstanding taxes. David immediately hung up and then called that number, which was answered by a kind lady who identified herself with the local tax department. David gave her his full information. After a moment, she confirmed that he had $1,487.72 outstanding in taxes. If he paid immediately over the phone with his credit card, she would be able to take care of the situation and he would not go to jail. David was relieved and immediately gave her the credit card information, which she charged for the full amount, telling him everything was resolved.

 

The Attack

The problem was that the callers were neither from the police department nor a government tax agency. These were two criminals working together to scam people. They were calling thousands of random people and repeating the same story. They used special software to ensure that the number they called from always used the same area code as the victims they were calling, making it look like their phone number was local and more trusted.

 

These criminals use other stories as well — everything from claiming that your warranty has expired, to providing business loans you can take out for free, to fixing your infected computer. Quite often they are trying to get your credit card information or passwords, fool you into transferring them money, or perhaps even give them remote access to your computer.

 

These scammers often create a tremendous sense of urgency or promise you something too good to be true in order to trick you. They use emotion to rush you into making a mistake. They may have also collected prior information about you which they’ll use to establish credibility.

 

More recently, with the availability of artificial intelligence services, scammers can even change their voices in phone calls.

 

The Counterattack: What You Can Do

There are several steps you can take immediately to protect yourself:

 

  • Configure your phone to only allow calls from trusted numbers in your phone’s Contacts or Address Book. This makes it so that any call from someone you do not know will instead go directly to voicemail. The vast majority of scammers will not even bother leaving a voice message, and for the ones who do, it is easier to tell that the message is a scam and delete it. In addition, some service providers also have a call screening service which you can enable.
  • If you do end up on the phone with someone you do not know, be cautious. If they are pressuring you into taking an action, it's most likely a scam. If they say it's your bank calling, hang up and use a trusted phone number to call your bank back, such as the number on your bank card. If they say it's the government calling, go to that government department’s website and find a trusted phone number to call back. The longer they have you on the phone, the more likely they can trick you.
  • Never provide the caller with personal or sensitive information that they should already have. If your bank calls you, they should already know your name, address, and account number.

 

Modern scammers are extremely aggressive. They have nothing to lose and everything to gain. Configure your phone to only receive phone calls from contacts you know and trust, and when in doubt, hang up!

 

 

Used with permission: OUCH! The Monthly Security Awareness Newsletter for You, July 2023. © SANS Institute 2023, www.sans.org/security-awareness

 

Securing Your Financial Accounts 

Overview

Your financial accounts are a primary target for cyber-criminals. You have money, and they will do anything to steal it. By financial accounts, we mean not only your checking or savings accounts, but also investments, retirement, and online payment accounts like PayPal. Fortunately, with some simple, fundamental steps, you can protect yourself.

 

How Do They Attack?

Banks invest a huge amount of money in securing their systems, making it extremely difficult for a cyber-criminal to hack into them. This is why cyber-criminals target you and your accounts instead. They know you don’t have your own security team to protect you, so it's much easier to hack you than a bank. Here are the two most common ways they will target you and attempt to steal your money:

 

Passwords:

Each of your financial accounts is protected by a password. If a cyber-criminal can guess or compromise any of those passwords, they can log in as you and then transfer your money to bank accounts that they control. There are numerous ways they will try to get your password. One common method is infecting your computer with malware. Once your computer is infected, they can capture your username and password when you access your bank’s website. Another common method is sending phishing emails that pretend to come from your bank. When you click on the link in the email, you think you are logging into your bank’s website, but in reality, you are logging into a fake website that the criminals control. This allows them to once again harvest your username and password, which they can then use to log in as you.

 

Asking:

Cyber criminals can simply ask you for your password or for you to transfer the money to them. Such social engineering attacks often start by getting you on the phone. Cyber-criminals know that once they get you talking, it's much easier for them to use emotion to get you to make a mistake. This is why you are starting to see more phishing emails, voice mail, and browser pop-ups creating a sense of urgency by telling you that you have to call a phone number to resolve an issue or to take advantage of an amazing opportunity before it expires. Once you call the phone number, the criminals create a tremendous sense of pressure to either give them access to your accounts or to move your money to different accounts for them. For example, they may tell you they are from tech support or the government, claiming that your computer is infected and that if you don’t act now, you will lose all your money.

 

Protecting Yourself

Fortunately, securing your bank accounts is simpler than you may think. Here are three simple steps to protect yourself.

 

Be Suspicious:

First and foremost, you are your own best defense. If you get an email, text message, voicemail, or browser pop-up that seems odd or suspicious, it may be an attack. The greater the sense of urgency, and the more you are being pressured to act NOW, the more likely it is an attack.

 

Use Strong Passwords / MFA:

Protect each of your financial and personal email accounts with a long, unique password. Can’t remember all of those unique passwords? Consider using a password manager to securely remember and store them all for you. The best way to protect each of your financial accounts is to enable a feature called multi-factor authentication (MFA) on each account.

 

Monitor:

Finally, monitor all your financial accounts. You can set up automated alerts that will email or text you any time money is moved into or out of your accounts. This way you can quickly detect any unauthorized or suspicious transaction. The sooner you detect something wrong and report it to your bank, the more likely you will be able to recover your money.

 

 

 

 

Used with permission: OUCH! The Monthly Security Awareness Newsletter for You, June 2023. © SANS Institute 2022, www.sans.org/security-awareness

 

Artificial Intelligence: What to Know 

What is It and Why Should I Care?

 

Artificial Intelligence (AI) describes systems programmed to think and respond like humans. In fact, we asked the AI solution ChatGPT that very question and got this response.

 

What is Artificial Intelligence?

 

Artificial intelligence (AI) refers to the simulation of human intelligence in machines that are programmed to think and learn like humans. It involves the development of algorithms and computer programs that can perform tasks that typically require human intelligence, such as recognizing speech, understanding natural language, making decisions, and playing games. There are several types of AI, including rule-based AI, expert systems, and machine learning.

 

What makes AI so powerful is that it can simulate the intelligence and reasoning capability of the human mind, yet analyze far more information than any human and do it far faster.

 

The concept of AI is not new. Originally covered in science fiction novels, AI is something that has been in development for decades. The reason you are hearing so much about it now is that for the first time, anyone has the opportunity to interact with and see the true functionality of AI.

 

ChatGPT, an online AI chatbot, is one of the first publicly available solutions able to respond like a real human, passing something called the Turing Test. This test determines a machine’s ability to exhibit intelligent behavior by having a real human interact with the machine through a text-based chat channel. If the human cannot tell whether they are interacting with a machine or a person, the machine is said to have passed the test. AI solutions today are the first publicly available ones that do just that.

 

However, online conversations are just the beginning of what AI can do. There are now AI solutions that can create a video of a person teaching a class in any language, analyze health records and quickly determine who most likely has cancer, create news articles or essays on the topic of your choice, generate images for children’s books, or create code for new computer programs. While AI is not necessarily something to be feared, there are some dangers of which to be aware.

 

Dangers of Artificial Intelligence

 

  1. Recreating You: AI solutions can take a recording of a person’s voice – your voice – and then use it to create real-time audio that sounds just like you, saying whatever it wants to impersonate you. So, a cyber attacker could record a phone voice message that sounds like you, tricking your coworkers, your bank, or a family member into thinking you called and asked them to take an action. AI can also do this with pictures or video. Sometimes called Deep Fakes, an AI solution can take an existing picture or video of you and use it to recreate entirely new pictures or videos (including your voice) appearing to show you doing things that you never did.
  2. Wrong Answers: As for the data or answers AI provides, the solutions can be wrong. AI often uses public information from the Internet, and its answers can be influenced by the biases of its developers. While typical search engines are designed to provide you the “best” or most correct answer to your queries, solutions like AI may be designed to give you the most humanlike answer. Which is better depends on what you are attempting to achieve.
  3. Not All Equal: With AI becoming the latest hot technology, there are literally hundreds of startup companies now offering different AI services. Many of these want your information or credit card for a trial. Be careful - not all AI services are trustworthy. Do your research before signing up and using an AI service.
  4. Your Privacy: Whenever using or interacting with an AI system, such as when chatting online with ChatGPT, be aware that any information you enter into the system can not only be processed by it but also retained and used to give answers to others. This means if you enter any personal information about yourself or any confidential information from work, that information will be stored and potentially shared with or sold to others. Do not share or enter any information that you consider sensitive, personal, or is confidential at work.

 

The Future of AI

 

Artificial Intelligence is still very much in its infancy, similar to where the Internet was twenty to thirty years ago. While we can expect rapid evolution and adoption of AI, it's very difficult to predict what its impact will be. Just be aware that these capabilities are out there, and when using AI, be very careful what information you enter and share.

 

 

Used with permission: OUCH! The Monthly Security Awareness Newsletter for You, May 2023. © SANS Institute 2022, www.sans.org/security-awareness

 

Scareware: A Story 

Warning! Your computer is infected with Black Basta ransomware. Call this phone number right away to fix your computer! - If you saw this warning pop-up on your computer, would you call the phone number?

 

The Attack

After thirty years of working hard, Deborah had saved enough money to retire with her husband. Wanting to review her retirement accounts, she typed the name of her bank into her browser. What she did not realize is that she had mistyped the bank name, taking her to a different website that immediately displayed a scary warning banner that claimed her computer was infected and instructed her to call tech support immediately. The pop-up warning was very professional. It detailed which malware had infected her computer, had an official company logo, and provided an emergency number for her to call.

 

Deborah immediately called the number, which was answered by a seemingly professional support agent. The agent explained that her computer was indeed infected and that they needed access to her computer to fix it. She had to visit a specific website, download their security software, and then install it. She did as requested, and the support agent informed her they had access, after which they started searching her computer.

 

Soon they confirmed her worst fears: not only was her computer infected, but it appeared her bank account had been broken into. Fortunately, the tech support company had a direct connection with her bank, and they quickly transferred her to a fraud agent. The fraud agent confirmed her account was indeed compromised and was being used to transfer fraudulent funds. They told her to immediately transfer all of her money into a different bank account to protect it. Deborah did as instructed. They then informed her that her retirement account was also compromised. Fortunately, they also had a partnership with the government tax agency. She was then connected to a government agent who explained that to secure her retirement account, she needed to cash in her life savings and move it into another account before criminals were able to access all of it. She did this. It was a long and terribly emotional night, but Deborah was glad to not only have fixed her computer but saved all of her money by moving it to new, safe accounts. She went to bed exhausted.

 

The next morning, she logged into her new bank account to access her recently moved savings and retirement accounts, but all the money was gone. In a panic she called the tech support number she had called yesterday. There was no answer. She soon realized her entire life savings was gone. She had just given it away.

 

How to Avoid This Happening to You

Cyber criminals have learned that the easiest way to infect your computer or steal your money is to simply ask. Scareware is a common way they do this - by tricking you into thinking your computer is infected when it's really not. They then rush you into taking hasty actions so they can take advantage of you. This story is based on real events that happened to real people. Deborah’s computer was never infected, instead she accidentally visited the wrong website. The tech support company was not a real company, but a team of cyber criminals half-way around the world. Even the bank fraud and government agents were just different members of the same cyber-criminal team. Once cyber criminals get you on the phone, they will try anything possible to make money. So how can you protect yourself?

 

  • Being suspicious is your best defense. Any time someone is trying to rush you into taking an action, it may be an attack. The greater the sense of urgency and the more they are pressuring you, the more likely it is a scam.
  • No legitimate company will ever ask you for your password. No bank is going to ask you to move your money.
  • Never use contact information provided in an alert or pop-up. If you want to check the legitimacy of an alert, always use contact methods that you already know, such as phone numbers on your bank statements or credit cards or use links bookmarked in your browser.

 

If you do believe you or a loved one has fallen victim to a financial scam, report it to law enforcement and your bank right away. The sooner you report, the more likely you may be able to get your money back.

 

 

Used with permission: OUCH! The Monthly Security Awareness Newsletter for You, April 2023. © SANS Institute 2022, www.sans.org/security-awareness

Digital Spring Cleaning in 7 Simple Steps 

Overview

We often hear of the term “spring cleaning,” the time of year when we go through our belongings and organize our house and lives in preparation for the upcoming summer. This is also the perfect time to take an annual review of your digital life. The following seven simple steps, taken once a year, will go a long way toward ensuring you can make the most of technology, safely and securely.

ACCOUNTS: Review each of your accounts. Using a long, unique password for each account ensures that if one account is compromised, your other accounts are still safe. Can't remember all those different passwords? Don’t worry, neither can we. We recommend you use a password manager to securely store all your passwords and make your life far simpler and more secure. Enable multi-factor authentication (MFA) when possible, especially for your personal email or financial accounts. This is the single most important step you can take to secure any online account. If you have any online accounts you have not accessed in over a year, it could be time to simply delete them.

PROGRAMS: Keeping your devices and software updated and current ensures you have the latest security features installed and known vulnerabilities are fixed. The simplest way to do this is to make sure you have automatic updating enabled on all your computers, mobile devices, and even smart home devices. Also, delete any unused programs or apps on your mobile devices and computers. Some apps require large amounts of storage, can introduce new vulnerabilities, and may even slow things down. The fewer apps you have, the more secure your system and your information remains. Many devices show you how long it has been since you've used an app. If it has been a year since you last used the app, chances are you don't need it anymore.

FINANCES: Verify that your bank accounts, credit card accounts, investments, and retirement accounts are configured to alert you whenever a transaction is made, especially for unusual sign-ins, large purchases, or money transfers. This will make it so that you are always notified when a financial transaction occurs, and you can spot any fraud or unauthorized activity right away. The sooner you identify fraudulent activity, the sooner you can stop it and the more likely you can recover your money. Depending on which country you live in, an additional step you can take is to implement a credit freeze, which can be one of the most effective ways to protect your identity.

DISPOSING OF DEVICES: Over time you may find yourself collecting old devices you no longer need - perhaps an old smartphone or smart home device. If you dispose of any of these devices, first wipe any personal information from them. Most devices have a simple wiping function (or a reset to factory default) that securely purges all personal information; use it before disposing of the device.

BACKUPS: No matter how safe or secure you are, at some point you will most likely need backups to recover your important information or migrate your information to a new device. Set your devices to automatically back up to the cloud. Creating and scheduling automatic backups allows you to recover your most important information.

PARENTING: If you are a parent or guardian, this is a good time to review any parental controls settings you have in place for children. As children get older, you will most likely need to update these controls settings.

SOCIAL MEDIA: Review privacy settings on your social media accounts – these are a goldmine of personal information. Review your accounts to check that you are not sharing sensitive information such as your birthday, phone number, home address, banking information, or geo-location in personal photos. Spending just a couple hours a year taking these steps will go a long way toward protecting you, your devices, and information.

 

Used with permission: OUCH! The Monthly Security Awareness Newsletter for You, March 2023. © SANS Institute 2022, www.sans.org/security-awareness

 

Do I Need Security Software? 

Overview

When you bought a new computer years ago, you often had to install additional security software on your computer to help ensure it was secure against cyber attackers. However, most of today’s computers and devices have numerous security features already built into them, such as automatic-updating, firewalls, disk encryption, and file protection. In addition, Microsoft provides on Windows computers security functionality called Microsoft Defender, which includes additional features such as anti-virus. In many ways today’s systems by default are much more secure. In fact, YOU are most likely now the greatest weakness. This is why cyber attackers continually target people, attempting to trick you into doing things you should not do, such as give up your passwords, click on links, or open email attachments that install malware on your computers or share your credit card information.

Which tools should I consider?
If you want to take some additional steps to secure your systems, there are some additional security programs you can consider.

Password Manager: Passwords can be complex and overwhelming, especially having to remember potentially hundreds of different passwords. A Password Manager is a secure vault that protects and stores all your passwords for you so you have to only remember one master password. In addition, they can log you into websites, generate passwords for you, and help validate certain websites.

Virtual Private Network (VPN): VPNs primarily focus on protecting your privacy by encrypting your connection to the Internet and hiding your source location.

Security Suites: These are packages of security software that provide a collection of additional security features above and beyond what your operating system already provides. For example, filtering for dangerous websites, parental controls, and often a VPN. Each suite has different features, so research the one that you feel is best if you need one.

Selecting a Security Vendor
If you need to purchase additional security tools or software, there are many different vendors from which to choose. Which one should you choose? Quite often different vendors are more similar in the features they offer than they are different. The key is to use a solution from a trusted vendor. You don’t want to accidentally purchase and install something distributed by cyber criminals that is infected with malware.

Purchase tools from only well-known vendors that you have heard of and trust. Never purchase a tool from a company you know nothing about, that is brand new, or has no comments or lots of negative comments. You want to be sure that the solution you are purchasing is legitimate and actively updated and maintained. You may even want to consider in what country the vendor is based. There are numerous online sites that have reviews of trusted vendors showcasing the differences in features and costs of their security software.

Be careful of free tools. While excellent free security tools do exist, there can be some concerns. These tools may be limited in features, difficult to use, or not updated frequently. In some cases, free tools may be developed by cyber attackers and then infected with malware.

Remember, while these security tools are helpful, start first with your computer's built-in security features, to include enabling automatic updating. Today’s operating systems are very secure by default. Finally, you are your own best defense. Be cautious with any odd or suspicious phone calls, emails, or text messages. No security software in the world can protect you from someone trying to trick or fool you into something you should not do.

 

Used with permission: OUCH! The Monthly Security Awareness Newsletter for You, February 2023. © SANS Institute 2022, www.sans.org/security-awareness

 

Biometrics – Making Security Simple 

Overview

Do you hate passwords? Are you tired of constantly logging into new websites or can’t remember all of your complex passwords? Frustrated by having to generate new passwords for new accounts or having to change old passwords for existing accounts? We have good news for you. There is a solution called biometrics that helps make cybersecurity easier for you. Below we explain what biometrics are, how they make your life simpler and why you will start seeing more of them.


First, Why Passwords?
Passwords are part of something called authentication, the process of proving who you are. There have typically been two things you can provide to prove your identity: something you know (like your passwords) and something you have (like an ATM card or your mobile device). Traditionally authentication has been done with passwords. Passwords were first adopted as it was one of the easiest authentication solutions to deploy. However, over the years our lives have become far more complicated with far more accounts than anyone ever expected. It is quite common for a person to have over 100 passwords in their work and personal life.

In addition, cyber attackers have become quite good at guessing, stealing or cracking passwords. This is why you see so many rules about passwords, such as making them long (so they are hard to guess) and using a unique password for every account (so if one of your accounts is hacked, your other accounts are still safe). The problem with all of the password requirements is they make being cybersecure more difficult. Password managers dramatically help as they securely remember all of your passwords and log you into websites for you, but is there a better way? This is where biometrics can help by providing a third thing to prove your identity – something you are.

Biometrics
Like passwords, biometrics are another way to prove who you are. The difference is instead of having to remember something (like your passwords) you use an element of who you are to prove your identity, such as using your fingerprint to gain access to your phone. Biometrics are much simpler as you don’t have to remember or type anything, you just authenticate using who you are. There are many different types of biometric such as your voice, how you walk, or your iris prints. However, fingerprints and facial recognition are the two most common, especially for mobile devices. While biometrics have a tremendous number of advantages, they also have some disadvantages, one of the biggest being if your fingerprint or face is copied by cyber attackers, you cannot change them.

Passkeys
Over the coming months and years, you should start seeing biometrics replacing passwords with a new technology called Passkeys. This technology is being adopted by Microsoft, Apple and Google and you should soon see it being adopted at more and more websites over time. Passkeys replace passwords by allowing you to prove who you are by simply using biometrics combined with your mobile device. When you create an account at a website (such as Google or Apple), instead of creating a password you register your mobile device. Moving forward you log into that website by authenticating with your mobile device using biometrics, such as your fingerprint or facial recognition. The website trusts your mobile device, and your mobile device confirms it's you using biometrics. In addition, your biometric data (fingerprint or face) is not sent to any website. Instead, your biometrics are securely stored locally on your device. They are just used to unlock the “Passkey”, a unique key created for each site, which your device uses to prove itself to the site while protecting your biometric data. While no solution is perfect, biometrics and solutions like Passkeys can help keep you secure while simplifying security.
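The passkey flow described above, as an added example that is not part of the newsletter and not any vendor's passkey implementation: the site stores only a public key, the device holds one private key per site behind a local biometric check, and each login signs a fresh challenge bound to the site's address. Names such as `bank.example`, `alice` and the look-alike address are constructed, and the biometric check is modelled as a boolean.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the user's phone. The biometric check happens only here; it
// unlocks a per-site private key that never leaves the device.
type Device struct {
	keys map[string]ed25519.PrivateKey // keyed by the site address the key was created for
}

// Website models a site that stores only public keys, one per registered user.
type Website struct {
	origin string
	users  map[string]ed25519.PublicKey
}

func NewDevice() *Device { return &Device{keys: map[string]ed25519.PrivateKey{}} }

func NewWebsite(origin string) *Website {
	return &Website{origin: origin, users: map[string]ed25519.PublicKey{}}
}

// Register creates a fresh key pair for this site. The site receives only the
// public half; the private half stays on the device.
func (d *Device) Register(site *Website, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.keys[site.origin] = priv
	site.users[user] = pub
	return nil
}

// NewChallenge is the random value the site asks the device to sign. It differs
// for every login, so a recorded signature cannot be replayed later.
func (w *Website) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the site address, so a signature made for
// one site is meaningless at any other.
func signedData(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign is the device side of a login. The biometric result gates key use, and
// the device picks the key for the address it is actually talking to.
func (d *Device) Sign(biometricOK bool, origin string, challenge []byte) ([]byte, error) {
	if !biometricOK {
		return nil, errors.New("biometric check failed: key stays locked")
	}
	priv, ok := d.keys[origin]
	if !ok {
		return nil, errors.New("no passkey registered for " + origin)
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), nil
}

// Verify is the site side: check the signature with the stored public key.
func (w *Website) Verify(user string, challenge, sig []byte) bool {
	pub, ok := w.users[user]
	return ok && ed25519.Verify(pub, signedData(w.origin, challenge), sig)
}

// Login runs the full exchange. seenOrigin is the address the device believes
// it is talking to; a look-alike address has no key, so nothing gets signed.
func Login(d *Device, site *Website, user string, biometricOK bool, seenOrigin string) (bool, error) {
	challenge, err := site.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(biometricOK, seenOrigin, challenge)
	if err != nil {
		return false, err
	}
	return site.Verify(user, challenge, sig), nil
}

func main() {
	phone, bank := NewDevice(), NewWebsite("bank.example") // constructed names
	if err := phone.Register(bank, "alice"); err != nil {
		panic(err)
	}
	ok, err := Login(phone, bank, "alice", true, "bank.example")
	fmt.Println("genuine site, biometric ok:", ok, err)
	_, err = Login(phone, bank, "alice", true, "bank-example.test") // constructed look-alike address
	fmt.Println("look-alike site:", err)
}
```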

Resources
Password Managers: https://www.sans.org/newsletters/ouch/password-managers/
More on Passkeys: https://www.sans.org/blog/what-is-phishing-resistant-mfa/


Used with permission: OUCH! The Monthly Security Awareness Newsletter for You, January 2023. © SANS Institute 2022, www.sans.org/security-awareness

 

Disposing of Your Mobile Device 

Overview

Mobile devices, such as smartphones, smart watches, and tablets, continue to advance and innovate at an astonishing rate. As a result, you may be replacing your device as often as every year. Unfortunately, you may not realize just how much personal data is on your devices — far more than on your computer. Below we cover the different types of data on your mobile devices and how you can securely wipe your device before disposing of or replacing it. If your mobile device was issued to you by work, check with your supervisor about disposal procedures first.

Your Information
Your mobile devices store more sensitive data than you realize, including:

  • Where you live and work, and your daily travel habits.
  • The contact details for everyone in your address book, including family, friends, and co-workers.
  • Phone call history, including inbound, outbound, voicemail, and missed calls.
  • Texting or chat sessions within applications like secure chat, games, and social media.
  • Personal photos, videos, and audio recordings.
  • Stored passwords and access to your accounts, such as your bank, social media, or email.
  • Health-related information, including your age, heart rate, or exercise history.
  • Financial information, including credit cards, payment methods, and transactions.

Erasing Your Device
Regardless of how you dispose of your mobile device, such as donating it, exchanging it for a new one, giving it to someone, reselling it, or even recycling it, first erase all of your sensitive information. Do not assume that the next owner will “do the right thing.” The first step is to back up your device so you can recover and transfer all your data and settings to your new device. Once backed up, you will want to reset your device, as this wipes your data and resets it to factory default. During the reset process you may be prompted to enter your cloud password to break any links between that device and the cloud; be sure to do this. The reset steps below are for the two most common devices — Apple and Android.


Apple iOS Devices: Settings | General | Transfer or Reset | Erase All Content and Settings

Android Devices: Settings | System | Reset Options | Erase All Data

(these options vary depending on your device manufacturer).

SIM & External Cards
In addition to resetting your device, also consider what to do with your SIM (Subscriber Identity Module) card. This is the little card in your phone issued to you by your phone carrier; it’s what identifies your device and enables it to make a cellular or data connection. When you wipe your device, the SIM card retains information about your account and is tied to you. If you are keeping your phone number and moving to a new device, talk to your phone service provider about transferring your SIM card. If this is not possible, keep your old SIM card and physically destroy it. Many of today’s modern smartphones have something called an eSIM, which is a virtual SIM card as opposed to a physical SIM. The eSIM is wiped during the reset process.

Finally, some Android mobile devices utilize a removable SD (Secure Digital) card for additional storage. Remove these external storage cards from your mobile device prior to disposal. These cards can often be re-used in new mobile devices or can be used as generic storage on your computer with a USB adapter. If reusing your SD card is not possible, then just like your old SIM card, we recommend you physically destroy it.

If you are not sure about any of the steps covered above, or if your device reset options are different, take your mobile device to the store where you bought it and get help. Finally, if you are throwing a device away, consider donating it instead. There are many excellent charitable organizations that accept used mobile devices, and many mobile providers have drop-off bins in their stores to recycle them.

Used with permission

OUCH! December 2022

© SANS Institute 2022 www.sans.org/security-awareness

Browsers 

Overview

Browsers such as Google Chrome, Microsoft Edge, Apple Safari, or Mozilla Firefox are one of the most common ways people interact with the Internet. We use them for reading the news, checking email, shopping online, watching videos, and playing games. As a result, browsers are also a target for cyber attackers.

Many people assume browsing online is safe if you only visit well-known, trusted websites. However, it is quite easy to accidentally click on or visit an unsafe web page, sometimes without even knowing it. In addition, the very websites you know and trust can be hacked, with cyber attackers installing malicious software on them. Finally, today’s browsers have many new features, which can often be confusing and, if misconfigured, expose you to even more dangers.

Securely Leveraging Your Browser

Here are key steps to protecting yourself:

Updating: Always use the latest version of your browser. Updated browsers have the latest security patches and are much more secure. With today’s computers this has become much easier: simply enable automatic updating on your system, or, for some browsers, restart your browser whenever it tells you there is a new update. After an update, check for new security features from which you can benefit.

Warnings: Today’s browsers can often recognize certain malicious websites designed to cause you harm. If your browser warns you that the website you are about to visit is dangerous, close your browser tab and find what you need on a different website.

Syncing: Never sync your work browser with your personal browser or any personal accounts. Syncing is when you enable browsers on different devices to talk to each other and share your browsing information, such as your browsing history, bookmarks, and saved content.

Passwords: Many browsers support the option of saving your passwords to different sites. Instead of storing your passwords in your browser, we recommend you use a dedicated password manager. Password managers are separate security applications that have far more security features and functionality.

Plug-ins: Plug-ins or extensions are small pieces of software added to browsers that can add functionality. However, each new plug-in you add can also add more vulnerabilities. For your work computer, only add plug-ins that are authorized and approved, and just like your browser, keep them updated. Remove plug-ins that you no longer need or use.

Privacy Mode: Most browsers offer a privacy option (also referred to as “incognito mode”). This means when you open a browser tab in privacy mode, you limit what information is collected about you. For example, your browser does not collect cookies, does not track browsing history, and will not store nor distribute sensitive information about you.

Live Chat: Some websites now offer a live chat feature where you can ask questions. Only engage in these online chats with known, trusted websites. In addition, limit the information you share during a live chat session, as you have no idea who is collecting your information, what they are doing with it, and to whom they may be selling it or sharing it.

Beware of Remote Control: Fraudulent websites will attempt to hack your computer by posting a fake security pop-up warning to your browser that your computer is infected and pressuring you for an online chat session to fix your computer. They will then urgently request that you allow them to install a remote agent to allow them to fix your computer. In reality your computer is just fine. Instead, they are attempting to trick you into installing malicious software so they can steal your passwords and your data, and track all of your online activity.

Log Off: When you are finished visiting a website, be sure to log off to remove sensitive login and password information before closing the browser.

 

The Monthly Security Awareness Newsletter for You
OUCH! November 2022

© SANS Institute 2022 www.sans.org/security-awareness

Junk Email Folder 

The Outlook Junk Email filter doesn’t stop delivery of junk email messages but does the next best thing—it moves suspected spam to the Junk Email folder.

 

Microsoft system defaults and rules added by email administrators are in place to limit the amount of junk mail that can get to your Inbox.

 

It's a good idea to regularly review messages in the Junk Email folder to check for legitimate messages that were incorrectly classified as junk. If you find a message that isn’t junk, drag it back to the Inbox or any other folder. Microsoft is constantly refining the criteria to identify Spam and Junk email and there should be very few instances of legitimate email being captured in your Junk Email folder.

 

Please note:  Do not respond to or forward emails located in your Junk Email folder.  We are beginning to see individuals capture UMB Spam and Phishing emails located in their Junk Email folder and either responding to them or forwarding them.  There is no need to report any messages in your Junk Email folder as Spam. 

 

Microsoft’s algorithms learn the identity of individuals who send you emails.  You will receive an alert if you receive an email from someone who doesn’t typically contact you, and the alert will look like this:  “You don’t typically receive email from username@some.domain.com Learn why this is important”

 

The link will take you to a Microsoft page that gives you information on how to spot a phishing email.

 

If the message is from someone outside of the University, you will also see the following message:

 

CAUTION: This email originated from a non-UMB email system.  Hover over any links and use caution opening attachments.

 

If you receive either one or both alerts in an email that is in your Junk Email folder, you can most often safely ignore it.  You can delete messages in your Junk Email folder or leave them alone.  They will automatically be deleted after 30 days.

 

Please continue to do your part to protect UMB resources by reporting suspicious emails you receive in your Inbox and by ignoring or deleting emails in your Junk Email folder.

 

Emotional Triggers – How Cyber Attackers Trick You 

Overview

Cyber attackers are constantly innovating ways to trick us into doing things we should not do, like clicking on malicious links, opening infected email attachments, purchasing gift cards or giving up our passwords. In addition, they often use different technologies or platforms to try to trick us, such as email, phone calls, text messaging, or social media. While all of this may seem overwhelming, most of these attacks share the same thing: emotion. By knowing the emotional triggers that cyber attackers use, you can often spot their attacks no matter what method they are using.

It's all About Emotions
It all starts with emotions. We, as humans, far too often make decisions based on emotions instead of facts. There is, in fact, an entire field of study on this concept called “behavioral economics,” led by researchers such as Daniel Kahneman, Richard Thaler, and Cass Sunstein. Fortunately for us, if we know the emotional triggers to look for, we can successfully spot and stop most attacks. Listed below are the most common emotional triggers for which to watch. Sometimes cyber attackers will use a combination of these different emotions in the same email, text message, social media post, or phone call, making it that much more effective.

Urgency: Urgency is one of the most common emotional triggers, as it's so effective. Cyber attackers will often use fear, anxiety, scarcity, or intimidation to rush you into making a mistake. Take, for example, an urgent email from your boss demanding sensitive documents to be sent to her right away, when in reality it is a cyber attacker pretending to be your boss. Or perhaps you get a text message from a cyber attacker pretending to be the government informing you that your taxes are overdue and you have to pay now or you will go to jail.

Anger: You get a message about a political, environmental, or social issue that you are very passionate about — something like “you won’t believe what this political group or corporate company is doing!”

Surprise / Curiosity: Sometimes the attacks that are the most successful say the least. Curiosity is evoked with surprise; we want to learn more. It is a response to something unexpected. For example, a cyber attacker sends you a message that a package is undelivered and to click on a link to learn more, even though you did not order anything online. We are enticed to learn more! Unfortunately, there’s no package, just malicious intent on the other side of that link.

Trust: Attackers use a name or brand you trust to convince you into taking an action. For example, a message pretending to be from your bank, a well-known charity, a trusted government organization, or even a person you know. Just because an email or text message uses the name of an organization you know and their logo does not mean the message actually came from them.

Excitement: You get a text message from your bank or service provider thanking you for making your payments on time. The text message then provides a link where you can claim a reward–a new iPad, how exciting! The link takes you to a website that looks official, but asks for all of your personal information, or says that you need to provide credit card information to cover small shipping/handling costs. This is a cyber attacker who is simply stealing your money or your identity.

Empathy / Compassion: Cyber attackers take advantage of your good will. For example, after a disaster appears on the news, they will send out millions of fake emails pretending to be a charity serving the victims and asking you for money.

By better understanding these emotional triggers, you will be far better prepared to spot and stop cyber attackers, regardless of the lure, technology, or platform they use.

Used with permission by SANS Security Awareness

October 2022

© SANS Institute 2022 www.sans.org/security-awareness

Securing the Internet of Things 

The Internet of Things refers to any object or device that sends and receives data automatically through the Internet. This rapidly expanding set of “things” includes tags (also known as labels or chips that automatically track objects), sensors, and devices that interact with people and share information machine to machine.

Why Should We Care?

Cars, appliances, wearables, lighting, healthcare, and home security all contain sensing devices that can talk to other machines and trigger additional actions. Examples include devices that direct your car to an open spot in a parking lot; mechanisms that control energy use in your home; control systems that deliver water and power to your workplace; and other tools that track your eating, sleeping, and exercise habits.

This technology provides a level of convenience to our lives, but it requires that we share more information than ever. The security of this information, and the security of these devices, is not always guaranteed.

What Are the Risks?

Though many security and resilience risks are not new, the scale of interconnectedness created by the Internet of Things increases the consequences of known risks and creates new ones. Attackers take advantage of this scale to infect large segments of devices at a time, allowing them access to the data on those devices or to, as part of a botnet, attack other computers or devices for malicious intent. See Cybersecurity for Electronic Devices, Understanding Hidden Threats: Rootkits and Botnets, and Understanding Denial-of-Service Attacks for more information.

How Do I Improve the Security of Internet-Enabled Devices?

Without a doubt, the Internet of Things makes our lives easier and has many benefits; but we can only reap these benefits if our Internet-enabled devices are secure and trusted. The following are important steps you should consider to make your Internet of Things more secure.

Evaluate your security settings. Most devices offer a variety of features that you can tailor to meet your needs and requirements. Enabling certain features to increase convenience or functionality may leave you more vulnerable to being attacked. It is important to examine the settings, particularly security settings, and select options that meet your needs without putting you at increased risk. If you install a patch or a new version of software, or if you become aware of something that might affect your device, reevaluate your settings to make sure they are still appropriate. See Good Security Habits for more information.

Ensure you have up-to-date software. When manufacturers become aware of vulnerabilities in their products, they often issue patches to fix the problem. Patches are software updates that fix a particular issue or vulnerability within your device’s software. Make sure to apply relevant patches as soon as possible to protect your devices. See Understanding Patches for more information.

Connect carefully. Once your device is connected to the Internet, it’s also connected to millions of other computers, which could allow attackers access to your device. Consider whether continuous connectivity to the Internet is needed. See Securing Your Home Network for more information.

Use strong passwords. Passwords are a common form of authentication and are often the only barrier between you and your personal information. Some Internet-enabled devices are configured with default passwords to simplify setup. These default passwords are easily found online, so they don't provide any protection. Choose strong passwords to help secure your device. See Choosing and Protecting Passwords for more information.

Additional Information

The following organizations offer additional information about this topic:

Authors

Stop.Think.Connect. and National Cybersecurity and Communications Integration Center (NCCIC)

 

Avoiding Social Engineering and Phishing Attacks 

What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

  • Natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
  • Epidemics and health scares (e.g., H1N1, COVID-19)
  • Economic concerns (e.g., IRS scams)
  • Major political elections
  • Holidays

What is a vishing attack?

Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which can take advantage of the public’s misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, this trait is not beneficial when communicating directly with a malicious actor.

What is a smishing attack?

Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity. 

What are common indicators of phishing attempts?

  • Suspicious sender’s address. The sender's address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters. 
  • Generic greetings and signature. Both a generic greeting—such as “Dear Valued Customer” or “Sir/Ma’am”—and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
  • Spoofed hyperlinks and websites. If you hover your cursor over any links in the body of the email, and the links do not match the text that appears when hovering over them, the link may be spoofed. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.
  • Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel that produce, verify, and proofread customer correspondence.
  • Suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
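Two of the indicators above, a sender address that is a near miss of a real one and link text that names one host while the link goes somewhere else, are mechanical enough to check automatically, which is what a mail filter does before a person ever hovers over the link. The following is an added example for this page, not CISA code or part of any product: it scans a constructed sample message (the "PayBank" names and domains are invented for the demo), compares the host shown in each link's text with the host in its href, and measures how close the sender's domain is to a trusted domain using Levenshtein edit distance.

```go
package main

import (
	"fmt"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one indicator spotted in a message.
type Finding struct{ Kind, Detail string }
var anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>`)

// hostOf returns the lower-cased hostname of an absolute URL, or "" if none.
func hostOf(raw string) string {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

// hostFromText returns the host named by link text that looks like a URL or a bare domain; "click here" yields "".
func hostFromText(text string) string {
	text = strings.TrimSpace(text)
	if !strings.Contains(text, "://") {
		text = "http://" + text
	}
	if strings.ContainsAny(text, " \t\n@") || !strings.Contains(text, ".") || strings.HasSuffix(text, ".") {
		return ""
	}
	return hostOf(text)
}

// CheckLinks reports anchors whose visible text names one host while the href points at another.
func CheckLinks(htmlBody string) []Finding {
	var out []Finding
	for _, m := range anchorRe.FindAllStringSubmatch(htmlBody, -1) {
		real, shown := hostOf(m[1]), hostFromText(m[2])
		if real != "" && shown != "" && shown != real {
			out = append(out, Finding{"link-mismatch", "text shows " + shown + " but href goes to " + real})
		}
	}
	return out
}

// editDistance is the Levenshtein distance: single-character inserts, deletes and substitutions turning a into b.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cur[j] = prev[j-1] // substitution (free when the runes match)
			if ra[i-1] != rb[j-1] {
				cur[j]++
			}
			if prev[j]+1 < cur[j] { // deletion
				cur[j] = prev[j] + 1
			}
			if cur[j-1]+1 < cur[j] { // insertion
				cur[j] = cur[j-1] + 1
			}
		}
		prev = cur
	}
	return prev[len(rb)]
}

// CheckSender flags a From domain that is a near miss (one or two edits) of a trusted domain.
func CheckSender(from string, trusted []string) []Finding {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return []Finding{{"sender-unparseable", from}}
	}
	domain := strings.ToLower(addr.Address[strings.LastIndex(addr.Address, "@")+1:])
	var out []Finding
	for _, t := range trusted {
		if d := editDistance(domain, strings.ToLower(t)); d > 0 && d <= 2 {
			out = append(out, Finding{"lookalike-sender", domain + " resembles " + t})
		}
	}
	return out
}

// Constructed sample message for the demo (not a real email).
const (
	SampleFrom = `"PayBank Support" <support@paybnak.example>`
	SampleBody = `<p>Dear Valued Customer,</p><p>Verify your account at <a href="https://paybank-example.test/verify">https://paybank.example/verify</a> or visit our <a href="https://paybank.example/help">help center</a>.</p>`
)

func main() {
	for _, f := range append(CheckSender(SampleFrom, []string{"paybank.example"}), CheckLinks(SampleBody)...) {
		fmt.Printf("%-17s %s\n", f.Kind, f.Detail)
	}
}
```

Run against the sample, the scanner reports the sender domain `paybnak.example` as two edits away from `paybank.example` and the first link as showing `paybank.example` while going to `paybank-example.test`; the "help center" link, whose text names no host, is left alone. The edit-distance threshold of two is a demo setting: in production it is tuned per trusted domain, because very short domains produce near misses by chance.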

How do you avoid being a victim?

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don't send sensitive information over the internet before checking a website's security. (See Protecting Your Privacy for more information.)
    • Pay attention to the Uniform Resource Locator (URL) of a website. Look for URLs that begin with "https"—an indication that sites are secure—rather than "http".
    • Look for a closed padlock icon—a sign your information will be encrypted.
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group. (See the APWG eCrime Research Papers).
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. (See Understanding Firewalls for Home and Small Office Use, Protecting Against Malicious Code, and Reducing Spam for more information.)
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Enforce multi-factor authentication (MFA). (See Supplementing Passwords for more information.)

What do you do if you think you are a victim?

  • If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
  • Watch for other signs of identity theft. (See Preventing and Responding to Identity Theft for more information.)
  • Consider reporting the attack to the police, and file a report with the Federal Trade Commission.

Authors

Cybersecurity and Infrastructure Security Agency (CISA)

 

How can I minimize the access others have to my information? 

It may be easy to identify people who could gain physical access to your devices—family members, roommates, coworkers, people nearby, and others. Identifying the people who have the capability to gain remote access to your devices is not as simple—as long as your device is connected to the internet, you are at risk for someone accessing your information. However, you can significantly reduce your risk by developing habits that make it more difficult.

  • Improve password security. Passwords are one of the most vulnerable cyber defenses. Improve your password security by doing the following:
    • Create a strong password. Use a strong password that is unique for each device or account. Longer passwords are more secure. An option to help you create a long password is using a passphrase—four or more random words grouped together and used as a password. To create strong passwords, the National Institute of Standards and Technology (NIST) suggests using simple, long, and memorable passwords or passphrases. (See Choosing and Protecting Passwords.)
    • Consider using a password manager. Password manager applications manage different accounts and passwords while having added benefits, including identifying weak or repeated passwords. There are many different options, so start by looking for an application that has a large install base (e.g., 1 million plus) and an overall positive review. Properly using one of these password managers may help improve your overall password security.
    • Use multi-factor authentication, if available. Multi-factor authentication (MFA) is a more secure method of authorizing access. It requires two out of the following three types of credentials: something you know (e.g., a password or personal identification number [PIN]), something you have (e.g., a token or ID card), and something you are (e.g., a biometric fingerprint). Because one of the required credentials requires physical presence, this step makes it more difficult for a threat actor to compromise your device. (See Supplementing Passwords.)
    • Use security questions properly. For accounts that ask you to set up one or more password reset questions, use private information about yourself that only you would know. Answers that can be found on your social media or facts everyone knows about you can make it easier for someone to guess your password.
    • Create unique accounts for each user per device. Set up individual accounts that allow only the access and permissions needed by each user. When you need to grant daily use accounts administrative permissions, do so only temporarily. This precaution reduces the impact of poor choices, such as clicking on phishing emails or visiting malicious websites.
  • Choose secure networks. Use internet connections you trust, such as your home service or Long-Term Evolution connection through your wireless carrier. Public networks are not very secure, which makes it easy for others to intercept your data. If you choose to connect to open networks, consider using antivirus and firewall software on your device or using a Virtual Private Network service, which allows you to connect to the internet securely by keeping your exchanges private. When setting up your home wireless network, use Wi-Fi Protected Access 3 (WPA3) encryption. All other wireless encryption methods are outdated and more vulnerable to exploitation. (See Securing Wireless Networks.)
  • Keep all of your personal electronic device software current. Manufacturers issue updates as they discover vulnerabilities in their products. Automatic updates make this easier for many devices—including computers, phones, tablets, and other smart devices—but you may need to manually update other devices. Only apply updates from manufacturer websites and built-in application stores—third-party sites and applications are unreliable and can result in an infected device. When shopping for new connected devices, consider the brand’s consistency in providing regular support updates.
  • Be suspicious of unexpected emails. Phishing emails are currently one of the most prevalent risks to the average user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device. Be suspicious of all unexpected emails. (See Avoiding Social Engineering and Phishing Attacks.)
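The passphrase advice above ("four or more random words") works because the words are chosen at random, not because they are words. The example below is added for this page and is not CISA's code: it draws words with the operating system's cryptographic random source, avoiding the modulo bias a naive `byte % len(list)` would introduce, and puts numbers on the comparison between a random passphrase and a random character password. The eight-word list is a constructed stand-in; a real generator uses a published list of several thousand words, and the 7776-word figure used for comparison is the size of the common diceware lists.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// WordList is a constructed, deliberately tiny list for the demo; a real
// generator would use a published list of several thousand words.
var WordList = []string{"harbor", "quartz", "meadow", "lantern", "saddle", "pebble", "velvet", "canyon"}

// Passphrase picks n words uniformly at random with crypto/rand. rand.Int
// avoids the modulo bias that "randomByte % len(list)" would introduce, and
// the words are joined with a separator so word boundaries stay visible.
func Passphrase(list []string, n int) (string, error) {
	if len(list) < 2 || n < 1 {
		return "", fmt.Errorf("need a word list with at least two entries and n >= 1")
	}
	words := make([]string, n)
	limit := big.NewInt(int64(len(list)))
	for i := range words {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		words[i] = list[idx.Int64()]
	}
	return strings.Join(words, "-"), nil
}

// EntropyBits is the guessing entropy of a secret made of n independent,
// uniformly random choices out of alphabetSize options: n * log2(alphabetSize).
// It only applies to secrets chosen at random, not to words a person picks.
func EntropyBits(alphabetSize, n int) float64 {
	return float64(n) * math.Log2(float64(alphabetSize))
}

func main() {
	p, err := Passphrase(WordList, 4)
	if err != nil {
		panic(err)
	}
	fmt.Println("sample passphrase:", p)
	fmt.Printf("4 words from this 8-word demo list:  %5.1f bits\n", EntropyBits(len(WordList), 4))
	fmt.Printf("8 random printable ASCII characters: %5.1f bits\n", EntropyBits(94, 8))
	fmt.Printf("4 words from a 7776-word list:       %5.1f bits\n", EntropyBits(7776, 4))
	fmt.Printf("6 words from a 7776-word list:       %5.1f bits\n", EntropyBits(7776, 6))
}
```

Four random words from a 7776-word list (about 51.7 bits) are roughly as hard to guess as eight random printable characters (about 52.4 bits) and far easier to remember; six words reach about 77.5 bits. The demo's own eight-word list gives only 12 bits for four words, which is why list size matters as much as word count.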

 

Used with permission of CISA

 

 

Proper Disposal of Electronic Devices 


Why is it important to dispose of electronic devices safely?

In addition to effectively securing sensitive information on electronic devices, it is important to follow best practices for electronic device disposal. Computers, smartphones, and cameras allow you to keep a great deal of information at your fingertips, but when you dispose of, donate, or recycle a device you may inadvertently disclose sensitive information, which could be exploited by cyber criminals.

Types of electronic devices include:

  • Computers, smartphones, and tablets — electronic devices that can automatically store and process data; most contain a central processing unit and memory, and use an operating system that runs programs and applications;
  • Digital media — these electronic devices create, store, and play digital content. Digital media devices include items like digital cameras and media players;
  • External hardware and peripheral devices — hardware devices that provide input and output for computers, such as printers, monitors, and external hard drives; these devices contain permanently stored digital characters; and
  • Gaming consoles — electronic, digital, or computer devices that output a video signal or visual image to display a video game.

What are some effective methods for removing data from your device?

There are a variety of methods for permanently erasing data from your devices (also called sanitizing). Because methods of sanitization vary according to device, it is important to use the method that applies to that particular device.

Before sanitizing a device, consider backing up your data. Saving your data to another device or a second location (e.g., an external hard drive or the cloud) can help you recover your data if you accidently erase information you had not intended to or if your device is stolen (this can also help you identify exactly what information a thief may have been able to access). Options for digital storage include cloud data services, CDs, DVDs, and removable flash drives or removable hard drives (see Using Caution with USB Drives for more information).

Methods for sanitization include:

  • Deleting data. Removing data from your device can be one method of sanitization. When you delete files from a device—although the files may appear to have been removed—data remains on the media even after a delete or format command is executed. Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting “delete” from the menu. Even if you empty the trash, the deleted files are still on the device and can be retrieved. Permanent data deletion requires several steps.
    • Computers. Use a disk cleaning software designed to permanently remove the data stored on a computer hard drive to prevent the possibility of recovery.
      • Secure erase. This is a set of commands in the firmware of most computer hard drives. If you select a program that runs the secure erase command set, it will erase the data by overwriting all areas of the hard drive.
      • Disk wiping. This is a utility that erases sensitive information on hard drives and securely wipes flash drives and secure digital cards.
    • Smartphones and tablets. Ensure that all data is removed from your device by performing a “hard reset.” This will return the device to its original factory settings. Each device has a different hard reset procedure, but most smartphones and tablets can be reset through their settings. In addition, physically remove the memory card and the subscriber identity module card, if your device has one.
    • Digital cameras, media players, and gaming consoles. Perform a standard factory reset (i.e., a hard reset) and physically remove the hard drive or memory card.
    • Office equipment (e.g., copiers, printers, fax machines, multifunction devices). Remove any memory cards from the equipment. Perform a full manufacturer reset to restore the equipment to its factory default.
  • Overwriting. Another method of sanitization is to delete sensitive information and write new binary data over it. Using random data instead of easily identifiable patterns makes it harder for attackers to discover the original information underneath. Since data stored on a computer is written in binary code—strings of 0s and 1s—one method of overwriting is to zero-fill a hard disk and select programs that use all zeros in the last layer. Users should overwrite the entire hard disk and add multiple layers of new data (three to seven passes of new binary data) to prevent attackers from obtaining the original data.
    • Cipher.exe is a built-in command-line tool in Microsoft Windows operating systems that can be used to encrypt or decrypt data on New Technology File System drives. This tool also securely deletes data by overwriting it.
    • Clearing is a level of media sanitization that does not allow information to be retrieved by data, disk, or file recovery utilities. The National Institute of Standards and Technology (NIST) notes that devices must be resistant to keystroke recovery attempts from standard input devices (e.g., a keyboard or mouse) and from data scavenging tools.
  • Destroying. Physical destruction of a device is the ultimate way to prevent others from retrieving your information. Specialized services are available that will disintegrate, burn, melt, or pulverize your computer drive and other devices. These sanitization methods are designed to completely destroy the media and are typically carried out at an outsourced metal destruction or licensed incineration facility. If you choose not to use a service, you can destroy your hard drive by driving nails or drilling holes into the device yourself. The remaining physical pieces of the drive must be small enough (at least 1/125 inches) that your information cannot be reconstructed from them. There are also hardware devices available that erase CDs and DVDs by destroying their surface.
    • Magnetic media degaussers. Degaussers expose devices to strong magnetic fields that remove the data that is magnetically stored on traditional magnetic media.
    • Solid-state destruction. The destruction of all data storage chip memory by crushing, shredding, or disintegration is called solid-state destruction. Solid-state drives should be destroyed with devices that are specifically engineered for this purpose.
    • CD and DVD destruction. Many office and home paper shredders can shred CDs and DVDs (be sure to check that the shredder you are using can shred CDs and DVDs before attempting this method).
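The difference between deleting and overwriting, shown as an added Python example (this is not CISA or NIST code): it overwrites a file in place with random passes and a final all-zero pass, flushes each pass to disk, verifies the zero pass, and only then unlinks the file. The temporary file, the marker string, and the pass count are constructed for the demo.

```python
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files do not load into memory


def overwrite_file(path, passes=3):
    """Overwrite a file's current contents in place, then unlink it.

    Passes 1..n-1 write cryptographically random bytes; the final pass writes
    all zeros, the "zeros in the last layer" approach described above. Each
    pass is flushed and fsync'd so the next pass cannot be merged with it in
    the page cache. Returns a summary dict.

    Caveat (added here, not a claim from the page): this only touches the
    blocks the file occupies right now. Wear-levelling SSDs, copy-on-write or
    journaling file systems, snapshots and cloud-synced folders may keep older
    copies, so whole-media sanitization (NIST SP 800-88) is still the method
    to use before a device leaves your hands.
    """
    if passes < 1:
        raise ValueError("passes must be at least 1")
    p = Path(path)
    size = p.stat().st_size
    with open(p, "r+b") as fh:
        for pass_no in range(passes):
            final = pass_no == passes - 1
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(b"\x00" * n if final else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
        # Read the file back and confirm the zero pass actually landed.
        fh.seek(0)
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            if fh.read(n) != b"\x00" * n:
                raise RuntimeError("final zero pass did not verify")
            remaining -= n
    p.unlink()
    return {"path": str(p), "bytes": size, "passes": passes}


def demo(marker=b"CONSTRUCTED-SECRET-MARKER"):
    """Constructed demo: write a file full of a marker string, overwrite it,
    and report what happened. The marker and the temp file are made up here."""
    fd, tmp = tempfile.mkstemp(prefix="overwrite-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 100)
    before = Path(tmp).read_bytes()
    stats = overwrite_file(tmp, passes=3)
    return {
        "marker_present_before": marker in before,
        "exists_after": Path(tmp).exists(),
        **stats,
    }


if __name__ == "__main__":
    print(demo())
```

A plain `unlink` would have left the marker bytes on the media with only the directory entry gone, which is exactly the situation the "Deleting data" bullet warns about; the overwrite pass is what changes the bytes themselves. Even so, treat file-level overwriting as a convenience for a drive you keep using, not as a substitute for sanitizing the whole drive before disposal.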

For more information, see the NIST Special Publication 800-88 Guidelines for Media Sanitization.

How can you safely dispose of out-of-date electronic devices?

Electronic waste (sometimes called e-waste) is a term used to describe electronics that are nearing the end of their useful life and are discarded, donated, or recycled. Although donating and recycling electronic devices conserves natural resources, you may still choose to dispose of e-waste by contacting your local landfill and requesting a designated e-waste drop-off location. Be aware that although there are many options for disposal, it is your responsibility to ensure that the location chosen is reputable and certified. Visit the Environmental Protection Agency’s (EPA) Electronics Donation and Recycling webpage for additional information on donating and recycling electronics. For information on recycling regulations and facilities in your state, visit the EPA Regulations, Initiatives, and Research on Electronics Stewardship webpage.

 

Used with permission of CISA

Got Backups? 

Overview

If you use a computer or mobile device long enough, sooner or later something will go wrong. You may accidentally delete the wrong files, have a hardware failure, or lose a device. Even worse, malware may infect and wipe or encrypt your files. At times like these, backups are often the only way you can rebuild your digital life.

 

Backups are copies of your information stored somewhere other than on your computer or mobile device. When you lose, or cannot access, valuable data on your device, you can recover your data from backups. Many of the files we create today are already automatically stored and backed up in the cloud, such as Microsoft Word documents stored in Microsoft OneDrive, Dropbox, or Google Drive, or personal photos stored in Apple iCloud. But there may be files you create that are not automatically stored in the cloud; or perhaps you want additional backups for personal use.

 

What, When, and How

The first step is deciding what you want to back up: (1) specific data that is important to you; or (2) everything, perhaps including your entire operating system. Many backup solutions are configured by default to use the first approach and only back up the most commonly used folders. If you are not sure what to back up or want to be extra careful, consider backing up everything.

 

Second, decide how frequently to back up the data. Built-in backup programs such as Apple’s Time Machine or Windows Backup and Restore allow you to create an automatic “set it and forget it” schedule. Common scheduling options include hourly, daily, and weekly. Other solutions may offer “continuous protection” in which files are immediately backed up as they are edited or saved. At a minimum, we recommend automated daily backups of critical files.

 

Finally, decide how you are going to back up. There are two ways: local or cloud-based backups. Local backups rely upon devices you physically control such as external USB drives or network accessible devices. The advantage of local backups is that they enable you to back up and recover large amounts of data quickly. The disadvantage is that if you become infected with malware, it is possible for the infection to spread to your backups. Also, if you have a disaster, such as fire or theft, you could lose your backups as well as your computer. If you use external devices for backups, store a copy offsite in a secure location and make sure your backups are properly labeled. For additional security, consider encrypting your backups.

 

Cloud-based solutions are online services that back up and store your files on the internet. Typically, you install an application on your computer. The application then automatically backs up your files either on a defined schedule or as you modify or save them. Some advantages of cloud solutions are their simplicity, automation of backups, and access to files from almost anywhere. Also, since your data resides in the cloud, home disasters such as fire or theft will not affect your backup. The main disadvantage is the bandwidth it consumes. Your ability to back up and restore depends on how much data you are backing up and the speed of your network. Not sure if you want to use local or cloud-based backups? Be extra safe and use both.

 

With mobile devices, most of your data such as emails, text messages, or photos you take are automatically stored in the cloud. However, your mobile app configurations, system preferences, and other files may not be stored in the cloud. By automatically backing up your mobile device, not only do you preserve this information, but it is easier to transfer your data when you upgrade to a new device.

 

Additional Key Points

  • Regularly test that your backups are working by retrieving and opening a file.
  • If you rebuild a system from backup including the operating system, be sure you reapply the latest security patches and updates before using it again.
  • If you are using a cloud solution, select one that is easy for you to use and research the security options. For example, does your cloud backup vendor support two-step verification to secure your online account? Backups are a simple and low-cost way to protect your digital life.
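The "what, when, and how" steps and the advice to regularly test your backups, as an added Python example (not SANS material): a minimal local backup that copies new or changed files into a destination folder, records a SHA-256 manifest, and offers a verify step that re-hashes every copy. The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = ".backup-manifest.json"  # name is an assumption of this example


def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source, dest):
    """Copy new or changed files from source into dest and record their hashes.

    Files are identified by relative path; a file is copied when it is not in
    the manifest, its hash changed, or its copy is missing. Files deleted from
    source are kept in dest, so an accidental delete can still be recovered.
    Returns the number of files copied this run.
    """
    src, dst = Path(source), Path(dest)
    dst.mkdir(parents=True, exist_ok=True)
    mpath = dst / MANIFEST
    manifest = json.loads(mpath.read_text()) if mpath.exists() else {}
    copied = 0
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        digest = sha256_of(f)
        target = dst / rel
        if manifest.get(rel) == digest and target.exists():
            continue  # unchanged since the last run
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)  # copy2 keeps timestamps
        manifest[rel] = digest
        copied += 1
    mpath.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return copied


def verify(dest):
    """Re-hash every backed-up file against the manifest.

    Returns the relative paths that are missing or no longer match, i.e. the
    files you could not restore from this backup. An empty list means the
    "retrieve and open a file" test above would succeed for every file.
    """
    dst = Path(dest)
    manifest = json.loads((dst / MANIFEST).read_text())
    return [
        rel for rel, digest in manifest.items()
        if not (dst / rel).exists() or sha256_of(dst / rel) != digest
    ]


def demo():
    """Constructed scenario: two files, an edit, and a corrupted copy."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src, dst = root / "documents", root / "backup"
    (src / "sub").mkdir(parents=True)
    (src / "a.txt").write_text("first draft")
    (src / "sub" / "b.txt").write_text("family photos index")
    result = {"first_run": backup(src, dst), "second_run": backup(src, dst)}
    result["verify_clean"] = verify(dst)
    (src / "a.txt").write_text("second draft")        # the user edits a file
    result["after_edit"] = backup(src, dst)
    (dst / "sub" / "b.txt").write_text("corrupted")   # bit rot or malware hits the copy
    result["verify_corrupt"] = verify(dst)
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Scheduling `backup()` daily covers the "when"; running `verify()` on the same schedule is the automated form of the "retrieve and open a file" test, and catches a damaged copy before the day you actually need it. Because the destination is a folder this script can write to, malware on the same machine can reach it too, which is the reason the text recommends an offsite or cloud copy in addition to a local one.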

 

Used with permission by SANS Security Awareness      

Charity and Disaster Scams 

Cyber criminals know that one of the best ways to rush people into making a mistake is by creating a heightened sense of urgency. And one of the easiest ways to create a sense of urgency is to take advantage of a crisis. This is why cyber criminals love it whenever there is a traumatic event with global impact. What most of us regard as a tragedy, cyber criminals view as an opportunity, such as the outbreak of a war, a major natural disaster such as a volcanic eruption, and of course infectious disease outbreaks like COVID-19. When there is an immense amount of social media and news coverage about a certain event, cyber criminals know that is the time to strike.

They use this opportunity to create timely phishing emails or scams about the event, and then send that phishing email or launch the scam to millions of people around the world. For example, during a natural disaster, they may pretend to be a charity asking for donations to save children in need. Cyber criminals can often act within hours of a crisis or disaster, as they have all the technical infrastructure prepared and are ready ahead of time. How can we protect ourselves the next time there is a big crisis or disaster, and cyber criminals seek to exploit it?

 

How to Detect and Defend Against These Scams

The key to avoiding these scams is to be suspicious of anyone who reaches out to you. For example, do not trust an urgent email claiming to be from a charity that desperately needs donations, even if the email appears to be from a brand that you know and trust. Do not trust a phone call claiming to be a local food bank pressuring you to donate. The greater the sense of urgency, the more likely the request is an attack. Here are some of the most common indicators of a charity scam:

  • Be very suspicious of any charity that requires that you donate via cryptocurrency, Western Union, wiring money, or gift cards.
  • Cyber criminals can change their caller ID phone number to make their phone call look like it’s from your local area code or from a trusted name. Caller ID cannot be relied upon these days.
  • Some cyber criminals will use names and logos that sound or look like a real charity. This is one reason it pays to do some research before giving.
  • Cyber criminals will often make lots of vague and sentimental claims about what they will do with your money but give no specifics about how your donation will be used.
  • Do not assume pleas for help on crowdfunding sites such as GoFundMe or social media sites such as TikTok are legitimate, especially in the wake of a crisis or tragedy.
  • Some cyber criminals may try to trick you into donating to them by thanking you for a donation you made in the past when in reality you never donated to them.
  • Do not give out personal or financial information in response to any unsolicited request.

 

How to Make a Difference Safely

To donate in times of need or to help those impacted by a disaster, donate only to well-known, trusted organizations. You initiate the connections and decide who to reach out to, such as what websites to visit or what organizations to call. When you consider giving to a charity, search its name plus words like “complaint,” “review,” “rating,” or “scam.” Not sure which charities to trust? Start by researching on government websites you trust, or perhaps links provided by a well-known and highly trusted news organization. Donating in times of need is a fantastic way to make a difference, just be sure you are giving to legitimate organizations.

 

Used with permission by SANS Security Awareness    

Yes, You Are a Target 

Many people mistakenly believe they are not a target for cyber attackers: that they, their systems, or accounts do not have any value. This could not be further from the truth. If you use technology in any way, at work or at home, trust us: you have value to the bad guys. But you are in luck. You already have the best defense there is against these cyber attacks: you.

Why You Are a Target

There are lots of different cyber attackers on the Internet today, and they all have different motivations. So why would any of them want to attack you? Because by hacking you they help achieve their goal. Here are two common examples of cyber attackers and why they would target you.

Cyber Criminals: These guys are out to make as much money as possible. What makes the Internet so valuable to them is they can now easily target everyone in the world with just the push of a button. And there are A LOT of ways they can make money from you. Examples include stealing money from your bank or retirement accounts, creating a credit card in your name and sending you the bill, using your computer to hack other people, or hacking your social media or gaming accounts and selling them to other criminals. The list of ways bad guys can make money off you is almost endless. There are hundreds of thousands of these bad guys who wake up each morning with the goal of hacking as many people as possible every single day, including you.

Targeted Attackers: These are highly trained cyber attackers, often working for governments, criminal syndicates, or competitors targeting you at work. You may feel your job would not attract much attention, but you would be very surprised.

The information you handle at work has tremendous value to different companies or governments.

Targeted attackers may target you at work not because they want to hack you, but to use you to hack one of your co-workers or other systems.  These types of attackers may target you at work because of what other companies you work or partner with.

I Have Anti-Virus, I’m Safe

Okay, so I’m a target, not a problem. I’ll just install anti-virus and a firewall on my computer and I’m protected, right? Well unfortunately, no. Many people feel if they install some security tools then they are secure. Unfortunately, that is not entirely true. Cyber attackers continue to get better and better, and many of their attack methods now easily bypass security technologies. For example, they often create special malware that your antivirus cannot detect. They bypass your email filters with a customized phishing attack or call you on the phone and trick or scam you out of your credit card, money, or password. Technology plays an important role in protecting you, but ultimately you are the best defense.

Fortunately, being secure is not that hard; ultimately common sense and some basic behaviors are your best defense. If you get an email, message, or phone call that is extremely urgent, odd, or suspicious, it may be an attack. To ensure your computers and devices are secure, keep them current and enable automatic updating. Finally, use a strong, unique passphrase for each of your accounts. Staying cyber-aware is ultimately your best defense.

Digital Inheritance 

Overview

Have you ever thought about the uncomfortable question, what happens to our digital presence when we die or become incapacitated? Many of us have or know we should have a will and checklists of what loved ones need to know in the event of our passing. But what about all of our digital data and online accounts? Should we consider some type of digital will? Should we create a “digital inheritance” plan?

 

Think about your digital presence. Bank and retirement accounts, home mortgages, family photos and videos, smart home accounts, email, and social media are just some of the many examples that make up our digital footprint. In the event of your death or the death of a close family member, family and loved ones may need prompt access to those accounts or data. In addition, legacy data and online accounts left behind could become vulnerable over time to hackers, thus placing family and friends at risk.

 

Creating a Plan

It is a good idea to discuss your desires with your trusted family or friends, like other end-of-life details. In addition to having these conversations, take inventory and document your digital assets and online accounts. If you do not provide access to your accounts after you die, it can be very difficult for family members to access or close them. For example, would you want your family members to be locked out of all those years of family photos and videos you have stored online?

 

One idea is to document your online presences in a password manager. This is a program that securely stores all your logins and passwords, credit cards, and other sensitive information. It’s designed to make creating, storing, and accessing passwords and security questions vastly simpler. In many ways, this is a powerful tool to catalog your digital presence. With many password managers you can even configure them to share all or certain passwords with other trusted family members. If you are uncomfortable with that, document access to your password manager and seal that in an envelope; then have that sealed envelope opened after your passing by an executor or trusted family member. This way, they will have access to your password manager and be able to access your accounts and information stored in there.

 

In addition, some sites provide the option to identify legacy or trusted contacts. Facebook, for example, allows participants to determine in advance if they would like their account deleted or memorialized after passing. Memorializing creates a space that’s only visible to existing friends, where memories can be shared. Finally, you may want to consider dealing with a lawyer or estate planner who specializes in digital inheritance.

Inheriting Digital Assets

You may find yourself in the situation where you have to recover or access the online accounts of a recently deceased friend or family member. We recommend you first coordinate with a lawyer and other family members before taking action. Other family members could quickly become upset if they see you taking action without consulting them first. Then start with identifying any passwords you can find. Did the family member write them down or store them anywhere? If that is not an option, can you access any computers or mobile devices they used and are still logged into? If not, you most likely will have to reach out to each site for access to the deceased member’s account. This often includes having to provide both a death certificate and proof you are directly related to the family member. In some cases, you will not be able to access the account or data stored in the account but only delete it. Every site handles these situations differently, which can be a time-consuming process.

In today’s digital world, we should not only consider physical assets but also digital assets in our future estate planning.

Securing WiFi at Home 

 

Overview

To create a secure home network, you need to start by securing your Wi-Fi access point (sometimes called a Wi-Fi router). This is the device that controls who and what can connect to your home network. Here are five simple steps to securing your home Wi-Fi to create a far more secure home network for you and your family.

 

Focus on The Basics

Often the easiest way to connect to and configure your Wi-Fi device is while connected to your home network. Point your web browser to the specific IP address documented in your device’s manual (an example of this would be https://192.168.1.1) or use a utility or mobile app provided by your Wi-Fi device vendor.

 

1. Change the Admin Password: Your Wi-Fi access point was most likely shipped with a default password for the administrator account that allows you to change the device configuration. Often these default passwords are publicly known, perhaps even posted on the Internet. Be sure to change the admin password to a unique, strong password, so only you have access to it. If your device allows it, change the admin username as well.

 

2. Create a Network Password: Configure your Wi-Fi network, so it has a unique, strong password as well (make sure it is different from your device admin password). This way only people and devices you trust can join your home network. Consider using a password manager to select a strong password and to keep track of all of your passwords for you.

 

3. Firmware Updates: Turn on automatic updating of your Wi-Fi access point’s operating system, often called firmware. This way you ensure your device is as secure as possible with the latest security options. If automatic updating is not an option on your Wi-Fi access point, periodically log into and check your device to see if any updates are available. If your device is no longer supported by the vendor, consider buying a new one that you can update to obtain the latest security features.

 

4. Use a Guest Network: A guest network is a virtual separate network that your Wi-Fi access point can create. This means that your Wi-Fi access point actually has two networks. The primary network is the one that your trusted devices connect to, such as your computer, smartphone, or tablet devices. The guest network is what untrusted devices connect to, such as guests visiting your house or perhaps some of your personal smart home devices. When something connects to your guest network, it cannot see or communicate with any of your trusted personal devices connected to your primary network.

 

5. Use Secure DNS Filtering: DNS is an internet-wide service that converts the names of websites into numeric addresses. It is what helps ensure your computer can connect to a website when you type in the website’s name. Wi-Fi access points typically use the default DNS server supplied by your internet service provider, but more secure alternatives are available for free from services such as OpenDNS, Cloudflare for Families, or Quad9 that can provide extra security by blocking malicious or other undesirable websites. Log into your Wi-Fi access point and change the DNS server address to a more secure alternative.

Securing your home Wi-Fi access point is the first, and one of the most important, steps in creating a secure home network. For more information about securing your Wi-Fi access point, refer to the device’s manual, or if your internet service provider provided your Wi-Fi device, contact them for more information on security features.

Used with permission by SANS Security Awareness  

 

Spot and Stop Message Attacks 

What are messaging attacks?

Smishing (a portmanteau combining SMS and phishing) is an attack in which cyber attackers use SMS, texting, or similar messaging technologies to trick you into taking an action you should not take.

Perhaps they fool you into providing your credit card details, get you to call a phone number to get your banking information, or convince you to fill out an online survey to harvest your personal information.

Just like in email phishing attacks, cyber criminals often play on your emotions to get you to act by creating a sense of urgency or curiosity, for example. However, what makes messaging attacks so dangerous is there is far less information and fewer clues in a text than there is in an email, making it much harder for you to detect that something is wrong.

A common scam is a message telling you that you won an iPhone, and you only need to click on a link and fill out a survey to claim it. In reality, there is no phone, and the survey is designed to harvest your personal information. Another example would be a message stating that a package could not be delivered with a link to a website where you are asked to provide information needed to complete delivery, including your credit card details to cover “service charges.” In some cases, these sites may even ask you to install an unauthorized mobile app that infects and takes over your device.

Sometimes cyber criminals will even combine phone and messaging attacks. For example, you may get an urgent text message from your bank asking if you authorized an odd payment. The message asks you to reply YES or NO to confirm the payment. If you respond, the cybercriminal now knows you are willing to engage and will call you pretending to be the bank’s fraud department. They will then try to talk you out of your financial and credit card information, or even your bank account’s login and password.


Spotting and Stopping Messaging Attacks

Here are some questions to ask yourself to spot the most common clues of a messaging attack:

  • Does the message create a tremendous sense of urgency attempting to rush or pressure you into taking an action?
  • Is the message taking you to websites that ask for your personal information, credit card, passwords, or other sensitive information they should not have access to?
  • Does the message sound too good to be true? No, you did not really win a new iPhone for free.
  • Does the linked website or service force you to pay using non-standard methods such as Bitcoin, gift cards or Western Union transfers?
  • Does the message ask you for the multi-factor authentication code that was sent to your phone or generated by your banking app?
  • Does the message look like the equivalent of a “wrong number?” If so, do not respond to it or attempt to contact the sender; just delete it.
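The checklist above turned into detection logic, as an added Python example (not SANS material) run over constructed sample messages. Each indicator corresponds to one question in the list; the regular expressions and the sample texts are assumptions made for illustration, and the `.example` domains are reserved names, not real sites.

```python
import re

# One indicator per checklist question. The patterns are deliberately simple
# illustrations (an assumption of this example), not a production filter:
# real filters also weigh sender reputation, URL analysis and user reports.
INDICATORS = [
    ("urgency", re.compile(
        r"\b(urgent|immediately|act now|final notice|suspended|within \d+ (?:hours|minutes))\b", re.I)),
    ("sensitive_request", re.compile(
        r"\b(password|passcode|social security|ssn|credit card|card number|account number|login)\b", re.I)),
    ("too_good", re.compile(r"\b(won|winner|prize|free iphone|claim your)\b", re.I)),
    ("nonstandard_payment", re.compile(
        r"\b(bitcoin|crypto(?:currency)?|gift cards?|western union|wire transfer)\b", re.I)),
    # the message asks *you* to hand over a one-time code
    ("mfa_code", re.compile(r"\b(?:send|reply with|share|provide|enter|read back)\b.{0,40}\bcode\b", re.I)),
    ("wrong_number", re.compile(r"wrong number|\bis this [A-Za-z]+\?", re.I)),
    ("link", re.compile(r"https?://\S+|\bwww\.\S+", re.I)),
]


def assess(message):
    """Return the names of the checklist indicators a message triggers, in checklist order."""
    return [name for name, pattern in INDICATORS if pattern.search(message)]


def advice(message):
    """Turn the indicators into the action the text recommends."""
    hits = assess(message)
    if not hits:
        return "no checklist indicators; still verify anything unexpected through a channel you trust"
    return ("treat as a likely messaging attack (" + ", ".join(hits) +
            "); do not reply, tap links or call numbers in it; "
            "contact the organization via a number you already trust")


# Constructed sample messages (not real texts).
SAMPLES = {
    "bank_suspended": "URGENT: Your bank account has been suspended. Verify your card number "
                      "at http://secure-login.example/verify within 24 hours.",
    "prize": "Congratulations! You won a free iPhone. Claim your prize: http://prize-claim.example/survey",
    "parcel": "Your package could not be delivered. Pay the $1.99 redelivery fee with a gift card "
              "at http://parcel-fee.example/pay",
    "fraud_dept": "This is your bank's fraud team. Reply with the 6-digit verification code "
                  "we just sent to confirm it's you.",
    "wrong_number": "Hey, is this Sarah? It's Mike from the gym, long time no see!",
    "benign": "Your dentist appointment is tomorrow at 3pm. Reply C to confirm.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {assess(text)}")
```

The value of writing the checklist down this way is that it makes the decision rule explicit: one indicator is enough to stop and verify, and the benign appointment reminder shows that a message asking for a reply is not by itself suspicious. Keyword matching is easy to evade, which is why the text's real defense is the behavior in the next paragraph: contact the organization through a number you already trust rather than one in the message.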

If you get a message from an official organization that alarms you, call the organization back directly. Don’t use the phone number included in the message; use a trusted phone number instead. For example, if you get a text message from your bank saying there is a problem with your account or credit card, get a trusted phone number from your bank’s website, a billing statement, or the back of your bank or credit card.

Also remember that most government agencies, such as tax or law enforcement agencies, will never contact you via text message; they will only contact you by old-fashioned mail.

When it comes to messaging attacks, you are your own best defense.

 

Used with permission of SANS Institute 2021 www.sans.org/security-awareness

 

 

Preventing and Responding to Identity Theft 

 

Please be aware that now is the time to remain vigilant in protecting your personal information from theft with regards to personal tax preparation and reporting.  Please review the information below as well as the attached document from the IRS.

 

Is identity theft just a problem for people who submit information online?

You can be a victim of identity theft even if you never use a computer. Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving), or picking up a receipt at a restaurant that has your account number on it. If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts, or apply for loans.

The Internet has made it easier for thieves to obtain personal and financial data. Most companies and other institutions store information about their clients in databases; if a thief can access that database, he or she can obtain information about many people at once rather than focus on one person at a time. The Internet has also made it easier for thieves to sell or trade the information, making it more difficult for law enforcement to identify and apprehend the criminals.

How are victims of online identity theft chosen?

Identity theft is usually a crime of opportunity, so you may be victimized simply because your information is available. Thieves may target customers of certain companies for a variety of reasons; for example, a company database is easily accessible, the demographics of the customers are appealing, or there is a market for specific information. If your information is stored in a database that is compromised, you may become a victim of identity theft.

Are there ways to avoid being a victim?

Unfortunately, there is no way to guarantee that you will not be a victim of online identity theft. However, there are ways to minimize your risk:

  • Do business with reputable companies – Before providing any personal or financial information, make sure that you are interacting with a reputable, established company. Some attackers may try to trick you by creating malicious web sites that appear to be legitimate, so you should verify the legitimacy before supplying any information. (See Avoiding Social Engineering and Phishing Attacks and Understanding Web Site Certificates for more information.)
  • Take advantage of security features – Passwords and other security features add layers of protection if used appropriately. (See Choosing and Protecting Passwords and Supplementing Passwords for more information.)
  • Check privacy policies – Take precautions when providing information, and make sure to check published privacy policies to see how a company will use or distribute your information. (See Protecting Your Privacy and How Anonymous Are You? for more information.) Many companies allow customers to request that their information not be shared with other companies; you should be able to locate the details in your account literature or by contacting the company directly.
  • Be careful what information you publicize – Attackers may be able to piece together information from a variety of sources. Avoid posting personal data in public forums. (See Guidelines for Publishing Information Online for more information.)
  • Use and maintain anti-virus software and a firewall – Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall. (See Understanding Anti-Virus Software and Understanding Firewalls for more information.) Make sure to keep your virus definitions up to date.
  • Be aware of your account activity – Pay attention to your statements, and check your credit report yearly. You are entitled to a free copy of your credit report from each of the main credit reporting companies once every twelve months. (See AnnualCreditReport.com for more information.)

How do you know if your identity has been stolen?

Companies have different policies for notifying customers when they discover that someone has accessed a customer database. However, you should be aware of changes in your normal account activity. The following are examples of changes that could indicate that someone has accessed your information:

  • unusual or unexplainable charges on your bills
  • phone calls or bills for accounts, products, or services that you do not have
  • failure to receive regular bills or mail
  • new, strange accounts appearing on your credit report
  • unexpected denial of your credit card

What can you do if you suspect or know that your identity has been stolen?

Recovering from identity theft can be a long, stressful, and potentially costly process. Many credit card companies have adopted policies that try to minimize the amount of money you are liable for, but the implications can extend beyond your existing accounts. To minimize the extent of the damage, take action as soon as possible:

  • Start by visiting IdentityTheft.gov – This is a trusted, one-stop resource to help you report and recover from identity theft. Information provided here includes checklists, sample letters, and links to other resources.
  • Possible next steps in the process – You may need to contact credit reporting agencies or companies where you have accounts, file police or other official reports, and consider other information that may have been compromised.

Other sites that offer information and guidance for recovering from identity theft are:

Author

US-CERT Publications

 

Staying Safe from Tax Scams  


As people seek to file their tax returns this year, cybercriminals will be busy trying to take advantage of this with a variety of scams. Citizens may learn they are victims only after having a legitimate tax return rejected because scammers already fraudulently filed taxes in their name. According to the Internal Revenue Service (IRS), there was a 60% increase in 2018 in phishing scams that tried to steal money or tax data. The IRS identified 9,557 fraudulent tax returns as of only February 24th, 2018 for the last filing season. As everyone aims to file their returns among all this fraud, the following advice will explain how tax fraud happens and provide recommendations on how to prevent it from happening to you or how to get help if you are unfortunately affected by a tax scam!

 

How is tax fraud perpetrated?

The most common way for cybercriminals to steal money, financial account information, passwords, or Social Security Numbers is to simply ask for them. Criminals will send phishing messages, often impersonating government officials and/or IT departments. They may tell you a new copy of your tax form is available. They may include a link in a very official-looking email that goes to a website that uses an official organization’s logo and appears legitimate, yet is fraudulent. If you attempt to log in to the false website, or provide any personal information, the criminals will see what you type and try to use it to compromise your other accounts and file a false return in your name.

 

Additionally, much of your personal information can be gathered online from sources like social media or past data breaches. Criminals know this, so they gather pieces of your personal information from a variety of sources and use the information to file a fake tax refund request! If a criminal files a tax return in your name before you do, you will go through the arduous process of proving that you did not file the return and subsequently correcting the return.

 

Criminals also impersonate the IRS or other tax officials, demanding tax payments and threatening you with penalties if you do not make an immediate payment. This contact may occur through websites, emails, or threatening calls or text messages that seem official but are not. Sometimes, criminals request their victims to pay “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember that the IRS lets citizens know it will not do the following:

 

  • Initiate contact by phone, email, text messages, or social media without sending an official letter in the mail first.
  • Call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
  • Threaten you with jail or lawsuits for non-payment.
  • Demand payment without giving you the opportunity to question or appeal the amount they say you owe.
  • Request any sensitive information online, including PIN numbers, passwords or similar information for financial accounts.

 

How can you protect yourself from tax fraud?

  • File your taxes as soon as you can…before the scammers do it for you!
  • Always be wary of calls, texts, emails, and websites asking for personal or tax data, or payment. Always contact organizations through their publicly posted customer service line. If they contact you, end the call and call the organization on the phone number on their website. As mentioned previously, the IRS will initiate contact on these issues by mail through the postal service.
  • Don’t click on unknown links or links from unsolicited messages. Type the verified, real website address into your web browser.
  • Don’t open attachments from unsolicited messages, as they may contain malware.
  • Only conduct financial business over trusted sites and networks. Don’t use public, guest, free, or insecure Wi-Fi networks.
  • Use strong, unique passwords for all your accounts and protect them. Reusing passwords between accounts is a big risk that allows a breach of one account to affect many of them!
  • Shred all unneeded or old documents containing confidential and financial information.
  • Check your financial account statements and your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus. This will prevent identity thieves from applying for credit or creating an IRS account in your name.

 

If you receive a tax-related phishing or suspicious email at work, report it according to your organization’s cybersecurity policy. If you receive a similar email on your personal account, the IRS encourages you to forward the original suspicious email as an attachment to its phishing@irs.gov email account, or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.

 

If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website provides a step-by-step recovery plan. It also allows you to report if someone has filed a return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.

 

 

Digital Inheritance 


Overview

Have you ever thought about the uncomfortable question, what happens to our digital presence when we die or become incapacitated? Many of us have or know we should have a will and checklists of what loved ones need to know in the event of our passing. But what about all of our digital data and online accounts? Should we consider some type of digital will? Should we create a “digital inheritance” plan?

 

Think about your digital presence. Bank and retirement accounts, home mortgages, family photos and videos, smart home accounts, email, and social media are just some of the many examples that make up our digital footprint. In the event of your death or the death of a close family member, family and loved ones may need prompt access to those accounts or data. In addition, legacy data and online accounts left behind could become vulnerable over time to hackers, thus placing family and friends at risk.

 

Creating a Plan

It is a good idea to discuss your desires with your trusted family or friends, like other end-of-life details. In addition to having these conversations, take inventory and document your digital assets and online accounts. If you do not provide access to your accounts after you die, it can be very difficult for family members to access or close them. For example, would you want your family members to be locked out of all those years of family photos and videos you have stored online?

 

One idea is to document your online presences in a password manager. This is a program that securely stores all your logins and passwords, credit cards, and other sensitive information. It’s designed to make creating, storing, and accessing passwords and security questions vastly simpler. In many ways, this is a powerful tool to catalog your digital presence. With many password managers you can even configure them to share all or certain passwords with other trusted family members. If you are uncomfortable with that, document access to your password manager and seal that in an envelope; then have that sealed envelope opened after your passing by an executor or trusted family member. This way, they will have access to your password manager and be able to access your accounts and information stored in there.

 

In addition, some sites provide the option to identify legacy or trusted contacts. Facebook, for example, allows participants to determine in advance if they would like their account deleted or memorialized after passing. Memorializing creates a space that’s only visible to existing friends, where memories can be shared. Finally, you may want to consider dealing with a lawyer or estate planner who specializes in digital inheritance.

Inheriting Digital Assets

You may find yourself in the situation where you have to recover or access the online accounts of a recently deceased friend or family member. We recommend you first coordinate with a lawyer and other family members before taking action. Other family members could quickly become upset if they see you taking action without consulting them first. Then start with identifying any passwords you can find. Did the family member write them down or store them anywhere? If that is not an option, can you access any computers or mobile devices they used and are still logged into? If not, you most likely will have to reach out to each site for access to the deceased member’s account. This often includes having to provide both a death certificate and proof you are directly related to the family member. In some cases, you will not be able to access the account or data stored in the account but only delete it. Every site handles these situations differently, which can be a time-consuming process.

In today’s digital world, we should not only consider physical assets but also digital assets in our future estate planning.

I’m Hacked, Now What? 


Have I Been Hacked?

No matter how secure you are, sooner or later you may have an accident and become hacked.

Below are clues you might have been hacked and if so, what to do.

 

Your Online Accounts

  • Family or friends say they are receiving unusual messages or invites from you that you know you did not send.
  • Your password to an account no longer works, even though you know the password is correct.
  • You receive notifications from websites that someone has logged into your account when you know you did not log in yourself. Do not click on any links in such notifications to check your account; instead, type the website address yourself into your browser, use your previously saved bookmark, or access your account from a mobile app.

 

Your Computer or Mobile Device

  • Your antivirus program generates an alert that your system is infected. Make sure it is your antivirus software generating the alert and not a random pop-up window from a website trying to fool you into calling a number or installing something else. Not sure? Open and check your antivirus program to confirm if your computer is truly infected.
  • You get a pop-up window saying your computer has been encrypted and you have to pay a ransom to get your files back.
  • Applications seem to be crashing randomly or are loading very slowly.
  • While browsing the web, you are often redirected to pages you did not want to visit or new, unwanted pages appear.

 

Financial

  • There are suspicious or unknown charges to your credit card or bank account that you know you did not make.

 

Now What?  How to Take Back Control

If you suspect you have been hacked, stay calm; you will get through this. If the hack is work-related, do not try to fix the problem yourself; report it immediately. If it is a personal system or account that has been hacked, here are some steps you can take:

  • Recovering Your Online Accounts: If you still have access to your account, log in from a trusted computer that you are confident is not infected and reset your password. Once you log in, make sure to set a new, unique and strong password, the longer the better. Remember, each of your accounts should have a different password. If you can’t keep track of all of them, we recommend using a password manager. Also, if it is an option, enable Multi-Factor Authentication (MFA) for your accounts, helping ensure the cyber attackers cannot get back in. If you no longer have access to your account, contact the website and inform them your account has been taken over.
  • Recovering Your Personal Computer or Device: If your antivirus program is unable to fix an infected computer or you want to be more certain your system is safe, consider reinstalling the operating system and rebuilding the computer. This often requires erasing or replacing the disk drive and then reinstalling and updating the operating system. Do not reinstall the operating system from backups. Backups should only be used for recovering your personal files. If you feel uncomfortable rebuilding, consider using a professional service to help you. Or if your computer or device is old, it may be time to purchase a new one.
  • Recovering Your Financial Accounts: For issues with your credit card or any financial accounts, call your bank or credit card company right away. Call them using a trusted phone number, such as the phone number listed on the back of your bank card, the number printed on your financial statements, or visit their website. Monitor your statements and credit reports frequently. In addition, consider putting a credit freeze on your credit files.

 

If you have suffered financial harm or feel in any way threatened, report the incident to local law enforcement.

 

Used with permission by SANS Security Awareness   

 

Anyone Can Start a Cybersecurity Career 


Overview

We read about cybersecurity in the news almost every day as organizations and governments around the world continue to get hit with ransomware, scams, and cyber-attacks. There is a huge demand for people trained in cybersecurity to help defend against these growing threats. In fact, recent studies estimate that there are almost 3 million cybersecurity job openings globally. 

 

Have you considered a career as a cybersecurity professional? It is a fast-paced, highly dynamic field with a huge number of exciting specialties to choose from. These positions include fields like forensics, awareness and training, endpoint security, critical infrastructure, incident response, secure coding, and policy. A career in cybersecurity also allows you to work almost anywhere in the world, with a variety of benefits and an opportunity to make a real difference.

 

Do I need a degree in computer science?

Absolutely not. Many of the best security professionals have non-technical backgrounds. The key is a passion to learn; once you understand how technologies work (and break), you can better secure them.  Cybersecurity is so exciting because you can start learning at your own pace in the comfort of your own home.

 

How do I get started?

Start exploring different areas to discover your interests. You can often start with just the computers or devices you have at home.

  • Coding: Learn the basics of programming. Python, HTML, or JavaScript are all good languages to get started. Consider an online training site or grab any beginner’s book on programming.
  • Systems: Learn the basics of administering an operating system, such as Linux or Windows. If you really want to nerd out, build expertise through the command line interface and scripting.
  • Applications: Learn how to configure, run, and maintain applications, such as web servers.
  • Networking: Discover how computers and devices talk to each other by capturing and analyzing network traffic. This can be great fun as your home is most likely already a networked environment with all sorts of devices connected to it.
  • Cloud Technologies: Learn how cloud services work and the different ways they can be leveraged.

 

Set up your own lab at home. You can use online cloud resources, such as Amazon's AWS or Microsoft’s Azure, or you can create multiple virtual operating systems on the same physical computer with virtualization services. If you want to work directly with hardware, purchase simple, cheap computers like the Raspberry Pi or Arduino. Once you get your systems up and running, start interacting with them and learn everything you can about configuring and optimizing them, or start programming and creating code on these systems. There is no right or wrong way to start, just follow where your interests take you. 

 

Another great way to get started is to meet and work with others in cybersecurity. Consider attending a local cybersecurity conference or a virtual ‘con’ such as Bsides or SANS New2Cyber. The hardest part is finding that first event or meet-up. Once you attend, connect with other attendees, and grow your professional network.

 

Other options for learning cybersecurity include YouTube videos, listening to podcasts, visiting online forums, subscribing to blogs from security professionals, or participating in online Capture the Flag (CTF) events. Ultimately, do not let your education or background hold you back. A passion to learn and help others, as well as the ability to “think outside of the box” are key attributes. Once you start developing your technical skills and meet with others, the opportunities will come.

 

Used with permission SANS Institute 2021 www.sans.org/security-awareness 

 

Password Reuse 


Over the past few years, criminals have stolen more than a billion usernames and passwords from many sites across the Internet, including LinkedIn, Adobe, and Tumblr. Criminals use these stolen usernames and passwords to log in to other sites, including Exchange, Google, TeamViewer, GoToMyPC, and other popular sites. Many of these logins succeed because people reuse their passwords.

You can check to see if your password was stolen in one of the larger breaches at https://haveibeenpwned.com. You do not need to supply your password to check. This database does not include all breaches, so even if your password is not listed as stolen, you may still be at risk.

There's a huge amount of hacked data floating around the web. Every week you hear of another site getting hacked, and all of those credentials are advertised around the Internet. But then what? What do hackers and others with bad intentions do with all of those email addresses and passwords? Among other things, they attempt to break into accounts on totally unrelated websites. And this is where the real problems begin.

Like it or not, people reuse passwords. Most people are just out there with the same password or three across all of their accounts. The hackers know this, so they're going to try and break into as many other accounts as they can using the credentials collected from a data breach. One way this is accomplished is through credential stuffing.

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. It is a subset of the brute force attack category: large numbers of compromised credentials are automatically entered into websites until they match an existing account, which the attacker can then hijack for their own purposes.

This is a serious threat for a number of reasons:

  • It's enormously effective due to the password reuse problem
  • It's hard for organizations to defend against because a successful "attack" is someone logging on with legitimate credentials
  • It's easily automatable: you simply need software which will reproduce the logon process against a target website
  • There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing
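One way a site operator can surface this pattern in its own login logs, as an added example that is not part of the original article: flag a source that tries many different usernames in a short window with mostly failures, and list the accounts that succeeded inside that burst so they can be reset. The log format, IP addresses and usernames below are constructed for the example.

```python
"""Detect credential-stuffing bursts in web login logs.

Credential stuffing replays breached username/password pairs, so one
source tends to try many *different* usernames in a short window, with
mostly failures and an occasional success where a password was reused.
A lone user mistyping their own password looks different: one username,
a few failures, then success. Log format and data are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <result>"
# 203.0.113.7 replays a breached list; 198.51.100.20 is a user who
# forgot their password; 198.51.100.21 is an ordinary successful login.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:03 203.0.113.7 bob FAIL
2024-03-01T10:00:04 198.51.100.20 ivan FAIL
2024-03-01T10:00:05 203.0.113.7 carol FAIL
2024-03-01T10:00:07 203.0.113.7 dave SUCCESS
2024-03-01T10:00:09 198.51.100.20 ivan FAIL
2024-03-01T10:00:10 203.0.113.7 erin FAIL
2024-03-01T10:00:12 203.0.113.7 frank FAIL
2024-03-01T10:00:14 198.51.100.20 ivan SUCCESS
2024-03-01T10:00:15 203.0.113.7 grace FAIL
2024-03-01T10:00:18 203.0.113.7 heidi SUCCESS
2024-03-01T10:01:00 198.51.100.21 judy SUCCESS
"""


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    success: bool


def parse_log(text):
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user,
                                 result == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_rate=0.3):
    """Return {ip: details} for sources showing a stuffing pattern.

    A source is flagged when, within any sliding window, it attempts at
    least `min_distinct_users` different usernames and most of those
    attempts fail. Successful logins inside such a burst are reported as
    `compromised`: they used valid credentials, which is exactly why the
    success itself looks legitimate and needs the surrounding context.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        j = 0
        for i in range(len(evs)):
            # Advance j so evs[i:j] holds every event within `window` of evs[i].
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            span = evs[i:j]
            users = {e.user for e in span}
            if len(users) < min_distinct_users:
                continue
            successes = [e.user for e in span if e.success]
            rate = len(successes) / len(span)
            if rate > max_success_rate:
                continue  # mostly-successful traffic is not a stuffing burst
            candidate = {
                "attempts": len(span),
                "distinct_users": len(users),
                "success_rate": round(rate, 2),
                "compromised": sorted(set(successes)),
            }
            if best is None or candidate["distinct_users"] > best["distinct_users"]:
                best = candidate
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, details in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {details['attempts']} attempts across "
              f"{details['distinct_users']} usernames, "
              f"success rate {details['success_rate']}; "
              f"force password reset for: {details['compromised']}")
```

Running it flags only 203.0.113.7 and names dave and heidi as the accounts whose reused passwords matched; the forgetful user on 198.51.100.20 is not flagged because every attempt targeted a single username.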

We've all done it at one time or another, but please remember to use separate passwords for each of your accounts. If you reuse any of your passwords, please change them immediately. Consider using a password manager to allow you to have separate, strong passwords created automatically for all of your accounts.

Never use your UMID password for any other site, including other UMB sites.

 

Social Media Privacy 


Overview

Most people would never consider walking into a crowded room and loudly broadcasting to total strangers all the details of their private life—from their health issues to their family and friends’ names, ages, jobs, or school locations. But often these same individuals won’t think twice about posting that same information on social media. The ramifications of sharing too much can have an impact not only on your personal and professional life but also the lives of your family and friends.

Social media is a great place to reconnect, share, and learn. However, just ensuring that your social media privacy settings are strong isn’t the only way to protect yourself. Once you post anything online, you have lost control of it. You need to understand what is being collected and how it is being used. Here are some privacy concerns you should have when using social media:

 

  • Privacy Settings: Carefully create and frequently review privacy settings for all of your social media accounts, especially when changes in terms of service and privacy policies take place. Remember that even if you have secured your settings for who can view your postings, all of your information is being collected, mined, and stored on the social media platform servers—perhaps forever.
  • Privacy Tree: Social media settings can’t protect you from friends, relatives, and co-workers who view your postings and then have the ability to share those postings with their circle of friends and so on.
  • Family Sharing: Everyone loves to talk about their friends and family. But posting silly birthday cake pictures or health and behavior problems can lead to bullying, especially for those who are younger, and could impact their personal lives.
  • Information Sharing: If a service is “free,” then you are the product. Investigations have found that what you are doing online may be sold to others.
  • Location Services: Check-in data can be added to other personal data to create a profile of your life and habits, which can lead to stalking and open you to other harassing events. In addition, be aware of any location information included in any pictures or videos you post.
  • Artificial Intelligence: AI, social media, and marketing are the perfect combination. Marketers now use information gathered from your habits online to feed you ads focused on your last search or purchase, and thereby continue to learn even more about you.
  • Digital Death: When a person dies, their online presence becomes more vulnerable to malicious individuals if their accounts aren’t being maintained or eliminated by their survivors. The privacy of an individual is not just about that person alone; it also can impact extended family and friends.
  • Unintentional Disclosure: The information you post about yourself may reveal much of your personal history, and thus the answers to your online secret security questions.

Privacy is far more than just setting the privacy options in your social media accounts. The more information you share, and the more others share about you, the more information that is collected and used by corporations, governments, and others. One of the best ways to protect yourself is to consider and limit what you share and what others share about you, regardless of the privacy options you use.

Identity Theft 


What is Identity Theft?

 

Identity theft happens when a criminal steals information about you and uses that information to commit fraud, such as requesting unemployment benefits, tax refunds, or a new loan or credit card in your name. If you don’t take precautions, you may end up paying for products or services that you didn’t buy and dealing with the stress and financial heartache that follows identity theft.

 

Your personal information exists in numerous places all over the internet. Every time you browse or purchase something online, watch a video, buy groceries, visit your doctor, or use an app on your smartphone, information about you is being collected. That information is often legally sold or shared with other companies. Even if just one of these gets hacked, the criminals can gain access to your personal information. Assume that some information about you is already available to criminals and consider what you can do to slow down or detect the use of your information for fraud.

 

How to detect it

 

  • Review your financial cards and other accounts regularly for any charges or payments you did not make. An easy way to do this is to sign up for email, text messages, or phone app notifications for payments and other transactions. Monitor them for fraud.
  • Investigate situations when merchants decline your credit or debit cards. Look into letters or phone calls from debt collectors for overdue payments for credit cards, medical bills, or loans that you know are not yours.
  • Pay attention to letters that inform you about unemployment or other government benefit claims for which you never applied.
  • If available in your area, review your credit reports at least once a year. For example, in the United States, you can request free reports from annualcreditreport.com.

 

What to do when it happens

 

  • Contact the organization that is involved in the fraud. For example, if a criminal opened a credit card in your name, call that credit card company to notify it about the fraud. If someone filed for a tax refund or unemployment benefits in your name, contact the corresponding government organization.
  • File a report with law enforcement to create an official record of identity theft. You can often do this online. For example, in the United States you can report at identitytheft.gov. Follow the site’s instructions for any additional steps you may need to take.
  • When responding to fraud, keep records of your interactions with your financial institutions and law enforcement, as well as the costs you incur due to identity theft in case these details will be needed later.
  • Notify your insurance company; you may have identity theft protection included in one of your policies.

 

How to defend against it

 

Here are some simple steps you can take to decrease the chance of identity fraud happening:

 

  • Limit how much information you share about yourself with online services and websites.
  • Use a unique strong password for all of your online accounts and enable two-factor authentication as additional protection for your most important accounts.
  • If applicable in your location, restrict who can get access to your credit reports. For example, in the United States freeze your credit file so that anyone who tries to get a credit card or loan in your name has to first temporarily unfreeze it.
  • Consider getting insurance coverage, either through a dedicated policy or as part of your existing insurance plan, that covers the costs of dealing with identity theft.

 

Used with permission by SANS Security Awareness    

 

 

Learn a New Skill: Spotting Deepfakes 


What Are Deepfakes?

The word "deepfake" is a combination of "deep learning" and "fake." Deepfakes are falsified pictures, videos, or audio recordings. Sometimes the people in them are computer-generated, fake identities that look and sound like they could be real people. Sometimes the people are real, but their images and voices are manipulated into doing and saying things they didn’t do or say. For example, a deepfake video could be used to recreate a celebrity or politician saying something they never said. Using these very lifelike fakes, attackers can spin up an alternate reality where you can’t always trust your eyes and ears.

 

Some deepfakes have legitimate purposes, like movies bringing deceased actors back to life to recreate a famous character. But cyber attackers are starting to leverage the potential of deepfakes. They deploy them to fool your senses, so they can steal your money, harass people, manipulate voters or political views, or create fake news. In some cases, they have even created sham companies made up of deepfake employees. You must become even more careful of what you believe when reading news or social media in light of these attacks.

 

The FBI warns that in the future deepfakes will have "more severe and widespread impact due to the sophistication level of the synthetic media used." Learn to spot the signs of a deepfake to protect yourself from these highly believable simulations. Each form of deepfake — still image, video, and audio — has its own set of flaws that can give it away.

 

Still Images

The deepfake you may see most often is the phony social media profile picture. Below are five different clues that can be used to determine if a photo could be a deepfake. You will notice that these clues are not easy to spot and can be hard to identify:

 

  1. Background: The background is often blurry or crooked and may have inconsistent lighting such as pronounced shadows pointing in different directions.
  2. Glasses: Look closely at the connection between the frames and the arms near the temple. Deepfakes often have mismatching connections with slightly different sizes or shapes.
  3. Eyes: Deepfake photos currently used for fake profile pictures appear to have their eyes in the same spot in the frame, resulting in what some call the "deepfake stare."
  4. Jewelry: Earrings may be amorphous or strangely attached. Necklaces may be embedded into the skin.
  5. Collars and shoulders: Shoulders may be misshapen or unmatching. Collars may be different on each side.

 

Video

Researchers at the Massachusetts Institute of Technology, MIT, developed a question list to help you figure out if a video is real, noting that deepfakes often can't "fully represent the natural physics" of a scene or lighting.

  1. Cheeks and forehead: Does the skin appear too smooth or too wrinkly? Is the age of the skin similar to the age of the hair and eyes?
  2. Eyes and eyebrows: Do shadows appear in places that you would expect?
  3. Glasses: Is there any glare? Too much glare? Does the angle of the glare change when the person moves?
  4. Facial hair: Does the facial hair look real? Deepfakes might add or remove a mustache, sideburns, or beard.
  5. Facial moles: Does the mole look real?
  6. Blinking: Does the person blink enough or too much?
  7. Lip size and color: Do the size and color match the rest of the person's face?

 

Audio/Voice

Researchers say technologies like spectrograms can show when voice recordings are fake. But most of us do not have the luxury of a voice analyzer when an attacker calls. Listen for a monotone delivery, odd pitch or emotion, and lack of background noise. Voice fakes can be hard to detect. If you receive an odd call from a legitimate organization, you can verify if the call is real by first hanging up then calling the organization back. Be sure to use a trusted phone number, such as a phone number you already have in your contact list, a phone number printed on a bill or statement from the organization, or the phone number on the organization’s official website.

 

Conclusion

Be aware that attackers are actively using deepfakes. They can create fake social media accounts to connect with you, or fake videos to influence public opinion, and some even sell deepfake services on the dark web so other attackers can do the same. We don't expect you to become a deepfake expert, but if you arm yourself with the basics of identifying fakes, you will be far better at defending yourself. If you suspect you have detected a deepfake, report it to the website or source hosting the content.

 

 

Resources

Social Engineering

Can you spot the fake? (Ampere News)

MIT's deepfake detection test (MIT)

Spot the deepfake

 

 

Used with permission by SANS Security Awareness     

 

Technical Support Scams

What are Technical Support scams?

In a Technical Support scam, a scam artist contacts you by phone or through a website, often via a pop-up window in your web browser. If you are browsing an unfamiliar website and a pop-up claims that your computer is infected, close the browser tab (or the whole browser) and do not call any number it displays. A web page cannot scan your computer for infections; the warning itself is the bait.

If the contact comes by phone, the scammer will typically claim to be a representative of Microsoft or Apple Technical Support and say they have noticed that your computer is infected and causing a problem. They will raise common concerns such as viruses or malware, stress the danger of leaving these issues unaddressed, and offer to "fix" the manufactured problems by connecting to your system.

 

What is the possible impact of such scams?

The goal of the scammer is to gain remote access to your computer. Once they have achieved that, usually through legitimate remote desktop software such as LogMeIn, they will do one or more of the following:

  • Trick you into installing malicious software that could capture sensitive information, such as your online banking account name and password (they might then also charge you to remove this software).
  • Convince you to download software that allows them to control your computer remotely, and adjust settings to leave your computer vulnerable.
  • Request credit card information so they can bill you for phone services.
  • Direct you to fraudulent websites and ask you to enter credit card and other personal or financial information there.

Many of these scammers operate shell companies or fake entities with full websites and toll-free telephone numbers that you can call, so a professional-looking website or a working phone line is not proof of legitimacy.

 

How can I protect myself from Technical Support Scams?

Legitimate technical support services will never contact you unsolicited to ask for credit card or other financial information, or to sell you services, subscriptions, or fees.

Per Microsoft's website, if someone contacts you claiming to be from Microsoft:

  • Do not purchase any software or services.
  • Ask if there is a fee or subscription associated with the "service". If there is, hang up.
  • Never give control of your computer to a third party unless you can confirm that they are a legitimate representative of a computer support team with whom you are already a customer, or you initiated the support call yourself.
  • Take the person's information down and immediately report it to your local authorities.
  • Never provide your credit card or financial information to someone claiming to be from Microsoft or any other technical support service.

 

You can review the following resources for further protecting yourself against Technical Support scams:

 

Disposing of Your Mobile Device

 

Overview

Mobile devices, such as smartphones, smart watches, and tablets, continue to advance and innovate at an astonishing rate. As a result, some people replace their mobile devices as frequently as every year. Unfortunately, people often do not realize how much personal data is on these devices. Below we cover what may be on your mobile device and how you should securely wipe it before disposing of it. If your mobile device was issued to you by your employer, or has any work data stored on it, be sure to check with your supervisor about proper backup and disposal procedures first.

 

Your Information

Mobile devices store more sensitive data than many people realize, often far more than your computer, including:  

  • Where you live, work, and places you visit
  • The contact details for everyone in your address book, including family, friends, and co-workers
  • Phone call history, including inbound, outbound, voicemail, and missed calls
  • Texting or chat sessions within applications like secure chat, games, and social media
  • Web browsing history, search history, cookies, and cached pages
  • Personal photos, videos, and audio recordings
  • Stored passwords and access to your accounts, such as your bank, social media, or email
  • Health related information, including your age, heart rate, exercise history, or blood pressure

 

Wiping Your Device

Regardless of how you dispose of your mobile device (donating it, exchanging it for a new one, giving it to another family member, reselling it, or even throwing it out), you need to erase all of that sensitive information first. Simply deleting files is not enough, because deleted data can often be recovered. Instead, securely erase everything on the device; the easiest way to do that is a factory reset. The exact steps vary among devices, and the steps for the two most common platforms are listed below. For a reset to be effective, make sure storage encryption is enabled before you reset. On most recent mobile devices the storage is encrypted as soon as you set a screen lock (which hopefully you have enabled already), and the reset destroys the encryption key, leaving anything left on the flash storage unreadable. Finally, we highly recommend that you back up your device before resetting it, and that you sign out of your Apple ID or Google account first so the device is no longer locked to you.

 

  • Apple iOS devices: Settings | General | Reset | Erase All Content and Settings (on newer iOS versions the path is Settings | General | Transfer or Reset iPhone | Erase All Content and Settings)
  • Android devices: Settings | Privacy | Factory Data Reset (the path varies by manufacturer and Android version; on many devices it is Settings | System | Reset options | Erase all data (factory reset), and searching the Settings app for "reset" will find it)

 

 

SIM & External Cards

In addition to your device, you also need to consider what to do with your SIM (Subscriber Identity Module) card. A SIM card is what a mobile device uses to make a cellular or data connection. Wiping your device does not touch the SIM card: it still holds information about your account and is tied to you. If you are keeping your phone number and moving to a new device, talk to your phone service provider about transferring your SIM card. If that is not possible, keep your old SIM card and physically destroy it, so that no one else can reuse it to impersonate you and gain access to your information or accounts.

Some Android mobile devices also use a removable SD (Secure Digital) card for additional storage. Remove any external storage card from your mobile device prior to disposal; a factory reset of the phone does not necessarily erase a removable card. These cards can often be reused in new mobile devices, or as generic storage on your computer with a USB adapter. If reusing your SD card is not possible, then, just like your old SIM card, we recommend you physically destroy it.

If you are not sure about any of the steps covered above, or if your device's reset options are different, take your mobile device to the store you bought it from and get help from a trained technician. Finally, if you are throwing a device away, consider donating it instead. There are many excellent charitable organizations that accept used mobile devices, and many mobile providers have drop-off bins in their stores.

Digital Spring Cleaning

 

Most of us are so looking forward to spring! The landscape starts to take shape, flowers start to bloom, and, for many, there’s a desire to spring clean. While it might be easy to see the need to purge and tidy up, realizing the need to also digitally declutter isn’t so apparent. Here are some quick tips to get your digital life in order and establish new digital habits:

 

BACKUPS: We listed this step first because, in the long run, it is one of the most important, and it is a step you want to take before moving on to the others. No matter how safe or secure you are, at some point you will most likely need backups to recover your important information. Reasons can include a hard drive failing, losing a device, or becoming infected with malware such as ransomware. Creating and scheduling automatic backups ensures you can recover your most important information; keep at least one copy offline or otherwise disconnected from your computer, so that ransomware cannot encrypt the backup along with the original.

 

DELETE: Delete any unused programs or apps on your mobile devices and computers. Some apps require large amounts of storage, can introduce new vulnerabilities, and may even slow things down. The fewer apps you have, the more secure your system and your information. Many devices show you how long it has been since you’ve used an app—if it has been more than a few months, chances are you don’t need the app!

 

UPDATE: Update all of the devices and apps you do keep, and enable automatic updating whenever possible. Updates fix the vulnerabilities attackers exploit, so keeping devices and apps current makes it much harder for anyone to break into them.

 

PASSWORDS: Review your passwords. If you are using the same passwords for multiple accounts, change them so each account has a unique password. Can’t remember all your unique passwords? Consider using a password manager. Finally, enable two-factor authentication (2FA) whenever possible, especially for any email or financial accounts.

 

FINANCIAL ACCOUNTS: Make sure your bank accounts, credit card accounts, and retirement accounts are configured to alert you whenever a transaction is made, especially for large purchases or money transfers. The sooner you spot fraudulent activity, the sooner you can stop it. Depending on what country you live in, a credit freeze can be one of the most effective ways to protect your identity.

 

BROWSER: Review any and all add-ons or plugins installed in your browser. Review the permission settings; do the plugins really need access to your location, passwords, or contact lists? If you are no longer using certain plugins, or have privacy concerns about them, delete them.

 

SOCIAL MEDIA: Check out your online presence and own it. Review your privacy settings and delete any photos and videos that are no longer accessed or needed. You can also search for yourself on a search engine and see what information is out there about you. Remember, it is fine to limit how much information you share, and with whom you share it.

DESK: Clean out your desk drawer, wipe any old hard drives and USB drives, and perhaps even destroy any sticky notes with too much information on them. Consider investing in a document shredder if you don't have one.

 

EMAIL: Perform an email file purge: delete what you don't need and organize what you do. Pay particular attention to any sensitive documents, such as those with your date of birth or Social Security number, and get those out of your inbox!

 

While this may appear to be a daunting task, rest assured your devices and information will be far more protected. If this seems like a lot to do, consider choosing just a few items, or try to check off one item per day or week. Every little step goes a long way in protecting you.

Privacy –Protecting Your Digital Footprint

 

What is Privacy?

There are many different definitions of “privacy.” We are going to focus on personal privacy, protecting the information about you that others collect. In today's digital world, you would be astounded at all the different entities that not only collect information about you, but who then legally share or sell that information. Each time you browse or purchase something online; stream a video; buy groceries; search the web; visit your doctor; or use an app on your smartphone, smart TV, or other home devices, information about you is being collected. This information can be used to sell you goods or services, decide your interest rates for loans, or determine the type of medical care you get or the jobs you are eligible for. Additionally, if this information falls into the wrong hands, it can be used by cyber attackers to target and attack you.

 

The goal of maintaining personal privacy is managing your digital footprint, i.e., protecting and limiting what information is collected about you. Be aware that in today's digital world it is almost impossible to eliminate your digital footprint or stop every organization from collecting information on you; you can only reduce it.

 

Steps You Can Take to Help Protect Your Privacy

There is no single step you can take to address all of your privacy concerns. Instead, you will need to take a variety of steps, with each step helping in a small way. The more steps you take, the more you can help protect your privacy.

  • Limit what you post and share with others online, such as on public forums or on social media. This includes being careful of what pictures or selfies you share. Even on private forums or when you enable strong privacy options, assume whatever you post will become public at some point.
  • When creating online accounts, review what information the sites collect about you by checking their Privacy Policy and provide only what you absolutely need to. If you have concerns about what they collect, then don’t use the site.
  • Be aware that regardless of what privacy options you set, information about you is being collected, especially on free services, such as Facebook or WhatsApp. These services base their business model on collecting data on what you do and who you interact with. If you are truly concerned about your privacy, don’t use such free sites.
  • Review mobile apps before downloading and installing them. Do they come from a trusted vendor? Have they been available for a long time? Do they have lots of positive comments? Check the permissions requirements. Does the mobile app really need to know your location or have access to your contacts? If you don’t feel comfortable, then choose a different app. Look for apps that promote privacy and give you privacy options. While you may have to pay more for an app that respects your privacy, it may be worth it.
  • Consider using a Virtual Private Network (VPN) for your internet connections, especially on a public network such as free Wi-Fi. Keep in mind that a VPN hides your traffic from the local network but the VPN provider can see it instead, so choose one you trust.
  • In your browser, use private or incognito mode to limit what is stored on your device (history and cookies are discarded when you close the window), and review the privacy settings that control how cookies are used and stored. Private mode does not hide your activity from the websites you visit, your employer, or your internet provider. Consider privacy extensions like Privacy Badger, or privacy-focused browsers.
  • Consider using search engines designed for privacy, such as DuckDuckGo or StartPage.

 

In many ways, privacy is something very hard for you to protect, as so much of your privacy depends on the privacy laws and requirements of the country you live in and the ethics of the companies you deal with. Although you can never truly protect all of your privacy in this technological age we live in, these steps will help limit the amount of information collected about you.

 

Used with permission by SANS Security Awareness     

 

Top Three Social Media Scams

 

Overview

While social media is a fantastic way to communicate, share, and have fun with others, it is also a low-cost way for cyber criminals to trick and take advantage of millions of people. Don't fall victim to the three most common scams on social media.

 

Investment Scams

Have you ever seen a post about an investment opportunity that promises a huge return in an extremely short amount of time with allegedly little to no risk? In reality, these guarantees are investment scams: fraudsters simply steal your money after you pay them. These scams often include ads or success stories from past customers to promote the investments, but those are fake testimonials designed to increase your trust. Often these scams involve investing in cryptocurrencies or real estate, and payment is requested in cryptocurrency or other non-standard payment methods, which cannot be reversed. If an investment seems too good to be true, it most likely is. Remember, there is no such thing as a guaranteed, high-return investment. Only invest your money with trusted, well-known firms, not strangers you meet online pushing a get-rich-quick scheme.

 

Romance Scams

When criminals develop an online relationship with someone they’ve identified as lonely or vulnerable to trick them out of money, this is known as a romance scam. The criminal will use whatever tactics they can to build trust, including exchanging fake photos or sending gifts, then share a tragic story about needing money to pay for expenses such as hospital bills or for travel costs to visit the victim in person. To avoid actually meeting in person, these criminals may say they work in an industry that prevents them from doing so, such as construction, international medicine, or the military. They often request money as a wire transfer or gift cards to get cash quickly and remain anonymous. These types of scams are not only common on social media but with online dating apps. Be careful with people you meet online, take things slowly, and never send money to someone you have only communicated with online.

Additionally, if you believe someone you know may be vulnerable to such an attack, or is in an online relationship that raises these flags, offer to help them. It can be very difficult for someone engrossed in an emotional connection to see just how dangerous the situation has become.

 

Online Shopping Scams

Online shopping scams happen when you purchase items online at extremely low or unbelievable prices but never receive them. Tempting ads on social media promote incredible prices and link to sites that appear to be legitimate and to sell well-known brands, but these sites are often fake. Be wary of websites that have no contact information, broken contact forms, or personal email addresses for customer service. Type the name of the online store or its web address into a search engine to see what others have said about it, looking for terms like "fraud," "scam," "never again," and "fake." Be very cautious of online promotions or deals that appear too good to be true. It is far safer to purchase items that may cost slightly more from trusted sites that you or your friends have used before, and to pay by credit card rather than wire transfer or gift card, so that a fraudulent charge can be disputed.

The good news is that you are your own best defense. You are in control. Just be on alert for scams like these and you will be able to make the most of social media safely and securely.

 

Used with permission by SANS Security Awareness  

 

MFA

Confidence in authentication that relies on a username and password alone is at an all-time low. Despite considerable investments in security, attackers can easily gain access to confidential company data if they manage to obtain a user's login and password.

Authentication is the process of proving that you are who you say you are. It is an essential part of any modern IT system, and while passwords are usually part of an authentication system, on their own they provide weak proof of identity. This is the weakness that gives attackers access, and it is the first area we need to address in order to improve security.

The most commonly used factor is the time-honored username and password. The problem is that a password does not really prove that you are you. Anyone can type in a username and password, and as the many security breaches of the last few years prove, knowing the password does not mean it is yours.

The more recent answer to the password problem is to add a second factor that reduces the risk of an attacker using a stolen password. MFA protects you by adding an additional layer of security, making it harder for someone to log in as you: a thief would need both your password and your phone.

Two-factor authentication (2FA) strengthens access security by requiring two methods (also referred to as factors) to verify your identity. These factors can include something you know, like a username and password, plus something you have, like a smartphone app that generates a one-time code or approves a login request.

2FA defends against attackers who hold only a stolen, guessed, or brute-forced password: without your second factor, the credential alone no longer opens the account. It raises the bar against phishing and social engineering, but it is not a complete cure. A real-time phishing site can relay a one-time code the moment you type it, and an attacker who already has your password may send repeated push prompts hoping you will approve one. Never approve a login prompt you did not initiate, and never read a code to someone who calls you.
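The "something you have" factor described above is usually a time-based one-time password (TOTP) computed from a secret shared between your phone app and the server, or a push approval built on the same enrollment. The following is an added example, not UMB's or Duo's code: a standard-library Python implementation of TOTP (RFC 6238) showing both the phone side (generate a code) and the server side (verify it, tolerate clock drift, and refuse a replayed code). The secret and timestamps are constructed for the demo.

```python
"""TOTP (RFC 6238) as a "something you have" second factor.

Added example, not UMB's or Duo's code.  The secret is the value a phone app
stores when you scan the enrollment QR code; the server keeps a copy, and both
sides compute the same short code from the current 30-second time step.
Standard library only."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch.  `at` is a Unix timestamp (defaults to now)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // step, digits, algo)


def enrollment_key(secret):
    """What the QR code / "setup key" carries: the shared secret, base32 encoded."""
    return base64.b32encode(secret).decode().rstrip("=")


def verify_totp(secret, code, at, step=30, digits=6, window=1, used=None):
    """Server-side check of a submitted code.

    Accepts the current time step and +/- `window` neighbouring steps to
    tolerate clock drift, compares in constant time, and (when a `used` set is
    supplied) refuses to accept the same time step twice, so a code that was
    phished or overheard moments ago cannot be replayed after the real user
    has already logged in with it."""
    base = int(at) // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            if used is not None:
                if counter in used:
                    return False
                used.add(counter)
            return True
    return False


if __name__ == "__main__":
    # Constructed enrollment secret for a demo account (not a real credential).
    secret = b"12345678901234567890"
    print("setup key shown in the QR code:", enrollment_key(secret))
    now = int(time.time())
    code = totp(secret, now)
    print("code for the current 30-second step:", code)
    seen = set()
    print("first use accepted:", verify_totp(secret, code, now, used=seen))
    print("replay rejected:   ", verify_totp(secret, code, now, used=seen))
```

Run as a script it prints the setup key and a current code; the RFC 6238 reference vectors (secret "12345678901234567890", eight digits) are reproduced, for example totp(secret, 59, digits=8) returns "94287082". Two server-side details that matter in practice are built in: a code is accepted only once, and because a six-digit code has only a million possible values the server must also rate-limit guesses. Neither defeats a real-time phishing page that relays the code you type, which is why the advice above is to never enter a code or approve a prompt for a login you did not start.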

What is UMB doing to strengthen our security?

UMB's computing environment requires a high level of security to ensure the privacy, integrity, and confidentiality of the data that resides in its systems. During the last 10 years, the UMID and password have served as the common credential for accessing systems and services at the university, and this common-credential strategy has greatly improved the user experience. However, the growth of cyber threats, and in particular phishing (attempts to convince individuals at UMB to reveal their credentials), has prompted the computing industry to address the weakness of relying on a single credential.

The approach devised is to use multiple verification methods rather than a single credential. The combined strength of these multiple factors of authentication creates a level of assurance that the person accessing the system is the appropriate individual. At UMB, we are transitioning to an MFA approach in which users confirm a login with a mobile device in addition to their UMID and password, which provides a significantly higher level of security and greatly reduces the risk from phishing and similar attacks.

As a means of strengthening information security and the protection of university data, UMB applications and services accessed with your UMID and password will require the use of Multi-Factor Authentication (MFA). MFA adds a second step (factor) to how you log in with your UMID and password. The University's MFA solution is called DUO.

To use DUO, you must set up one or more devices as your DUO second factor. The DUO Mobile app on your iPhone or Android phone is the preferred second factor, as it provides the easiest and overall best user experience. Other second-factor options can be found on the DUO website below.

For additional information on Multi-Factor Authentication and DUO, including details on how to set up DUO on your phone and other frequently asked questions, please visit:

http://www.umaryland.edu/cits/services/duo

 

May 3rd – World Password Day

 

World Password Day is a great excuse to recognize and break the habit of reusing passwords.  It is estimated that at least 59% of all people reuse the same password for all of their accounts from social networking sites to their most sensitive financial systems.

Security & Compliance gets reports almost weekly of credentials posted publicly that contain umaryland-related usernames and the passwords associated with those accounts on sites that have no relation to the University. If you are using the same password for your University account and those sites, you are putting University data at risk.

We are in the process of implementing multifactor authentication using DUO, which will help prevent University credentials from being used without also authenticating with a second factor such as your cell phone. Most popular Internet sites also offer multifactor authentication, but some people feel it is too cumbersome to use. I certainly advocate that you should use multifactor authentication wherever possible, from Facebook and Twitter to your personal banking accounts.

If you choose not to protect your personal sites with multifactor authentication, you must make sure that you are not reusing passwords between accounts. Password reuse is one of the main reasons hackers succeed in breaking into unrelated accounts: credentials posted on the Internet after data breaches at some of the Internet's most popular sites (Yahoo, Equifax, MyFitnessPal, and Dropbox, just to name a few) were replayed against unrelated accounts, a technique known as credential stuffing.

Many reports show why hackers are so successful in gaining access to accounts:

  • We keep using the same passwords again and again.
  • Most people have 99 things to worry about every day, and passwords are typically not one of them.
  • People treat work and personal accounts with the same indifference: 47% of users have the same password for their work and personal accounts.
  • Breaches no longer faze us: 53% of people have not changed their password even after the announcement of a data breach at a popular site.
  • My account was in that breach? Still not fazed: only 55% of people will change their password after finding out that their credentials were part of a data breach.
  • We think our Instagram and Facebook posts are for our friends only: 51% of people refuse to believe that their credentials could be compromised by information shared on social media.
  • We love a good old-fashioned spreadsheet: 42% keep passwords in a file on a mobile device, in Excel or Word.
  • Most people don't feel they are worth a hacker's time: only 38% believe their accounts are valuable enough to interest a hacker.
  • We're all a little lazy. Unless IT requires us to change our password, most people are happy to continue with the same one; 39% say if it's not required, they won't do it.

 

Maintaining unique, strong passwords for every account is a difficult task. However, for a small fee, and in some cases for free, there are password managers that will generate a strong password for every account you have. Most can also store personal details for those accounts and will auto-fill your username and password into websites for you. A manager takes the guesswork out of creating unique passwords, and if your credentials are stolen from one site it stops a hacker from using those same credentials anywhere else. It also makes it easy to change passwords when one of your accounts ends up in a data breach.

 

In addition to using multifactor authentication wherever possible, I strongly recommend that you investigate a password management program to manage all of your account information.

Password Managers

Overview

One of the most important steps you can take to protect yourself is to use a unique, strong password for each of your accounts and apps. Unfortunately, it is almost impossible to remember all of those different passwords. In addition, it is time consuming to constantly type in your passwords at different sites, generate new passwords, track the answers to all your security questions, and so on. However, there is a solution that will make your life both much simpler and far more secure: password managers.

 

How Password Managers Work

Password managers work by storing all of your passwords in a database, often called a vault. The password manager encrypts the vault's contents with a key derived from a master password that only you know. When you need a password, such as to log in to your online bank or email account, you type your master password into the password manager to unlock the vault. The password manager retrieves the correct password and fills it into the website for you, so you no longer have to remember your passwords or log in to your accounts by hand. Because a good manager fills a password only on the exact site it was saved for, it also quietly protects you from phishing pages that merely look like the real site.

 

In addition, most password managers can automatically synchronize across multiple devices, so when you update a password on your laptop the change is synchronized to all your other devices. Finally, most password managers detect when you are creating a new online account or updating the password for an existing account, and update the vault for you.

 

It is critical that the master password protecting the password manager is long and unique. In fact, we recommend you make it a passphrase: a long password made up of multiple words. If your password manager supports two-step verification, enable it for your vault as well. Finally, be sure you remember your master passphrase. If you forget it, you will not be able to access any of your other passwords; a manager that cannot recover your master passphrase for you is working as designed.

 

Choosing a Password Manager

There are many password managers to choose from. When trying to find the one that is best for you, keep the following in mind:

  1. Your password manager should be simple to use. If you find the solution too complex to understand, find a different one that better fits your style and expertise.
  2. The password manager should work on all devices on which you need to use passwords, and it should be easy to keep your passwords synchronized across all of them.
  3. Use only well-known and trusted password managers. Be wary of products that have not been around for a long time or that have little or no community feedback.
  4. Cybercriminals can create fake password managers to steal your information. Also be very suspicious of vendors who promote that they developed their own encryption solution.
  5. Avoid any password manager that claims to be able to recover your master password for you. That means they know your master password (or hold the key derived from it), which exposes you to too much risk.
  6. Whatever solution you choose, make sure the vendor continues to actively update and patch the password manager, and be especially sure you are always using the most recent version.
  7. The password manager should give you the option of storing other sensitive data, such as the answers to your secret security questions, credit card information, and frequent flier numbers.
  8. Consider writing your master passphrase down, sealing it in an envelope, and storing it in a locked cabinet, physical safe, or lockbox.
 
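To make the encrypted-vault mechanism described under "How Password Managers Work" concrete, and the point in the World Password Day article that a manager should generate a unique password per account, here is an added example in Python that is not the code of any password manager product. It derives keys from the master passphrase with PBKDF2-HMAC-SHA256, encrypts and authenticates the vault so that a wrong passphrase or a tampered file yields nothing rather than garbage, and generates per-site passwords from a cryptographic random source. Because the standard library has no AES or ChaCha20, the encryption step uses an HMAC-SHA256 counter-mode keystream with a separate HMAC tag; that substitution, the 600,000-iteration count (OWASP's current figure for PBKDF2-HMAC-SHA256), and the sample entries are all assumptions of this example.

```python
"""How a password manager's vault works: added example, not any product's code.

The master passphrase never leaves the device.  It is stretched with
PBKDF2-HMAC-SHA256 into keys that encrypt and authenticate the vault.  A vendor
that can "recover" your master passphrase must be holding the passphrase or
the derived key, which is why the guidance above says to avoid such products.

Assumption: the standard library has no AES or ChaCha20, so the vault is
encrypted with a counter-mode keystream generated by HMAC-SHA256 and
authenticated with a separate HMAC (encrypt-then-MAC).  A shipping product
uses AES-256-GCM or XChaCha20-Poly1305 for this step."""
import hashlib
import hmac
import json
import math
import os
import secrets
import string

KDF_ITERATIONS = 600_000  # assumed: OWASP's figure for PBKDF2-HMAC-SHA256


def derive_keys(master, salt, iterations=KDF_ITERATIONS):
    """Stretch the master passphrase, then split into encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    return (hmac.new(km, b"vault-enc", hashlib.sha256).digest(),
            hmac.new(km, b"vault-mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """HMAC(key, nonce || counter) blocks, concatenated and cut to `length`."""
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:length]


def seal_vault(master, entries, iterations=KDF_ITERATIONS):
    """Encrypt and authenticate the vault dict.  Fresh salt and nonce on every save."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt, iterations)
    plaintext = json.dumps(entries).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"iterations": iterations, "salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ct.hex(), "tag": tag.hex()}


def open_vault(master, blob):
    """Return the entries, or None if the passphrase is wrong or the file was
    tampered with.  The tag is checked before anything is decrypted."""
    salt, nonce, ct = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ciphertext"))
    enc_key, mac_key = derive_keys(master, salt, blob["iterations"])
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=PASSWORD_ALPHABET):
    """A random, unique password per site from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing resistance in bits: 20 characters from 94 symbols is about 131
    bits; six words from a 7776-word list (the EFF large wordlist) about 78."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample entries for the demo; not real credentials.
    entries = {"bank.example": {"user": "alice", "password": generate_password()},
               "mail.example": {"user": "alice", "password": generate_password()}}
    blob = seal_vault("correct horse battery staple", entries)
    print("vault as stored on disk:", blob["ciphertext"][:32], "...")
    print("unlocked with the right passphrase:", open_vault("correct horse battery staple", blob) == entries)
    print("unlocked with a wrong passphrase:", open_vault("Correct horse battery staple", blob))
```

Two design points are worth noticing. The authentication tag is verified before decryption, so a wrong master passphrase produces a clean failure and an attacker who edits the vault file cannot feed the manager altered data. And the only thing that makes the stored file hard to attack offline is the passphrase's length combined with the slow key derivation, which is why the master passphrase must be long and the vault should additionally be protected with two-step verification wherever the product offers it.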

Password managers are a great way to securely store all your passwords and other sensitive data, such as credit card numbers. However, make sure to use a unique, strong master passphrase and always use the latest version of whichever solution you choose.

Vishing – Phone Call Attacks and Spam

Overview

When you think of a cybercriminal you probably think of an evil mastermind sitting behind a computer, launching sophisticated attacks over the internet. While some of today’s cyber criminals do use advanced technologies, many simply use the phone to trick their victims. There are two big advantages to using a phone: Unlike other attacks, there are fewer security technologies that can detect and stop a phone call attack; also, it is much easier for criminals to convey emotion and build trust over the phone, which makes it easier to trick their victims. Let’s learn how to spot and stop these attacks.

 

How Do Phone Call Attacks Work?

First, understand that these criminals are usually after your money, information, or access to your computer (or all three). They do this by tricking you into doing something you should not do, a technique called “social engineering.” Cyber criminals often create situations that feel very urgent and realistic on the call.  Some of the most common examples include:

 

  • The caller pretends to be from the government and informs you that you have unpaid taxes. They explain that if you don't pay right away you will go to jail, then pressure you to pay with your credit card over the phone. This is a scam. The government sends official tax notifications by regular mail, not by a phone call demanding immediate payment.
  • The caller pretends to be from a company such as Amazon, Apple, or Microsoft Tech Support and explains that your computer is infected. Once they convince you of that, they pressure you into buying their software or giving them remote access to your computer.
  • An automated voicemail informs you that your bank account or credit card has been canceled and that you have to call a number back to reactivate it. When you call, an automated system asks you to confirm your identity and answer all sorts of private questions. This is not your bank; they are simply recording your information for identity fraud.

Protecting Yourself

  • Anytime anyone calls you and creates a tremendous sense of urgency or pressure, be extremely suspicious. They are attempting to rush you into making a mistake. Even if the phone call seems OK at first, if it starts to feel strange, you can stop and say "no" at any time.
  • Be especially wary of callers who insist that you purchase gift cards or prepaid debit cards; no legitimate organization takes payment that way.
  • Never trust Caller ID. Attackers routinely spoof the number so that it appears to come from a legitimate organization or shares your area code.
  • Never allow a caller to take temporary control of your computer or talk you into downloading software. This is how they infect your computer.
  • Unless you placed the call, never give the other party information they should already have. For example, if the bank called you, they should not be asking for your account number.
  • If you believe a phone call is an attack, simply hang up. If you want to confirm whether the call was legitimate, go to the organization's website (such as your bank's) and call its customer support number yourself, or use the number on the back of your card or on a statement. Never call back a number the caller gave you.
  • If a call comes from someone you do not personally know, let it go to voicemail so you can review unknown calls on your own time. On many phones you can make this the default with the "Do Not Disturb" feature or a "silence unknown callers" option.

 

Scams and attacks over the phone are on the rise. You are the best defense at detecting and stopping them.

 

Used with permission by SANS Security Awareness

 

The Importance of General Software Updates and Patches 

What do you do when you see those little icons and pop-up messages in the system tray telling you that a new software update is available to download and install? Many people find such notifications, and the process of installing updates, insignificant and disruptive, and ignore them for reasons such as ‘Do I really need to install this update?’, ‘My computer is working just fine, I don’t think this update is for me!’, or ‘I don’t have time to reboot my computer’. If you are accustomed to dismissing those update notifications, reconsider that practice. Applying software updates is one of the most important things you can do for your computer. Once a vulnerability becomes public, attackers actively scan for and exploit systems that have not installed the fix, so an unpatched computer is far more likely to end up infected with malware or taken over.

Your computer at UMB should already be on a regular patch cycle that installs updates automatically without you having to do anything. However, it is extremely important to remember to do this for your personal computer at home, which is not covered by that cycle.

What Are Software Updates, Anyway?

A software update, commonly called a ‘patch’ (or a ‘service pack’ when many patches are bundled together), is software released by a vendor, mainly to address security vulnerabilities in an existing product. Updates often also contain bug fixes and product enhancements. They are installed over the current installation and do not require you to uninstall or reinstall the program. In simple words, when a program needs updating, you do not need to do anything other than let the updater do its job.

A software update may contain:

  • Security Vulnerability Fixes: A large share of software and operating system (OS) updates exist to patch security vulnerabilities. A program with a security hole in it can allow very bad things to happen to the computer. Exploiting known, unpatched vulnerabilities to deliver malware is one of the most common methods cybercriminals use.
  • Bug Fixes and Product Enhancements: Although most software updates are developed mainly to close security holes, updates may also contain bug fixes and enhancements that improve a program’s performance. A ‘bug’ is an unintended mistake made by the programmer that causes the program to produce unexpected results or errors.

Why Are Software Updates So Important for Your Computer?

In order to get the best performance from your computer, and most importantly, to stay protected against cyber-attacks and malicious threats, it is very important that you not neglect any critical software updates. Using an unpatched/outdated computer is like living in a house with no locks on the doors, inviting unwanted intruders. When you ignore updates on your computer, you are choosing to leave your computer open to infection. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.

Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are worth the time and effort to complete. The good news is you don’t even need to manually download and install most updates for each piece of software. Operating systems and a majority of programs installed on your computer can do the job for you with very little or no intervention. All you need to do is simply grant your consent when asked, by just the click of a button.

How to Manage Software Updates Efficiently

The best way to manage software updates on your computer is to let the software do it for you. Your operating system and most other software, such as your antivirus program, can be configured to download and install updates automatically. However, not all software offers automatic updates, or has them turned on by default. Widely used programs such as Java and Adobe® Reader® have historically relied on the user to approve updates, and programs like these, along with web browsers and their plug-ins, are among the most frequently attacked once a vulnerability becomes known. Check each program’s settings and turn on automatic updating wherever it is offered.

When a program needs an update, an icon will usually appear in the bar near the clock, and you may have to click it to start the update. If you see such an icon, run the update as soon as you are able.

Software updates are not limited to computers. They are also released for mobile devices such as your smartphone, and for other connected devices such as routers, smart TVs, and printers; for those devices they are often called ‘firmware updates’. On smartphones, you will also receive updates for the apps installed on your phone, just as you receive program updates on your computer. The bottom line: do not restrict yourself to updating just your computer. When you see updates for your other devices, install them as well for better performance and stronger security.

Securely Using Mobile Apps 

 

Overview

Mobile devices, such as tablets, smartphones, and smartwatches, have become one of the primary technologies we use in both our personal and professional lives. What makes these devices so powerful are the thousands of apps we can choose from. These apps enable us to be more productive, communicate and share with others, train and educate, or just have more fun. Here are steps you can take to securely use and make the most of today’s mobile apps.

 

Obtaining Safe Mobile Apps

Cyber criminals have mastered their skills at creating and distributing malicious apps that appear to be legitimate. If you install one of these apps, criminals can often take complete control of your mobile device or data. This is why you want to ensure you only download safe mobile apps from trusted sources. What you may not realize is that the brand of mobile device you use determines your options for downloading apps.

For Apple devices, only download mobile apps from the Apple App Store. The advantage here is that Apple does a security check of all mobile apps before they are made available to customers. While Apple cannot catch all malicious apps, this managed environment dramatically reduces the risk of downloading one. In addition, if Apple does find an app that it believes is malicious, it will quickly remove it.

For Android devices, only download mobile apps from Google Play, which is maintained by Google. Similar to Apple, Google does a security check of all apps before they are made available to customers. The difference with Android devices is that you can also enable options that allow you to install mobile apps from other sources. We highly recommend against this, since anyone, including cyber criminals, can easily create and distribute malicious mobile apps and trick you into infecting your device.

Regardless of which brand you are using, research an app before downloading it. Look at how long the mobile app has been available, how many people have used it, and who the vendor is. The longer an app has been publicly available, the more people that have used it and left positive comments, and the more often the vendor updates it, the more likely the app can be trusted. In addition, install only apps you need and use. Ask yourself, “Do I really need this app?” Not only does each app potentially bring new vulnerabilities but also new privacy issues. If you stop using an app or no longer find it useful, remove it from your mobile device (you can always add it back later if you find you truly need it).

 

Apps Privacy and Permissions

Once installed, make sure the app is protecting your privacy. Does that app really need access to your location, microphone, or contacts? When you enable permissions, you may be allowing the creator of that app to track you, even allowing them to share or sell your information to others. If you do not wish to grant these permissions, simply deny the permission request, grant the app the permission only when it’s actively being used, or shop around for another app that meets your requirements. Remember, you have lots of choices out there.

 

 

 

Updating Apps

Mobile apps, just like your computer and mobile device operating system, must be updated. Criminals are constantly searching for and finding new weaknesses in apps and developing ways to exploit these weaknesses. The app’s developers create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. Most devices allow you to configure your system to automatically update mobile apps. We highly recommend enabling this setting. Mobile apps are key to making the most of your devices. Just be careful of the ones you select and make sure you use them safely and securely.

 

Used with permission by SANS Security Awareness  

 

 

Securely Gaming Online 

What makes online gaming so fun is that you can play and interact with others from anywhere in the world, often with people you do not even know. While the vast majority of people online are out to have fun just like you, there are those who want to cause harm.

Securing Yourself

The greatest risk to online gaming is not the technology itself but the interactions you have with strangers.

  • Be cautious of any messages that ask you to take an action, such as clicking on a link or downloading a file. Attackers will use in-game messaging or phishing emails in an attempt to fool you into taking actions that can infect your computer, steal your identity, or your gaming accounts. If a message seems odd, urgent, or too good to be true, be suspicious that it may be an attack.
  • Many online games have their own financial markets where you can trade, barter, or buy virtual goods. Just like in the real world, there are fraudsters who will attempt to trick you and steal your money or any virtual currency you have. Deal only with people that have established, trusted reputations.
  • Use a strong, unique passphrase for any gaming accounts. This way attackers cannot simply guess your passwords and take over your accounts. If your game/platform offers two-step verification, use it. Can’t remember all your passwords? Use a password manager.

Securing Your System

Attackers may attempt to hack into or take over the computer or device you are gaming on, so you need to take steps to protect it.

  • Secure your devices by always running the latest version of the operating system and the gaming software or mobile app. Outdated software has known vulnerabilities that attackers can exploit and use to hack into your device. Enable automatic updating when possible. By keeping your devices and gaming applications updated, you eliminate most of those known vulnerabilities.
  • Download gaming software and game add-on packs from trusted websites only. Attackers will often create fake or infected versions, then distribute them from their own servers. In addition, if any game or add-on requires you to disable any security tools or settings, do not use it.
  • Underground markets have sprung up to support cheating activity. Besides being unethical, many cheating programs are themselves malware that will infect your device. Never install or use any type of cheating software or websites.
  • Check the website of whatever online gaming software you are using. Many gaming sites have a section on how to secure yourself and your system.

For Parents or Guardians

Education and an open dialogue with your kids is the most effective step you can take to protect children. One approach is to ask them to show you how their games work, have them show you what a typical game looks like. Perhaps even play the game with them. In addition, have them describe the different people they meet online. Quite often online gaming can be a big part of your child’s social life. By talking to them (and them talking to you) you can spot a problem and protect them far more effectively than any technology. Some additional steps include:

  • Know what games they are playing and make sure you feel the games are age appropriate for your child.
  • Limit the amount of information your kids share online. For example, they should never share their password, age, phone number or home address.
  • Consider having their gaming device in an open area where you can keep an eye on them. In addition, younger children should not game in their rooms or late at night.
  • Bullying, foul language, or other antisocial behaviors can be a problem. Keep an eye on your kids; if they seem upset after playing a game, they may have been bullied online. If they are bullied online, report it to the game site and have them play online games with trusted friends only.
  • Learn if your child’s games support in-app purchases and what sorts of parental overrides they provide.

 

Used with permission by SANS Security Awareness  

Tips for Your Social Media Accounts 

Social media sites, such as Snapchat, Facebook, Twitter, Instagram, and LinkedIn, are amazing resources, allowing you to meet, interact, and share with people around the world. However, with all this power come risks, not just for you, but for your family, friends, and employer. In this newsletter, we cover the key steps to making the most of social media securely and safely.

Posting

Be careful and think before posting. Anything you post will most likely become public at some point, impacting your reputation and future, including where you can go to school or the jobs you can get. If you don’t want your family or boss to see it, you probably shouldn’t post it. Also, be aware of what others are posting about you. You may have to ask others to remove what they share about you.

 

Privacy

Almost all social media sites have strong privacy options. Enable them when possible. For example, does the site really need to be able to track your location? In addition, privacy options can be confusing and change often. Make it a habit to check and confirm they are working as you expect them to.

 

Passphrase

Secure your social media account with a long, unique passphrase. A passphrase is a password made up of multiple words, making it easy for you to type and remember, but hard for cyber attackers to guess.

 

Lock Down Your Account

Even better, enable two-factor authentication on all of your accounts. This requires a one-time code in addition to your password when you log in, so a stolen password alone is not enough to get in. It is very simple to set up and is one of the most powerful ways to secure your account.

 

Scams

Just like in email, bad guys will attempt to trick or fool you using social media messages. For example, they may try to trick you out of your password or credit card. Be careful what you click on: If a friend sends you what appears to be an odd message or one that does not sound like them, it could be a cyber-attacker pretending to be your friend.

 

Terms of Services

Know the site’s terms of service. Anything you post or upload might become the property of the site.

 

Work

If you want to post anything about work, check with your supervisor first to make sure it is okay to publicly share.

 

Follow these tips to enjoy a much safer online experience. To learn more on how to use social media sites safely, or report unauthorized activity, check your social media site’s security page.

The Dark Web 

Overview

You may have heard the term “Dark Web” used by others or in the media and wondered “what is the Dark Web?” or “should I be doing anything about it?” Today we explain what the Dark Web is and what it means to you.

What Is It?

The Dark Web consists of systems on the Internet designed for communicating or sharing information securely and anonymously. There is no single “Dark Web”; it is not something like Facebook that is run by a single organization. Instead, the Dark Web is a collection of different systems and networks managed by different people and used for a variety of purposes. These systems are still connected to and are part of the Internet; however, you will generally not find them using your normal search engines, and you usually need special software on your computer to find or access them. One example is the Tor network. To access it, you download and install the Tor Browser. When you connect to a website using the Tor Browser, your encrypted traffic is relayed through several other computers that are part of the Tor network. At each hop the apparent source address changes, so by the time your traffic reaches the website, the site cannot tell where it originally came from. Other examples of Dark Web networks include ZeroNet, Freenet, and I2P.

Who Uses It?

Cyber criminals are big users of the Dark Web. They maintain websites and forums on the Dark Web to enable their criminal activities, such as selling drugs or gigabytes of hacked data, all anonymously and securely. For example, when a cyber criminal hacks a bank or an online shopping store, they steal as much information as they can, then sell that information to other cyber criminals on Dark Web sites.

There are also legitimate uses of the Dark Web. For example, people in countries where censorship is rampant can use Dark Web networks to share information and see what else is happening in the world while protecting their privacy and remaining anonymous. Journalists, whistleblowers, and privacy-minded people can use the Dark Web to increase their anonymity and bypass censorship. In addition, individuals like these can use technologies like the Tor Browser not only to access the Dark Web, but anonymously browse the regular Internet.

What Should I Do?

Unless you have a specific reason to access the Dark Web, we caution you against it. Some Dark Web sites are used for illegal purposes; some of these networks, such as Freenet and I2P, use your computer as a peer to relay or store other users’ content; and in some cases your computer may even be probed or attacked. Some companies offer monitoring services to let you know if your name or other information has been stolen by cyber criminals and found on the Dark Web. The practical value of these services is limited: by the time they tell you, the data is already in criminal hands. The best way to protect yourself is to assume some of your information is already on the Dark Web being used by cyber criminals. As a result:

  • Be suspicious of any phone calls or emails pretending to be an official organization and pressuring you into taking an action, such as paying a fine. Criminals may even use information they found about you to create a personalized attack.
  • Monitor your credit card and bank statements; perhaps even set up daily alerts on any transactions that happen. This way you can detect if any financial fraud is happening. If you do detect it, report it to your credit card company or bank right away.
  • Put a freeze on your credit reports with the credit bureaus. A freeze blocks new accounts from being opened in your name, does not affect how you use your existing credit cards, and is one of the most effective steps you can take to protect yourself from identity theft.

 

Creating a Cyber Secure Home 

 

Overview

In the past, building a home network was nothing more than installing a wireless router and several computers. Today, as so many of us are working, connecting, or learning from home, we have to pay more attention to creating a strong cyber secure home. Here are four simple steps to do just that.

 

Your Wireless Network

Almost every home network starts with a wireless (or Wi-Fi) network. This is what enables your devices to connect to the Internet. Most home wireless networks are controlled by your Internet router or a separate, dedicated wireless access point. They both work the same way: by broadcasting wireless signals which allow the devices in your house to connect to the Internet. This means securing your wireless network is a key part of protecting your home. We recommend the following steps to secure it.

 

  • Change the default administrator password on your Internet router or wireless access point, whichever controls your wireless network. The administrator account is what allows you to configure the settings for your wireless network, so anyone who knows the default password can reconfigure it.
  • Ensure that only devices you trust can connect to your wireless network by enabling strong security: WPA2 or, if your equipment supports it, WPA3. This requires a password to connect to your home network and encrypts your traffic once connected. Do not use the older WEP or original WPA settings, which are easily broken.
  • Ensure the password used to connect to your wireless network is strong and different from the administrator password. Remember, your devices store the password, so you only need to enter it once per device. If you’re not sure how to do these steps, check your Internet Service Provider’s website or the website of the vendor for your router or wireless access point.

 

Passwords

Use a strong, unique password for each of your devices and online accounts. The key words here are strong and unique. The longer your password the stronger it is. Try using a series of words that are easy to remember, such as sunshine-doughnuts-happy.

 

A unique password means using a different password for each device and online account. To remember all those strong passwords, use a password manager, a security program that stores all your passwords in an encrypted virtual safe. Additionally, enable two-step verification whenever it is available, especially for your online accounts. It still uses your password but adds a second authentication step, such as a code sent to your smartphone or generated by an app on your smartphone. This is probably the most important step you can take, and it is much easier than you think.

 

Your Devices

The next step is knowing what devices are connected to your wireless home network and making sure all of those devices are trusted and secure. This used to be simple when you had just a computer. However, today almost anything can connect to your home network, including your smartphones, TVs, gaming consoles, baby monitors, printers, speakers, or perhaps even your car. Once you have identified all the devices on your home network, ensure that each of them is secure. The best way to do this is to change any default passwords on them and enable automatic updating wherever possible.
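Knowing what is on your network is easier to keep up if it is a repeatable check rather than a one-time look. The script below is an added example (not from this newsletter) of that step: it reads the DHCP lease table most home routers expose (here in the dnsmasq lease-file format used by OpenWrt and many consumer routers), normalizes each device’s hardware (MAC) address, compares it against a hand-maintained list of trusted devices, and reports anything unexpected with a vendor hint. The lease lines, the trusted list and the tiny vendor-prefix table are constructed for the example; a real check would look prefixes up in the full IEEE OUI registry.

```python
"""Flag unknown devices on a home network from a DHCP lease table.
Added example, not code from the newsletter; all sample data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Trusted devices you maintain by hand, keyed by MAC address (constructed data).
TRUSTED: Dict[str, str] = {
    "a0:b1:c2:01:02:03": "work laptop",
    "a0:b1:c2:04:05:06": "phone",
    "d4:e5:f6:07:08:09": "printer",
}

# Illustrative vendor prefixes (first three bytes of the MAC). The two Raspberry Pi
# prefixes are real registry entries; a full check would use the IEEE OUI registry.
OUI_HINTS = {"b8:27:eb": "Raspberry Pi", "dc:a6:32": "Raspberry Pi"}

# Constructed dnsmasq.leases content: "expiry mac ip hostname client-id" per line.
SAMPLE_LEASES = """\
1700000000 a0:b1:c2:01:02:03 192.168.1.10 work-laptop 01:a0:b1:c2:01:02:03
1700000300 A0:B1:C2:04:05:06 192.168.1.11 phone *
1700000600 d4:e5:f6:07:08:09 192.168.1.12 * 01:d4:e5:f6:07:08:09
1700000900 B8:27:EB:77:88:99 192.168.1.40 * *
1700001200 00:11:22:33:44:55 192.168.1.41 espressif-device *
"""


@dataclass
class Lease:
    expires: datetime
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so 'B8-27-EB-..' and 'b8:27:eb:..' compare equal."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq lease lines; malformed lines are skipped, never silently trusted."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            expires = datetime.fromtimestamp(int(parts[0]), tz=timezone.utc)
            mac = normalize_mac(parts[1])
        except ValueError:
            continue
        hostname = parts[3] if parts[3] != "*" else "(no hostname)"
        leases.append(Lease(expires, mac, parts[2], hostname))
    return leases


def vendor_hint(mac: str) -> str:
    """Best-effort maker from the OUI prefix; 'unknown vendor' when not in the table."""
    return OUI_HINTS.get(mac[:8], "unknown vendor")


def unknown_devices(leases: List[Lease], trusted: Dict[str, str]) -> List[Lease]:
    """Every lease whose MAC is not in the trusted inventory."""
    known = {normalize_mac(m) for m in trusted}
    return [lease for lease in leases if lease.mac not in known]


def report(text: str, trusted: Dict[str, str] = TRUSTED) -> List[str]:
    """One human-readable line per unknown device, ready to print or alert on."""
    return [
        f"UNKNOWN {lease.mac} {lease.ip:15} {lease.hostname:20} {vendor_hint(lease.mac)}"
        for lease in unknown_devices(parse_leases(text), trusted)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LEASES):
        print(line)
```

A device showing up as unknown is not automatically hostile (a visitor’s phone is the usual explanation), but it is the cue to identify it, and, if it is yours, to change its default password and turn on automatic updates before adding it to the trusted list. Note that MAC addresses can be changed, so this is an inventory aid, not an access control.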

 

Backups

Sometimes, no matter how careful you are, you may be hacked. If that happens, often the only way to recover your personal information is to restore from a backup. Make sure you are doing regular backups of any important information and verify that you can restore from them. Most mobile devices support automatic backups to the cloud. Most computer operating systems include a built-in backup tool, and cloud backup services are relatively low-priced and simple to use. Whichever you use, test it by actually restoring a file; a backup you have never restored from is an untested assumption.

 

Used with permission by SANS Security Awareness

Securing Your Mobile Devices 

 

Overview

Mobile devices are an amazing and easy way to communicate with friends, shop or bank online, watch movies, play games, and perform a myriad of other activities. Since these devices are such an important part of your life, it is essential to keep you and your devices safe and secure.

 

Securing Your Devices

It may surprise you to know that the biggest risk to your mobile device is most likely not cyber criminals but you. You are far more likely to lose or forget a mobile device than have someone hack into it. The number one thing you should do to protect your device is enable automatic screen locking when the device is idle. This means that to use your device, you have to unlock the screen with a strong passcode, your face, or your fingerprint. This helps ensure that it is much harder for anyone else to access your information if your device is lost or stolen. As a bonus, for most mobile devices, enabling the screen lock also enables encryption, helping protect the data stored on the device.

 

Here are several more tips to help protect your devices:

 

  1. Updating: Enable automatic updating on your devices, so they are always running the latest version of the operating system and apps. Attackers are always looking for new weaknesses in software, and vendors are constantly releasing updates and patches to fix them. Keeping your devices up to date makes them much harder to hack. When choosing a new Android device, look at the vendor’s commitment to keeping the device updated. Apple iOS devices are updated by the company itself, while Android mobile devices are updated by the vendor that sold you the device, and not all vendors actively update their devices. If you are using an old device that is no longer supported or cannot be updated, consider purchasing a new device that is fully supported.
  2. Tracking: Install or enable trusted software to remotely track your mobile device over the Internet. This way, you can connect to it over the Internet and find its location if your device is lost or stolen or remotely wipe all of your information in a worst-case situation.
  3. Trusted Mobile Apps: Only install apps you need and stick to trusted sources. For Apple iOS devices such as iPads or iPhones, that means Apple’s App Store. For Android devices, use Google Play; for Amazon tablets, utilize the Amazon App Store. While you may be able to install apps from other sites, these are not vetted and are far more likely to be infected or outright malicious, either of which could compromise your privacy. Also, check to make sure the app has lots of positive reviews and is actively updated by the vendor before downloading it. Stay away from brand new apps, apps with few reviews, or apps which are rarely updated.
  4. Privacy Options: Mobile devices collect extensive information about you, especially since you take them everywhere you go. Thoroughly review your device’s privacy settings, including location tracking, and make sure sensitive notifications (such as verification codes) don’t appear on-screen when the device is locked.
  5. Work: Be sure any mobile device you use for work is authorized for work use. When at work, be extra careful and never take any pictures or video that may accidentally include sensitive information, such as pictures of whiteboards or computer screens. Your mobile devices are a powerful tool –one that we want you to enjoy and use. Just following these few simple steps can go a long way to keeping you and your devices secure.

 

Used with permission by SANS Security Awareness   

 

Phishing Attacks Are Getting Trickier 

Phishing attacks have become the most common method cyber attackers use to target people at work and at home. Phishing attacks have traditionally been emails sent by cyber attackers to trick you into doing something you should not do, such as opening an infected email attachment, clicking on a malicious link, or sharing your password. While traditional phishing attacks continue today, many cyber attackers are creating advanced phishing emails that are more customized and harder to detect. They are also using technologies such as text messaging, social media, or even telephone calls to engage and fool you. Here are their latest tricks and how you can spot them.

Cyber Attackers Are Doing Their Research

Phishing emails used to be easier to detect because they were generic messages sent out to millions of random people. Cyber attackers had no idea who would fall victim; they just knew the more emails they sent, the more people they could trick. We could often detect these simpler attacks by looking for odd emails that began with “Dear Customer,” contained misspellings, or made offers that were too good to be true, such as Nigerian princes offering you millions of dollars.

Today’s cyber attackers are far more sophisticated. They now research their intended victims to create a more customized attack. Instead of sending out a phishing email to five million people, or appearing to be generic emails sent by corporations, they may send it to just five people and tailor the attack to appear to be sent from someone we know. Cyber attackers do this by:

  • researching our LinkedIn profiles, what we post on social media, or by using information that is publicly available or found on the Dark Web.
  • crafting messages that appear to come from management, coworkers, or vendors you know and work with.
  • learning what your hobbies are and sending a message to you pretending to be someone who shares a mutual interest.
  • determining you have been to a recent conference or just returned from a trip and then crafting an email referencing your travels.

Cyber attackers are actively using other methods to send the same messages, such as texting you or even calling you directly by phone.

How to Detect These More Advanced Phishing Attacks

Because cyber attackers are taking their time and researching their intended victims, it can be more difficult to spot these attacks. The good news is you can still spot them if you know what you are looking for. Ask yourself the following questions before taking action on a suspicious message:

  1. Does the message create a heightened sense of urgency? Are you being pressured to bypass your organization’s security policies? Are you being rushed into making a mistake? The greater the pressure or sense of urgency, the more likely this is an attack.
  2. Does the email or message make sense? Would the CEO of your company urgently text you asking for help? Does your supervisor really need you to rush out and buy gift cards? Why would your bank or credit card company be asking for personal information they should already have about you? If the message seems odd or out of place, it may be an attack.
  3. Are you receiving a work-related email from a trusted coworker or perhaps your supervisor, but the email is using a personal email address such as @gmail.com?
  4. Did you receive an email or message from someone you know, but the wording, tone of voice or signature in the message is wrong and unusual?

If a message seems odd or suspicious, it may be an attack. If you want to confirm if an email or message is legitimate, one option is to call the individual or organization sending you the message with a trusted phone number.
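The four questions above can also be turned into a simple triage check. The following is an added example, not part of the SANS newsletter, that scores messages against them: a known coworker’s name on a message from a different or free-mail address (question 3), a Reply-To that quietly redirects your answer elsewhere, urgency and “keep this between us” wording (question 1), and requests for gift cards or for information the sender should already have (question 2). The list of known senders, the phrase lists and the three sample messages are all constructed for the example; real mail filtering weighs many more signals, and a score like this is a prompt to verify out of band, not a verdict.

```python
"""Score messages against the four 'ask yourself' questions from the text.
Added example, not code from the newsletter; all data below is constructed."""
import re
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Assumed organisation data: display name (lower-case) -> the address you know them by.
KNOWN_SENDERS = {
    "dana reyes": "dana.reyes@example.edu",
    "it service desk": "helpdesk@example.edu",
}

# Phrase lists mapped to the questions in the text.
URGENCY_PHRASES = ("urgent", "immediately", "right away", "asap", "within 24 hours")
BYPASS_PHRASES = ("keep this between us", "do not tell", "don't tell", "skip the usual")
PAYMENT_PHRASES = ("gift card", "itunes card", "prepaid card", "wire transfer")
INFO_PHRASES = ("confirm your password", "verify your account",
                "social security number", "account number")

CHECKS = (
    (URGENCY_PHRASES, "creates urgency (Q1)"),
    (BYPASS_PHRASES, "asks you to bypass the normal process (Q1)"),
    (PAYMENT_PHRASES, "asks for gift cards or untraceable payment (Q2)"),
    (INFO_PHRASES, "asks for information the sender should already have (Q2)"),
)


def score_message(msg: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one message; each triggered check adds one point."""
    reasons = []
    display_name, sender = parseaddr(msg["from"])
    sender = sender.lower()

    # Q3: a name you know, but not the address you know it by (e.g. a free-mail account).
    expected = KNOWN_SENDERS.get(display_name.strip().lower())
    if expected and sender != expected:
        reasons.append(f"'{display_name}' is known as {expected}, not {sender} (Q3)")

    # Replies silently redirected to a different mailbox than the visible sender.
    _, reply_to = parseaddr(msg.get("reply_to", ""))
    if reply_to and reply_to.lower() != sender:
        reasons.append(f"Reply-To {reply_to.lower()} differs from sender")

    # Q1/Q2: wording checks over subject and body, whitespace-normalised.
    text = re.sub(r"\s+", " ", f"{msg['subject']} {msg['body']}".lower())
    for phrases, label in CHECKS:
        hits = [p for p in phrases if p in text]
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")
    return len(reasons), reasons


def triage(messages: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """IDs of messages to verify with the sender by phone before acting on them."""
    return [m["id"] for m in messages if score_message(m)[0] >= threshold]


# Constructed sample messages: a CEO-fraud style request, a normal work email, a fake bank alert.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Dana Reyes <dana.reyes.office@gmail.com>", "subject": "Urgent request",
     "body": "Are you at your desk? I need you to pick up some gift cards right away for a client. "
             "Keep this between us until I'm out of my meeting."},
    {"id": "m2", "from": "Dana Reyes <dana.reyes@example.edu>", "subject": "Agenda for Thursday",
     "body": "Attached is the agenda for Thursday's planning meeting. "
             "Let me know if you want anything added."},
    {"id": "m3", "from": "Account Security <alerts@secure-bank-notice.example>",
     "reply_to": "verify@secure-bank-notice.example", "subject": "Card suspended",
     "body": "Your card has been suspended. Confirm your password and account number "
             "within 24 hours to restore access."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, reasons = score_message(m)
        print(m["id"], score, reasons)
    print("verify first:", triage(SAMPLE_MESSAGES))
```

The point of keeping the reasons alongside the score is that they tell you which question the message failed, which is exactly what you would say to the sender when you call them on a known number to confirm.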

You are by far the best defense. Use common sense.

Used with permission by SANS Security Awareness   

VPN 

Overview

You may find yourself needing to use public Wi-Fi for Internet access when you are away from home, such as when you are at your local restaurant or coffee shop, or when you are traveling at a hotel or airport. But how secure are these public networks and who is watching or recording what you are doing online? Perhaps you do not even trust your ISP (Internet Service Provider) at home and want to be sure they can’t monitor what you do online. Protect your online activities and privacy with something called a VPN (Virtual Private Network). A VPN is a technology that creates a private, encrypted tunnel for your online activity making it much more difficult for anyone to watch or monitor what you are doing online. In addition, a VPN helps hide your location, making it much harder for websites you visit to determine where you are located.

How Does It Work?

A VPN works by creating a private, encrypted tunnel to a VPN provider that you select. All your online activity goes through this tunnel, then leaves your VPN provider’s network to your intended destination. For example, if you’re based in Tampa, Florida and you connect to a VPN server in Munich, Germany, any website you connect to will think you are connecting from Munich, Germany. A VPN is simple to use. The first step is finding a VPN provider you trust and then creating an account with them (this usually requires purchasing their service). Once you have an account, you download, install, and configure their VPN software. Once installed and configured, you connect to the Internet as you always do. The VPN software will silently create your encrypted tunnel and start protecting your privacy without you even realizing it.

Selecting a VPN Provider

Your online activities are only as secure and private as your VPN provider. Be sure to select one that you can trust. Here are key points when selecting a VPN service provider:

  • Logging: Look for a service which does not keep any logs and focuses on privacy. If your VPN service provider does not collect any logs, it is much harder for anyone to go back and see what you have done online.
  • Where the Company is Based: Different VPN providers are based in different countries. Be sure you select a VPN provider that is based in a country that has strong privacy laws. VPN providers located in countries that have very few or weak privacy laws may be forced to give up information they collect on you.
  • Servers: Look for a VPN service that has the servers located in the countries or cities you need. Some VPN providers have thousands of servers and locations across the globe. Do you have a need to make your connections appear like they are coming from a specific country? Can the VPN provider provide that?
  • Compatibility: Look for services that work across different computers and mobile devices. For example, you may use a Windows laptop, a tablet, and an iPhone. You’ll want a VPN service that will work on all those devices.
  • Avoid Free: Be very cautious of “free” VPN services; how are they making money and staying in business? Free services may collect and sell your information.

A VPN is a fantastic way to help protect your online privacy. However, a VPN does nothing to secure your computer, devices, or online accounts. Even if you are using a VPN, be sure you always follow basic security steps, including ensuring your devices are updated, using a screen lock, and using strong, unique passwords for all your accounts.

Ransomware 

What is Ransomware?

Ransomware is a type of malicious software (malware) that is designed to hold your files or computer hostage, demanding payment for you to regain access. Ransomware has become very common because it is so profitable for criminals.

Like most malware, ransomware starts by infecting your computer, most often when you open an infected attachment or click on a malicious link in a phishing email. Once ransomware infects your computer, it encrypts files on your hard drive (possibly even your entire hard drive) or on anything else connected to your computer, so you can no longer access your files. It then informs you that the only way you can recover your files is to pay the cybercriminal a ransom (thus the name ransomware). Sometimes, the criminals also threaten to release your files publicly if you don’t pay the ransom. The criminals may demand payment in the form of untraceable digital currency, such as Bitcoin. If you pay the ransom, the criminals might give you access to your files, but there are no guarantees. Sometimes they will even take your money and still leave your computer infected without you knowing it, or keep asking for more money.

Protect Against the Infection

You can protect your computer against a ransomware infection the same way you protect it against other forms of malware. Here are three key steps:

  • Update Your Systems and Software: Cyber criminals often infect computers or devices by taking advantage of unfixed bugs (known as vulnerabilities) in your software. The more current your software is, the fewer known vulnerabilities it has, and the harder it is for cyber criminals to infect your systems. Therefore, make sure your operating systems, applications, and devices have automatic updating enabled.
  • Enable Anti-Virus: Use up-to-date anti-virus software from a trusted vendor. Such tools are designed to detect and stop malware. However, anti-virus cannot block or remove all malicious programs, and usually it cannot recover your files after a ransomware infection. Cyber criminals are constantly innovating, developing new and more sophisticated infection tactics that can evade detection. In turn, anti-virus vendors are constantly updating their products with new capabilities to detect malware. In many ways it has become an arms race, with both sides attempting to outwit the other.
  • Be Vigilant: Cyber criminals often trick people into installing ransomware and other forms of malicious software through phishing email attacks. For example, a cybercriminal might send you an email that looks legitimate and contains an attachment or a link. Perhaps the email appears to come from your bank or a friend. However, if you open the attached file or click the link, you could activate malicious code that infects your computer. If a message creates a strong sense of urgency or seems too good to be true, it could be an attack. Be vigilant: cyber attackers play on your emotions. Common sense is often your best defense.

Back Up Your Files Before the Infection

Since it’s impractical to assume that you’ll always be able to prevent an infection, your best defense against ransomware is backups. If you have a backup of your important documents and other files, you have the option of recovering from backup instead of paying the ransom. It’s important that you use some type of automated backup that regularly backs up all your files and that you test your restore procedures to make sure you can recover them if the need arises. There are numerous simple Cloud and local backup solutions that you can install on your computer that will securely and regularly back up all your files for you.

OUCH! Is published by SANS Security Awareness and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it.

Securely Using the Cloud 

Overview

You may have heard of a concept called “the cloud.” This means using a service provider on the internet to store and manage your data. Examples include creating documents on Google Docs, accessing email in Microsoft O365, sharing files via Dropbox, or storing your pictures on Apple’s iCloud. While you access and synchronize your data from multiple devices anywhere in the world and share your information with anyone you want, you often do not know and cannot control where your data is physically stored.

Selecting a Cloud Provider

Cloud services are neither good nor evil. They are tools for getting things done. However, when you use these services, you are essentially handing over your private data to strangers, expecting them to keep it both secure and available. As such, you want to be sure you are choosing your service provider wisely. For work-related information, check with your supervisor to see if you are allowed to use cloud services and which ones are authorized. If you are considering using cloud services for personal use, consider the following:

  1. Trust: Can you trust the cloud provider? Is this a well-known, public company that millions of people are already using, or is this a small, unknown company based out of a country you never heard of?
  2. Support: How easy is it to get help or have a question answered? Is there a phone number you can call or email address you can contact? Are there other options for support, such as public forums or Frequently Asked Questions on their website?
  3. Simplicity: How easy is it to use the service? The more complex the service is, the more likely you will make mistakes and accidentally expose or lose your information. Use a cloud provider you find easy to understand, configure, and use.
  4. Security: How will your data get from your computer to the cloud service? Is the connection secured by encryption? How is your data stored? Is it encrypted, and if so, who can decrypt your data? As you migrate your data, remember security is a shared responsibility between you and the vendor.
  5. Terms of Service: Take a moment to review the Terms of Service (they are often surprisingly easy to read). Under which country’s laws does the service provider operate? Pay particular attention to rights that you cede to your service provider.

Securing Your Data

The next step is to make sure you use your cloud services properly. How you access and share your data can often have a far greater impact on the security of your data than anything else. Some key steps you can take include:

1. Authentication: Use a strong, unique password to protect your cloud account. If your cloud provider offers two-step verification, we highly recommend that you enable it.

2. Sharing Files / Folders: Cloud providers make it very simple to share data - sometimes too simple. It can be very easy to accidentally share your information publicly. Protect yourself by only allowing specific people (or groups of people) access to specific files or folders. When someone no longer needs access, remove them. Your cloud provider should provide an easy way to track who has access to your files and folders.

3. Settings: Understand the security settings offered by your cloud provider. For example, if you share pictures, files, or a folder with someone else, can they share your data with others without your knowledge?

4. Renew: Do not forget to renew your subscription or you could lose access to your data.

Used with permission by SANS Security Awareness   

Stop Spear Phishers 

The Center for Information Technology Services (CITS) has received reports of email messages sent to University of Maryland account holders that look very official and are created to get the account holder to give up personal information. The messages warn of a variety of account problems.

Suspicious Email Messages

  • Compromised accounts are being restricted
  • Account deletion is being conducted in preparation for a system upgrade
  • Unused accounts are being deleted
  • Mailbox storage limit has been reached
  • Accounts are being migrated to a new system
  • A maintenance process to fight spam is being conducted

These emails, themselves a type of spam, request that you visit a link to verify your account or reply to the message with your directory ID, password, as well as full name and contact information.

DO NOT DO THIS!

These emails are an attempt (called “phishing”) by someone to gain access to personal information, which they should not have. The “From:” address is forged (or “spoofed”), and may or may not be an actual email address, but is not where the email actually originated. Targeted versions of phishing have been termed “spear phishing.”

What to Do If You Receive a Phishing Message

First, do not respond to the phishing message for any reason, including trying to scold or taunt the sender.

Second, send the message to spam@umaryland.edu as an attachment. With the entire phishing email in its original format, the administrators can get the information needed to adjust the IronPort filters to block future phishing messages from this sender.

INSTRUCTIONS

What to Do If You Have Responded to a Phishing Message

If you responded to a phishing message with your password, please email or call the IT Help Desk and change your password immediately.

If you still have a copy of the original phishing message, send the message to spam@umaryland.edu as an attachment. With the entire phishing email in its original format, the administrators can get the information needed to adjust the IronPort filters to block future phishing messages from this sender.

Chris Phillips

Got Backups? 

Overview

If you use a computer or mobile device long enough, something will eventually go wrong. You may accidentally delete the wrong files, have a hardware failure, or lose a device. Even worse, malware, such as ransomware, may wipe your files and/or hold them captive. At times like these, backups are often the only way you can rebuild your digital life.

What, When, and How

Backups are copies of your information stored somewhere other than on your computer or mobile device. When you lose valuable data, you can recover your data from backups. The first step is deciding what you want to back up: specific data that is important to you or everything, including your entire operating system. Many backup solutions are configured by default to use the first approach. They back up the most commonly used folders. If you are not sure what to back up or want to be extra careful, back up everything.

Second, decide how frequently to back up. Built-in backup programs, such as Apple’s Time Machine or Windows Backup and Restore, allow you to create an automatic “set it and forget it” schedule. Common options include hourly, daily, weekly, etc. Other solutions offer “continuous protection” in which new or altered files back up immediately each time you save a document. At a minimum, we recommend automated daily backups of critical files.

Finally, decide how you are going to back up. There are two ways: locally or Cloud-based. Local backups rely upon devices you control, such as external USB drives or Wi-Fi accessible network devices. The advantage of local backups is that they enable you to back up and recover large amounts of data quickly. The disadvantage is if you become infected with malware, such as Ransomware, it is possible for the infection to spread to your backups. Also, if there’s a fire, theft, or other disaster, it can result in you losing not only your computer, but the backups, as well. If you use external devices for backups, store a copy off-site in a secure location and make sure your backups are properly labeled.

Cloud-based solutions are online services that store your files on the Internet. Typically, you install an application on your computer. The application then automatically backs up your files either on a schedule or as you modify them. An advantage of Cloud solutions is their simplicity; backups are often automatic, and you can usually access your files from anywhere. Also, since your data resides in the Cloud, home disasters, such as fire or theft, will not affect your backup. Finally, Cloud backups can help you recover from malware infections such as Ransomware. The disadvantage is your ability to back up and restore depends on how much data you have backed up and the speed of your network. Not sure if you want to use local or Cloud-based backups? Be extra safe and use both.

With mobile devices, most of your data is already stored in the Cloud. However, your mobile app configurations, recent photos, and system preferences may not be. By backing up your mobile device, not only do you preserve this information, but it is easier to transfer your data when you upgrade to a new device.

Key Points

  • Backing up your data is only half the battle. You must also be sure that you can recover it. Test periodically that your backups are working by retrieving and opening a file.
  • If you rebuild a system from a backup, be sure you reapply the latest security patches and updates before using it again.
  • If you are using a Cloud solution, select one that is easy for you to use and research the security options. For example, do they support two-step verification to secure your online account?

Backups are a simple and low-cost way to protect your digital life.
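The first Key Point, that a backup is only useful if you can restore from it, is easy to build into the backup itself: record a hash of every file at backup time, then prove a restore by extracting the archive somewhere else and checking every file against that record. The script below is an added example, not from SANS or any backup product; it uses only the Python standard library, and all the sample files, directory names and the simulated damage are constructed for the demonstration.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, dest_dir: Path):
    """Archive src into dest_dir and write the manifest taken at backup time beside it."""
    manifest = build_manifest(src)
    archive = dest_dir / f"backup-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    (dest_dir / (archive.name + ".sha256")).write_text(
        "".join(f"{digest}  {rel}\n" for rel, digest in manifest.items()))
    return archive, manifest


def compare_to_manifest(root: Path, manifest: dict) -> list:
    """Return the files that are missing from root or whose contents no longer match."""
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"{rel} (missing)")
        elif sha256_of(p) != expected:
            problems.append(f"{rel} (changed)")
    return problems


def restore_and_verify(archive: Path, manifest: dict, dest: Path) -> list:
    """The actual restore test: extract the archive and check every file against the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter rejects archive members that would escape dest.
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)  # interpreters that predate the filter argument
    return compare_to_manifest(dest, manifest)


def demo() -> dict:
    """Run the full cycle on constructed sample data and report what the checks found."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, backups, restored = tmp / "home", tmp / "backups", tmp / "restored"
        for d in (src / "docs", src / "notes", backups, restored):
            d.mkdir(parents=True)
        (src / "docs" / "report.txt").write_text("quarterly report (constructed sample)\n")
        (src / "notes" / "todo.txt").write_text("call the bank\n")
        (src / "photo.bin").write_bytes(os.urandom(4096))

        archive, manifest = create_backup(src, backups)
        clean = restore_and_verify(archive, manifest, restored)

        # Simulate a damaged restore: one file altered, one file lost.
        (restored / "notes" / "todo.txt").write_text("corrupted\n")
        (restored / "photo.bin").unlink()
        damaged = compare_to_manifest(restored, manifest)

        return {"files_backed_up": len(manifest), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Scheduling the backup is the easy part; the value of this script is that a restore into a scratch directory is part of every run, so a backup that cannot be recovered is noticed at backup time rather than on the day the files are needed.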

Virtual Conferencing Safely and Securely 

What is Virtual Conferencing?

With so many of us now working from home, you are most likely finding yourself remotely connecting with your co-workers using virtual conferencing solutions like Zoom, Slack, or Microsoft Teams. Your family members, perhaps even your children, may also be using these same technologies to connect with friends or for remote learning. Regardless of why you are connecting, here are key steps you can take to make the most of these technologies safely and securely.

Attending a Virtual Conference

If you will be attending a virtual conference, here are five key steps.

  1. Update the Software: Make sure you are always using the latest version of the conferencing software. The more recent and updated your software, the more secure you will be. Enable automatic updating and quit your program when done, so it can check for the latest updates the next time you restart.
  2. Configure Audio / Video Settings: Set your preferences to mute your microphone and turn off your video when joining a meeting and enable them only when you want. Consider placing a webcam cover or tape over your computer’s camera to ensure privacy when you’re not actively broadcasting. Remember: if your camera is on, everyone can see what you are doing even when you are not talking.
  3. Double-Check What’s Behind You: If you want to enable your webcam, be aware of what’s behind you. Ensure you do not have any personal or sensitive information visible behind you during a call. Some video conferencing software lets you blur or use a virtual background, so people cannot see what is behind you.
  4. Don’t Share Your Invite: The invite link is your personal ticket to enter the meeting. Even if a trusted co-worker needs the link, it’s much better they ask the conference organizer for their own invite.
  5. Do Not Record: Do not take screenshots of or record the conference call without permission. You could accidentally share sensitive information if those screenshots or recordings become public.

Hosting a Virtual Conference

If you will be hosting a virtual conference, here are some additional steps you should take.

  1. Require a Password: To protect the privacy and security of your conference and control who can join, protect your meeting with a password. This way only people who have the conference password can join the event.
  2. Review Attendees: Review the people attending your event. If there is someone you do not know or cannot identify, have that person confirm their identity. If you have any concerns, or if someone is being rude or disruptive, remove them from the conference. Many solutions offer the option to lock the conference once it has begun, so no one else can join unless you let them in. Another option may be to initially place people in a virtual waiting room, so you can approve who joins the call.
  3. Inform if Recording: If you intend to record the event (and have permission to record), be sure to inform everyone on the conference ahead of time.
  4. Sharing Your Screen: If you will be sharing your computer screen at any point, be sure to first close all other applications and remove any sensitive files from your computer’s desktop. Also disable any pop-up notifications. This helps ensure you don’t accidentally share sensitive or embarrassing information while sharing your computer screen. Another option is to consider sharing just the program you want to show instead of sharing your entire computer screen.

These technologies are a fantastic tool and, in many ways, represent the future of how we will work, collaborate, and communicate with others. These simple steps will go a long way to ensure you safely and securely make the most of them.

Used with permission, published by SANS Security Awareness and is distributed under the Creative Commons BY-NC-ND 4.0 license.

One Simple Step to Securing Your Accounts 

Does it seem like cyber criminals have a magic wand for getting into your email or bank accounts and there’s nothing you can do to stop them? Wouldn’t it be great if there was one single step you could take that would help protect you from cyber criminals and let you securely make the most of technology? While no sole step will stop all cyber criminals, one of the most important steps you can take is to enable something called two-factor authentication (sometimes called 2FA, two-step verification, or multi-factor authentication) on your most important accounts.

The Problem With Passwords
When it comes to protecting your accounts, you are most likely already using some type of password. There are several ways to authenticate yourself into an account: something you have, something you know, something you are, somewhere you are. When you employ more than one method of authentication, you are adding an additional layer of protection from cyber criminals – even if they crack one method, they’d still need to bypass the additional factor(s) to access your account. Passwords prove who you are based on something you know. The danger with passwords is that they are a single point of failure. If a cybercriminal can guess or compromise your password, they can gain access to your most important accounts. In addition, cyber criminals are developing faster and better techniques at guessing, compromising, or bypassing passwords. Fortunately, you can fight back with two-factor authentication.

Two-Factor Authentication
Adding two-factor authentication is a far more secure solution than relying on just passwords alone. It works by requiring not one but two different methods to authenticate yourself. This way if your password is compromised, your account is still protected. One example is your ATM card; when you withdraw money from an ATM machine, you are actually using a form of two-factor authentication. To access your money, you’ll need two things: your ATM card (something you have) and your PIN number (something you know). If you lose your ATM card, anyone who finds your card cannot withdraw your money as they do not know your PIN. The same is true if they only have your PIN and not the card. An attacker must have both to compromise your ATM account. The concept is similar for two-factor authentication; you have two layers of security.

Using Two-Factor Authentication Online
Two-factor authentication is something you set up individually for each of your accounts.
It is actually quite simple: you usually need to do nothing more than syncing your mobile phone with your account. That way when you need to log into your account, not only do you log in with your account username and password, but you also use a unique one-time code you get from your phone. The idea is the combination of both your password and unique code are required to log in. Usually, this unique code will be sent via a text message to your mobile device or email. Your phone may also have a mobile app (such as Google or Microsoft Authenticator app) that will generate the unique code for you. When possible, mobile apps are considered the most secure option for obtaining your unique code.
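What an authenticator app does to produce that unique code is not magic: it shares a secret with the website at enrollment (the QR code you scan) and then computes a short code from that secret and the current 30-second time window, the TOTP algorithm of RFC 6238 built on the HOTP construction of RFC 4226. The implementation below is an added example, not the code of SANS, Google or Microsoft; it uses only the Python standard library, and the test key is the shared one published in those RFCs.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over an 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second windows since the epoch."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30, window: int = 1):
    """Server-side check of a submitted code.

    Accepts the current window plus `window` steps on either side to tolerate clock drift.
    Returns the counter that matched (so the caller can store it and refuse the same code
    twice), or None when nothing matched. The comparison is constant-time.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return counter + delta
    return None


def secret_from_base32(text: str) -> bytes:
    """Enrollment secrets are handed to the app as Base32 text (typed in or read from the QR code)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps usually omit
    return base64.b32decode(cleaned)


# Shared test key published in RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(RFC_TEST_SECRET_B32)
    code = totp(secret)
    print("current code:", code, "-> accepted at counter", verify_totp(secret, code))
```

Two points the code makes visible: the secret never leaves the device or the server, only the six-digit result does, which is why a code intercepted from you is only useful for a minute or so; and the server decides how much drift to accept, so an attacker who has your password but not your phone still has nothing to type in.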

What makes this so simple is that you usually only have to do this once from whatever computer or device you are using to log in. Once the website or your account recognizes your device, moving forward you often only need your password to login. Any time you try (or someone else tries) to log in with your account but from a different computer or device, they will have to use two-factor authentication again. This means if a cybercriminal gains your password, they still can’t access your account as they can’t access the unique code.

Remember, two-factor authentication is usually not enabled by default, so you’ll have to enable it yourself for each of your most important accounts, such as banking, investments, retirement, or personal email. While this may seem like more work at first, once it’s set up it's very easy to use.

Used with permission by SANS Security Awareness    

Cybersecurity Awareness Month 

Week 1: Oct. 1-5

Make Your Home a Haven for Online Safety

Every day, parents and caregivers teach kids basic safety practices—like looking both ways before crossing the street and holding an adult's hand in a crowded place. Easy-to-learn life lessons for online safety and privacy begin with parents leading the way. Learning good cybersecurity practices can also help set a strong foundation for a career in the industry.

With family members using the internet to engage in social media, adjust the home thermostat or shop for the latest connected toy, it is vital to make certain that the entire household—including children—learn to use the internet safely and responsibly and that networks and mobile devices are secure. Week 1 will underscore basic cybersecurity essentials the entire family can deploy to protect their homes against cyber threats.

3 things you can do tonight to protect your home and family

Most of us probably remember our parents advising us to look both ways before crossing the street, or to never touch a hot stove. But how many of us can recall parental guidance—or have talked to our own children—about how to secure our social media accounts, or how to protect our laptops from hackers?

Cybersecurity isn’t just for the workplace. Technology permeates our daily lives, helping us to connect, create, and cool off. We take our tech home, using smartphones to play music or stream movies when we aren’t answering emails. As the number of devices per household continues to grow, more children are being exposed to more technology in less time.

It’s our responsibility as consumers and family members to be aware of our own security and understand how each of us is empowered to protect it.

1: Engage with your family about the way they use technology.

Communication is important in relationships, whether with a partner or a family. Take the time to talk about technology—and we don’t mean just to share the Wi-Fi password.

For the parents among us, get involved with the technology your children use. What apps and social media sites are helping them connect with friends? What information are they sharing through texts and social media, and with whom? Are they aware of fake profiles, Fortnite scams, and other tricks used by cybercriminals?

Understanding how your children engage with devices and online services will help you protect them from dangers they may not be aware of. Help them understand that they’re in control of their accounts’ privacy settings and what they share, and that a little caution can save a lot of embarrassment and regret down the road. As an added bonus, your tech talks might give you some gift ideas for the approaching holiday season!

2: Change that Wi-Fi password!

Most home routers come out of the box with a default SSID (network name) and password. Usually, this information is printed on a label, and many people never change it. Problem is, most of these passwords are also posted online and are easy for hackers (and neighbors) to find. Some routers may not even require a password by default!

If someone can log in to your router, they can view your connected devices, change your network settings, and even lock you out of your own network. Earlier this year, the FBI warned consumers to reset their router passwords in response to an outbreak of Russian malware that allowed hackers to do exactly those things. Even if the hackers don’t poke around, they can use your home like a free hotspot as long as they’re in range (in which case you’d better hope they’re not up to anything illegal!).

Your home has a front door; so does your network. Make sure you keep both locked tight.

3: Make sure your family’s devices are all password (or fingerprint) protected.

Computers and smartphones include password protection features that you can enable in system settings. Most newer phones and laptops also include biometric protection features such as fingerprint scanners or facial recognition. Some devices may ask you to create a password or biometric profile when you first configure them or when you update their operating system. There’s a good reason for that.

If your device doesn’t have a password, anyone who picks it up can view your pictures, messages, and other data. Your thief may place a few Amazon orders in your name, or meddle with other open apps.

Setting a strong password or using biometric authentication prevents thieves from stealing your data, even if they manage to get their hands on your computer or phone. It also helps prevent your significant other or your kids from snooping on or pranking you.

Cybersecurity Awareness Month Week 3 

Internet of Things (IoT)

What Is the Internet of Things (IoT)

In the past, technology was relatively simple; you just connected your computer to the Internet and used it for your daily activities. However, technology became more advanced when mobile devices came into our lives, devices such as smartphones and tablets. These devices put the power of desktop computers into our pockets. While far more mobile, these devices also brought their own, unique security challenges. The next big technical advancement is the Internet of Things. The Internet of Things, often shortened to IoT, is all about connecting everyday devices to the Internet, devices from doorbells and light bulbs to toy dolls and thermostats. These connected devices can make our lives much simpler; for example, having your lights automatically activate as your phone recognizes when you get close to home. The IoT market is moving at an amazing pace, with new devices appearing every week. However, like mobile devices, IoT devices also come with their own individual security issues. In this newsletter, we help you understand what those risks are and what you can do to secure your IoT devices, your home, and your family.

Issues with IoT

Know what IoT devices you have connected to your network, isolate them often, keep them updated, and have strong passphrases.

The power of IoT is that most of these devices are simple. For example, you simply plug your coffee machine in and it asks to connect to your home Wi-Fi network. However, all that simplicity comes at a cost. The biggest problem with IoT devices is that many of the companies making them have no experience with security. Instead, their expertise is manufacturing household appliances. Or perhaps they are a startup trying to develop a product in the fastest, most efficient way possible, such as on Kickstarter. These organizations are focusing on profits, not cyber security. As a result, many IoT devices purchased today have little or no security built into them. For example, some have default passwords that are well known, perhaps even posted on the Internet, and cannot be changed.

In addition, many of these devices have no option or ability to configure them; you’re stuck with whatever was shipped. To make matters worse, many of these devices can be difficult to update or may not even have the capability. As a result, many of the IoT devices you are using can quickly become out of date with known vulnerabilities that cannot be fixed, leaving you permanently vulnerable.

Protecting Your IoT Devices

So what can you do? We definitely want you to leverage the power of IoT devices securely and effectively. These devices can provide wonderful features that can make your life simpler, help save money, and increase the physical security of your home. In addition, as the technology grows, you may have no choice but to purchase or use IoT devices. Here are some steps you can take to protect your IoT devices and yourself:

  • Connect Only What You Need: The simplest way to secure an IoT device is to not connect it to the Internet. If you don’t need your device to be online, don’t connect it to your Wi-Fi network.
  • Separate Wi-Fi Network: If you do need your IoT devices online, consider creating a separate Wi-Fi network just for them. Many Wi-Fi access points have the ability to create additional networks, such as a Guest network. Another option is to purchase an additional Wi-Fi access point just for IoT devices. This keeps your IoT devices on an isolated network, where they cannot be used to harm or attack any computer or mobile devices connected to your primary home network (which is still the main interest of cyber criminals).
  • Update When Possible: Just like your PC and mobile devices, keep your IoT devices up to date. If your IoT device has the option to automatically update, enable that.
  • Strong Passwords: Change any passwords on your IoT device to a unique, strong passphrase only you know. Can’t remember all of your passphrases? Don’t worry, neither can we. Consider using a password manager to securely store all of them.
  • Privacy Options: If your IoT device allows you to configure privacy options, limit the amount of information it shares. One option is to simply disable any information sharing capabilities.
  • Consider Replacement: At some point, you may want to replace an IoT device when your existing one has too many known vulnerabilities that cannot be fixed or there are newer devices that have far more security built into them.

There is no one size fits all for every device, so it is worth checking for best practices and any publications on how to secure them. Unfortunately, most IoT devices were not developed with cyber security in mind, so many manufacturers do not provide much security information. But as awareness for cyber security grows, we hope to see more and more IoT vendors build security into their devices and provide more information on how to protect and update them.

Cybersecurity Awareness Month - Week 4 

Helping Others Secure Themselves

Many of us feel comfortable with technology, including how to use it safely and securely. However, other friends or family members may not feel so comfortable. In fact, they may be confused, intimidated, or even scared by it. This makes them very vulnerable to today’s cyber attackers. Cyber security does not have to be scary; it’s actually quite simple once you understand the basics. They most likely just need a guide like you to walk them through those basics.

Five Simple Steps

Here are five simple steps you can take to help others overcome those fears and securely make the most of today’s technology.  For more information on each of these points, refer to the References section at the end of this newsletter.

Help others securely make the most of technology by sharing these five simple steps with them.

  1. Social Engineering: Social engineering is a common technique used by cyber attackers to trick or fool people into doing something they should not do, such as sharing their password, infecting their computer, or sharing sensitive information. This is nothing new. Scams and con artists have existed for thousands of years. The only difference now is bad guys are applying these same concepts to the Internet. You can help others by explaining to them the most common clues of a social engineering attack, such as when someone creates a tremendous sense of urgency, when something is too good to be true, or when a cyber-attacker pretends to be someone you know but their messages don’t sound like them. Share examples of common social engineering attacks, such as phishing emails or the infamous Microsoft tech-support phone calls. If nothing else, make sure family members understand they should never give their password to anyone or allow remote access to their computer.
  2. Passwords: Strong passwords are key to protecting devices and any online accounts. Walk your family members through how to create strong passwords. We recommend passphrases, as they are the easiest to both type and remember. Passphrases are nothing more than passwords made up of multiple words. In addition, help them to install and use a password manager. It is important to have a unique password for each of your devices and accounts. If a password manager is overwhelming, perhaps teach them to write their passwords down, then store those passwords in a secure location. Finally, help them enable two-step verification (often called two-factor authentication) for important accounts. Two-step verification is one of the most effective steps you can take to secure any account.
  3. Patching: Keeping systems current and fully up-to-date is a key step anyone can take to secure their devices. This is not only true for your computers and mobile devices, but anything connected to the Internet, such as gaming consoles, thermometers, or even lights or speakers. The simplest way to ensure all devices are current is to enable automatic updating whenever possible.
  4. Anti-Virus: People make mistakes. We sometimes click on or install things we probably should not, which could infect our systems. Anti-virus is designed to protect us from those mistakes. While anti-virus cannot stop all malware, it does help detect and stop the more common attacks. As such, make sure any home computers have anti-virus installed and that it is current and active. In addition, many of today’s anti-virus solutions include other security technology, such as firewalls and browser protection.
  5. Backups: When all else fails, backups are often the only way you can recover from mistakes (like deleting the wrong files) or cyber-attacks (like ransomware). Make sure family and friends have an automated file backup system in place. Often, the simplest solutions are Cloud-based. They back up your devices hourly or whenever you make a change to a file. These solutions make it easy not only to back up data, but to recover it.

Securing Kids When Visiting Others

If you are comfortable with technology, you most likely not only have secured yourself, but helped secure your kids. However, when kids visit a relative who is not comfortable with technology, such as grandparents, these relatives may not be aware of how to best protect kids online or your expectations. Here are some steps you can take to help protect kids when they visit others, especially family:

  • Rules. Be sure that if there are any rules or expectations you have for kids’ security, others know about them. For example, are there any rules on how long kids can be online, whom they can talk to, or what games they can or cannot play? Trust us, don’t plan on kids explaining the rules to other family members. One idea is to create a ‘rules sheet’ and share that with any relatives your kids frequently visit.
  • Control. If a child understands technology better than their guardians, they may take advantage of that. For example, kids may ask for or gain administrative rights to a grandparent’s computer and then do whatever they want, such as installing that game you may not want them playing. Make sure relatives understand they should not give the kids any additional access beyond what has been established.

The IT Team Can’t Do It Alone – Cybersecurity Is Everyone’s Responsibility 

Higher education institutions use lots of data every day. Payroll information, health insurance information, payment card information, and student information that includes financial aid information are just a few of the most sensitive data elements that are shared. These data elements are shared within institutions and with the vendors we do business with daily. It is not just IT departments that need to understand the information security requirements needed to protect these data. Every department that uses data needs to understand how to properly secure the data entrusted to it. Information security is a shared responsibility, and we offer the following tips to share with your campus community.

What can you do every day to protect data? There are very few, if any, verticals such as higher education that transmit, process, access, and share such varying sensitive data elements. There is not a "one size fits all" blueprint for information security controls that all institutions can follow. Yet all campus members have a responsibility to know basic information security protections to safeguard data and prevent those data from being mishandled:

  • Update your computing devices: Ensure updates to your operating system, web browser, and applications are being performed on all personal and institution-issued devices. If prompted to update your device, don't hesitate—do it immediately.
  • Enable two-factor authentication: Whether for personal use or work, two-factor authentication can prevent unauthorized access even if your login credentials are stolen or lost.
  • Create really strong and unique passwords: Create unique passwords for all personal and work accounts. In today's environment, one of the best ways to create a really strong password is to use a password manager for all of your accounts. A password manager will alleviate the burden of having to memorize all the different complex passwords you've created by managing them all in one "vault" and locking that vault with a single master password.
  • Protect your devices: Using biometrics or six-digit passcodes on smartphones and tablets is critical to keeping curious minds from accessing personal information, work email, or retail/banking applications. It also helps protect your device if you lose or misplace it.
  • Understand where, how, and to whom you are sending data: Many breaches occur because of "oopsie moments" where we accidentally post sensitive information publicly, mishandle it or publish it online to the wrong audience, or send sensitive information in an email to the wrong person. Taking care to know how you are transmitting or posting data is critical.

Getting ready to send data to a vendor or sign a contract? With more and more services moving to the cloud, higher education institutions have an additional obligation to ensure that third parties are protecting our most sensitive information. If you or your department is looking to purchase or adopt a service or technology that uses institutional data, it is imperative that you include information technology at the beginning of the project or contract process to help ensure that data are properly protected. To determine whether or not IT should be involved in the vendor/contract process, ask yourself the following questions:

  • Does the project (and in-scope technologies) involve the handling or storage of personal data (e.g., student data, employee data, donor data, research data, or financial data)?
  • Does the project (and in-scope technologies) involve the handling or storage of personal data that is regulated by government entities or has special contractual obligations to a third party (e.g., a sponsored research contract)?
  • Is there transfer of any institutional data from an institution-owned system or device to a third-party vendor-contracted system or device?
  • Does the project involve acquiring/implementing/developing software, services, or components that your institution has not previously deployed?
  • Does the project involve providing a new data feed to an existing campus partner?
  • Does the project involve accepting card payments in any way?

If the answer to any of the above questions is "yes," collaborate with your IT department at the beginning of the project to ensure that institutional data are properly protected.

Social Posts

  • Cybersecurity practices are like sunscreen—sometimes messy to apply but worth it to keep from getting burned. #infosec #staysafeonline #CyberAware
  • The IT team can't do it alone. Cybersecurity is everyone's responsibility. #infosec #CyberAware
  • Visit the Stay Safe Online resource library for more sample social media posts and graphics.

Best Practices for using Public WiFi 

Public Wi-Fi networks can now be found almost everywhere – in airports, coffee shops, libraries, restaurants, malls, and hotels – making it easy for anyone to connect to the Internet wherever they are. Although these Wi-Fi hotspots can be convenient, they are not always secure, potentially exposing you to online risks and presenting an opportunity for cybercriminals to steal sensitive information. It is important to understand these risks and take measures to protect yourself while connecting to Wi-Fi networks.

Simple Tips

  • Think before you connect. Before you connect to any public wireless hotspot – like on an airplane or in an airport, hotel, or café – be sure to confirm the name of the network and login procedures with appropriate staff to ensure that the network is legitimate. Cybercriminals can easily create a similarly named network hoping that users will overlook which network is the legitimate one. Additionally, most hotspots are not secure and do not encrypt the information you send over the Internet, leaving it vulnerable to cybercriminals.
  • Use your mobile network connection. Your own mobile network connection, also known as your wireless hotspot, is generally more secure than using a public wireless network. Use this feature if you have it included in your mobile plan.
  • Avoid conducting sensitive activities through public networks. Avoid online shopping, banking, and sensitive work that requires passwords or credit card information while using public Wi-Fi.
  • Keep software up to date. Install updates for apps and your device’s operating system as soon as they are available. Keeping the software on your mobile device up to date will prevent cybercriminals from being able to take advantage of known vulnerabilities.
  • Use strong passwords. Use different passwords for different accounts and devices. Do not choose options that allow your device to remember your passwords. Although it’s convenient to store the password, that potentially allows cybercriminals into your accounts if your device is lost or stolen.
  • Disable auto-connect features and always log out. Turn off features on your computer or mobile devices that allow you to connect automatically to Wi-Fi. Once you’ve finished using a network or account, be sure to log out.
  • Ensure your websites are encrypted. When entering personal information over the Internet, make sure the website is encrypted. Encrypted websites use https://. Look for https:// on every page, not just the login or welcome page. Where an encrypted option is available, you can add an “s” to the “http” address prefix and force the website to display the encrypted version.

Online Shopping Precautions 

In recent years, more people have found the Internet a convenient way to shop, pay bills and track banking activity. The world of electronic commerce, also known as e-commerce, has expanded our purchasing abilities from local retailers to worldwide companies and expedited our ability to shop while maintaining a busy schedule.

Unfortunately, things can go wrong while shopping in cyberspace. Sometimes it is simply a case of a computer glitch or poor customer service. Other times, shoppers are cheated by hackers and thieves.

Research the Vendor or Website

Do business with companies you already know. If the company is unfamiliar, investigate its authenticity and credibility. Conduct an internet search (e.g., Google, Yahoo) for the company name. The results should usually provide both positive and negative comments about the company. If there are no results, be extremely wary. Reliable companies should advertise their business address and at least one phone number, either customer service or an order line. Call the phone number and ask questions to determine if the business is legitimate. Ask how the merchant handles returned merchandise and complaints. Find out if it offers full refunds or only store credits.

You can also research a company in the Internet yellow pages, through the Better Business Bureau, or a government consumer protection agency including the district attorney’s office or the state Attorney General.  Perhaps friends or family members who live in the city listed can verify the validity of the company.  Remember, anyone can create a web site.

Try to shop on a website of a business that has locations within the U.S.  These stores must follow specific state and federal consumer laws.  You might not get the same protection if you place an order with a company located in another country.

Credit vs. Debit

The safest way to shop on the Internet is with a credit card.  In the event something goes wrong, you are protected under the federal Fair Credit Billing Act.  You have the right to dispute charges on your credit card and you can withhold payments during a creditor investigation.  When it has been determined that your credit was used without authorization, you can only be held responsible for the first $50 in charges. It is recommended that you obtain one credit card that you use only for online payments to make it easier to detect wrongful credit charges and to keep your other cards from being exposed.

E-commerce shopping by check leaves you vulnerable to bank fraud. Make sure your credit card is a credit card only and not a debit card or a check card. As with checks, a debit card exposes your bank account to thieves. Further, debit cards are not protected to the extent that credit cards are by federal law.

What Information to Provide

Disclose Only the Bare Facts When You Order. Never provide a Social Security Number to a vendor. When placing an order, there is certain information that you must provide to the web merchant such as your name and address.  Often, a merchant will try to obtain more information about you.  This information is used to target you for marketing purposes.  It can lead to “spam” or even direct mail and telephone solicitations.

Don’t answer any question you feel is not required to process your order.  Often, the website will mark which questions are mandatory with an asterisk (*).  Should a company require information you are not comfortable sharing, leave the site and find a different company for the product you seek.

Confirmation of Order

After placing an order online, you should receive a confirmation page that reviews your entire order.  It should include the cost of your order, your customer information, product information, and the confirmation number.

Print at least one copy of the confirmation page and the web page(s) describing the item you ordered, as well as the page showing the company name, postal address, phone number, and legal terms, including return policy.  Keep it for your own records for at least the period covered by the return/warranty policy.

You will often also receive a confirmation message that is e-mailed to you by the merchant.  Be sure to save and/or print this message as well as any other e-mail correspondence with the company.

Use Shopper’s Intuition

Heed the old adage, “If it looks too good to be true, it probably is.”

  • Are there extraordinary claims that you question?
  • Do the company’s prices seem unusually low?
  • Does the company’s phone go unanswered?
  • The use of a post office box might not send up a red flag, but a merchant who does not also provide the company’s physical address might be cause for concern.

If any of these questions trigger a warning, you will be wise to find another online merchant or buy the product in a store.

Scamming You Through Social Media 

Many of us have received phishing email, either at work or home. These emails look legitimate, such as from your bank, your boss, or your favorite online store, but are really an attack, attempting to pressure or trick you into taking an action you should not take, such as opening an infected email attachment, sharing your password, or transferring money. The challenge is, the more savvy we become at spotting and stopping these email attacks, the more cyber criminals try other ways of contacting and scamming us.

Attempts to scam or fool you can happen over almost any form of communication you use—from Skype, WhatsApp, and Slack to Twitter, Facebook, Snapchat, Instagram, and even gaming apps. Communication over these platforms or channels can feel more informal or trustworthy, which is precisely why attackers are using them to fool others. In addition, with today’s technologies, it has become much easier for any attacker anywhere in the world to pretend to be anything or anyone they want. It is important to remember that any communications that come your way might not be what they seem and that people are not always who they appear to be.

Key Takeaways

Here are the most common clues that a message you just received or a post you just read may be an attack:

Urgency: The message has a sense of urgency that demands “immediate action” before something bad happens, like threatening to close your account or send you to jail. The attacker wants to rush you into making a mistake.

Pressure: The message pressures you to bypass or ignore policies or procedures at work.

Curiosity: The message invokes a strong sense of curiosity or promises something that is too good to be true. No, you did not just win the lottery.

Sensitive: The message includes a request for highly sensitive information, such as your credit card number or password, or any information that you’re just not comfortable sharing.

Official: The message says it comes from an official organization, but has poor grammar or spelling. Most government organizations will not use social media for official communications directly with you. If you are not sure if the message is legitimate, call the organization back, but use a trusted phone number, such as one from their website.

Impersonation: You receive a message from a friend or co-worker, but the tone or wording just does not sound like them. If you are suspicious, call the sender on the phone to verify they sent the message. It is easy for a cyber-attacker to create messages that appear to be from someone you know. In some cases, they can take over one of your friend’s accounts and then pretend to be your friend and reach out to you. Be particularly aware of text messages, Twitter, and other short message formats, where it is more difficult to get a sense of the sender’s personality.

You are the best defense against scams, cons, and attacks like these. If a post or message seems odd or suspicious, simply ignore or delete it. If it is from someone you personally know, call the person on the phone to confirm if they really sent it.

SPAM and Phishing 

Cybercriminals have become quite savvy in their attempts to lure people in and get you to click on a link or open an attachment.

Malicious Email

A malicious email can look just like it comes from a financial institution, an e-commerce site, a government agency or any other service or business.

It often urges you to act quickly, because your account has been compromised, your order cannot be fulfilled or there is another urgent matter to address.

If you are unsure whether an email request is legitimate, try to verify it with these steps:

  • Contact the company directly – using information provided on an account statement, on the company’s official website or on the back of a credit card.
  • Search for the company online – but not with information provided in the email.

Spam

Spam is the electronic equivalent of junk mail. The term refers to unsolicited, bulk – and often unwanted – email. Here are ways to reduce spam:

  • Enable filters on your email programs: Most internet service providers (ISPs) and email providers offer spam filters; however, depending on the level you set, you may end up blocking emails you want. It’s a good idea to occasionally check your junk folder to ensure the filters are working properly.
  • Report spam: Most email clients offer ways to mark an email as spam or report instances of spam. Reporting spam will also help to prevent the messages from being directly delivered to your inbox.

Consider hiding your email address from online profiles and social networking sites or only allowing certain people to view your personal information.

Phishing

Phishing attacks use email or malicious websites (clicking on a link) to collect personal and financial information or infect your machine with malware and viruses.

Spear Phishing

Spear phishing involves highly specialized attacks against specific targets or small groups of targets to collect information or gain access to systems. For example, a cybercriminal may launch a spear phishing attack against a business to gain credentials to access a list of customers. From that attack, they may launch a phishing attack against the customers of the business. Since they have gained access to the network, the email they send may look even more authentic, and because the recipient is already a customer of the business, the email may more easily make it through filters and the recipient may be more likely to open it.

The cybercriminal can use even more devious social engineering efforts such as indicating there is an important technical update or new lower pricing to lure people.

Spam & Phishing on Social Networks

Spam, phishing, and other scams aren’t limited to just email. They’re also prevalent on social networking sites. The same rules apply on social networks: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets, and other posts. Here are ways to report spam and phishing on major social networks:

Tips for Avoiding Being a Victim

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Before sending or entering sensitive information online, check the security of the website.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Check out the Anti-Phishing Working Group (APWG) to learn about known phishing attacks and/or report phishing.
  • Keep a clean machine. Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce risk of infection from malware.
  • Report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
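The URL clues in the tips above (a variant spelling, a different domain such as .com versus .net, the trusted name buried in a longer address) and the earlier Public Wi-Fi advice to look for https:// can be turned into a small checker. This is an added example, not part of the original newsletter; the trusted-domain list and sample URLs are constructed, and treating the last two labels of a host name as its registrable domain is a simplification.

```python
"""Flag URLs that look like, but are not, the sites you actually do business with.

Added example, not from the original newsletter. TRUSTED_DOMAINS and the
sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the domains this reader really uses.
TRUSTED_DOMAINS = {"examplebank.com", "example-shop.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. login.examplebank.com -> examplebank.com.

    Simplification (assumption): multi-label public suffixes such as co.uk
    are not handled; a real deployment would use a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> list:
    """Return a list of warning strings; an empty list means nothing looked off."""
    warnings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append("not-https")                 # page advice: look for https://
    if parts.username is not None:
        warnings.append("userinfo-before-host")      # "trusted.com@evil.net" trick
    if not host:
        warnings.append("no-host")
        return warnings

    domain = registrable_domain(host)
    if domain in trusted:
        return warnings                              # the real site (or a subdomain of it)

    sld = domain.rsplit(".", 1)[0]                   # label left of the TLD
    matched = False
    for good in trusted:
        good_sld = good.rsplit(".", 1)[0]
        if "." + good + "." in "." + host + ".":
            # Trusted name appears as a subdomain of some other domain.
            warnings.append(f"brand-as-subdomain:{host}")
            matched = True
        elif sld == good_sld:
            # Same name, different top-level domain (.net instead of .com).
            warnings.append(f"tld-mismatch:{domain} vs {good}")
            matched = True
        elif levenshtein(sld, good_sld) <= max_edits:
            # A near-miss spelling such as examp1ebank; threshold suits
            # brand names of a reasonable length, tune it for short ones.
            warnings.append(f"spelling-variation:{domain} vs {good}")
            matched = True
    if not matched:
        warnings.append(f"unknown-domain:{domain}")  # not a known site at all
    return warnings


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing message might carry.
    for sample in ("https://login.examplebank.com/",
                   "https://examplebank.net/login",
                   "https://examp1ebank.com/",
                   "http://examplebank.com/",
                   "https://examplebank.com.secure-login.net/"):
        print(sample, "->", check_url(sample) or "ok")
```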

What to Do if You Are a Victim

  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close the account(s).
  • Watch for any unauthorized charges to your account.
  • Consider reporting the attack to your local police department, and file a report with the Federal Trade Commission or the Internet Crime Complaint Center.
  • When in doubt, throw it out: Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete or – if appropriate – mark it as junk.

Protect Yourself With These STOP. THINK. CONNECT.™ Tips

  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
  • Make your passphrase a sentence: A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique passphrase: Having separate passphrases for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passphrases.
  • Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passphrases are not enough to protect key accounts like email, banking and social media.

Additional Resources

Used with permission from the National Cybersecurity Alliance NCSA

Mobile Device Security 

That smartphone in your pocket – or your tablet or laptop – contains significant information about you and your friends and family, including contact numbers, photos, and locations. Your mobile devices need to be protected. Take the following security precautions and enjoy the conveniences of technology with peace of mind while you are on the go.

Keep a Clean Machine

Keep security software current on all devices that connect to the internet: Having the most up-to-date mobile security software, web browser, operating system and apps is the best defense against viruses, malware, and other online threats.

Delete when done: Many of us download apps for specific purposes, such as planning vacations, and no longer need them afterwards, or we may have previously downloaded apps that are no longer useful or interesting to us. It’s a good security practice to delete all apps you no longer use.

Protect Your Personal Information

Secure your devices: Use strong passphrases, passcodes, or other features such as touch identification to lock your devices. Securing your device can help protect your information if your device is lost or stolen and keep prying eyes out.

Personal information is like money – Value it. Protect it.: Information about you, such as the games you like to play, what you search for online and where you shop and live, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites.

Own your online presence: Use security and privacy settings on websites and apps to manage what is shared about you and who sees it.

Now you see me, now you don’t: Some stores and other locations look for devices with WiFi or Bluetooth turned on to track your movements while you are within range. Disable WiFi and Bluetooth when not in use.

Connect with Care

Get savvy about WiFi hotspots: Public wireless networks and hotspots are not secure, which means that anyone could potentially see what you are doing on your laptop or smartphone while you are connected to them. Limit what you do on public WiFi and avoid logging in to key accounts like email and financial services. Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection.

 

When in doubt, don’t respond: Fraudulent text messages, calls and voicemails are on the rise. Just as with email, mobile requests for personal data or immediate action are almost always scams.

Tips to Secure Your Mobile Devices

 

Update Your System and Software

Make sure all security and critical software is up to date on your connected devices and keep it updated. Turn on “automatic updates” on your devices if you’re prone to forgetting. Cyber criminals are creating apps that are used to infect your mobile devices and steal personal data. Only download apps from trusted app stores. Read reviews of apps before downloading. Research the app developer. Own your security by doing your research before downloading.

 

Password Protect Your Devices

Make sure you require the use of a passcode or extra security feature (like a fingerprint) to unlock your phone or mobile device in case either is misplaced or stolen.

 

Use Mobile Security Software

Security software isn’t only for your desktop or laptop. There are security products you can use to protect your tablets and phones as well.

 

Set Up the “Find My Phone” Feature on Your Devices

This will allow you to find, remotely wipe data, and/or disable the device if it gets into the wrong hands.

 

Actively Manage Location Services

Location tools come in handy while navigating a new place, but they can also expose your location ‒ even through photos. Turn off location services when not in use.

 

Get Savvy About WiFi Hotspots

Do not transmit personal info or make purchases on unsecured networks (such as free WiFi at a cafe or hotel). Instead, use a virtual private network (VPN) or your phone as a personal hotspot to surf more securely.

 

Stop Auto Connecting

Disable remote connectivity and Bluetooth. Some devices will automatically seek and connect to available wireless networks. And Bluetooth enables your device to connect wirelessly with other devices, such as headphones or automobile infotainment systems. Disable these features so that you only connect to wireless and Bluetooth networks when you want/need to.

 

Protect Physical Devices

Ensure your devices are always with you. Don’t leave devices unattended with strangers.

 

App with Care

Review and understand the details of an app before downloading and installing onto your device. Only download from trusted sources. Be aware that apps may request access to your location and personal information. Delete any apps that you do not use regularly to increase your security.

Used with permission from the National Cybersecurity Alliance (NCSA)

 

Online Security for Kids 


 

Background

Kids' lives are online more than ever, from socializing with friends and interacting with family to online learning and education. As parents we want to make sure they do so in a safe and secure manner. However, this is hard, as many of us never grew up in an online environment like this. Below we cover key steps on how you can help kids make the most of online technology safely and securely.

 

Education / Communication

First and foremost, make sure that you foster good, open communication with your children. Far too often parents get caught up in the technology required to block content or in which mobile apps are good or bad. No parental control technology is perfect, and some have privacy concerns due to the data they collect. Ultimately this is not a technology problem but a behavior and values problem. Teach your kids to behave online as they would in the real world. A good place to start is to create a list of expectations with your kids. Here are some to consider (these rules should evolve as kids get older):

  • Times when they can or cannot go online and for how long.
  • Types of websites and/or games they can access and why they are or are not appropriate.
  • What information they can share and with whom. Children often do not realize what they post is permanent and public, or that their friends may share their secret with the world.
  • Who they should report problems to, such as strange pop-ups, scary websites, or if someone online is being creepy or a bully.
  • Treat others online as they would want to be treated themselves.
  • People online may not be who they claim to be, and not all information is accurate or truthful.
  • What can be purchased online and by whom, to include in-game purchases.

 

Consider tying these rules to their academic grades, completion of chores, or how they treat others. Once you decide on the rules, post them in the house. Even better, have them review and sign the document; that way, everyone is in full agreement. The earlier you start talking to your kids about your expectations, the better.

 

Not sure how to start the conversation? Ask them what apps they are using and how they work. Put your child in the role of teacher and have them show you what they are doing online. Keeping communication open and active is the best way to help kids stay safe in today’s digital world.

 

For mobile devices, consider a central charging station somewhere in your house. Before your children go to bed at night, have all mobile devices placed at the charging station, so your children are not tempted to use them when they should be sleeping.

 

Security Technologies and Parental Controls

There are security technologies and parental controls you can use to monitor and help protect your kids. They typically provide capabilities to enforce usage limits or hours as well as content protections. These solutions tend to work best for younger children. Older kids not only need more access to the Internet but often use devices that you do not control or cannot monitor, such as those issued by school, gaming consoles, or devices at a friend’s or relative’s house. This is why communicating with your kids about your expectations and the dangers that exist on the internet is so important.

 

Leading by Example

Set a good example as parents or guardians. When your kids talk to you, put your own digital device down and look them in the eye. Consider not using digital devices at the dinner table and never text while driving. Finally, when kids make mistakes, treat each one as an experience to learn from instead of engaging in an immediate disciplinary action. Make sure they feel comfortable approaching you when they experience anything uncomfortable online or realize they themselves have done something wrong.

 

 

Used with permission by © SANS Institute 2020, www.sans.org/security-awareness

 

Avoid the Most Common Email Mistakes 


 

Email is still one of the primary ways we communicate, both in our personal and professional lives. However, quite often we can be our own worst enemy when using email. Here are the most common mistakes people make with email and how to avoid them.

Auto Complete
Auto-complete is a common feature in most email clients. As you type the name of the person you want to email, your email software automatically selects their email address for you. This way you do not have to remember the email addresses of all your contacts, just their names. The problem is that when you know people who share similar names, it is very easy for auto-complete to select the wrong email address. For example, you may intend to send a very sensitive work email to “Janet Roberts”, your co-worker, but instead auto-complete selects the email address for “Janice Rodriguez”, your child’s basketball coach. You end up sending a sensitive work email to someone you barely know. Always double-check the name and the email address in any sensitive email before you hit send. Another option is to add the recipient’s email address only after you have drafted your message, ensuring you selected the intended individual.

Reply-All
In addition to the “To” field, when you create an email you also have a “CC:” option. “CC:” stands for “Carbon Copy”, which allows you to copy additional people on your email and keep them informed. When someone sends you an email and has CC’ed people on it, you have to decide how you want to reply: just to the sender, or to everyone included on the email via Reply-All. If your reply is sensitive, you most likely want to reply only to the sender. However, be careful, as it’s very easy to mistakenly hit “Reply-All,” which means you would reply to everyone on the email. Once again, whenever replying to a sensitive email, always double-check who you are sending it to before you hit send.

Emotion
Never send an email when you are emotionally upset; it could harm you in the future, perhaps even costing you a friendship or a job. Instead, take a moment and calmly organize your thoughts. If you need to vent your frustration, open up a new email (make sure there is no name or email address in the TO: section) and type exactly what you feel like saying. Then get up and walk away from your computer; perhaps make yourself a cup of coffee or go for a walk. When you come back, delete the message and start over again. It may even help to have a friend or co-worker review your draft response objectively before you send it. Or better yet, once you have calmed down, pick up the phone and simply talk to the person, or speak face to face if possible. It can be difficult for people to determine your intent with just an email, so your message may sound better on the phone or in person. Remember, once you send that email, it exists forever.

Privacy
Finally, email has few privacy protections. Your email can be read by anyone who gains access to it, similar to a postcard sent in the mail. Your email can easily be forwarded to others, posted on public forums, released due to a court order, or distributed after a server is hacked. If you have something truly private to say to someone, pick up the phone and call them. If you are using your work computer for sending email, remember that your employer may have the right to monitor and perhaps even read your email when you use work resources.

Attachments
If you’re attaching documents to your message, double-check that you’ve attached the correct versions of the correct files before sending.

Shopping Online Securely 


Overview

The holiday season is nearing for many of us, and soon millions of people around the world will be looking to buy the perfect gifts. Many of us will choose to shop online in search of great deals and to avoid long lines and impatient crowds. Unfortunately, this is also the time of year many cyber criminals create fake shopping websites to scam and steal from others. Below, we explain the risks of shopping online and how to get that amazing deal safely.

 

Fake Online Stores

While many online stores are legitimate, there are some fake websites set up by cyber criminals. Criminals create these fake websites by replicating the look of real sites or using the names of well-known stores or brands. They then use these fraudulent websites to prey on people who are looking for the best deal possible. When you search online for the absolute lowest prices, you may find yourself directed to one of these fake websites. When selecting a website to make a purchase, be wary of websites advertising prices dramatically cheaper than anywhere else or offering products that are sold out nationwide. The reason their products are so cheap or available is that what you receive is not legitimate, may be counterfeit or stolen, or may never even be delivered. Protect yourself by doing the following:

 

  • When possible, purchase from websites that you already know, trust, and have done business with previously.
  • Verify the website has a legitimate mailing address and a phone number for sales or support-related questions. If the site looks suspicious, call and speak to a human. If you can’t get hold of someone to talk to, that is the first big sign you are dealing with a fake website.
  • Look for obvious warning signs, like deals that are obviously too good to be true or poor grammar and spelling.
  • Be very suspicious if a website appears to be an exact replica of a well-known website you have used in the past, but its domain name or the name of the store is slightly different. For example, you may be used to shopping online at Amazon, whose website is https://www.amazon.com. But be very suspicious if you find yourself at websites pretending to be Amazon, such as http://store-amazoncom.com.
  • Type the store’s name or URL into a search engine and see what other people have said about the website in the past. Look for terms like “fraud,” “scam,” “never again,” or “fake.” A lack of reviews can also be a sign indicating that the website is very new and might not be trustworthy.
  • Before purchasing any items, make sure your connection to the website is encrypted. Most browsers show a connection is encrypted by having a lock and/or the letters HTTPS in green right before the website’s name.

Remember, just because the site looks professional does not mean it’s legitimate. If you aren’t comfortable with the website, don’t use it. Instead, find a well-known website you can trust or have safely used in the past. You may not find that absolutely amazing deal, but you are much more likely to end up with a legitimate product and avoid having your personal and financial data stolen.
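As an added example that is not part of the original tips, the following Python check applies two of the warning signs above to a URL: whether the connection uses HTTPS, and whether the host merely borrows a trusted store’s name, as in the amazon.com versus store-amazoncom.com example. The trusted-store list and the two-label domain rule are assumptions made for this example, not a property of any real store.

```python
from urllib.parse import urlsplit

# Constructed list of stores the reader already knows and trusts
# (assumption for this example; a real list would be the reader's own).
TRUSTED_STORES = {"amazon.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the host's last two labels.

    Simplification for this example: multi-label public suffixes such as
    co.uk are ignored; a production checker would use the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_store_url(url: str, trusted=TRUSTED_STORES) -> list:
    """Return the warning signs from the tips above that apply to url.

    An empty list means the URL is https and belongs to a trusted store.
    """
    parts = urlsplit(url)
    warnings = []

    # Warning sign 1: the connection is not encrypted.
    if parts.scheme != "https":
        warnings.append("connection is not encrypted (no https)")

    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("no host name in URL")
        return warnings

    # A trusted store (or one of its subdomains, e.g. www.amazon.com) is fine.
    if registrable_domain(host) in trusted:
        return warnings

    # Warning sign 2: the host contains a trusted brand's name but is not
    # that store's domain, e.g. store-amazoncom.com or amazon.com.example.test.
    for store in trusted:
        brand = store.split(".")[0]
        if brand in host.replace("-", ""):
            warnings.append(
                f"host '{host}' uses the name '{brand}' but is not '{store}'"
            )
    return warnings


if __name__ == "__main__":
    # The two URLs from the tips above plus one constructed subdomain lookalike.
    for sample in ("https://www.amazon.com",
                   "http://store-amazoncom.com",
                   "https://amazon.com.example-deals.test"):
        print(sample, "->", check_store_url(sample) or "looks fine")
```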

 

Your Computer/Mobile Device

In addition to shopping at legitimate websites, you want to ensure your computer or mobile device is secure. Cyber criminals will try to infect your devices so they can harvest your bank accounts, credit card information, and passwords. Take the following steps to keep your devices secured:

  • If you have children in your house, consider having two devices, one for your kids and one for the adults. Kids are curious and interactive with technology; as a result, they are more likely to infect their own device. By using a separate computer or tablet just for online transactions, such as online banking and shopping, you reduce the chance of becoming infected.
  • Always install the latest updates and run up-to-date anti-virus software. This makes it much harder for a cyber-criminal to infect your device.

 

Your Credit Card

Regularly review your credit card statements to identify suspicious charges, especially after you have used your cards to make many online purchases or used a new site. Some credit card providers give you the option of notifying you by email or text message every time a charge is made to your card or when charges exceed a set amount. Another option is to have one credit card just for online purchases. That way, if it is compromised, you can easily change the card without impacting any of your other payment activities. If you believe fraud has been committed, call your credit card company right away. This is also why you want to use credit cards for all online purchases and avoid using debit cards whenever possible. Debit cards take money directly from your bank account, so if fraud has been committed, it can be far more difficult to get your money back. Finally, consider using credit cards that generate a unique card number for every online purchase, gift cards, or well-known payment services, such as PayPal, which do not require you to disclose your credit card number to the vendor.

Fake News 


 

What is Fake News?

Generally speaking, fake news is a false narrative that is published and promoted as if it were true. Historically, fake news was usually propaganda put out by those in power to create a certain belief or support a certain position, even if it was completely false. Social media has now created an environment where anyone with an agenda can publish falsehoods as if they were truths. People can be paid to post fake news on behalf of someone else or automated programs, often called bots, can publish auto-generated fake news. The motivations as to why people create and distribute fake news are as numerous as there are individual opinions.

 

The Dangers of Fake News

While some examples of fake news seem innocent or just an attempt at fun, a lot of it can be malicious and even dangerous. Fake news is created to change people's beliefs, attitudes, or perceptions, so they will ultimately change their behavior. This means if you fall into the trap of believing fake news, your beliefs and your decisions are being driven by someone else’s agenda. Also, in some parts of the world, there can be legal consequences for publishing and sharing fake news.

 

How to Spot Fake News

So how do you protect yourself from fake news? The most effective way is to only trust something once you can verify it.

  • Consider the Source: Think about the actual source of the news. A local blog will not be as trustworthy as a major academic journal. What does the source stand for? What are their objectives?
  • Supporting Sources: Look at the sources cited in the article. Are they themselves credible? Do they even exist?
  • Multiple Sources: Don’t just rely on a single article. The more you read from various sources, the more likely you can draw accurate conclusions. Also consider diverse sources and perspectives, for example, news from different countries or authors with different backgrounds.
  • Check the Author: Who is the author? Research them to see if they are a credible author, their reputation in the community, whether they have a specific agenda, or if the person posting is a real person. Are they authoring within their field of expertise?
  • Check the Date: Make sure that the date is recent and that it is not an older story simply rehashed.
  • Comments: Even if the article, video, or post is legitimate, be careful of comments posted in response. Quite often links or comments posted in response can be auto generated by bots or by people hired to put out bad, confusing, or false information.
  • Check Your Biases: Be objective. Could your own biases influence your response to the article? A problem that we humans often run into is that we only read sources that simply confirm what we already believe. Challenge yourself by reading other sources you normally would not review.
  • Check the Funding: Even legitimate publications have sponsors and advertisers who can influence an article or source. Check to see if the article is funded, and if so by whom.
  • Repost carefully: Fake news relies on believers to repost, retweet, or otherwise forward false information. If you’re uncertain as to the authenticity of an article, think twice or hold off on sharing it with others.

 

Conclusion

In today's fast-paced world of social media, fake news surrounds us every day. If you are not careful, you run the risk of believing and acting upon it. Take the time to follow these basic steps to help ensure you make informed decisions based on facts.

 

 

Used with permission by SANS Security Awareness

Holiday Season Online Shopping Tips 


 

Shoppers gearing up for the online holiday shopping season should be aware of what they’re up against while doing their online shopping. The Internet has always been an uncontrolled environment, but it becomes particularly rough during the holiday shopping season.

In preparation for the shopping frenzy, hackers have crafted specific social engineering scams, malspam, and malicious, spoofed websites in order to catch people expected to spend nearly $4 billion online this year.

It’s important to know the warning signs. Here’s a guide to safe online shopping during this and all holiday shopping seasons.

  1. Go directly to a store’s website instead of using search engines to look for deals. If you happen to find a deal using a search engine, try to verify it by searching for the exact name of the deal in quotes. If it’s a scam, then it’s likely someone will have already put out a warning.
  2. Don’t be fooled by pop-ups and other digital ads. Many pop-ups could contain fake coupons, redirect you to malicious sites, or expose you to cross-site scripting attacks. If a coupon seems to come out of nowhere with a too-good-to-be-true offer, don’t think twice. Just click the “x” and shut it down.
  3. Watch out for social media scams, especially on Facebook. Cybercriminals are using fake or compromised Facebook accounts in order to post links to amazing deals that don’t actually exist. They’re especially prone to dropping links on the walls of open groups dedicated to shopping. During any given holiday period there will be an excess of fake offers, deals, and supposed freebies. If you’re being asked to share something on Facebook in order to get something too good to be true, you can bet there’s probably a scam involved.
  4. Delete any holiday-related emails with attachments. Emails with attachments, especially zip files, are suspect: it’s possible, in fact likely, that they contain malware. Delete them immediately. If you get an email from a store claiming to have a deal, type the store’s URL directly into your browser instead of clicking on the link. If the site doesn’t verify the deal, you know it’s a fake.
  5. Make sure you’re on a secure connection. Look for the padlock icon to the left of the URL when you go to check out. If it’s there, then that means the information passed between a store’s server and your browser remains private. In addition, the URL should read “https” and not just “http.”
  6. Do not use debit cards to shop online. Debit cards give cybercriminals direct access to your bank account; it is safer to use credit cards or a PayPal account that’s linked to a credit card. While many banks are cracking down on fraudulent withdrawals, you’ll still have to wait for your money while they investigate the charges.
  7. Avoid using public Wi-Fi to shop. If you’re shopping and entering personal data, it’s safer to do it on your secure Wi-Fi connection at home, or make sure you are using a VPN on your laptop or mobile device in malls or coffee shops.
  8. Watch out for malicious QR codes. QR codes are small, pixelated codes meant to be scanned by a smartphone’s camera. They often contain coupons, links to websites, or other product marketing materials. Some hackers have started creating codes that link to a phishing or malware site, printing them on stickers, and placing them on top of the legit QR codes.
  9. Don’t give out extra info. If a site starts asking for out-of-the-ordinary personal data, like Social Security numbers or password security questions, close out of the site.
  10. Tighten up security before you go shopping this holiday season. Make sure all software on your computer is up-to-date, including your OS, browser, and other apps. And if you don’t already have it, install an anti-virus program on your desktop or laptop. In addition, since mobile shopping is set to outpace desktop shopping for the first time this year, it’s a smart idea to download an anti-virus program for your phone if available.

 

 

Email Scams 

DON'T FALL FOR FAKE STUDENT JOB POSTINGS

 

Jobs that sound too good to be true should raise a red flag for any college student. Fake job postings abound in unsolicited e-mails sent to your student account and in online job listing sites.

 

Fake jobs can be attempts to steal personal information about you or steal money or bank account information from you. You could also get entangled in criminal activity, so be cautious.

 

Here are some tips to help you identify fake jobs. You should always carefully research the legitimacy of employers before applying.

 

COMMON JOB SCAMS TARGETING COLLEGE STUDENTS:

  • Mystery shoppers
  • Envelope stuffing from home
  • Repackaging or shipping from home
  • Issuing checks/check processing from home
  • Model/talent agencies
  • Pyramid sales schemes
  • A variety of scams where a student is asked to pay for certification, training materials, or equipment with promise of reimbursement

 

OVER-PAYMENT SCAMS

Watch out for over-payment scams. These are often posted as a bookkeeper, personal assistant, administrative assistant, etc., to assist in processing checks or mystery/secret shoppers. The “company” sends a check to the “assistant” (student), who is then responsible for taking their “salary” out of the check and wiring the remainder of the money back to the “company.” These checks are fraudulent and can leave you out thousands of dollars and facing criminal charges.

 

BEWARE IF THE E-MAIL OR JOB POSTING:

  • Does not indicate the company name
  • Comes from an e-mail address that doesn’t match the company name
  • Does not give the employer contact information—title of person sending the e-mail, company address, phone number, etc.
  • Offers to pay a large amount for almost no work
  • Offers you a job without ever interacting with you
  • Asks you to pay an application fee
  • Wants you to transfer money from one account to another
  • Offers to send you a check before you do any work
  • Asks you to give your credit card or bank account numbers
  • Asks for copies of personal documents
  • Says you must send payment by wire service or courier
  • Offers you a large payment for allowing the use of your bank account—often for depositing checks or transferring money
  • Sends you an unexpectedly large check

 

No legitimate employer will send payment in advance and ask the employee to send a portion of it back. DO NOT provide any personal information especially Social Security numbers or financial information! 

 

EXAMPLES OF SUSPICIOUS ADS

 

The following job posting was rejected by the Student Employment Program Job Board:

 

"Agile and Responsible individual is needed to fill the vacant position of a Personal Assistant (Part time) Someone who can offer these services: *Mail services (Receive mails and drop them off at UPS) *Shop for Gifts *Sit for delivery (at your home) or pick items up at nearby post office at your convenience. (You will be notified when delivery would be made)."

 

A student notified the Student Employment Program that she received the following e-mail:

 

"If you are resourceful, organized, good with paperwork and honest, you can make three hundred dollars ($300) a week, as a business assistant. This flexible but formal position would only take at most two hours of your time daily, or even less, depending on your work-speed. You would be needed Mondays through Fridays, but the job’s flexibility lies in the fact that your duties are clear-cut and would take little of your time to be executed daily. Kindly get back to me ASAP if you are interested and wish to know more about this opportunity."

 

Another student received an e-mail offering them a "New, interesting, and respectable job" as a typist.

 

A recent actual email to UMB students:

 

Dear The University of Maryland, Baltimore Students...

 

At Market Force Information Company. Get paid $185- $250 Twice a week and we offer Survey Evaluation Services to various shopping outlets and Organizations. We want all Survey  Evaluation to take complete pride in their work, writing intelligent surveys that are clear, honest and observant.

 

The information collected by Market Force Information  Compliance Services reaches clients, but will always conceal individual identity. Survey results are aggregated by combining responses with those provided by other participants who have also completed the online survey. This data is stored in a database that can be analyzed by clients, but personal data will never be revealed, sold or traded without your permission.

 

You are providing input for the development of a product or service.

Market Force Information Compliance Services Is one of the most popular paid survey panels in America. My survey provides a variety of interesting surveys, including product reviews, service reviews buyers opinion, general opinion, Survey Evaluation just to name a few. Find below Job description (available survey). The recruitment is restricted to US and Canada residents only.

 

JOB DESCRIPTION (AVAILABLE SURVEY):

   Survey Evaluation services are to be carried out in your location in which you will carry out a survey on the performance and effectiveness of the stores with which you will be directed to carry out a Survey Evaluation on and we would like you to become our Survey Evaluation. Salary/Wage: - $185-$250 per survey assignment.

 

Your employment packet includes businesses/stores evaluation (Macy-Stores, Banks, Wal-Mart, CVS, McDonald's, Best Buy and many more). Assignment instructions will be sent to you via email after you must have received the payment for the Survey assignment.

 

Payment for the assignment/wages would be sent to you by Certified Check. No experience required and no upfront payment needed from you (Application is Free).

If you would like to be considered for this survey assignment, please fill out the application below and kindly send the requested details to the email above.

 

    Name:

    Current Address:

    City:

    State:

    Zip Code:

    Home Phone:

    Cell Phone:

    Alternative email address:

    Preferred Time to Call:

    Occupation: none

    Can you check email at least twice daily?

 

 

REPORT SUSPICIOUS ADS

If you feel that you’ve been the victim of a scam, please contact University Police at 410-706-6882.

 

RESEARCHING ADS AND EMPLOYERS

 

WHY IS IT IMPORTANT TO RESEARCH EVERY OPPORTUNITY?

  • To find out if the job and the company are legitimate
  • To gather information to help you determine whether the company or job is a good fit for you
  • To find data to help you write targeted resumes and cover letters
  • To find facts to help you answer interview questions such as: Why do you want to work for this company?

 

VISIT THE ORGANIZATION WEBSITE

If the organization in question doesn’t have a website or the website doesn’t seem to match the advertised job, there may be cause for concern. Note the professionalism of the website. Is there specific contact information? Are jobs and career information actually posted on the site? Lack of pertinent information is a red flag.

 

USE PERSONAL CONTACTS, LINKED-IN OR OTHER NETWORKING SITES

Do you have any connections to help you find inside information? If you belong to a professional association, they may be able to put you in touch with people who can advise you. Search Linked-In by “People” and the advanced search fields for “Company Name.” Click the “Current Companies Only” checkbox to receive information on people currently listed as employed by this company.

 

USE GOOGLE

Search by the name of the organization to gather information and recent news. You can also search by “scam” to look for signs the company has been reported in any type of fraudulent activity.

 

CHECK WITH CONSUMER SERVICES

Two organizations to check with are the Better Business Bureau and the Federal Trade Commission; see whether any complaints have been lodged against the company.

 

INVESTIGATE THE COMPANY’S REFERENCES

If you aren’t sure a company is legitimate, request a list of employees or contractors. Then contact the references to see how satisfied they are. If a company isn’t willing to share references (names, e-mail addresses and phone numbers), this is a red flag. You may want to research the references a bit as well, to be sure they are legitimate.

 

BE SUSPICIOUS OF POOR COMMUNICATION SKILLS

Be careful when an employer cannot communicate accurately or effectively on the website, by e-mail, over the telephone, etc. If communications are sloppy, how professional is the organization?

 

EXERCISE CAUTION WHEN ASKED TO PAY ANY FEES

Most legitimate employers will not charge to hire you! Don’t send money for work-at-home directories, advice on getting hired, company information or for anything else related to the job. There are some well-known internship programs that do require payment to place you in internships, but check with your department’s internship coordinator to determine if the program is legitimate.

REVIEW PAYMENT INFORMATION

When information about salary isn’t listed on a job posting, try to find out if you will receive a salary or be paid on commission. Find out how much you’re paid, how often you are paid and how you are paid. If the company doesn’t pay an hourly rate or a salary, be cautious and investigate further.

BEWARE: SCAM ADS CAN BE FOUND IN LEGITIMATE PUBLICATIONS

Read all information carefully. If the opportunity sounds too good to be true, it probably is! Just because a job lead appears in a legitimate publication, it doesn’t mean that the job or company is, necessarily, legitimate. Forget about getting rich quick.

ADDITIONAL INFORMATION ABOUT JOB SCAMS

Federal Trade Commission video about Job Scams

Holiday Online Shopping

The holiday season is a prime time for hackers, scammers, and online thieves. Due to the pandemic, this holiday season may look and feel a bit different, but we all still need to be aware of the potential dangers online shopping can bring and the ways we can protect ourselves. While millions of Americans will be online looking for the best gifts and Cyber Monday deals, hackers will be looking to take advantage of unsuspecting shoppers by searching for weaknesses in their devices or internet connections or attempting to extract personal and financial information through fake websites or charities.

The best defense against these threats is awareness. There are a few simple steps we all can take to be more secure before and after we shop.

Check Your Devices

Before making any online purchases, make sure the device you’re using to shop online is up to date. Next, take a look at your accounts and ask: does each have a strong password? And even better, if multi-factor authentication is available, are you using it?

Multi-factor authentication (or two-factor authentication) uses multiple pieces of information to verify your identity. Even if an attacker obtains your password, they may not be able to access your account if it is protected by this multi-step verification process.

  • Protect your devices by keeping the software up-to-date. These include items like mobile phones, computers, and tablets, but also appliances, electronics, and children’s toys.
  • Once you’ve purchased an internet connected device, change the default password and use different and complex passwords for each one. Consider using a password manager to help.
  • Check the devices’ privacy and security settings to make sure you understand how your information will be used and stored. Also make sure you’re not sharing more information than you want or need to provide.
  • Enable automatic software updates where applicable, as running the latest version of software helps ensure the manufacturer is still supporting it and providing the latest patches for vulnerabilities.

Only Shop Through Trusted Sources

Think about how you're searching online. Are you searching from home or on public Wi-Fi? How are you finding the deals? Are you clicking on links in emails or going to trusted vendors? Are you clicking on ads on webpages?

You wouldn’t go into a store with boarded-up windows and no signage – the same rules apply online. If it looks suspicious, something's probably not right.

  • Before providing any personal or financial information, make sure that you are interacting with a reputable, established vendor.
  • Some attackers may try to trick you by creating malicious websites that appear to be legitimate. Always verify the legitimacy before supplying any information. If you’ve never heard of it before, check twice before handing over your information.
  • Don’t connect to unsecure public Wi-Fi, especially to do your banking or shopping.
  • Most of us receive emails from retailers about special offers during the holidays. Cyber criminals will often send phishing emails—designed to look like they’re from retailers—that have malicious links or that ask for you to input your personal or financial information.
  • Don’t click links or download attachments unless you’re confident of where they came from. If you’re unsure if an email is legitimate, type the URL of the retailer or other company into your web browser as opposed to clicking the link.
  • Never provide your password, or personal or financial information in response to an unsolicited email. Legitimate businesses will not email you asking for this information.
  • Make sure your information is being encrypted. Many sites use secure sockets layer (SSL) to encrypt information. Indications that your information will be encrypted include a URL that begins with "https:" instead of "http:" and a padlock icon. If the padlock is closed, the information is encrypted in transit. Encryption alone does not prove the site belongs to the retailer it claims to be, so still verify the vendor before entering any information.

Use Safe Methods for Purchases

If you're ready to make a purchase, what information are you handing over? Before providing personal or financial information, check the website's privacy policy. Make sure you understand how your information will be used and stored.

  • If you can, use a credit card rather than a debit card. There are laws that limit your liability for fraudulent credit card charges, but you may not have the same level of protection for your debit cards. Additionally, because a debit card draws money directly from your bank account, unauthorized charges could leave you with insufficient funds to pay other bills. Also use a credit card when paying through a payment gateway such as PayPal, Google Wallet, or Apple Pay.
  • You’ll likely make more purchases over the holiday season, so check your credit card and bank statements frequently for fraudulent charges. If you find any, immediately notify your bank or financial institution and local law enforcement.
  • Be wary of emails requesting personal information. Attackers may attempt to gather information by sending emails asking you to confirm purchase or account information. Legitimate businesses will not solicit this type of information through email. Do not provide sensitive information through email.

If you receive a suspicious email that you think may be a phishing scam, you can report it at us-cert.gov/report-phishing.

Used with permission of Cybersecurity & Infrastructure Security Agency

Top Cybersecurity Tips for Vacations

Overview

As the holiday season approaches, millions of people will be traveling. If you are among the many, here are some tips to help keep you cyber savvy and safe.

  • Mobile Devices: Bring as few devices as you can. The fewer devices you bring while traveling, the fewer that can be lost or stolen. In fact, did you know that you are far more likely to lose a mobile device than have it stolen? Whenever leaving a hotel room, restaurant, taxicab, train, or airplane, do a quick device check and make sure you have all your devices. Ask friends or family traveling with you to check for their devices too, especially children, who may leave a device behind on a seat or in a restaurant.
  • Wi-Fi Connections: When traveling, you may need to connect to a public Wi-Fi network. Keep in mind you often have no idea who configured that Wi-Fi network, who is monitoring it or how, and who else is connected to it. Instead of connecting to a public Wi-Fi network, whenever possible connect to and use the personal hotspot feature of your smartphone. This way you know you have a trusted Wi-Fi connection. If that is not possible and you need to connect to a public Wi-Fi network (such as at an airport, hotel, or cafe), use a Virtual Private Network, often called a VPN. This is software you install on your laptop or mobile devices to help protect and anonymize your Wi-Fi connection. Some VPN solutions include settings to automatically enable the VPN when connecting to non-trusted Wi-Fi networks.

As for the devices you choose to bring, make sure you update them, so they are running the latest operating system and apps. Keep the screen lock enabled. If possible, ensure you have some way to remotely track your devices if they are lost. In addition, you may want the option to remotely wipe the device. That way if a device is lost or stolen, you can remotely track and/or wipe all your sensitive data and accounts from the device. Finally, do a backup of any devices you take with you, so if one is lost or stolen, you can easily recover your data.

  • Public Computers: Avoid using public computers, such as those in hotel lobbies or at coffee shops, to log into any accounts or access sensitive information. You don’t know who used that computer before you, and they may have infected it accidentally or deliberately with malware, such as a keystroke logger. Stick to devices you control and trust.
  • Social Media: We love to update others about our travels and adventures through social media, but we don’t always know who every friend or viewer is online. Avoid oversharing while on vacation as much as possible and consider waiting to share your trip until you’re home. Additionally, don’t post pictures of boarding passes, driver’s licenses, or passports as this can lead to identity theft.
  • Work: If you will be working while on vacation (we hope not!), make sure you check what your work travel policies are ahead of time, including what devices or data you can bring with you and how to remotely connect to work systems safely.

Vacation should be a time for relaxing, exploring, and having fun. These simple steps will help ensure you do so safely and securely.

Used with permission by SANS Security Awareness

Cybersecurity Awareness Month 2019

Stop.Think.Connect. is a national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online. Cyber threats affecting you, your family, and members of your community include:

Identity Theft

  • Identity theft is the illegal use of someone else’s personal information in order to obtain money or credit.
  • Identity theft can happen to anyone in any location across the country.
  • Take simple steps to protect your online identity by:
    • Locking and password protecting your computer and cell phone.
    • Not sharing specific personal information online, such as your full name or birthday.
    • Setting proper privacy settings on social networking sites.

Fraud and Phishing

  • Fraud is the intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.
  • Phishing is a scam by which an email user is duped into revealing personal or confidential information that the scammer can use illicitly or fraudulently.
  • Fraud and phishing attacks may take the form of an authentic-looking website or a personalized email.
  • Secure yourself from fraud and phishing attacks by:
    • Turning off the option to automatically download attachments.
    • Saving and scanning any attachments before opening them.
    • Calling the source to verify that they are indeed the ones who sent the email before providing any kind of information.

Cyber Bullying and Ethics

  • Cyber bullying is the electronic posting of mean-spirited messages about a person, often done anonymously.
  • Cyber ethics help Internet users understand what type of online behavior is right and wrong.
  • Cyber bullying and poor cyber ethics are threats many teens and young adults face not from strangers, but from their own peers.
  • Whatever anyone posts online about another person can be spread virally, resulting in serious, unwarranted damage to an individual’s reputation or personal well-being.
  • If you are being bullied, report it to a trusted adult—a parent, teacher or neighbor.
  • Avoid being a cyber-bully and practice good cyber ethics by:
    • Following the Golden Rule: be nice online and in real life.
    • Not saying or doing anything online that you wouldn’t say or do in person.
    • Owning and taking responsibility for your actions online.

Cyber Predators

  • Cyber predators are people who search online for other people in order to use, control, or harm them in some way.
  • Cyber predators target teens and young adults—both male and female—on a regular basis, regardless of whether or not the victims are 18 or above.
  • Social networking sites enhance a predator’s ability to target young Americans, especially if they share personal information in their profile.
  • To protect yourself from cyber predators:
    • Be aware—you never know who is behind the screen, so be protective of yourself and your personal information.
    • If you are being targeted or harassed online, notify your family or the proper authorities.