Identity Theft & Cybersecurity
As the internet and online programs become more powerful and cyber criminals become more savvy, we will make every effort to keep you informed of the latest information on protecting your computers, networks and clients. Here are two important system changes to be aware of.
Beginning January 14, 2020, Windows 7 will reach "end of life". What this means is Microsoft will stop sending critical security patches and updates and providing technical assistance. While you will be able to operate PCs using Windows 7, they will become increasingly vulnerable to security risks and viruses. Microsoft will support Windows 10 and Windows 8.1 with the latest security updates.
Windows Server 2008 will also reach "end of life". The server and networks will become vulnerable to cyberattacks. Without security updates, hackers will be able to find and exploit weaknesses.
What You Should Be Doing Now!
- Give yourself plenty of time to test applications and user experiences
- Check hardware compatibility, not just computers but printers, scanners, etc.
- Check software/systems compatibility
- Create a security plan to separate critical systems that need to run on Windows 7 devices from the Internet
- Employee training on Windows 10
We urge you to discuss with your IT department or IT consultants to plan and prepare for the transition if necessary.
Click here to view an article with more information.
Click here for an Identity Theft Recovery Plan
Click here for Cybersecurity Tips for Small Businesses
What is Cybercrime?
Like traditional crime, cybercrime covers a broad scope of criminal activity and can occur anytime and anyplace. What makes it different is that the crime is committed using a computer and the Internet. You may recognize some of its most common forms such as identity theft, computer viruses and phishing, and at a corporate level, computer hacking of customer databases.
Most people are aware of these and protect themselves and their PCs with anti-spyware and anti-virus software such as Norton or McAfee programs. You should be alert to the fact that cybercrime is becoming more and more sophisticated and not only targets consumers and large corporations, but small to medium sized businesses as well. Single programs against these intrusions are not enough.
An alarming cybercrime now affecting small to medium sized businesses is “corporate account take over.” This involves cyber criminals penetrating the computer network of a business and spreading malicious software, such as a “keylogger” which records the words typed, Web browsing history, passwords and other private information. This in turn allows them access to programs using your log-in credentials.
If they steal your password and breach your online banking system, the cybercriminal can begin an online session to initiate funds transfers, by ACH or wire transfer, to their accomplices. The accomplices withdraw the money almost immediately.
Online Security Practices
While no tools or automated software is 100% effective, the best solutions to protect your business are to be well informed and use common sense. Using a multiple vendor, multi-layer approach to system design can significantly reduce your chances of being a victim of cybercrime. To assess the risks associated with a cyber-intrusion of your business’s online systems and critical client data, ask yourself the following questions:
1. Does your business have a hardware based firewall at the network level?
2. Does the network firewall include anti-virus, anti-spyware and anti-spam services along with content filtering and intrusion prevention, detection and real-time reporting?
3. At the individual PC level, does each computer have centrally updated and monitored anti-virus, anti-spyware and anti-spam software loaded?
4. Are your computers set up to automatically update your operating system and applications for the latest available security and critical updates?
5. Do you consider your browser security setting to determine how much or how little information the browser can accept from, or transmit to, a website?
6. Does your business have a security policy in place that includes such policies as disaster recovery, use/storage of passwords, use of social media on work computers, etc.?
7. Does your business back-up critical files in case of an issue that disables your systems?
8. Has your business identified an individual to review security policies and practices on an ongoing basis?
9. Are you aware of the laws governing the protection of personal information in your state?
10. Do you have cybercrime insurance to protect your data and liability exposure in the event of an intrusion?
11. Does your business have a training program to educate employees on best practices to avoid becoming a victim?
12. Does your online banking system provide multiple layers of security tools to prevent intrusions into the system such as token-based authentication? Business principals should consider the types of transactions they conduct within online banking and check with their banking institution for available security enhancements.
These are just some of the basic steps a business can implement to assess and protect itself from cybercrime. Your business should have a network security assessment and review conducted by a certified information technology firm that specializes in network security. This evaluation will help you to identify the “next steps” in securing your network and data from unauthorized access and distribution.
Cell Phone Safety
If you’ve lost or have had your cell phone stolen and haven't setup any security at all, your contacts, (and who doesn't keep account numbers and the 300 passwords we all need to run our lives!), personal confidential documents, and calendar are free for the viewing. You don't want some criminal knowing you won't be home for the weekend and the rest of your personal business! With identity theft getting worse, here are 15 simple tips that can make having your phone lost or stolen a little easier to deal with and with a lot less stress!
1. Protect your data in case of theft. Because they're so portable, the biggest threat to a mobile device is loss or theft. Several mobile products offer features to locate and recover a lost or stolen phone. Typically they also include the ability to lock the phone, make the phone flash and scream even if the volume is turned off, and wipe out all private data if it can't be recovered. There are also programs available that allow you to remotely lock and wipe the phone by sending a text message. Some are free for locate usage with lock and wipe features paid, but in general are very low cost.
2. Lock your phone. Setup a PIN or complex pattern to gain access to the phone. Use the maximum amount of characters allowed and set the PIN/pattern required timeout to no more than 10 minutes.
3. Encrypt data. Install an encryption app if confidential data must be accessed or stored using a mobile device, but you should avoid using or storing confidential data whenever possible.
4. Use anti-virus/malware programs. Most people run anti-virus programs on their home and work computers but neglect to on their phones. Apps are available that let you scan your phone for malware, provide a safer internet browsing functionality, (i.e. will block known phishing sites that look legit), and backup and restore your data online. These apps scan other apps, settings, media and phone contents in search of suspicious files and as files or apps are being downloaded. Many of them are free and work very well.
5. Connect to secure Wi-Fi networks and disable Wi-Fi when not in use. When you're not using them, it's best to disable features like Bluetooth, infrared or Wi-Fi. By doing so you'll get longer battery life! Avoid joining unknown Wi-Fi networks when you need to connect. If you must, limit your activity to non-commerce usage.
7. Review and set privacy settings. Many apps have privacy settings within the app itself, typically in the "settings" or "privacy" tab. The settings can manage activities like whether the app can access your local information. Check the privacy default settings to make sure you agree with them, if not get rid of them. You can also review the privacy settings for your device's operating system. For example, you can turn off the phone's ability to geo-locate you, (aka location services), or create a password to protect the phone. Delete any app that you consider invasive.
8. Never unlock or "jailbreak" the default security settings. While some sites may promote the use of unauthorized applications, games, etc., the end result is the same - you've left your device open for criminals to abuse with targeted mobile malware. You should never override the security settings in your tablet or phone, especially if you plan to access personal or business email, mobile banking or other sensitive information on the Internet.
9. Replace your phone properly. Many wireless providers offer programs to upgrade your phone every couple of years. If you decide to get the latest model, be sure to delete all information stored in your device before discarding, exchanging or donating it. Perform a "hard reset" of the device which will return your phone to the original factory image and defaults and remove all data and apps. If your device has a removable SD card, be sure it is also erased.
10. Never "root" your phone. Rooting your phone leaves you open to incursion from criminals, eliminates the ability to receive support from the vendor/carrier, and in some cases can damage the phone.
11. Call your provider. If your phone is lost or stolen, call your provider and have them add your phone to the lost and stolen list. By doing this, a criminal can never reactivate the phone.
12. Buy insurance. Most cell phones cost $400-$600 without a contract, insurance is a good buy at roughly $4-6 per month, especially if you are not eligible for an upgrade.
13. Call your cell provider if you are buying a used or reconditioned cell phone from a third party, (i.e. EBay, Craigslist, etc.). If you're not eligible for an upgrade or didn't have insurance on your phone, it is enticing and far more inexpensive to search the web for a used or reconditioned phone from someone other than your carrier. The private seller should have no issue providing you with the EIN, (serial number) of the device they are selling and if they won't....RUN, you're probably buying a stolen phone! With any used or refurbished phone from anyone other than your provider, call your carrier and this way they can tell you if the device is on the lost/stolen list or already activated on someone else's account! I can't tell you how many people unknowingly buy a stolen phone or tablet.
14. Backup, Backup, Backup. There are so many options and it is so much easier to do than even a year ago. Most carriers offer a free to low-cost backup service as well as most anti-malware vendors.
15. Contact your employer. If your phone was configured by your IT department for access to email, custom apps, etc. Let them know you have lost your phone or it's been stolen. They can help you reset other work related passwords to avoid having lost corporate data compromised.
Identity theft is one of the fastest growing white-collar crimes in the nation. It is becoming more sophisticated and the number of new victims is growing. A consumer’s identity can be stolen by simply stealing information from your mail or garbage or through sophisticated phone and online schemes. Identity thieves need only to obtain your name, address, an account number and/or your social security number to take over your identity.
As a consumer, you can avoid identity theft by being aware of the various schemes and consciously taking basic precautions.
- On the Internet – through “phishing” or “spam” emails and leaving personal information on unsecured websites.
- “Dumpster Diving” – people that go through your garbage cans or a communal dumpster to obtain copies of your checks, credit card or bank statements.
- Through your mail – be conscience of bank and credit statements and preapproved credit card applications.
Do you know how to spot a phishing email?
A “Phishing” email is a scam that involves identity thieves “fishing” for your personal and financial information. It is one of the easiest forms cybercrimes criminals can carry out. Many of these emails are designed to closely resemble emails from trusted well-known companies or people. The goal is to trick you into linking to a fake website in order to gain access to your personal information (social security number, account numbers, passwords, etc.) or to add malicious software to your computer.
Be vigilant and look for the warning signs:
The sender is unknown
The title of the email doesn’t make sense
There is improper spelling or grammar
The offer seems too good to be true
You didn’t initiate the action
Message makes unrealistic threats (your account has been compromised, your account will be close, your account will be suspended, etc.
Do not open an email from someone you don’t trust and most importantly, do not click any link or provide personal information until you’ve confirmed the email is real. You can go directly to the source (your bank, company, shipping company, etc.) with a trusted phone number.
"Phishing" is a scam that involves identity thieves “fishing” for your personal and financial information. This is how it works:
- A consumer receives an e-mail which appears to originate from a financial institution, government business, or other well-known/reputable entity.
- The message describes an urgent reason you must "verify" or "re-submit" personal or confidential information by clicking on a link embedded in the message.
- The provided link appears to be the Web site of the financial institution, government business or other well-known/reputable entity, but in "phishing" scams, the Web site belongs to the fraudster/scammer.
- Once inside the fraudulent Web site, the consumer may be asked to provide Social Security numbers, account numbers, passwords or other information used to identify the consumer, such as the maiden name of the consumer's mother or the consumer's place of birth.
Other phishing scams include text messages - called "smishing", phone calls or recorded messages requesting verification of your credit card or bank account information and emails that are job offers, surveys, prizes & awards, gift certificates, sponsors or charities or money laundering schemes.
While normal “phishing” efforts depend on reaching the greatest number of people with one email, “whaling” targets top level executives at organizations with a personalized email.
- Emails appear to be sent from a legitimate business authority (Better Business Bureau or the U.S. Tax Court).
- These emails are in regards to a complaint with the Better Business Bureau, a recruitment company, information about an invoice or a tax matter.
- Links embedded in these emails will ultimately install malware on your computer.
- Bottom line – never open an email or forward it to a staff member unless you are sure of the identity of the sender.
- Protect your Social Security Number, credit card and debit card numbers, PINs (personal identification numbers), passwords and other personal information.
- Review bank statements and credit card bills carefully.
- Shred old statements, financial documents, bills, pre-approval credit card offers or other documents with sensitive personal information.
- Financial institutions and government agencies will never ask for personal or account information over the phone or online. Never provide the information unless you have initiated the contact. If you think the contact may be legitimate, contact the institution yourself.
- Disregard "too good to be true" offers.
- Review your credit report annually. AnnualCreditReport.com provides consumers with the secure means to request and obtain a free credit report once every 12 months from each of the three nationwide consumer credit reporting companies in accordance with the Fair and Accurate Credit Transactions Act (FACT Act). You can also contact each credit bureau separately.
PO Box 740241
Atlanta, GA 30374
To report Fraud: (800) 525-6285
To order a credit report (800) 685-1111
PO Box 2002
Allen, TX 75013
To report Fraud: (888) 397-3742
To order a Credit Report: (888) 397-3742
PO Box 2000
Chester, PA 19016
To report fraud: (800) 680-7289
To order a credit report: (800) 888-4213
If you are a victim of identity theft you should contact the proper authorities immediately.
- Contact creditors or financial institutions for any account that have been tampered with or opened fraudulently.
- Contact the fraud departments of each of the three major credit bureaus.
- File a report with your local police.
- File a complaint with the Federal Trade Commission at www.ftc.gov or 1-877-IDTHEFT.
In addition to identity theft, consumers should also be aware of other scams that attempt to trick individuals into giving them money. Many of these include counterfeit cashier’s checks.
- Notification you have won a lottery and once you pay a "processing" fee or transfer charge, you will receive the money. The fraudster takes your money and you never get your "winnings".
- Emails from overseas seeking your help to cash a check - You are instructed to cash the check, keep a portion for yourself and send a check to them for the difference.
- An offer to purchase an item you are selling online and sending a check for more than the purchase price. Then you are asked to cash the check and send them the difference.
- After you’ve sent the money, you learn that the check you cashed is counterfeit and the bank has offset the amount of the check against other funds in your account.
How can you avoid these types of fraud?
- If it sounds too good to be true, it’s not true!!
- Be wary of any offer that requires you to wire money or withdraw cash from your account.
- Contact the issuing bank to attempt to verify the validity of the cashier’s check before depositing the item. Do not use a phone number that is listed on the check in question.
Social networking sites are becoming more popular attack avenues for cybercriminals because people trust those they believe to be “friends”. These cybercriminals use that trust to upload malicious software onto your computer and to try and gather personal information. Caution should be used when on these sites.
Using social engineering techniques, these scammers manipulate people into entering fraudulent sites or clicking on links to spread viruses or reveal confidential information.
Here are a few examples:
- Koobface (an anagram of Facebook!)Worm
The scams involving the koobface worm are pretty straight forward. In the attack, a user will receive a message from what appears to be one of their friends. The message will say something like “Paris Hilton Tosses Dwarf On The Street”, “You must see it!!! LOL. My friend caught you on hidden cam” and many others.
Included in the message will be a link to a page which appears to be a YouTube video. A request to “upgrade your Flash player now” will appear and if downloaded and installed will infect your PC and send similar messages to your friend.
- I’ve Been Robbed! Western Union Me Money!
This scam involves suddenly receiving a message from one of your friends telling you that they’re stuck in another country, they’ve been robbed, don’t have a wallet, and need money to get out of the country. It sounds like a horrible situation but don’t get fooled and wire money before you can verify with your friend.
- IQ Test
Facebook users appear to get in invitation from a “friend” asking them to check out an IQ test. You take the test and at the end are asked to enter your cell phone number so your results can be text to you. When you do you get signed up for a premium texting services with high monthly fees.
The best way to prevent these scams is to avoid all links or invitations that appear to be out of the ordinary, even if from a friend.
Malware, short for "malicious software," includes viruses and spyware to steal personal information, send spam, and commit fraud. Criminals create appealing websites, desirable downloads, and compelling stories to lure you to links that will download malware. Malware most times remains unnoticed, either by actively hiding or by simply not making its presence on a system known to the user.
“Spyware” is a type of malicious software installed on your computer without your knowledge. It collects small pieces of personal information including Internet surfing habits and sites visited. It also can redirect web browser activity and change computer settings. Spyware is typically hidden from the user, and can be difficult to detect once installed. Spyware can be installed on computers via fraudulent emails, legitimate software download or pop-up windows. These messages masquerade and try to be as legitimate looking as possible.
- Keystroke Logging
As with spyware, keyloggers are installed on your computer without your knowledge. It is the action of tracking (or logging) the keys struck on a keyboard, typically in a hidden manner so that the person using the keyboard is unaware that their actions are being monitored. Keystroke logging can record the words typed, Web browsing history, passwords and other private information. This is extremely dangerous in all aspects of computer usage, especially with financial information.
“Scareware” is a term to describe an attempt to scare a person, via pop-ups, into believing their computer was scanned and has a virus. These pop-ups contain frivolous and alarming warnings or threats and are especially designed to look like they come from the user's operating system.
The fake scan concludes that the user's computer has a malware infection and says to fix it the user must download antivirus software and the cost is as much as $50. What the user usually gets is a form of malware that actually does infect the computer. Not to mention being out the fee!
“Ransomware” is an attack carried out using secretly installed malware that encrypts the victim's files and then requests a ransom payment in return for the decryption key that is needed to recover the encrypted files. It is on your computer because you have most likely clicked on an infected popup advertisement or an infected link in an email. The bad guys hold your computer hostage and attempt to extort payment.
The criminals often ask for a small payment, assuming you will be willing to pay to avoid the aggregation of dealing with the virus. They may ask for as little as $10 to be wired through Western Union, paid through a premium text message or sent through a form of online cash. Paying the ransom is no guarantee that your computer will be restored. Protect yourself from ransomware by using reputable antivirus software, back up often to an external hard drive or cloud, enable your popup blocker and use common sense when clicking on advertisements or email links.
Please consider the following to keep your computer safe:
- Protect your computers with a strong anti-virus/anti-spyware/anti-spam software program and make sure they are updated on a daily basis at a minimum and note the expiration date. Anti-virus software alone is not sufficient to protect your systems from today’s complicated techniques. Most identity theft problems originate with spyware.
- For Windows users, please be sure the Windows Firewall Service is turned on and your computer is up to date with critical patches. Configure Windows Update to check for these critical updates automatically.
- Strongly consider the use of a hardware based firewall product. These products are designed to protect all your computers from attackers before it reaches your PC. Typically they also provide anti-spyware and anti-virus capability as well. Stopping the intrusion before a threat arrives at your PC is one of the best measures you can take to avoid infecting your computer.
- Strongly consider the use of Content Filtering to prevent users from visiting websites that are inappropriate. These sites are more likely to contain spyware payloads that will attempt to install on your system. Some hardware based firewalls mentioned above also provide content filtering.
- Don’t trust any email from any source that is asking for or attempting to verify personal information, account numbers, etc.
- If your business utilizes an online banking system, you should consider using an additional layer of security called token-based authentication. The security token, provided by your financial institution, is a small hand held device that generates a unique, random password that is required for certain transactions. These transactions are blocked without the physical possession of the token.