REPORT ALL SUSPICIOUS OR CRIMINAL ACTIVITY TO 911

Saturday, October 29, 2022

CYBER SECURITY – Phishing/Smishing

You use strong passwords, 12 or more characters long, a combination of numbers, letters, and symbols, you make sure to use a different password for each of your accounts, and you store your passwords in a secure password manager.

Plus, you have set your operating system and your software to update automatically for security and other updates from the originator of the software.

You may think that you have all of your bases covered. But there is one other method that cyber criminals can use to get into your online accounts and your computer, tablet, or smartphone. They can go “phishing.”

Phishing is where scammers send you an email or a text message (called smishing) with embedded links that take you to a website where the scammer collects your personal information or downloads malware that can collect data from your computer for the scammer’s use.

According to the National Cybersecurity Alliance, phishing is the most common cause of data breaches. Phishing exploits a basic weakness of cybersecurity: we human beings.

Phishing attempts employ social engineering techniques to convince you to click on the links in the message. Phishing is an especially important threat for the business world because it can be used to collect intelligence about the company or to manipulate the data that a company stores on its computer network, as in a ransomware attack. Phishing can also affect individuals, who are targets for identity theft.

The social engineering techniques employ one or more of the following elements:

·         They “Pretend” to be an organization or someone you know. They will impersonate organizations such as Microsoft, Amazon, Comcast, PayPal, or a major bank like Chase or Wells Fargo. They will format an email to look like it comes from the organization. For an attack on a business, they might make the email/text look like it came from a coworker or a supervisor.

·         The scammer will tell you that there is a “problem” that you need to solve. They may provide a link in the email/text that is supposed to take you to a web page that would help you solve the problem. The web page will try to collect your personal information, such as your ID and password for a specific account, your Social Security Number, or an account number. Scammers who target a business might have you move funds (if you are in the finance department) or ask for certain information. In the meantime, the link could also download malware onto your computer.

·         The scammer will “pressure” you to act fast. They will tell you that the problem needs to be taken care of right away or there could be dire consequences to you.

 

When you receive an email or text message, ask yourself the following questions:

·         Does it contain an offer that is too good to be true?

·         Is the language urgent, alarming, or threatening?

·         Are there many misspellings and bad grammar?

·         Is the greeting ambiguous or very generic?

·         Does it ask for your personal information?

·         Does it pressure you to click on a link or attachment right away?

·         Does it make a strange or abrupt business request?

If the answer is yes to any of the above questions, delete the email/text. If the answer is no to the following question, delete the email/text.

·         Does the sending e-mail address match the company that it says it is coming from?
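The sender-address question above is one that a mail filter can also check mechanically. The following Python sketch is an added example, not part of the original post; the brand-to-domain table and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed table (assumption): brand word -> domains that brand really mails from.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
    "amazon": {"amazon.com"},
    "chase": {"chase.com"},
}

def domain_matches(domain, legit):
    """True only if domain is legit itself or a true subdomain of it."""
    domain = domain.lower().rstrip(".")
    return domain == legit or domain.endswith("." + legit)

def check_sender(raw_message):
    """Return a list of findings; an empty list means no mismatch was detected."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ["From header has no usable address"]
    domain = addr.rsplit("@", 1)[1]
    # Whole-word match so that "purchase" does not count as a claim to be "chase".
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    findings = []
    for brand in sorted(words & set(BRAND_DOMAINS)):
        if not any(domain_matches(domain, d) for d in BRAND_DOMAINS[brand]):
            findings.append(f"display name claims '{brand}' but address domain is {domain}")
    return findings

# Constructed sample messages (not real mail).
SAMPLES = {
    "genuine": 'From: "PayPal" <service@mail.paypal.com>\nSubject: Receipt\n\nThanks.',
    "lookalike": 'From: "PayPal Support" <service@paypal.com.account-check.example>\n'
                 "Subject: Problem with your account\n\nAct now.",
    "unrelated": 'From: "Chase Bank Alerts" <alerts@chase-secure.example>\n'
                 "Subject: Urgent\n\nVerify.",
    "personal": 'From: "Aunt May" <may@example.org>\nSubject: Purchase photos\n\nHi!',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_sender(raw) or "no mismatch found")
```

A matching address does not prove that a message is genuine, because the From header itself can be forged; the other questions in the list still apply.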

 

Also, report a suspected phishing email. If it came to your business, report it to your IT department. If it came to your personal email account, you can report it to your email provider, for example:

·         Microsoft Outlook- https://support.microsoft.com/en-us/office/phishing-and-suspicious-behaviour-0d882ea5-eedc-4bed-aebc-079ffa1105a3

·         Gmail- https://support.google.com/mail/answer/8253?hl=en

·         Mac Mail- https://support.apple.com/en-us/HT204759

 

Here are more resources that explain phishing and smishing:

 

 

National Cybersecurity Alliance:

https://staysafeonline.org/wp-content/uploads/2020/05/To-Click-or-Not-to-Click-1.pdf

https://20740408.fs1.hubspotusercontent-na1.net/hubfs/20740408/Phishing.pdf?utm_campaign=Cybersecurity%20Awareness%20Month&utm_medium=email&_hsmi=215220112&_hsenc=p2ANqtz-8S2-wU4O8ztw09QrtrGmpaPoD7T9TbiO5Pyg1tOVGtPrI9JNsr8c7w97zAytMDJO8pkOWwe-u5qgfFZ0aMKu3RaSYfrL3XhmV-WJ9wIKy6EbTuKwY&utm_content=215220112&utm_source=hs_automation

https://20740408.fs1.hubspotusercontent-na1.net/hubfs/20740408/CAM_2022_Infographics_Phishing_NOLOGO.pdf?utm_campaign=Cybersecurity%20Awareness%20Month&utm_medium=email&_hsmi=215220112&_hsenc=p2ANqtz-_dKAnZVl1XxHhkRx0PqzuZ58gpvaZW6OZuiZsc1cE3vlDHMU1-hYlSPVbVy3VCbmbQ9hqoHIxzNcPXT6Z3GotYtN6p59N0B_rJhXynYWnHYm8kB1s&utm_content=215220112&utm_source=hs_automation

https://staysafeonline.org/resources/software-updates/?utm_campaign=Cybersecurity%20Awareness%20Month&utm_medium=email&_hsmi=228150127&_hsenc=p2ANqtz-98raGuotQG1srXgV-R3FmsHvnRelgYQpPjwvC9E1e-ryz3GhSTSEJtzCeSW4AOW1_mSmTMjReGvOmxx1DQln5rwweLx9EmLm7-I6-tnh7PJxHN6GY&utm_content=228150127&utm_source=hs_email

 

Ask Leo:

https://askleo.com/phishing_how_to_know_it_when_you_see_it/

https://askleo.com/what-is-smishing/

https://askleo.com/7-signs-of-phishing-to-watch-for/

 

Federal Trade Commission:

https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

 

Monday, October 24, 2022

CYBER SECURITY – Password Managers

Multifactor authentication (MFA) adds an additional security layer to your online accounts to ensure that unauthorized people do not access your account. MFA tries to make up for weaknesses in the ID/password model of access that have developed over the years. Those weaknesses include simple passwords that are easy to guess or break (like using the word “password,” or “password1234”) or using the same password to access several online accounts.

But, even with the spread of the use of MFA, we still rely on ID and password as an entry into our accounts. There are organizations that seek to eliminate passwords (https://fidoalliance.org/), but, until industry adopts another authentication standard, we will be relying on ID and passwords in whole or in part.

An ID and password represent something we know. But if someone else also knows that ID and password, by stealing it in a hack of a major database or purchasing it on the dark web, they can access your accounts and copy your personal information to use in frauds, or, if it is a bank account, move money from your account to their own account.

Cyber criminals can also guess your password, especially if it is easy to guess, like password1234, or it is short. In a brute force attack, cyber criminals use a computer program that guesses passwords. For passwords under 10 characters, a successful guess can be instant or take just a few seconds or minutes, even if you use numbers, upper- and lower-case letters, and symbols. For passwords of 12 characters or more, a successful guess can take several years to several lifetimes. This is why cybersecurity professionals now recommend that passwords be 12 characters or longer and contain a random assortment of numbers, upper- and lower-case letters, and symbols.

But this approach causes a problem. Our human brains cannot remember such complicated passwords. We might be able to memorize one password that meets this standard, but not several different passwords. And it is easy for an individual to need passwords for tens if not hundreds of accounts.

A way around this might be to have a “universal” password: a password 12 or more characters long, with numbers, letters, and symbols, that you memorize and use for all of your accounts. The problem with that is that if a hacker discovers your password in one account, they can access any account that you own. And cyber criminals will try your password on other accounts that you own. This is why cybersecurity professionals recommend using a different password for each account.

So, you need a separate password for each of the accounts that you own, and you cannot remember them all. What to do?

Use a password manager. Password managers are apps that store your passwords for each of your accounts. They can reside on your smartphone, laptop, and desktop so that you can have access to your passwords just about anywhere. The information in a password manager is encrypted so that no one other than you can access it.

Password managers often offer other features that make it easier to use passwords. They can generate new passwords when you need a password for a new account or when you change passwords. They can fill in your password when you sign into your account. They also can synchronize passwords among several of your devices.

There are several password managers on the market. Some you pay for and others are free. Check the “PC Magazine” links below for resources that evaluate the password managers that are on the market.

With a good password manager and MFA on your accounts, you improve the security of your personal information. You make it difficult for a cyber criminal to gain access to your accounts. And if someone does learn your password, they cannot access your account when it is protected by MFA.

 

 

South Snohomish County Crime Watch:

https://ssnoccrimewatch.blogspot.com/2022/10/cyber-security-multifactor.html

 

Norton:

https://us.norton.com/blog/emerging-threats/password-attack#

 

KFMB CBS8, San Diego:

https://www.cbs8.com/article/news/verify/people-with-shorter-passwords-should-change-them-immediately/509-1e4a5b50-3692-4bb8-b17b-ff77a2e63826

 

 

National Cybersecurity Alliance:

https://staysafeonline.org/online-safety-privacy-basics/what-about-password-manager-risks/

 

Ask Leo:

https://askleo.com/are_password_managers_safe/

https://askleo.com/responses-to-your-three-common-password-manager-objections/

 

PC Magazine:

https://www.pcmag.com/picks/the-best-password-managers

https://www.pcmag.com/picks/the-best-free-password-managers

 

Thursday, October 13, 2022

ELECTION SCAMS – Fraudsters Take Advantage of the Election Season

The Better Business Bureau of Washington is warning citizens to be wary of certain election phone calls, emails, and texts. Scammers are posing as representatives of election campaigns and PACs to con you out of your money or personal information.

Election time can be an emotional time of year. And with the polarized atmosphere of our current political climate, scammers try to take advantage of our emotions to get us to give them our money or our personal information.

According to the BBB, scammers take advantage of people’s emotions to solicit supposed donations or send out fake polls.

Scammers make claims to represent a candidate or political cause using language that presses hot buttons to get you to “donate.” Other scammers may pose as pollsters and promise a gift card or other prize to entice you to answer their questions. Real pollsters will not offer prizes in exchange for your opinion.  

You might receive an email with links to a spoofed candidate’s website. The phishing email may be intended to collect your personal information or install malware.

Scammers also send text messages spoofing candidates and political action committees (PACs) seeking donations.

And scammers make phone calls that try to sound like an actual campaign phone call.

During election season, many candidates and PACs send legitimate emails and text messages and make legitimate phone calls. Here are some warning signs to help determine if you are being contacted by a scammer:

·         A PAC whose name sounds more like a charity. PACs that are registered with the Federal Election Commission (FEC) have to focus solely on political activity.

·         A PAC’s website does not list the names of the people running it or provide contact information.

·         A caller claiming to be a pollster or elections official asks you for personal or financial information. Also, a pollster offers a prize to participate in a poll.

More tips:

·         If you want to donate to a candidate or political cause do not click on any links within a soliciting email or text message that you receive. Conduct a web search for that candidate’s or political cause’s website.

·         Make sure any PACs that you want to donate to are registered with the FEC. You can check out spending by candidates or PACs at the FEC website, https://www.fec.gov/data/, or the Center for Responsive Politics website, https://www.opensecrets.org/political-action-committees-pacs/2022.

·         Do not make donations or provide personal information to anyone who calls you out of the blue.

If you think that you have been a target of an election scam, contact your local field office of the FBI, https://www.fbi.gov/contact-us/field-offices/seattle.

If the contact was over social media or the internet, contact the FBI’s Internet Crime Complaint Center, https://www.ic3.gov/.

For questions or concerns about election scammers at the state or local level, contact the Washington State Attorney General’s Office, https://www.atg.wa.gov/, or the Washington State Secretary of State’s Office, https://www.sos.wa.gov/.

 

KING TV:

https://www.king5.com/article/money/scam-midterm-elections-personal-information-bbb/281-415dc073-6a09-441b-bba3-ad4b861887c0

 

Better Business Bureau:

https://www.bbb.org/article/news-releases/27597-political-scams-increase-as-midterm-elections-near

How to recognize a phishing email- https://www.bbb.org/all/spot-a-scam/how-to-spot-a-scam-email

How to recognize a smishing text message- https://www.bbb.org/all/spot-a-scam/how-to-spot-a-phony-text-message

 

AARP:

https://www.aarp.org/money/scams-fraud/info-2020/political.html?intcmp=AE-FWN-LIB3-POS9

 

Monday, October 10, 2022

CYBER SECURITY – Multifactor Authentication Blocks 99.9% of Account Attacks

Lately, cyber security professionals have been promoting the use of Multifactor Authentication (also known as 2 Factor Authentication) with your online accounts. According to Microsoft, multifactor authentication (MFA) blocks 99.9% of automated attacks on user accounts.

MFA adds a layer of security to our traditional ID and password method of gaining access to online accounts. Your ID and password are a factor that tells the custodian of your account that you have a right to use that account. This is something you know. But if someone else can find out your ID and password, they can also gain access to your account because they know your ID and password. And if they are someone you do not want in your account, they can cause a lot of mischief. What if that account is your bank account, credit card account, or your email account?

According to some sources, there are over 15 billion passwords for sale by cybercriminals on the dark web. And 81% of breaches leverage stolen or weak passwords.

MFA adds a second factor to authenticating you as you. That factor can be something you have, such as your smartphone, or something you are, such as your fingerprint or face.

With MFA, when you enter your ID and password, the custodian of your account might send you a code via email, text message to your phone, or an authenticator app on your phone. You enter the code as a second step when you sign in. This way, you verify who you are with your phone, which is in your possession. Someone else cannot pose as you because they do not have your phone. Even if they have your ID and password, they don’t have your phone. In case someone does get your phone, it is important to lock it with a PIN, fingerprint, or facial scan so that they cannot use it.

Authenticator apps are considered the best way to use MFA because they are the most secure method of authentication.

Security is often considered to add inconvenience to our online lives. MFA does not necessarily add inconvenience. You will use MFA the first time that you sign in to an account. But as long as you sign in from the same computer or device as when you started, you won’t have to use MFA. You might have to use MFA if you access the account from a different device, after changing your password, or if you have not accessed the account for a long time.

As Microsoft has noted, MFA blocks 99.9% of automated attacks on accounts. That leaves some room for successful attacks. The National Cybersecurity Alliance has seen instances where hackers have circumvented MFA by seeking MFA approval multiple times until the owner approves the log-in out of confusion or annoyance. There also have been instances of scammers contacting victims, asking for access to a bank account, for example, and telling the victim to give the scammer the MFA code. A good rule of thumb is not to approve access to your account if you did not log in to the account.

Major software developers have tried to provide another easy-to-use layer of security to protect your privacy and your sensitive information. You will use MFA occasionally. But you have the confidence that other people will not have access to your accounts.

 

 

National Cybersecurity Alliance:

https://20740408.fs1.hubspotusercontent-na1.net/hubfs/20740408/CAM_2022_Infographics_MFA_NOLOGO.pdf?utm_campaign=Cybersecurity%20Awareness%20Month&utm_medium=email&_hsmi=215220112&_hsenc=p2ANqtz-8zBj3BniJ-u2dPGM3xzAJZiMu4LKoI2AVhPBsCe1Zpi2vWz5fkINCnswSXf60loEg3jk0iKfwFRov17ZcxmoBMgdUaABUuboDOw0pBZ7LMaIYM3NU&utm_content=215220112&utm_source=hs_automation

https://staysafeonline.org/online-safety-privacy-basics/multi-factor-authentication/?utm_campaign=Cybersecurity%20Awareness%20Month&utm_medium=email&_hsmi=228150127&_hsenc=p2ANqtz--M2F81ZWdsurpV_FEXcZuI_G_rJWaREwUOBR8PmV9fRqN8eHzA6iMiTxVaCapdHiwrEu6AFDVv2v8yjtgW9rZ-PoYvI6LLjdTH3IbP96xvudGZPKg&utm_content=228150127&utm_source=hs_email

 

 

ZDNET:

https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/

 

Tom’s Guide:

https://www.tomsguide.com/news/google-2fa-50-percent-reduction

 

South Snohomish County Crime Watch:

https://ssnoccrimewatch.blogspot.com/2022/02/multifactor-authentication-new-way-to.html