July 2023 Cybersecurity News & Tips | Anatomy of a Scam

Welcome back to the TCE Strategy monthly technology and cybersecurity?newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.

If this?newsletter?adds value, fantastic! That is the goal. Please forward it on to friends/colleagues.

Month's Cyber News in Review

Anatomy of a scam

TCE Strategy has been helping a number of clients deal with scams of one sort or another over the last several weeks, and it feels like the right time to review real-world scams that are causing financial losses, data breaches, computer takeovers, and even ransomware attacks. Let’s run through some of the most common scams and how to avoid them.

First and foremost, let’s address inherent bias. Humans have a tendency to automatically believe that they are being told the truth in most situations. Imagine how hard life would be if the opposite were true and the “default” position for inherent bias was to doubt first: We couldn’t buy groceries without verifying the label’s ingredients are accurate. We couldn’t drive without first calling our local city to verify that every speed limit sign is legitimate. These examples would bring life as we know it to a grinding halt.?However, in today’s cyber world there are many electronic forms of communication that SHOULD be viewed with skepticism first, and only accepted as valid after they have been examined closely. This is especially true if you work as part of a finance team, HR team, IT team, or executive team. You are often targeted specifically because of the access you have or the influence you have over others.

Scam #1: Malicious emails that try to infect your computer with a virus. These emails will have an attachment that claims to be a Word document, .pdf file, .zip file, etc., but in reality it is a virus trying to take over your computer. Alternatively, it may have a link to a website that tries to take advantage of an unpatched web browser (Chrome, Firefox, Edge) and infect the computer that way. These are common.

Remedy: Use strong antivirus software on your computer. Set your computer to automatically apply patches and to reboot itself when finished. Use an email service (and/or antivirus program) that tries to filter out spam emails. Be skeptical of any email with an attachment that you weren’t expecting.

Scam #2: Malicious emails that try to get you to give up your credentials. These emails will say something like your email account has been deactivated and will be deleted in 24 hours unless you “click here” to confirm that you still want to use it. The link on the “click here” button takes you to a malicious site where you type in your email address and password, but in reality you have just given your credentials to a cybercriminal.

Remedy: Recognize that email providers almost never send emails stating that your service is being terminated. Delete such emails. If you are suspicious, hover your mouse over the link in the email, and your computer should tell you where the link would take you. If it isn’t the legitimate site for your email provider, delete the email. Use MFA (Multi-Factor Authentication) on all email accounts, as it provides a very strong 2nd layer of security in case a cybercriminal does get hold of your password.

Scam #3: Malicious emails that try to get you to pay a false invoice, or to send money to pay a legitimate invoice to the wrong account. Emails from PayPal with phony invoices, emails pretending to be eBay with an invoice attached, etc. are common. You may also get a .pdf attachment that is an invoice that looks legitimate. Sometimes you get a legitimate invoice but the email asks you to send payment to a physical address or bank account that isn’t the address/account you normally send payments to.

Remedy: If you didn’t expect a bill from someone, it is probably a phony invoice. If you did expect a bill but the email asks you to send payment to a different place, pick up the phone and verify that it is legitimate before sending payment.

Scam #4: Malicious emails that try to get you to take an action you normally wouldn’t take. Emails often come in pretending to be your supervisor, the CEO of your company, etc., asking you to do things like send him the W2 forms for every employee or to give a new employee access to a bank account. Emails can also come in pretending to be your friend, child, grandchild, etc., asking for information that would be OK to give to a friend/relative but not a criminal, such as your mother’s maiden name.

Remedy: Never fall for an email that asks you to send sensitive data to perform an action that you normally wouldn’t. If you are suspicious, pick up the phone and call the person to verify. If you don’t know the person that sent the email, talk to your supervisor about next steps.

Scam #5: Calls/texts from people that are not who they claim to be. Your CEO may text you asking you to buy gift cards for a big sales meeting using your company card, and will then ask you to scratch off the sticker revealing the hidden code on the back of each card and send him/her pictures of the codes. There are also more elaborate phone schemes where cybercriminals pretend to be law enforcement and ask you to move your money to “keep it safe”. These are always scams, without exception.

Remedy: Do not buy gift cards based on a text or an email. Pick up the phone and verify it is legitimate. If the person texting you says that they can’t talk on the phone, it is another sign that this is a scam.

Scam #6: Companies selling products/services that sound amazing in their sales literature but make zero guarantees or acceptances for liability in their contract. This is not a direct scam, but it can leave you in an even worse position than many of the scams above would. If a company is providing a product or service to you, there should be language in any contract stating that the product/service will work as advertised, and that the company in question will refund your money if it does not. Costco does a great job of this in their return policies. Many other companies (especially on-line companies) often do not.

Remedy: Be careful whom you buy from. Use credit cards to pay instead of a check or debit card, as credit cards offer you more protection against this type of thing.

Scam #7: Companies asking you to sign contracts that are ridiculously one-sided against you. Any solicitor coming to your door that wants you to sign a contract is likely giving you a contract that is incredibly slanted in their favor. Terms such as 18% interest for late payments, you having to pay in full before work is performed, no guarantee of the product/service being provided, etc., are completely unreasonable and in some states are illegal. These could be online or in person.

Remedy: NEVER sign a contract without having an attorney (or someone you trust with knowledge about contract language) look over it first, especially if the contract is with a smaller company or a financial services institution.

The Internet is so full of con artists, misinformation and misleading conclusions it makes lobbyists look like genuinely upstanding people. Assume malicious intent. Verify information before taking action. If something sounds too good to be true, it almost certainly is.

Until next month, stay safe!

Upcoming & Recent Events

Here is a list of the cities that I will be in for 2023. Please feel free to reach out if you have an event in mind. I'd love to work with you to make it a reality!

July 17th-18th, Orlando, FL

August 19th-20th, Honolulu, HI

September 1st-3rd, Eau Galle, WI

September 26th-28th, Salem, OR

October 2nd, Brainerd, MN

October 11th-14th, Sacramento, CA

October 22nd-24th, New Orleans, LA

November 1st-4th, Albany, NY

November 27th-30th, Key West, FL

December 4th-6th, Indianapolis, IN

Cybersecurity Tip of the Month

Using a VPN to Protect Your Public Wi-Fi Use

Why Use a VPN?

Public Wi-Fi is convenient for many reasons: you can work away from home, it is often free, and you can use apps on your phone or tablet without using cellular data. However, public Wi-Fi is often unsecured and can provide an opportunity for cybercriminals to access personal information like login details, credit card information, and email communications. Hackers can also potentially inject malware into devices connected to unsecured networks.

One way to protect yourself from these threats is through the use of a Virtual Private Network (VPN) whenever you are connected to public Wi-Fi. VPNs protect your privacy by encrypting your Internet connection so that no one else is able to access the information you send over the network and are one of the best ways to protect yourself and ensure your public Wi-Fi use is secured.

How to Choose a VPN

There are many free and paid VPN services available, but not all of them are trustworthy. Be sure to choose a VPN that is highly rated for security and privacy. This article shares other aspects to consider as well as VPN recommendations:?https://www.comparitech.com/blog/vpn-privacy/vpn-public-wifi/

Other Ways to Increase Privacy

• While a VPN is one of the best ways to secure your public browsing, there are other steps you can take to ensure your online security:Enable multi-factor authentication for all accounts?
• Only transmit personal information over websites with an HTTPS designation
• Turn off Wi-Fi when you aren’t using it to prevent automatically connecting to public Wi-Fi networks
• Update phone settings to forget networks so they are not saved
• Turn off sharing settings