
Consumer Watch: Scam terms and what to guard against

Hopefully, no reader felt any unwanted twinges from last week’s scamming procedures. Combine those with today’s list for savvy consumerism.

  •  Ransomware — a program that almost knocked yours truly upside the head last week — restricts or disables a computer, hijacks and encrypts files, then demands a fee to restore the machine’s functions. As savvy as I like to think I am, I believed most ransomware hit businesses rather than individuals. Nope. Luckily, I contract with a smart IT expert (Chris Wesson) who told me to do the exact opposite of what the program instructed. Lesson learned. Anytime you’re remotely suspicious of a computer activity, call your provider immediately before taking any other action.
  •  Scareware is a program that gives an on-screen warning saying you’re being infected by nonexistent viruses. Its objective is to trick users into installing malware or buying false antivirus protection.
  •  Skimmer is a tiny device that deducts cash from your ATM account and gathers credit card information at a gas pump or restaurant, among other robberies. These aren’t the only scenarios. That little magnetic stripe on credit and debit cards is the skimmer’s target, so be cautious about handing over your cards to anyone you don’t know for any service whatsoever, and be extra careful to ensure that any slot you slide your card into has nothing inserted in it. Inspect the card reader to be sure it’s identical to others nearby, is firmly in place and that no small camera is positioned nearby. Never use a debit card at the gas pump, so you won’t have to enter its PIN.
  •  Smishing is a phishing attempt that goes to your mobile devices via text messages. The assault “advises” the user to call a toll-free number, which often plops lots of change into the pockets of the Smisher.
  •  Spear-phishing is phishing with personalized email, often appearing to come from someone you know. (Many robocalls with local area codes fit this bill.)
  •  Spoofing allows scammers to disguise themselves as a specific person or, perhaps, a person within a specific agency. Moreover, these fraudsters manipulate your phone’s caller ID to display a false name or number.
  •  Spyware is a type of malware. A scammer installs this bad program on your computer or cellphone to track your actions and collect information without your knowledge.
  •  Vishing is another form of phishing; it uses recorded phone messages to trick you into revealing very private information.
  •  Whaling phishes for corporate executives or employees who work in the company’s payroll departments. The scammer poses as the company’s CEO or, perhaps, its attorney or even a vendor to obtain payments or hush-hush data.

We heard great news last week from the Federal Communications Commission (FCC) that it intends to put robocallers out of business. However, until that happens (and until all other trickery ends), it’s urgent we never forget that scammers create new schemes and fraudulent activities every day. Whether to burglarize our bank accounts or to steal our personal identities, criminals never rest; therefore, consumers must remain vigilant. No more victims around here, okay?

Contact Ellen Phillips at consumerwatch@timesfreepress.com.

Tax Season Is Prime Time for Spear Phishers

You may not love tax season, but spear phishers certainly do: They leverage unencrypted email, poor firewalls, and general social engineering to steal taxpayers’ and organizations’ tax returns in hopes of garnering a refund and/or nonpublic information (NPI). Making matters worse is that these attacks are, in many ways, easier to wage than filing a return.

Email should be considered as secure as the server it’s hosted on, which–depending on the server–could be either extremely secure or extremely vulnerable. Normally, a cybercriminal looking to steal some returns will try to hack the server, which is why it’s good practice (and, in some cases, federally or state-mandated) to transmit financial information, including corporate tax returns, via encrypted messaging. If cybercriminals can’t get access to the server, their next best option is to target those who have access, like an IT admin.

January to mid-April is the prime time for criminals to try to convince susceptible employees to hand over private company information, including tax returns, company bank account information, and employee information including healthcare and W-2 files. Many organizations naively believe that this could never happen to them. However, a quick search online can usually show the prevalent dangers of these sorts of attacks. Companies like Snapchat, Seagate, Polycom, Advance Auto Parts, and, yes, even hospitals, schools, and utility companies have all been victims of spear phishing.

At AppRiver, we have seen the spike in phishing traffic already occurring this tax season. The beginning of the year is typically when taxpayers anticipating big refunds rush to have their returns filed, while taxpayers who owe usually procrastinate until the last second. For these reasons we anticipate that phishing traffic will continue to dwindle until the very end of tax season, with perhaps another small push toward the deadline.

So, how do criminals identify a potential target? It’s easy. First, they’ll search for a company on social media sites like Facebook and LinkedIn. Nowadays, it’s more uncommon than not for social media users to list their employment on their social media profiles, or even have a dedicated online resume (on LinkedIn, for example). In a company with more than 50 employees, odds are at least one person from finance has listed his or her employment on a social media account.

After choosing a target, the criminal will either spoof the company’s domain to create an email address that appears to come from a high-level executive, like the CEO, or create a similar one that most employees wouldn’t catch. An example would be using .net instead of .com, or adding an extra letter in the domain.

When an outside criminal crafts an email in such a way that it looks to be internal, some users will trust them without digging deeply enough. And that’s the core component to spear phishing. A criminal doesn’t need to be a hacker or gain access to secure internal systems. If someone can send convincing, legitimate-appearing emails, employees may hand over sensitive information and be none the wiser.

While right now this tactic is used to get W2s, NPI and tax returns, tactics along the same lines are used year-round–for example, using wire transfer fraud emails to dupe employees to wire tens of thousands of dollars from companies’ accounts to dummy accounts set up by the criminals. The FBI refers to these as Business Email Compromise (BEC) messages. The broader interpretation is any external email that claims to be from an internal user (like the CEO) who wants an employee to do something that compromises the integrity of business operations. This is a very dangerous attack vector because of how successful it is. The total damage companies face is in the millions each year.

So how does one avoid spear phishing, wire transfer fraud and BEC year round?

Unfortunately, there’s no panacea when it comes to blocking spear phishing attempts. However, there are some steps an organization can take to combat them:

  • Use encrypted email. It should be company policy that certain categories of sensitive data are always encrypted when sent via email. Ideally, no such information would ever be sent externally; but if it were, with this policy in place the data would still remain secured and unusable by a third party.
  • Look at the recipient address when replying. A quick glance at the “To:” address when replying could stop many spear phishing attacks. Criminals like to put freemail accounts (Outlook, Gmail, Yahoo, etc.) in the “Reply-To:” field of a phishing message, and for most users that field only becomes visible once they go to reply. If they are willing to spend a few dollars, they even register domain names very similar to the victim’s domain.
  • Use two-factor verification. A company policy under which it’s acceptable to transfer $50k on a single email request is a bit loose with the coffers. It’s best for everyone if a second verification is in place, such as a quick office visit or phone call. The same goes for sending around something like all employees’ W-2 files.
  • Hover over links in messages. Spear phishing attacks sometimes aim to get through to a user with just a single email, with no back and forth required. Such an attack might include a phishing link that asks for an employee’s email login, a link to an external site with all the information needed to do a wire transfer, or even a link for an employee to upload sensitive company data. Knowing where you are going online by hovering over links, and glancing at the URL once you are there, is a common security practice that some people need to follow more closely.
  • Don’t be afraid of your boss. Yeah, this can be a tough one. But some of these spear phishing emails rely on using the CEO’s name as a strong-arm to get an employee to do something. By writing the text in a way that sounds urgent or demanding, the attacker leads some employees to forgo any set policy and bypass the procedures in place to please their boss. After all, they think the CEO is ordering them to. Obviously, questioning every order that comes down isn’t feasible or advisable, but, again, certain things like sending W-2s and wire transfers should have set policies that everyone follows no matter what. It’s better to question all wire transfers than to miss that one and send $20k to some foreign account.
  • Use an email filter. This may be obvious, but many email filters have advanced features and tests that can catch these sorts of attacks, which people may not be aware of. At AppRiver, we have an advanced spear phishing test that can look for these types of low-key phishing tactics and stop them. If your filter service doesn’t have spear phishing features, you can still do something like block external email that uses your own domain name: any email using your domain name but coming from somewhere that isn’t your own server gets blocked. Or you can publish an SPF record for your own domain and verify it on any incoming messages.
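The three header-level checks from the list above (a lookalike sender domain such as a swapped TLD or an extra letter, a freemail address in Reply-To, and mail that claims your own domain but arrives from a server that is not yours) are shown here as an added example; it is not AppRiver’s filter or code from the article. The organization’s domain, its allowed mail hosts (a simplified stand-in for an SPF lookup) and the sample message are all constructed.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed values: our domain, the hosts allowed to send for it (what an
# SPF record would publish) and common freemail domains. Not from the article.
OUR_DOMAIN = "example.com"
OUR_MAIL_HOSTS = {"mail.example.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def domain_of(header_value):
    """Lowercase domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_lookalike(domain):
    """True when domain is not ours but nearly ours (swapped TLD, extra letter)."""
    if not domain or domain == OUR_DOMAIN:
        return False
    base, ours_base = domain.rpartition(".")[0], OUR_DOMAIN.rpartition(".")[0]
    if base == ours_base:  # same name, different TLD (.net instead of .com)
        return True
    return difflib.SequenceMatcher(None, base, ours_base).ratio() >= 0.85

def spear_phish_indicators(raw_message, sending_host):
    """Return the red flags from the article found in one message.
    sending_host: server that handed us the mail (last-hop Received header)."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    if from_dom == OUR_DOMAIN and sending_host not in OUR_MAIL_HOSTS:
        flags.append("claims our domain but arrived from an outside server")
    if is_lookalike(from_dom):
        flags.append(f"lookalike sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom and reply_dom in FREEMAIL:
        flags.append(f"Reply-To redirects to freemail {reply_dom}")
    return flags

# Constructed sample: CEO-style W-2 request from a lookalike domain with a
# freemail Reply-To, delivered by a server that is not ours.
SAMPLE = (
    "From: CEO <ceo@examp1e.com>\r\n"
    "Reply-To: ceo.office@gmail.com\r\n"
    "To: payroll@example.com\r\n"
    "Subject: Need all employee W-2s today\r\n\r\n"
    "Please send the W-2 PDFs as soon as possible.\r\n"
)

if __name__ == "__main__":
    print(spear_phish_indicators(SAMPLE, "smtp.somewhere.net"))
```

In production the sending host would come from the SMTP session or a real SPF check rather than a static set, and a flagged message would be quarantined rather than printed.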

Guest blogs such as this one are published monthly and are part of Talkin’ Cloud’s annual platinum sponsorship.

Before phishing scam came along, report showed San Marcos at risk

Posted: 7:58 a.m. Saturday, March 25, 2017

More than a year before the February phishing attack that led a San Marcos employee to accidentally leak hundreds of W-2 forms, an assessment identified the city’s lack of cybersecurity training as a vulnerability.

The assessment, completed in the fall of 2015 by SHI Security Services, found that the city didn’t have a security awareness training program. The finding was one of a dozen low- and high-risk vulnerabilities listed in a draft version of the report obtained by the American-Statesman and was described as “the easiest to solve.”


A follow-up test was conducted with the city’s blessing, according to the city’s former information technology infrastructure manager, Lenora Newsom. The test found a number of San Marcos employees fell for a simulated phishing email sent with the help of a security consultant, Newsom said.

The city’s IT director purchased a one-year employee training package from that consultant, KnowBe4, but the plans to roll out the training took longer than expected, city spokeswoman Kristi Wyatt said. The IT department submitted a budget request last year to extend the subscription, she said, but that request was denied during the fiscal 2017 budgeting process.

Newsom, who left the city in August 2016, was one of more than 800 current and former employees whose W-2s were stolen last month. When the city notified her of the breach, Newsom said she was infuriated.

“I thought, ‘Are you kidding me? I worked really hard to prevent this,’” Newsom said. “I believe that San Marcos is ahead of a lot of places in the IT realm … but this was a piece that, well, in my opinion, was not taken seriously.”

Wyatt confirmed that the city doesn’t have mandatory cybersecurity training for employees outside of its information technology department. Rather, managers periodically send emails to employees with educational materials and information about the latest hacking trends, and human resources employees talk to new hires about cybersecurity, Wyatt said.

The city’s IT director is working on creating a training program and on Friday held its first citywide, in-person training on security, Wyatt said.

“The city will continue to provide security awareness and expand training to all employees,” Wyatt said. “Training is only one factor in protecting our information from scammers. … In many incidents, including our recent attack, human error plays a role. While we can’t prevent every possible breach, we can and have taken steps to limit our exposure.”

City focusing on improvements

The report by SHI Security Services described the lack of training as a “low-risk” finding. But it noted that the “issues described represent a demonstrable risk of service interruption and/or theft of sensitive data with a medium- or high-level of exploit skills.”

City officials declined to comment on the draft report obtained by the Statesman.

“The recent phishing incident is currently being investigated by the San Marcos Police Department, and the city is also working closely with the IRS and the FBI,” Wyatt said, adding that “further discussions could further compromise our security situation.”

Mike Sturm, the city’s IT director, wasn’t available for an interview Friday. But he said in an emailed statement that, after buying the training package from KnowBe4, the department began “evaluating, testing, and developing a plan to implement training across the organization.”

Wyatt was unable to provide information about why the city didn’t approve the IT department’s request to extend the subscription for the KnowBe4 training package during the fiscal 2017 budgeting process.

Stu Sjouwerman, CEO of KnowBe4, said he couldn’t speak about any specific customer, but said sending educational emails and going over information with new employees isn’t a strong enough method of preventing breaches.

Sjouwerman said his company has had success in reducing its customers’ vulnerability to attacks by training. In one example he offered, a customer went from about 16 percent of its employees falling for simulated attacks to 1 percent.

“There will always be somebody who has an off day and falls for that attack anyway,” he said. “But it’s dramatically less” with training.

Luck ran out

The type of attack that duped the San Marcos employee in February, in which a hacker impersonates a familiar contact to trick someone into forwarding confidential information, is called “CEO fraud” and is increasingly common, Sjouwerman said.

In February, the IRS issued a warning about such a W-2 phishing scam that had initially targeted the corporate sector but had spread to other areas, including school districts, tribal organizations and nonprofits.

That same month, employees of Belton school district’s business office released W-2 forms for about 1,700 current and former district workers after being targeted by a phishing email that appeared to be from the district’s superintendent. The forms include sensitive information, such as Social Security numbers, and some hackers use the information to file fraudulent tax returns seeking refunds.

In the case of the San Marcos breach, city officials have said, the email requesting the information was made to look as if it came from the mayor. Sjouwerman said hackers can configure such emails using a forged address.

That’s why it’s so important for employees to be trained to recognize and flag suspicious emails, he said.

In a June 29, 2016, email obtained by the Statesman, Sturm requested that employees of the human resources department incorporate the KnowBe4 software into new hires’ training — right away.

“There are so many phishing emails and direct calls going around, that if a new employee doesn’t understand the risk on their first day, there is huge security risk to the City,” Sturm wrote. “Yes, we have been lucky so far.”