
Stop helping cybercriminals steal your info

Written on Sep 26, 2018
This article was published in the 2018 September/October issue of CPA Voice

By Ryan Norton

When you take a moment to think about the various data breaches and identity theft scams that have occurred over the past few years—from Equifax to WannaCry—there tends to be a common theme: These wounds are self-inflicted.

Because we face data security threats every day, it helps to know the most common tactics cybercriminals use and how to prevent falling victim to them.

Spear phishing
Phishing scams are one of the most common and successful methods of data theft, which makes sense. They target the single most vulnerable part of the security apparatus: people.

And there’s one subset of phishing that is particularly effective.

“Spear phishing” specifically targets individuals by using personal information to convince the victim that the criminals are a familiar entity—an employer, family member, or favorite retailer—to gather private data: bank accounts, credit card information, and Social Security numbers are common requests. Luckily, there are usually a few clues that the communication isn’t legit and knowing how to spot them can protect you from being a victim.

First, businesses will not request your bank account number or Social Security number in an email. If someone on the phone is claiming to be from a collection agency, you can perform a few quick Google searches to verify their identity. Second, a legitimate agency will never ask for payment via cryptocurrency or gift cards. Third, email and letter phishing scams tend to feature glaring spelling and grammar issues.

The other, most obvious way to avoid email phishing scams is to avoid opening unsolicited emails and, on those occasions when you do open them, to never click links or download attachments. If you’re worried about not being able to receive files from customers or coworkers, secure client portals and shared folders are viable options.

Evil twins
In an evil twin attack, cybercriminals create a fake wireless access point that impersonates a real Wi-Fi network, enabling them to directly monitor victims’ traffic or redirect victims to websites containing malware. Criminals usually set up shop in high-foot-traffic areas that advertise free Wi-Fi, like airports, coffee shops and shopping malls. Unfortunately, there’s no way to know which “hotel Wi-Fi” is legit.

If you don’t want to self-regulate what you do while connected to public Wi-Fi, one solution is a virtual private network (VPN) service. When you use a VPN, your device's traffic is encrypted, which—while not impenetrable—places a barrier between your data and would-be cybercriminals.

Ransomware
Stop me if you’ve heard this one:

You’re working late on a project that’s due tomorrow morning, but a Windows notification asking to download and install an operating system update stops you dead in your tracks. Rather than taking a break that could last an hour or more, you click “Remind Me Later” and keep working on that deadline. Six months later, the update is waiting patiently for you to find the time. It's essential for us to find the time to update our operating systems because such updates often include security patches that can help prevent attacks that compromise our cybersecurity.

Ransomware holds your computer’s data hostage until you make a payment to the cybercriminals responsible for the attack. Generally, if you don’t make a payment by a specific date, all your data is deleted. But even if you pay the ransom, there’s no guarantee you’ll get your data back—and since most of these scams ask for payment in Bitcoin, it’s not possible to simply reverse the charges.

The May 2017 WannaCry ransomware attack succeeded because people failed to update their Windows operating system. Before installing the update, Windows users were vulnerable to an exploit that didn’t even require they actively download malware to their system—even worse, if one computer on a network became infected, it was likely that WannaCry would spread to others. Here’s the rub: Microsoft issued a fix for supported versions of Windows two months before the attack took place.
The takeaway? You cannot ignore software updates.

Wrapping things up
What else can you do to protect your data? Aside from installing security software like antivirus and antispyware programs, you probably need to address your password hygiene. The problem with passwords is if they’re easy to remember, they’re usually not very secure. Since every account needs a strong, unique password, a password manager can be a relatively easy solution.

Password managers randomly generate and store passwords associated with your accounts, and some will even autofill website forms with all of your login information. In the event of an account compromise, you just generate a new password.

When you use a password manager, you only need to remember the password that logs you into that service. Cybercriminals have many ways to get their hands on your private information. Let’s stop making their job easier.

Ryan Norton is a GruntWorx contributor. This originally appeared on the Boomer Consulting, Inc. blog on June 14, 2018
