As part of its Safe Banking for Seniors campaign, the American Bankers Association Foundation today released seven new videos intended to help raise awareness about the top scams targeting older Americans. The films provide an overview of scams in general, as well as information on specific scams that commonly target seniors, including family impostor scams, government impostor scams, tech support scams, money mule scams, sweetheart scams and lottery scams.
“Criminals know that older Americans hold approximately 65% of bank deposits in the U.S. and unfortunately, that concentration of wealth often makes them prime targets for financial exploitation,” said ABA Foundation Executive Director Lindsay Torrico. “These videos will bolster bank efforts to safeguard their senior customers and help bank employees, caregivers and family members spot scams before they can do any damage.”
The videos, along with ABA’s existing suite of Safe Banking for Seniors resources, are available for free.
On Thursday, August 18, Apple released emergency fixes for two serious vulnerabilities that are being actively exploited. These vulnerabilities affect iPhone, iPad, and Mac systems. One of these, CVE-2022-32893, is a remote code execution (RCE) hole, and the other, CVE-2022-32894, is a kernel code execution hole.
These are serious vulnerabilities that could allow an attacker to put malware on your device or take over your device with super-user credentials without your permission.
We highly recommend that all our customers using Apple products ensure these updates are applied to all assets as soon as possible.
The Federal Trade Commission has posted a Consumer Alert regarding utility payments. The Alert notes that only scammers demand utility payments in cryptocurrency.
The scam goes like this: The consumer gets a call or text from someone pretending to be their utility company. The caller or text says the consumer owes money (which is a lie). The scammers then send the consumer a text—sometimes including their utility company’s logo—with a QR code and tell the consumer to scan it at a Bitcoin ATM to make a payment or their service will be disconnected.
No utility company will text about a shut-off, and no utility company will demand payment in cryptocurrency. Those are scams. Before it shuts off service, all real utility companies will notify their customer in writing and offer a repayment plan.
Cyber criminals know that one of the best ways to rush people into making a mistake is by creating a heightened sense of urgency. And one of the easiest ways to create a sense of urgency is to take advantage of a crisis. This is why cyber criminals love it whenever there is a traumatic event with global impact. What most of us regard as a tragedy, cyber criminals view as an opportunity, such as the breakout of a war, a major natural disaster such as a volcanic explosion, and of course infectious disease breakouts like COVID-19. When there is an immense amount of social media and news coverage about a certain event, cyber criminals know that is the time to strike.
They use this opportunity to create timely phishing emails or scams about the event, and then send that phishing email or launch the scam to millions of people around the world. For example, during a natural disaster, they may pretend to be a charity asking for donations to save children in need. Cyber criminals can often act within hours of a crisis or disaster, as they have all the technical infrastructure prepared and are ready ahead of time. How can we protect ourselves the next time there is a big crisis or disaster, and cyber criminals seek to exploit it?
How to Detect and Defend Against These Scams
The key to avoiding these scams is to be suspicious of anyone who reaches out to you. For example, do not trust an urgent email claiming to be from a charity that desperately needs donations, even if the email appears to be from a brand that you know and trust. Do not trust a phone call claiming to be a local food bank pressuring you to donate. The greater the sense of urgency, the more likely the request is an attack. Here are some of the most common indicators of a charity scam:
How to Make a Difference Safely
To donate in times of need or to help those impacted by a disaster, donate only to well-known, trusted organizations. You initiate the connections and decide who to reach out to, such as what websites to visit or what organizations to call. When you consider giving to a charity, search its name plus words like “complaint,” “review,” “rating,” or “scam.” Not sure which charities to trust? Start by researching on government websites you trust, or perhaps links provided by a well-known and highly trusted news organization. Donating in times of need is a fantastic way to make a difference, just be sure you are giving to legitimate organizations.
Dr. Jessica Barker is an award-winning leader on the human side of security. She is the co-CEO of Cygenta and a bestselling author. Jessica is on the SANS Security Awareness Summit advisory board.
FTC Charity Fraud: https://consumer.ftc.gov/features/how-donate-wisely-and-avoid-charity-scams/
Social Engineering: https://www.sans.org/newsletters/ouch/social-engineering-attacks/
Top Three Scams: https://www.sans.org/newsletters/ouch/top-three-social-media-scams/
Messaging Attacks: https://www.sans.org/newsletters/ouch/spot-and-stop-messaging-attacks/
Phone Call Attacks: https://www.sans.org/newsletters/ouch/vishing/
Charity Navigator: https://www.charitynavigator.org/
Please remember that The First Bank and Trust Company of Murphysboro will not call or text you to ask for your sensitive or personal information such as username/password for digital banking, a debit card number, social security number, etc. Please do not respond to any texts or calls that request this information.
As the holiday season approaches, millions of people will be traveling. If you are among the many, here are some tips to help keep you cyber savvy and safe.
Bring as few devices as you can. The fewer devices you bring while traveling, the fewer devices that can be lost or stolen. In fact, did you know that you are far more likely to lose a mobile device than have it stolen? Whenever leaving a hotel room, restaurant, taxi cab, train or airplane, do a quick device check and make sure you have all of your devices. Don’t forget to have friends or family traveling with you double-check for their devices too, like children who may leave a device behind on a seat or in a restaurant. As for the devices you choose to bring, make sure you update them so they are running the latest operating system and apps. Keep the screen lock enabled. If possible, ensure you have some way to remotely track your devices if they are lost. In addition, you may want the option to remotely wipe the device. That way if a device is lost or stolen, you can remotely track and/or wipe all your sensitive data and accounts from the device. Finally, do a backup of any devices you take with you, so if one is lost or stolen, you can easily recover your data.
When traveling, you may need to connect to a public Wi-Fi network. Keep in mind you often have no idea who configured that Wi-Fi network, who is monitoring it or how, and who else is connected to it. Instead of connecting to a public Wi-Fi network, whenever possible connect to and use the personal hotspot feature of your smartphone. This way you know you have a trusted Wi-Fi connection. If that is not possible and you need to connect to a public Wi-Fi network (such as at an airport, hotel, or cafe), use a Virtual Private Network, often called a VPN. This is software you install on your laptop or mobile devices to help protect and anonymize your Wi-Fi connection. Some VPN solutions include settings to automatically enable the VPN when connecting to non-trusted Wi-Fi networks.
Avoid using public computers, such as those in hotel lobbies or at coffee shops, to log into any accounts or access sensitive information. You don’t know who used that computer before you, and they may have infected it accidentally or deliberately with malware, such as a keystroke logger. Stick to devices you control and trust.
We love to update others about our travels and adventures through social media, but we don’t always know who every friend or viewer is online. Avoid oversharing while on vacation as much as possible and consider waiting to share your trip until you’re home. Additionally, don’t post pictures of boarding passes, driver’s licenses, or passports as this can lead to identity theft.
If you will be working while on vacation (we hope not!), make sure you check what your work travel policies are ahead of time, including what devices or data you can bring with you and how to remotely connect to work systems safely.
Vacation should be a time for relaxing, exploring, and having fun. These simple steps will help ensure you do so safely and securely.
Phishing is a type of online scam where criminals make fraudulent emails, phone calls and texts that appear to come from a legitimate bank. Every year, people lose hundreds, even thousands, of dollars to these scams. The communication is designed to trick you into entering confidential information (like account numbers, passwords, PINs or birthdays) into a fake website by clicking on a link, or to tell it to someone imitating your bank on the phone.
Email or Text
If you suspect that an email or text you receive is a phishing attempt:
If you receive a phone call that seems to be a phishing attempt:
The Federal Trade Commission has posted an article on its Business Blog, “Reported crypto scam losses since 2021 top $1 billion, says FTC Data Spotlight.” According to the latest FTC Consumer Protection Data Spotlight, since the start of 2021, more than 46,000 people have reported losing over $1 billion in crypto to scams. That’s about one out of every four dollars reportedly lost to fraud during that period.
The Data Spotlight reveals that reported losses to crypto scams in 2021 were nearly 60 times what they were in 2018. Certain features of cryptocurrency may explain why it’s a favorite payment method for crooks and cons. There’s no bank or other entity to flag suspicious transactions before they happen. Crypto transfers can’t be reversed. Once the money’s gone, it’s gone. And most people are still unfamiliar with how crypto works.
Nearly half the people who reported losing crypto to a scam since 2021 said it started with an ad, post, or message on a social media platform. Of those who specified the platform where the scam began, 32% said it was on Instagram, 26% said Facebook, 9% said WhatsApp, and 7% said Telegram. More than half of the reported losses involved bogus crypto investment opportunities.
What the Data Spotlight suggests is that even people who consider themselves tech-savvy can lose money to crypto crooks. Here are three things to bear in mind to protect yourself:
Despite consumers’ varying perceptions of cybersecurity risk, anyone can be the target of hackers looking to steal money, information or an identity. But there is good news: Even the least computer-savvy people can take steps to protect themselves.
Your financial institution should empower consumers with information through cybersecurity awareness campaigns, an important step in the fight against cybercrime. Providing education and promoting good cyber hygiene will mitigate cybersecurity risk for consumers and your institution while increasing the potential for new business through knowledge sharing.
As your institution plans cybersecurity awareness initiatives, consider including the following cybersecurity best practices to enhance protections for your customers or members.
Many websites offer free alerting to let users know when something happens on an account. Encourage your customers or members to take advantage of these alerts to monitor for potential fraud. Many financial institutions and credit card companies also offer alerts on purchases of a certain size or purchases made without the card present. Encourage customers and members to utilize this feature to quickly know if a card number has fallen into the wrong hands and minimize the damage.
Unfortunately, a username and password do not always provide adequate protection against hacking. It is not uncommon for these credentials to make their way to the dark web and into the hands of cybercriminals. To increase protections, many websites that hold important information offer the option for MFA. Instead of logging in with only a username and password, a user must provide a third piece of information to access their account.
Typically, the third piece of information comes in the form of a code sent via text or phone call to a specified number. There are also authenticator applications that serve the same purpose. While MFA may not be needed for every account, it is highly recommended for email accounts, online banking, healthcare accounts and anything that holds sensitive information.
April is National Financial Capability Month, and the FDIC offers several resources to help educate and protect consumers. The FDIC’s Money Smart financial education program can help people of all ages enhance their financial skills and create positive banking relationships.
This suite of 14 self-paced online games is the newest addition to the FDIC’s Money Smart product family and now available in English and Spanish for anyone to access. It covers topics such as: your income and expenses, borrowing basics, building your financial future, and protecting your identity and other assets.
“As the Russian Government explores options for potential cyberattacks against the United States, the Department of Homeland Security continues to work closely with our partners across every level of government, in the private sector, and with local communities to protect our country’s networks and critical infrastructure from malicious cyber activity. Organizations of every size and across every sector should continue enhancing their cybersecurity defenses. Organizations can visit CISA.gov/Shields-Up for best practices on how to protect their networks, and they should report anomalous cyber activity and/or cyber incidents to firstname.lastname@example.org or (888) 282-0870, or to an FBI field office. DHS will continue to share timely and actionable information and intelligence to ensure our partners and the public have the tools they need to keep our communities safe and secure, and increase nationwide cybersecurity preparedness.”
You’ve heard it before, but we’ll say it again. It’s important to have strong passwords and change them regularly to help keep your accounts safe. Here are the basics:
Don’t use personal information. This includes names of people in your family, your address, or birthdays, since this information can be publicly available to hackers.
Don’t use real words. Password cracking tools can process every word in the dictionary until a match is found. Instead use uppercase and lowercase letters combined with special characters such as “&” or “#”.
Create longer passwords. The longer it is, the better. Try for at least 10 characters.
Don’t use the same password for multiple websites. If one website has a data breach and you’ve used that password elsewhere, it’s easier for hackers to steal more information.
Change your passwords. Get in the habit of changing them twice a year.
– Michael N. Cripps
President & C.E.O.
WASHINGTON—Today, five federal agencies joined forces to remind the public about the ongoing dangers of romance scams. The Commodity Futures Trading Commission, the Consumer Financial Protection Bureau (CFPB), the Department of Homeland Security’s U.S. Immigration and Customs Enforcement (ICE), the U.S. Postal Inspection Service, and the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) have launched Dating or Defrauding?, a national awareness effort to alert the public to romance scams that target victims largely through dating apps or social media. The campaign is supported by USAGov/Outreach, a division of the U.S. General Services Administration’s Technology Transformation Services.
Romance scams are not new, but with the proliferation of online dating apps, social media, and even messaging apps, new types of scams are emerging that target new audiences and have drained victims of millions of dollars. According to the Federal Trade Commission (FTC), 2020 was a record year for romance scams. Consumer reports to the FTC indicate that the number of romance scam complaints continued to increase through 2021. A year-over-year comparison through the third quarter showed a 48 percent increase in reported romance frauds.
The joint federal agencies’ initiative shows the public how to recognize the scams before they give any money or assets and provides steps to take if they are victimized. Over the coming weeks, the interagency Dating or Defrauding? awareness campaign will reach the public via social media, local and national media outreach, and public-private partnerships to encourage them to be vigilant when making online love connections.
This effort is spearheaded through the following federal agency offices: CFTC’s Office of Customer Education and Outreach, CFPB’s Office for Older Americans, DHS/ICE’s Homeland Security Investigations, the U.S. Postal Inspection Service, and Treasury’s FinCEN.
…it is a SCAM!
DO NOT GIVE SCAMMERS MONEY OR PERSONAL INFORMATION – IGNORE THEM!
Protect yourself and others from Social Security-related scams
President and CEO
Over 300,000 Android users have downloaded banking malware apps
Cybersecurity researchers report that password-stealing banking trojans were disguised as QR code readers, fitness monitors, cryptocurrency apps and more.
This article lists the apps that are on Google Play that should not be downloaded or installed: “‘Banking’ Trojan Malware Hits Over 300,000 Android Users | List of Apps to Avoid on Google Play App Store” (Tech Times)
I just wanted to share some information to help better protect you and your family as the holidays approach.
Researchers at Tessian (an email security company) caution that people should be wary of scams as Black Friday approaches. The researchers found that 30% of people in the US reported receiving a phishing message around Black Friday in 2020.
“Nearly a third of U.S. consumers (30%) said they received a phishing email around Black Friday last year, either by email or SMS to their personal email or cell,” the researchers write. “The thing is that consumers expect to receive more marketing and advertising emails from retailers during this time, touting their deals, along with updates about their orders and notifications about deliveries.
Inboxes are noisier-than-usual and this makes it easier for cybercriminals to ‘hide’ their malicious messages. What’s more, attackers can leverage the ‘too-good-to-be-true’ deals people are expecting to receive, using them as lures to successfully deceive their victims. When the email looks like it has come from a legitimate brand and email address, people are more likely to click on malicious links that lead to fake websites or download harmful attachments.”
Tessian also notes that employees at retailers should be vigilant for phishing attacks as they approach the busiest time of the year.
“And it’s not just consumers that need to be wary,” Tessian says. “Employees in the retail industry will be busier and more distracted than ever during this time, faced with hundreds of orders, thousands of customer queries to respond to, and overwhelming sales targets to hit. Cybercriminals will use this to their advantage, crafting sophisticated phishing emails and cleverly worded social engineering messages in the hope that a stressed worker will miss the cues and comply with their requests.”
Remember: The bad actors are out in force, and you need to remember to implement good cybersecurity and cyber-hygiene practices – especially over the next couple of months. Be extra cautious of any emails invoking an emotional response or asking for your account information. Feel free to review the October National Cybersecurity Awareness emails and forward them to your family members.
President and CEO