Tag Archives: hack

Phishing Alert – FBI Offering Millions

Just a quick reminder to keep yourself safe in your email. Some of the phishing scams are incredibly good – they imitate the actual emails that a bank or company will send with the same icons and layout. It’s usually the email address and URL they’re trying to redirect you to that gives it away.

Remember, don’t just check URLs in your email before clicking them. Don’t click them at all; instead, if you’re concerned, go to the site by typing in its name, like mybank.com, rather than clicking a link. That way you’ll be safe even from the really good fakes.

Also watch out for scams that are just too ridiculous. They come in email, text messages, and voice mails. I constantly get warnings from the “IRS” that marshals are on the way. How do people think that’s accurate? I mean you can hate the IRS, but that’s still not how they operate. And why do you think they’d come after you? I guess if you haven’t actually paid your taxes maybe it’s easier to get fooled by this. I had fun the other day when I was bored and answered one of these calls. Then I told the person I was onto their scam, and calling the police, and marshals were indeed on the way, but to them, not me. They hung up quickly. A waste of my time, I know, but I enjoyed it anyway.

Finally, watch out for the get-rich-quick scams – there is no secret investment that industry is hiding from you and that will make you a fortune. Add to this the foreign money laundering schemes, Nigerian prince emails, rich dead uncles, and the like. Let me make it simple – there is no one out there who’s just waiting to hand you millions of dollars, or even thousands, or even hundreds. Delete the email/text/voicemail and just move on.

For your entertainment, here’s an email I got today, purportedly from the director of the FBI, who somehow knows my email address but not my name. He’s reminding me that I have $10 million due to me and he’s thoroughly checked it out and for sure it’s legit! Note the ridiculous email address they refer to, and it came from andrewmcjr.fbioffice2017@nac.net because somehow the director didn’t get an official work email address. Poor guy – guess they’re really struggling these days.

[Image: phishing-fbi-citibank-2017-10, screenshot of the phishing email]

As an exercise, here are a few of the things that are wrong with this email:

  • The “From:” email address clearly is not the FBI
  • Addressed to “dear beneficiary” – they don’t know my name
  • The director of the FBI isn’t sending me any email – not happening
  • The supposed Citibank email address – again, not a Citibank email domain
  • The supposed FBI address at the bottom – still not the official FBI.gov domain, and different from the sender email, even though the email warns me explicitly not to trust such things
  • Why do I think this is my money?
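
Most of the red flags in that list can be checked mechanically, which is how mail filters and security teams triage messages like this one. The script below is an added example, not part of the original post: it parses a raw email, collects every address in the headers and body, and flags any address that invokes a brand (“fbi”, “citibank”) but sits on a domain that brand does not use, any contact address on a different domain than the sender, and a generic greeting. The sender address is the one quoted in the post; the Citibank and “FBI office” addresses in the sample, the message text, and the citi.com/citibank.com entries in the lookup table are my own constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains a brand actually sends from. fbi.gov is named in the post;
# the Citibank entries are assumptions for this example.
EXPECTED_DOMAINS = {
    "fbi": {"fbi.gov"},
    "citibank": {"citi.com", "citibank.com"},
}

GENERIC_GREETINGS = ("dear beneficiary", "dear customer", "dear user", "dear sir/madam")

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)


def _brands_in(text: str) -> set:
    low = text.lower()
    return {brand for brand in EXPECTED_DOMAINS if brand in low}


def audit_message(raw: str) -> list:
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Every address we can see: sender, Reply-To, and anything written in the body.
    candidates = [(from_name, from_addr)]
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr:
        candidates.append((reply_name, reply_addr))
    body_addrs = ADDR_RE.findall(body)
    candidates += [("", a) for a in body_addrs]

    # Rule 1: an address that names a brand must live on that brand's domain.
    for name, addr in candidates:
        local, _, domain = addr.rpartition("@")
        domain = domain.lower()
        for brand in _brands_in(f"{name} {local}"):
            if domain not in EXPECTED_DOMAINS[brand]:
                flags.append(f"{addr} invokes '{brand}' but {domain} is not a {brand} domain")

    # Rule 2: Reply-To or in-body contact addresses on a domain other than the sender's.
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append(f"Reply-To {reply_addr} is on a different domain than sender {from_addr}")
    for domain in sorted({a.rpartition("@")[2].lower() for a in body_addrs} - {from_domain}):
        flags.append(f"contact address on {domain} differs from sender domain {from_domain}")

    # Rule 3: the sender does not know who they are writing to.
    low_body = body.lower()
    for greeting in GENERIC_GREETINGS:
        if greeting in low_body:
            flags.append(f"generic greeting '{greeting}': sender does not know the recipient's name")
    return flags


# Constructed sample modelled on the email described in the post. The From
# address is the one quoted there; everything else is made up for the example.
SAMPLE_PHISH = """From: andrewmcjr.fbioffice2017@nac.net
Subject: Verified payment of $10,000,000.00

Dear Beneficiary,

I have personally verified that your fund of $10,000,000.00 is legitimate.
Contact Citibank at citibank.remittance@example.net to arrange the transfer.
Beware of fraudulent emails that do not come from an official address.

Federal Bureau of Investigation
fbi.director.office@example.org
"""

# Constructed benign message for contrast: no brand claim, no foreign addresses.
SAMPLE_CLEAN = """From: Jane <jane@example.com>
Subject: Lunch

Hi Bob, are we still on for Thursday?
"""

if __name__ == "__main__":
    for flag in audit_message(SAMPLE_PHISH):
        print("FLAG:", flag)
    print("clean message flags:", audit_message(SAMPLE_CLEAN))
```

The lookup table is the weak point of any such check: it only catches brands you have listed, and a real filter would pair it with the sending domain’s SPF/DKIM results. Still, the three rules above are enough to flag every address-related point in the list.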

Stay safe out there – phishing schemes and identity theft are rampant. By the way, if you need to report a scam to the FBI here’s the FBI E-scams and safety page.


Put Your Money Under Your Mattress – Tips for Security

[Image: Money stuffed in between the mattresses]

The rash of security breaches continues unabated, especially in the retail sector. It’s getting to the point where I feel like just pulling my money out of the bank and putting it under my mattress. I had slowly transitioned to using my ATM for all my daily purchases and now I’m back to carrying more cash.

To highlight just a few recent events:

Kmart has a blue light special on malware

Why the Home Depot breach is worse than you think

Chase warns customers about massive data breach

Staples is investigating a possible data breach

If you go back even a year the list is waaaay too long. ATM hacks abound (Did you know most of them still run Windows 95?!) Gas pump card readers have been compromised for years.

I used to worry more about using a credit card at a small retailer because of the potential for employees to steal your data and use/share/sell it. Now with big software hacks in play, little guys aren’t profitable targets. Why compromise a store with hundreds of customers when you can nail a chain with millions?

In all this paranoia, what can you really do about it? I’ve put together a short list of actionable things anyone can do. In a follow-up article shortly I’ll talk more about what the industry can and should be doing.

For consumers the list includes many things that don’t have anything to do with your computers.

  1. Use more cash. The software that is being used in these breaches is just too cheap, readily available, and easy to use. Expect to continue hearing about major breaches, and eventually more minor ones as well. Trickle-down hacking.
  2. Don’t pay at the pump. I know, this is a pain, but seriously this is the one I hear about the most from real people I actually know who have been affected. It was the card reader at the pump. So pay inside, and don’t forget, most stations are part of large organizations, making them tempting targets for the same POS attacks we keep hearing about. Use cash for gas. Or drive an electric, like I do.
  3. Don’t pay at suspicious places. Well, I guess I don’t mean dine-and-dash, but don’t pay with a credit card at places that you’re unsure of. Look around and ask yourself if you’d leave your wallet or phone on the table unattended while using the restroom. If not, pay in cash.
  4. Big retailers are at least as unsafe as small ones. Hacks are happening just as often at big reputable places because it’s simply more profitable. More customers = more cards. It’s simple economics. So pay cash when you can, and keep track of announcements from retailers you use, including silly looking envelopes in the mail that look like junk mail. They could be security alerts.
  5. Don’t click links in unsolicited email. This is a corollary to above – be extremely careful clicking on email alerts about password updates, account info, etc. Phishing is too easy and too common. When in doubt, either put the URL in by hand (always a good idea) or get on the old-fashioned phone and actually call: Did you guys just email a security alert? The time you spend on hold (you know you will) is better than getting hacked.
  6. Use good passwords. I’ll be writing more about this at some point, but for now remember that longer is better. I’m shocked that some organizations still don’t allow really good passwords. When it comes to complexity, length is usually more important to security than the old adage of mixing numbers, letters, and special characters. But the bigger the better. If your password is 8 characters, even with all of the above, it’s hackable, nearly instantly. Just remember that.
  7. Change passwords when a hack occurs. Even if you don’t get a notice from the company, just change it. If for example you heard about Staples today and are sitting around waiting for an email or letter, remember that the hackers aren’t waiting, in fact they may have had your data for weeks or even months. Just change your password now. This is a great case of better safe than sorry.
  8. Use a password manager. You need something to manage all your passwords and other important secure data, otherwise you’ll never do steps 5 and 6 above as you should. There are quite a few good ones out there. Just make sure it’s got good encryption, comes from a reputable company, and supports ALL of the platforms you need so that you’ll use it. A few off the top of my head are Lastpass, 1Password, and Msecure. Some of them even support a USB dongle to make sure that your password manager data is secure.
  9. Use two-step authentication. This is a configuration option you can get from Microsoft, Apple, Google, etc. where they send a text message to your phone when you try to log in. Sometimes they also have an authenticator app instead of the text message, which is nice because you don’t need a data connection like you would with a text message. Google announced security key support today, which is a USB device you put on your keychain instead of a text to your phone.
  10. Keep software up-to-date. This is especially important for both your operating system and your browsers. Major PC OS vendors like Microsoft and Apple issue regular security updates once a week or month. Phone vendors like Google do likewise, although updates depend greatly on both your phone manufacturer and your service provider. I know, it’s crazy, but it’s true. Android phones are frequently out of date and cannot be updated for no good reason. This is one advantage of an Apple or Nexus device – frequent OS updates. Watch Adobe too – that Flash engine is a common attack surface.
  11. Get rid of old hardware that can’t be updated. Old phones, old computers running insecure operating systems, etc. It’s all more dangerous than it’s worth. How old – simple, if it isn’t supported with regular security updates, it’s time to junk it. I know you think you’re saving money, but the cost of a hack is bigger, not to mention the time you spend keeping old hardware running. And yes, there are all kinds of tech geeks that can keep stuff running forever. That’s fine as long as they’ve made sure it’s secure. When in doubt, throw it out. (Like in politics.)
  12. Avoid websites that don’t support secure connections. This means look for “https” instead of just “http” in the URL. Plus depending on your browser you should see some kind of lock that indicates a secure connection. Facebook had this problem for way too long, and what it means is that although you need a password to login, your password is sent over the internet unencrypted, just waiting for that pimply kid across the table at Starbucks to steal it. For a list of sites that you’d think are secure but aren’t, check the HTTP Shaming blog.
  13. Use a prepaid credit card for internet purchases. Come to think of it, that’s not a bad idea for gas pumps and restaurants either. You can get a “credit card” that you can reload at any grocery or convenience store. T-mobile has one that is particularly nice because it has no reload or monthly fees. The prepaid card severely limits your exposure in a breach, and it’s easy for you to walk away from by just getting a new one. They can’t take more out of it than you have sitting on it.

If you’ve got more tips, let me know and I’ll add them to the list. In the meantime, keep safe.
