March winds are gusting, heralding the start of another stormy season. As the skies rumble and weather forecasts become the center of our daily conversations, another kind of storm brews in the background – the digital tempest, where cunning scammers lie in wait.
Now, if your idea of a scammer is someone in a dark room filled with glowing computer screens, you’re not entirely off the mark. But, much like our increasingly unpredictable weather, their strategies evolve, often shadowing current events. The stormy season provides the perfect cover for their malicious endeavors. They know, in moments of distress, we humans can be both incredibly compassionate and a tad bit gullible.
Let’s navigate these digital tempests together.
1. The Pseudo-Charity Drive.
After a particularly devastating storm, our inboxes are bombarded with messages pleading for donations for those affected. Some tug at your heartstrings with stories of families torn apart, homes destroyed, and lives forever altered. And many of these are genuine. But mixed among the real pleas are the scam artists seeking to exploit your kindness. They set up fake charity websites that look eerily genuine, siphoning off donations meant for real victims.
Pro-tip: Never click on unsolicited links. Always do your homework. Verify the charity through trusted channels, and consider donating directly on their official website or through established platforms.
2. Weather Alerts Gone Rogue.
Imagine receiving a text or email warning of a severe weather alert, complete with a link that promises up-to-the-minute updates. Only, upon clicking, malware is injected into your device, with the potential to harvest personal information.
Pro-tip: Official alerts rarely, if ever, come with links. Install a trusted weather app or bookmark legitimate weather sites for updates. Stay wary of unsolicited warnings.
3. “Too Good to Be True” Repair Services.
Post-storm damage can be a nightmare. Enter the scam artist, posing as a contractor or repair service, often offering deals that sound too good to be true. Once paid, they either do a shoddy job or simply vanish with your money.
Pro-tip: Seek out reputable service providers. Ask for recommendations, check for genuine reviews, and always, ALWAYS, get everything in writing.
Now, imagine this scenario: Amidst the whirling digital storms, our scammer sits, frustrated, unable to breach your fortified defenses. Quite a satisfying image, isn’t it?
While the aforementioned scams are some of the common ones, it’s essential to remember that scammers continually evolve. The mantra? Stay alert and always double-check.
Stay safe out there, both from the storms above and the ones on your screens. As the old adage goes, it’s better to be safe than sorry. And in this digital age, a touch of skepticism might just be the umbrella you need.
It’s that time of year again. Holiday shopping is in full-swing. Americans are buying more and more from online vendors and shipping companies are working feverishly to keep up with demand.
And, of course, the bad guys are looming, seeking an opportunity to upset the holiday season.
Due to the increasing popularity of online shopping, shipping scams are more common than ever. Given the battle over expedient shipping, it’s no wonder that cybercriminals have developed sophisticated, and timely, methods of stealing from you.
During the holiday season, one of the most common shipping scams is nothing new, and, certainly not a sophisticated cyberattack. Commonly referred to as porch pirates, those who steal packages from the exterior of homes are rampant. In fact, recent statistics reveal that 25 million Americans were victims of porch pirates in 2018.
So, what can you do?
During the checkout process, select “signature required” in the shipping details. In doing so, you will force the shipping service to get a physical signature. The process is a bit tedious by today’s standards; however, not only will you safely collect your items, but, you’ll ensure that the items aren’t carelessly tossed onto your property in haste. Not all online vendors provide this option, so, don’t be surprised if it’s not present during the checkout process.
Secondly, if you live near a package collection service, you can use those providers. A package collection service will provide you with a physical street address – an employee will collect the packages and store them for you. The service is similar to USPS post office boxes; however, many commercial carriers will not deliver to a post office box, and these services are a good substitute for home delivery.
Next, ponder the porch pirate’s methods. They steal based on opportunity and relative ease of access to the goods. If you remove the easy access, the thief will likely pass your home. Many companies sell protective bags or boxes that are secured to your front door or other physical structure. When ordering, in the “other instructions” box for shipping, indicate that the package should be placed in the protective device and locked. While it’s true that a thief could steal the protective device, remember these are typically quick-action efforts. Porch pirates usually drive through a neighborhood and dash to and from a porch – they don’t carry tools; therefore, they aren’t prepared to fight with a locked bag or box.
Similarly, review your delivery area at your home. If you have hedges or other landscaping that will provide a blind for your packages, instruct the online vendor to place the packages behind those obstructions.
A few high-tech tools are available that could prevent, or, minimally, detect package theft. Amazon provides a locker service in some areas. The locker service is similar to the package collection providers, except, you have a key to your shipping locker, which is housed in a large building. Various video doorbell systems and motion alarms could assist with preventing the bad guys – when they work correctly. I use a combination of alarm and video products. Unfortunately, they’ve not always worked to scare away the thieves. However, I receive a text when activity occurs, so, if time permits, I can drop by and move the packages inside the house.
And, of course, the true online scammers use the holiday season as a ripe opportunity to flood your inbox with phishing messages.
Shipping-themed phishing messages always increase during the holiday season. Complicating the matter, shipping companies rely heavily on email or text notification in today’s vibrant shipping environment. Therefore, it’s often a challenge to detect which messages are bad.
Whether you, or your business, use UPS, FedEx, DHL, or the USPS, it’s important to understand exactly what a legitimate delivery message looks like from those vendors.
The intent of the phishing messages is to steal. Specifically, the cybercriminals are trying to steal credentials (usernames and passwords), financial information (logins, account numbers), and spread malware which could lead to system ransom, downtime, and other undesirable outcomes.
How do the would-be bad guys design shipping scam messages?
Common techniques include: phony tracking numbers, undeliverable package notice, additional postage request, invalid mailing address, or attaching files to messages that claim to be claims forms or other shipping documents.
So, what do you do if you receive one of these messages and you know you have packages, but, are concerned about the possibility of malicious messages?
One of the most common phishing attempts is delivery of a fake tracking number. There are two ways to avoid this scam. First, if you are expecting a package, simply visit the online vendor’s website, view your account information and check the shipping information there. Secondly, if your vendor only lists the tracking information, but no detail, copy the tracking number from the vendor site and visit the shipping provider. As an example, UPS provides a very quick and accurate webpage for checking on the status of packages. I simply copy and paste the tracking numbers into the UPS website and get updates immediately. Clicking on links in email messages isn’t a good idea, so, taking a couple extra steps and being cautious will avoid malicious efforts, and, possibly provide more detailed shipping information.
Don’t trust links sent to your mobile device as texts – just because you think no one has your mobile number doesn’t mean that’s accurate. Links within text messages can present an abundance of opportunity for poor outcomes. Visit the online seller and check the status there.
As for the other common shipping scams, the same instructions will work. Visit the online vendor’s website to check on all delivery issues. It’s very unlikely that you will receive an email indicating that additional postage is needed. And, email delivery of invoices as attachments is common for business purchases, but rather inconvenient and unusual for consumer purchases – just avoid opening those attachments completely.
And lastly, a perfect way to avoid all of these online scams and shipping concerns is to shop local – support your local business community.
Last week I referenced the Verizon breach report and some of the key observations among the data.
Small businesses are a favorite target for cyberattacks.
I offered two “stacks” of suggestions: the easy-to-do stack and the more-difficult stack. Each stack represents best practices for improving your cybersecurity posture and reducing data breach risk.
The “easy” stack included suggestions for raising employee awareness, managing backup routines, enabling automatic updates, upgrading password hygiene, and strengthening physical security.
The “difficult” stack is heavy with policy and planning.
Verizon’s report revealed that an incredible sixty percent of small businesses that suffered a data breach were closed within six months of the cybersecurity event.
Why?
Obviously, cost and damage to reputation account for many of the closures. However, given that small businesses often operate on razor thin margins, and owners are also operators, time is a precious resource.
As a result, expending time on building technology usage plans and incident response plans is not a front-burner priority. Making payroll and improving revenue are vital to the business’ success, not a plan that may never be used – at least, that’s a common thought.
However, let’s suppose you operate a business that is dependent upon mechanical devices. Your ability to produce is dependent upon machines, and, more specifically, the efficient operation of those devices.
If a device breaks, many small business owners have the expertise to repair their equipment themselves; in fact, their knowledge of the functional side of a business is often the value they depend upon for success. Manuals and a network of knowledgeable resources complement what the owner may lack.
What happens when a data breach occurs?
Choose your own adventure – a hacker breaks into your business software and steals customer data. Or, a ransomware attack is successfully deployed via an email and all of your computers and cash registers are broken. Or, perhaps, a thief smashes a window and walks away with your server.
What do you do?
If a piece of vital equipment broke, you’d employ your knowledge, or, knowledge network to repair the device.
In other words, you would launch a repair plan.
The same must exist with your IT operations. A plan is needed, especially if IT isn’t your core business function.
Enter the IT plans.
A written security policy is necessary for modern businesses. In some instances, a security policy is a regulatory requirement.
In Alabama, the new data breach notification law requires that businesses evaluate and implement reasonable security measures – a security policy/plan will assist in those efforts.
While there’s no penalty for not being proactive, if a breach results, your situation will not be enhanced by not having a written security policy.
A good security policy outlines how you manage customer data, how you protect it, and, if an incident occurs, what you do to respond.
I suggest considering the plan as a blueprint for you and your employees: if something goes wrong, it’s a basic manual for controlling the situation.
Review the policy templates and tailor them to your specific needs. Share them with your employees and review them, at least annually.
Encryption is another must.
Encryption of your data reduces the likelihood of the data being read by an unintended recipient. Most modern operating systems provide a mechanism by which you can encrypt your local data. By enabling local encryption on your office devices, you reduce data loss through physical theft. If someone breaks into your office and steals a computer, an encrypted device presents a formidable challenge to the thief. Similarly, using encryption for accessing email and other sensitive systems is important. If you employ a commercial email product, encryption is always included in the solution, simply verify that it is enabled.
Backups, part two.
I mentioned the importance of backups last week. However, in addition to establishing a backup routine and testing the quality of your backups, there are a few additional items to consider.
The purpose of a backup is to restore lost data.
If your backup solution doesn’t encrypt your data, you should enable backup encryption. If a data thief gains access to your backups, if they aren’t encrypted, you’ve provided a nice package that enables easy theft of volumes of data from one location.
Also, consider your backup strategy.
Are you depending on a local device for backup, such as an external hard drive or tape? Do you depend on a cloud backup, such as Microsoft OneDrive?
Redundancy is important.
If you back up data to a local external hard drive, that’s great – make sure it’s encrypted and stored safely.
But, what do you do if the hard drive fails? What do you do if your cloud provider is down when you need to restore lost data, or, if your internet service provider is experiencing problems?
Redundancy provides extra protection and can be accomplished very simply. In fact, for small businesses, the tools are often available with current software subscriptions; the features simply need to be activated.
And, lastly, data destruction and life cycle should be reviewed.
Don’t hoard electronic data.
If you have no regulatory requirement or business need to maintain copies of unused data, get rid of it. Dispose of the data properly; use verified tools for deletion of the data. By doing so, you reduce the amount of data that a would-be bad actor can access, and make your systems run more efficiently.
Last week’s small, easy tasks will enhance your security posture quickly.
This week’s suggestions require more planning and thought. However, there are many free sources for technology and security plans, and most modern software provides the enhanced features that I mentioned.
Be safe and protect your business and your customers’ data.
When web presences began to take off, it was debatable what constituted an effective site. Thirty years later, I hear the same questions being asked. Do updated graphics and imagery attract more customers? Does frequently-updated content bring customers to your site? Does intuitive navigation make any difference? What about mobile compatibility? Adaptive needs support? Search engine placement? Social media presence?
The list is extensive and seems to repeat every few years, or whenever a new platform or service emerges.
All of those items are important to a successful business presence, especially a business that is driven by an online customer base. And, you shouldn’t neglect securing your online business presence.
However, I’d argue that there are other items of equal, perhaps, more significant importance when evaluating your business technology operations.
Not paying attention is a problem in different avenues. Technology is synonymous with change. If you use technology and expect that technology to simply keep running, need no maintenance, you’re setting yourself up for failure.
Your information technology is no different than mechanical devices. Information technology requires attention. Complacency with all technology will result in poor performance, and, ultimately, failure.
Verizon produces an annual data breach investigation report. The information housed within the report is outstanding and terrifying.
Small businesses are a favorite target for cyberattacks.
According to the most recent Verizon report, almost two-thirds of all cyberattacks were directed at small businesses and individuals. The average cost for a business to recover from a successful cyberattack exceeded $400,000. And shockingly, nearly sixty percent of all businesses go out of business within six months of a successful cyberattack.
In the same report, a survey revealed that ninety percent of small businesses don’t use any data protection at all for company and customer information.
Wow. Ninety percent of small businesses do not use any software or service to protect data.
I’m not a website expert, but, I’ll offer this: it doesn’t matter how pretty your website’s images are or how well you place in search engines results, if you can’t protect your business data and customer data, you won’t be in business long. Similarly, your Twitter account might be on fire, but, if you hemorrhage data, your social media site will become a collection of outdated memes and twisted puns.
So, what are you to do? How do you protect your business and your customers?
Ordinarily, this is where a list would emerge. A top ten, or, top five delineation of chores to review or pursue.
For this discussion, let’s keep things simple. We have two stacks: the easy items and the more difficult items.
Let’s start with the easy stack.
Raise employee awareness. Human error accounts for a sizable portion of the successful cyberattacks. If you fail to inform your employees about the importance of data management and securing information, you shouldn’t be surprised that they open all email attachments and click every link in every email message. Set the stage with commonsense advice: beware of fake invoices, don’t open unsolicited email attachments, don’t click on peculiar links, ask for help before “trying” a new app on your work device. If you train staff to spot and report security concerns, you will create a solid defense.
Back up your data. Often. Yes, more than once a month.
Regular backups are necessary. If you experience a ransomware attack or loss of storage systems, a recent backup will have you up-and-running quickly. That is, if you also test your regularly-occurring backups.
You only cover half the field by starting a frequent backup process. If you don’t test those backups, you cannot have confidence in the process.
Back up frequently and test regularly.
Install anti-virus and anti-malware software and enable automatic updates and scans. This is an easy, low-cost protection. Yes, the software will slow your computers. Would you rather the computers work slowly or not at all?
Update your software, especially the operating system. Modern operating systems can install and update patches automatically. If your business efforts can accommodate a fast, frequent patching process, enable automatic updates. If you have a business need to review the patches and install manually, schedule at least once per month.
Use complex passwords or passphrases. Don’t use easy passwords, just don’t. The would-be bad guys enjoy easy passwords – they’re the gift that keeps on giving. Where available, enable two-factor authentication. Often, the service is included in modern software – turn it on and turn up the difficulty of breaking into your systems.
Survey your paper documents and how you store your various computing devices.
Do you have paper scattered everywhere? Are filing cabinets locked? Are computers locked and secured to a heavy structure? Do employees walk around with USB thumb drives? Do you shred all discarded documents?
Physical security is vital. Not all theft of data occurs through a cyberattack. Crafty criminals will dig through trash, collect items from desks, take photos of computer screens, or, walk out the door with a computer.
And lastly, don’t allow personal devices on your networks. You have too much to worry about already as a small business owner. Your employees’ cellphones aren’t your concern and shouldn’t have access to your business network. Eliminate the security risk by refusing to allow the devices.
Small, easy tasks will enhance your security posture quickly.
And now, let’s move to the more difficult stack. Be safe and we will continue next time.
For the third week of National Cybersecurity Awareness Month, let’s review protecting your “IT”.
Your use of connected technology creates a digital footprint. Your footprint is composed of every click, share, text, email, post, GPS coordinate created by you and your devices. The wealth of data points are constantly updated and subsequently stored.
The digital data trail is enticing to cybercriminals.
Why?
The data is worth a lot.
Some of the wealthiest companies in the world survive on the richness of your digital footprint. Google and Facebook generate the overwhelming majority of their incomes through monetizing your digital data trail into a product: a collection of your behaviors.
Advertisers, and, others, are intoxicated by the power of the digital behavior profile. Due to the sheer volume of data that can be collected from connected systems and the relative ease by which the data can be consumed, an incredibly accurate impression of you can be rendered.