Tag: phishing

Say NO to Stealing Sensitive Information by Phishing

Just a few days after the IRS released its warning about W-2 phishing, it appears the College of Southern Idaho (CSI) reported that 3,000 employees’ personal information may have been compromised by a phishing scam.

The attackers are now expanding their sights into higher education according to a recent article by Paul Greene, an attorney at Harter Secrest & Emery.  Given the large number of employees, including seasonal employees, community education instructors and people who work for auxiliary agencies, these institutions are great sources of sensitive information and money.  In this case, someone impersonating a CSI administrator sent an email to an employee requesting W-2 information for all school employees over the past two years.

This type of data breach can be very expensive, cause disruption in the organization, harm the school’s reputation, and is a strong indicator that the school will be the target of future attacks.  It also sets up other higher education institutions as potential targets for other phishing scams.

Unfortunately phishing can even hit organizations sensitized to these scams.  A case in point is something that happened to me this week.  I got an email from someone in my company asking for my help.  I responded asking what I could do and through a series of emails the person asked me to help them send some money using Western Union.  At that point I got suspicious and wanted to see how far this went.  I asked them where they wanted to send it and if we could speak.  At that point the spammer said they couldn’t speak but asked me to send $750.  Needless to say I didn’t respond, but had noticed the return emails changed each time I replied.  And the email addresses were not from anyone in my company.

The best defense against these scams and the data breaches they may cause is to make employees aware of them and to implement technology that makes it difficult to steal the information.  All PII and other sensitive information should be encrypted and protected with persistent security policies so that only authorized users can access them.  If W-2 or other PII were to leak through this scam, the recipients would have useless files with random data in them.  No accessible data, no data breach.

If your employees are unaware of good data security practices, teach them.  No executive should ever ask for W-2 information or other PII by email.  They have a responsibility as does any employee to protect this sensitive information from unauthorized access.  Checks and balances are necessary to verify requests are legitimate and that you can trust the party on the other end.  Technology can help ensure that sensitive data can’t get out, but employees must be taught good data stewardship practices before they become victims.


Photo credit Jim Pennucci

How to Fight the Latest Phishing Scams

The more things change, the more they stay the same, unfortunately.  Paul Greene, an attorney at Harter Secrest & Emery, in a recent blog post mentioned a new IRS warning about the reappearance of phishing scams targeting W-2 information.  Companies have lost thousands of dollars in email compromise attacks that first steal W-2s and then attempt wire transfer frauds.

This is nothing new, of course, with the IRS having issued the same form of warning around this time last year.  But it is tax season and the scammers, fraudsters and hackers decided to get a jump on things this year.

In recent years, the criminals targeted corporations, but this year they are casting a wider net, potentially affecting schools, non-profits, restaurants, healthcare providers, and tribal organizations.  This is a classic case of targeting organizations that may not have the best security, since they have not been victims in the past.  Those organizations affected in recent years have hardened their defenses, but now the scammers are going after the next tier.  They also may be going after the supply chain of some of the companies targeted in the past.  After all, it’s easier to attack a small service provider than to attack a large bank or manufacturing company.

The scammers first attempt to access W-2s and then request a wire transfer that looks legitimate.  Unfortunately people are falling for it, partly because the requests look legitimate and partly because some organizations don’t have the proper security tools or procedures in place to thwart it.  Once an organization falls victim to an attack, it’s game on.  The hackers will keep attacking the organization unless they are stopped or until they get everything they can.

The best defense is to make employees aware of these scams and to implement technology that makes it difficult to steal the information.  All PII and other sensitive information should be encrypted and protected with persistent security policies so that only authorized users can access it.  If W-2 information were to leak through this scam, the scammers would have files with random data in them.  Since they are not authorized users, they wouldn’t be able to read the information.

Organizations also need to teach their employees that security is everyone’s job.  Just like you expect people to make sure the door locks when they leave, people need to understand that it’s their job to protect sensitive information in their care.  Checks and balances are necessary to verify requests are legitimate and that you can trust the party on the other end.  Technology helps in many cases, but you need to add good, old-fashioned common sense too.
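The W-2 request described in both posts above shares a recognisable shape: an executive’s display name on the From line, a sender or Reply-To address outside the organization’s domain, and a request for W-2s, payroll data or a money transfer.  The following Python check, an added example not taken from either post, scores a message on those three signals so a mail gateway or help desk can hold it for verification; the company domain, executive names and the two sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.edu"                 # assumed internal domain (placeholder)
INTERNAL_STAFF = {"Pat Admin", "Chris Chief"}  # constructed executive display names
SENSITIVE = ("w-2", "w2", "wire transfer", "western union", "payroll")

def domain_of(addr):
    """Lower-cased domain of an address header, or '' if there is no address."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def bec_indicators(raw):
    """Return the reasons a message resembles a W-2 / wire-transfer lure."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    reasons = []
    # Known staff name on the From line, but the address is not ours.
    if name in INTERNAL_STAFF and from_dom != COMPANY_DOMAIN:
        reasons.append(f"'{name}' impersonated from external domain {from_dom}")
    # Replies are steered to a different mailbox than the one shown as sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # The body asks for the data or money these scams are after.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [k for k in SENSITIVE if k in text]
    if hits:
        reasons.append("sensitive request keywords: " + ", ".join(hits))
    return reasons

def is_suspicious(raw):
    """Hold the message for out-of-band verification when two or more signals fire."""
    return len(bec_indicators(raw)) >= 2

# Constructed sample messages, not real mail.
LURE = """From: Pat Admin <pat.admin@example-mail.com>
Reply-To: pat.admin.office@freemail.example
To: hr@example.edu
Subject: W-2 request

Please send the W-2 forms for all employees for the past two years today.
"""
LEGIT = """From: Pat Admin <pat.admin@example.edu>
To: hr@example.edu
Subject: Meeting

Can we meet Thursday about the new payroll schedule?
"""
```

A single keyword hit on its own (the legitimate payroll meeting above) is not enough to hold a message; the address anomalies are what separate the lure from normal traffic.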


Photo credit Steven Depolo

Protect Your Privacy and Data During Online Holiday Shopping

Today is the last shopping day before Christmas, although I would bet a few of you will somehow buy something on Christmas morning; thank goodness for 24-hour minimarts.  A lot of us are doing more of our shopping online, which is both convenient and prone to abuse.  Protect your privacy by taking precautions and only shopping at retailers you trust.

If you shop at a trusted website, your credit card information should be safe and you are protected from someone stealing your personal information.  Reliable retailers take a lot of precautions to protect your data from hackers and insiders who might snoop.  The last thing a retailer wants is a black eye from a data breach.  You can probably think of a few sites that might be suspect.

In a recent article by Sue Marquette Poremba, “Better Security Habits Started During Holidays Should Continue All Year Long”, Sue talks about precautions ecommerce sites need to take to ensure they are trustworthy and can guarantee that all of us have a safe shopping experience now and into the new year.  While most of us may not think about the other side of the transaction, it’s important to understand how it works and what you need to know before shopping.

Here are some of the main points from the article.

  • Conduct research: consumers should check reviews about ecommerce sites to evaluate the “naughty” and the “nice.” Consider how you want your customers to review you. Do you want to have a black mark of a data breach on your record permanently? (Ask Target about that problem.)
  • When in doubt, throw it out: consumers shouldn’t fall for spam or phishing emails about your site. It’s tough to tell a real email from a phishing email anymore, so how do you want to get the word to your potential shoppers about sales without them worrying about it being fake?
  • Personal information is like money, so value it and protect it: consumers can only do so much to protect their personal information once they give it to you. What are you doing on the back end to keep that data safe? Are you encrypting passwords? How secure is your cloud storage? Are your software and operating system up to date?
  • Use safe payment options: Here again, the customer is depending on you. Are you PCI compliant? Is your mobile app secured with HTTPS?


You can help an online retailer by following these guidelines and alert them if you receive something fishy in your email or in a text message.  Make sure you only go to trusted merchants so you don’t get that letter in the mail saying something was stolen.

Enjoy the holiday season and enjoy all those online purchases.


Photo credit Jesse757

10 Tips To Make You A Cyber Smart Holiday Shopper

As we move into the week of Thanksgiving in the US, some of us start thinking about eating, family and football; not necessarily in that order.  Others start thinking about shopping for the holidays.

Next week is Cyber Monday and I think it’s a little easier on the feet and constitution than Black Friday.  I would rather go online and go after all the bargains, rather than waiting in line and fighting all the crazy people out there trying to get $50 off a television.  But to each his or her own.

As with anything online, you need to take the good with the bad.  There will be a lot of great deals from reputable sites, but watch out for scams.  Online scammers try to game the search engines with “legitimate” bargains.  You search for a bargain and the link takes you to a site that looks legitimate. Check to see that it is a legitimate merchant before you buy anything.  Some are just sites with malware that could wreak havoc on your computer.

Also look out for social media, text and email scams.  Facebook, Twitter and LinkedIn are popular targets.  A seemingly great offer for a discounted service or product will first ask for personal information.  This is a basic phishing scam to get you to give up personal information that results in targeted attacks. If you see something that looks too good to be true, it probably is.  It may have come from a hacked account, so beware.  As usual, the goal is to get you to part with your money.

Here are 10 tips to keep you safe while online shopping:

  • Conduct research: When using a new website for purchases, read reviews and see if other consumers have had a positive or negative experience with the site.
  • When in doubt, throw it out: Links in emails, posts and texts are often how cyber criminals try to steal your information or infect your devices.
  • Personal information is like money, so value it and protect it: When making a purchase online, only provide information required to complete the transaction. You only need to fill out required fields at checkout.
  • Use safe payment options: Credit cards are generally the safest option because they allow you to seek a credit from the issuer if there is a problem.  Your liability is also limited if someone steals your credit card information.
  • Protect your $$: When shopping, check to be sure the site is security enabled. Look for URLs with https:// to help secure your information.
  • Now you see me, now you don’t: Some stores and other locations look for devices with Wi-Fi or Bluetooth turned on to track your movements while you are within range. Disable Wi-Fi and Bluetooth when not in use.
  • Get savvy about Wi-Fi hotspots: Limit the type of business you conduct over open public Wi-Fi connections, including logging on to key accounts, such as email and banking. Adjust the security settings on your device to limit who can access your phone.
  • Keep a clean machine: Keep all web-connected devices, including PCs, smartphones and tablets, free from malware and infections by running only the most current versions of software and apps.
  • Get two steps ahead: Turn on two-factor authentication on accounts where available. It adds a layer of protection beyond login ID and password.
  • Create better passwords: If your passwords are weak, improve them by adding capital letters, numbers and symbols and using different passwords for every account.

Shopping online is a great way to get some bargains and save time.  Enjoy yourself, but keep safe.  You worked hard for your money, so don’t let scammers and cyber criminals get you to part with it.


Photo credit Kevin Galens
