Phishing Scams Continue


In mid-January, I was asked to present at a conference of businesspeople regarding CyberSecurity issues. I usually present at least once per month at meetings and conferences about Cyber issues and best practices for protecting corporate and personal information.

When I speak at conferences, one of the topics I always discuss is phishing – a malicious e-mail sent to someone in an attempt to steal information from the recipient or otherwise negatively affect the recipient or their computer system. I’ve also posted on this blog previously about the risks of phishing.

When I would present similar information two years ago, I would say that more than 70 percent of attendees were unaware of phishing and the various risks associated with it. In my more recent presentations, including this latest one in January with 150 attendees, it seems like over 50 percent of attendees were aware of the concept of phishing scams and 20 percent of them had seen it first-hand.

The Good News: Many more people are aware of Phishing scams
The Bad News: The reason many people are aware is because they or someone they know has been hit with some of these scams.

To continue on our quest to spread awareness and recognition of these scams, I’ve created another post about it.

To be clear: Phishing Scams are currently the most common active threat hitting users personally and at all levels of organizations.

Spear-Phishing is similar but more targeted: the e-mails appear to be sent from a particular person that the recipient knows. When this happens, the recipient can sometimes communicate back-and-forth with the scammer because their e-mail address looks legitimate. Every month a company executive or board member mentions a scenario to me whereby their organization was or was almost duped into sending confidential information or wiring money based on what appeared to be legitimate e-mails from scammers. Oftentimes scammers create an e-mail address that changes a letter or two of the company domain name and then send their messages to unsuspecting users.

Here are some simple examples:
If the CFO’s real address is the scammers create one such as (a numeric 1  in place of the letter ‘l’) (’n’ in place of ‘m’)

They then send an email to someone who can wire transfer money, such as a Controller or Finance Manager, and they request that funds be sent for some logical reason. If the recipient doesn’t look closely enough, they won’t see that it came from an incorrect e-mail address.

Note: Almost every week we hear about these types of spear phishing scams. Most of them involve wiring money or some other funds transfer.

Ways to protect yourself and your firm:
1 – If possible, never accept a request to wire transfer money without a face-to-face (or video) conversation or a phone call dialed by you to the phone number you know is accurate for the person requesting the wire. Implement this policy in your firm and make everyone aware of it.
2 – If you typically cannot meet with the person face-to-face/video call, such as in large organizations, set up a code word that is to be used in the authorization step for all wire transfer requests. The code word should be published only to staff involved in wire transfers and it should be changed on a regular basis, but no less than annually.
3 – Ensure that your bank sends an e-mail alert anytime a wire transfer is requested, and set up your e-mail software (such as Outlook) with a rule that automatically will display an alert on your screen when a wire transfer happens. Alerts should be sent to more than one person. Even better, send the alerts to your mobile phone(s). My team can show you how to do this.
4 – While many good firewalls can protect your firm’s users by blocking lots of external threats, carefully created phishing emails can often slip past them. We offer clients a content filtering service that blocks certain types of outbound connections that are attempted when a user unknowingly clicks on a link in a scammer’s email message. Check with your IT department or provider for this type of service.
5 – Always try to look at the sender’s e-mail address to see if it truly is accurate. With as busy as everyone is, it is easy to miss that.
6 – Remember that high-quality logos from banks, utilities and other organizations may look accurate, but unless you check the links to see where they go to, you cannot be sure. One way to be certain you are going to the correct website is to actually type the web address into your browser rather than clicking a link or button. It is an extra step, but it helps ensure you go to the right website (assuming you type it correctly).
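
The lookalike-address trick described above, and the sender check in tip 5, can also be automated at the mail gateway. The following is an added example, not code from this blog: the company domain `examplefirm.com`, the sample senders, and the distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Hypothetical company domain; replace with the domains your firm really uses.
TRUSTED_DOMAINS = {"examplefirm.com"}

# Character swaps that look alike on screen, folded to one canonical form.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))

def skeleton(domain):
    """Fold look-alike characters so 'examp1e' and 'example' compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance: catches swaps such as 'n' in place of 'm'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike of <domain>', 'external' or 'unparseable'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unparseable"
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        # Near-miss of a trusted domain: hold the message for manual review.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return "lookalike of " + good
    return "external"

if __name__ == "__main__":
    for sender in ("Pat CFO <pat@examplefirm.com>", "Pat CFO <pat@examp1efirm.com>",
                   "pat@examplefirn.com", "billing@othervendor.net"):
        print(sender, "->", classify_sender(sender))
```

A distance threshold of 2 suits longer domain names; for very short domains lower it to avoid flagging unrelated senders.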

User Awareness also helps drive down the impact of CyberSecurity scams. To that end, we have created a bi-weekly CyberSecurity TechTip for which you, anyone in your firm, or other colleagues at other firms can sign up. We don’t use the CyberSecurity TechTips for any other purpose other than to help our clients, colleagues and friends avoid Scams. To sign up for the Bi-Weekly CyberSecurity TechTip emails, simply go to this page and enter your name and email address.

Microsoft Word Tip – Quickly Change Line Spacing

Some people find it tedious or frustrating to deal with their line spacing in Microsoft Word documents. It is actually easier than many realize. You can change the line spacing on a single paragraph, page, or even the entire document in two easy keystrokes. Place your cursor anywhere on the target paragraphs, then press a combination of the Control (or CTRL) key and a number as indicated below:

  • Press Ctrl+1 to change the line spacing to single spaced.
  • Press Ctrl+2 to change the line spacing to double spaced.
  • Press Ctrl+5 to change the line spacing to 1.5 (or one and a half spaced).


  • If you are using a Mac, simply use the “Command” key in place of the CTRL key.
  • You must use the numbers above the alphabet keys. This shortcut does not recognize the numeric keypad.

World Backup Day is March 31st!

Make a commitment to ensure your information is truly recoverable.

For many years, our firm has been invited into companies of all sizes to evaluate their IT infrastructure and identify any risks to the client’s business.  Lately, for obvious reasons, the focus is on security.  Proper information security is crucial, but it includes more than just networks and access points.

Almost every month our team conducts IT Assessments for new clients.  Our team estimates that at least ten percent (10%) of the time, we discover that the client would be unable to recover all of their data in the event of a catastrophic loss to their servers, despite having backup systems in place.

Some may think that this data backup issue is associated with small businesses who have tight budgets.  Not True!  That ten percent spans clients of all sizes, including large enterprises.

We have concluded that the primary reason why data is not fully backed up is not due to a lack of funds, but instead a lack of knowledge.  Far too many business executives and IT leaders assume that, because a backup job is running and a log looks correct, everything is backed up.  That is a dangerous assumption.

We’ve seen plenty of cases where most of a firm’s data is backed up, but recent databases were never added to the backup job.  Or other cases where companies who still use tapes for backing up data never realize that their tapes have deteriorated to the point where they cannot restore information.

How to solve this situation?

Simple.  Trust and Verify.  It seems obvious that an IT staff or IT partner will handle your backups properly, but there should be a check to ensure you can recover your information.  Make sure that someone confirms that each type of data or file location is included within a regular backup routine.

Ask to test the restore process by requesting that the IT team restore a few arbitrary files to a separate temporary location as a spot-check — you would have to do that in a disaster anyway.
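
One way to script both checks, the coverage check and the restore spot-check, as an added example that is not from the original post: the directory names, file contents, and include paths are constructed, and the restored copies are assumed to sit under a separate folder that mirrors the live layout.

```python
import hashlib
import random
import tempfile
from pathlib import Path

def sha256(path):
    # Whole-file read is fine for a small spot-check sample.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def uncovered(data_locations, backup_includes):
    """Return data locations that no include path of the backup job covers."""
    includes = [Path(p) for p in backup_includes]
    return [d for d in data_locations
            if not any(Path(d) == inc or inc in Path(d).parents for inc in includes)]

def spot_check(live_root, restore_root, sample_size=3, seed=None):
    """Hash a random sample of live files against their restored copies."""
    live_root, restore_root = Path(live_root), Path(restore_root)
    files = sorted(p for p in live_root.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    report = {"ok": [], "missing": [], "mismatch": []}
    for src in sample:
        rel = src.relative_to(live_root)
        restored = restore_root / rel
        if not restored.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256(src) != sha256(restored):
            report["mismatch"].append(rel.as_posix())
        else:
            report["ok"].append(rel.as_posix())
    return report

def demo():
    """Constructed data: one good restore, one damaged copy, one file never backed up."""
    live = {"finance/ledger.csv": b"a,b\n1,2\n", "hr/staff.txt": b"roster", "crm/new.db": b"db"}
    restored = {"finance/ledger.csv": b"a,b\n1,2\n", "hr/staff.txt": b"ros"}
    with tempfile.TemporaryDirectory() as tmp:
        for root, tree in (("live", live), ("restore", restored)):
            for name, data in tree.items():
                target = Path(tmp, root, name)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        return spot_check(Path(tmp, "live"), Path(tmp, "restore"), seed=1)

if __name__ == "__main__":
    print(demo())
    print(uncovered(["/srv/files", "/srv/sql/crm2024"], ["/srv/files", "/srv/sql/legacy"]))
```

A file edited after the backup ran will show up as a mismatch, so sample files that have not changed since the last backup or compare against the backup's own recorded hashes.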

Are your files hosted with a hosting provider?

Great – ask them to do the same thing, then check the results.  While most hosting providers do a great job, there are some who don’t notice when you add a new database or new file storage area.

I’ve heard clients say “We have a hosting provider who handles our backup – they are responsible.”  Could be.  But regardless of who performs the task on a daily basis, the client’s officers (CIO, CFO, etc.) are still accountable to the firm’s shareholders and should confirm the firm’s data is backed up and protected.

If your firm has files on company laptops in the field, there are simple solutions to getting that information backed up as well using a cloud-based backup provider, or synchronizing files with your home office servers.

There is much more that should be done to prepare for a disaster, but with March 31 being World Backup Day, this is a great time to ensure your company’s data (and your important personal data) is being backed up properly.

Trust –and– verify.

iOS8 – Make sure you have over 5GB of free space before upgrading to iOS 8

iOS 8 was released earlier today and many users are interested in upgrading to it quickly.

While there are many new features and improvements, users should be aware that downloading and installing iOS 8 wirelessly on an iPhone requires approximately 4.7GB of free space!   If you perform the upgrade via iTunes and a computer, you will still need almost 3GB of free space in order to work through the download and installation.  This is because the installation files, known as “packages” need to be downloaded in order for parts of the installation to execute.

You will get space back, however.  Once the upgrade is complete, iOS 8 removes the installation files and you will end up with almost the same available space.  To see how much space your iOS device has available, simply open the “Settings” application and choose “General” then “Usage”.  The amount of free space will be at the top of the screen.  Once the iOS 8 upgrade is complete, several apps will require updates, which may or may not require more space.  That’s why it is best to have more than the minimums available.

For our clients for which we manage dozens, hundreds or thousands of devices in their environment, we are recommending that their users wait a week or two before upgrading in order to find out if there are any issues with the initial release of the new iOS.  This has happened previously with iOS6 and iOS7. We prefer to plan the upgrade process and leverage Mobile Device Management (MDM) tools where appropriate in order to verify that devices have been backed up, any key applications still work properly, conduct testing and other tasks.  This is not always possible in certain client environments.

iPhones and iPads have become crucial devices for many business professionals.  For those who don’t have time to deal with new release issues, it makes sense to wait and see if there are any issues with the initial release and then decide whether or not to wait for a patched version (i.e. iOS 8.01, 8.1, etc.).  Regardless of the upgrade path you choose, be certain that you back up your device before the upgrade and make sure you have more than the minimum free space available.

Does your business need an overall Mobile Device Management strategy?  If so, give us a call at 610-276-5500.

Tips to Increase Your Smartphone Security

Your entire address book, calendar, personal files, photos, and other sensitive information is compressed into one handheld device: your smartphone. Sure, you’ve taken proper precautions to encrypt your company data, set up disaster recovery, and even migrate your files into the cloud. But how secure is your smartphone? These tips will help keep your handset secure and your information private.

1. Create a lock code. To increase the security of your smartphone, set a lock code. You can create a 4-digit PIN or an actual password with a mix of letters, numbers, and characters. Ideally, you should set your smartphone to require this code every time you wake it for use rather than setting a delay of 1 or 5 minutes before passcode entry is required.

2. Enable “Do Not Track.” Every website you surf on your mobile device collects information, or data points, to better tailor advertisements to you. By enabling “Do Not Track” on your mobile web browser, you are telling these websites to not collect any information. While enabling this function does not guarantee your data will not be collected, it does significantly limit the amount. Android users can enable this setting on their Google Chrome browser and iOS users can set this up on their Safari browser.

3. Get familiar with Recovery Apps. It is inevitable. At some point you will misplace your phone. However, now you can track it down when it’s not where you left it. Both Android and iOS offer recovery apps that allow you to track your phone down via GPS location and also lock it just in case it falls into the wrong hands. You also have the ability to completely wipe all data from the phone if you fear that it may be in the wrong hands, or that you may never recover the device.

5. Keep your device physically secure. While you protect your data from websites and businesses, you may be leaving your phone susceptible to the old fashioned snatch-and-grab. Keep your phone in a hard to access place such as in a tight front pocket. It is not a good idea to leave your phone unattended on your office desk, within your car, or on a counter at a department store or coffee shop.  Thieves merely need a few seconds to steal your device.
