What You Need to Know About Cybersecurity

Cybersecurity threats are all around us, though we may not be paying attention to them. This free guide can help you learn how to protect yourself from the latest scams.


Fraudsters are crafting even more creative ways to scam people out of money. Because of this, we created this guide to help you reduce your risk of being duped and to help you keep your personal information safe.

REMEMBER: You’re not too old or too young to be scammed by criminals, and you shouldn’t be ashamed if it happens. Always let your financial advisor know if you’ve been scammed, as soon as you can. They can help you make changes to your financial accounts and potentially unravel or mitigate further damage.

Real-Life Staff Examples

Here are a few recent examples that happened to GWA staff and their families:

Bank Text. A staff member received a text from what looked like her credit union asking to confirm a payment from her account. While it looked completely legitimate, she does not use that account and knew there would be no activity needing approval.

Employer Email. A staff member’s young son works for a local city. He received an email that looked like it came from the human resources department stating that they changed their payroll system. It provided a link asking him to upload his bank account and routing number so his paycheck would not be delayed. He asked his boss about the email.

Legitimate Business Activity. Another staff member paid a tollway bill online with a credit card and later received an email asking her to verify ACH bank details. But she remembered that she had paid by credit card, not by bank transfer.

Impersonation. One staff member received a text from an unknown phone number claiming to be another staff member. The sender asked her to run down to the nearest drugstore (likely to buy gift cards and provide the numbers).

Password Update. Another staff member received a message from what looked like LinkedIn, providing a link to update her password.

Had any of these staff members been too busy to pay close attention, they could easily have clicked on links that downloaded viruses or revealed their personal details to these scammers.

Here’s What You Need to Know

No account is completely hack-proof, but applying some common sense security measures can substantially reduce the risk that your information will be compromised.

Two-Factor Authentication. Where possible, set up two-factor authentication (2FA), which requires a second form of identification, such as a login code, a hardware token, a fingerprint, or another biometric, before you can log in to your account.

Authenticator Apps. Google Authenticator, Microsoft Authenticator, and similar apps generate the login codes for participating websites. They keep the codes in one place and work even when you’re offline. Note that if you buy or upgrade to a new device, you will have to set the app up again so that your accounts “remember” the new device.

Artificial Intelligence. You may wish to set up fingerprint, facial, or eye-scan recognition on your devices. Work is also being done on behavioral biometrics: systems that measure your typing rhythm, hand-eye coordination, voice, and even the pressure with which you type or tap.

Keep Software Updated. Two-factor authentication and authenticator apps cannot protect a device that is itself compromised: when a code is delivered through an outside source, hackers can still take advantage of backdoors and unpatched vulnerabilities on your device. Therefore, keep your device software updated and maintain current antivirus and antimalware programs on all your devices.

Stop Creating Spam for Yourself. You may unwittingly create more spam for yourself and increase your risk of falling for scams. Never respond to a spam email, and think twice before unsubscribing, which tells the spammer they reached an active account. If you do not know the sender or do business with them, delete the email. Reducing the amount of spam and junk email you receive will help you sort through your inbox faster.

Stop Recycling Passwords. With a password manager app, you don’t have to remember your passwords or where you saved them, so there is no reason to reuse one across accounts. Once you sign up and pay a relatively low annual fee, you’ll use one password to access the app and all your passwords.

Watch for Social Engineering

A successful “hook” uses social engineering in the form of headlines designed to lure you into taking some sort of action. Cybercriminals often send emails with heartfelt requests, shocking headlines, or legitimate-looking offers. If you click, you may be sent to web pages that install malicious software on your device.

Here are several types of social engineering scams:

Phishing and Spear Phishing. As the real-life examples earlier in this guide show, familiarity and a lapse in attention can be catastrophic. To protect yourself, question the legitimacy of every email you receive so you do not unwittingly give up private information.

To protect yourself from phishing and spear phishing:

  • Be wary of emails that look like they came from your bank or credit card company and ask for personal information, or that send you to sites requesting it. Verify requests by calling the number on the back of your bank card. You should also routinely check your credit report.
  • If you receive an urgent email from a friend or co-worker that asks for money or a bank transfer, or an email that seems out of place, call them to verify that they sent it.
  • Pay attention to the “from” address in emails, and hover over any link to see its real destination (shown at the bottom of the browser window) before you click; a mismatch between the text and the destination is a sign of phishing.
  • For charitable donations, give directly on the organization’s website instead of through an email request.

Ransomware. This is a type of malicious software that prevents you from accessing the personal information on your computer. Victims either open “booby-trapped” attachments sent to them by email, or they click malicious links while browsing.

The three types of ransomware are scareware, screen locks, and encrypting ransomware:

Scareware. This usually takes the form of pop-ups that claim your computer is infected and that you must purchase the hacker’s software to remove it. Your files are usually safe, but whether you back out or pay, you’ll continue to get the annoying pop-ups.

Lock-screen ransomware. This will lock you out of your computer, often with an official-looking seal that says illegal activity has been detected and you must pay a fine.

Encrypting ransomware. This means a hacker has encrypted your files and claims you will only get them back if you pay. There is no guarantee the files will be returned to you if you decide to pay.

To protect yourself from ransomware:

  • Never pay a ransom to get your data back. You may be able to recover some of it by other means, but you may never get it all.
  • Routinely create secure backups to external drives that remain unplugged when not in use, so they do not become infected.
  • You can also back up to cloud storage that encrypts your data and supports multi-factor authentication. Learn whether the cloud service you choose can be trusted.
  • Use multi-factor authentication whenever possible, including for any cloud storage.
  • Avoid clicking links, photos, or videos from strangers, or even from people you know if they look suspicious. Contact the sender to verify that they sent you something and what it is before you open anything.

Pharming. This is the practice of sending users to legitimate-looking websites that harvest personal data like login credentials, social security numbers, and account numbers. It can occur when you inadvertently click a link that installs a virus on your computer, which then redirects the addresses of sites you wish to visit.

To protect yourself from pharming:

  • Install anti-virus and anti-malware software and keep it updated
  • Use smart computer practices like avoiding clicking on websites or emails that look suspicious
  • Watch for addresses in the address bar that don’t look right
  • Be wary of sites that ask for personal information that normally do not
  • Get in the practice of looking for the lock in the address bar before you share information on a page. The lock indicates that the connection to the site is encrypted (HTTPS); it does not prove the site is honest, so check the address as well
  • Click on the security lock in the address bar to make sure the website has an up-to-date, trusted certificate issued to the name you expect
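The phishing checklist above (compare the text of a link with where it really goes) and the pharming checklist (watch for addresses that don’t look right, look for https) can be applied to every link in a message at once. The Python script below is an added example, not part of this guide: it pulls the links out of a constructed HTML email, flags plain http, flags shown addresses that differ from the real destination, and flags hosts that bury or imitate a trusted domain. The trusted-domain list and the sample message are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the reader really does business with (assumed, illustrative only).
TRUSTED_DOMAINS = {"examplebank.com"}
# Character swaps commonly used to build look-alike domain names.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def owner_domain(host):
    """Crude 'last two labels' approximation of who owns a hostname."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return the guide's checks this link fails; an empty list means it passed."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    owner = owner_domain(host)
    if url.scheme != "https":                       # "look for https://"
        reasons.append("not https")
    shown = re.search(r"https?://([^/\s]+)", text)  # "hover to see the real address"
    if shown and owner_domain(shown.group(1)) != owner:
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    for trusted in TRUSTED_DOMAINS:                 # "addresses that don't look right"
        if owner == trusted:
            continue
        if trusted in host:
            reasons.append(f"{trusted} buried inside untrusted host {host}")
        elif owner.replace("rn", "m").translate(LOOKALIKE) == trusted:
            reasons.append(f"{owner} is a look-alike of {trusted}")
    return reasons


def scan_email(html):
    """Run every link in an email body through check_link."""
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}


# Constructed sample message (not a real email), modelled on the guide's examples.
SAMPLE_EMAIL = """
<p>Please <a href="http://examplebank.com.verify-login.net/x">confirm</a></p>
<p>or visit <a href="https://examp1ebank.com/">https://examplebank.com/</a></p>
<p>Statements: <a href="https://www.examplebank.com/statements">here</a></p>
"""

if __name__ == "__main__":
    for link, problems in scan_email(SAMPLE_EMAIL).items():
        print(link, "->", problems or "looks consistent")
```

The owner-domain guess is deliberately crude (it treats the last two labels as the owner), so real mail filters use a public-suffix list instead; the point here is the three checks the guide tells readers to do by hand.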

Botnets. Like pharming, botnet malware usually reaches you through a message that is out of character for the sender: a strange email or private message from a friend suggesting you look at a link, picture, or video. Once installed, it turns your computer into part of the attacker’s network.

Botnets are large, zombie networks that link together thousands or even millions of affected computers to stage either a spam attack or Distributed Denial of Service (DDoS) attack. A DDoS usually overloads a website with requests, causing malfunctions and even taking down websites.

To protect yourself from botnets:

  • Never click links, pictures, or videos in emails or private messages from a friend or connection that seem out of character.
  • Ask your contact if they sent you something and what it is before you consider opening it.

Mobile Scams

Smishing. Similar to phishing emails that try to trick you into entering personal information or login credentials, short message service (SMS) phishing performs much the same function but uses messaging and texting instead.

Over 90 percent of attacks start with smishing, a technique in which cybercriminals send text or private messages that dupe people into revealing personal information or login details, or that carry links which deliver malware to their device when clicked.

Mobile Ransomware. Ransomware threats are now focusing on mobile phones. The cybercriminal steals the data first, locks the victim out of their data, and then sends a note telling them to pay.

Sextortion. Cybercriminals may even threaten to shame the victim on the internet with their personal data. Frequently, these criminals gain access to explicit photos or messages and engage in “sextortion” to extort money from those who wish to protect their reputations.

Quishing. Scammers are taking advantage of people’s willingness to scan QR codes, using them to send people to nefarious sites that steal their information or automatically download malware such as ransomware.

Public Wi-Fi. Public hotspots are not the place to open new accounts or access your bank or investment accounts. Some of the sites you reach may be spoofed, leaving you open to sharing your personal details.

Protect yourself from mobile scams:

  • As with your desktop, you should add a virus protection app to your mobile devices. Your mobile provider may offer free apps and there are other free apps such as Malwarebytes
  • Never click on anything you are unsure about
  • Never assume privacy when using public hotspots
  • Verify the owner of a QR code before scanning it

The Latest Scams

Fake Search Results Online. While they do their best to avoid it, online search engine results such as those from Google, Bing, and others may have fake websites included at the top of search results, including paid ads.

Membership Scams for Prime and Other Services. Watch for calls, texts, and emails asking you to confirm or cancel a membership charge, or asking for bank account information to reinstate your account.

Account Suspension/Deletion Scams. Fraudsters send a message, text, or email asking you to click on a link to verify your account or reinstate it. Also, watch out for phone calls offering discounts for immediate payment of a bill, and be skeptical of threats that a service will be turned off without payment (most companies will send you multiple notices by mail).

Digital Money Movement. Criminals impersonate well-known companies, financial institutions, and even government agencies requesting payment by wire transfer or through Zelle® or other payment platforms.

Facebook Marketplace and Other Sales Sites. Watch for scammers that require you to provide your email address to make or receive payment using a Zelle® “business” account, to which they send an email with links that ask you to sign in and “verify” your payment account.

Things you can do to protect yourself

1. Think Before You Part With Your Money. Never send money to:

  • Anyone claiming your account is compromised
  • Anyone asking you to send money to yourself
  • Anyone claiming to be from a government agency
  • Any stranger, regardless of the reason they give
  • Telemarketers selling you something
  • Unauthorized, unverified crypto sites or salespeople

2. Simple Safety Reminders. These additional practices can help reduce your chances of becoming a victim.

  • Never allow remote access to your computer if you have not initiated contact with a company you know through a verified phone number or website
  • Never click on anything that looks suspicious or too good to be true
  • Review URLs and search results online to verify if you have the right business before clicking on it
  • If you receive a suspicious call, email, or text, do not disclose your personal information until you verify it is a legitimate source by contacting the company directly. Most entities from banks to the IRS will never contact you through an email that asks for private details or to verify your password
  • Set up Two-factor authentication with services you use online
  • Protect your login IDs, passwords, and PINs, and ensure they are not easily guessable
  • Protect your bank cards and avoid storing them online
  • Keep your computer system software and browsers updated. These updates offer the latest security updates and fix flaws in previous versions. The WannaCry attack in 2017 was successful because it exploited many users who did not apply the Microsoft updates to their computer
  • Keep your anti-virus and anti-malware software up to date
  • Cut down on the amount of spam you sort through daily with two email accounts. Use one for personal emails only, and one for public use like signing up for new accounts, mail lists, and public forums
  • Protect yourself from card scanners. Use RFID protectors for tap and pay bank cards with the contactless symbol
  • Watch your mailbox for scams that warn your warranty is out, insurance offers, request payment for a service you do not use, and include check-like documents offering loans. Take care to verify that any bills and statements are from companies you currently do business with before you pay them

3. Ensure you are securing your passwords. A password manager—some well-known versions include LastPass, Dashlane, RoboForm, and 1Password—is essentially a secure online storage vault for your passwords. You’ll find both desktop and smartphone app versions available. Load them on multiple devices and your information will be synced across them.

4. Verify your cloud storage is secure. As cloud-based services become more prevalent, you might be wondering how your information is stored. If a criminal were to guess your password, he or she could potentially gain access to your information. Here are some provider security features to watch for:

  • Encryption at rest. Not only should your information be encrypted in transit, but it should also be encrypted at rest—while it’s sitting in the cloud. That way, if anyone were to get access to that information, he or she would still need your password in order to make any sense of it. Verify your cloud provider provides this added security.
  • Audit your files frequently. Remove anything from your backup set that is no longer pertinent to your life or necessary to retain.
  • Always have a backup plan. The only surefire way to insulate yourself from all possible disaster scenarios is to couple your cloud provider with some sort of local storage. Essentially, it means keeping an external hard drive with all your data locked up in a secure location even though you’ve subscribed to a cloud service. In the unlikely event that a cloud provider experiences a breach or other issue, you will thank yourself for maintaining a copy of your data locally.
  • Manage your own encryption key. Although most cloud providers handle all encryption needs for their customers, some give you the option of managing your own encryption key. This ensures that no one other than you, not even the cloud provider, can access your data.

5. Ensure your web browser is secure. It’s important to check your browser’s default settings which are often geared toward enhanced usability rather than information security. The following features are not considered dangerous in and of themselves, but they are commonly used by attackers as avenues of exploitation:

  • Use multifactor authentication when possible. This extra layer of protection can help make your login process much more secure.
  • HTTPS connection. Check the beginning of the URL you visit to access your cloud to verify that you see https:// which means that your information will be encrypted while it’s in transit between you and the cloud. If the URL begins with “http”, keep in mind that any information you transmit could potentially be compromised. In this situation, we’d strongly recommend finding an alternative.
  • JavaScript. This web scripting language is used to create interactive effects that enhance the look, feel, and functionality of the majority of websites you visit. Hackers can manipulate the JavaScript on a legitimate website to redirect you to a malicious site that could download viruses or attempt to harvest your personal information. Browsers give you the option to allow or deny sites to run JavaScript, and it is best practice to allow only trusted and secure sites to do so. Consider creating allow and block lists through either your browser’s settings or a browser add-on/extension.
  • ActiveX. Because of widespread malicious activity with ActiveX controls, many browsers have disabled the controls by default, and many no longer support them at all. ActiveX warrants mention since it is still in use in some browsers. Hackers can inject malicious code into vulnerable sites that could compromise your computer and put your sensitive information at risk when you run ActiveX on that particular site. If a website prompts you to install and run software, do so only for a trusted and secure site.
  • Plug-ins, add-ons, or extensions. These software components can be added to your browser to support certain features or functionality of different sites. The plug-ins, add-ons, and extensions you have added over time usually release regular updates that fix security holes; an outdated version stays exposed, so keep them updated and remove any you no longer use.
  • Cookies. When you browse the web, some of your online activity and information you provide to sites is collected and stored in cookies, including your IP address, the last time you visited that site, and your e-mail address or username. Privacy issues are the main concern here, as some sites (especially advertising sites) may use cookies to track your browsing habits without your knowledge. Allow cookies only for sites that you trust, especially if you’re providing login or payment information. Every once in a while, clear your cookie cache, even if cookies are stored only by trusted sites.

6. Other things you can do. These tips are from a former FBI agent:

  • Don’t falsely believe that because you don’t do much online, a hacker or spoofer isn’t going to be interested in your data
  • Take extra care when traveling with tech
  • Have a data breach plan in place
  • Be cautious about what you visit, read, or receive. The internet is untrustworthy, and we must test and validate everything we do while online
  • If you become a victim of ransomware, visit a trusted local IT company that can reload your computer from scratch and pull your data from backups
  • The FBI keeps a database of cybersecurity crimes and would like you to report if you become a victim of cybercrime to their Internet Crime Complaint Center at ic3.gov
  • Finally, if you receive an email or text message that threatens your life, call 1-800-CALLFBI immediately so that the FBI can deal with it in real time

Check out our other carefully curated articles on information security. We are always happy to answer any questions you may have when it comes to preventing online threats. You can reach us at one of our convenient offices listed on the Contact Us page.


We all know there is a lot of misinformation on the web. That’s why, as part of our GWA Gives© program, we are dedicated to helping others find sound advice. We believe in sharing free material so people have a trusted source to rely upon.

This material has been provided for general informational purposes only and does not constitute either tax or legal advice. Although we go to great lengths to make sure our information is accurate and useful, we recommend you consult a tax preparer, professional tax advisor, or lawyer.
