Tuesday, August 23, 2016

Beware of "FTC Refund" phishing fraud

There is a new email scam out that is based on a previous scam perpetrated by J.K. Publications, Inc., that was resolved by the Federal Trade Commission (FTC) several years back.

Because the FTC publishes fraudulent cases like this one on its web site, bad guys can use this information to create a phishing attack that appears legitimate. The real FTC cases are posted here: https://www.ftc.gov/enforcement/cases-proceedings/refunds.

The phishing email being disseminated this week appears to be from the FTC; it recounts old facts from the J.K. Publications case and promises you a refund check. However, the FTC will not send you an email telling you that you need to take action (like click a link or attachment in the email) to receive a refund.

Rule of thumb: Any time you receive an email from an official-sounding organization promising you a refund in a particular dollar amount, be extremely wary of it. Do not click links and do not open attachments to emails like this. Delete the email.
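The two tells in the post above (the message claims to come from an agency but links elsewhere, and it dangles a specific dollar amount with an urgent call to click) can be checked mechanically. The script below is an added example, not part of the original post and not anything the FTC publishes: it parses a constructed sample message, extracts the sender domain and every link, and compares their hosts against an assumed allow-list (`ftc.gov`) on label boundaries so that a lookalike such as `ftc.gov.refund-claims.example` does not pass. The regexes for dollar amounts, urgency and action phrases are heuristics chosen for this example; a real mail gateway would also verify SPF/DKIM, which this code does not do.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list: the domain the message claims to come from.
LEGIT_DOMAINS = {"ftc.gov"}

# Heuristic lure indicators (constructed for this example).
MONEY_RE = re.compile(r"\$\d[\d,]*(?:\.\d{2})?")
URGENCY_RE = re.compile(r"\b(within \d+ (?:hours|days)|immediately|act now)\b", re.I)
ACTION_RE = re.compile(r"\b(click|open the attach\w*|download)\b", re.I)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)

# Constructed sample in the style of the "FTC refund" lure described in the post.
SAMPLE_PHISH = """From: FTC Refund Department <refunds@ftc-refund-center.com>
To: you@example.com
Subject: Your J.K. Publications refund check is ready
Content-Type: text/html

<html><body>
<p>The Federal Trade Commission has approved a refund of $247.50 to you.</p>
<p>Click <a href="http://ftc.gov.refund-claims.example/claim">here</a> to claim your check within 48 hours.</p>
<p>Official site: <a href="https://www.ftc.gov/enforcement/cases-proceedings/refunds">ftc.gov</a></p>
</body></html>
"""

# Constructed benign message for comparison: sender and links stay on the agency domain.
SAMPLE_CLEAN = """From: FTC Consumer Response <consumer-response@ftc.gov>
To: you@example.com
Subject: Case information
Content-Type: text/html

<html><body>
<p>Refund case details are listed at <a href="https://www.ftc.gov/enforcement/cases-proceedings/refunds">ftc.gov</a>.</p>
</body></html>
"""


def host_is_legit(host: str) -> bool:
    """True only if host IS an allow-listed domain or a real subdomain of it.
    A substring or prefix test would accept ftc.gov.refund-claims.example,
    so compare on label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyze(raw_message: str) -> dict:
    """Return the sender domain, off-domain links, lure indicators and a verdict."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")

    links = HREF_RE.findall(body)
    suspicious_links = [u for u in links if not host_is_legit(urlparse(u).hostname or "")]

    indicators = []
    if not host_is_legit(sender_domain):
        indicators.append("sender_domain_mismatch")
    if suspicious_links:
        indicators.append("off_domain_link")
    if MONEY_RE.search(body):
        indicators.append("dollar_amount")
    if URGENCY_RE.search(body):
        indicators.append("urgency")
    if ACTION_RE.search(body):
        indicators.append("action_request")

    # Domain evidence decides the verdict; the lure words only add context.
    phishing_suspected = "sender_domain_mismatch" in indicators or "off_domain_link" in indicators
    return {
        "sender_domain": sender_domain,
        "suspicious_links": suspicious_links,
        "indicators": indicators,
        "phishing_suspected": phishing_suspected,
    }


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyze(sample))
```

The verdict deliberately rests on the domain checks alone: a genuine agency message may well mention a dollar amount, but it will not ask you to claim it through a link on some other domain.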

Monday, August 15, 2016

Two "MySSA" Social Security Administration phishing scams to watch for

Description (official SSA.gov alert is here)

  • In the first scam, you receive an official-looking email from the Social Security Administration (SSA), inviting you to create an account so you can receive benefits. The link lands you on a fraudulent web page where scammers hope you will input your confidential information.
  • In the second scam, the bad guys actually create an account for you and then redirect payments to a bank account that they control.

Prevention tips:

  • As always, stop, think and do not click! Navigate to ssa.gov directly from your web browser.
  • Create your own MySSA account with a strong username and password at https://secure.ssa.gov/RIL/SiView.do. This is similar to filing your tax return early before the bad guys file a bogus return and steal your refund.
  • When creating your MySSA account, under "Add extra security", enable two-factor authentication via text message.
  • After you create your MySSA account, go to settings and choose the option requiring that any changes to your bank account be made in person at an SSA branch office rather than through your online account.
  • Alternatively, block all electronic access to your Social Security record. See https://secure.ssa.gov/acu/IPS_INTR/blockaccess. Unblocking your record in the future requires contacting the SSA.

Saturday, August 6, 2016

See how quickly a social engineer can nab your account credentials

This time every year, a couple of ginormous cyber security conferences happen in Las Vegas. Thousands of hackers and information security geeks gather to attend the infamous DEF CON and Black Hat events. Some of the hacks that are revealed at these events each year will astound the average Internet user—including demonstrations of hacking a baby monitor, remotely shutting down an insulin pump, building a hacker drone, using a cell phone to hack a car, etc.

And let's face it, we are all Internet users now because most of our electronic devices are connected to the Internet. This is called the Internet of Things, or IoT.

The most common cyber attack vector employs social engineering techniques to get you to unwittingly execute malware that exploits some vulnerability in your system, allowing someone to remotely control the system or perhaps encrypt all your files and hold them for ransom, and other nefarious deeds.

Social engineers use deception to persuade you into giving up information that you should not be sharing. This is very easily achieved. Embedded in this Tech Insider article is a 10-minute real-world video to prove it: A hacker shows how you can take over someone's online account in minutes using nothing but a phone.

Watch this hacker steal a reporter's cellular account credentials and email address in only moments with one phone call to his cellular carrier.