Tag Archive for email

9 Emails You Should Never Open

The increasing pace of life, coupled with mobile computing that bombards us with emails and messages from more sources and across more devices than ever before, has created what Proofpoint calls a generation of trigger-happy clickers.

Trigger-happy clickers are falling more and more for fake emails from cybercriminals. These fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link, according to the article. To put that into context, a legitimate marketing department typically expects a <2% click rate on its advertising campaigns.

So, despite the best efforts of security professionals, too many people are still falling prey to email scams at home and work. Whether it’s a get-rich-quick scheme or a sophisticated spearphishing attack, here are some emails to steer clear of:

1. The government scam

These emails look as if they come from government agencies, such as the IRS, FBI, or CIA. If these TLAs want to get a hold of you, it won’t be through email.

2. The “long-lost friend”

This scammer tries to make you think you know them, but it might also be a contact of yours that was hacked.

3. The billing issue

These emails typically come in the form of legitimate-looking communications. If you catch one of these, log into your member account on the website or call the call center.

4. The expiration date

A company claims your account is about to expire, and you must sign in to keep your data. Again, sign in directly to the member website instead of clicking a link in the email.

5. You’re infected

A message claims you’re infected with a virus. Simple fix: Just run your antivirus and check. In a recent twist, scammers claim to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need.

Scammers have been peddling bogus security software for years. They set up fake websites, offer free “security” scans, and send alarming messages to try to convince you that your computer is infected with malware. Then, they try to sell you software to fix the problem. At best, the software is worthless or available elsewhere for free. At worst, it could be malware — software designed to give criminals access to your computer and your personal information.

But wait, it gets worse: if you paid for their “tech support,” you could later get a call about a refund. The refund scam works like this: Several months after the purchase, someone might call to ask if you were happy with the service. When you say you weren’t, the scammer offers a refund.

Or the caller may say that the company is going out of business and providing refunds for “warranties” and other services.

The scammers eventually ask for a bank or credit card account number. Or they ask you to create a Western Union account. They might even ask for remote access to your computer to help you fill out the necessary forms. But instead of putting money in your account, the scammers withdraw money from your account.

6. You’ve won

An email claims you won a contest you never entered. You’re not that lucky; delete it. It’s illegal to play a foreign lottery. Any letter or email from a lottery or sweepstakes that asks you to pay taxes, fees, shipping, or insurance to claim your prize is a scam.

Some scammers ask you to send the money through a wire transfer. That’s because wire transfers are efficient: your money is transferred and available for pick up very quickly. Once it’s transferred, it’s gone. Others ask you to send a check or pay for your supposed winnings with a credit card. The reason: they use your bank account numbers to withdraw funds without your approval, or your credit card numbers to run up charges.

7. The bank notification

An email claiming some type of deposit or withdrawal. Give the bank a call to be safe.

8. Playing the victim

These emails make you out to be the bad guy and claim you hurt them in some way. Ignore.

9. The security check

A very common phishing scam where a company just wants you to “verify your account.” Companies almost never ask you to do this via email.

What To Do Instead of Clicking Links

In the case of your bank or other institution, just go to the website yourself and log in. Type in the address manually in the browser or click your bookmark. That way you can see if there’s something that needs to be taken care of without the risk of ending up on a phishing site.

In the case of your friend’s email, chances are that they copied/pasted the link into the message. That means you can see the full address. You can just copy/paste the address into the browser yourself without clicking anything. Of course, before doing that make sure you recognize the website and that it’s not misspelled.
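The "make sure you recognize the website and that it's not misspelled" check can be automated. The following is an added example, not part of the original post: the `KNOWN_SITES` list is constructed, and the function names are hypothetical. It works out which host a pasted address would really reach and flags near-misses of sites you use.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the sites this reader actually uses (assumption).
KNOWN_SITES = {"chase.com", "paypal.com", "microsoft.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(url):
    """Return the host a browser would contact (text before '@' is ignored)."""
    try:
        parts = urlsplit(url if "://" in url else "//" + url)
        return (parts.hostname or "").rstrip(".")
    except ValueError:
        return ""


def classify_link(url, known=KNOWN_SITES, max_typos=2):
    """Classify a pasted address as known, lookalike, unknown or invalid."""
    host = host_of(url)
    if not host:
        return ("invalid", None)
    # Exact match or a genuine subdomain of a site on the allowlist.
    for site in sorted(known):
        if host == site or host.endswith("." + site):
            return ("known", site)
    # Every dotted suffix of the host except the bare top-level label.
    labels = host.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for site in sorted(known):
        # Known name used only as leading labels of some other domain.
        if host.startswith(site + "."):
            return ("lookalike", site)
        # Misspelling within a couple of characters of a known site.
        if any(edit_distance(s, site) <= max_typos for s in suffixes):
            return ("lookalike", site)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample addresses.
    for link in ("https://www.paypal.com/signin", "http://paypa1.com/signin",
                 "https://chase.com.account-verify.example/login",
                 "https://paypal.com@evil.example/"):
        print(link, "->", classify_link(link))
```

A "lookalike" or "unknown" verdict means the address should be typed by hand or opened from a bookmark instead.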

Proofpoint’s bottom line is that unless you explicitly know and trust it, avoid it. That’s all there is to it. Make this a habit and you can avoid one of the biggest mistakes in internet safety.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Spear Phishing

As long as there have been people, there have been scammers of some kind. Today, cybercriminals use the same technology (email, instant messaging, chats) that helps everyone else in their daily lives. The only difference is that they use it for wrongdoing. The results of a recent JPMorgan Chase company hack prove it. The banking giant fell victim to a spear phishing attack.

The outcome of the JPMorgan Chase & Co. hack was that over 76 million user accounts were compromised. It is also very likely that other banks were breached by the same attackers. The breach of JPMorgan Chase should serve as a reminder that even large, sophisticated businesses can be breached by today’s phishing expeditions.

Attackers were able to penetrate JPMorgan Chase’s defenses and roam their networks undetected for months, most likely due to one worker who fell victim to a spear phishing attack. Corporate security and hackers are engaged in an asymmetric fight right now. The good guys have to protect the entire enterprise, while the bad guys only need a single point of failure to gain access: just one user to fall victim to a spear phishing attack and they are in.

The bad guys have the advantage

Anyone can claim to be a Nigerian prince from behind their computer screen and bilk unsuspecting targets for their financial information over email. All it takes is a valid email account – personal or otherwise. With the hacker’s advantage in mind, here are some tips to help avoid spear phishing attacks and prevent the attacker’s access to your firm.

Spear Phishing

Today’s phishing attacks are not the crude, typo-filled emails from Nigeria of yesteryear. Spear-phishers carefully research their targets. They will know your manager’s name, the names of your co-workers, and perhaps the projects you’re assigned to. This knowledge and detail make spear-phishing very effective.

No matter what the nature of an email account is, it is susceptible to all the dangers of the Internet. This is bad news for businesses that use email, and a lot of organizations out there fit that bill to a T. The more that a company uses email, the greater the chance that they will experience a data breach of some kind.

There is really nothing stopping a well-crafted phishing scam from appearing in a corporate inbox and fooling an unwitting employee. Here is a look at three of the email-based scams that could be threatening your business right now:

Vendor identity fraud

According to a report from Virginia TV station WHSV, the Better Business Bureau is warning businesses of a recent scam that targets this daily operation as a way to siphon money from corporate bank accounts. The BBB describes the attack:

As part of your job, you pay invoices for several of your business’s vendors … One day, you receive an urgent email from an executive in your company telling you to change how you pay invoices from a vendor. Instead of sending a check, you now need to wire the money straight to a bank account.

This phishing attack is made possible by malicious hacking. Cybercriminals break into company emails and gain enough information to impersonate one of the organization’s suppliers. Next, they send off the false email that tells some poor admin to wire the payment to the hackers instead of the supplier, leaving businesses out hundreds of thousands of dollars, depending on the nature of the vendor.

Hackers impersonate branch of FBI

Nobody likes being accused of crimes that they didn’t commit. This is especially true when the FBI is involved. But a new scheme involving the Internet Crime Complaint Center has many people thinking their arrest is imminent if they do not fork over a hefty fine via online transaction – something that is unheard of in real law enforcement agencies and that the FBI has been forced to address. DailyFinance contributor Mitch Lipka wrote:

The emails claim that the victim is the subject of a criminal report and that charges are forthcoming … They are then told that they have one or two days to respond or risk arrest, IC3 said. Those who respond are told they have to send money via prepaid cards if they want to avoid prosecution.

Fooled by “clients”

Lawyers are trained to always read between the lines and examine the fine print in legal documents, but what about in their supposedly secure communications?

This is one concept that has been inadvertently brought up in New Zealand thanks to a scam targeting law firms and their clients. There are plenty of things that can be done over email, but that doesn’t mean that they should be. Client and lawyer communications are one of these tasks. According to The National Business Review, criminals will pose as either a law professional or someone they currently represent, asking the opposite party to make a payment or carry out a transaction. This not only puts funds in danger but also sensitive information. This may land a law firm in serious legal trouble.


Email Etiquette is Good For You

Who remembers when email was a new and exciting technology that the Intertubes brought us? Did AOL’s “You’ve Got Mail!” make you giddy? They made a whole chick-flick about it starring Tom Hanks and Meg Ryan. I am pretty sure that thrill has worn off by now. Marketing researchers at the Radicati Group predict that by 2015 the average email user will send or receive 125 emails a day. Many of the emails are loaded with threats, as I have pointed out here again and again. The ubiquity of email has caused some users to take email for granted and let their guard down.

Relaxed vigilance has led to some high-profile incidents where sensitive business information was exposed via email. Research indicates that at least 22% of companies have experienced an accidental or malicious leak of sensitive or confidential information by employees through email in the past 12 months. While it may be bad for the firm, it could cost you your job. Here are some tips which will make your emails more effective and more secure:

Treat emails like business letters

It’s better to be more formal than too casual when you want to make a good impression. For example, use a person’s surname until they respond by signing their email with their first name. Never write anything in an email message that you wouldn’t want both your boss and your mom to read!

Company email is never private

If you want to send someone confidential or time-sensitive information, use the phone or meet in person. Emails can be duplicated, forwarded, and printed; anything unfortunate you write could come back to haunt you or your employer. Never use your employer’s email system to look for your new job. That move could cost you your current job and the next one too.

Be cautious about the “reply all” feature

If you receive an email that was sent to a multitude of people, including yourself, reply only to those who need a response. Hit “reply all” only if it is crucial that every person on the distribution list see your response. In many cases, the sender is the only person who requires a response. Misuse of “reply all” is a key way in which sensitive business data slips outside the network.

Take care with email attachments

Never open attachments from unknown sources. And before sending attachments yourself, find out if the recipient wants them. Bogus attachments remain one of the most popular ways for cyber-attackers to gain a foothold in business networks, and it’s very easy for hackers to imitate legitimate email addresses.

This infographic includes some pretty amazing stats about email. Did you know?

  • The average user creates 5,000 email attachments every year?
  • There are 6 copies of each attachment made?
  • The government reads over 250 million emails annually?

That is why email etiquette is important.

Data Running Wild Infographic


How to Spot Phishing

Phishing scams are spam emails sent by cyber-criminals that can lead to identity theft at home and data breaches at work. Phishing attacks pretend to be from a legitimate person or organization to trick you into revealing personal information. A phishing attack begins when a cyber-criminal sends an email that looks like it originates from your bank.

The email might hint at a problem with your account, asking you to “confirm” account information by clicking on a link that takes you to a fake website. The fake website asks you to type in your bank account user name and password. The goal is to convince the target that the web page is legitimate so that they will enter their credentials. Once entered, attackers can access an individual’s finances.

Phishing attacks

RSA reports 2013 was a record year for phishing attacks. They report that nearly 450,000 phishing attacks were launched in 2013 with losses estimated to be nearly $6 Billion. The security firm believes that these attacks will continue for the foreseeable future. They point out that it only costs an attacker $65.00 to spam 500,000 email addresses.

Symantec reports (PDF) that 1 in every 392 emails a user receives is a phishing attempt. 71% of the phishing attacks were related to spoofed financial organizations, and login credentials for accounts seem to be the main information phishers are looking for. Dell SecureWorks delved into the depths of the online underground economy and found the value of personally identifiable information (PII):

  • Visa and Master Card account numbers are worth up to $15
  • American Express account numbers are worth up to $18
  • Date of Birth (DOB) is worth up to $25

On his excellent website, Brian Krebs revealed the black market value of hacked credentials.

  • Active accounts at Facebook and Twitter retail for just $2.50 apiece,
  • $4 buys hacked credentials at wireless providers ATT.com, Sprint.com, Verizonwireless.com, and Tmobile.com,
  • Groupon.com accounts fetch $5,
  • Fedex.com, Continental.com, and United.com accounts go for $6,
  • iTunes accounts go for $8 on the cyber underground economy.

In a new phishing twist, attackers are going after medical records to exploit the broken healthcare industry. Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cybercrime protection company.

With these threats in mind, PhishMe developed an infographic.

[Infographic: How to Spot a Phish (PhishMe)]

rb-

Since many cyberattacks originate with phishing emails, the best way for organizations and individuals to protect themselves online is to recognize and avoid phishing emails.


Patent Trolls Going After Users

Patent trolls have changed their tactics by going after users, according to TechEye. Patent trolls have realized that taking on big companies with large legal teams is a risky prospect, so they have started looking for softer targets. Ars Technica is reporting the case of Steven Vicinanza and BlueWave, who received a letter ordering him to pay $1,000 per employee for a license for some “distributed computer architecture” patents.

The blog says the troll in question, “Project Paperless LLC,” claims to have a patent covering the ability to scan documents to e-mail and was demanding money with legal menaces. If BlueWave paid, the troll would have collected $130,000. BlueWave was not the only company the troll went after. Lots of other small and medium companies were being hit.

Steven Hill, a partner at Hill, Kertscher & Wharton, an Atlanta law firm, represented Project Paperless. The attorney told Mr. Vicinanza that if you hook up a scanner and e-mail a PDF document, the company’s patent covers that process. In other words, any company that used office equipment would have to pay up.

In this case, Mr. Vicinanza decided to fight and beat the troll in court. Despite the victory, TechEye says Project Paperless patent claims are continuing to appear. The troll claims were passed to a network of shell companies. Ars found that the patent threats are going out under at least ten differently named LLCs.

These outfits are sending out hundreds of copies of the same demand letter to small businesses from New Hampshire to Minnesota. The article says the troll’s royalty demands range from $900 to $1,200 per employee.

Ars Technica reports that Project Paperless has four patents and one patent application it asserts, all linked to an inventor named Laurence C. Klein. “It was a lot of what I’d call gobbledygook,” said BlueWave’s Vicinanza. “Just jargon and terms strung together—it’s really literally nonsensical.”

Ars provides links to the asserted patents, numbers 6,185,590, 6,771,381, 7,477,410 and 7,986,426. AdzPro also notes it has an additional patent application filed in July 2011 that hasn’t yet resulted in a patent. Ars states that the patents may have been useless from a technologist’s perspective, but fighting them off in court would be no small matter. The problem is that it often costs more in legal costs for small businesses to fight the trolls than it does to pay up and make them go away.

Mr. Vicinanza spent $5,000 on a prior art search and sent the results to the Project Paperless lawyers. He filed a third-party complaint against four of the companies that actually made the scanners: Xerox (XRX), Canon (CAJ), HP (HPQ), and Brother (6448). That could have compelled the manufacturers to get involved in the case.

In the end, Hill dropped its lawsuit against BlueWave and went away and the case never came to court. However, Ars points out a detailed website called “Stop Project Paperless,” with information about the patents and links to the Hill, Kertscher, and Wharton law firm.

TechEye concludes that if a firm wants to make a lot of money from a dubious patent, it is better to sue users than the companies which make products that use it. If Apple wanted to kill off Samsung’s business all it would have to do is sue every Android user. Most of them would never go to court and pay whatever Apple demands. That particular scenario is unlikely, but it does show where the antics of patent trolls are headed.

rb-

The politicians tried to work on the problem with the SHIELD Act which I covered here, but that apparently went nowhere. After all, they are too busy driving us all off the fiscal cliff.

Maybe it was top troll Apple that stopped the law from getting a full House vote; Apple is now the biggest patent troll of them all.

So more proof that Patent Trolls Cost the US $29 Billion which I covered earlier.
