You’ve heard of the 12 days of Christmas?  Now there’s the 12 Scams of the Holidays!  

The majority of Canadians will use their computers, tablets and smartphones as shopping tools this holiday season.  Nearly 3/4 of Canadian shoppers will review their items online before purchasing it.  Nearly 2/3 (63%) will visit a store to look for a gift, then buy it for the best price online.  Nearly 1/3 (30%) intend to use their tablet, smartphone, or a combination to assist in their holiday shopping.  64% will do their online shopping via their home or business computer.

As you head online this holiday season to order your gifts, plan travel and spread cheer, be alert and stay aware.  If a deal sounds too good to be true…it usually is!  Learn how to keep your holiday cheer, and avoid the 12 Scams of the Holidays.  Make sure your employees are informed, and keep your computer data safe!

1.  Social Media Scams:

Beware of ads for phony contests, and “stay at home” job postings.  Even if they are from your friends.

2.  Malicious Mobile Apps:  

Only download apps from official app stores, check users’ reviews and read the app permission policies.

3.  Travel Scams:

Be wary of too-good-to-be-true offers.  When on the road, be careful when using free Wi-Fi connections – people can see your computer (and files) if you have it set up wrong.

4.  Holiday Spam/Phishing:

Never respond to spam emails, or click on an included link.  If you’re suspicious of a link, hover your cursor over the link (don’t click!).  The ‘address’ of where the link actually leads to will appear.  If the link doesn’t look like it directs you to where it says it does, don’t click.  Or better yet, if you’re suspicious, just don’t click.

5.  iPhone, iPad, and other hot holiday gift scams:

Be suspicious of deals on hot holiday gift items.  Try to verify them with the retailer.

6.  Skype Message Scare:

Never click on a suspicious link, even if it comes from someone you know.

7.  Bogus Gift Cards:

Buy gift cards from the official retailer and not a third-party source.  And check to make sure the hidden ‘personal ID code’ has not been scratched off before you buy.  Avoid online auction sites where gift cards are more likely to be fake or fraudulently obtained.

8.  Holiday SMiShing:

Remember that legitimate businesses, like banks, won’t ask you to verify personal information via texts.

9.  Phony E-tailers:

Only shop at trusted and well-known e-commerce sites.

10.  Fake Charities:

When you want to share in the Holiday Spirit, visit the charity’s website and do a little research before donating.

11.  Dangerous E-cards:

Check to see that the sender is someone you actually know and it comes from a well-known e-card site.

12.  Phony Classifieds:

Don’t wire money for “deals”, and make sure you don’t pay for an item before receiving it.

If you’re concerned about the security of your company’s data, call Technology by Design at 1-204-800-3166.

We can provide a Network Security Analysis, so you know where you’re vulnerable…and how to fix it!

The holiday season is in full swing.  People (including employees on work computers) use the internet to buy gifts both from the office and at the house.  At the end of November, Black Friday kicked off a month of high-intensity online shopping.  Last year, internet protection company BrandProtect found that almost 3,000 fraudulent Holiday shopping sites were registered.  This year isn’t any better.

These fraudulent sites use “special savings” and “killer deals” as bait for phishing emails, and the scams infiltrate mobile apps and social media as well.  Warn your users that the excitement of getting an amazing deal before it sells out often makes people ignore their tingling spidey-sense, and forget security policy.  This is what these sites count on.

To  make sure they don’t lose out on the “amazing time-limited offer!”, users will click on suspicious links without first hovering to see where it goes (if you hover your cursor over a link – don’t click – it will tell you where the link leads.  If it doesn’t lead to the website that it’s claiming to be – Don’t click!).  They instead open infected email attachments trying to get a great holiday deal.  Now that Black Friday and Cyber Monday are both “held over” for several weeks now, users really need to STOP, LOOK, and THINK before they click.

This is a problem especially when an employee is using a mobile device to do their Holiday shopping.  Insecure online behaviour by employees exposes your network resources and puts your company’s data at risk.  Especially at this time of year, when a deal sounds too good to be true, it usually is.  Warn your users.  Your users are an essential part of your company’s defenses!

If you’re concerned about your company’s data security, call Technology by Design at 1-204-800-3166.  

We can provide you with a Network Security Analysis, so you know where you are vulnerable, and how to fix it!

There is a new version of an old trick going around, which could cost you thousands to get your computer data back!

There is an email being sent out, which contains a link.  Once you click on the link, it downloads malware onto your computer.  The malware encrypts all of your computer files, including any files on attached or networked storage media which makes it impossible to access them at all.  Once this is completed, your a big red message will appear on your computer screen demanding payment via Bitcoin or MoneyPak.  It then installs a countdown clock on your computer that ticks backwards from 72 hours.  Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever.  The nice cyber-nasties will let you pay after the 72 hours however, the price doubles.  By the time the virus announces itself, it’s too late.  You’re already infected.

I cannot stress this enough:  If you receive any emails that look suspicious, no matter what they say, DO NOT click on the link.  Avoid suspicious emails, if you can’t verify that it is legit – DON’T OPEN IT, don’t open zip files.  Make sure your computer is free of malware, because this malware is a “Zombie”.  This means takes any kind of malware that is already on your computer, and turns it into itself – meaning it multiplies (kinda like zombies, hence the name).

Some computer security companies are taking the moral high-ground, and advising their customers NOT to pay the ransom.  However, there are many companies that are on the verge of bankruptcy because of the loss of data and the loss of business.

This encryption is virtually uncrackable encryption, and if you want your data back, you have no choice but to pay their ransom.  Not to mention the time and money wasted on having a non-functional computer until the payment goes through.

There is a program that can help block this crypto-locker.  You can download it at:  http://krebsonsecurity.com/2013/11/cryptolocker-crew-ratchets-up-the-ransom/

We have a Spam Filter available that would help to prevent this malware getting through.

And….backups, backups, backups.  In case you missed that subtle hint – backups!  They are more important than ever!

If you think you’ve got this nasty bug, or any other bug –

call us at 204-800-3166 or email helpdesk@tbyd.ca, and we’ll help you get bug-free!

 

After you are done reading this article, do not waste time.  Do not pass go, do not collect $200.  Immediately forward this article to the head of your legal department, or the person in your organization who is responsible for compliance.

Recently, the Department of Health and Human Services in the U.S. reported that bad or no security awareness training is a main cause for compliance failures.  This is true for not only health care, but all kinds of organizations in industries like banking, finance, insurance, manufacturing, and surprisingly, high-tech.  It does not stop with mere compliance failures causing regulatory fines.  Trend Micro reported that 91% of successful data breaches started with a spear-phishing attack.

The problem is that to be “letter of the law” compliant, you only need to herd your users once a year into the break room, feed them coffee and donuts, and give them a PowerPoint Security Awareness Update presentation that, let’s be honest here, most of them will either sleep or play ‘Candy Crush’ through.  Even so, you’ve done your job right?  The courts may not see it that way, and ineffective security awareness training could turn out to be a serious legal liability.

Why?  Cybercriminals go after the low-hanging fruit:  your users.  Why spend time exploiting complicated software vulnerabilities when you can easily social engineer an end-user to click on a link?

So your user goes through the coffee & donuts PowerPoint security awareness update presentation, which was inadequate even if they did pay attention.  Now they go back to their workstation, and falls for the hacker trick.  Their workstation is now infected with a keylogger, and the hacker now knows their login and password.  With this in hand, the hacker penetrates your network.  Simply put:  if it’s the Eastern European cyber mafia, their focus is to transfer out money from your operating account over a weekend while nobody’s in the office.  (See story below).  If it’s the Chinese, they will steal your intellectual property.  If it’s independent hackers, your customer database and credit card transactions are exfiltrated and sold on dark web criminal sites.

In all three cases you run the risk of a lawsuit:

1.  You might sue the bank for negligence, and they might sue you back.  Massive legal fees are inevitable.  If it is found out the attackers came in by social engineering a user, your case is significantly weakened.  Go to Brian Krebs’ site and search for “Patco Construction”, a nightmare scenario.  Here it is:  www.krebsonsecurity.com.

2.  If the Chinese steal your intellectual property and you are exposed to a shareholder lawsuit, there will be a lengthy and costly discovery period.  If it is found out the attackers came in by social engineering a user, your case is significantly weakened.

3.  If hackers get into your network, and an investigative journalist like Brian Krebs discovers a website that has all your customer records and credit card transactions, you can expect a class action lawsuit soon.  (This is the legal profession’s biggest growth industry).  If it is found out the hackers came in by social engineering a user, your case is significantly weakened.

See the trend?  Not training your staff to a level that effectively mitigates the risk you are exposed to, is a severe legal liability.

Within a whitepaper called “Legal Compliance Through Security Awareness Training” written by Michael R. Overly.  In this paper, Michael describes the concepts of acting “Reasonably” or taking “Appropriate” or “Necessary” measures.  Reading this whitepaper may help you to prevent violating compliance laws or regulations.

Do These Two Things:

ONE:  Did you know that you are supposed to “scale security measures to reflect the threat”?  In the whitepaper are some examples of the Massachusetts Data Security Law and HIPAA to explain what is required.  I strongly recommend you download this whitepaper and get up-to-date about the legal repercussions of not providing effective security awareness training:  http://info.knowbe4.com/whitepaper-overly-kb4-13-10-28.

TWO:  Have you ever wondered how effective your current Security Awareness Training program really is, and if you are at risk in case of legal action?  KnowBe4 offers a FREE test that gives you a real quantifyable number as to the percentage of your users that would click through and fail, a simple Phishing email.  Do their FREE Phishing Security Test.  You can do the test right away, and it only takes about 5 minutes:  http://www.knowbe4.com/phishing-security-test.

If you are concerned about the security of your network, or think your network has been compromised,

call Technology by Design at 204-800-3166.

This week, CyberNasties are using a well-known social engineering trick to try to make company employees click on fake invoices to distribute a piece of malware.  This is especially nasty, because they are trying to reach employees that work in company finance departments.  They are hoping the employees either open the attachment, or get it forwarded by a co-worker that is not sure what it is so they send it to Accounting.

The emails are titled “Invoice #3404196 – Remit File”.  They contain the following (or something similar):  “The following is issued on the behalf of the Hong Kong Monetary Authority.  Attached is the invoice (Invoice_3604196 (dot).zip) received from your bank.  Please print this label and fill in the requested information.”

If anyone in your organization opens the attachment, a malware dropper may get downloaded, which will pull down a large amount of malware that allows the CyberNasties to take over the whole machine.

The Moral of the Story:  STOP – LOOK – THINK before you click.

This week the FBI sent out a warning that a commercial strain of malware known as “Beta Bot” can turn off your antivirus, stops access to the websites of antivirus vendors so that your antivirus program cannot call home for fresh definitions, and steals your user name and password when you log into your financial institutions, e-commerce sites, online payment platforms, and social networks.

The Beta Box malware masks itself as the “User Account Control” message box, but when you click on this box, it will infect your computer.  If the above pop-up message or a similar prompt appears on your computer and you did not ask for it, or are not making changes to your system’s configuration, do not authorize this fake “Windows Command Processor” to make any changes.

Beta Bot is commercial malware, meaning it was made by cyber criminals to be sold to other cyber criminals who can then use it to steal your personal information.  It also means the quality is very high, and it’s hard to get rid of when you PC gets infected.  So have another look at the screenshot above, as it is much easier to prevent this infection than cure it which will likely require a call to the helpdesk and lost production time, or a trip to your computer retailer so they can fix it.

A particularly effective scam is growing by the minute.  Though it’s not new, it’s been gaining “popularity” in the last few weeks.

The scam takes over the full screen of the computer, stating that the FBI has locked that PC until a fine is paid.  The computer may look locked down, but the culprit was a cyber-nasty criminal, not the FBI.

This is how your screen will look:

DO NOT PAY!  This is malware on your computer.  Treat it as you should any malware, and clean your system.  The cyber-nasties have found that this is a very lucrative scam that works really well.  Scared PC users are often willing to pay hundreds of dollars to avoid getting in deep with the FBI.  More than $5 million per year is extorted from victims using this scam.

If you need help in freeing your computer of malware and/or viruses, call Technology by Design for an Optimization.  An Optimization deletes unnecessary temporary files, reorganizes your hard drive so your files are accessed faster, removes any malware and/or viruses from your system, and removes any unnecessary tool bars and software from you computer.  Long story short, it electronically cleans out and optimizes your computer so it can work at it’s full potential.  We have removed this malware, as well as many similar, hundreds of times.  This has saved our customers thousands of dollars.

As a rule, a workplace computer should be Optimized at least every 6 months.  Home computers, because of the nature of their use (and especially if you have kids or teens using it) should be Optimized more often.

Call Technology by Design at 204-800-3165 for more information.

The latest phishing scam preys on your curiosity.

The potential victim receives an email from “cara@ChristianMingle” which of course is a spoofed email address.  The email uses your first name in the email, to make you think it’s legit.  They usually start out with “Firstname, Ready to meet your newest match from ChristianMingle?”.  They then go on to state something similar to:  “meishac is 21 and lives in Hollywood, FL, USA.  Want to know more or see meishas photos?  Click here!”.

This is a TRAP.  DO NOT click on any of these links.  At the very least you will lose time, but most times, worse things happen, such as:

– Your computer will become infected with malware

– Your identity will be stolen

– Your bank account will be emptied.

DO NOT click on links in spam or phishing emails that make you curious!  Phishing scams rely on your curiosity to get you to click!