Technology Advisor Blog

Watch Out for Holiday Gift Card eMail Scams

Posted by Ann Westerheim on 11/20/18 5:02 PM

It's the holiday season and people are busy, and it's also a season to beware of scams. There are many different scams related to gift cards, and here's a new one we just saw locally.

A user received an urgent message from their boss that he needed to get gift cards for important clients and there was a time crunch to get the task done.  The diligent employee replied and immediately started working on the task.  After a few email exchanges back and forth, the employee went to talk to the boss to clarify some final details, and the scam was revealed - the boss never asked for the gift cards.  They were very close to losing $2000 to a crook.

The original email from the "boss" was actually a "spoofed" message. This is an email that's made to look like it's from a particular individual or organization (like a bank or the post office), but it's actually from someone else. It's illegal to use an SMTP server without authorization, but this doesn't stop a crook, and it's actually very easy to fake an email. The boss's email was never hacked; it was just a trick that used his email address. The underlying technical details, like the return path, etc., will give away the secret, but on the surface, the email looks like it has a legitimate return address.

  1. Watch out for emails with a sense of urgency, quickly worded to look like they're from a mobile device (iPhone, iPad). The typos are there to make the email appear more familiar and rushed.
  2. NEVER email financial information. The email exchange started getting weird when the crook started asking for the authorization codes via email. This is a red flag.
  3. Don't get tricked if you see a familiar name in the "from" field. Scammers are getting good at harvesting emails from websites and social media. This is their full-time job. Make sure your employees are all aware of this trick.
  4. When in doubt, have a face-to-face or phone conversation to clarify the details.
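
The header check described above, as an added example that is not part of the original post: it compares the visible From address with the Return-Path and Reply-To headers of a message. The sample messages, names, addresses and the `KNOWN_SENDERS` directory are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical staff directory: display name -> real address (assumption).
KNOWN_SENDERS = {"pat example": "pat@example.com"}

# Constructed sample: familiar From line, but Return-Path and Reply-To differ.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
From: Pat Example <pat@example.com>
Reply-To: Pat Example <pat.example@freemail.example.org>
To: employee@example.com
Subject: Urgent - need gift cards for clients

Are you at your desk? Sent from my iPhone
"""

# Constructed sample: all sender headers agree.
LEGIT = """\
Return-Path: <pat@example.com>
From: Pat Example <pat@example.com>
Subject: Lunch on Friday

See you there.
"""

def domain(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Return a list of header mismatches that suggest a spoofed sender."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    findings = []
    if return_path and domain(return_path) != domain(from_addr):
        findings.append("return-path-domain-mismatch")
    if reply_to and reply_to.lower() != from_addr:
        findings.append("reply-to-differs-from-from")
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and expected != from_addr:
        findings.append("known-name-unknown-address")
    return findings

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoof_indicators(raw))
```

A Return-Path mismatch is an indicator, not proof: legitimate bulk-mail services often use their own bounce domain, so treat these findings as a reason to verify by phone or in person.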

Sadly there are so many different variations of scams.  The bad actors are constantly working on different variations to get through all the technical and human defenses. 

User education is key!  Think before you click!

Tags: cybersecurity, email scams

Cybersecurity is a LOCAL issue - Massachusetts school district pays $10,000 ransom to unlock its files after cyber attack.

Posted by Ann Westerheim on 5/2/18 3:59 PM

This past week a Massachusetts school district paid $10,000 ransom to unlock its files after a cyber attack.  The Police Chief commented that there is no further investigation of this crime because solving this crime is "impossible". This is unfortunately a sign of the times.

 

At Ekaru, it's been our mission for years to SECURE and EDUCATE our small business clients. All of us see headlines in the news when big companies get hit with a cyber attack, and too often we think that's a problem that only happens to large, well-known companies (Sears, Equifax, Sony, Target, etc.).

Today's modern threats are automated and indiscriminate. ANYONE, no matter how big or small, can get hit with a cyber attack. When an attack is local, it's a reminder that cybersecurity affects ALL of us, and this is a matter of public safety.

In the case of the school, it's unclear how the ransomware got onto the network, but one of the most common attack vectors is email, so it's vitally important to train employees. Clicking on phishing emails and using weak passwords are easy to fix with some security awareness education. In addition, it's clear that the school district didn't have a disaster recovery plan or even a robust backup if they had to pay the ransom.

We're working to spread the word that with some technology, process, and people fixes (training!), we can all greatly reduce the threat of cyber attacks.

Unfortunately, sometimes it takes a case close to home to remind us of how real these threats are.

To read the full article, go to cbsnews.com.

Tags: cybersecurity, ransomware, email scams

Train Your Workforce so They Don't Get Caught by a Phish!

Posted by Ann Westerheim on 8/2/17 11:21 AM

The US Department of Health and Human Services Office for Civil Rights July #Cybersecurity update reminds you to train your workforce so they don't get caught by a phish!  This statement is specifically targeted to healthcare "covered entities" but really applies to all businesses and computer users.

What is a Phish?  Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords and credit card numbers.   The emails are carefully crafted to look like the real thing, but watch out!  Users are trained to not open "suspicious" links, but what if the email looks like an important email from FedEx, your bank, or the US Post Office?  Without training, users can't tell the difference.

Periodically testing users is also needed to make sure that the training is working.  Will your users click on the link?  Run a test and find out.  Otherwise, you really don't know.

A covered entity's workforce is its front line of defense, not only for patient care but also to safeguard the privacy and security of its patients' protected health information (PHI). With the growing levels of interconnected smart devices and increased use of interconnected medical record and billing systems, there has been a ten percent increase in the number of providers and health plans that have had HIPAA-related security violations in the past two years.

The security rule specifically requires covered entities and business associates to create a security awareness and training program.  

You can read the full post by OCR here.

Not a healthcare organization? Read on. The Massachusetts Data Security Law, which applies to ALL businesses in Massachusetts, has very similar guidelines relating to the protection of personally identifiable information (PII). Any combination of a name and social security number, driver's license number, bank account number, credit card number, etc., MUST be protected.

If you're concerned about cybersecurity in your practice or business, please contact us to find out if you could be doing more to protect yourself. Short of disconnecting all computing devices, these threats are here to stay, and employee education and training are a key component of cybersecurity protection for all.

Cybersecurity protection involves layers of protection AND a comprehensive training plan for users.

Tags: Cybersecurity, email scams, training

Couple Lost Home over email Scam - What you need to know.

Posted by Ann Westerheim on 5/12/17 9:41 AM

Buying or selling a home can be a very stressful event, but with scammers on the sidelines, things can go to a whole new level.  This past year, Jon and Dorothy Little were all set to close on their new $200,000 home in North Carolina when their Realtor sent an email to the closing attorney asking for wiring instructions to send money to the escrow account prior to closing.  They received detailed instructions in reply, and promptly wired the funds.  At the closing, they were shocked to find that the money was missing.

It turns out that email scammers had infiltrated the process and set up fake wiring instructions to steal the money. The fraudulent wiring instructions looked like the real thing, down to the firm's letterhead and the proper bank name - Bank of America. Unbeknownst to all the parties involved, the funds were actually transferred to a Bank of America account controlled by a willing or unwitting "money mule", and the bulk of the funds (minus 10%) were then wired to another bank account at TD Bank. Fortunately, the FBI was able to freeze the funds as soon as they hit TD Bank. Had the funds been transferred out of the country, they would be gone forever.

Even though authorities were alerted right away, the situation became complicated in that banks have an obligation to honor transfers to other banks, and even though the Littles were tricked, they were the ones who ordered the transfer. For more details about this story and a more detailed legal analysis, read the article on the popular security site Krebs on Security.

The FBI has been keeping a tally of the financial devastation resulting from wire fraud scams, with a total of nearly $3.1 billion scammed from 22,000 victims.

The story has a mostly happy ending in that the Littles were able to recover most of their money ($180,000), but they had to cancel the contract on their desired home while the haggling between the banks lasted for over four months.

The moral of the story:  Verbally verify any wire transfer.  Never respond to an email with instructions.  Also, act quickly if a wire transfer feels suspicious or didn't go as planned.  The fast response by the Littles was probably the sole factor that enabled them to recover most of the funds.

Tags: Cybersecurity, email scams


Older Blog Posts

For older Ekaru blog posts, go to ekaru.blogspot.com.