Safeguarding Network & Customer Credentials

This story is a bit long and kind of dense, but definitely worth the time to read. Years in the making, this FTC case shows how much damage a "bad actor" can cause to public-facing networks.

Suppose a lunch companion says, “I think there’s something wrong with this tuna salad.” To determine if the problem is tuna not to their taste vs. tuna gone bad, would you scarf it down? Probably not. Now remove tuna salad from the example and substitute a web browser extension. (Stay with us here.) Let’s say you’ve been warned that an unknown extension could be used for fraud. Should you download it and let it marinate in your company’s network? The FTC says that’s what the owner of ClixSense.com did, and it’s just one example of conduct challenged as deceptive or unfair.


Tax Related Identity Theft

April 15 has come and gone, but that doesn't mean the scammers have moved on. 

Tax-related identity theft is prominent on the IRS’s 2019 Dirty Dozen list of Tax Scams. Tax-related identity theft is not limited to stealing personal information of individuals. Because of successful efforts to crack down on such identity theft, thieves have shifted their focus to businesses. They create and use, or attempt to use, the identifying information of businesses to obtain tax benefits. For example, as the IRS has noted, cybercriminals that obtain a business’s tax identification number may file a return claiming a tax refund because of a fuel credit or a research credit used as a Social Security tax offset.


Scammers & Notre Dame Donations

 by Rosario Méndez

Following last week’s devastating fire that destroyed much of the famous and historically important Cathedral of Notre Dame in Paris, fundraising efforts have begun. Many generous people may decide to donate money toward rebuilding efforts – and scammers know that. They’re ready to take donations, too, so here are some things to consider before you give to an organization or a crowdfunding project:

  1. Research the organization first. Search online for the name of the organization plus the word “complaint” or “scam.” Read what others say about the organization. These organizations can also help your research.


Recent Local Spearphishing Attacks

Over the past week, Cornell and other companies and organizations have been hit with several spearphishing attacks. As you might expect, Cornell is a constant target for nefarious attacks (as are most large institutions); however, this one has hit a large number of "Cornell.edu" email accounts. And over the last 24 hours, we've been made aware of several other attacks as well.

What makes this attack particularly challenging is that the Sender and Subject appear to be legitimate.

However, once the email is opened the content reads something like: 

READ THIS MESSAGE (in a clickable banner)

05:59:47 (Cornell)
Re: "Subject"
Watch before: Thursday

If you click on the banner, you are taken to a page with a legitimate company logo - the one we looked at (safely) had the Xerox logo with lines requesting our Xerox Login Name and Password.

IF YOU OPEN THIS EMAIL, DO NOT CLICK ON THE BANNER AND ABSOLUTELY DO NOT FILL IN ANY LOGIN OR PASSWORD INFORMATION!


Reasons for Company Executives to Take Security Training

We read about this all too often - a top executive at a small or not-so-small organization gets scammed or spoofed into providing critical company information or making payments that are not legitimate. Of course, we also see other employees getting tricked as well.

For most companies, the individuals at the top actually pose the most risk, because they have the most access to sensitive information and critical systems. They need to be the most aware, but when we and others conduct security awareness training, some executives and organization leaders are noticeably absent!
