Tech Support Scams

 Click Here to Open Article

Vishing and Smishing

It would be great if technology could solve all of our cybersecurity problems. We rely on security systems such as antivirus software, firewalls, and software updates to protect our devices and data. However, at the end of the day it all comes down to people. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches involved the Human Element, including Social Engineering Attacks, Errors, and Misuse.
Phishing e-mails continue to be one of the most popular methods of attack used by cybercriminals, but they are not the only method. Let’s review some additional types of social engineering attacks and what you can do to protect yourself.

Voice Phishing (Vishing) and SMS Phishing (Smishing)

• Vishing. In vishing attacks, scammers use phone calls or voice messages to impersonate legitimate businesses and trick you into giving them money or revealing personal information. Sometimes these fraudulent calls are made by actual people; other times they are done via robocalls. Worse yet, the scammers may spoof phone numbers that belong to real companies or individuals to deceive you.
• Smishing. In smishing attacks, scammers send phishing messages via text messages or messaging apps to yoursmart phone or tablet. Like phishing e-mails, you are prompted to open a link to access a website or app. The link may take you to a login page to enter your username and password, a form to provide your personal information, or a malicious app that infects your device.

Common Vishing and Smishing Scams
Below are examples of common Vishing and Smishing Scams to look out for.

• Demands for payment. The scammer pretends to work for a government agency such as the IRS and tells you that you owe money. They may threaten that you will be fined or even arrested if you do not pay.
• Account verification. The scammer poses as an employee of your bank or credit card company and states that they noticed unusual activity on your account. You are asked to provide personal information to verify your account.
• Program enrollment. The scammer represents themselves as a representative of a government program such as Medicaid and offers to help you with your benefits. You are asked for your personal or financial information to complete enrollment.
• Order/shipping confirmation. The scammer sends you a link to track a package or confirm your order, even though you did not order anything recently. The link may ask for your username and password or install malicious software on your device.
• Winning a prize. The scammer informs you that you won a contest. From there, they may ask for personal information or walk you through accessing your bank account so you can receive a deposit.
• Tech support. The scammer offers to fix a computer problem that you didn’t even know you had. They may ask you to visit their support website, install software to give them remote control, or provide them with your accounts and passwords.

How to Protect Yourself from Vishing and Smishing Scams
Here are some tips to help protect yourself from both vishing and smishing scams.

• Pause, think, and act. Scammers will stress a sense of urgency to trick you into doing what they want. Don’t take the bait. Take time to think about what you are being asked to do and why before you take any actions. Think twice before clicking on links in text messages. Instead, visit the organization’s website directly to ensure you are communicating with the real business.
• Do not answer the phone or respond to texts from unknown numbers. If the scammers can’t reach you, they can’t trick you. If you do answer the call, hang up immediately.
• Keep your personal information private. Never give out personal information such as account numbers, Social Security numbers, passwords, or Multi-Factor Authentication (MFA) codes to unknown people.
• Verify the source. If you receive a message from someone who says they represent a company or a government agency, hang up and contact them by using the contact information posted on the organization’s website.
• Enable strong security on your accounts. Creating strong and unique passwords is still a security best practice for protecting your personal and financial information. If you have difficulty creating unique passwords for each of your accounts, consider using password generators and managers to develop more complex passwords and store them securely as well. Enable MFA when available as an added layer of protection for your online accounts.

Additional Resources

• FCC: Caller ID Spoofing
• CISA: Avoiding Social Engineering and Phishing Attacks

Information provided by MS-ISAC

How to Avoid Romance Scams

It’s well known that people online aren’t always as they appear. However, tens of thousands of internet users fall victim to online romance scams each year, and it can happen to anyone. These scams can be incredibly convincing and are increasingly found across dating sites and social media platforms. Bad actors are very good at appealing to victims’ emotions and feigning personal connections, with the intention of stealing large sums of money and personal information. Luckily, there are ways to identify a scam and protect yourself online.

Tips for staying safe online:

• Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it might affect you or others. Consider creating an alternate persona that you use for online profiles to limit how much of your own personal information you share.
• Be wary of communications that push you for immediate action or ask for personal information. Never share personal information through email, especially if you do not know the sender.
• Consider setting your social media profiles to “private”. This will make it harder for scammers to target and communicate with you. A public profile will make it easy for scammers to find your profile and learn about you through old posts and photos.
• If you are unsure if you are being scammed, do a reverse image search of the potential scammer’s profile picture. You may see that image belongs to a completely different person, or has been affiliated with different online identities.

Scammers can be very convincing, however there are ways to identify a scammer, including, but not limited to, the following red flags:

• There’s a request for money for urgent matters, such as medical expenses or a plane ticket. Never send money to someone you haven’t met in person.
• Common forms of money requested by scammers are wire transfers or pre-loaded gift cards.
• The person claims to live far away, overseas or be in the military.
• The relationship is moving very fast.
• They break promises to see you in person.
• There’s pressure to move the conversation off the platform to a different site or text app.

If you believe you or a loved one are the victim of a scam, it is important to take the following steps:

• Cease communications with the scammer immediately.
• Take note of any identifiable information you may have on them, such as their email address.
• Contact your bank or credit card company if you think you’ve given money to a scammer.
• File a police report.
• Report the scammer to the FTC at ftc.gov/complaint and the FBI at ic3.gov.
• Notify the website or app where you met the scammer.

Information provided by National Cybersecurity Alliance

Staying Safe from Tax Scams

As people seek to file their tax returns this year, cybercriminals will be busy trying to take advantage of this with a variety of scams. Citizens may learn they are victims only after having a legitimate tax return rejected because scammers already fraudulently filed taxes in their name. According to the Internal Revenue Service (IRS), there was a 60% increase in 2018 in phishing scams that tried to steal money or tax data. The IRS identified 9,557 fraudulent tax returns as of only February 24th, 2018 for the last filing season. As everyone aims to file their returns among all this fraud, the following advice will explain how tax fraud happens and provide recommendations on how to prevent it from happening to you or how to get help if you are unfortunately affected by a tax scam!

How is tax fraud perpetrated?

The most common way for cybercriminals to steal money, financial account information, passwords, or Social Security Numbers is to simply ask for them. Criminals will send phishing messages often impersonating government officials and/or IT departments. They may tell you a new copy of your tax form is available. They may include a link in a very official looking email that goes to a website that uses an official organization’s logo and appears legitimate, yet is fraudulent. If you attempt to login into the false website, or provide any personal information, the criminals will see what you type and try to use it to compromise your other accounts and file a false return in your name.

Additionally, much of your personal information can be gathered online from sources like social media or past data breaches. Criminals know this, so they gather pieces of your personal information from a variety of sources and use the information to file a fake tax refund request! If a criminal files a tax return in your name before you do, you will go through the arduous process of proving that you did not file the return and subsequently correcting the return.

Criminals also impersonate the IRS or other tax officials, demanding tax payments and threatening you with penalties if you do not make an immediate payment. This contact may occur through websites, emails, or threatening calls or text messages that seem official but are not. Sometimes, criminals request their victims to pay “penalties” via strange methods like gift cards or prepaid credit cards. It is important to remember that the IRS lets citizens know it will not do the following:

• Initiate contact by phone, email, text messages, or social media without sending an official letter in the mail first.
• Call to demand immediate payment over the phone using a specific payment method such as a debit/credit card, a prepaid card, a gift card, or a wire transfer.
• Threaten you with jail or lawsuits for non-payment.
• Demand payment without giving you the opportunity to question or appeal the amount they say you owe.
• Request any sensitive information online, including PIN numbers, passwords or similar information for financial accounts.

How can you protect yourself from tax fraud?

• File your taxes as soon as you can…before the scammers do it for you!
• Always be wary of calls, texts, emails, and websites asking for personal or tax data, or payment. Always contact organizations through their publicly-posted customer service line. If they contact you end the call and call the organization on the phone number on their website. As mentioned previously, the IRS will initiate contact on these issues by mail through the postal service.
• Don’t click on unknown links or links from unsolicited messages. Type the verified, real website address into your web browser.
• Don’t open attachments from unsolicited messages, as they may contain malware.
• Only conduct financial business over trusted sites and networks. Don’t use public, guest, free, or insecure Wi-Fi networks.
• Use strong, unique passwords for all your accounts and protect them. Reusing passwords between accounts is a big risk that allows a breach of one account to affect many of them!
• Shred all unneeded or old documents containing confidential and financial information.
• Check your financial account statements and your credit report regularly for unauthorized activity. Consider putting a security freeze on your credit file with the major credit bureaus. This will prevent identity thieves from applying for credit or creating an IRS account in your name.

If you receive a tax-related phishing or suspicious email at work, report it according to your organization’s cybersecurity policy. If you receive a similar email on your personal account, the IRS encourages you to forward the original suspicious email as an attachment to its phishing@irs.gov email account, or to call the IRS at 800-908-4490. More information about tax scams is available on the IRS website and in the IRS Dirty Dozen list of tax scams.

If you suspect you have become a victim of tax fraud or identity theft, the Federal Trade Commission (FTC) Identity Theft website provides a step-by-step recovery plan. It also allows you to report if someone has filed a return fraudulently in your name, if your information was exposed in a major data breach, and many other types of fraud.

A message from MS-ISAC February 2019 Volume 14, Issue 2

Spoofing Scams on the Rise this Holiday Season

We have recently been made aware of "spoofing" scams in and around our communities. Spoofing is when the caller falsifies the information sent to your Caller ID to disguise their true identity. This tactic is used to trick someone into providing their personal information so it can be used for fraudulent activities. Recent reports include calls seemingly coming from retailers, government agencies and financial institutions.

What you need to know:

Be careful of callers immediately requesting your personal information.

• Never give out your account information, social security number, family maiden names or passwords. Profile Bank will never ask you for your account number even if the call looks like it's coming from the Bank.
• If you are suspicious of the caller, end the call and research the company's contact information. Call the phone number listed on their website to verify any requests.
• If you have a voice mailbox make sure you have set a password for it to prevent hackers from accessing your messages.

How do I report suspected Spoofing?

If you receive a call and you suspect the Caller ID information has been falsified you can file a complaint with the Federal Communications Commission. If you have provided your financial information to the caller you should contact us immediately for information on how to close your account or deactivate your debit card.

Fraud Related to Coronavirus and Stimulus Checks

Please be aware of fraud related to Coronavirus and Stimulus Checks. Fraudsters/scammers may impersonate health organizations or businesses to gather your personal or financial information.

With stimulus checks coming soon to millions of Americans as part of the coronavirus stimulus package, we want provide our customers with the following tips to be safe.

Please be aware:

• Use only trusted government websites to gain information regarding stimulus check payments.
• The Federal Government will not ask you for your personal or banking information.
• They will not contact you by phone, email or text message or ask you for fees to receive your stimulus check.
• Do not respond to or click on any links asking for you to provide this information.
• Do not give out your bank account, debit or credit card number or PIN number to anyone.
• Most people who qualify will likely not need to verify personal information.
• You can stay up to date on the latest scams by visiting the Federal Trade Commission’s coronavirus page at ftc.gov/coronavirus.

New Year, New Privacy Settings

While January 28, 2022 marks the 15th annual Data Privacy Day, each of us faces privacy concerns on a daily basis. If our private information becomes public, it can affect our credit ratings, employment options, and even our safety. In this month’s cybersecurity tips newsletter, we’ll focus on steps you can take to maintain privacy on social media. If you’re one of the lucky few who can live your life unplugged from Facebook, TikTok, and the like, you’re in the clear. If you find yourself among the majority of us who either want or need to engage with others via social media, then here are some tips and tricks to stay safe and secure.

Protect Your Accounts

Social media accounts are under constant attack by cybercriminals. Your account can give a scammer a good way to infect your friends with messages that come from a trusted source (i.e., you). There are three simple steps you can take that will thwart most attacks:

• Use long, unique passphrases: Criminals get your account details from breaches and malware. If you use the same one everywhere, cybercriminals will have access to all of your accounts. Consider using a passphrase with multiple words, such as DenverIsBeautiful. It’s easy to remember and tougher to crack.
• Use Multi-factor Authentication (MFA): MFA, sometimes called two-factor authentication (2FA) or advanced authentication, makes it almost impossible for someone else to log in to your account, even if they have your password. You trade the minor inconvenience of entering a one-time code for the huge benefit of keeping the baddies out of your stuff. Turn this on everywhere you can!
• Update Everything: Yes, everything. Keep your operating systems current on your computers, phones, apps, and internet-connected devices. Turn-on automatic updates and reboot when prompted. Networks are usually not compromised because of brand new, 0-day vulnerabilities. Instead, they are breached because a patch was never installed for a bug that was fixed months (or years) prior.

Reduce Your Attach Surface

• Your attack surface is the sum of all the ways your information can be compromised. Every account with your personal data or app with a security flaw adds to it. You can reduce your potential vulnerability by deleting online accounts you no longer use and uninstalling apps you no longer need so they can’t be used against you. With fewer things to manage and update, you can focus on protecting what is actually important.

Tweak Your Privacy Settings

• All major services offer privacy settings to limit what you share publicly. It may take a bit of exploration to find them, but you can use these tools to control your exposure. Pay special attention to location settings, permissions for facial recognition, who can tag you, and who can see your posts. Also, check the details you publish such as your hometown, birthday, family members, and where you work. Consider removing all of them.
• If it’s allowed by the service you use, you can go a step further by not using real information, such as your full name or actual date of birth. Don’t forget to check who can find you by your phone number and remember to also change your vanity name or username so it won’t give you away.

Don't Let Your Photos Betray You

• The photographs you upload to social media or share elsewhere online can expose your face, your address, the valuables you keep at home, the car you drive, and more. Keep this in mind before you post an image that might tell a stranger things you’d rather keep to yourself. Avoid sharing anything with your house number, license plate, or documents in view. For your kid’s safety, watch what they share online as well.
• Photos uploaded to major social media sites are scrubbed so that the metadata – hidden details that live within a picture or video file – are removed. Not all services protect you in the same way, and these metadata are always present when you email a file. Unless you disable the feature, your camera app is probably set to store your location which makes it easy for a criminal to see the exact latitude and longitude where a photo or movie was taken.

Would You Like To Know More?

These links will lead you to more resources to help protect your privacy:

• National Cybersecurity Alliance: Data Privacy Week
• FTC: Protecting Your Privacy Online
• CISA: Online Privacy Tips

Conclusion

• While it’s almost impossible to remain anonymous in 2022, there’s no reason to make it easier for criminals to take advantage of you. Information you share online, even if it’s restricted today, may go viral tomorrow. The best way to protect yourself is to avoid posting anything you wouldn’t want your grandmother to read in your local paper. You can’t regret a photo you never take.
• Once you upload a picture or write an angry tweet, you lose control of it, and anyone with a screenshot can continue to spread it long after you press the delete button. Search for yourself online every now and again to see what others will find when they look for you. Opt-out of any websites that share your personal details. Invest some time to ensure that a would-be attacker will be frustrated and move on to easier prey.
• Perfect privacy is impossible, but by being careful you can stack the odds in your favor. Stay safe, take care, and have a secure and Happy (Cyber) New Year!

Information provided by MS-ISAC

Data Privacy

General Personally Identifiable Information

Personally identifiable information or (PII) can be any data that identifies you as a specific individual. This information should be kept private and not shared with others. Examples of PII include your Social Security Number, or your name in combination with your date or place of birth.

Recommendations: Be aware of what you post publicly or submit through applications or services. Consider with whom you share your PII, and give extra scrutiny and consideration as to whether you really need to share this information. If someone contacts you requesting PII through email, social media, or a phone call, do not provide the information. If it is a phone call that you think is legitimate, hang up and call the organization back through a publicly listed telephone number so you can verify the caller is who they say they are.

Information About Your Location

Giving out your location when away from home on social media is a privacy risk. This practice can result in your home being targeted for burglary. Additionally, your family and friends may be targeted by scammers seeking financial assistance on your behalf to help with a non-existent “travel emergency.” Three popular methods of this type of location sharing are geotagging (adding a location tag to a social media post or picture), posting a photo in which the background can be easily identified (like Times Square or the Eiffel tower), or “checking in” at a business.

Allowing apps to use your phone’s location services has its own privacy concerns, as the app is likely recording or using that data, and may automatically add geotagging to social media interactions in that app as a result!

Recommendations: Customize your location settings to minimize sharing your location with websites and applications, especially on your mobile devices. You can geotag social media posts, pictures, or videos after returning from vacation, going out to eat, or that business trip. Also, check the privacy settings of apps to make sure they don’t need access to your location. At a minimum, ensure your social media settings are set to only show your posts and profile to friends.

Security Questions & Social Media

Security questions are a way to authenticate your identity and are an extra layer of security on accounts, which makes it extra important to not post these answers on social media. Posting a picture or writing a post about your first car’s make and model, or color of your car, childhood address, favorite ice cream flavor, mother’s maiden name, or elementary school is a bad idea. These are common security questions and by posting this information, you give away the answers, allowing cybercriminals to potentially access your accounts.

Recommendations: When on social media, be aware of what you post (including pictures!) and how it relates to the security questions you selected for your various accounts.

Website/Application Privacy Settings and Permission

All websites and applications have privacy settings. These settings help you control what others are allowed to see, as well as manage your online experience. You should be familiar with these privacy settings and customize them to protect your information. Additionally, when creating an account on a website or application and agreeing to their services, understand what you are giving them permission to do with the data you provide.

Take Responsibility: Protecting your privacy starts with you. Website owners, websites, and service providers have a responsibility to protect your privacy. However, it is up to you to understand the privacy settings on social media, online accounts, and your devices. Knowing these settings, you will be able to customize them for greater security.

Take ownership of your privacy and read privacy policies and end user license agreements on websites (including social media), and update your settings whenever new privacy features are available.

A message from MS-ISAC January 2019 Volume 14, Issue 1

Identity Theft

Learn more at Consumer.gov