Security

What you need to know about Covid SCAMS 

Taking advantage of current events is a common tactic that cybercriminals use to fuel their malicious activities. With the global pandemic of COVID-19 and an overwhelming desire for the most current information, it can be difficult for users to ensure they are clicking on reliable resources. So far, the MS-ISAC has seen malicious activity come through just about every channel: email, social media, text and phone messages, and misleading or malicious websites.

The range of current malicious activity attempting to exploit COVID-19 worldwide varies. A few common examples include:

• Fake tests or cures. Individuals and businesses have been selling or marketing fake "cures" or "test kits" for COVID-19. These cures and test kits are unreliable, at best, and the scammers are simply taking advantage of the current pandemic to re-label products intended for other purposes. For more information on fraudulent actors and tests, check out resources from the U.S. Food and Drug Administration (FDA).

•Illegitimate health organizations. Cyber criminals posing as affiliates to the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), doctor’s offices, and other health organizations will try to get you to click on a link, visit a website, open an attachment that is infected with malware, or share sensitive information. This malicious activity might originate as a notice that you have been infected, your COVID-19 test results came back, or as a news story about what is happening around the world.

•Malicious websites. Fake websites and applications that claim to share COVID-19 related information will actually install malware, steal your personal information, or cause other harm. In these instances, the websites and applications may claim to share news, testing results, or other resources. However, they are only seeking login credentials, bank account information, or a means to infect your devices with malware.

•Fraudulent charities. There has been an uptick in websites seeking donations for illegitimate or non-existent charitable organizations. Fake charity and donation websites will try to take advantage of one’s good will. Instead of donating the money to a good cause, these fake charities keep it for themselves.

Government Efforts to Reduce COVID-19 Malicious Activity

 The Department of Justice (DOJ) is actively seeking to detect, investigate, and prosecute cyber threat actors associated with any wrongdoing related to COVID-19. In a memo to the U.S. Attorneys, Attorney General William Barr said, "The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated." Individually, most state law enforcement agencies and other judicial officials are also treating these malicious actions as a high priority. More information can be found at https://www.justice gov/coronavirus. 

Additionally, the FDA has been taking action to protect consumers from fraudulent and deceptive actors who are taking advantage of COVID-19 by marketing tests that pose risks to patient health. If you are aware of any fraudulent test kits or other suspect medical equipment for COVID-19, you can report them to the FDA by emailing FDA-COVID-19-FraudulentProducts@fda.hhs gov. The FDA is now aggressively monitoring and pursuing those who place the public health at risk and are holding these malicious actors accountable.

Recommendations

Exercise extreme caution in handling any email with COVID-19-related subject lines, attachments, or hyperlinks in emails, online apps, and web searches, especially unsolicited ones. Additionally, be wary of social media posts, text messages, or phone calls with similar messages.

Be vigilant, as cyber actors are very likely to adapt and evolve to the nation’s situation and continue to use new methods to exploit COVID-19 worldwide. By taking the four precautions below, you can better protect yourself from these threats:

1. Avoid clicking on links and attachments in unsolicited or unusual emails, text messages, and social media posts.

2. Only utilize trusted sources, such as government websites, for accurate and fact-based information pertaining to the pandemic situation.

• Federal Emergency Management Agency (FEMA) recommends only visiting trusted sources for information such as coronavirus.gov, or your state and local government’s official websites (and associated social media accounts) for instructions and information specific to your community.

3. NEVER give out your personal information, including banking information, Social Security Number, or other personally identifiable information over the phone or email.

4. Always verify a charity’s authenticity before making donations. For assistance with verification, utilize the Federal Trade Commission’s (FTC) page on Charity Scams.

For More Information

If you think you’re a victim of a scam or attempted fraud involving COVID-19, or you think you know of a scam or fraud, you can report it without leaving your home:

• Contact the National Center for Disaster Fraud Hotline via email at disaster@leo.gov at 866-720-5721 or the FEMA Disaster Fraud Hotline at 866-720-5721 to report frauds and scams, including personal protective equipment (PPE) hoarding or price gouging;

• Report scams and frauds to the Cybercrime Support Network ; and

• File a complaint for criminal activity by contacting your local law enforcement agency.

Additional Resources

• CDC, FEMA, and White House | COVID-19

• CDC | COVID-19-Related Phone Scams and Phishing Attacks

• CDC | Know the facts about coronavirus disease 2019

• CISA | Security Tip: Using Caution with Email Attachments

• CISA | Risk Management for Novel Coronavirus

• CISA | Information & Updates on COVID-19

• FBI | FBI Exec Discusses COVID-19-Related Schemes

• FEMA | Coronavirus Rumor Control

• U.S. DOJ | Coronavirus

A message from MS-ISAC April 2020 Volume 15, Issue 4

6 Steps to Securing IoT Devices and Taking Back Your Privacy

In today's world we are more connected than ever — not only to each other, but to our devices. For example, people now have the ability to open and close their garage doors and even start their cars directly from their phones. But what information do we put at risk when we do all of these amazing things?

Securing Internet of Things (IoT) devices and keeping personally identifiable information (PII) safe and secure these days is of the utmost importance.

IoT Information Collection

When you buy the latest IoT device, you need to be aware of two things: First, IoT devices collect your information, and second, that information is always accessible.

So, what exactly is information collection? Think of a common streaming service, like Netflix. Once you sign up, you'll start receiving emails from Netflix letting you know they’ve added a new TV show that you might enjoy. And the thing is, they’re usually right! That's because your viewing history and ratings have been transmitted through an algorithm to determine what else you’d be willing to watch, and thus, continue your subscription. Now imagine every device you have on your home network collecting this type of information. It's a scary thought!

Keeping Your Information Secure on IoT Devices

While technology enables you to control your life from your fingertips, your information is at everyone else’s fingertips as well. Security isn’t fun or flashy, and because of this, some companies do not give it the consideration it deserves before they bring their products to market.

Very often when you buy an IoT device or utilize a company’s service you have unknowingly allowed them to collect information about you. That agreement you have to sign before you can use any of their items is written by their lawyers, and unfortunately, without saying yes you can’t use that fancy new gadget. All of these companies know it, which is why hundreds of pages sit between you and your new purchase.

6 Steps to Protect Yourself and Your Devices

1. Change Default Passwords

On devices that are connected to your network you should always make sure you change the default password. It doesn't matter if it's a new security camera or a new fridge. Creating new credentials is the very first step in securing your IoT devices and protecting your privacy. Research has shown that a “passphrase” is safer than a password. What does this mean? It means 1qaz!QAZ is less secure than Mydogsliketochasethechickensaroundtheyard! which is also much easier to remember.

2. Automatic Patches and Updates

In today's "set it and forget it" society, many electronic devices can take care of themselves. Quite often technology has a setting that allow for automatic updates. This is an important setting to turn on when securing IoT devices.

3. Set-up Multi-factor Authentication (MFA)

MFA security settings are growing in popularity. This is as simple as receiving a text or code that you need to type in while signing on to a system. Often times within the account preferences of your device, you can set up an Authentication Application. If you can’t find this option call customer service, chances are it exists somewhere.

4. Utilize a Password Manager

Keep usernames and passwords unique. Most password manager applications can generate a random password for you, and will allow you to store them safely.

5. Update Default Settings

Check to see which settings are turned on by default, especially if you don't know what they mean. If you are unfamiliar with FTP or UPnP, chances are you are not going to use them, or even notice that they are off.

6. Avoid Public Wi-Fi

It may be convenient to connect to a public Wi-Fi, but think again! If the Wi-Fi network does not require a password, then anyone can listen in on your computer’s information. Some public Wi-Fi networks are deliberately set up in the hopes that people will use it so they can steal information or credentials.

Remember that just like you lock your front door to protect the valuables inside, these days you also need to lock your IoT devices to protect your information and your privacy.

A message from MS-ISAC May 2020 Volume 15, Issue 5

Online Banking Privacy & Security

Safeguarding your personal information when interacting with us via the Internet is extremely important. Profile Bank’s Online Banking has been designed with that in mind. Profile Bank will continue to enhance and maintain prudent security standards and procedures to protect against unauthorized online access or use of your nonpublic personal information and records, applying the same high standards in caring for your personal information as we do for transactions you conduct with us in person.

Secured Forms

Messages sent using the secure forms within our website are secure. Look for the icon of a padlock to verify a form’s security. We preserve the content of your message, your message address and our response, so that we can more efficiently respond to any follow-up questions from you. We also retain this information to meet legal and regulatory requirements.

Regular Internet E-mail is Not Secure. Please do not send confidential information such as social security or account numbers to us via regular e-mail. In instances where e-mail addresses are provided, they are provided for information inquiries of a non-sensitive and non-confidential nature. Since an Internet e-mail response back to you would not be secure, we will not include confidential information in an unsecured e-mail response.

Phishing & Identity Theft

“Phishing” refers to activities of cyber-criminals who create an imitation of an existing legitimate web page and trick people into providing sensitive personal information. We will never send an e-mail that provides a link to the Profile Bank Online Banking logon screen. The recommended best practice is to access the logon screen from the link on our website homepage at www.profilebank.com. 

In the worst case of phishing, you could find yourself a victim of identity theft. With the sensitive information obtained from a successful phishing scam, these thieves can take out loans or obtain credit cards and even driver’s licenses in your name. They can do damage to your financial history and personal reputation that can take years to unravel. But if you understand how phishing works and how to protect yourself, you can help stop this crime.

How it works

In a typical case of phishing, you’ll receive an e-mail that appears to come from a reputable company that you recognize and do business with, such as your financial institution. In some cases, the e-mail may appear to come from a government agency, including one of the federal financial institution regulatory agencies.

The e-mail will probably warn you of a serious problem that requires your immediate attention. It may use phrases, such as “Immediate attention required,” or “Please contact us immediately about your account.” The e-mail will then encourage you to click on a button to go to the institution’s Web site. In a phishing scam, you could be redirected to a phony Web site that may look exactly like the real thing. Sometimes, in fact, it may be the company’s actual Web site. In those cases, a pop-up window will quickly appear for the purpose of harvesting your financial information. In either case, you may be asked to update your account information or to provide information for verification purposes: your Social Security number, your account number, your password, or the information you use to verify your identity when speaking to a real financial institution, such as your mother’s maiden name or your place of birth.

If you provide the requested information, you may find yourself the victim of identity theft.

Note: Please be aware that Profile Bank will never contact you to request or verify information about account numbers, PIN’s, login ID’s, passwords or any other personal information regarding your accounts.

How to Protect Yourself

1. Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. E-mails and Internet pages created by phishers may look exactly like the real thing. They may even have a fake padlock icon that ordinarily is used to denote a secure site. If you did not initiate the communication, you should not provide any information.
2. If you believe the contact may be legitimate, contact the financial institution yourself. You can find phone numbers and Web sites on the monthly statements you receive from your financial institution, or you can look the company up in a phone book or on the Internet. The key is that you should be the one to initiate the contact, using contact information that you have verified yourself.
3. Never provide your password over the phone or in response to an unsolicited Internet request. A financial institution would never ask you to verify your account information online. Thieves armed with this information and your account number can help themselves to your savings.
4. Review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. If your financial institution offers electronic account access, periodically review activity online to catch suspicious activity.
5. Review your credit report at least annually to monitor for unfamiliar transactions. Contact www.annualcreditreport.com or call 1-877-322-8228 for your free annual credit report.
6. Report suspicious e-mails or calls to the Federal Trade Commission through the Internet at https://www.consumer.ftc.gov/features/feature-0014-identity-theft, or by calling 1-877-IDTHEFT.

What to do if you fall victim

Contact your financial institution immediately and alert it to the situation. Report all suspicious contacts to the Federal Trade Commission through the Internet at https://www.consumer.ftc.gov/features/feature-0014-identity-theft, or by calling 1-877-IDTHEFT. If you have disclosed sensitive information in a phishing attack, you should also contact one of the three major credit bureaus and discuss whether you need to place a fraud alert on your file, which will help prevent thieves from opening a new account in your name. Here is the contact information for each bureau’s fraud division: