It would be great if technology could solve all of our cybersecurity problems. We rely on security systems such as antivirus software, firewalls, and software updates to protect our devices and data. However, at the end of the day it all comes down to people. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches involved the Human Element, including Social Engineering Attacks, Errors, and Misuse.

Phishing e-mails continue to be one of the most popular methods of attack used by cybercriminals, but they are not the only method. Let’s review some additional types of social engineering attacks and what you can do to protect yourself.

Voice Phishing (Vishing) and SMS Phishing (Smishing)

• Vishing. In vishing attacks, scammers use phone calls or voice messages to impersonate legitimate businesses and trick you into giving them money or revealing personal information.  Sometimes these fraudulent calls are made by actual people; other times they are done via robocalls. Worse yet, the scammers may spoof phone numbers that belong to real companies or individuals to deceive you.
• Smishing. In smishing attacks, scammers send phishing messages via text messages or messaging apps to your smart phone or tablet. Like phishing e-mails, you are prompted to open a link to access a website or app. The link may take you to a login page to enter your username and password, a form to provide your personal information, or a malicious app that infects your device.

Common Vishing and Smishing Scams

Below are examples of common Vishing and Smishing Scams to look out for.

• Demands for payment. The scammer pretends to work for a government agency such as the IRS and tells you that you owe money. They may threaten that you will be fined or even arrested if you do not pay.
• Account verification. The scammer poses as an employee of your bank or credit card company and states that they noticed unusual activity on your account. You are asked to provide personal information to verify your account.
• Program enrollment. The scammer represents themselves as a representative of a government program such as Medicaid and offers to help you with your benefits. You are asked for your personal or financial information to complete enrollment.
• Order/shipping confirmation. The scammer sends you a link to track a package or confirm your order, even though you did not order anything recently. The link may ask for your username and password or install malicious software on your device.
• Winning a prize. The scammer informs you that you won a contest. From there, they may ask for personal information or walk you through accessing your bank account so you can receive a deposit.
• Tech support. The scammer offers to fix a computer problem that you didn’t even know you had. They may ask you to visit their support website, install software to give them remote control, or provide them with your accounts and passwords.

How to Protect Yourself from Vishing and Smishing Scams

Here are some tips to help protect yourself from both vishing and smishing scams.

• Pause, think, and act. Scammers will stress a sense of urgency to trick you into doing what they want. Don’t take the bait. Take time to think about what you are being asked to do and why before you take any actions. Think twice before clicking on links in text messages. Instead, visit the organization’s website directly to ensure you are communicating with the real business.
• Do not answer the phone or respond to texts from unknown numbers. If the scammers can’t reach you, they can’t trick you. If you do answer the call, hang up immediately.
• Keep your personal information private. Never give out personal information such as account numbers, Social Security numbers, passwords, or Multi-Factor Authentication (MFA) codes to unknown people.
• Verify the source. If you receive a message from someone who says they represent a company or a government agency, hang up and contact them by using the contact information posted on the organization’s website.
• Enable strong security on your accounts. Creating strong and unique passwords is still a security best practice for protecting your personal and financial information. If you have difficulty creating unique passwords for each of your accounts, consider using password generators and managers to develop more complex passwords and store them securely as well. Enable MFA when available as an added layer of protection for your online accounts.

Additional Resources

• FCC: Caller ID Spoofing
• CISA: Avoiding Social Engineering and Phishing Attacks

It would be helpful if content from threat actors came with a flashing red flag. Unfortunately, phishing attempts are better crafted than we'd like to believe. Cyber threat actors are well versed in manipulation and well-crafted techniques to fool unsuspecting users. When a user falls for a phishing message, the attacker achieves their purpose. 

Phishing messages can appear in a variety of formats to collect personal information, steal account credentials, or install malware on a user’s device. Let’s take a look at some examples that highlight how to identify messages as phishing attempts and hopefully thwart this pathway for cybercriminals.

Message #1: Fake Vacation Loans

Subject: Low-Cost Dream Vacation loans!!!

Dear John,

We understand that money can be tight and that you may not be able to afford to go on vacation this year. However, we have a solution. My company, World Bank and Trust, is willing to offer low-cost loans to get you through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account [sic].

Please email your completed form to VacationLoans@worldbankandtrust.com.

Your dream vacation is just a few clicks away.

Stephen Strange
World Bank and Trust
1818 Street, NW Washington, DC 20433 USA
www.worldbankandtrust.com

Message #2: “Amozan” Gift Cards

Subject: Free Amozan Gift Card!!!

Dear Sally,

You name has been randomly selected to win a $1000 Amozan gift card. In order to collect you prize, you need to send us your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days. Failure to respond will forfeit your prize and we will select another winner. Please email your Name, address, phone # and date of birth to: 

CustomerService@amozan.com

Your gift certificate is just a few clicks away

Customer Service
Amozan

What These Phishing Attempts Teach Us

In the first message, we can see that the phisher wants to give us a low-cost loan with no credit check. We just send him our information, and he gives us the money. This seems too good to be true. If you hover over the link, you see that this is not the email address displayed. It’s the email address of the attacker…

In the second message, we see that “Amazon” is misspelled as “Amozan.”  If you read the message quickly, you will think it says “Amazon” and respond to get your gift certificate.  

Here are some rules to use to protect yourself from becoming a victim of a phish:

Rule #1: If an offer or deal is too good to be true, it probably is.

Rule #2: Hover over the link to confirm its true origin.

Rule #3: Look for misspellings. If company names are close to the correct spelling, you may not initially notice incorrect spelling.

Rule #4: Type the correct URL in the address bar yourself to ensure you are going to the legitimate site.

Rule #5: Look for misspellings in URLs. Some scammers use slight misspellings or letter substitutions in web addresses so that it is not easily noticed (e.g., 1egitimatebank.com instead of legitimatebank.com).

Rule #6: Never respond to an email with sensitive personal information (birthdate, Social Security Number, etc.). There are always more secure methods that legitimate companies will use to get this information.

Rule #7: Be wary of any message that is urging you to take immediate action.

The Federal Trade Commission is the United States entity that collects scam reports and can offer assistance in the event of an attack. If you think you’ve been a victim of a phishing attack or have clicked on a link that may be malicious, you can report a phishing attempt online at https://www.usa.gov/stop-scams-frauds or by placing a call to 1-877-382-4357.

Lastly, you can educate yourself about phishing attempts in all their varieties. This includes spear phishing, which is a more targeted form of phishing. You can learn about this type of attack by downloading our MS-ISAC Security Primer on the topic.

Computers, tablets, smartphones, TVs, thermostats, cameras, doorbells, and coffee pots. What do all these things have in common? They are all devices that connect to your home network and the internet.

Modems and routers act as the gateway between your devices and the internet. Without proper security in place, you can leave the door open for attackers to access and take over your network.

Let’s review some steps you can take to keep your home network safe from potential cyber threats.

Secure Your Modem and Router

• Use current hardware. Technology changes quickly, and if the manufacturer no longer supports your modem and router, a security vulnerability may emerge and not receive a fix. Whether you purchase your own modem and router or lease them through your internet service provider (ISP), consider replacing them at least every five years to ensure your devices receive the support and security fixes you need to keep your home network safe.
• Use a surge protector or uninterruptable power supply (UPS). Prevent potential damage to your modem and router from unexpected power surges, spikes, and lightning strikes by connecting them to a surge protector or UPS. Some models also include surge protection for phone, ethernet, and coaxial cables. 
• Disable remote management. Some routers have the capability for you to manage your home network over the internet. While this does add convenience, it also increases the risk that an attacker will compromise your network. Disable remote management by default, and if you absolutely need it, be sure to enable multi-factor authentication (MFA) to use this feature.
• Change your modem and router passwords from the default passwords to secure passwords. Changing default passwords will prevent others from accessing the configuration, changing settings, and gaining visibility into your network.
• Enable automatic updates and install the latest firmware. Keeping your modem and router up to date with the latest firmware helps protect them as new vulnerabilities emerge and receive fixes.
• Enable the router’s firewall. The firewall helps prevent the devices on your network from accessing malicious sites as well as keeps outsiders on the outside of your network.
• Enable website filtering. Some routers have website filtering and parental controls as added features to prevent users from accessing malicious or inappropriate websites while on your network. If your router does not have these features built in, you can set up free internet Domain Name System (DNS) filtering through services such as quad9, CleanBrowsing, or OpenDNS.
• Reboot your modem and router at least once a month. Malicious software can infect your router without your knowledge. Periodically reboot your modem and router to clear potentially malicious software from memory, refresh your device connections, and keep your internet connection healthy and fast.

Secure Your Wi-Fi

• Change the Wi-Fi network name (SSID). The default wireless network name is typically the brand of the router. As such, it can provide clues to outsiders as to what type of router you are using and what vulnerabilities exist. Make sure you do not use your name, home address, or other personal information in your new SSID name. For added protection, disable broadcast of the wireless network name.
• Enable Wi-Fi encryption. Use Wi-Fi Protected Access 3 (WPA3) if supported by your device and choose a strong passphrase to connect devices to your network. When feasible, choose wired connections over wireless for enhanced security.
• Enable a Wi-Fi guest network. A security best practice is to segregate network devices. Connect your computers, mobile devices, printers, and other trusted devices on your primary wireless network. Additionally, restricting devices such as smart TVs, personal digital assistants, and your refrigerator to the guest network.

Monitor Your Network

According to Deloitte's 2022 Connectivity and Mobile Trends Survey, the average U.S. household has 22 connected devices. Do you know what devices are connecting to your network? Periodically review the devices that are connected to your network and block the ones that you don’t recognize.

We rely on our home internet connections more than ever before for work, school, communication, and entertainment. By following these steps, you can greatly improve the security of your home network and protect you and your family from potential cyber threats.

Special thanks to Jason Balderama, CISO of County of Marin, CA, for providing the content for this newsletter. 

‘Tis the season for holiday gifts and shopping! To avoid waiting in lines and traffic, many people opt out of going to malls and choose to shop online. 

Cyber threat actors (CTAs) are aware of that fact, and it is their time to be active and develop new methods of tricking people. Be vigilant and avoid falling into their traps. Act and protect your personal and financial information.

The security tips below will help reduce the likelihood of your information falling into the wrong hands and ensure that you have a more hassle-free shopping experience this holiday season.

Avoid Using Public Wi-Fi 

• While using public Wi-Fi is convenient, it is not secure. 
• Public Wi-Fi does not protect your sensitive data, and CTAs may access your personal and financial information. 
• Abstain from using public Wi-Fi at all costs while purchasing and placing orders.
• Confirm that you do not allow the "Connect automatically" Wi-Fi network preference on any of your devices.

Shop Safely

While shopping and making payments, verify the following:

• The internet connection is secure. If you are required to provide a password to access a Wi-Fi network, this will indicate that the communication between your device and the wireless router is encrypted.
• Payment sites have SSL protection, i.e., the URL should begin with “HTTPS.” Avoid making any payments to sites that do not have the “s” after the “HTTP.”

Check Shopping Sites

Browse sites that are well-known, legitimate, and secure. Please check for the following:

• The site has a “lock” (padlock symbol) in the URL bar. This means the website is secure, i.e., the information between your browser and the server is encrypted.
• The URL starts with “HTTPS,” which indicates that the site uses encryption and will thus protect your data.

Resist the Urge to Click

• Be cautious with offers that look too good to be true. These may be traps.
• Stop and think before you click and take any action.

Use Credit Cards

Avoid using debit cards. It is safer not to use them since they are related to bank accounts. Use credit cards instead; they offer many protections to users:

• Credit card companies will stop payments that look fishy.
• They may call customers to check if transactions are valid.
• Users can dispute all invalid charges with credit card companies, and these providers will generally nullify all suspicious charges and send a replacement card in the mail.

Be Wary of Emails

• Resist the urge to open emails right away. Check who the email is from. 
• Be cautious when emails look too good to be true. They may be scams to get your information.

Verify What You Are Buying

• Make sure you’re clear about what you are buying and what you are paying for.
• If in doubt about the site, google the company name.

Strengthen Passwords 

• Have strong and secure passwords. This is one of the most secure ways to protect yourself.
• Change your passwords regularly.
• Use paraphrases that make sense to you and are only known to you.

Monitor Your Credit Cards

• Keep track of your credit cards and accounts, especially during the holiday season.
• Monitor your transactions to check if they are valid and legit. 
• If something looks suspicious, reach out to the customer service departments of the credit card companies and/or banks involved by contacting their toll-free number, email, or website chat services.

Use Smartphones Wisely

• Avoid using your smartphones for any purchases.
• Refrain from clinking on links from unknown text messages.
• Protect your smartphones with a password and anti-malware software.

Follow Safety Tips

• Close all browsers after using public Wi-Fi.
• Clean up your browser cache.
• Do not save credit cards, passwords, payments, or any other information on your site.
• Make sure to update your laptop software regularly.
• Install anti-malware software on your laptop. Some solutions are free, such as SUPERAntiSpyware
• Scan your computer for malware at least weekly.

Additional Resources

Some users may still fall victim to identity theft or scams – even if they follow good security practices. For even more information on holiday shopping safety, visit the following resources:

• https://www.memberspluscu.org/blog/2022/10/reduce-fraud-this-holiday-season-with-these-tips/
• https://staysafeonline.org/resources/online-shopping/
• https://securityintelligence.com/articles/holiday-cybersecurity-tips/
• https://securityspecialists.com/blog/holiday-season-safety-and-security-tips-to-remember/
• https://megasystemssecurity.com/holidays-security-tips/
• https://www.ramseysolutions.com/budgeting/home-security-tips

When you log on to a website, make an online payment, send an email, use a social network, post online, or even send a text, you're adding to your online identity. In today’s world, it is unavoidable. The good news is there are ways you can protect yourself.

When logging on to a website, look at the address bar on the browser. If you see a padlock icon on the left-hand side of the address, the site is using encryption and verification. Clicking on the padlock shows the site’s security certificate. Using only these types of sites ensures you are safely sharing your data. If you do not see the padlock icon, steer clear. Your data is vulnerable. When shopping online, visit only legitimate websites and use safe online payment options and digital wallets for a more secure checkout.

Be wary of suspicious emails or texts and never give out information unless you are certain where it is going and how it will be used. Do not open suspicious attachments. If you suspect a piece of communication is malicious, call the sender or company directly instead of replying to the email or clicking on a potentially malicious link or attachment.

Never throw away or give an unwanted device to someone else without factory resetting it and wiping all data from the device.

Bad actors can use your personal data in a variety of ways that can cause great harm. Identify theft is when a person or entity uses your information including your name, contact information, financial accounts, Social Security Number, and other personal information without permission. They can use this information to change your billing address, steal government benefits, open a bank account, apply for loans or lines of credit, use your money to make purchases online, or even commit crimes.

Doxxing is when an unauthorized person or entity collects and publishes personal information including private photos, messages, or other personal data for the purpose of harassing the victim. This is a different kind of identity theft that can jeopardize your safety and right to privacy. Keep your social profiles private and only connect with people you know. Check your privacy settings periodically and disable location tracking for applications installed on your device. When using Wi-Fi in a public space, follow these safe use guidelines:

• Turn off auto-connect features on your phone or laptop to control which networks you connect to,
• Use a VPN to encrypt your data whenever possible,
• Don’t access personal or financial information,
• Don’t shop online,
• Don’t stay permanently signed into accounts,
• Pay attention to warnings, and
• Don’t leave your device unattended in a public place.

You can further protect your online identity by practicing good cyber hygiene.

It is important to choose strong passwords for your online accounts and home network. Create a strong password by combining upper- and lower-case letters, numbers, and symbols. Using a phrase known only to you can help you to remember a lengthy password. Do not use the same password or form of password on multiple accounts. Also, update them every few months. Keeping your devices up to date with the latest operating systems and security patches will help support password strength. If you fill out security questions as a step in resetting a password, make sure they are challenging questions for which only you know the answer.

Use multi-factor authentication. MFA requires multiple factors to verify a user’s identity, combining things you “know,” like a password or pin, with things you “have,” like a special code sent to your smartphone, or things you “are,” like a fingerprint or facial recognition technology.

Creating strong passwords alone may not be enough. Password manager applications can ensure that your passwords are strong, unique, and updated regularly. Reduce your digital footprint by deactivating/deleting old shopping, social media, and email accounts as well as unsubscribing from mailing lists that are no longer of interest.

Though bad actors are serious about their business and constantly finding new ways to get personal data, you can reduce your odds that you will become one of their victims by maintaining your security awareness and cyber hygiene.

We like to think we can trust our co-workers to do the right thing. Unfortunately, this is not always the case. Some people become insider threats; that is, they use their authorized access to systems to harm their organization. For example, someone may sell information from a database to a third party.

There are three types of insider threats:

1. Unintentional –This person does not intend to cause a threat, but they do so through carelessness. They may misplace their laptop or flash drive, fail to update software, or ignore instructions when setting up software or cloud storage. Their attention to detail may be poor and they can make mistakes that damage the organization, such as causing a breach by emailing data to the wrong person.
2. Intentional –This person intends to harm their organization and is often called a “malicious insider.” They may be in it for financial gain, to get revenge for some perceived slight, or for some other motivation. They may leak information to third parties for money or political beliefs, steal information to advance a side business, or destroy data to sabotage the organization.
3. Collusive or Third-party – Collusive threats occur when an insider collaborates with an outsider to compromise an organization. The outsider may recruit an insider to obtain information to commit fraud, intellectual property theft, espionage, or some other crime. Some insiders may be manipulated into becoming a threat and may not recognize that what they are doing is harmful. Third-party threats occur when the insider works for a contractor or vendor who has access to the organization’s network or facilities.

Some of the indicators of an intentional insider threat include:

• Life changes, such as financial, relationship, family, or work problems.
• Behavioral changes, such as signs of depression, anger, or possible drug or alcohol addiction. However, a colleague who seeks help is showing good judgment.
• Changes in work habits such as working through lunch, accessing or asking questions about information or systems not part of the scope of the colleague’s employment, or a disregard for security policies and practices.

Many unintentional insiders are:

• Poorly trained in cyber hygiene, either because the organization does not train staff or because they do not pay attention.
• Disorganized; loses laptops or flash drives.
• Unfamiliar with technology or thinks they know more than they do and do not follow instructions when installing new software or setting up cloud storage.

We all make mistakes, but many unintentional insiders simply do not pay attention to what they are doing. The lack of attention to detail puts their organization at risk for breaches and malware.

To reduce the likelihood of an insider threat, organizations should develop a comprehensive program that includes knowing the people within the organization, identifying the assets and prioritizing the risks, and establishing the proven operational approach of detect and identify – assess – manage.  Organizations should take extra steps to vet third party service providers to ensure they can access only necessary systems and areas of the building.

The Cybersecurity and Infrastructure Security Agency (CISA) has more information about insider threat mitigation at https://www.cisa.gov/insider-threat-mitigation.

As technology continues to evolve, the tools and toys available to your children increase in number and evolve in capabilities. Technology can be used to educate and inspire creativity in kids, but it also exposes them to a risky landscape most of us didn’t have to worry about during childhood. Adults can discuss with children how the digital world is a great resource, but we must remain cyber aware.

We all should be responsible with the information we share and the ways we explore. Here are a few things we should all do to protect our kids and our home networks.

Keep Software Updated

Think of all the devices in your household that connect to the internet – phones, tablets, computers, gaming systems, smart appliances, even lightbulbs! One of the most important things you can do to keep your devices safe is to ensure your devices are up to date and using the latest software. When your devices notify you about a software update, install the update right away or set them to automatically update. Those updates contain security patches that close loopholes that attackers can use to gain entry and access your data like your passwords, payment information, photos, and more.

Always make sure you know what apps are on your children’s devices. Know what those apps do and what type of information they monitor or collect. This can be done easily by checking the app settings and privacy disclosures.

If you have children prone to installing anything that looks new and flashy, consider requiring a PIN or password only you know before allowing installation of new applications.

Internet Domain Name System (DNS) Filtering

As we all know, surfing the web can be a risky business. While we can usually identify scams and malicious links, children may not catch on so quickly and see that the link their friend’s hacked account just sent them for a free game is a malicious website in disguise.

Implementing DNS filtering, which prevents devices on your network from connecting to known bad websites, is a free and easy way to help prevent everything from phishing and ransomware to spyware and viruses. It is so useful that some of largest IT companies in the world have joined forces to provide it for free to public users. This includes no sign-ups, tracking, or personal information saved by those providers. DNS filtering can even be set up on your home router with very little effort, which will help protect anyone or device on your entire network. DNS filtering services can also be used to implement parental controls to deter kids from going to unwanted or inappropriate websites. Additionally, you can limit kids’ screen time and monitor their online surfing activity if you choose to do so. By doing this, you can create a family-friendly online space in your home while also protecting your identity and blocking cyber-villains.

Free DNS filtering options for families –

• Quad 9: When your computer performs any Internet transaction that uses the DNS (and most transactions do), Quad9 blocks lookups of malicious host names from an up-to-the-minute list of threats. Quad9 is also free to use, and no contract is required. It also doesn’t collect any personal information about you.
• Cleanbrowsing: A free DNS system that focuses on privacy for households with children. It provides three free filter options and blocks most adult sites.
• OpenDNS: Owned by Cisco, OpenDNS has two free options: Family Shield and Home. These are incredibly useful for monitoring and preventing adult site access as well as general internet safety and performance.

Talk to Your Kids

Finally, make sure you talk to your kids about cybersecurity. Just like other issues that have the potential to harm our children, keeping an open line of communication regarding cybersecurity is vital to keeping them safe.

Outside of adjusting privacy settings and parental controls on devices your kids use, make sure they learn how to spot unusual behavior and encourage them to tell you about it. Teach your kids about proper online etiquette and encourage appropriate interactions.

Supervise their screen time and make sure you are in the know about who they talk to and interact with online. Talk to them about the importance of keeping some information private such as their name, home address, and phone number.

Check their apps and devices frequently to make sure your kids haven’t turned on location sharing or made their social media accounts public to anyone and everyone. As they get older, remind them that once information is online it can’t be taken back. It’s online forever.

Cybersecurity was not something past generations of parents had to worry about when raising their children, but it is a big part of all our lives now. And even though we may not like all that comes with these technologies, they’re here to stay, so it is imperative that we teach our children how to use them responsibly and safely. Let’s give our children the foundation they need to be able to safely and securely engage in today’s connected world.

Special thanks to the Education and Awareness Working Group for providing the content for this newsletter.

Have you ever taken a tally of every account you’re signed up with? According to a 2021 study done by NordPass, the average person has about 100 passwords and associated accounts (i.e., credentials). Whether or not these accounts are active, we all run the risk of having this information exposed and misused. Given this shocking average, we can take easy steps to ensure our information is protected in cyberspace. While use of multi-factor authentication (MFA) can mitigate the threat of credential misuse by requiring at least two pieces of evidence (e.g., password and code sent to mobile phone) to confirm a user's identity, not all organizations or users have adopted this preferred method of authentication. When MFA is not yet available, the simplest action we can take is to make informed choices when creating passwords, including what mode of protection we apply to them. Because there’s no rest for the wicked, cybercriminals are constantly finding new ways to circumvent what were previously thought to be secure online environments.

Why you should be using a password manager: A secure way to store your passwords is to use an electronic password manager that allows the use of multi-factor-authentication. Not only can a password manager generate strong passwords, but it can also hide them from view. Many password managers will only allow you to view your passwords via multi-factor authentication. The password manager also generates completely unique and long passwords without you having to come up with one on your own, and it stores each unique password for future use. Computers are much better at randomizing characters than humans, so you can rest easy knowing you aren’t inadvertently re-using character patterns – which is a big password no-no. Those previously mentioned 100 passwords likely won’t be learned by heart, and that’s okay, as your password manager has your back! Below are forms of multi-factor-authentication that can be utilized with a password manager to add that extra layer of protection:

• Voice call: Exactly what it sounds like – you can opt in to receive verification calls from many password managers to confirm your identity.
• Biometrics: This is a technology that uses fingerprint or facial recognition software.
• Push: You can download corresponding apps on your phone or laptop that will trigger a notification to click on and verify identity.
• Hardware token: This is a small device that is either connected to or separate from your password manager. It generates a randomized code.
• Email: You receive an email as a form of identity confirmation.
• SMS: Similar to a push notification, you receive a text message to verify identity.

We all have a lot to worry about these days, but taking a small amount of time to research and activate a password manager can help us avoid at least one type of online vulnerability. You don’t have to do much to become cyber-savvy either, as having and using the right tools is sometimes all you need.

Special thanks to Emma Kipniss, Education and Awareness Working Group Chair, for providing the content for this newsletter.

from the desk of Karen Sorady, VP MS-ISAC Member Engagement

We at the MS-ISAC are overjoyed to announce this year’s winning Kids Safe Online poster designs! Each October during Cyber Security Awareness Month, K-12 students across the country focus their creative genius on inventing artwork that teaches us about internet safety and security. As with past years, we received many wonderful pieces, and of those, 13 will grace the pages of our next Kids Safe Online Activity Book. MS-ISAC members nationwide use our posters to spread cybersecurity awareness and inform their employees about cyber threats.

A Look at the Winning Posters

“Wherever you go, your digital footprint follows.” — Madelyn, 8th Grade, New York

Madelyn, an 8th grader from New York, created this stunning design that reminds us to watch our digital footprint. Every text we send, every message we keep, and every file we download can carry dangers with it if we’re not careful. Sometimes, it takes a child to remind us that once we click “send,” it’s too late. In the digital world, it’s impossible to take things back, and any post we make could be misused.

“Don’t Give Out Personal Info Online” — Maylin, 12^th Grade, New York

Maylin, a 12^th grader, submitted an amazing piece of art meant to teach us a lesson about leaving our personal information exposed online. Even details that might seem inconsequential by themselves could be pieced together by a malicious actor. For this reason, it’s important to lock down our social media accounts with smart privacy settings and keep a close eye on what we allow the whole world to see.

“Do Not Fall for Internet Scams” — Megan, 9^th Grade, New York

Megan, a student in 9^th grade, provided useful info in an entertaining format. Takeaways include avoiding malware disguised as games or music and dodging internet scams. The adage that “if it sounds too good to be true, it probably is” applies in the virtual world. When we accept a friend request or chat with someone online, we let them into our circle of trust, and that can be a risky proposition.

“Choosing a Strong Password” — Leila, 3rd Grade, Virginia

Our last winning poster design comes from Leila, a 3^rd grader in Virginia, with three steps to better password security. While we all hope for a beautiful, password-less future, in the present, they still constitute the keys to our various kingdoms. Along with other tips, Leila tells us to choose passphrases – something longer than just a single word – which is good advice to help us ward off brute-force attacks.

Cybersecurity as a Life Skill

Today’s kids have grown up with amazing tech that, if used responsibly, can greatly enhance their lives. No other generation has had so much information at their fingertips just a click away. Of course, there are tradeoffs in an always-connected reality. That’s why cybersecurity is not just a career field but also a life skill. The good news is that there are plenty of opportunities for students interested in learning about security, including great summer options, so these white hats-in-training can practice their art year-round.

Resources for K-12 Cybersecurity Learners:

• Air Force Association’s CyberPatriot
• CyberStart America
• NIST List of K-12 Cybersecurity Competitions
• NSA/NSF GenCyber
• R00tz Asylum
• UTSA’s Culture of Cyber Security: Kids Activities

For two years, you’ve accumulated digital clutter and technical debt at a rate previously considered impossible, at least pre-pandemic. The good news is that spring has sprung, and spring is the time when we all agree to pretend we enjoy cleaning. We power through, at least until there’s a clear path from our WFH desk to the fridge. And we feel a little better when we see the results. In that same spirit, let’s take a moment to clear a virtual path and shore up our digital defenses because winter is always around the corner.

Delete with a vengeance. Be brutal. Be the digital minimalist Marie Kondo would envy. Uninstall apps you don’t use, both on your phones and your computers. Delete files you no longer need. Wipe and securely dispose of electronic media and hard copies. Do you really need to keep those laserdiscs and floppies? Everything we retain has a chance of being lost or stolen. Every item carries a liability and weighs us down.

Reduce your attack surface. Removing unused software makes a dent. It also makes it easier for you to keep everything up to date (and you need to keep everything up to date). Now, let’s shift our focus to your accounts. Haven’t used a website in a year? Don’t just leave your account idle and your login credentials unnecessarily exposed. Close your account. Need help finding targets? Check your spam folder for all those privacy policy updates and Christmas in July promotions. Attackers can’t compromise accounts that don’t exist.

Review your records. Take a good look at your bank statements. This is the 21st century. There’s no need to shuffle through paper records if you don’t want to. Just pull out your phone and scroll. Hunt down the source of anything suspicious, and then do yourself the favor of identifying recurring services you can cancel to save some money too. For IT geeks, when’s the last time you’ve read through your systems’ logs? The concept is the same. Give ledgers and logs some love, and tidy-up things you find.

For the sake of all that is nerdy, turn on MFA! Look, we’re going to set the cleaning metaphor aside for a second because this is important. Multi-factor Authentication (MFA) is the annoyingly beneficial feature that prompts you for a single-use code when you login. App-based is best, but text-based is better than nothing. Enable it everywhere you can. Demand it everywhere you can’t. Your password will be stolen or guessed; that’s a given. When that happens, MFA might be the thing that saves you.

Let your bad passwords enjoy their retirement. It’s time. Sure, ‘badger95’ has served you well since high school, but it’s time for you to thank it and send it on its way. Any password you use for more than one service needs to go. Ditto for any password shorter than eight characters. Use a unique password for every site. And use long passwords. If you need to remember it, use a phrase instead of a word. Better yet, use a password manager and let it invent and remember strong passwords for you.

Google yourself and censor your social media. PR is not just for celebrities. Do a search to see what others find when they look you up. Click into the privacy section of your accounts on Facebook, Twitter, Instagram, Snapchat, and other apps. Turn off anything that feels creepy. Want to achieve real enlightenment? Try the “download my data” feature to see just what tech companies know about you. Oh, and keep calm.

E-liminate your e-waste. Everything eventually falls apart. Or it grows obsolete. If you’re stepping over piles of iMacs and Blackberrys, you know the pain. Stop procrastinating. Is there a school or shelter nearby that could benefit from a donation? Look into trade-in programs your vendors offer when you upgrade. Find a local electronics recycler. The dumpster should be your last resort. And don’t forget to wipe and, if needed, physically obliterate your storage devices like hard drives. A good recycler will even handle that for you and give you a certificate of destruction. Remember, NIST SP 800-88 R1 is your friend. Don’t know where to go to get rid of your old electronics? Here you can locate a recycling facility in your area.

Purge but verify. As we lay waste to our waste, a reasonable person could be forgiven for lying awake at night, wondering whether they’ve trashed something they’ll actually need. You’re right to worry. The antidote is backups. But backups are useless. Or at least they’re useless if they aren’t tested. Backing up is easy. Ensuring restores will work and include everything you need is tough. Backups are likewise worthless if you can’t get to them in an emergency or if they’re not isolated and ransomware encrypts them. Do backups, test restores, and practice your recovery procedures so that your first attempt will happen during calm, daylight hours and not at 2 a.m. in the midst of a real-world disaster.

Finally, be ruthless. Getting your analog and digital lives in order does more than improve your state of mind. It pushes back against the creeping fallout from our hectic daily routines. It eliminates dangers we might otherwise miss, dangers that can lead to compromise. Breaches are seldom the result of a single vulnerability. They arise from cascading failures. They represent a fallen house of cards. Get your house in order. Refuse to abide a mess. Protect yourself and your organization so you can rest easy!

With the NBA and NHL Finals and, of course, March Madness fast approaching, spring is a busy time for sports fans and people that like to gamble. Betting on sporting events can bring excitement–the possibility of financial reward and loss–and cybersecurity risks.

At first you might think to yourself, what does cybersecurity have to do with online sports betting? Due to the recent popularity of online betting, especially during the pandemic, online gambling sites have become a hot target for bad actors. This is because these sites collect and manage large amounts of financial and personal information. This means online gambling companies need to have many layers of defenses to protect themselves. Even with all these layers of defense, cyber threats are an ever-present risk to the industry and the millions of people accessing these sites every year.

According to a recent article from The Wall Street Journal, gambling during the Super Bowl this year reached record highs. It stands to reason that this increase in online betting will continue during the upcoming playoff season. Online betting is dependent on allowing users to easily access their sites, set up profiles, place bets, and more. However, ease of use and access should not supersede the need to protect users and their data.

With any seasonal, popular, or hot topic in the news, sporting events have become a prime target for spammers and bad actors. It might be sharing insider information on injuries, the latest upset, or a new deal, bad actors will leverage any headline that might be considered popular to get users to click on a link or open a document. Untrustworthy sites will even mimic popular sporting and betting sites to get people to click on a link and share their personal and financial information.

So, what can you do to protect yourself? Here are some helpful tips:

• Only use trustworthy online gambling sites that have good cybersecurity and privacy practices, such as enforcing strong passwords, multi-factor authentication, and more
• Only go to known and trustworthy news sites
• Use strong and unique passwords
• Review the privacy terms of online gambling sites before using them
• Watch out for phishing emails and spam
• If you’re using an app, make sure you have installed the latest software updates
• Keep your devices and firewalls up to date with antivirus and advanced threat protections
• Set up monitoring and alerts on your banking accounts
• Educate yourself, your organization, family, and loved ones on the cyber risks
• Set up internet filters to block traffic to online gambling sites
• Sporting events are exciting, and many feel that betting on the events heightens the experience. But don’t let your thrill of the game or the win cause you to lose—to a cyber incident.

If you or someone you know is struggling with a gambling addiction, please reach out to the National Problem Gambling Helpline for help.

Tax season is upon us, a time of year when the scammers go into overdrive. Be extra careful while online, and avoid activities that could put your identity and finances at risk. It doesn’t matter whether you owe money to the IRS or are expecting a refund, as the scammers will target you regardless of your situation.  
Let’s explore some common tax scams, warning signs that you may be victim, and steps you can take to protect yourself, your identity, and your finances.

Common Tax Scams

Cyber criminals use the same tried-and-true methods for tax scams as they do with other targeted attacks.

• Phishing: This tactic involves using email or malicious websites to infect your device or trick you into disclosing your information. Phishing emails may appear to come from real financial institutions, e-commerce sites, charitable organizations, or even government agencies such as the IRS.
• Phone Calls: This tactic involves making phone calls or leaving voicemails of an urgent or threatening nature. In the case of tax scams, the calls may advise you of a refund you are owed or demand that you settle an outstanding payment for back taxes. Caller ID spoofing may be used, making it appear like the person calling is from the IRS.

Scammers using these tactics generally attempt to create a sense of urgency, or have a good story that would tend to compel you to disclose personal information such as such as your date of birth, social security number, driver’s license number, or even usernames and passwords to your accounts. Watch out for these common scams:

• Refund Calculation Scam: “The IRS recalculated your refund. Congratulations, we found an error in the original calculation of your tax return and owe you additional money. Please verify your account information so we can make a deposit.”
• Stimulus Payment Scam: “Our records show that you have not claimed your COVID-19 stimulus payment. Please provide us with your information so we can send it to you.”
• Verification Scam: “We need to verify your W-2 and other personal information.  Please take pictures of your driver’s license, documents, and forms and send them to us.”
• Gift Card Scam: “You owe us back taxes and may be charged with a federal crime. You must pay a penalty to avoid being prosecuted. Purchase these gift cards and send them to us and we will wipe your record clean.”
• Fake Charity Scam: Scammers pose as a legitimate charity, often with a similar name as a real charity, to trick you into donating money to their own cause–filling their pockets.
• Fake Tax Preparers: Watch out for tax preparers that refuse to sign the returns they prepare. If they gain access to your information, they may file fraudulent tax returns redirecting your refund or attempt to access your bank accounts.

Warning Signs

Hopefully you have avoided the common tax scams, but the cyber criminals may have other methods of obtaining your information, such as data breaches of companies you do business with. Watch out for these warning signs that you may already be a victim.

• You attempt to file a tax return, either online or by mail, but are informed by the IRS or your state that they have already received one.
• You are informed by the IRS that an account has been registered in your name at IRS.gov even though you have never created one.
• You receive a transcript from the IRS that you did not request

How to Protect Yourself

• Identity Theft Resources
  • If you believe you have become a victim of Identity Theft, visit IdentityTheft.gov to report it and create a recovery plan.
  • For specific information and resources for tax-related identity theft, visit the Identity Theft Central web page on the IRS web site.
• E-mail and Internet Security Best Practices
  • Never use public Wi-Fi to file your taxes or conduct other business such as online banking. Only connect to networks that you trust.
  • Remember that IRS.gov is the only genuine website for the Internal Revenue Service. All Internet and email communications between you and the IRS would be through this site.
  • Never send sensitive information via email. If you receive an email from an unknown source or one that seems suspicious, do not reply.
  • Report tax-related phishing emails to Phishing@IRS.gov. Visit Tax Scams - How to Report Them on the IRS web site for additional information.
• IRS Representatives – Know How They Operate
  • The first point of contact by the IRS is typically via postal mail. The IRS will not contact you via email, text messaging, or your social network, nor does it advertise on websites.
  • IRS representatives always carry two forms of official credentials, and you can confirm their identity by calling a dedicated IRS telephone number for verification.
  • The IRS does not accept payments by gift cards.
  • Review How to know it’s really the IRS calling or knocking on your door on the IRS web site for additional information.
• Donating to Charities
  • Only donate to charitable organizations that you trust. Beware of charities that require you to give or send cash.
  • Verify charitable organizations using the Tax-Exempt Organization Search web page on the IRS web site.
• Using Tax Preparers
  • Beware of tax preparers that only accept cash payments or offer to claim fake deductions to inflate your tax refund.
  • Only use a preparer that can provide you with their Tax Preparer Identification. You can verify your tax preparer through the Directory of Federal Tax Return Preparers with Credentials and Select Qualifications on the IRS web site.
  • Visit Topic No. 254 How to Choose a Tax Return Preparer for best practices on selecting your tax preparer.
• Secure Your Identity
  • Get An Identity Protection PIN (IP PIN) from the IRS to prevent someone else from filing a tax return in your name.
  • Check with your state to see if they offer a similar program to file your state taxes.