Tips for Spotting a Fraudulent Email
Personal Information Request
Provident will never ask you to respond to an email with any personal information. This includes your Social Security number (SSN) and your ATM or 24 Hour Access Plus Direct Talk Personal Identification Number (PIN).
Threat of closing an account if information is not provided
This type of email informs you that your account will be closed if you fail to "authenticate" or verify your personal information. Provident will never ask you to confirm information in this manner.
Security or system emails.
This type of email indicates that the bank needs you to confirm important information. The email will ask you to update your information online. Provident will never ask you to confirm information in this manner.
An offer that sounds "too good to be true."
This email may ask that you complete a short survey in order to receive money credited to your account. It will ask for your account(s) and bank routing number(s) in order to complete the deposit to your account. Provident will never ask for your information in this manner.
Misspellings and/or grammatical errors.
Emails containing these issues are often an indicator of attempted fraud. Watch for typos, grammatical errors, awkward wording, and poor design.
Unusual URLs.
Many email programs and web browsers show a link's real destination when you hover over it with your cursor (on a phone, press and hold the link). Please do not click the link. The part of the address that matters is the registered domain, the last two parts of the host name before the first slash: a link to provident.suspicious.com goes to suspicious.com, a site that is not part of the Provident web site, even though "Provident" appears in the address. The same is true of addresses such as provident.com.suspicious.com. The visible text of a link can say anything, so judge a link by where it actually goes, not by what it says.
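The hover check above can also be done by a program. The following Python is an added example, not part of this page or of Provident's software: the bank's real domain is not stated on the page, so an assumed placeholder (example-bank.com) stands in for it, and every link in the example is constructed. It extracts the registered domain of a link's destination, handles the user@host trick and raw IP addresses, and compares the destination with the text the link displays.

```python
import re
from urllib.parse import urlsplit

# Assumption: the bank's real registered domain. The page does not state it,
# so a placeholder is used here; substitute the real one.
TRUSTED_DOMAIN = "example-bank.com"

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registered_domain(url: str):
    """Registrable domain of a link's destination host, or None if there is none.

    urlsplit().hostname drops any user@ prefix, the port and IPv6 brackets, so
    'https://example-bank.com@evil.example/' yields evil.example.
    Simplification: the registrable domain is taken to be the last two labels,
    which is right for .com/.net/.org but not for suffixes such as co.uk; a
    production check should consult the Public Suffix List.
    """
    url = url.strip()
    parts = urlsplit(url)
    if not parts.scheme:                       # bare 'provident.suspicious.com/login'
        parts = urlsplit("http://" + url)
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".")
    if IPV4.fullmatch(host) or ":" in host:    # raw IP literal: no domain at all
        return None
    labels = host.split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def link_verdict(href: str, visible_text: str = "", trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'ok' or the reason the link should not be clicked."""
    dom = registered_domain(href)
    if dom is None:
        return "suspicious: destination is an IP address or has no registered domain"
    # The visible text of a link is free text; when it looks like an address
    # (no whitespace) it must agree with the real destination.
    shown = None
    if visible_text.strip() and not re.search(r"\s", visible_text.strip()):
        shown = registered_domain(visible_text)
    if shown is not None and shown != dom:
        return f"suspicious: link text shows {shown} but destination is {dom}"
    if dom != trusted:
        return f"suspicious: destination is {dom}, not {trusted}"
    if urlsplit(href.strip()).scheme.lower() != "https":
        return "suspicious: destination is not https"
    return "ok"


# Constructed sample links of the kind a fraudulent email carries.
SAMPLE_LINKS = [
    ("https://www.example-bank.com/online-banking", "www.example-bank.com"),
    ("http://provident.suspicious.com/login", "https://www.example-bank.com/secure"),
    ("https://www.example-bank.com.suspicious.com/", "Click here to verify"),
    ("https://example-bank.com@evil.example/", ""),
    ("http://192.0.2.10/verify", ""),
]

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        print(f"{href:55} -> {link_verdict(href, text)}")
```

Only the first sample link comes back as ok; the others are caught by the display-text mismatch, the wrong registered domain, the user@host trick and the bare IP address respectively.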
Please, do not reply to any of these types of emails!
Tips for Secure Passwords
It is critical to use a strong password for all of your financial accounts. Never use passwords like your child's name, your pet's name, your Social Security number, your account number or PIN, or anything else that someone intent on fraud could easily discover. The strongest passwords are long and combine letters, numbers, and special characters; length does more for you than any single special character. Do not use an address, phone number, or birthdate, or, worst of all, simple passwords such as 1111 or 1234. For additional security, change your password on a regular basis and never use the same password for more than one account, so that a password stolen from one site cannot be used to open your bank account.
If you feel you have given out any personal information in regard to your Provident account(s) (such as your account number, password, or PIN), or typed it into a website that may not be legitimate, please contact us immediately. We will take the necessary steps to help you secure your account.
Common Sense Tips
Don't give out financial information such as account numbers, credit card numbers, your ATM PIN, and especially your Social Security number over the phone unless you initiated the call and know the person or organization you are doing business with. Do not give this information to a stranger even if they claim to be representing Provident.
Report lost or stolen checks, credit cards, or ATM cards immediately.
Don't preprint your driver's license, telephone, or Social Security numbers on your checks.
Please notify Provident of any suspicious telephone inquiries that might ask for account information.
Don't write your PIN on your ATM or credit cards, and don't keep it with them.
Remember that protecting your financial information starts with asking yourself one question: how can I protect myself?
Online Banking Account Protection That Works 24/7... Just Like You Do
Provident Bank's Online Banking Identity Verification feature
What is the security feature?
In order to make your online banking experience as secure as possible we have introduced a security feature that watches for uncharacteristic or unusual behavior involving your internet banking access. If anything out of the ordinary is detected, we will ask you to verify your identity.
How does it work?
In the rare case that we detect unusual or uncharacteristic activity, we will ask you to answer your security questions or, if you are unable to answer them, we will phone you to make sure that it is really you trying to sign on. Most of the time you will not notice that the security feature is even there, but it will still be protecting you 24 hours a day, 7 days a week.
Do I need to sign up for the security system?
The security system is automatically available to all of our customers. Expect to be prompted at some point while banking online to enter additional information. This may include choosing some security questions that only you know the answers to as well as supplying phone numbers where you can be reached while banking online. Once this occurs, you have added a layer of protection to your Online Banking access and best of all, it's free!
Frequently Asked Questions for our Identity Verification Feature
What is this security system?
As our customer, we know how you typically behave, for example when and from where you normally access internet banking. If we detect activity that does not look like your typical behavior, we will prompt you to further verify your identity. This lets us confirm that it is you, and not someone else, trying to access your information. It will only happen on rare occasions; normally you will not be asked for any additional information. For example, if someone tries to sign in with your user name and password from a computer in a foreign country shortly after you have logged off from your normal computer at home, we may decide to verify that it is really you trying to access your account.
How do I sign up for the security system?
There is no need to sign up. The security is there right from the start! Expect to be prompted at some point while banking online to enter additional information. This may include choosing several security questions that only you know the answers to, as well as supplying phone numbers where you can be reached while banking online. Once this occurs you have added a layer of protection to your internet banking access!
How much will it cost?
There is absolutely no cost associated with the new security system.
When will I be asked for more information?
You will only be prompted to enter additional information when a particular activity or transaction appears to be unusual or uncharacteristic of your typical behavior. You will also be prompted to enter your information when you are first prompted to set up your security information.
What additional information will I be asked?
If any unusual or uncharacteristic behavior is detected, you will be asked to answer several of the security questions you chose. You may also be asked to answer an automated phone call.
What is unusual or uncharacteristic behavior?
Uncharacteristic or unusual behavior is anything that appears out-of-the-ordinary compared to how you normally would bank online and where you normally bank online. If the action being requested does not appear to be something you would normally do, we will ask you for more information to make sure it is really you and not an unauthorized user.
Will I be asked for more information all the time now?
No, you will only be asked for more information when unusual or uncharacteristic behavior is detected. This will most likely be a very rare occurrence.
How are you able to detect unusual or uncharacteristic behavior?
The security system takes into account factors such as the computers you typically use to access your account, or the typical security settings for your computer. Hundreds of factors, such as these, create a profile that is unique to you that allows us to make decisions about whether the person conducting a given activity appears to be really you.
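A simplified version of the decision the FAQ describes, written as an added Python example rather than Provident's actual engine (which, as the page says, weighs hundreds of factors). The weights, the step-up threshold, the device identifiers and the sample sign-in history are all assumptions made for the example. It shows the "foreign computer shortly after logging off at home" case from the FAQ producing a step-up, while a normal evening sign-in from the home computer passes without one.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Assumed tuning values for the example.
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=4)  # two countries within this gap is not plausible
STEP_UP_THRESHOLD = 2                          # a score at or above this asks for more information


@dataclass
class LoginAttempt:
    user: str
    at: datetime        # timezone-aware
    device_id: str      # stable identifier from a cookie or browser fingerprint (assumed)
    country: str        # derived from the client IP address (assumed)


@dataclass
class Profile:
    """What the bank has learned about one customer's normal behaviour."""
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    usual_hours: Set[int] = field(default_factory=set)
    last_verified: Optional[LoginAttempt] = None


def risk_signals(profile: Profile, attempt: LoginAttempt) -> List[Tuple[str, int]]:
    """Name each way the attempt departs from the profile, with a weight."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append(("new_device", 2))
    if attempt.country not in profile.known_countries:
        signals.append(("new_country", 2))
    last = profile.last_verified
    if (last is not None and last.country != attempt.country
            and attempt.at - last.at < IMPOSSIBLE_TRAVEL_WINDOW):
        signals.append(("impossible_travel", 3))
    if profile.usual_hours and attempt.at.hour not in profile.usual_hours:
        signals.append(("unusual_hour", 1))
    return signals


def decide(profile: Profile, attempt: LoginAttempt) -> Tuple[str, List[str]]:
    """'allow', or 'step_up' (ask the security questions / place the call), plus the reasons."""
    signals = risk_signals(profile, attempt)
    score = sum(weight for _, weight in signals)
    verdict = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return verdict, [name for name, _ in signals]


def record_verified(profile: Profile, attempt: LoginAttempt) -> None:
    """Update the profile only after the password and any step-up succeeded,
    so a rejected attempt never teaches the profile an attacker's device."""
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    profile.usual_hours.add(attempt.at.hour)
    profile.last_verified = attempt


def make_attempt(day: int, hour: int, minute: int, device_id: str, country: str) -> LoginAttempt:
    """Helper for the constructed March 2024 sample data."""
    return LoginAttempt("alice", datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc),
                        device_id, country)


def build_sample_profile() -> Profile:
    """Constructed history: three evening sign-ins from the home computer."""
    profile = Profile()
    for day, hour, minute in ((1, 20, 5), (2, 21, 10), (3, 21, 0)):
        record_verified(profile, make_attempt(day, hour, minute, "dev-home", "US"))
    return profile


if __name__ == "__main__":
    profile = build_sample_profile()
    # Twenty minutes after the customer logged off at home, the same user name
    # and password arrive from an unknown computer in another country.
    print(decide(profile, make_attempt(3, 21, 20, "dev-unknown", "RO")))
    # The next evening, the usual computer from the usual place.
    print(decide(profile, make_attempt(4, 21, 5, "dev-home", "US")))
```

The profile is only updated by record_verified after a sign-in has fully succeeded; otherwise an attacker who fails the step-up would still have "taught" the system their computer.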
How do I know it is working?
You only need to complete the set-up process once; afterwards the new security system will work automatically. That means you are being protected every moment; when you are online and more importantly when you are not.
How will my phone numbers be used?
If any unusual or uncharacteristic behavior is detected, you may be asked to answer an automated phone call. Once you answer the phone call, you will be prompted to enter the code that will appear on your computer screen at that time in order to verify your identity. Your phone numbers will not be sold to a third party, nor will they be used to contact you about marketing offers and promotions.
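The call-and-code exchange described above, as an added Python example that is not Provident's code: the code length, its lifetime and the attempt limit are assumed values, and the session and phone number in it are constructed. The server generates the code, shows it only on the screen of the session being verified, dials the number already on file, and accepts the code from the phone keypad once, within its lifetime, using a constant-time comparison.

```python
import hmac
import secrets

# Assumed parameters; the page states none.
CODE_DIGITS = 4
CODE_LIFETIME_SECONDS = 120
MAX_ATTEMPTS = 3


class PhoneCallChallenge:
    """One automated-call challenge, bound to one browser session and to a phone
    number taken from the customer's profile (never from the sign-in request).

    The server shows the code on the web page and dials the registered number;
    whoever answers must key that code into the phone. Completing it therefore
    requires both seeing the screen and holding the phone.
    """

    def __init__(self, session_id: str, phone_on_file: str, now: float):
        self.session_id = session_id
        self.phone_on_file = phone_on_file
        # Unpredictable code from the OS random source, zero-padded to CODE_DIGITS.
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.expires_at = now + CODE_LIFETIME_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.completed = False

    def screen_message(self) -> str:
        """What the browser shows; the code is displayed, never read out by a caller."""
        return (f"We are calling the number ending in {self.phone_on_file[-4:]}. "
                f"When you answer, enter {self.code} on your phone's keypad.")

    def verify_keypad_entry(self, entered: str, now: float) -> bool:
        """Called by the telephony side with the digits keyed into the phone."""
        if self.completed or now > self.expires_at or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        # Constant-time comparison; inputs of different length simply compare unequal.
        if hmac.compare_digest(entered.encode(), self.code.encode()):
            self.completed = True   # single use: the same code cannot unlock a second session
            return True
        return False


def run_demo() -> bool:
    """Constructed walk-through of the happy path and two failure modes."""
    t0 = 1_700_000_000.0
    challenge = PhoneCallChallenge("session-42", "5550001234", t0)
    print(challenge.screen_message())
    ok = challenge.verify_keypad_entry(challenge.code, t0 + 30)        # right code, in time
    replay = challenge.verify_keypad_entry(challenge.code, t0 + 40)    # same code again: rejected
    late = PhoneCallChallenge("session-43", "5550001234", t0)
    expired = late.verify_keypad_entry(late.code, t0 + CODE_LIFETIME_SECONDS + 1)
    return ok and not replay and not expired


if __name__ == "__main__":
    print("demo behaved as expected:", run_demo())
```

The protection comes from where the code is shown (the screen of the session being verified) and where it must be entered (a phone the bank already has on file). A caller who asks you to read a code back to them, or a web page that asks you to type a code you were given over the phone, is not this procedure and should be treated as a scam.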
How many phone numbers should I provide?
You must provide at least one phone number but are encouraged to provide up to three. In case we need to verify your identity, you may receive an automated phone call at one of the numbers you have provided. It is important to provide numbers where you can be reached when you are banking online. For instance, if you bank online at work you should provide your work or cell phone number so you can be reached there. This will ensure you can continue your online banking session without any inconvenience.
What if I need to change my phone number?
If you need to change your phone number, please contact customer service at (800) 442-5201 Monday through Friday 8AM to 6PM and on Saturday 9AM to 2PM. You may also be occasionally asked to verify that your information is up to date during your Online Banking session.
What if I cannot be contacted at any of the phone numbers listed?
If you cannot be contacted at any of the phone numbers listed, please contact customer service at (800) 442-5201 Monday through Friday 8AM to 6PM and on Saturday 9AM to 2PM.
Is my personal information still safe?
Yes. In fact, your personal information is safer than ever before because we are making sure it is really you and not an unauthorized user trying to access your information.
I have already set up my contact numbers, why am I being asked for them again?
Occasionally we may prompt you to make sure that the information we have on file is up to date.
How will this help prevent online fraud?
If your user name and password are stolen, the fraudster would have to be able to answer your security questions correctly or answer a call at one of the numbers you provided before being able to access your information. If the user is not able to provide this information or be reached on the phone, the activity would be blocked. This added layer of security helps us protect your information.
I check my account very often, wouldn't I know if something unusual showed up on my account?
It is great that you check your account! It is always a good idea to regularly monitor your account for any unusual activity (like payments you didn't make). This security service helps prevent those incidents from ever occurring, so that when you check your account everything is exactly how it should be.
I share my computer with someone who has their own account. Can both of us still log in from this machine?
Yes, you can both use the same computer to log on to your individual accounts. There is no limit on how many people can log on the website from the same computer.
I already have anti-virus and a personal firewall. Why do I need this?
We are glad to hear you use anti-virus and a personal firewall. Be sure that you keep both software programs up to date for the best possible protection against viruses, Trojans, and hackers. This new security feature protects against other types of threats such as a stolen user name and password. It works with your other personal security programs, but it does not replace them.
Is Your Computer Secure?
If the computer you are currently using is not protected, identity thieves and other fraudsters may be able to get access and steal your personal information.
If you are using safety measures and good practices to protect your home computer, you can protect your privacy and your family. Here are some tips Provident would like to suggest to help you lower your risk while you're online.
Suggestions from Provident Bank
Install and use a firewall
Definition: A firewall is a software program or piece of hardware that blocks hackers from entering and using your computer. Hackers search the Internet in a similar manner as telemarketers automatically dial random phone numbers. They send out a ping (call) to thousands of computers and wait for a response. Firewalls prevent your computer from responding to these unsolicited calls. A firewall blocks communications to and from sources you don't permit. This is especially important if you have a high-speed Internet connection, like DSL or cable. Some computer operating systems have built-in firewalls that may be shipped in the "off" mode. Ensure that your firewall is on. To always be effective, your firewall must be set up correctly and updated regularly. You can check your online "Help" feature for specific instructions.
Install and use anti-virus software
Anti-virus software helps to protect your computer from viruses that can destroy your data, slow down or crash your computer, or allow spammers to send email from your account. Anti-virus protection scans your computer and your incoming email for viruses, and then removes them. Anti-virus software must be updated regularly to cope with the latest viruses and other malware circulating on the Internet. Most anti-virus software includes a feature to download updates automatically while you are online. Always make sure that the software is continually running and checking your system, especially if you download files from the Web or are checking your email. Set your anti-virus software to check for viruses when you first turn on your computer, and set it to scan your complete system at least twice a month.
Install and use anti-spyware software
Spyware is software installed without your consent or knowledge that has the ability to monitor your online activities and collect your personal information while you are surfing the Web. Certain types of spyware, called keyloggers, record everything you type in - including your passwords, credit card numbers, and financial information. Signs that your computer may be infected with spyware include a sudden influx of pop-up ads, being taken to websites you don't want to go to, and slower performance.
Spyware protection is included in some anti-virus software products. Review your anti-virus software documentation for information on how to activate the spyware protection options. You can also purchase separate anti-spyware software programs. Keep your anti-spyware software up to date and run it regularly.
To avoid spyware in the first place, download software only from sites you know and trust. Piggybacking spyware is often an unseen cost of many "free" programs. Do not click on links in pop-up windows or in spam email.
Update and maintain your system and browser to protect your privacy
Attackers continually search for flaws in operating systems and browsers. To protect your computer and the information on it, set the security settings in your system and browser to medium or higher; look in the Tools or Options menus for how to do this. Install updates to your system and browser promptly, and turn on automatic updating wherever it is available. Windows Update is a service offered by Microsoft that automatically downloads and installs updates, including security updates, for the Microsoft Windows operating system, Internet Explorer, and Outlook Express. Automatic patching is also available for other systems, including the Macintosh operating system.
Secure your home wireless network
If you have a wireless network in your home, take precautions to secure it against intrusion. Encrypt your wireless communications: choose a router that supports WPA2 or WPA3 and turn that on. WEP is broken and the original WPA is deprecated; neither should be used. Your computer, router, and other equipment must use the same encryption type, and the network passphrase should be long and not guessable. Turning off the router's identifier (SSID) broadcast keeps your network out of casual scans, but anyone with wireless tools can still find it, so it is no substitute for encryption; if you do turn it off, note the SSID so you can connect your computers to the network manually. Attackers know the factory passwords of this kind of equipment, so change the default identifier on your router and the default administrative password. You may also want to turn off your wireless network when you are not using it.
Remember that public "hot spots" found in many stores, restaurants and hotels may not be secure. It's safest to avoid accessing or sending sensitive personal or financial information over a public wireless network.
Is your company taking the steps necessary to safeguard information?
Most companies keep sensitive information in their files, whether it's names, Social Security numbers (SSN), credit cards, or other account data that identifies customers or employees. Businesses often need this information to fill orders, meet payroll, or perform other business functions. But if the information falls into the wrong hands, it can lead to fraud or identity theft. The cost of a security breach can be measured in the loss of your customers' trust and perhaps even a lawsuit, which makes safeguarding personal information just plain good business.
A sound data security plan is built on five key principles:
Take stock. Know what personal information you have in your files and on your computers.
Inventory all file storage and electronic equipment. Where does your company store sensitive data?
Talk with your employees and outside service providers to determine who sends personal information to your business, and how it is sent.
Consider all the ways you collect personal information from customers, and what kind of information you collect.
Review where you keep the information you collect, and who has access to it.
Scale down. Keep only what you need for your business.
Use Social Security numbers only for required and lawful purposes. Don't use SSNs as employee identifiers or customer locators.
Keep customer credit card information only if you have a business need for it. Change the default settings on your software that reads customers' credit cards.
Don't keep information you don't need. Review the forms you use to gather data, like credit applications and fill-in-the-blank web screens for potential customers, and revise them to eliminate requests for information you don't need.
Truncate the account information on electronically printed credit and debit card receipts you give your customers. You may include no more than the last five digits of the credit card number, and you must delete the card's expiration date.
Develop a written records retention policy, especially if you must keep information for business reasons or to comply with the law.
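One way to apply the receipt truncation rule above to printed or emailed receipts, as an added Python example that is not Provident's code: it finds digit runs that pass the Luhn mod-10 check all card numbers satisfy, masks every digit but the last four (the page's legal ceiling is five; keeping four is the common practice and matches the PCI DSS limit), and blanks expiry dates. The receipt text is constructed, and 4111 1111 1111 1111 is a publicly known test card number, not a real account.

```python
import re

# A card number (PAN) is 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Expiry dates as receipts print them: "Exp: 12/26", "Expires 12/2026".
EXPIRY = re.compile(r"(\bexp(?:iry|ires)?\.?\s*:?\s*)(\d{2}/\d{2,4})", re.IGNORECASE)
KEEP_LAST = 4   # assumed policy: last four digits only (page allows up to five)


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real card number passes; filters out order and reference numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(digits: str, keep: int = KEEP_LAST) -> str:
    """Replace all but the last `keep` digits with asterisks."""
    return "*" * (len(digits) - keep) + digits[-keep:]


def redact_receipt(text: str) -> str:
    """Return the receipt with card numbers truncated and expiry dates removed."""
    def mask(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        # A digit run that fails Luhn is not a card number; leave it alone.
        return truncate_pan(digits) if luhn_ok(digits) else raw
    text = PAN_CANDIDATE.sub(mask, text)
    return EXPIRY.sub(lambda m: m.group(1) + "**/**", text)


# Constructed receipt text. The reference number is sixteen digits but fails Luhn.
SAMPLE_RECEIPT = """THANK YOU FOR SHOPPING
Card: 4111 1111 1111 1111  Exp: 12/26
Ref 1234 5678 9012 3456
Total: $42.17"""

if __name__ == "__main__":
    print(redact_receipt(SAMPLE_RECEIPT))
```

The Luhn filter is what keeps the redactor from mangling every long number on the receipt; a run of digits that fails the check is almost never a card number, while every run that passes and has a plausible length should be treated as one.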
Lock it. Protect the information that you keep.
Put documents and other materials containing personally identifiable information in a locked room or file cabinet.
Remind employees to put files away, log off their computers, and lock their file cabinets and office doors at the end of the day.
Implement appropriate access controls for your building.
Encrypt sensitive information if you must send it over public networks.
Regularly run up-to-date anti-virus and anti-spyware programs on individual computers.
Require employees to use strong passwords.
Caution employees against transmitting personal information via email.
Create a laptop security policy, for within your office and when your employees are traveling.
Use a firewall to protect your computers and your network.
Set "access controls" to allow only trusted employees with a legitimate business need to access the network.
Monitor incoming Internet traffic for signs of security breaches.
Check references and do background checks before hiring employees who will have access to sensitive data.
Create a procedure to make sure that workers who leave your organization or transfer to another part of the company no longer have access to sensitive information.
Educate employees about how to avoid phishing and phone pretexting scams.
Visit OnGuardOnline.gov for computer security tips, tutorials, and quizzes.
Pitch it. Properly dispose of what you no longer need.
Create and implement information disposal practices.
Dispose of paper records by shredding, burning, or pulverizing them.
Defeat dumpster divers by encouraging your staff to separate the stuff that's safe to trash from sensitive data that needs to be discarded with care.
Make shredders available throughout the workplace, including next to the photocopier.
Use wipe utility programs when disposing of old computers and portable storage devices.
Give business travelers and employees who work from home a list of procedures for disposing of sensitive documents, old computers, and portable devices.
Plan ahead. Create a plan for responding to security incidents.
Designate a response team led by a senior staff person.
Draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others - a lost laptop or a hack attack, to name just two - are unfortunate, but foreseeable.
Investigate security incidents immediately.
Create a list of who to notify - inside or outside your organization - in the event of a security breach.
Immediately isolate a compromised computer from your network and the Internet (unplug its network cable or turn off its wireless connection). Do not wipe or reinstall it until the incident has been investigated: what is on that computer is the evidence of how the breach happened and what was taken.
Identity Theft
Identity theft happens when a person uses your name, Social Security number (SSN), or some other personal, financial, or medical information without your permission to commit fraud and/or other crimes. Online threats like phishing, malware, or hacking may also lead to identity theft.
If your personal information is lost, stolen, or compromised, you can reduce the potential damage from identity theft.
View Our Identity Theft Flyer
Protect Your Identity
Do not give out personal or account information over the phone, by mail, emails or through the Internet unless you initiated the contact or you are sure you know who you are dealing with.
Never respond to unsolicited requests for your SSN, or requests to verify your financial information.
Secure your personal information in your home, especially if you have roommates, employ outside help or are having service work done in your home.
Guard your mail and trash from theft. Before discarding, shred all documents containing personal information. (Receipts, statements, etc.)
Check all credit card and bank statements monthly for accuracy.
Never open an email or click on the link provided in an email if you think it is fraudulent or is a request for personal information. Internet pages and email links may look like the official site. Call the institution or type in the site address you are familiar with instead of using the link provided in the email.
Obtain a copy of your credit report yearly and check it for accuracy. You can obtain a free copy of your credit report annually from the three major credit bureaus.
Report suspicious emails or calls to the Federal Trade Commission at (877) IDTHEFT (438-4338).
If you Become a Victim
Put a Fraud Alert on Your Credit Reports
Contact one of the three nationwide credit reporting companies, so they can put a fraud alert on your credit report:
Equifax: (800) 525-6285 / Experian: (888) 397-3742 / TransUnion: (800) 680-7289
The one company you call is required to contact the others to place fraud alerts on your file.
A fraud alert may make it more difficult for an identity thief to open any accounts in your name. The alert is maintained on your credit report for at least 90 days. After you create an Identity Theft Report, you may request an extended alert on your file.
Review Your Credit Reports
After you place a fraud alert on your credit reports, you are entitled to one free copy of your credit report from each of the three credit reporting companies. Read and review the reports; verify that your name, address, SSN, accounts, and other information are correct.
If the report reflects accounts that you did not open or debts that are not yours, contact the credit reporting companies to report the fraud and have them corrected. You should also contact the security or fraud department of each company where an account was misused or opened without your consent. Ask the company to send you proof that the problem accounts have been corrected or closed.
Create an Identity Theft Report
An Identity Theft Report will help resolve issues with the credit reporting companies, debt collectors, and businesses that allowed the identity thief to open new accounts in your name. The Report can help you:
- Have fraudulent information permanently removed from your credit report
- Prevent a company from collecting debts that result from identity theft or selling the debts to other companies for collection
- Get an extended fraud alert placed on your credit report
Three steps are required to create an Identity Theft Report:
- File an identity theft complaint with the FTC, online at http://ftc.gov/idtheft or by phone at (877) 438-4338.
- When you file your complaint with the FTC, obtain a copy of the FTC affidavit that shows the details of your complaint. The online complaint site describes how you can print your completed affidavit. If your complaint is filed by phone, ask the counselor how to get a copy of your affidavit.
- Take your completed FTC identity theft affidavit to your local police, or to the police where the theft occurred, and file a police report. Obtain a copy of the police report or the report number.
Your FTC identity theft affidavit plus your police report create an Identity Theft Report. Send a copy of the Identity Theft Report to each company where you report fraud. Request that they remove or correct fraudulent information on your accounts.
To learn more about how to protect your personal information and respond to identity theft go to https://identitytheft.gov
Privacy
Provident Bank values your trust and respects your expectation of privacy. As such, we are committed to maintaining the confidentiality of your personal financial information. This document outlines our privacy policy for visitors to our web site.
In addition to the protections you enjoy through our Online Privacy Policy, your online activities may also be covered by our Online Privacy Policy for consumers. This policy explains our collection, use, retention, and security of consumer information and applies to customers who obtain financial products and services primarily for personal, family, or household purposes.
At Provident Bank, protecting the privacy and security of your personal information is important to us. We collect, retain, and use information about you in order to administer our business and to provide quality products and services that may be of benefit to you. We consider safeguarding your financial information a fundamental part of our business philosophy.
Information We Collect
When you visit our website, we may collect the following information in order to service your accounts:
Information we receive from you on applications or other forms (such as your name, address, Social Security number, assets and income)
Information about your online transactions with us, as well as information about our online communications with you. Examples include your online bill payments and your activity on the website, such as which product information you viewed.
Visitors to Our Website
Visitors to our website remain anonymous, unless they register for a service or otherwise elect to disclose their identity to us. Although we do not collect personally identifying information about persons who simply visit our site, we do collect certain limited information about visitors, such as their IP address (a numeric address assigned automatically to computers when they access the Internet).
We also may place "cookies" on a computer to track a visitor's use of our website. A cookie is a piece of data that is stored on your hard drive. It takes up very little room on your system and helps us to customize our site and make its navigation easier for you. We sometimes use cookies to help estimate the number of visitors to our site and to determine which areas are the most popular. Unless you register with us for a service (such as our Online Banking service), the cookie does not provide us with any personally identifying information about you, such as your name or address.
Web Browser Settings and Control of Personally Identifiable Information Collection
You may have the ability to activate web browser tracking settings or other mechanisms that give you the option to control the collection of personally identifiable information about your online activities over time and across third-party websites or online services. Our response to these settings and mechanisms will depend on the setting and mechanism and the impact on our collection and tracking practices. At this time, our website only tracks your activities while on our website and, unless you register with us for a service, we do not collect any personally identifiable information about you. The tracking is facilitated using 'cookies' that we place on your computer. If you choose not to accept cookies or remove locally stored cookies, we will not track your activity on our website; however, some features and services on our website may not be available to you. For more information regarding cookies, refer to 'Visitors to Our Website' in this policy.
Third Parties
When you use our website or online service, third parties acting on our behalf may collect the personally identifiable information and website activity identified above. This may include the personally identifiable information collected when you register with us for a service. Depending on the third party websites you visit, as well as any preferences and authorizations you have provided to others, your activity on our website and across other websites, including personally identifiable information you provide, may be tracked and collected by third parties. Also, third parties may offer services on our website from time to time. If you access their websites or provide them with information, these third parties may track your activity across websites and collect your personally identifiable information, all subject to the third party's privacy and security practices.
For further details, refer to 'Links to Other Web Sites' and 'Services and Advertisements by Third Parties' in this policy.
Disclosure Of Non-Public Personal Information
We do not disclose non-public personal information about our customers to non-affiliated third parties, except as permitted by law. You do not have to take any action or instruct us to keep your information confidential. We will protect your privacy automatically. If you end your relationship with the Bank, we will continue to adhere to the information policies and practices described in this policy.
There are instances when information about you may be provided to others. For example, we are permitted by law to share information:
- Within the Bank in order to service your accounts or to market other products or services we may offer.
- With non-financial companies that perform services on our behalf, such as check printers, data processing companies, companies that prepare or mail account statements, or companies that perform marketing services on our behalf.
- With credit bureaus about loans we make, whether or not they are handled properly, and about deposit accounts that are not handled properly.
- In order to comply with a number of laws and regulations we are required to furnish various reports to federal, state, and/or local government officials regarding certain transactions or accounts.
- To comply with subpoenas and other legal processes that require us to provide information about your accounts or other business with the Bank.
- If we suspect that a crime involving you or your loan or deposit account may have been committed.
- With our regulatory agencies and agents of the Bank or its affiliated companies, such as our independent auditors, consultants or attorneys, all of whom will be bound to protect the information as we do.
- With others that you, or any other person with signing authority over your account, have given us oral or written permission to do so.
Maintaining Accurate Information
We have procedures in place that help us to maintain the accuracy of the personally identifiable information that we collect. Please contact us at the number or address set forth below if you believe that our information about you is incomplete, out-of-date, or incorrect. If you are an online banking customer, sign-on to Online Banking to review and correct information about yourself, such as a change in your address or email address.
Links to Other Web Sites
Our web site may feature links to third party web sites that offer goods, services or information. Some of these sites may appear as windows-within-windows at this site. When you click on one of these links, you will be leaving our site and will no longer be subject to this policy. We are not responsible for the information collection practices of the other web sites that you visit and urge you to review their privacy policies before you provide them with any personally identifiable information. Third party sites may collect and use information about you in a way that is different from this policy.
Services and Advertisements by Third Parties
Third parties may offer services from time to time at our web site. If you provide them with information, their use of that information will be subject to their privacy policy, if any, and will not be subject to this policy. If you accept third party goods or services advertised at our web site, the third party may be able to identify that you have a relationship with us (e.g., if the offer was only made through our site).
Minors
We feel strongly about protecting the privacy of children and teenagers. As such, we do not knowingly collect personally identifiable information from such individuals through our web site.
Changes to This Policy
We may add to, delete from, or otherwise change the terms of this Online Privacy Policy from time to time by posting a notice of the change (or an amended Online Privacy Policy) at this website. If required by law, we will send you a notice of the change. Your continued use of our web site or any on-line service following notification will constitute your agreement to the revised Policy.
Questions
If you have any questions or concerns about the integrity of your account information, or any other aspect of our business operations, please do not hesitate to telephone or come in to talk to our staff. You may also write to:
Provident Bank
Attention: Compliance Officer
3756 Central Ave.
Riverside, CA 92506
(800) 442-5201
We value your business and hope you will continue banking with us for many years to come.
At Provident Bank, protecting the privacy and security of your personal information is important to us. To proactively combat cyber threats and decrease the likelihood of you, our customers, being compromised, we have implemented this CyberSecurity Tips Monthly Newsletter. It should help you become security-conscious both at home and at work by providing helpful tips to consider in your everyday activities. A list of our current and previous issues of the newsletter is provided below.
Disclaimer for links provided in this newsletter: If you click on a link within the following newsletters, you will be linking to another website not owned or operated by Provident Bank. Provident Bank is not responsible for the availability or content of this website and does not represent either the linked website or you should you enter into a transaction. We encourage you to review their privacy and security policies which may differ from Provident Bank.
Cyber Security Tips Monthly Newsletters
2021-02 Top 4 COVID-19 Scams to Watch Out For
Feb 2021
Top 4 COVID-19 Scams to Watch Out For
Monthly Security - Tips Newsletter
The ability to leverage current events is a dream scenario for modern-day cybercriminals. These criminals use events, such as the COVID-19 pandemic, to fuel their malicious intent.
With the global pandemic comes the desire to stay updated with the most current information. However, it can be difficult for internet users to navigate this information and separate fact from fiction. It is also difficult to ensure that links and resources are reliable. The reality is that malicious activity comes through just about every communication channel: email, social media, text and phone messages, and of course, misleading and malicious websites.
Here are some common examples of what you need to be on the lookout for in the months to come:
1. Malicious Websites
Throughout the COVID-19 pandemic, cyber threat actors have consistently capitalized on global interest in the latest information on the virus. They take advantage of internet users by registering website domains related to COVID-19. Fake websites and applications typically claim to share news, testing results, or other resources; in reality they exist only to harvest your credentials or bank account information, or to infect your devices with malware.
With many organizations and employees continuing to work from home, users may let their guard down and be more susceptible to emails from unverified senders. NEVER give out your personal information, including banking information, Social Security Number, or other personally identifiable information (PII) over the phone or email.
2. Phishing Emails
Expect phishing emails to be on the rise. Cyber threat actors will use COVID-19-themed phishing emails to convince the recipient either to reveal sensitive information (e.g., bank account details) or to open a malicious link or attachment, potentially giving the attacker access to your system.
COVID-19 vaccine-themed phishing emails may include subject lines such as the following:
- Vaccine registration
- Information about your vaccine coverage
- Locations you can receive the vaccine
- Ways you can reserve a vaccine
- Vaccine requirements
While some phishing emails might be easy for you to detect, never get complacent when reviewing your emails. Expect to receive well-composed phishing attempts that are impersonating well-known and trusted entities, such as government agencies, healthcare providers, or pharmaceutical companies. NEVER open any link or attachment from a source that you cannot clearly identify as being legitimate!
For instance, past email phishing campaigns impersonating the Centers for Disease Control and Prevention (CDC) have targeted state-level agencies. These emails asked recipients to click a link in order to view a "secured message" about COVID-19 vaccine information. Links such as these can easily direct the user to a webpage that attempts to collect PII, including name, address, date of birth, driver's license number, phone number, and email address.
Here are some notable indications an email, text, or phone call may be a phishing attempt:
- Inspiring a sense of urgency to click a link or provide information
- Is overly formal or written in an overly complicated manner
- Requests sensitive information or that you review a link or attachment
- Asks users to follow a non-standard process, or a process you might find odd!
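The indicators listed above can be checked mechanically before a message ever reaches a person. The following Python script is an added example, not part of the MS-ISAC newsletter: it parses a constructed sample message and flags urgency language, a sender or link host that uses a trusted brand name as a subdomain of an unrelated domain (a lookalike), and a link whose visible text shows one site while the target points elsewhere. The trusted-domain list, the urgency phrases, and the sample message are all assumptions made for the demonstration, and the registrable-domain helper is a deliberate simplification (it takes the last two labels rather than consulting the Public Suffix List).

```python
"""Flag common phishing indicators in a raw email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the recipient legitimately deals with.
TRUSTED_DOMAINS = {"cdc.gov"}
# Assumption: phrases that signal manufactured urgency.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be cancelled", "will be closed", "act now")

# Constructed sample message; not taken from any real campaign.
SAMPLE = """\
From: "CDC Vaccine Program" <alerts@cdc.gov.vaccine-registration.example>
To: staff@agency.example
Subject: URGENT: Confirm your vaccine registration within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your appointment will be cancelled unless you confirm immediately.</p>
<p>Review your registration here:
<a href="https://cdc.gov.vaccine-registration.example/login">https://www.cdc.gov/vaccines</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) for each <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Simplification: the last two DNS labels. Production code should use the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True when a trusted name appears inside a host whose registrable domain
    is not that trusted name, i.e. the brand is used as a decoy subdomain."""
    host = host.lower()
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registrable_domain(host) != trusted:
            return True
    return False


def analyse(raw: str) -> list:
    """Return a list of human-readable phishing indicators found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    _, sender = parseaddr(str(msg["From"] or ""))
    sender_host = sender.rpartition("@")[2]

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    collector = _LinkCollector()
    collector.feed(body)

    findings = []

    # 1. Manufactured urgency in subject or visible body text.
    visible = (subject + " " + "".join(collector.text)).lower()
    hits = [p for p in URGENCY_PHRASES if p in visible]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 2. Lookalike hosts in the sender address and in every link target.
    # 3. Link text that displays one site while the href points to another.
    lookalikes = set()
    if sender_host and is_lookalike(sender_host):
        lookalikes.add(sender_host)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if is_lookalike(href_host):
            lookalikes.add(href_host)
        if re.match(r"https?://", text):
            text_host = urlparse(text).hostname or ""
            if registrable_domain(text_host) != registrable_domain(href_host):
                findings.append(f"link mismatch: text shows {text_host} "
                                f"but points to {href_host}")
    for host in sorted(lookalikes):
        findings.append(f"lookalike domain: {host} "
                        f"(registrable domain {registrable_domain(host)})")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print("-", finding)
```

Run against the constructed message, the script reports all three indicators. A real mail gateway would add header checks (SPF, DKIM, DMARC results) and a proper public-suffix lookup, but the registrable-domain comparison is the same idea that makes a brand name appearing on the left of an unrelated domain suspicious.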
3. Fraudulent Charities
As long as the pandemic continues, threat actors will keep creating fraudulent charities that seek donations for illegitimate or non-existent organizations. Fake charity and donation websites try to take advantage of people's good will, especially during such hard times. Always do your research before donating or providing any information.
4. Unemployment Scams
As tax season quickly approaches, be wary of identity theft scams involving fraudulent claims, especially those surrounding unemployment benefits. Such scams have skyrocketed during the COVID-19 pandemic as unemployment claims in general have risen. Typical scams to watch for include (but are not limited to) messages telling recipients that they have won a contest or a cash prize, or are eligible for an award for applying for unemployment.
Recommendations
Phishing remains a prominent attack vector for almost all cyber threat actors. Your cybersecurity best practices will always be your first line of defense against phishing. Here are some recommendations you can take to shield yourself from these threats:
- Establish a properly-configured firewall
- Keep your internet-connected devices behind your firewall rather than exposed directly to the public internet, and avoid using public Wi-Fi for sensitive tasks
- Report any suspicious emails to your organization’s IT department
- Enable strong authentication tools, such as Multi-Factor Authentication (MFA).
- Change your passwords regularly and change any insecure default settings on your devices
- Ensure backups of your devices are in place
- NEVER give out your personal information, including banking information, Social Security Number, or PII over the phone or email
- Always verify a charity’s authenticity before making donations. For assistance with verification, utilize the Federal Trade Commission’s (FTC) page on Charity Scams. This information can be found here: https://www.consumer.ftc.gov/articles/0074-giving-charity
If you suspect you've been impacted by a scam or attempted fraud involving COVID-19, you can file a report with the Cybercrime Support Network. More information can be found here: https://cybercrimesupport.org/covid-19-scam-alerts/
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.
2021-01 Securing New Devices / Data Privacy Day
Jan 2021
Securing New Devices / Data Privacy Day
The holiday season has sadly come to an end, but hopefully you were able to treat yourself to some of the latest gadgets! Just remember that, however impressive the latest iPhone or gaming computer might be, the ability and knowledge to properly secure these devices is more important than ever, as any device that connects to the internet is potentially vulnerable and could become compromised. In honor of Data Privacy Day (January 28), here are five great tips to keep in mind that can help you securely configure your new devices!
1. Multi-factor authentication
If presented the opportunity, always enable multi-factor authentication (MFA) on your accounts and devices. MFA requires a second proof of identity beyond your password, so a stolen password alone is not enough to get in. Where MFA is an option, enable it using a trusted mobile device such as your smartphone, an authenticator app, or a hardware security token. Note that a screen lock with a PIN or password on your iPhone or other device is a single factor: it protects the device itself, but it is not MFA on its own. MFA can stop attackers from accessing your accounts, computer, and mobile devices even when they already have your password. The availability of MFA is becoming more and more widespread, and for good reason!
2. Disable your location and safeguard yourself from monitoring devices
Location services might allow someone to see where you are located, so make sure you consider disabling this feature when you aren’t utilizing your device. Additionally, consider disabling your Bluetooth feature when not in use as well. Bluetooth can be used to connect to other devices or computers, and disabling this feature when not using your device can help to further secure your private information.
Another type of device to always be cognizant of is your digital assistant. If you use an Amazon Alexa, a baby monitor, any device that records audio, or anything of that nature, limit your conversations while they are on, and cover any cameras on toys, laptops, and monitoring devices when they are not in use.
3. Consider installing firewalls and antivirus software
Installing a firewall on your home network can help defend it against outside threats. For instance, a firewall can block malicious traffic from entering your network, while also alerting you to potentially dangerous activity. Please note that some firewall features, including the firewall itself, may be turned off by default, so ensure that your firewall is on and all the settings are properly configured, as this will greatly strengthen your security!
In addition to a network firewall, antivirus software can be a very protective measure against malicious activity. This type of software possesses the ability to detect, quarantine, and remove malware. Fortunately, this software is typically very easy to install and adds another protective shield to your security arsenal.
4. Patch & Update!
Most devices have a setting that lets updates install automatically, and turning it on is very important! Updates to your devices aren't always about a smoother and slicker interface. Manufacturers typically issue updates when vulnerabilities in their products are discovered; the update notifications you receive on your iPhone are a perfect example. Whether you have an iPhone or not, make sure your device is configured to receive automatic updates. If you need to update a device manually, make sure you obtain the update directly from the manufacturer (e.g., Apple) or its official store, since updates offered by third-party sources could very well compromise your device.
5. Secure your Wi-Fi Network
The good news is that it isn’t too difficult to make your wireless network and your devices more secure, and this can be completed in a few simple steps:
- The first thing you should do to secure your network is change your router's default administrator password (and the factory-set Wi-Fi password, if it has one) to something stronger. Using a password manager is a great idea, as it will ensure you are only using strong, unique passwords, such as those with special characters, numbers, and upper- and lower-case letters. This will prevent others from logging in to the router and undoing the security settings you have chosen.
- In addition to changing your password, it is also worth changing your SSID (Service Set Identifier), otherwise known as your wireless network name. Although changing this name won’t necessarily enhance your network security, it will make it clear which network you are connecting to. Make sure you do not use your name, home address or other personal information in your new SSID name.
- To further improve your defenses, use Wi-Fi Protected Access 3 (WPA3). WPA3 is currently the strongest Wi-Fi security standard; if your router or some of your devices do not support it yet, use WPA2 with AES (CCMP) encryption. WEP and the original WPA with TKIP are outdated and more vulnerable to exploitation.
Conclusion
In today's world we are more connected than ever — not only to each other, but to our devices. In the same manner in which you protect your physical assets, such as your bike with a padlock, you need to similarly protect your internet-connected devices! This is how Data Privacy Day came to fruition. This international event occurs every year on January 28, with the purpose of raising security awareness as well as highlighting data protection best practices.
In addition to its educational initiative, Data Privacy Day also promotes events and activities that aim to enhance the development of technology devices which promote individual control over personal information. For further information on Data Privacy Day and how you can get involved, please copy and paste the following link into your browser: https://staysafeonline.org/data-privacy-day/
Here is to a very cyber-safe New Year!
2020-12 Ten Cybersecurity Shopping Tips for the Holiday Season
Dec 2020
Ten Cybersecurity Shopping Tips for the Holiday Season
It’s that time of year again -- holiday shopping is in full swing! Even though the shopping insanity of Black Friday, Small Business Saturday, and Cyber Monday have come and gone, holiday shopping is still at the forefront of many consumers’ minds. Due to the fact that many consumers are avoiding stores and buying more online, e-commerce sales are rapidly on the rise, with no sign of consumers reverting to their old ways anytime soon.
Thankfully, online shopping gets more intuitive and simplistic by the day, allowing you to get that perfect gift with ease. However, while embarking on your online shopping conquest, make sure you’re not leaving yourself at risk. It’s clear that businesses are after your dollars during the holidays, but cybercriminals are on the lookout as well, now more than ever.
While you may not have to worry about being pickpocketed in the cyber world, you still need to be careful that you don’t fall prey to criminals. Here are 10 online shopping tips that can help you keep your information out of the hands of those who are most certainly on the naughty list:
1. Do not use public Wi-Fi for any shopping activity
Public Wi-Fi networks can be very dangerous, especially during the holiday season. While they are very convenient, they are not secure, and can potentially grant hackers access to your usernames, passwords, texts, and emails. For instance, before you join a public Wi-Fi network titled "Apple_Store," look around to see whether there is actually an Apple Store in your vicinity. Even then, anyone can name a rogue access point whatever they like, so treat every public network as untrusted.
While it is best to avoid public Wi-Fi altogether, if you need to use a public network, turn off automatic connection to it and make sure you are logged out of all personal accounts, such as your banking sites. It is perfectly acceptable to auto-connect to a trusted network such as your home's, but when out in public, consider turning off the Wi-Fi option on your phone and using your data plan. Yes, it's slower, but if you can wait for Santa's elves at UPS to deliver your presents from Amazon, you can certainly wait the few extra seconds it takes to use the internet, especially if it means your information is not at risk.
2. Make sure the site is secure
Before entering your personal or financial information, make sure the site you are on is legitimate and can be trusted. When visiting a website, look for the "lock" symbol; this usually appears in the URL bar. Additionally, check that the site's URL begins with "HTTPS". These indicate that the connection to the site is encrypted, so no one on the network can read what you type. They do not prove the site is legitimate: a scammer can obtain a certificate for any domain they control, so always check that the domain name itself is the one you expect.
3. Know what the product should cost
If the deal is too good to be true, then it may be a scam. Check out the company on ResellerRatings.com. This site allows users to review online companies to share their experiences purchasing from those companies. This will give you an indication of what to expect when purchasing from them.
4. Give your debit card a holiday break
When you are shopping online, always remember that it is best to rely on your credit cards or payment services such as PayPal. Credit cards offer much more protection and less liability if your information is compromised. Debit cards, on the contrary, are linked directly to your bank account, so you are at much greater risk if a criminal obtains that information. Additionally, in the event a fraudulent transaction occurs, credit card companies can reverse the charge and, hopefully, investigate the issue further.
5. Stay updated
Updating your operating system and software (including anti-virus software) is one of the most important and easiest things you can do to prevent criminals from accessing your information, and needs to be taken very seriously. Most software updates are released to improve your security by patching vulnerabilities and preventing new exploitation attempts by criminal hackers. While waiting for your computer or mobile device to update might seem tedious, the benefits it can provide could be a blessing in disguise. If you see that your device needs to be updated, do it!
6. Outsmart the scammers
During the holiday season we often see an influx of emails with discounts. While many of these discounts and special offers might very well be legitimate, email scammers take advantage of this surge to send out their own viruses and malware, hoping it might get lost in the mix. These scams have evolved over time, to the point that they are depicted as a legitimate discount or special offer. Be wary when opening an email from someone you don’t know or a site you have not visited.
7. Make sure your passwords are complex
Updating and enhancing your passwords is a cybersecurity best practice as old as time itself, and creating unique passwords is arguably still the best security when it comes to protecting your personal and financial information. If you utilize the same password for multiple sites, you are setting yourself up for disaster. If you have difficulty creating a large number of unique passwords for all of your information, be sure to take advantage of password generators and managers to not only develop more complex passwords, but allow you to store them securely as well.
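The router-password advice in the January issue and the password-generator advice above both come down to the same thing: a secret chosen uniformly at random from a large enough space. Here is an added example (not from the newsletter) that generates passwords and passphrases with a cryptographically secure source and reports how many bits of entropy each choice carries, so the two styles can be compared. The tiny word list is constructed for the demo; a real passphrase generator uses a list such as EFF's 7,776-word list, and the entropy function shows why the list size matters.

```python
"""Strong password and passphrase generation with entropy estimates (added example)."""
import math
import secrets
import string

# All 94 printable ASCII characters except space.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed demo word list. A real list (e.g. EFF's) has 7776 entries.
DEMO_WORDS = ["anchor", "basalt", "candle", "dragon", "ember", "falcon",
              "glacier", "harbor", "island", "jasper", "kettle", "lantern",
              "meadow", "nectar", "orchid", "pebble"]


def random_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Each character is an independent uniform pick from `alphabet`.
    `secrets` draws from the OS CSPRNG; the `random` module is NOT suitable
    for secrets because its state can be reconstructed from its output."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: list, count: int = 6, sep: str = "-") -> str:
    """Diceware-style: `count` independent uniform picks from a word list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy for `count` independent uniform picks from `choices`
    options: log2(choices ** count). This is the only number that matters;
    character-class rules are a proxy for it."""
    return count * math.log2(choices)


if __name__ == "__main__":
    pw = random_password(20)
    print(f"{pw}  ({entropy_bits(len(SYMBOLS), 20):.1f} bits)")
    pp = passphrase(DEMO_WORDS, 6)
    print(f"{pp}  ({entropy_bits(len(DEMO_WORDS), 6):.1f} bits with the demo list,"
          f" {entropy_bits(7776, 6):.1f} bits with a 7776-word list)")
```

A 20-character password from the full printable set carries about 131 bits; six words from a 7,776-word list carry about 78 bits, which is still far beyond what an online guessing attack can reach and much easier to type into a router's admin page. Either should be stored in a password manager rather than reused.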
8. Understand your shopping applications
Apps have a way of making your shopping experience more convenient, but certain apps can also make it convenient for criminals to take your information. Only install and use trusted applications from the official app stores, such as the Apple App Store or Google Play Store. Additionally, if you have doubts about a particular application, check the reviews from legitimate user accounts, as this can help you identify whether there is anything suspicious about it.
9. Never save your information
Avoid saving usernames, passwords, or credit card information in your browser's built-in autofill; a dedicated password manager, as recommended above, is the safer place for them. Periodically clear your offline content, cookies, and history. Always use strong passwords and consider setting up Multi-factor Authentication (MFA). In its simplest form this is a one-time code, sent by text message or generated by an authenticator app, that you type in while signing on. An authenticator app is the stronger of the two, since text messages can be intercepted or redirected. The option is usually found in the security settings of the account.
Additionally, when shopping online, consider checking out as a guest rather than creating an account, and consider using your browser's private browsing feature. For instance, Google Chrome's Incognito Mode won't save your browsing history, cookies, site data, or information you enter on forms. Keep in mind that private browsing only keeps that data off your own device; it does not hide your activity from the website, your network, or your internet provider. While the convenience of online shopping is unparalleled, never let this convenience override your security best practices.
10. Keep an eye on your credit
As cyber-safe and secure as you think you might be, we all make mistakes. During this time, pay close attention to your credit report to ensure that nothing out of the ordinary is taking place. The world of online shopping can bring lots of new products to your doorstep and can prove to be a lot of fun when finding that special gift. Just remember to be careful so you don’t make your data a special gift to cybercriminals. Always trust your instincts and make sure you stick to these cybersecurity best practices! ~ Happy Holidays and safe shopping!
2020-11 What You Need to Know About Ransomware
Nov 2020
What You Need to Know About Ransomware
What is Ransomware?
Ransomware is a type of malicious software, or malware, that blocks access to a system, device, or file until a ransom is paid. It is an illegal, moneymaking scheme that can be installed through deceptive links in an email message, instant message, or website.
Ransomware works by encrypting files on the infected system (crypto ransomware), threatening to erase files (wiper ransomware), or blocking system access (locker ransomware). The ransom amount and contact information for the cyber threat actor (CTA) are typically included in a ransom note that appears on the victim's screen after their files are locked or encrypted.
Sometimes the CTA only includes contact information in the note and will likely attempt to negotiate the ransom amount once they are contacted. The ransom demand is usually in the form of cryptocurrency, such as Bitcoin, and can range from as little as several hundred dollars up to and exceeding one million dollars. It is not uncharacteristic to see multi-million-dollar ransom demands in the current threat landscape.
Ransomware is primarily delivered through the following means:
- Malicious attachments/links sent in an email.
- Network intrusion through poorly-secured ports and services, such as Remote Desktop Protocol (RDP) (e.g. Phobos ransomware variant).
- Dropped by other malware infections (e.g. initial TrickBot infection leading to a Ryuk ransomware attack).
- Wormable and other forms of ransomware that exploit network vulnerabilities (e.g. the WannaCry ransomware variant).
Why is Ransomware Awareness Important?
Ransomware is a growing and expensive problem. In 2019, the Multi-State Information Sharing and Analysis Center (MS-ISAC) observed a 153% increase in the number of reported state, local, tribal, and territorial (SLTT) government ransomware attacks from the previous year. Many of these incidents resulted in significant network downtime, delayed services to constituents, and costly remediation efforts.
Victims of ransomware are not only at risk of losing access to their systems and files. In many cases, they may also experience financial loss due to legal costs, purchasing credit monitoring services for employees/customers, or ultimately deciding to pay the ransom. The effects of a ransomware attack are particularly harmful when it impacts emergency services and critical infrastructure, such as 911 call centers and hospitals.
Additionally, CTAs target managed service providers (MSPs), companies that manage a customer's Information Technology (IT) infrastructure, in order to push ransomware out to multiple entities at once. The CTA compromises the MSP and uses the MSP's existing remote-management infrastructure to disseminate the ransomware to its clientele, exploiting the trusted relationship between customers and their MSP.
Over the past few years, the MS-ISAC has observed an increase in techniques that allow CTAs to evade detection and maximize the impact of their attacks. One such technique is "living off the land" (LOTL): abusing legitimate administrative tools already present on the network (for example PowerShell, WMI, or remote-execution utilities), often alongside publicly available penetration-testing tools (e.g., Cobalt Strike, Metasploit, or Mimikatz), to specifically target domain controllers and Active Directory, gain network-wide access, and deploy fileless ransomware that evades signature-based antivirus.
What Can You Do About Ransomware?
Defending against ransomware requires a holistic, all-hands-on-deck approach that brings together your entire organization. While ransomware infections are not entirely preventable due to the effectiveness of well-crafted phishing emails and drive-by downloads from otherwise legitimate sites, organizations can significantly reduce the risk of ransomware by implementing cybersecurity policies and procedures and improving cybersecurity awareness and practices of all employees.
It is up to all of us to help prevent ransomware from successfully infecting our systems. To increase the likelihood of preventing ransomware infections, organizations must implement a cybersecurity user awareness and training program that includes guidance on how to identify and report suspicious activity (e.g., phishing) or incidents. This program should include organization-wide phishing tests to gauge user awareness and reinforce the importance of identifying potentially malicious emails. When employees can spot and avoid malicious emails, everyone plays a part in protecting the organization.
If your organization becomes infected with ransomware, there are things you can do to respond. The most effective strategy for mitigating data loss from a successful ransomware attack is a comprehensive data backup process. However, backups must be stored offline or otherwise out of reach of the compromised network, because a CTA with domain-wide access will delete or encrypt any backup they can reach, and restores must be tested regularly to ensure the backups are complete and intact.
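"Tested regularly to ensure integrity" needs something to test against. The following Python script is an added example, not part of the MS-ISAC newsletter: it records a SHA-256 manifest of a backup tree and later compares the tree against that manifest, reporting files that went missing, changed, or appeared. The demo builds a small directory in a temporary location, then simulates what a ransomware run leaves behind (an overwritten file, a renamed file with a new extension, and a ransom note); the directory layout, file names and ransom-note name are all constructed for the example.

```python
"""SHA-256 manifest for backup integrity checks (added example)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the tree at `root` with a previously saved manifest."""
    current = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest
                           if k in current and manifest[k] != current[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, then simulate ransomware damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "ledger.csv").write_text("id,amount\n1,10\n")
        (root / "notes.txt").write_text("hello\n")

        # The manifest is serialised so it can live on a different host than
        # the backup media; an attacker who can rewrite both gains nothing
        # from a manifest stored next to the data it protects.
        manifest_json = json.dumps(build_manifest(root), indent=2)

        # Simulated damage: one file encrypted in place, one renamed with a
        # ".locked" extension, and a ransom note dropped at the top level.
        (root / "notes.txt").write_bytes(os.urandom(32))
        (root / "docs" / "ledger.csv").rename(root / "docs" / "ledger.csv.locked")
        (root / "README_DECRYPT.txt").write_text("pay\n")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Running the demo reports `docs/ledger.csv` as missing, `notes.txt` as modified, and both the renamed file and the ransom note as unexpected. The same three lists, produced on a schedule against the offline copy, are the test the paragraph above asks for; a sudden spike in "modified" and "unexpected" on the live data is also a useful early signal that encryption is under way.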
Reporting Ransomware
If your organization is the victim of a ransomware infection, follow your organization’s incident response procedures to report it. Alternatively, the Cybersecurity and Infrastructure Security Agency (CISA) provides a secure means for constituents and partners to report incidents, phishing attempts, malware, and vulnerabilities. To submit a report, visit https://us-cert.cisa.gov/report.
|
|
|

|
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.
Securing Your Remote Office
Monthly Security Tips Newsletter, Oct 2020
October is Cybersecurity Awareness Month and with the increased cybersecurity risks of working from home, we should all be thinking about how to secure our home office.
After months of remote work, you have become a "work from home" pro. However, there may be some areas where you can shore up your home office cyber defenses. You may have realized that the security best practices you once followed are diminishing. Ask yourself - are you communicating with your colleagues and co-workers in a safe and secure way? Do you keep your passwords properly managed? Can you identify (and report) potential incidents or threats on your network? Answering these questions should make you realize that cybersecurity is more important than ever. For remote employees especially, there are many security risks – three in particular – that pose a threat:
Email scams
Many scammers send phishing emails with the intent to steal sensitive information from the recipient or the company. Especially in complicated times – like the novel coronavirus pandemic – phishers are hoping to take advantage of trusting victims. They'll often pretend they are someone within the company, like the CEO or a manager, to establish false trust. Remote workers are easy targets because they are not in the office and, therefore, hackers are hoping they won't check to see if the email is legitimate.
Unsecured Wi-Fi
During this time, many remote employees are using their private home network, which can increase the risk of leaked data. Third parties might be able to intercept and access sensitive emails, passwords and messages.
Personal computers
Many remote workers admit to using their personal devices rather than their designated work tech. According to Cisco, 46% of employees report transferring files between their work and personal computers. If employees obtain sensitive data and store it on their personal devices, that puts many organizations at risk.
Another source of vulnerability is that if you, as a remote employee, are using your personal computer and are not downloading the latest updates, you are more vulnerable to cyberattacks.
What can you do?
While a list of everything you can do would be exhaustive, here are six suggestions that will go a long way towards securing your remote office. Not all of these can be deployed by everyone, but they are worth noting. We have ranked these (somewhat subjectively) in order of ease of implementation.
1. Use strong passwords.
Physical devices aren't your only concern. If a hacker tries to access any sensitive accounts, you want to make it as difficult as possible for them to log in. Make sure you are using not only unique passwords for each account but strong passwords as well. Using a password manager is a great precaution, as it ensures you are only using strong passwords, such as those with special characters, numbers, and upper and lowercase letters.
2. Multi-factor authentication.
Multi-factor authentication (MFA) grants access to the device and all software after the employee provides more than one form of identification. Multi-factor authentication can prevent hackers from accessing your accounts, computer and mobile devices. The availability of MFA is becoming more and more widespread. If it is an option, we strongly recommend you take advantage of it.
3. Invest in antivirus software.
Your employer may provide a recommended application for a company-issued device, but if you use your personal laptop for work, you need to keep your system protected.
4. Follow company policies to the letter.
Your company likely has clear policies for accessing the company network outside the office. Those guidelines and rules should always be followed, but it's especially important when you're working remotely. Report any suspicious behavior to your IT department immediately and follow basic computer hygiene standards:
- All systems properly patched and up to date. This simply means that the latest updates for your applications have been downloaded and installed, as these fix known vulnerabilities that malicious actors could exploit.
- Malware/Antivirus scans completed on a regular basis.
- Do not open email attachments willy-nilly. Look at any received email with a cautious eye. It is still the #1 vector for bad actors to wreak havoc.
5. Don't allow family members to use your work devices.
Remember, the computer you do your work on is for employee use only – it's not the family computer. Treat your work-issued laptop, mobile device and sensitive data as if you were sitting in a physical office location. While we understand that this is not always feasible, you should continuously associate your actions with a security-first and data-aware mentality in mind. As an added benefit you will help your family and other users to become more cyber aware and cyber secure. If the option exists to use company-issued equipment, that will always be the first choice. A second choice is a dedicated machine that no one else uses; not for games, nor movies or checking out those tantalizing Facebook posts. Lastly, a shared computer, one that is following all the computer hygiene recommendations above and is being closely monitored.
6. Encrypt your messages.
Data encryption helps protect sensitive information by translating it into a code that only people within your company can read, using a secret key or password. Even if scammers intercept your data, they won't be able to interpret it. This goes for any messages or information you send, receive, or store on your devices. If this is a feasible option at your organization, check with your IT department for what types of encryption they offer; otherwise, you can take advantage of the many free and paid applications that are available. Encryption requires a bit more technical savvy, but it is not beyond your capability!
Although October is Cybersecurity Awareness Month, please remember that we should all be cyber aware 365 days out of the year!
Malware, Malicious Domains, and More: How Cybercriminals Attack SLTT Organizations
Monthly Security Tips Newsletter, Sept 2020
Cybercriminals continue to target U.S. State, Local, Tribal, and Territorial (SLTT) government organizations at an alarming rate. Attackers often target SLTT organizations because they know their security teams need to run complex networks, as well as deal with numerous third-party systems and services. Many SLTT cybersecurity teams are also struggling with reduced security budgets and a well-documented shortage of skilled cybersecurity and networking professionals to fill open positions. COVID-19, and the subsequent increase in remote working by government employees and online accessibility requests for government resources by citizens, has only added to their security challenges.
Cybercriminals’ SLTT Playbook
One of cybercriminals’ favorite attack vectors against SLTT organizations is malware. Malware is malicious software designed to perform malicious actions on a device. It can be introduced to a system in various forms such as emails or malicious websites. Various types of malware have distinct capabilities dependent on their intended purpose, such as disclosing confidential information, altering data in a system, providing remote access to a system, issuing commands to a system, or destroying files or systems.
While malware comes in many flavors, the most prolific type used against SLTT organizations is ransomware. Ransomware is a type of malware that blocks access to a system, device, or file until a ransom is paid. Ransomware does this by encrypting files on the endpoint, threatening to erase files, or blocking system access. It can be particularly harmful when ransomware attacks affect hospitals, emergency call centers, and other critical infrastructure. The 2020 Verizon Data Breach Investigations Report (DBIR) found that ransomware disproportionately affects the public sector (over 60% of malware incidents vs. 27% of malware in all sectors). Additionally, incidents observed by the Multi-State Information Sharing and Analysis Center (MS-ISAC) showed a 153% increase in SLTT ransomware attacks from January 2018 to December 2019. In 2019, there were more than 100 publicly disclosed ransomware attacks against SLTT organizations – including an attack on the City of Baltimore’s IT systems that locked out thousands of computers and disrupted nearly every city service. This attack is estimated to have cost the city as much as $18 million.
Other common types of malware affecting SLTT organizations include:
- Trojans are malware that appears to be a legitimate application or software that can be installed. Trojans can provide a backdoor to an attacker and subsequently full access to the device, allowing the attacker to steal banking and sensitive information, or download additional malware. Findings from the 2020 Verizon DBIR show that trojan variants were involved in over 50% of malware incidents in the public sector.
- Downloaders or Droppers are malware which, in addition to their own malicious actions, allow other, often more dangerous, malware to infiltrate the infected system. Data collected by the 2020 Verizon DBIR shows that nearly 25% of public sector incidents involved a downloader or dropper.
- Spyware is malware that records keystrokes, listens in via computer microphones, accesses webcams, or takes screenshots and sends the information to a malicious actor. This type of malware may give actors access to usernames, passwords, any other sensitive information entered using the keyboard or visible on the monitor, and potentially information viewable through the webcam. Keyloggers, which mainly record keystrokes, are the most common type of spyware, and ZeuS, the most famous keylogger, has been on the MS-ISAC’s Top 10 Malware list for several years.
- Click Fraud is malware that generates fake automatic clicks to ad-laden websites. These ads create revenue when clicked on. The more clicks, the more revenue that is generated. Kovter, one of the more prolific versions of click fraud, has been on the MS-ISAC’s Top 10 Malware list for the past few years.
Protecting Your Organization from Malware
Malware most commonly finds its way into SLTT organizations through either malspam (unsolicited emails that direct users to malicious websites or trick them into downloading or opening malware) or malvertisements (malware introduced through malicious advertisements). The common thread between these vectors, and the various types of malware they can introduce to your organization’s IT systems, is that they almost always involve either users or the malicious software they unintentionally download connecting to malicious web domains.
To help SLTT organizations protect themselves against these common types of cyber-attacks, the Center for Internet Security (CIS) is partnering through the MS-ISAC and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) with the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and Akamai to offer its new Malicious Domain Blocking and Reporting (MDBR) service at no cost to U.S. SLTT government members of the MS- and EI-ISACs. The service allows SLTT security teams to quickly add an additional layer of cybersecurity protection against their systems connecting to malicious web domains and to enhance their existing network defenses.
For organizations not eligible to join the MS- or EI-ISAC, similar protection can be obtained through Quad9. Quad9 is a no-cost, recursive, anycast DNS platform that provides end users robust security protections, high-performance, and privacy. Quad9 was developed by the Global Cyber Alliance (GCA), an international nonprofit organization founded by a partnership of law enforcement and research organizations focused on combating systemic cyber risk in real, measurable ways (CIS is a founding organization of GCA).
About Malicious Domain Blocking and Reporting (MDBR)
The MDBR service is only available to members of the MS- and EI-ISAC. For those who are not eligible for membership, please see the section below on Quad9 for a similar service available to the general public.
MDBR proactively blocks network traffic from an organization to known harmful web domains, helping protect IT systems against cybersecurity threats and limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain. In just the first five weeks of service, the MDBR service blocked 10 million malicious requests from more than 300 SLTT entities.
Once an organization points its domain name system (DNS) requests to Akamai’s DNS server IP addresses, every DNS lookup will be compared against a list of known or suspected malicious domains. Attempts to access known malicious domains, such as those associated with malware, phishing, or ransomware, are blocked and logged.
Akamai provides all logged data to the MS- and EI-ISACs’ Security Operations Center (SOC), including both successful and blocked DNS requests. The SOC uses this data to perform detailed analysis and reporting for the betterment of the SLTT community, as well as regular organization-specific reporting and intelligence services. If necessary, remediation assistance is provided for each SLTT organization that implements the service.
Any U.S. SLTT government entity that is a member of the MS- or EI-ISAC can sign up for MDBR. They are able to take advantage of this additional layer of cybersecurity protection at absolutely no cost, courtesy of funding support provided by CISA.
To learn more about MDBR and sign up your organization for the service, please visit our website.
About Quad9
Quad9 blocks against known malicious domains, preventing your organization’s computers and IoT devices from connecting to malware or phishing sites. Whenever a Quad9 user clicks on a website link or types an address into their web browser, Quad9 checks the site against a list of domains compiled from over 18 different threat intelligence partners. Each threat intelligence partner supplies a list of malicious domains that are based on heuristics examining factors such as scanned malware discovery, network IDS past behaviors, visual object recognition, optical character recognition (OCR), structure and linkage to other sites, as well as individual reports of suspicious or malicious behavior. Based on the results, Quad9 resolves or denies the lookup attempt, preventing connections to malicious sites when there is a match. Quad9 routes your organization’s DNS queries through a secure network of servers around the globe.
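Both MDBR and Quad9 work the same way at the resolver: every DNS lookup is compared against a list of known or suspected malicious domains, a match is refused, and the request is logged either way. The following Python is an added illustration of that filtering step; it is not code from the newsletter, Akamai, MDBR or Quad9. The blocklist entries (placeholder names under the reserved `.example` TLD) and the sample query names are constructed, and the function names are the example's own. It goes one step beyond the text by matching parent domains, so a listing for a domain also covers its subdomains, which is how such lists are normally applied.

```python
"""Resolver-side malicious-domain filtering, as described for MDBR and Quad9.

Added example, not code from the newsletter, MDBR, Akamai or Quad9.  The
blocklist entries and sample queries are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed blocklist (placeholder names under the reserved .example TLD).
BLOCKLIST: Set[str] = {
    "malware-delivery.example",
    "phish-login.example",
}

# Constructed sample of query names as a stub resolver would send them.
SAMPLE_QUERIES = [
    "www.example.org.",              # trailing dot from the wire format
    "CDN.Malware-Delivery.EXAMPLE",  # subdomain of a listed domain, mixed case
    "phish-login.example",
    "portal.example.org",
]


@dataclass
class Decision:
    qname: str              # normalized query name
    blocked: bool
    matched: Optional[str]  # the blocklist entry that matched, if any


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()


def match_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname, checking parent domains too.

    A listing for malware-delivery.example must also catch
    cdn.malware-delivery.example; a bare TLD is never treated as a match.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def filter_query(qname: str, blocklist: Set[str], log: List[str]) -> Decision:
    """Decide one lookup and log it either way (the text says both allowed and
    blocked requests are logged and handed to the SOC)."""
    name = normalize(qname)
    matched = match_blocklist(name, blocklist)
    if matched is not None:
        log.append(f"BLOCK qname={name} matched={matched}")
        return Decision(name, True, matched)
    log.append(f"ALLOW qname={name}")
    return Decision(name, False, None)


def run_filter(queries=SAMPLE_QUERIES, blocklist=BLOCKLIST) -> Tuple[List[Decision], List[str]]:
    """Filter a batch of queries; returns the decisions and the log lines."""
    log: List[str] = []
    decisions = [filter_query(q, blocklist, log) for q in queries]
    return decisions, log


def summarize(decisions: List[Decision]) -> dict:
    """Counts an organization-level report would start from."""
    blocked = [d for d in decisions if d.blocked]
    return {
        "total": len(decisions),
        "blocked": len(blocked),
        "blocked_domains": sorted({d.matched for d in blocked}),
    }


if __name__ == "__main__":
    decisions, log = run_filter()
    print("\n".join(log))
    print(summarize(decisions))
```

A production resolver answers a blocked lookup with an NXDOMAIN or a sinkhole address rather than a Python object, but the decision and the log record are the parts the newsletter describes, and the log of allowed lookups is what makes later incident analysis possible.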
Working Remotely: How to be Safe, Secure, and Successful
Monthly Security Tips Newsletter, Aug 2020
Between working at the office, or school, or remotely, the principles of security can become something of a moving target. For some, this creates an uncertainty with making sure that the right policies are applied. Reducing risk on at-home networks, keeping information secure during virtual meetings and having a strong password policy are some best practices that can be implemented quickly and effectively from wherever you are working.
Reducing Risk on Home Networks
Home IT devices, such as unsecured off-site routers, modems, and other network devices are subject to many of the same threats as on-site business devices. They can be attacked from any device on the internet. Remote devices are also vulnerable to unauthorized access from neighbors and passersby.
As we continue to work, attend school, and connect with friends and family remotely, there are steps you can take to reduce the risk and improve the security of home networks. Consider the following list to gauge the amount of risk involved and improve the security of your home network:
- Are your network devices physically secured?
- Have you changed the default manufacturer/administrative account password on your network devices (modem and router)? Many routers come preconfigured with a password. The default password for most router models is easily found on the internet, so it is extremely important to change the administrative password rather than keep the default.
- Do you have a unique password and two-factor authentication (2FA) enabled on your network devices (modem and router)?
- Do you have a password policy in place? Do you have a unique password and 2FA enabled on your internet service provider's web portal?
- If you use a mobile application for network management, do you have a unique password and 2FA enabled?
- Have you installed the latest updates for your network devices (i.e., modem, router, laptop/PC), or have you enabled auto-update on the device’s administration page?
- Does your network device (router/modem) support Wi-Fi Protected Access Version 2 (WPA2) or Wi-Fi Protected Access Version 3 (WPA3)? WPA2 should be the minimum.
- Have you turned off/disabled Wi-Fi Protected Setup (WPS) and Universal Plug and Play (UPnP) on your network? If enabled, these might allow attackers to connect to your devices without permission.
- Have you changed the Wi-Fi network name to something unique that doesn’t provide any identifying information?
- Have you enabled the firewall on your network devices?
- Have you disabled remote management? Most routers offer the option to view and modify their settings over the internet. Turn this feature off to guard against unauthorized individuals accessing and changing your router’s configuration.
- Have you hardened your device by removing ports, software, or services that are unused or unwanted?
- Do you run updated antivirus and malware protection on your device?
Security during virtual meetings
In order to help protect you and your organization from potential threats, here are some cybersecurity tips on how to securely configure your virtual meetings, whether they be for work or your classroom experience:
Sharing of your information assets during virtual meetings
Managing your information assets and password policy
Remember, just like you protect your physical assets (shed, kayak, or bike) with a padlock, you need to lock down connectivity devices to protect information assets! A resilient cybersecurity mindset contributes to having a clear view of the objectives. For some, endpoints might have become a primary concern; for others, corporate assets might have become even more susceptible in light of the increased amount of ransomware. This dual-pronged problem became especially evident in the new world of COVID-19, with more staff working remotely.
Have you identified more risk than you initially realized? More information and mitigation techniques can be found at the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).
Additional Resources
CIS Password Policy Guide
6 Common Elderly Scams to Watch Out For And How To Stay Safe
Monthly Security Tips Newsletter, July 2020
A scam can be initiated via the computer (email, internet, social media), text, postal mail, in person, or a phone call. No matter the origin of the scam, the characteristics are the same:
- First, there is something to pique your interest – someone in trouble, big discount offers, a lottery win.
- Second, the individual contacting you seems trustworthy, super friendly, and seems to care about you.
- Third, there’s a deadline associated with the offer – act fast, act now.
There will always be scams, particularly those targeted at seniors. This month’s newsletter identifies some common scams and offers tips to help you take control of the situation and stay safe.
Grandparent Scam
One of the most common scams presented to seniors is the Grandparent Scam. The caller claims to be a relative, a grandson or granddaughter, and the call is urgent. Typically, the grandchild is out of town and is in trouble, needs money fast for some emergency, and doesn’t want the rest of the family to know. The caller may have bits of information, some of which could be collected from sources like social media, and prompts the senior to provide more information, making the call appear genuine.
This is not a legitimate call. Hang up the phone and contact your family or the authorities.
Sweepstakes Scam
In this case, the scammer would send their target a check or something else of value, whether in the mail, email, text or phone call, that indicates the recipient won something. In order to claim the “prize,” the recipient may have to send a check or money order to cover taxes and fees, and may be asked for banking information to deposit the winnings, or to buy something to enter the contest. This is so the scammer can obtain private banking information. The name of the sweepstakes may seem familiar – quite often scammers will do this to make it recognizable.
Legitimate contests do not ask for money or financial information up front. Do not respond to these messages with a check, money order, or cash. It is always best never to provide identifying information to anyone over the phone, text, or email, especially your bank account information.
Home Improvement Scam
Scammers target seniors by offering home improvement services in order to gain access to their home, belongings, and personal information. They will arrive at their target’s house, offer free inspections, or offer services to fix something they deem “needs work”. Scammers will pretend to be working for the local town or county to appear more legitimate.
The homeowner should stay in control of the situation and not be intimidated by the person at their door.
- Never let them in your home.
- Be suspicious of unsolicited offers, and ask for identification.
- If work does need to be done, ask friends and neighbors who they would recommend. Be sure to get references, and only use licensed contractors.
- Never pay the full amount up front. Pay as the work is completed according to a contract.
Telemarketer Scam
Scammers will target seniors in an effort to obtain financial information by claiming to be from an important institution such as a credit card company, Microsoft, Social Security Administration, Internal Revenue Service, phone company, power company, and so on. Never feel pressured to commit to anything over the phone.
- Don’t rely on caller ID to tell you who is calling. Today's technology allows calls to be masked so that they appear to come from a number you know or can associate with, when they do not.
- Never give out personal information to an unsolicited caller. Never provide your birthday, Social Security number (even the last 4 digits), your mother’s maiden name, pet’s name, bank account information, or anything else that can be used as a password or identifying information.
- Hang up and contact the company the caller claims to be with directly if you feel you need to talk to them. Refer to your copy of your phone bill, power bill, or the number on the back of your credit card or bank card to initiate contact.
Internet Scams
There are many ways scammers are using technology to take advantage of seniors. Whether it is a special offer via email, attempts to acquire your user name and password via a scheme, or skimming of information while shopping online, there are ways you can be in control and keep your information safe. If you are computer-savvy, keep these tips in mind to keep your information safe:
- Never click on links in emails.
- Don’t open attachments for special offers.
- Be careful of free offers over holidays.
- Watch for malicious ads and popups.
- Don’t shop over public Wi-Fi.
- Be suspicious of gift card scams; buy from trusted sources.
- Know what your product costs.
- Make sure the site is secure – look for the “lock” icon and “https” in your browser address bar when shopping.
- Make sure all computer anti-virus, malware, and security software is up to date.
- Don’t save credit card information online; check out as a guest if the site offers it.
Charities
While there are many charities that are worthy of your donations, be sure you know who you are donating to.
- Always verify the charity before making any donation by checking with your Attorney General’s office.
- Know what the charity is doing with your contribution.
- Avoid charities that will not answer your questions or provide written information about their programs or finances.
- Talk with family, friends, or trusted sources before giving to a charity.
- Do not give on the spot before doing research on the charity.
- Never give cash or purchase gift cards for payment.
If you feel you have been scammed, or are concerned that you are a victim of fraud, contact your local law enforcement immediately. Remember to keep a close eye on bank and credit card statements, and report any unusual activity.
Stay informed. Remember, you are in control!
Additional resources
Virtual Conferencing Platform Security Tips
Monthly Security Tips Newsletter, June 2020
With the recent move for many to working from home, there are a lot of questions around virtual conferencing platforms. Much of the attention has focused on the security of some platforms compared to others. However, the majority of the security issues actually have a lot to do with the users' familiarity with these platforms and their proper usage.
The first thing to remember is this: if you are going to download a virtual conferencing application, be certain the download is from a reputable source. Most often the company will host the download themselves or have a link to the download on their website. It is advisable not to trust a download from a third party unless you were directed there by the official website.
Security concerns regarding virtual conferencing
Encryption may not be adequate to secure sensitive information or to protect the privacy of individuals.
- End-to-end encryption is not an easy task for real-time audio or video connections. In most use cases it takes special hardware or software. It is very important to remember that some topics should not be discussed over a virtual conference. This is especially true for sensitive data, personally identifiable information (PII), and regulated data such as that governed by the Health Insurance Portability and Accountability Act (HIPAA) or the Children’s Online Privacy Protection Rule (COPPA), and Federal Tax Information (FTI).
- Consider where encryption key distribution servers are located when evaluating a company’s offerings. Researchers have found that some companies' encryption key distribution servers for U.S.-based meeting sessions were located in Beijing, China. In such situations, companies may be obligated to disclose meeting encryption keys to the Chinese government.
- Just because a company advertises encryption doesn’t mean that the best form of encryption is being used.

Figure 1: Tux the Penguin encrypted in ECB vs. pseudo-random encryption (source: github picoctf-2019-solutions/Cryptography/aes-abc/readme.md)
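The figure illustrates why "advertises encryption" is not enough: in ECB mode every identical plaintext block produces an identical ciphertext block, so the outline of the image survives encryption. The following Python is an added example, not code from the newsletter or from the picoCTF write-up the figure cites, that measures this effect on a constructed two-colour bitmap. It uses a toy Feistel block cipher built from HMAC-SHA256 as a stand-in for AES so that it runs with the standard library alone; that cipher, the fixed key and IV, and the function names are assumptions of the example. It goes slightly beyond the figure by also showing the contrast with CBC mode, where chaining makes every ciphertext block distinct.

```python
"""Why ECB leaks structure: the 'Tux' effect, measured on a constructed bitmap.

Added example, not code from the newsletter or the picoCTF write-up it cites.
The block cipher here is a toy Feistel network keyed through HMAC-SHA256,
standing in for AES so the script runs with the standard library only; it is
not a cipher to use for anything real.  The key and IV are fixed constants so
the demonstration is repeatable; a real CBC IV must be fresh and random.
"""
import hashlib
import hmac

BLOCK = 16          # block size in bytes
HALF = BLOCK // 2
ROUNDS = 8
KEY = hashlib.sha256(b"demo key, constructed").digest()
IV = hashlib.sha256(b"demo iv, constructed").digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, r: int, half: bytes) -> bytes:
    # Keyed round function; the round index keeps each round distinct.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher (stand-in for AES); a bijection on 16-byte blocks."""
    left, right = block[:HALF], block[HALF:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, r, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: same rounds in reverse order."""
    right, left = block[:HALF], block[HALF:]
    for r in reversed(range(ROUNDS)):
        right, left = left, _xor(right, _round_fn(key, r, left))
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: blocks are encrypted independently, so equal plaintext blocks give
    equal ciphertext blocks (input is block-aligned here, so no padding)."""
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


# Constructed 8x4 "bitmap": one 16-byte block per pixel, two colours.
PICTURE = ["X......X", ".X....X.", "..XXXX..", "X......X"]
FG, BG = b"\xff" * BLOCK, b"\x00" * BLOCK
PLAINTEXT = b"".join(FG if ch == "X" else BG for row in PICTURE for ch in row)


def distinct_blocks(ct: bytes) -> int:
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})


def silhouette(ct: bytes, width: int = 8):
    """Label each ciphertext block by order of first appearance, laid out in rows.
    With ECB this reproduces the picture without knowing the key."""
    ids, rows, row = {}, [], []
    for i in range(0, len(ct), BLOCK):
        row.append(ids.setdefault(ct[i:i + BLOCK], len(ids)))
        if len(row) == width:
            rows.append(row)
            row = []
    return rows


if __name__ == "__main__":
    ecb, cbc = ecb_encrypt(KEY, PLAINTEXT), cbc_encrypt(KEY, IV, PLAINTEXT)
    print("ECB distinct blocks:", distinct_blocks(ecb), "of", len(PLAINTEXT) // BLOCK)
    for row in silhouette(ecb):
        print("".join("X" if v == 0 else "." for v in row))
    print("CBC distinct blocks:", distinct_blocks(cbc))
```

With ECB the silhouette printed from the ciphertext is the original picture: two colours in, two distinct ciphertext blocks out, no key needed to read the shape. With CBC all 32 blocks differ, which is the "pseudo-random" side of the figure. The same reasoning applies to any block cipher, AES included; the mode, not the cipher, is what the figure is about.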
Virtual conferencing applications are vulnerable to multiple attacks
- - Malicious actors are creating fake installation files for multiple meeting platforms including Zoom Meetings, MS Teams, and Google Classroom.
- - Some conferencing platforms have been “conference bombed.” This is when an uninvited guest gains access with the intention to disrupt or eavesdrop on the meeting.
- - Virtual conference meeting users have been targeted to capture potentially sensitive data disclosed during meetings. Also, recorded meetings may not be stored by their meeting host in a secure manner. Attackers have accessed a virtual conferencing provider’s files stored on the provider’s computers and in unsecured public cloud environments.
Guidelines for Virtual Conferencing
- - If possible, NEVER share sensitive or regulated data during virtual conference meetings.
- - Become familiar with who may record your meeting. Be aware that individuals may choose to record a meeting using audio or video recording tools outside of the meeting software.
- - Download virtual conferencing clients directly from the manufacturer or your service provider.
- - Always run the newest version of the conferencing client (if required to download and install a client).
- - Password protect each meeting with a unique and complex password using letters, numbers and special characters.
- - Password protect recordings of meetings with a unique and complex password using letters, numbers and special characters.
- - Do not share your meeting link in public forums or on social media. In the event you must advertise your meeting publicly, remove the password embedded in the link and ask attendees to contact the organizer for the password.
- - Use a per-meeting ID rather than the personal ID associated with a virtual conferencing account, so that the meeting ID changes for each meeting.
- - Disable sharing for all attendees except for the meeting host.
- - Use the waiting room/lobby feature when it is available. This requires the organizers to admit people singly (for small meetings) or all at once (for larger meetings). If an attendee seems suspicious, the waiting room feature allows organizers to prevent them from joining the meeting.
- - Remove and block anyone in the meeting whose identity cannot be recognized or verified. Once removed, the person or people cannot come back in.
Taking the above steps will help ensure your organization's virtual meetings will remain secure while employees connect and collaborate through these platforms.
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.
Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.
2020-05 6 Steps to Securing IoT Devices and Taking Back Your Privacy
May 2020
Monthly Security - Tips Newsletter
In today's world we are more connected than ever — not only to each other, but to our devices. For example, people now have the ability to open and close their garage doors and even start their cars directly from their phones. But what information do we put at risk when we do all of these amazing things? Securing Internet of Things (IoT) devices and keeping personally identifiable information (PII) safe and secure these days is of the utmost importance.
IoT Information Collection
When you buy the latest IoT device, you need to be aware of two things: First, IoT devices collect your information, and second, that information is always accessible.
So, what exactly is information collection? Think of a common streaming service, like Netflix. Once you sign up, you'll start receiving emails from Netflix letting you know they’ve added a new TV show that you might enjoy. And the thing is, they’re usually right! That's because your viewing history and ratings have been fed into an algorithm that determines what else you’d be willing to watch, and thus, continue your subscription. Now imagine every device you have on your home network collecting this type of information. It's a scary thought!
Keeping Your Information Secure on IoT Devices
While technology enables you to control your life from your fingertips, your information is at everyone else’s fingertips as well. Security isn’t fun or flashy, and because of this, some companies do not give it the consideration it deserves before they bring their products to market.
Very often, when you buy an IoT device or use a company’s service, you have unknowingly allowed them to collect information about you. The agreement you have to accept before you can use any of their products is written by their lawyers, and unfortunately, without saying yes you can’t use that fancy new gadget. All of these companies know it, which is why hundreds of pages sit between you and your new purchase.
6 Steps to Protect Yourself and Your Devices
- 1. Change Default Passwords
On devices that are connected to your network you should always make sure you change the default password. It doesn't matter if it's a new security camera or a new fridge. Creating new credentials is the very first step in securing your IoT devices and protecting your privacy. Research has shown that a “passphrase” is safer than a password. What does this mean? It means 1qaz!QAZ is less secure than Mydogsliketochasethechickensaroundtheyard!, which is also much easier to remember.
- 2. Automatic Patches and Updates
In today's "set it and forget it" society, many electronic devices can take care of themselves. Quite often a device has a setting that allows automatic updates. This is an important setting to turn on when securing IoT devices.
- 3. Set-up Multi-factor Authentication (MFA)
MFA security settings are growing in popularity. This is as simple as receiving a text or a code that you need to type in while signing on to a system. Oftentimes, within the account preferences of your device, you can set up an authentication application. If you can’t find this option, call customer service; chances are it exists somewhere.
- 4. Utilize a Password Manager
Keep usernames and passwords unique. Most password manager applications can generate a random password for you, and will allow you to store them safely.
- 5. Update Default Settings
Check to see which settings are turned on by default, especially if you don't know what they mean. If you are unfamiliar with FTP or UPnP, chances are you are not going to use them, and you will not even notice once they are turned off.
- 6. Avoid Public Wi-Fi
It may be convenient to connect to a public Wi-Fi network, but think again! If the Wi-Fi network does not require a password, then anyone nearby can listen in on your computer’s traffic. Some public Wi-Fi networks are deliberately set up in the hope that people will use them, so that the operator can steal information or credentials.
Remember that just like you lock your front door to protect the valuables inside, these days you also need to lock your IoT devices to protect your information and your privacy.
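Step 1 above contrasts a short "complex" password with a long passphrase. As an added illustration (not code from the newsletter), the block below estimates password strength in two ways that a password audit would use: the brute-force search space implied by length and character classes, and the random-words model for a passphrase drawn from a word list. It also flags cheap-to-guess patterns, which is why 1qaz!QAZ scores far lower in practice than its character mix suggests: it is a vertical walk down a QWERTY keyboard column. The character-class sizes, the QWERTY column list, the 12-character "short" threshold and the sample inputs are all assumptions made for this example.

```python
import math
import re

# Printable-ASCII character classes for the brute-force search-space model.
# 95 printable characters = 26 lower + 26 upper + 10 digits + 33 others.
_CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]

# Vertical key columns on a US QWERTY keyboard (assumed layout). Walking down
# a column, as in "1qaz", is one of the first things a guessing tool tries.
_QWERTY_COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb",
                   "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]

SHORT_THRESHOLD = 12  # assumed minimum length for this example's audit


def charset_bits(secret: str) -> float:
    """Bits of search space if an attacker had to try every string of this
    length over the character classes actually present. This is an upper
    bound: it credits 1qaz!QAZ with 8 * log2(95) bits it does not really have."""
    alphabet = sum(size for pat, size in _CLASSES if pat.search(secret))
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Bits for a passphrase of word_count words chosen independently and at
    random from a list of dictionary_size words (e.g. 5 words from 7776)."""
    return word_count * math.log2(dictionary_size)


def weakness_flags(secret: str) -> list:
    """Cheap-to-guess patterns that the character-class estimate ignores."""
    flags = []
    low = secret.lower()
    if any(col in low or col[::-1] in low for col in _QWERTY_COLUMNS):
        flags.append("keyboard-walk")
    if re.search(r"(.)\1{3,}", secret):          # e.g. 1111, aaaa
        flags.append("repeated-character")
    digits = "0123456789"
    runs = [digits[i:i + 4] for i in range(7)]
    if any(r in secret or r[::-1] in secret for r in runs):   # e.g. 1234, 4321
        flags.append("sequential-digits")
    if len(secret) < SHORT_THRESHOLD:
        flags.append("short")
    return flags


def audit(secret: str) -> dict:
    """Summarise one candidate secret for a human reader."""
    return {
        "length": len(secret),
        "charset_bits": round(charset_bits(secret), 1),
        "flags": weakness_flags(secret),
    }


if __name__ == "__main__":
    # Constructed samples: the two strings quoted in step 1 above.
    for candidate in ("1qaz!QAZ", "Mydogsliketochasethechickensaroundtheyard!"):
        print(candidate, audit(candidate))
    print("5 random words from a 7776-word list:", round(passphrase_bits(5, 7776), 1), "bits")
```

The flags matter more than the raw bit count: a guessing tool works from lists of keyboard walks, digit runs and leaked passwords before it ever brute-forces, so a short password that trips a flag should be treated as weak regardless of how many character classes it mixes.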
2020-04 What You Need to Know About COVID-19 Scams
April 2020
Taking advantage of current events is a common tactic that cybercriminals use to fuel their malicious activities. With the global pandemic of COVID-19 and an overwhelming desire for the most current information, it can be difficult for users to ensure they are clicking on reliable resources. So far, the MS-ISAC has seen malicious activity come through just about every channel: email, social media, text and phone messages, and misleading or malicious websites.
The range of current malicious activity attempting to exploit COVID-19 worldwide varies. A few common examples include:
- - Fake tests or cures. Individuals and businesses have been selling or marketing fake “cures” or “test kits” for COVID-19. These cures and test kits are unreliable, at best, and the scammers are simply taking advantage of the current pandemic to re-label products intended for other purposes. For more information on fraudulent actors and tests, check out resources from the U.S. Food and Drug Administration (FDA).
- - Illegitimate health organizations. Cyber criminals posing as affiliates of the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), doctor’s offices, and other health organizations will try to get you to click on a link, visit a website, open an attachment that is infected with malware, or share sensitive information. This malicious activity might arrive as a notice that you have been infected, that your COVID-19 test results have come back, or as a news story about what is happening around the world.
- - Malicious websites. Fake websites and applications that claim to share COVID-19 related information will actually install malware, steal your personal information, or cause other harm. In these instances, the websites and applications may claim to share news, testing results, or other resources. However, they are only seeking login credentials, bank account information, or a means to infect your devices with malware.
- - Fraudulent charities. There has been an uptick in websites seeking donations for illegitimate or non-existent charitable organizations. Fake charity and donation websites will try to take advantage of one’s good will. Instead of donating the money to a good cause, these fake charities keep it for themselves.
Government Efforts to Reduce COVID-19 Malicious Activity
The Department of Justice (DOJ) is actively seeking to detect, investigate, and prosecute cyber threat actors associated with any wrongdoing related to COVID-19. In a memo to the U.S. Attorneys, Attorney General William Barr said, "The pandemic is dangerous enough without wrongdoers seeking to profit from public panic and this sort of conduct cannot be tolerated." Individually, most state law enforcement agencies and other judicial officials are also treating these malicious actions as a high priority. More information can be found at https://www.justice.gov/coronavirus.
Additionally, the FDA has been taking action to protect consumers from fraudulent and deceptive actors who are taking advantage of COVID-19 by marketing tests that pose risks to patient health. If you are aware of any fraudulent test kits or other suspect medical equipment for COVID-19, you can report them to the FDA by emailing FDA-COVID-19-Fraudulent-Products@fda.hhs.gov. The FDA is now aggressively monitoring and pursuing those who place the public health at risk and are holding these malicious actors accountable.
Recommendations
Exercise extreme caution when handling anything with COVID-19-related subject lines, attachments, or hyperlinks, whether in emails, online apps, or web searches, and especially when unsolicited. Additionally, be wary of social media posts, text messages, or phone calls with similar messages. Be vigilant, as cyber actors are very likely to adapt and evolve with the nation’s situation and continue to use new methods to exploit COVID-19 worldwide. By taking the four precautions below, you can better protect yourself from these threats:
- - Avoid clicking on links and attachments in unsolicited or unusual emails, text messages, and social media posts.
- - Only utilize trusted sources, such as government websites, for accurate and fact-based information pertaining to the pandemic situation.
- - Federal Emergency Management Agency (FEMA) recommends only visiting trusted sources for information such as coronavirus.gov, or your state and local government’s official websites (and associated social media accounts) for instructions and information specific to your community.
- - NEVER give out your personal information, including banking information, Social Security Number, or other personally identifiable information over the phone or email.
- - Always verify a charity’s authenticity before making donations. For assistance with verification, utilize the Federal Trade Commission’s (FTC) page on Charity Scams.
For more information
If you think you’re a victim of a scam or attempted fraud involving COVID-19, or you think you know of a scam or fraud, you can report it without leaving your home:
- - Contact the National Center for Disaster Fraud Hotline via email at disaster@leo.gov or by phone at 866-720-5721, or the FEMA Disaster Fraud Hotline at 866-720-5721, to report frauds and scams, including personal protective equipment (PPE) hoarding or price gouging;
- - Report scams and frauds to the Cybercrime Support Network; and
- - File a complaint for criminal activity by contacting your local law enforcement agency.
Additional Resources
2020-03 Social Media: The Pros, Cons and the Security Policy
March 2020
Risks & rewards of social media
Social media is a great tool in your organization’s communications toolbox. Many Americans have accounts on at least one platform and expect to find pages for their favorite brands and communities. If used correctly, it can have many benefits:
- - Providing real-time information. Social media enables organizations to provide information in real-time. This is especially useful if your organization needs to communicate important information quickly. For example, if your organization experiences a time sensitive incident, such as a data breach, you can use social media to share pertinent information and provide steps your followers can take to remediate the damage. Government entities can use social media to disseminate information about programs and public meetings, changes in schedules, road work, and other information that constituents need to know about.
- - Answering questions. Social media allows consumers to ask organizations questions and provide feedback. This means you know what information and product features they want, what you are doing well, and where you can improve. You can change your customer service processes, add new products or change existing ones, or keep doing what you do well. Most importantly, you can be responsive to your customers, which will help grow your image and your business.
- - Humanizing your organization. Consumers can get to know your brand and the people behind it, and vice versa. Because the conversation is person-to-person and not bot-to-person, a company can reach customers using social media in ways that other marketing and advertising can’t. For example, you can adopt a more human voice through social media than you would through traditional advertising. Even a simple “Please PM your information so we can look into your concern” can go a long way toward keeping a current customer happy and maybe getting some new ones.
Of course, the unicorn is the post that goes viral for the right reasons. However, not everything looks rosy when it comes to organizations using social media.
Building a security-focused social media plan
Privacy and security risks associated with social media platforms only increase as the number of users and platforms grow. Cybercriminals mine social media accounts to get valuable intelligence that they can use in malicious campaigns. All organizations should develop a social media policy that takes cybersecurity and privacy into account. The first step is to develop a social media policy that includes what can be posted, who can post, and on what devices (e.g., can they use their personal device, or does it have to be a company-owned device?), and who is responsible for keeping and changing passwords. These are just some of the things that should be addressed; there are guides that will help you write a detailed plan.
Below are a few tips for developing a secure social media plan in your organization:
Securing our connected future
Social media has proven to be a powerful communications tool for both business and government organizations, but its powers can be used to harm as well as help. A solid social media policy and security plan that is implemented with care will vastly improve your social media strategy and protect employees’ privacy.