CHAPTER 6


Protect Yourself and Your Organization

Every time you write an email, it is in the public domain. There are all these ways where security is not as good as people believe.

—PETER THIEL, cofounder of PayPal, venture capitalist, philanthropist, and author

You don’t want this to happen to you: Lynn (not her real name) lost $8,000 from her checking account through a rather unique scam pulled off by a clever identity theft ring. Here’s how it happened.

Lynn gets a call from the toll-free number of her financial services firm (let’s call them RWA), through which she has a mortgage, savings and checking accounts, and a debit card. The very professional, articulate woman on the phone follows RWA’s customary protocol regarding outreach and member verification. She identifies herself as an agent of the Fraud Department, calling due to a fraud alert on Lynn’s account regarding charges that seem to be outside her normal spending patterns. The RWA agent asks Lynn if she has charged $142 at Walmart in LA or has purchased a $628 one-way ticket from LAX.

Alarmed, Lynn tells the RWA agent that these are definitely unauthorized charges. So the agent proceeds with the process to cancel Lynn’s credit card and issue a replacement card.

As part of the process, the agent confirms Lynn’s address and asks her to verify the 3-digit code on her debit card.

At that request, Lynn feels uncomfortable giving that information without more verification from the agent that she is indeed an authorized RWA agent. So the agent confirms more information about Lynn, specifically her date of birth and her social security number.

After the RWA agent reassures her with that further personal information, Lynn gives the agent the 3-digit code on her debit card. The agent then instructs Lynn to discard her current debit card and to expect a new one via Federal Express the next day.

Five minutes later, Lynn receives another call from the same RWA toll-free number from the same agent. She advises Lynn that there is one more step before she can overnight the new debit card: She needs to send Lynn a text message with a security code, and Lynn is to read it back to her.

Lynn does as she is told to complete the verification process and get her replacement credit and debit card. They end the call.

Within minutes, Lynn starts getting text alerts from the real RWA about withdrawals from her account: 10 ATM transactions of $800 each. Initially, Lynn thinks these alerts involve the same “unauthorized charges” the “fraud agent” called her about just a few minutes earlier.

But growing more uneasy, Lynn calls RWA’s Fraud Department directly. The real RWA fraud representative confirms her fears: RWA did not call her to report suspicious activity. There are no fraudulent Walmart or LAX charges on her account.

At that point, Lynn learns the unfortunate truth: She has been scammed.

Since the scamming incident, with the help of RWA’s investigative team, Lynn has discovered how the thief managed to pull off this scam. Someone had been calling RWA by spoofing Lynn’s mobile number for weeks leading up to this event. Each time the person called RWA, they attempted to get past certain security barriers. Eventually, over time and with several calls, the identity thief found someone at RWA willing to give out tidbits of Lynn’s personal information and allow her to increase the ATM withdrawal limit without RWA’s 2-step authentication process.

Lynn also learned that her debit card had been swiped by a third party (indicating an identity theft ring). A duplicate “scan card” was manufactured so that it could be used at an ATM.

While much of the scam happened by phone, some of the interaction happened by email and text—particularly within RWA. And even the phone interactions with the thief could conceivably have been pulled off by text and email had that been the thief’s channel of choice (more about that later).

For now, the point needs no repetition: Cyberspace is shark-infested, and email accounts provide chum. As a user, your chances of becoming a victim are high. According to the UNC survey, 28 percent of respondents reported being a victim of an email scam. Here are the various ways they were scammed (the numbers total more than 100 percent because some victims were scammed more than once).

33%  Clicking on a link in an email

28%  Opening an attachment

27%  Opening an email from a sender they thought they recognized

10%  Through a combination of email, text, and phone

27%  Having an email account hacked


DOUBLE-CHECK THE SENDER’S EMAIL ADDRESS

You are your best defense in protecting your own email. You’ve heard the caution, “Don’t open emails or click on links from people you don’t know.” That warning doesn’t get specific enough.

Hackers and thieves have become snoopers, using social media to pilfer and “borrow” your friends’ names. So even when you recognize the email sender’s name, check out the domain name in the email address. Verify that there’s not a period, apostrophe, comma, double letter, or some other strange symbol at the beginning or end of their name or domain name in the email address.

Unfortunately, I have my own email scam story to add to the annals of email scams and Internet thievery. Here’s how the thief grabbed my credit card by email—during the writing of this book, no less! (Believe me when I say I’m a skeptical soul—but one who was in a big hurry that day.)

A month before the incident, a friend of mine (I’ll call her Jena Storm) had her email address spoofed. Someone emailed me as “Jena Storm,” sending me a link to a party invitation that week. I knew it wasn’t on the up and up because the real Jena was out of the country. So I let my friend Jena know about the incident, assuming she would investigate and then change her address and/or password immediately.

A month later (the morning of the scam), Jena and I are commenting back and forth on Facebook about food and diets—a typical topic for us. I mention that I want to lose seven pounds before a big conference—but that I’ve had house-guests over the weekend and have been cooking and eating far too much!

A few minutes later an email from “Jena Storm” pops into my inbox with this cryptic message: “Interested in this?” (followed by a link).

I glance at the three-word message, remembering our earlier Facebook “conversation,” and click. It’s an ad for a supplement. Although I’ve never in my life bought such a product, I thought, “Why not?” Jena buys supplements all the time. After all, the site looks professional and is loaded with testimonials from well-known people. Within two minutes of inputting my card number, I do a double-take of Jena’s email address. It’s her name all right, but a different domain. I text my friend: “What’s your new email address after you got spoofed or hacked or whatever on vacation?”

Check incoming email for smudged images, odd lettering, unfamiliar domains, and poor grammar.

“I haven’t changed it yet. No one else mentioned that they got a bad email from me. . . . Sorry.”

The sinking feeling hit in the pit of my stomach. I immediately called my credit card company to cancel the card. Scammed and cancelled all within about four minutes. Next time I may not be so fortunate.

So to repeat the warning: Stay alert! Call an organization or a friend directly if the email name or domain name in the address looks odd for any reason.

A hacker’s email may look strange for any number of reasons. A dead giveaway is the grammar: Typically, articles (the, a, an) are missing, and verb tenses are incorrect. Logos and other images may look a little “off.” The email address may look exact—except for an apostrophe or comma at the beginning or a double letter in the center that’s almost unnoticeable at a glance.
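As an added illustration (not from the book), here is the address check the last two paragraphs describe, written as a small Python script. It assumes a constructed contact book mapping a display name to the address you already know for that person, and flags the tells the chapter lists: stray punctuation at the start or end of the name or domain, and a domain that is only a character or two away from the one you expect (an inserted period, an apostrophe, a doubled letter). Edit distance is used to tell a look-alike domain from a plainly different one.

```python
import re
from email.utils import parseaddr

# Constructed contact book for this example: display name -> the address you already
# know for that person. In practice this would come from your own address book.
KNOWN_CONTACTS = {
    "jena storm": "jena.storm@example.com",
    "rwa fraud department": "fraud@rwa.example",
}

# Anything other than a letter or digit at the very start or end of a mailbox name
# or domain is one of the tells the chapter describes.
EDGE_PUNCTUATION = re.compile(r"^[^a-z0-9]|[^a-z0-9]$")


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits (insert, delete,
    substitute) needed to turn a into b. A small distance means a look-alike string."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca with cb
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return a list of warnings about a From: header value. An empty list means the
    address is exactly the one you already have on file for that display name."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["no parsable address in the From: header"]
    local, domain = addr.rsplit("@", 1)
    warnings = []
    if EDGE_PUNCTUATION.search(local) or EDGE_PUNCTUATION.search(domain):
        warnings.append("punctuation at the start or end of the name or domain")
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known is None:
        warnings.append("sender is not in your contact list; verify by another channel")
    elif addr != known:
        known_domain = known.rsplit("@", 1)[1]
        distance = edit_distance(domain, known_domain)
        if distance == 0:
            warnings.append("known name and domain, but a different mailbox")
        elif distance <= 2:
            warnings.append(f"look-alike domain: {domain} is {distance} edit(s) from {known_domain}")
        else:
            warnings.append(f"known name but unfamiliar domain {domain}")
    return warnings


if __name__ == "__main__":
    # Constructed From: headers, one per case the check distinguishes.
    for header in [
        "Jena Storm <jena.storm@example.com>",
        "Jena Storm <jena.storm@exxample.com>",
        "Jena Storm <jena.storm@promo-mailer.example>",
        "Jena Storm <'jena.storm@example.com>",
        "Someone New <new@unknown.example>",
    ]:
        print(header, "->", check_sender(header) or ["matches your contact book"])
```

The second header is the "double letter in the center" case from the text: the script reports it as one edit away from the address on file, which a glance at the inbox would miss. A warning is a prompt to confirm by another channel, as the chapter advises, not proof of fraud.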

Instead of clicking the link or calling the number in the email, look up the actual number from your own directory to see if the company has actually sent such a document. Typically, they’ll have a special mailbox where you can forward the questionable email so they can investigate.

Last, keep in mind that just because an organization or individual has a profile on LinkedIn or Twitter with a few thousand followers doesn’t guarantee that he or she won’t email you a link taking you to dangerous places. Your sender may not even be aware that the link included in his or her marketing email leads to a site that has been recently infected. Landing on one of these sites can lead to a very bad day.

One other scary—and embarrassing—thought before we leave this topic: Having your email account hacked and not knowing it! On several occasions, I’ve received an email from a hacked friend’s account that read something like this: “Dianna, As you may have heard, I’ve been on a speaking tour in East Africa for the past 3 months. I got sick while there and was hospitalized. (Long story) But just as I was being released, I discovered that my passport and all my belongings had been stolen. Unable to connect with anyone on the outside at the moment. Could you wire $200 to XXXXXX so that I can get transportation to the nearest embassy. Will call as soon as I’m back in the States.” (Only the details vary in these emails.)

Within hours—but sometimes days—the real owner of the email account sends the follow-up message: “Sorry about the earlier email. I’ve been hacked. I’m quite healthy, have my passport in my pocket, and am safe and sound in Des Moines.”

If you’re in doubt about whether your email account has been hacked, check your SENT folder for any nefarious emails. You may have to check that folder on your local machine and at the server level. That doesn’t mean, of course, that the hacker has sent out emails under your address. The hacker may simply be snooping around in your email for other information, such as credit card numbers or bank account information. (Doesn’t that make you feel better?)

BEWARE ATTACHMENTS—YOURS AND THEIRS

For years, reporters have not accepted pitches, articles, or press releases (even hot news stories) as attachments. Their routine email auto-response: “Please copy any attachments you’re sending into the body of your email and resend.”

Shocked because they intend to send along a long press release or story, the emailer responds to that notice: “But this release is 800 words, two full, single-spaced pages.”

The reporter replies again: “That’s fine. Please copy and paste it into the body of your email.”

Point made. Attachments deliver viruses of the very worst kind.

INSTALL ANTIVIRUS AND ANTI-MALWARE PROGRAMS

According to the UNC survey, roughly three-fourths (73 percent) of email users are unprotected! Although 41 percent of the respondents report that they do have an antivirus software program installed, that’s not enough in today’s environment. While antivirus programs serve as a first line of defense against common viruses, anti-malware protects against much more: viruses, malicious software, spyware, adware, ransomware, trojans, worms, and the like.

You need both antivirus and anti-malware programs installed on any computer where you access email (popular programs include Bitdefender, Norton, Trend Micro, McAfee, Webroot, and Kaspersky). And after you’ve paused the software for some reason, such as investigating a compatibility issue, click the “Auto-restart after X minutes” button. Never trust your own memory to restart the protection program.

CREATE UNIQUE PASSWORDS

Each year, various security experts publish lists of the most frequently used passwords. Here’s SplashData’s Top 25 Passwords on the last available list:

1.   123456 (unchanged)

2.   Password (unchanged)

3.   12345678 (up 1)

4.   qwerty (up 2)

5.   12345 (down 2)

6.   123456789 (new)

7.   letmein (new)

8.   1234567 (unchanged)

9.   football (down 4)

10.   iloveyou (new)

11.   admin (up 4)

12.   welcome (unchanged)

13.   monkey (new)

14.   login (down 3)

15.   abc123 (down 1)

16.   starwars (new)

17.   123123 (new)

18.   dragon (up 1)

19.   passw0rd (down 1)

20.   master (up 1)

21.   hello (new)

22.   freedom (new)

23.   whatever (new)

24.   qazwsx (new)

25.   trustno1 (new)

Add to this Top 25 list other common words from pop culture or the hit movies of the year or decade and you’ve just about maxed out your colleagues’ creativity. It will take hackers only seconds to hack these passwords. If you’re serious about security, you have to do better than your uncreative colleagues.

While 45 percent of the UNC respondents say they do use unique passwords for each email account, that leaves 55 percent who do not. If you fall into this less creative or less-motivated group, here’s help. Consider the characteristics of strong passwords:

•   Long (up to the maximum your system will allow)

•   A combination of upper- and lowercase letters, numerals, and special characters

•   Unique to each email account, site, or server where you log in

•   Unique to you

Given these specs, how do you create—and remember—unique email log-ons if you have multiple email accounts and change passwords frequently? Or dozens or even hundreds of passwords for other accounts? Develop a scheme for creating new passwords. For example:

•   The first letters of the first five words of a song, nursery rhyme, movie title, or poem (I Will Always Love You by Whitney Houston, the top movie song of all time = IWALY)

•   Your brother’s initials in caps (THJ)

•   Your best friend’s birth year

•   Two symbols (##)

Or whatever. Create your own password scheme. Then when you change your log-on password from time to time, change the “song” component or the symbols. You get the idea.

Then, after going to the trouble to be creative, don’t be careless. Keep your passwords safe. Log off when you leave your computer unattended. Set a password on your screensaver and activate it.
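The following Python script is an added example, not part of the book, that turns the four characteristics listed above and the scheme that follows them into checks you can run: it assembles a password from the scheme's components, scores it against the characteristics (length, mix of character classes, absence from the Top 25 list quoted in this chapter), and finds passwords reused across accounts. The minimum length of 12 is an assumption made for the example; the chapter says to use as much length as the system allows. "Unique to you" cannot be tested mechanically and is left to the reader.

```python
import string

# The SplashData Top 25 quoted in this chapter, lowercased for comparison.
TOP_25 = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789", "letmein",
    "1234567", "football", "iloveyou", "admin", "welcome", "monkey", "login",
    "abc123", "starwars", "123123", "dragon", "passw0rd", "master", "hello",
    "freedom", "whatever", "qazwsx", "trustno1",
}

# Assumed threshold for this example; the chapter's rule is "as long as your system allows".
MIN_LENGTH = 12

# The character classes the chapter says a strong password should combine.
CHARACTER_CLASSES = {
    "lowercase letters": str.islower,
    "uppercase letters": str.isupper,
    "digits": str.isdigit,
    "special characters": lambda c: c in string.punctuation,
}


def build_from_scheme(phrase_initials, initials, year, symbols):
    """Assemble a password from the components of the chapter's scheme:
    phrase initials + a relative's initials + a year + two symbols."""
    return f"{phrase_initials}{initials}{year}{symbols}"


def assess_password(password):
    """Return the list of characteristics the password fails. An empty list means it
    passes every check that can be tested mechanically."""
    problems = []
    if password.lower() in TOP_25:
        problems.append("appears on the most-used passwords list")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, test in CHARACTER_CLASSES.items():
        if not any(test(c) for c in password):
            problems.append(f"missing {label}")
    return problems


def find_reused(accounts):
    """accounts maps account name -> password. Returns {password: [accounts]} for every
    password shared by more than one account, i.e. the 'unique to each account' rule."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed values for the scheme components; the year and initials are made up.
    candidate = build_from_scheme("IWALY", "THJ", "1987", "##")
    print(candidate, "->", assess_password(candidate) or ["meets all checks"])
    for pw in ["Password", "passw0rd", "trustno1"]:
        print(pw, "->", assess_password(pw))
    # Constructed account list to show the reuse check.
    print(find_reused({"bank": "IWALYTHJ1987##", "shop": "IWALYTHJ1987##", "mail": "IWalyTHJ1987!!"}))
```

Running it shows one thing the lists alone do not: the scheme's components as written (initials in caps, a year, symbols) contain no lowercase letters, so the checker flags that class as missing; varying the case of the song initials fixes it.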

CHANGE PASSWORDS FREQUENTLY

With a system similar to what’s detailed above, remembering your log-ons proves easier. But if you’re logging into multiple email accounts (the average user has more than 3.7 email accounts, according to the UNC survey) plus all other accounts, you’ll need something beyond your memory to enable you to change passwords frequently. Once again, survey responses suggest a lax attitude about security: The largest group (38 percent) change passwords only when prompted or forced to do so.

Use a password manager (like LastPass, Dashlane, LogMeIn, or 1Password) to keep all your passwords safe and manage them easily. You’ll have only one password to remember.

These programs will generate a unique password for you for each account if you prefer to use their computer-generated passwords. However, security experts report that hackers get past those system-generated passwords faster than your own unique ones. So here’s the best idea: Create unique passwords for your accounts based on your own devised scheme. Then use a password manager to store and remember the unique passwords for you.

USE TWO-STEP AUTHENTICATION WHERE POSSIBLE

Some users complain about the added time required to gain access with a two-step authentication process. But when compared to the time needed to deal with a stolen ID, the extra time for prevention is minuscule.

USE MULTIPLE EMAIL ACCOUNTS

Set up different email accounts for different purposes. Handle your banking and investments from one account. Do online shopping and credit-card purchases with a separate account. Use disposable addresses for other purposes such as downloading freebies. Keep a general email account for your personal or family correspondence. If one account gets hacked, that limits the damage of what a hacker can learn to that single account.

SEGMENT YOUR NETWORK

At home, segment your Wi-Fi network into three areas: one for guests, one for kids, and another for adults. Otherwise, any guest in your home can pick up your Internet traffic and potentially see your passwords as you log on. If you are not technically proficient enough to do that, follow the steps the service provider typically shows on its website. Another option: Watch a YouTube video to learn how.

REMEMBER THAT EMAIL “LIVES” FOREVER

If we have learned one thing from political and corporate scandals, it’s this: Emails don’t go away when deleted. They live forever either on a hard drive (until it’s wiped clean), on an organization’s server, or in cloud storage. And if that’s not enough places to worry about, some colleague probably got copied along the way and has a backup stored.

So assume that whatever you write in an email may eventually be read by others who may not be pleased. If it’s derogatory, your words could jeopardize your job or ruin you financially. Examples fill the news almost daily of corporate and nonprofit executives who’ve been dismissed when their emails containing sexual innuendoes, racial slurs, or unpopular political views surfaced.

Think twice—or five times—about emails you write or documents you forward on company systems. In particular, concern yourself with comments about suppliers, potential suppliers, or clients. They owe you no loyalty.

Should an ugly situation arise at work about which you’ve offered comments in an email, you could be in for some sleepless nights and grueling days.
