12.12.17

Happy holidays, scam spotters!

The Identity Theft Resource Center – @ITRCSD – invited researchers from ESET North America to take part in a Twitter chat, a holiday edition of their #IDTheftChat. The conversation related to scams targeting businesses and consumers, which always seem to increase dramatically at this time of year. The chat took place on December 7th 2017, and you can read the whole thing using that hashtag. However, here are the contributions from Lysa Myers, Aryeh Goretsky, and David Harley.
@ITRCSD: Q1: An @AARP survey discovered that 70% of U.S. shoppers failed a short quiz on how to stay safe from holiday #scams. What are some tips for safe #shopping this season?
Aryeh: Scams often prey on victims by offering something which sounds “too good to be true.” If it sounds too good to be true, it probably should be avoided.
Lysa: Enable 2-Factor Authentication on your online accounts wherever it’s available. Use credit rather than debit cards if you can, especially online.
Q2: How are #businesses also targeted by Grinches looking to steal valuable data?
Aryeh: Businesses are often sent fake invoices and waybills which install ransomware. Teach staff to avoid these. If questionable, ask your IT dept to look at it. E-cards have been a target in the past and may be used again in holiday-themed attacks.
Lysa: Many breaches are facilitated by stolen credentials. Make sure staff get regular, positive training for recognizing and avoiding phishing and other scams that use social engineering.
Lysa: Thieves often enter networks by exploiting vulnerabilities in software. Updating promptly can help, but for those systems that can’t be quickly updated, utilize layers of protection to help mitigate risk.
Q3: What kind of impact can #DataBreaches have on businesses and their customers?
Aryeh: A data breach can put a company out of business and subject its owners to fines in the 100Ks to millions range.
Lysa: Lost time and productivity are the most obvious impact. Regulatory fines and lawsuits are also a huge potential impact. Don’t discount the loss of reputation – studies show that this can be a significant $$$$ hit.
Q4: If a #breach does occur, it can feel like a real lump of coal. What are some tips for businesses to stay on the nice list with customers?
Aryeh: Create a policy for handling a data breach, and test it 1-2× a year to see how well it works.
Lysa: Businesses’ response in the wake of a breach can make a huge impact on the loss of reputation. Notifications that are quick, orderly and informative are a much easier pill to swallow.
Lysa: Have a breach-response policy in place (and kept updated!) beforehand so that you know who must do what, and when. This will decrease the number & severity of possible errors that could compound loss of trust.
Q5: Mail theft also increases during the holidays. How can you stop a shady snowman?
Aryeh: Get your mail promptly and don’t leave it out all day. Consider a locked mailbox. Place a security camera on your mailbox to record thieves.
Q6: Looking to be Santa’s helper? What kind of employment scams should you look out for?
Aryeh: Be aware that employment offers of guaranteed work-from-home, secret shopper or shipping of packages are usually scams.
David: Some job scams are seasonal. Here are some tips that apply to job scams in general, though.
· Check that the company offering the job exists before you respond to job offers by email. Especially if you haven’t been looking for job offers.
· If the company exists, check with them directly – and not via the email or contact points linked in the message – that the jobs exist.
· Be suspicious of poor English and presentation. But don’t assume that good presentation = a genuine offer.
· If they insist on making your travel and visa arrangements, be deeply suspicious. Run like the wind in the opposite direction if they want you to pay in advance.
· Many email providers offer free addresses with minimal or no identity checking. Reputable, reliable companies don’t usually use them to make job offers.
· An organization large enough to have a Human Resources Department yet so tightfisted as to restrict it to a free email account on mail.com (for example)? Unlikely…
· An old article here, but has lots more points to watch for:
Q7: Ho-ho-hold on. What are some common holiday #phone scams & tips to protect your information & #finances?
Aryeh: Watch out for fake callers pretending to be from banks, Microsoft support, businesses saying you’ve won a prize or surveys offering a free cruise. They are scams.
Lysa: If you haven’t already, now is a good time to consider freezing your credit.
Lysa: Do you make (and test!) regular backups of your data? Do you encrypt sensitive files on your hard drive or on mobile devices? Have you enabled 2 Factor Authentication?
Q8: Don’t follow that scammer under the mistletoe! How can you spot a sweetheart #scam?
Aryeh: Romance scams prey on older single people. Watch out for unexpected friend requests from people across the country or that claim to be serving overseas.
Q9: “But first, let me take an #Elfie.” Best tips for not oversharing on #social media?
Aryeh: Don’t share information that contains your address/location or holiday travel plans. These let crooks know what, where and when to rob you.
Lysa: The Internet is forever: you can’t put the metaphorical toothpaste back in the tube. Before sharing, ask yourself if you would be comfortable with a total stranger, law enforcement, your boss, or your mom/child seeing this?
David: Remember that even if you only share info with people you trust, they may not be as careful as you are. Your friends may be well-intentioned, but they aren’t necessarily security-savvy.
Q10: Please share more resources for having a merry and safe holiday season both online and offline!
Aryeh: Visit welivesecurity.com for the latest on scams, tricks and threats.
@ESET: And don’t forget our #GiveSecurity contest is still running on Instagram! Enter by 12/22 and you could win a MacBook Air, Samsung Tab S3 and more! https://www.eset.com/us/givesecurity/