Beware Tax Season Scams


Tax season is upon us again and the hackers have been busy with a slew of old and new tricks to try to steal tax refunds. Here are some of the new and old tricks that hackers are employing this tax season and some tips on how you can avoid being taken advantage of by cyber-criminals.

A New Twist to an Old Game

Who wouldn’t be happy to get a bunch of money deposited in their bank account by surprise from the IRS?! Unfortunately, the IRS is not handing out money: this is a new, elaborate scam by hackers to swindle both you and the IRS. Hackers use your personal information to file a fraudulent tax return on your behalf, but have the refund deposited into your bank account. Then they fall back on their old scam of calling or emailing you, claiming to be the IRS, and demanding that you send the money back.

Thanks, Equifax…

Due to the massive Equifax data breach, the IRS is expecting a huge uptick in the number of fraudulent filings. To try to help combat some of the fall-out, each employer has been assigned a special Employer Code that is found on the W-2 form to try to make sure that fake W-2s are not used to file claims.

The IRS has also encouraged everyone to file their claims as quickly as possible, so as not to allow hackers a chance to put in a fake claim before you do. If two (or more) claims are filed with your social security number, the IRS will notify you by snail mail (the IRS does not email or call).

If you try to eFile and a claim has already been filed, your claim may be rejected and you will need to contact the IRS (also because of the Equifax data breach, contact the FTC).

Even Children are Affected…

A worrisome discovery this tax season has been the sale of infant and child personal information on the Dark Web. Hackers are even promoting the sale of this information by advertising that it is tax season and that buyers should get the data before someone else uses it. The troublesome aspect of having children’s personal information for sale on the Dark Web is that very few parents actually monitor the credit of their youngsters, so they may not discover a fake identity for years, or even 16-17 years down the road when the child is grown and starts applying for college or credit.

The ol’ W-2 Phishing Scam

Despite IRS warnings and tons of news the past couple of years, hackers are still tricking businesses into sending their employee records. A few years ago, the IRS warned companies about falling for the W-2 scams, but despite the continued warnings, businesses (and even government offices like the City of Keokuk, Iowa and Batavia, Illinois) are still falling for phishing scams posing as the company CEO or executives asking for employee summaries and W-2s.

Employees may be your business’ greatest weakness but they also can be your greatest defender if you take the time to educate them. Inform your employees who have access to sensitive employee data about these types of scams. Don’t just assume that they know.

Teach your employees how to identify phishing scams, and when it comes to sharing sensitive data, encourage them to seek verbal approval from the requestor. Even though scammers state there is extreme urgency in receiving the response, getting a verbal confirmation from the sender is the best way to protect sensitive information (the same goes for urgent requests for wire transfers to the Finance Department!).

Lastly, sensitive employee data should never be transmitted unencrypted (even if it’s thought to be internal).

Tax Season is Also Phishing Season


As tax season is upon us, it is important to remind ourselves of whaling campaigns, which essentially are phishing scams but on a much larger scale. Whaling scams typically target large amounts of sensitive employee data (tax season = W2’s) or wire transfers for fake invoices. During tax season in 2016, cyber criminals successfully targeted 41 organizations for employee W-2 information. One particularly bad W-2 whaling scam led to the University of Kansas employee paychecks being diverted from their accounts after they received fake emails asking them to update payroll information.

Whaling scams catch people by surprise because they believe that they are receiving a legitimate request from inside their own organization (CEO, CFO, HR). The emails play on emotions with orders for urgent actions to pay invoices, update payroll information, or the need to file tax statements.

Phishing for W-2’s

During tax season, whaling campaigns are particularly lucrative for cyber criminals because with the W-2 information, they can file false tax returns and divert refunds from the actual person. Prior to last year, the IRS would not alert a person if it detected fraudulent tax filings, but with the recent spate of data breaches and the number of false filings, the IRS now analyses filings for consistency against previous years and will alert the taxpayer if it notices inconsistencies.

Even with all the checks in place, there were still around 275,000 claims of taxpayer identity theft reported to the IRS in 2016, and Experian’s Data Breach group handled more than 70 cases each week tied to W-2 schemes.

Whaling for Big Paydays

In April 2015, Mattel fell to a massive whaling scheme that saw $3 million diverted to Chinese cyber criminals. Luckily for Mattel, the money was wired over a Chinese holiday and they were able to work with the Chinese authorities to recover most of the funds.

In May 2016, the CEO and CFO of an Austrian plane manufacturing company both lost their jobs after falling for a whaling scheme that cost the company nearly US$57 million. The company managed to recover some of the money but most of it disappeared into foreign bank accounts.

And in January 2016, a Belgian bank lost US$75 million after an email was sent requesting a money transfer to finalize an urgent business transaction.

So That’s the Bad News, Now How Can Organizations Combat Phishing?

Empowerment, verification, and employee education are key in combating whaling schemes. Anti-virus and anti-malware solutions will not stop phishing emails from being delivered or the links being clicked on or sensitive data being sent to the wrong person. It’s only when an employee is empowered to ask for verification and taught to question unusual circumstances that organizations will be able to defeat phishing scams.

The news of failure is constant, but there are success stories every day due to vigilant and aware employees. One such success story happened this week at a company that Axiom works with in Southern California. The “CEO” emailed his executive assistant and told her to wire money to someone right away. She thought it was odd, as he typically did not send those types of emails, and asked for verbal confirmation. The answer was “what are you talking about?” and Axiom was called for advice.

‘Tis the Season – The Season for Phishing


Christmas is coming early for phishing scam artists. The day after Halloween, my Inbox started filling up with alerts that I had won a $50 Amazon/Walmart/Costco Gift Card, packages I didn’t order began arriving from UPS/FedEx, LinkedIn change requests, and an assortment of other fanciful clickbait just begging to be clicked on.

Phishing email posing as LinkedIn. Look at the From email address, and look at the link (the name is spelled with a lower-case L in place of the capital I); hovering over the link also shows a completely different website address.


Many of us are smart enough not to be fooled into clicking on phishing emails, but a recent survey found that those of us who know the dangers of phishing still can’t properly identify 50% of the phishing emails that are sent.

Even though surrounded by cyber-security day-in and day-out, one of our employees recently fell for a phishing scam for iTunes credentials. It wasn’t until their credentials failed to log them into the “iTunes” site and someone connected to their iCloud account that it dawned on them that they had been taken by a scam. Scammers are good and the reason why we continue to get emails from Nigerian princes and Nelson Mandela’s wife is that people still fall for the scams and cyber-criminals continue to make a profit.

Hackers are gaining easy access to money, user credentials, and healthcare data through a variety of different phishing scams. And they are sending out an estimated 8 million emails a week. The City of El Paso had $3.2 million diverted through a whaling scam that sent legitimate vendor funds to the incorrect accounts. Bayside Healthcare potentially revealed the health records of 13,000 patients by having one of its employees fall for a phishing scheme.

There is one simple step that everyone can take to defend themselves against phishing attempts:  Hover over links in emails to see what site you are being directed to. Or even better yet, go directly to the vendor (Amazon, FedEx, banks, etc) to see if the offer or information is legit.

Podesta Phishing

The phishing email link that got John Podesta

Clicking on links directly from emails, even if they appear to be legit, carries risk. The email that led to the hack of John Podesta’s email came from a site whose address looked like it was part of the Google domain but really was not.

Often I see emails that appear to be from banks with an odd misspelling (bankfoamerica.com or welllsfargo.com – did you catch the problem?). Scammers have also been getting better at using proper English and grammar by hiring copywriters to make their emails more difficult to detect.
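The two checks described above, hovering to compare the visible link with its real destination and spotting one-letter misspellings of a bank’s domain, can be automated. The following is an added example, not code from the original post or from Axiom; the email body, the brand list and the two-character distance threshold are all constructed for illustration. It parses the anchors out of an HTML email with the standard library, flags links whose displayed URL points to a different domain than the real href, links that download executables, and hosts that sit within a couple of edits of a known brand.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of brands the mailbox owner actually deals with.
KNOWN_BRANDS = ["linkedin.com", "bankofamerica.com", "wellsfargo.com",
                "google.com", "amazon.com"]

# Constructed sample email body modelled on the lookalike tricks in the post.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention.</p>
<a href="http://www.linkedln.com/confirm">https://www.linkedin.com/confirm</a>
<a href="https://bankfoamerica.com/login">Sign in to Bank of America</a>
<a href="https://welllsfargo.com/verify">Wells Fargo</a>
<a href="http://cdn.example-host.test/update.exe">Update your profile</a>
<a href="https://www.google.com/">https://www.google.com/</a>
"""

def registered_domain(host):
    """Crude registrable domain: the last two labels (adequate for .com brands)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def edit_distance(a, b):
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse_links(html, brands=KNOWN_BRANDS):
    """Return one finding per link with the reasons it looks suspicious (if any)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        # 1. The visible text is itself a URL, but its domain differs from the real one.
        shown = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"display host {shown} != link host {host}")
        # 2. The link downloads an executable.
        if target.path.lower().endswith((".exe", ".scr", ".js", ".vbs")):
            reasons.append("link targets an executable file")
        # 3. The host is a near-miss of a brand we know (close but not equal).
        reg = registered_domain(host)
        for brand in brands:
            d = edit_distance(reg, brand)
            if 0 < d <= 2:
                reasons.append(f"{reg} is a lookalike of {brand} (edit distance {d})")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"], f["reasons"])
```

The edit-distance rule catches the transposition in bankfoamerica.com and the extra letter in welllsfargo.com, but a threshold of two edits will also fire on legitimately similar short domains, so in practice the brand list should be the handful of institutions the organization actually banks with, and a hit should route the message to a human rather than block it outright.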

For business owners, implement a system of checks-and-balances for sending funds to vendors or distributing sensitive employee information. Encourage your employees to question unusual and urgent requests for wiring money, even if they come from the highest levels of the company, because fraudsters are posing as the CEO, CFO, or HR Director to try to trick your employees.

Scammers take advantage of whatever season it may be to solicit information. During tax season, they pretend to be the CEO or HR Director looking for employee W-2s. During the Christmas season, they send great-sounding offers for gift cards and surprises from some of our favorite online stores to elicit information. So as the holiday shopping season is upon us, buyer beware… and buyer be wary. Scammers are out to get you and they are getting cleverer every day.

Don’t Get Baited by Phishing Scams


It seems that every day there is another company being hit with a new phishing scam—PayPal and Dropbox being some of the more notable of the recent victims. Because it is all over the news, we assume that we know exactly what phishing is; but do we really?

What it is & How it works


Phishing is a scam where cyber-criminals, sometimes referred to as ‘phishers’, impersonate seemingly trustworthy sources in order to send out electronic communication to their contacts (usually customers) in order to do one of two things: (a) to steal credentials and personally identifiable information (PII) from employees and clients, or (b) to infect the computer or company system with malware. The way they are able to do this is a systematic process that includes planning, setup, attack, and collection.

  1. Planning. First, phishers determine which businesses they want to target and how to get their email address list. This is usually by either stealing information from the social media accounts of finance and HR employees from networks such as LinkedIn, or by guessing employee email addresses, which they then use to infiltrate the company. It is easy for hackers to guess some employee emails if the company uses the standard formatting of ‘firstname.lastname@companyname.com.’ While this is easy for employees to remember, it is also easy for phishers to guess.
  2. Setup. Once they have decided on their targeted businesses, phishers determine their delivery method for the scam. Most of the time this is through email; however, the PayPal phishing scam is an example of one that uses social media as a means of tricking customers. Two fraudulent Twitter accounts were made to appear as though they were legitimate customer service accounts with an urgent message for users of the site. Targets have been lured into entering their PayPal credentials into the seemingly legitimate, but fake, pop-up page. This gives these cyber-criminals the information they need to steal PII from the users as well as transfer funds out of their PayPal accounts straight into the scammers’ pockets.
  3. Attack. This is the stage that most people think of when they think of a phishing attack. This is where the phishing message is actually sent out via whichever means the scammer previously chose, again, appearing to be from a reputable source.
  4. Collection or Infection. Not everyone will click on the phishing message, however, 39% of employees click on emails that they originally believe to be suspicious. Those who do end up taking the bait by either clicking on a link in an email or entering in their information into a pop-up, unfortunately have their information recorded by the phishers who can then use this information for their own personal gain. The collection of information is the goal for one type of phishing scam, but as mentioned above, there are some phishing scams whose goals are to infect the computers or systems of the affected individuals. Ransomware, one of 2016’s hottest cyber-threats, is a very popular malware to be included in a phishing scam–now included in 93% of the phishing emails sent out.

How to Identify a Phishing Message


Before any company can protect against a phishing scam, they must first be able to identify one. Here are a few telltale signs that can help you determine a phishing email from a legitimate one (note that these are also included in a previously Axiom blog article on phishing, Gone Phishing: Who’s really on the other end of the line?).

  1. Links- The best way for a hacker to access your information is by making you come to him. Many links in suspicious emails can be verified by hovering your mouse over it; if the link is taking you to an .exe file for example, do not click on it, as these have been known to be the source of various malicious software in other cyber crime situations.
  2. Threats– When there is a threat in an email, such as forcefully taking down an account or being fined if you do not take instant action, this is usually an indicator of phishing. This can come in the form of both email and phone solicitation, and threats are easily identifiable by the request of immediate action or otherwise facing the hacker’s consequences.
  3. Posing as a popular company- Seeing a familiar logo or name on an email or other electronic communication can give you a false sense of security that what you are receiving is a legitimate connection from an accredited company. An indicator that a message is phishing is when the hacker includes the company title in a way that is slightly different from the actual company name (i.e. Twitter Co. instead of Twitter Inc.). Also, if you regularly get emails from a reliable company and you receive one that looks different than usual, this is a sign that it may be a phishing scam.
  4. Spelling and Grammatical errors- If there are clear spelling or grammatical errors throughout the email, it is obvious that this email was not carefully looked over by a member of an authentic company and is likely phishing. This not only includes spelling and grammatical errors, but also when key parts of an email, such as the subject line or a signature, are missing or strangely worded.

How your company can combat phishing, Employee Education


Now that we know how to identify a phishing scam, it is important to take the proper steps in protecting businesses everywhere from this type of threat. Companies are the primary targets of phishing attacks, and consequently, they need to amp up their cybersecurity defenses in preparation for combating phishing threats. While employees are some of a company’s greatest assets, they are also the greatest threat to its cyber-defenses. This is why employee education is the most important defense against phishing.

  1. Educate employees—Informing your employees of the indicators listed above will help them to be able to identify a phishing threat.
  2. Take care to assess emails—Encourage your employees to take the time to assess an email before clicking on it or any embedded links it may include. Michele Fincher of Social Engineer, Inc. says, “Adding a couple of seconds on to what you normally do when you receive an email will go a long way (toward safety).”
  3. Utilize checks and balances—Utilizing checks and balances can help to prevent what is known as spear phishing—when hackers pretend to be executives emailing upper level employees in order to gain access to valuable information like financial numbers, wire transfers, and employee information. By having multiple people needed to sign off on something, it is likely that the scam will be caught among them.
  4. When in doubt, ask—Let your employees know that if they are questioning an email, they should ask someone else before clicking on it. It is better to be safe than sorry, and most of the time, if they are questioning it, it is likely a fraudulent email.

If you believe an electronic communication to be malicious or suspicious, do not open it, delete it, and report the incident to your IT department. For small businesses that may not have an IT department or think that cybersecurity is out of reach for your company’s budget, please go to www.axiomcyber.com to learn more about our affordable managed cybersecurity solutions and how we can help your business get and stay secure.

Hailey R. Carlson | Axiom Cyber Solutions | 9/9/2016


Gone Phishing: Who’s really on the other end of the line?



Email, social media, smartphones, and other electronic communication are now the norm for communicating across and between businesses of any size. You may even be a part of a company so big that you email back-and-forth with people on a daily basis whom you’ve only met a few times in passing. Or you may be contacting multiple potential clients for your start-up business, many of which you have never met before at companies you’ve barely heard of. If you see that an email is from someone who appears to be an employee at your business or a good potential client, you click on it so as to build and maintain positive relationships with them and help them with whatever it is that they may need. But how do you know if that email is actually from Jim in Accounting or Jane at your strong lead’s firm and not a hacker posing as him or her? When it is really the hackers and not the genuine people you think it is, this is called phishing.

Phishing is a tricky cyber threat—able to stump 20% of employees at J. P. Morgan when the company sent out a fake phishing email—but what is it exactly? Phishing is when impostors pose as reliable entities, such as banks, universities, or other well-known companies, via electronic communication, to solicit personal information which they can then use to steal people’s identities or infect their computers with malware. Phishing is growing at a rapid rate with many other cyber crimes; not even halfway into 2016, there have already been 36 companies that have fallen victim to phishing email attacks where the hackers were in search of employees’ personally identifiable information (PII) to aid the hackers in identity theft. Arguably just as vicious as going after people’s PII, these hackers have begun to steal funds from companies primarily through a form of phishing known as whaling.


Whaling, the new Phishing

Whaling, a form of phishing usually synonymous with the term spear phishing, is when hackers target executives for their phishing attacks, either emailing them directly or posing as these high-ranking members to send mass emails to employees (and in turn infecting the computer of every employee who opens the malware-ridden emails), in order to gain access to valuable information like financial numbers, wire transfers, and employee information. A Mimecast survey conducted late last year found that 55% of businesses across the globe had experienced an increase in whaling attacks over the previous twelve months.

Whaling has been in the news recently for having hit Mattel, the producer of such toys as Barbie and Hot Wheels, with a malicious $3 million transfer of money to a hacker based out of the Bank of Wenzhou in China. Cyber criminals posed as a legitimate member of the Mattel executive board—the newly-instated CEO, Christopher Sinclair—to trick finance employees into transferring the sum to their malevolent bank accounts. In order to transfer money, Mattel requires two executives to sign off on the transfer so as to help reduce financial-related risks, one of which being the CEO. When the unnamed financial executive saw what he thought was the CEO’s approval, he assumed the transfer was legitimate and transferred the funds to the Bank of Wenzhou, unknowingly completing the hacker’s mission.

Thankfully, this event happened on a Chinese banking holiday, meaning that the funds were held up and Mattel was able to recover the wrongfully transferred funds almost immediately after finding out about the issue. Though this is good news for the toy-producing giant, most companies do not always have such lucky timing when cyber crimes strike. This is why knowledge and education are crucial defenses on the cybersecurity front. If employees know how to identify suspicious communications, then it is less likely that the company will be subject to phishing and whaling attacks.


How to identify a suspicious message

The primary goal in combating phishing and whaling attacks is to make sure that harmful traffic to employees is stopped without hindering the good traffic of current and new clients as well as other reliable entities. The best way to handle a phishing email scam is to prevent it from happening in the first place; employee training on how to identify a fraudulent email is an extremely important step in ensuring workplace cybersecurity, and there are a few telltale signs that indicate whether or not an electronic communication is a scam:

Links- The best way for a hacker to access your information is by making you come to him. Many links in suspicious emails can be verified by hovering your mouse over it; if the link is taking you to an .exe file for example, do not click on it, as these have been known to be the source of various malicious software in other cyber crime situations.

Threats- When there is a threat in an email, such as forcefully taking down an account or being fined if you do not take instant action, this is usually an indicator of phishing. This can come in the form of both email and phone solicitation and threats are easily identifiable by the request of immediate action or otherwise facing the hacker’s consequences.

Posing as a popular company- Seeing a familiar logo or name on an email or other electronic communication can give you a false sense of security that what you are receiving is a legitimate connection from an accredited company. An indicator that a message is phishing is when the hacker includes the company title in a way that is slightly different from the actual company name (i.e. Twitter Co. instead of Twitter Inc.). Also, if you regularly get emails from a reliable company and you receive one that looks different than usual, this is a sign that it may be a phishing scam.

Spelling errors- If there are clear spelling errors throughout the email, it is obvious that this email was not carefully looked over by a member of an authentic company and is likely phishing. This not only includes spelling and grammatical errors, but also when key parts of an email, such as the subject line or a signature, are missing or strangely worded.

If you believe an electronic communication to be malicious or suspicious, do not open it, delete it, and report the incident to your IT department. For small businesses that may not have an IT department or think that cybersecurity is out of reach for your company’s budget, please go to www.axiomcyber.com to learn more about our affordable managed cybersecurity solutions and how we can help your business get and stay secure.

Facebook and Phishing: The New Social Frontier


With the holidays approaching, it’s not always all about cheer and goodwill. Crime tends to peak during the holidays and cyber crime is included.

Facebook currently has over 1.44 billion users. It’s no surprise that cyber criminals are using this popular social networking service as a gateway to identity theft. An incredibly popular method called ‘phishing’ is a common way for these thieves to trick you in order to gain your personal and financial information. It’s so common that with a simple Google search, one can find step-by-step guides on how to hack Facebook accounts using phishing methods.

So what is phishing and how is it done? To put it simply, phishing is where users are directed to enter details into a fake website that looks and feels like the legitimate one. Basically, the cyber criminals’ goal is to get you to log in on their fake login page, at which point they have your Facebook email and password.

Nearly all cyber crime comes from some sort of phishing. National Counterintelligence Executive William Evanina said in a recent interview with the Washington Examiner, “We’ve looked at all of these intrusions and exploitation of personally identifiable information over the years, both government and private sector, and just about 90% of them either started with or were enhanced by a spear phishing success.”

Recently, a colleague shared an experience he had on Facebook. He had received a friend request from someone who he thought he was already friends with. He assumed that maybe his friend had accidentally removed him and was re-adding him. After some small talk, my colleague’s friend sent him a message with a link that said “Hey, have you checked this link out?”

My colleague had an odd feeling at this point. In conjunction with the unique scenario and the poor spelling, he realized something was not right. He then asked his friend “Hey, how exactly do we know one another?” The friend responded but brushed the question aside, “We’ve been friends forever.” After a little more back and forth, the friend refused to share details on their friendship. My colleague successfully avoided this likely phishing attack. Had he clicked on that link, he would’ve been asked for his password, and had he entered it, he would’ve had a problem on his hands.

These phishing attacks can come in many forms. It may look like Facebook is emailing you about a photo violation or maybe a friend is sending you a holiday e-card. Warning bells should go off immediately if it links you to a website and asks you for your password. Odd spelling and a poor use of English is also a dead giveaway when it comes to cyber crime.

Facebook addresses how to keep your account safe with the following tips:

  • Protect your password. Use a combination of at least 6 letters, numbers and punctuation marks. Avoid including your name or common words. Your password should be difficult to guess. Don’t use your Facebook password anywhere else online and never share your password.
  • Never share your login information (ex: email address and password). Sometimes people or Pages will promise you something (ex: free poker chips) if you share your login info with them. If you’re ever asked to re-enter your password on Facebook (ex: you’re making changes to your account settings) check to make sure facebook.com is still in the URL (web address).
  • Log out of Facebook when you use a computer you share with other people. If you forget, you can log out remotely.
  • Don’t accept friend requests from people you don’t know. Sometimes scammers will create fake accounts to friend people. Becoming friends with scammers might allow them to spam your Timeline, tag you in posts and send you malicious messages. Your real friends might also end up being targeted.
  • Never click suspicious links, even if they come from a friend or a company you know. This includes links sent on Facebook (ex: in posts) or in emails. If one of your friends clicks a spam link, they could accidentally send you or tag you in spam. If you see something suspicious on Facebook, report it. You also shouldn’t download things (ex: a .exe file) if you aren’t sure what they are.
  • Watch out for fake Pages and apps/games. Be suspicious of Pages promoting offers that are too good to be true. If in doubt, check to see if a Page is verified. Be mindful when you install new apps or games. Sometimes scammers use bad apps and games to gain access to your Facebook account.
  • Log in at www.facebook.com. Sometimes scammers will set up a fake page to look like a Facebook login page, hoping to get you to enter your email address and password. Make sure that you check the page’s URL before you enter your login info. When in doubt, you can always type facebook.com into your browser to get back to the real Facebook.
  • Update your browser. The newest versions of internet browsers have built-in security protection. For example, they might be able to warn you if you’re about to go to a suspected phishing website. Facebook supports: Mozilla Firefox, Safari, Google Chrome, and Internet Explorer.
  • Run antivirus software. To protect yourself from viruses and malware, scan your computer.
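Facebook’s advice to “check to make sure facebook.com is still in the URL” is sound, but the check has to be made on the host part of the address, not on the address as a whole: a fake login page can put facebook.com in the path, in the user-info part before an @, or as a leading subdomain of a different domain. The block below is an added example, not code from Facebook, Axiom or the original post; the sample URLs are constructed, and requiring HTTPS is an assumption added here. It contrasts a naive substring test with a check that the host is facebook.com or one of its subdomains.

```python
from urllib.parse import urlparse

# Constructed sample addresses: one genuine pattern followed by lookalike tricks.
CONSTRUCTED_URLS = [
    "https://www.facebook.com/login",
    "https://m.facebook.com/",
    "https://facebook.com.login-verify.test/",      # facebook.com as a leading subdomain
    "https://facebook.com@login-verify.test/",      # facebook.com in the user-info part
    "https://login-verify.test/facebook.com/login", # facebook.com in the path
    "https://notfacebook.com/",                     # longer domain that ends the same way
    "http://www.facebook.com/login",                # right host, but not HTTPS (assumed rule)
]

def naive_contains_check(url, trusted_domain="facebook.com"):
    """The literal reading of the tip: is the string somewhere in the URL?"""
    return trusted_domain in url.lower()

def host_belongs_to(url, trusted_domain="facebook.com"):
    """True only if the URL is HTTPS and its host IS the trusted domain or a subdomain of it."""
    parsed = urlparse(url)
    if parsed.scheme != "https":          # assumption: a login page must be served over HTTPS
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)

def compare(urls=CONSTRUCTED_URLS, trusted_domain="facebook.com"):
    """Return (url, naive verdict, host verdict) for each address."""
    return [(u, naive_contains_check(u, trusted_domain), host_belongs_to(u, trusted_domain))
            for u in urls]

if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"naive={naive!s:5} host={strict!s:5} {url}")
```

Every constructed address passes the substring test, because each one literally contains facebook.com; only the first two pass the host test. The same host-based comparison is what a browser’s address bar shows when you look at the domain rather than the full URL, which is why typing facebook.com yourself, as the last tip suggests, remains the simplest way to be sure.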

Axiom Cyber Solutions is offering Cyber-Security Protection for Small Business starting as low as $199 per month. We realize that most small businesses do not have a dedicated IT team and business owners may be handling their cyber security matters on their own. Let us take over and provide you with peace of mind. Axiom will provide your business a firewall and manage it so you don’t have to worry about securing your business. We will assess the security risks for your business and will help implement the right cyber security service for your business.

Axiom’s solutions come in different sizes and all our solutions are designed to deal with the attack vectors of today while being adaptive and flexible enough to continue to secure your network for years to come. For more information, check out our website at axiomcyber.com or give us a call us at (800) 519-5070. #FightBackWithAxiom

Worried about the Ashley Madison Hack? Beware before you enter your spouse’s data on these fake sites


Given the constant media attention being dedicated to the Ashley Madison hack, it’s reasonable to expect that there are a number of curious spouses who may be tempted to find out if their partners were using Ashley Madison’s services.

In the past few days, hundreds of fake phishing, malware, and virus-ridden websites have popped up encouraging users to enter their spouse’s personal information with promises to confirm or deny their involvement.

33 million users were exposed in the breach making any of these concerns valid.

Axiom would like to urge caution and ask netizens to summon the patience and wait for a legitimate security firm to provide a secure tool to analyze the data.

Many of these websites ask for names and e-mail addresses, but some ask for credit card and billing information, as well as partial social security numbers.

On top of these requests, some go as far as to require you to sign up for free and paid services, or take lengthy surveys.

In addition to inadvertently downloading malware, spyware and viruses, providing personal information to these thieves exposes the suspect, and anyone that may be closely associated with them, to inadvertent danger.

Many of these hacks are no longer targeted at identity theft, but instead are targeted at allowing state sponsored entities to create population and citizen databases to discover possible physical and social vulnerabilities leaving you, your family, and your nation at risk.

Axiom data engineers have been analyzing the recently available data dump and can confirm that it will require intervention on behalf of a data warehousing specialist or administrator to render the data searchable in a web friendly format.

To date, our researchers have not found any legitimate services offering database information without significant security risks.


Again, we urge caution to those lying in wait and ask that you #FightBackwithAxiom by not falling victim to these predators.