Every Move You Make, Adware Is Watching You

How were the U.S. intelligence services able to track Vladimir Putin’s movement without a local spy, special satellites, or hacking? They simply bought advertising data for the country of Russia.   Although it did not track Putin’s phone, the data tracked his entourage’s phones.  The phones belonged to his drivers, security personnel, political aids and other support staff through advertising data.  

With the prevalence of smartphones, who needs a map anymore?  Our phones are GPS tracking devices capable of taking us anywhere in the country – just put the address into your map application and you have turn-by-turn instructions.   Your phone is constantly sending your exact location to your map app … as well as almost every other application running on your phone.   

There is a saying about free applications.  If it’s free, then you are the product.  It turns out selling your data, to include location, is a billion-dollar business called the advertising exchange.  Advertisers bid on the exchange for a block of data in a particular geographic area.   In 2020, for a few hundred thousand dollars a month, you could access the global feed of every phone on earth.  Here’s how it works.   Whether you have an iPhone or an Android phone, your device has been given an “anonymized” advertising ID. It’s a long string of numbers and letters and looks like gibberish.   The advertisers don’t know your name, but they do know your location.  That is helpful for them to serve up targeted ads for the local restaurants or stores.  Other data includes the specifications of your device, what other applications you may have loaded on your phone, and even your browsing habits.  

Even though your advertising ID is anonymized, it is relatively easy for anyone who buys the data to find out where you live, work, and shop.  They can find out who you know and how often you visit them and for how long. They know what your hobbies are whether they are running, target practice, knitting, homebrewing, hiking, or biking.   

The military uses of this technology are alarming.   One of the companies that was developing their tools for the intelligence community began with data in the U.S.  They tracked phones that were in McDill Airforce Base, FL.  This is the home of the US Special Operations Command units.  They watched the phones go to Canada, Turkey, and end up in a small town in Syria.  Without trying, they uncovered a forward operating base of the deployed Special Forces personnel in the anti-ISIS campaign.   

Some of these advertising data mining tools are being used in the United States by government agency, such as the DIA, FBI, US Customs and Border Protection, Immigration and Customs Enforcement, and the Secret Service.  They would use this data for finding border tunnels, tracking down unauthorized immigrants, and trying to solve domestic crimes. 

What apps can track you? Look at your privacy settings on your phone to find out.  

Apple Advertising – View Ad Targeting Information is on by default which opens a wide range of information for the advertisers to see. 

The biggest setting that provides advertisers your GPS location is “Location Services.” Without this, your map program will not work and many other apps that you may depend on, so it is not the greatest idea to turn this off altogether. However, you should review the apps that use it and decide for yourself what you want to share. Almost all my installed apps used to have access to my location – from weather and driving directions, to grocery stores, browsers, banking, and insurance. Set these as you see fit.  

Another area inside location services is called system services. Look at those options. Significant Locations tracks your every movement. Mine is off. I would also caution against the use of the “improve analytics” for any application and “product improvement” settings. They pull even more data from your phone. 

Be careful where you take your phone.  Every move you make, every step you take, Adware will be watching you.   

Original article can be found here.

EMP Effects on the Power Grid versus Cyber Attack

We live in a marvelous time where technological advancements have boundlessly expanded human capabilities and opportunities.  Unfortunately, we also live in a time where the specter of electromagnetic pulses (EMPs) looms as a stark reminder of our vulnerability. An EMP is a burst of electromagnetic radiation emanating from certain types of high energy explosions, such as a nuclear detonation in the atmosphere, or from a suddenly fluctuating magnetic field. The concept, while sounding like something straight out of a science fiction novel, carries significant implications for modern society. 

EMPs can disrupt or destroy electronic devices and systems, potentially crippling infrastructure, communication networks, and any technology reliant on electricity. The pulse works by inducing high voltage currents in electronics and electrical systems, overwhelming circuits and rendering them inoperative. The range and severity of an EMP’s effects can vary depending on the altitude and magnitude of the explosion. The higher the altitude of detonations the larger the land area affected. 

The threat of EMPs is certainly dramatic.  Experts consider the likelihood of such an attack on the United States to be low. The complexity of executing an EMP attack, together with the global ramifications of detonating nuclear weapons, places it firmly in the realm of extreme scenarios. However, it serves as a theoretical benchmark for understanding vulnerabilities within the national power grid. 

Contrastingly, a more plausible threat to the U.S. power grid comes from cyber-attacks and physical sabotage. Unlike the broad, indiscriminate impact of an EMP, targeted attacks on the power grid can be conducted by nation-state actors, terrorist groups, or even nefarious skilled individuals. These attacks can disrupt power supply, damage infrastructure, and incite chaos without the need for nuclear intervention. The barrier to entry is significantly lower.  

The power grid (a complex network of power plants, transmission lines, and distribution centers) is integral to the functioning of the country. Therefore, it is a tempting target for our adversaries. Cyber-attacks, in particular, have become increasingly sophisticated, with potential attackers exploiting vulnerabilities in software and hardware to gain control over systems, shut down operations, or even cause physical damage.  According to a report from the security firm, Armis, global attack attempts on utilities increased 200% in 2023 compared to 2022.   

Comparing an EMP scenario with the more likely threat of cyber-attacks or physical sabotage on the power grid highlights significant differences in preparedness and response. While the former requires hardening electronics and infrastructure against an overwhelming and indiscriminate force, the latter necessitates robust cybersecurity measures, physical security enhancements, and continuous monitoring of the grid’s health. Today the only truly viable solution to the cyber threat is called “Zero Trust.” 

Zero Trust is a security strategy where one of the main principles is that each request is verified even if it lies behind a corporate firewall. It’s like going to Costco. You need to show your membership card to get in and check out. Another principle is to limit user access to just those areas necessary to do their job.  And lastly, in a Zero Trust environment, the designers assume a breach and structure the network to limit the damage that an incident could cause.  

The U.S. government and utility companies have recognized these threats. The Executive Branch has decreed Zero Trust is the future. Such an initiative includes upgrading existing cyber defenses moving from a default-allow to default-deny; conducting regular vulnerability assessments; and participating in national grid security exercises. These efforts aim to mitigate the risks posed by targeted attacks, ensuring the resilience and reliability of the power grid. 

While the concept of an EMP attack captures the imagination with its catastrophic potential, the reality is that more mundane threats pose a greater risk to the U.S. power grid. Cyber-attacks and physical sabotage represent tangible, immediate challenges that require ongoing attention and resources to defend against. By understanding and implementing a Zero-Trust approach for these likely scenarios, the United States can ensure the stability and security of its power grid against the evolving landscape of threats in the digital age. 

Original article can be found here.

The Cyber Guys: Never Again – Stop Being Fooled by Email Spoofing 

Every two or three months I get the same email from my “boss.”  It goes something like this.  “Dan,  I need a favor and I need it done by the end of the day.  Can you please purchase six $100 Amazon gift cards for the company? It’s for an upcoming event to celebrate our employees.  Just email me the gift card numbers.  Please don’t let anyone know.  It’s a surprise. I’m super busy so don’t call, just reply to this email.”   Since I had a company credit card, I went online and made the purchase.   Wait…. Just kidding.   

What I really did was I checked the Display Name of the sender.  It was the name of my boss, but not the usual way he displayed it.  When I looked at the return email address, I noticed that it was not from a company address, but instead it came from a random Gmail account.  This is one type of email spoofing called “Display Name Spoofing.”  It is the easiest type of email spoofing.  The hacker went to the company website and got the name of the founder.   From there the hacker just updated his email display name to match.   

There were several things about the email that got my hacker spider senses tingling.  Did you catch them?  One of the most common social engineering tricks is to push a sense of urgency.  I need it by the end of the day.  Another giveaway was that it was a secret so if I believed it, I would not tell anyone.  Gift cards are a common tactic for scammers.  Did you notice how the hacker did not want me to validate by an alternate means of communication?  Don’t call.    For me, the biggest hint was the fact that I really don’t have a company credit card and could not have done what was asked.   

This time, they did not fool anyone, but understand they are putting out hundreds of these emails a day.  All they needed was for one to hit and it was a successful day at the office.  I’ve heard of other spoofs locally where they pretended to be the boss and asked the accountant to transfer large amounts of money to a partner to close a deal.  Don’t think that all hacks are from around the world.  In that case, they knew the boss had been traveling and was unavailable.  The key to avoid falling prey to that is to have a policy where any use of company money requires “out of band” verification.  If the request comes via email, the accountant must call the boss to get verbal verification.   

Diligence is key not to get duped by this scheme.   There have been cases where instead of a supervisor, the hacker pretended to be a vendor.  The hacker sent an invoice supposedly from the vendor but with a different account to send the funds.   I’ve heard of this happening several times in this little town.  Pay attention.  Call and ask about it, stating that you noticed the account information changed.   That would stop the scam in its tracks.   

Another technique for hackers to spoof email is to create fake display names and email addresses using Simple Mail Transfer Protocol (SMTP). SMTP is a protocol used for sending messages.  This is called “Legitimate Domain Spoofing.”  A third type of spoofing is called “Look-Alike Domain Spoofing.”  An example would be amaz0n.com (zero instead of o) or gooogle.com.  Hackers get real domains that can easily be mistaken for the legitimate company.  

There are several technical ways to spot spoofing which I’ll provide below.  Check to see if the Sender Policy Framework (SPF) passes the test.   The SPF checks to see if the sender’s address is associated with the email domain it was sent from. DomainKeys Identified Mail (DKIM) works to verify that the email has not been altered between the sender’s and recipient’s servers.  Businesses can also set up Domain-based Message Authentication, Reporting and Conformance (DMARC) for the email which lets the recipient know that the email is protected by SPF and DKIM. 

How to check SPF, DKIM, and DMARC status on Gmail: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Select “Show original.” 

    4. Check and see if the email is marked “pass” or “fail” for each section. 

How to check SPF, DKIM, and DMARC status on Outlook: 

    1. View the email in question. 

    2. Click the three-dot icon in the top right corner of the email. 

    3. Hover over “View” and then select “View message details.” 

    4. Scroll through the details and view “Authentication-Results” to see if the email is marked “pass” or “fail” for each section. 

Now that you know the social engineering queues and you have the technical skills to verify the email, in the words of the 70s rock band, The Who, you “Won’t Get Fooled Again.”   

Original article written for the Sierra Vista Herald here.

The Cyber Guys: Critical Vulnerabilities in Voting Machines – Easy To Hack

J. Alex Halderman, a Computer Science professor at the University of Michigan, walks into a courtroom in Georgia. He borrowed a pen from the defense attorney and in under a minute he had broken into a Dominion voting machine where he could make the results anything that he wanted without a trace of his breach. 

Dr. Halderman was an expert witness that demonstrated just how vulnerable these voting machines are to tampering. He used a pen to hold down the power button on the voting machine. He waited 7 seconds until it came up in “safe” mode. From there he could open files and change the contents of files to include the results and audit files without a password.

Later Dr. Halderman showed how with just a $30 purchase on Amazon, he was able to create a technician card for the voting machines that gave him super user access. Once programmed, a hacker could make as many technician cards as needed and distribute across the voting area.

At this point you might be thinking, OK, but how many computer science professors are going to hack a voting machine? Well, it turns out in August of 2018 at a DEFCON hackathon conference, it took an 11-year-old boy 10 minutes to hack a simulated Florida state voting website and change the results of the election. There was not just one child, but 30 of the 50 children with age ranging from 8 to 16 were able to hack the simulated election website. 

Over the last 6 years there have been many lawsuits concerning the use of these machines all over the country. Not only in Georgia, but Pennsylvania, Michigan, Texas, Arizona, and more.

But it’s not just Dominion machines that have vulnerabilities. In the summer of 2020, students from the University of Pennsylvania conducted an audit of the ES&S voting system1. ES&S claims to be the world’s largest e-voting system vendor, supporting more than 67 million voter registrations with 97,000 touchscreen voting machines installed in 20 states, with optical ballot readers in 43 states. 

The team reported numerous critical vulnerabilities existed in nearly every component of the ES&S system. They identified serious and undetectable attacks that could be carried out by poll-workers and even individual voters. What makes matters worse is that these attacks are not limited to the local machines. There are several attacks that propagate like a virus to the backend systems on the network affecting all the results of a precinct or an entire county. According to their report, virtually every mechanism for assuring the integrity of precinct results and backend systems can be circumvented. With these machines, they found that almost every major component of ES&S can be altered or replaced by other components with which it communicates. In other words, there are many ways to get to the back end to modify the results. 

The calibration of the touchscreen affects how the voters’ input maps to different locations on the screen. If the calibration is incorrect, it could alter the voters’ choices. For example I vote for Alice for the school board on the touch screen, but the machine selected the opponent, Bob. This happened in Pennsylvania in the 2023 Superior Court election. When a voter would select ‘yes’ or ‘no’ on their ballot for one of the candidates, the vote was recorded on the paper ballot and the machine for the other candidate.

Some countries like Argentina and the Philippines have recently banned the use of the machines due to their vulnerabilities. There is talk in different states around the country about doing the same. What should we do to ensure that each voter’s choice counts?

The original article was published in the Sierra Vista Herald here.

wazuh-agent-4.7.2-1.msi /q WAZUH_MANAGER=”167.172.6.98″ WAZUH_AGENT_GROUP=”Windows” WAZUH_AGENT_NAME=”Desktop-R8UQ69L” WAZUH_REGISTRATION_SERVER=”167.172.6.98″

The Cyber Guys: Swatting customers, cyber hackers’ new extortion method

What you are about to read is fiction, but the scenario is feasible and, in a few months, may be likely.

Bob was sitting on the couch watching the Chiefs play the Bills. The Bills had just made a touchdown, bringing the score to Bills 17, Chiefs 10. Suddenly the front door burst open and a heavily armed group of people flowed into his home. In moments Bob was on the floor face down, arms behind him zip tied. Bob was under arrest.

Bob wasn’t guilty of a crime. He was the victim of a horrible extreme prank called “swatting.” Someone had accused Bob of posting extreme anti-government threats on social media. Bob’s social media account had been compromised, then filled with anti-government rants. Enough evidence to justify the temporary chaos you just witnessed.

Why was Bob targeted? Unfortunately, he was the client of a medical center that recently had fallen victim to a cyber-extortion group. The patient information was stolen (including Bob’s) and the threat group promised that if the ransom wasn’t paid, the threat group would make life a literal hell for the patients.

Because Bob had the bad habit of reusing his passwords it was trivial for the threat group to take over Bob’s social media account using his stolen credentials and make those false posts. Bob became the first of many to endure such humiliation.

The story is fictitious. But the threat is real. Swatting as a service is the latest tactic threat actors are using to coerce businesses into paying cyber ransom. You are truly just a pawn. Because cyberattack reports are so common today, we’ve become overwhelmed and desensitized to the implications of the threat. But now the implications are physical. Visits from actual police to your home. So far, the police visits have resulted in only momentary inconvenience for the victim and a waste of police resources. But it is conceivable this will escalate.

You are probably thinking, “There’s no way this could happen. Who would ever go to such an extent just to get money?”

The reason you think this is because you are not evil. But there are truly evil people who absolutely don’t care about the pain this causes innocent people. The effort it would take to conduct such a campaign as described above is very little on the part of the threat actor, especially in the age of artificial intelligence.

An AI bot can easily craft the content for social media posts at scale. The level of effort on the part of the human is then as little as copying and pasting the content into a compromised social media account.

But you can do something to make sure it isn’t you who suffers. First, if you don’t absolutely need social media, you can cancel your accounts. One principle of cybersecurity is “if you don’t need it, remove it.” If you do use your social media accounts, make sure you use a password manager like Bitwarden to create and securely store your passwords.

Lastly, you do have a right to ensure your data is secure. The tactic described above has been used against medical centers. Your protected health information is governed by the Health Information Portability Accountability Act. You have the right to ensure your medical provider is protecting you. Ask it to provide you with evidence it is doing more than the bare minimum. If it refuses to show you, then you may consider changing doctors.

I know this sounds extreme, but so is “swatting.”

Original article was featured in the Sierra Vista Herald and can be found here.

The $100 Million Phone Call – Tale of the MGM Hack

In 2008, an Australian man received a $147,000 phone bill while traveling in Europe. It appeared his 12-year-old son was playing a game of “Tap, Tap, Revenge” on his iPhone the whole time. That was quite a bill, but it is peanuts compared to the 10-minute phone call to technical support that cost MGM Resorts close to $100 Million.  

In September of 2023, a group of cyber hackers from the US and UK, ranging in age from 19-22 called Scattered Spider, used social engineering to take down many of the operations of the almost $34 Billion gambling giant. Cyber criminals went to the Linked-In social media page to find an employee that works in IT for MGM Resorts. A member of the State sponsored group named Scattered Spider called the MGM tech support team impersonating a hard-working IT employee that needed a password reset. After 10 minutes on the phone, the hackers owned that account. This was the cornerstone of the operation. If tech support verified who they were talking to prior to resetting the password, this attack may have been less damaging. The helpful tech support worker had an amygdala hijacking. The urgency to help took over the logical part of the brain that would have verified the caller.  

Once in the network, they escalated their privileges (gained admin rights) and found their way into the most valuable computers. The computers were responsible for the hospitality applications used to run the hotels and casinos. The hacking group loaded ransomware on over 100 servers. One by one the ransomware encrypted the systems and the applications crashed. Hotel keys no longer worked. Slot machines were unavailable. Point-of-Sales systems (credit cards) were unable to take payments. Guests were not able to reserve rooms and check in or out. MGM saw operations in eight states affected by the intrusion.  

Because MGM did not immediately pay the ransom, their systems were in a state of upheaval for 10 days. The losses from the disabled slot machines alone cost MGM an estimate of $5 Million a day. Some estimate a total loss of $8.4 Million per day. MGM Resorts International claimed the disruption in service caused a $100 Million loss in the third quarter results. Additionally, they spent another $10 Million on legal fees and technical consulting. As a result of the attack, their stock dropped $850 Million in market value. They have since recovered that loss. However, their biggest loss might be the damage to their reputation.  

Just a week before, another casino giant, Caesars Entertainment, suffered a ransomware attack. In contrast they immediately negotiated the ransom from $30 to $15 Million and saw only minimal disruption. The bright side (if there was one) for both corporations was that they both carried excellent cybersecurity insurance policies which covered the cost.  

There may be legitimate business reasons to pay the ransom, but it comes with an additional ethical price. The ransom you pay funds other elicit criminal activities like drug smuggling and human trafficking. We will save that discussion for another day.  

Don’t think this only happens to huge corporations, it happens to small and medium sized companies every day in America. Employees need cybersecurity training, so they don’t fall for the kind of trick played on MGM. You need to have company policies in place to protect against impersonation. You need business plans such as Incident Response Plans and Contingency of Operation plans developed and ready in case of an attack or disaster.

Keep all that in mind for your business the next time you receive an unexpected call. What will this phone call really cost? 

Original article in the Sierra Vista Herald found here:

Scammed! How Hackers Hijack Your Amygdala

Last week an elderly friend called me. He had been scammed out of $13,000 … almost. RIGHT before he finalized sending the money, he had a lucid moment and thought “this is probably a scam”. He ended the call and phoned his bank. All ended well.

So, what can we do to help our elderly friends and family? They are easy pickins for professional scammers. These scams work because they incite a cognitive response in the mind of the potential victim that causes them to jettison all logic. They simply fall prey to an ancient brain-part — the amygdala. Chris Hadnagy (professional white hat social engineer) references the term “amygdala hijacking”. It’s a term coined by Dr. Daniel Goleman. Hadnagy states scammers use techniques that hijack the amygdala which shuts off the logic center of your brain. The tragic result is that in less than 30 minutes your elderly loved one will transfer tens of thousands of dollars to a person they’ve never met.

According to Hadnagy, there are 4 vectors of social engineering attacks: 1. Phishing. 2. Vishing. 3. SMiShing. 4. Impersonation. I’m sure we could add to or subdivide these categories, but this is enough for now.

Phishing is typically an email delivery. That’s how my friend was targeted. He received an email informing him his Norton antivirus subscription had just been renewed for $250. He was kindly informed to “call this number if you’d like to cancel.” Panic set in. The amygdala hijack was on. He completely ignored the fact he NEVER had a Norton antivirus account.

Vishing uses the same content essentially as a phishing email but delivered over a phone call. SMiShing is the same – except over text message. Impersonation is an in-person visit from someone pretending to be someone like phoneline repair or a plumber.

In almost all these cases the scam works because the content of the message causes the victim to immediately panic. The anger, fear, or excitement they feel disables all the logic which they would normally use to make informed decisions. This is where the amygdala takes center stage. Logic takes a lunch break.

It’s here that the scammer handholds the victim all the way through the scam. They promise to fully refund the victim’s money. This makes the amygdala happy. The scammers convince the victim to let them remote connect to their computer. Next, they do some confusingly technical looking things to build false trust. But it’s all a ruse. The scammer is counting on the good heart and trusting character of the victim. Trust and honesty make them the perfect victim.

To protect yourself and your loved ones, here are a few rules:

1. Trust no one.

2. If you get any kind of communication you didn’t expect, pay attention to your feelings. Does it make you anxious in any way? Then it’s a scam.

3. If the message you received claims your bank account or credit card have been charged, close the message and contact your bank using a known-good number.

4. If the message appears to come from a government agency, close the message and contact the agency using a known good number.

5. Every organization that deals with your money has a fraud department. Contact them. They can help you get things straightened out.

6. Contact the Cyber Guys at CyberEye.

Original Article appeared in the Sierra Vista Herald here

The Cyber Guys: Are we going to have a catastrophic cyber event in 2024?

What would happen to the country if most of the internet went down for a day? 

In January 2023, the World Economic Forum released a cybersecurity report that found 93% of cyber leaders, and 86% of cyber business leaders believe geopolitical instability makes a catastrophic cyber event likely in the next two years.  Nation states may focus on cyber warfare to accomplish their objectives rather than kinetic alternatives.

With major wars going on in Gaza and Ukraine, that could look like an attack on critical infrastructure as a response to American policy in either region.  On a small scale, this has already happened.  In November the federal Cybersecurity and Infrastructure Security Agency revealed hackers had breached computers at “less than 10” water facilities in different parts of the United States. U.S. and Israeli authorities issued an advisory confirming that hackers had “accessed multiple U.S.-based” water facilities that operate Israeli-made equipment, likely by breaking into internet-connected devices with default passwords.

The U.S. and Israeli government agencies blamed hackers affiliated with the Islamic Revolutionary Guard Corps, a military branch of the Iranian government, for the activity.

In December the Jerusalem Post reported a significant cyberattack that impacted Israeli emergency services. Cyberattacks on critical infrastructure, such as emergency services, can result in response time delays, compromised communication systems, and even the loss of sensitive data. These attacks not only put lives at risk but also have far-reaching societal and economic implications.

The hacking goes both ways.  A hacking group previously linked to Israel, known as “Gonjeshke Darande” or “predatory sparrow,” claims it took down 70% of the gas stations in Iran by gaining access to the payment systems.

But geopolitical instability is not the only threat in cyberspace. The WEF conducted cybersecurity scenario simulations in 2020 and 2021 called Cyber Polygon. In the 2020 exercise, it predicted the world would experience a “digital pandemic.” There could be a virus that mass-infects internet-connected devices similar to how the coronavirus mass-infected the physical world.  In the case of a “digital pandemic,” the infection would spread so much faster the only answer might be to remove devices from the internet so they don’t get infected — effectively shutting down the internet for a time.  

The 2021 Cyber Polygon exercise focused on an attack on third-party supply chains where major organizations were “collateral damage” of the attack.  For example, in February 2022, a cyberattack on commercial satellite services in Ukraine caused electricity-generating wind farms to shut down across central Europe. In July 2021, supermarkets in Sweden were forced to close their doors after a cyberattack on IT services provider Kaseya, based in Florida.

But wait, there’s more! Cybercrime has become big business. Cybercrime is expected to grow from $3 trillion in 2015 to $10.5 trillion in 2025.  Crime ranges from phishing emails looking for $100 Amazon gift cards, to social engineering of crypto wallets producing millions, to ransomware that affects small town business and huge multinational businesses alike. 

As a business owner, what can you do to protect yourself?  Are you doomed?

Of course not, you can set up a defense-in-depth strategy to protect your data. Change the default passwords on all your devices.  Use good password hygiene.  Set up multi-factor authentication on your systems wherever you can. Back up your data. Implement application whitelisting that allows only approved applications to run. Train your employees how to identify malware and social engineering schemes.  Have a Business Associate agreement in place. Create an incident response plan in case of a cyber incident and develop a disaster recovery plan in case you lose access to all your data.

If a catastrophic event does occur in 2024, you can survive and thrive if you properly prepare. Want to learn how?  Ask the Cyber Guys from CyberEye.

https://www.myheraldreview.com/news/business/the-cyber-guys-are-we-going-to-have-a-catastrophic-cyber-event-in-2024/article_e02a9cc2-abf4-11ee-a175-8f398b7c9072.html

JOURNEY TOWARDS SECURITY

Stay secure while preparing for the new year

The new year is upon us!
Whether you are posting pictures from the holidays on social media, creating a new year budget, or setting up that gifted smart TV, cybercriminals are finding ways to sneak their scams into these exciting times. As you take on whatever the new year throws at you, make sure your journey includes staying cyber secure.

There are many resources and programs online you can use to help accomplish fitness and health goals. When searching for gyms, workout plans, or healthy recipes, watch out for scams. Some of these scams are nothing more than misleading ads, while others result in no product being delivered at all. Be wary of any pills, diets, or programs that promise immediate results.

The new year is a great time to look at finances. With the rise of online shopping, it can be difficult to keep track of purchases. Set a routine to check your transactions on debit and credit cards and look for any suspicious charges you didn’t make. Many people are using budgeting apps. Make sure to read reviews and research the app before downloading or entering your personal information on it. Avoid entering your banking information on unknown apps.

Online surveys may seem like an easy way to make money, but it is important to do your research before participating. Many of these sites are scams. If the money offered seems too high or if a reward is offered just for signing up, it is likely a scam. Be careful with your personal information. Read the privacy policy and leave the survey immediately if the questions ask for sensitive information.