The Saga of Joe Public, A Social Media and Email Tragedy
0
Dan Gavin
The Saga of Joe Public, A Social Media and Email Tragedy

This is a story about Joe. Joe could be any one of us. During the day he is a nose-to-the-grindstone, focused, and hardworking employee. After work, however, he is careless and free, enjoying all that social media has to offer: posting photos, catching up with friends, reading the links his friends on social media post, and yes, he does enjoy the occasional cat video. He is active on his email account too.

Unfortunately, Joe is not really keen on cybersecurity hygiene. He clicks on any link he gets via email or social media without checking the URL first. He makes his life easy by using the same password for all his different accounts. Two-factor authentication is too much work and why would he need it anyway. Nobody would hack a regular guy. Since he is so friendly, his social media account is open to the public, so everyone knows everything about him. What he had for his birthday dinner last night; where he was born; his mother’s maiden name; and even the name of his first pet. 

Although Joe seems to be the life of the party when it comes to social media, Joe was not ready for the party crasher. After work, as Joe was ready to relax and catch up on some email, he discovered he could not login – password failed. That’s strange. He had not changed the password to his email account. Ever. So, he decided to check his Facebook account to see if anyone else was having trouble with their email provider. And what do you think happened to his Facebook account? He was locked out of Facebook too. As he sat back to ponder what was happening, a friend from high school called. His friend asked why he was sending out emails pretending to be a Nigerian prince looking for money? He also noticed that Joe started posting advertisements on social media for the Pink Princess Palace. That’s when Joe figured out that he had been hacked! How could this have happened to him?

The hacker could have come in from many different attack vectors. After checking the website, https://haveibeenpwned, Joe noticed that his username and password were compromised in 17 different breaches. Since he used the same username and password for every site, it was easy for the hacker to take over his email and social media. Also, the hacker could have just used Joe’s username combined with all the information on Joe’s Facebook profile to answer the typical “security” questions many web applications use for password resets. 

What does Joe do now to get back into his accounts and secure them? First, he should get in touch with his email and social media providers to let them know what happened to regain access to the account. This could even involve sending Facebook a copy of his Driver’s License to prove his identity. He will need to change his password to a nice long pass phrase – 16+ characters. He will also need to change his password on all his other accounts because the password has been compromised. Next, he should set up two factor authentication for all email and social media; and any other account he doesn’t want breached (like his bank and investment accounts). Two-factor authentication involves having the web service send a text with a one-time code. Even better, Joe would use a third-party application like Duo or Microsoft Authenticator. 

To do this on your Facebook account for example, you need to login to your account. Click the arrow icon in the top-right corner and select “Settings & Privacy” and click “Settings.” In the left-hand navigation bar, choose “Security and Login.” Scroll down to the “Two-Factor Authentication” section and click “Edit” next to “Use two-factor authentication.” Follow the instructions from there based on the way you choose to receive your notifications. All email and social media apps have this option. 

Now that Joe has so many usernames and passwords to remember, he decided to use a password manager to help him out so that he only needs to remember one long password. He downloaded Bitwarden to his computer and added the Bitwarden extension to all his browsers so that he has his secure passwords wherever he goes. 

Joe is so excited about securing his email and social media that he tells his brother, John Q, and the rest of his friends so that they don’t have to go through similar torture. Joe has since become the lead blogger for the Cybersecurity Evangelist.

This article was originally published in the Sierra Vista Herald and can be found here.

Bob’s Social Security Tale, Is Yours Safe 
0
Dan Gavin
Bob’s Social Security Tale, Is Yours Safe 

Social Security benefits are a lifeline for many retired Americans, providing essential income for daily needs and a comfortable retirement. The sad part is that it’s relatively easy to redirect your checks to a threat actor’s bank account. It really is a growing concern. Understanding how this can happen and how to protect yourself is crucial. 

Bob (names have been changed to protect the victim) is a 70-something retiree who had always been diligent about protecting his personal information. He kept his Social Security number safe and was cautious about sharing his personal details. Bob suddenly realized something was wrong when for the second month in a row his social security check hadn’t been deposited. The gnawing in his stomach was overwhelming. He contacted his bank and the Social Security Administration (SSA). He discovered his benefits had been redirected to an unknown bank account. Bob was a victim of a scam. 

Bob’s situation is, unfortunately, not uncommon. Scammers often use phone calls, emails, or even postal mail to impersonate SSA officials. They may ask for personal information, claiming there is an issue with your account or that you need to verify details to continue receiving benefits. Once they have your information, they can use it to change the bank account where your benefits are deposited. 

There are steps you can take to minimize the probability and the impact of this type of scam. First, guard your personal information like it was a pot of gold. Because it is. Never share your Social Security number, bank account details, or other personal information over the phone, email, or online. One way to ensure you survive a phishing attack is to contact the bank or other financial organization using a number you have called before. One you know for sure is the correct number.

Second, remember, the SSA will never call you and ask for personal information. If you receive a suspicious call, hang up immediately without uttering a word. Occasionally the scammer will ask questions designed to get you to say the word “yes”. Then they will manipulate the audio of the call and use it nefariously.

Third, regularly check your bank account and Social Security statements for any unusual activity. If you notice anything suspicious, report it immediately. 

Fourth, if you have created an online account at https://www.ssa.gov/myaccount enable the multifactor authentication to secure your benefits. Also, make sure the password you use here isn’t used anywhere else. Not even a permutation of the password. All the websites you use to manage your money should be secured with the strongest password the app allows, and absolutely enable multifactor authentication. 

Lastly, if you believe you are a victim of identity theft or fraud, contact the SSA and your bank immediately to report the issue and take steps to secure your accounts.

Bob’s story is a cautionary tale. It is a reminder to be vigilant and to trust no one. These simple steps will not guarantee you will never be a victim, but they WILL contribute to a more secure future. 

Any communication, regardless of the form, that causes you to feel an emotional response (urgency, catastrophe, or promise of punishment or reward) is most likely tied to a scam in some way. So, talk to someone you trust face-to-face. This can help calm you down and ensure you take careful methodical measures to resolve an issue.

Scammed! How Hackers Hijack Your Amygdala
0
Dan Gavin
Scammed! How Hackers Hijack Your Amygdala

Last week an elderly friend called me. He had been scammed out of $13,000 … almost. RIGHT before he finalized sending the money, he had a lucid moment and thought “this is probably a scam”. He ended the call and phoned his bank. All ended well.

So, what can we do to help our elderly friends and family? They are easy pickins for professional scammers. These scams work because they incite a cognitive response in the mind of the potential victim that causes them to jettison all logic. They simply fall prey to an ancient brain-part — the amygdala. Chris Hadnagy (professional white hat social engineer) references the term “amygdala hijacking”. It’s a term coined by Dr. Daniel Goleman. Hadnagy states scammers use techniques that hijack the amygdala which shuts off the logic center of your brain. The tragic result is that in less than 30 minutes your elderly loved one will transfer tens of thousands of dollars to a person they’ve never met.

According to Hadnagy, there are 4 vectors of social engineering attacks: 1. Phishing. 2. Vishing. 3. SMiShing. 4. Impersonation. I’m sure we could add to or subdivide these categories, but this is enough for now.

Phishing is typically an email delivery. That’s how my friend was targeted. He received an email informing him his Norton antivirus subscription had just been renewed for $250. He was kindly informed to “call this number if you’d like to cancel.” Panic set in. The amygdala hijack was on. He completely ignored the fact he NEVER had a Norton antivirus account.

Vishing uses the same content essentially as a phishing email but delivered over a phone call. SMiShing is the same – except over text message. Impersonation is an in-person visit from someone pretending to be someone like phoneline repair or a plumber.

In almost all these cases the scam works because the content of the message causes the victim to immediately panic. The anger, fear, or excitement they feel disables all the logic which they would normally use to make informed decisions. This is where the amygdala takes center stage. Logic takes a lunch break.

It’s here that the scammer handholds the victim all the way through the scam. They promise to fully refund the victim’s money. This makes the amygdala happy. The scammers convince the victim to let them remote connect to their computer. Next, they do some confusingly technical looking things to build false trust. But it’s all a ruse. The scammer is counting on the good heart and trusting character of the victim. Trust and honesty make them the perfect victim.

To protect yourself and your loved ones, here are a few rules:

1. Trust no one.

2. If you get any kind of communication you didn’t expect, pay attention to your feelings. Does it make you anxious in any way? Then it’s a scam.

3. If the message you received claims your bank account or credit card have been charged, close the message and contact your bank using a known-good number.

4. If the message appears to come from a government agency, close the message and contact the agency using a known good number.

5. Every organization that deals with your money has a fraud department. Contact them. They can help you get things straightened out.

6. Contact the Cyber Guys at CyberEye.

Original Article appeared in the Sierra Vista Herald here

Copyright © 2024 CyberEye Call us at: ‪(520)224-8981