Friday, January 22, 2016

Watch out for job scams


One security issue most people don’t think of is the job scam. Scammers will reach out with a job opportunity, either in your email or even on a job board full of job posts. This applies to both students and faculty/staff.

Here are some tips and tricks to keep you on your toes when a job offer comes your way that you weren’t searching for.

Watch for these signs of a job scam:
  • The job is TOO good to be true.  
  • You are asked to send or transfer money.
  • Bank account or social security number or other personal information is requested up front.  
  • The site advertises "secret" job postings for a fee.   
  • Poorly written and/or vague job description that may state "no experience needed."
  • Questionable email address (e.g., contact email doesn't match company domain).


What can you do to ensure that a job posting is real?
  • Research the company website and check to see if the job vacancy is posted.
  • Google the company and job and see if there are complaints or a poor reputation.  
  • Check the employer's rating with the Better Business Bureau or Missouri Attorney General's office.
  • Ask questions and get specifics in writing.  


Make sure to flag any emails or posts and forward them to CCHelpDesk@ccis.edu so we can take care of it. A good rule of thumb is, if it’s too good to be true, it probably is.


Wednesday, January 20, 2016

Data Privacy Day Events

Take a look at the Data Privacy Day events below; they're starting today! Make sure to get these virtual events on your calendar and stay up on how you can be #PrivacyAware.

If you can't make it online for one of these virtual events, Tech Services will be live tweeting the Twitter chats as well as the online stream so you don't have to miss any information!

Tech Services on Twitter:
@ccistechnology


Tuesday, January 19, 2016

BBB Warning: Child predator email scam preys on concerned parents

Here is a news article from a year ago about an email scam that is currently going around again; this email showed up in inboxes again this morning.

Better Business Bureau: January 26, 2015

"Buffalo, NY--Fake email warnings about a child predator being in the neighborhood are the latest methods scammers are using to steal personal information, warns the Better Business Bureau of Upstate New York.  These “community safety” alerts are designed to look official and come right to your inbox.

How the scam works:

You receive an email alert with the subject line “Pedophile alert” or “Alert: There is a Child-Predator Living Near You!”  The email typically states “you are receiving this email because there may be a risk of sex offender activity in your area,” or “a child-predator just moved into your neighborhood.”

Included in the message is a link to click that says it will take you to the information. Clicking on the link takes the user to a series of redirected sites to land on the website for Kids Live Safe, a service that sells localized reports on sex offenders. But this spam isn’t actually affiliated with Kids Live Safe.

Once you click on the links, it will infect your computer with malware that will attempt to search for stored information such as user names, passwords and credit card numbers. BBB advises people to never click on links in unsolicited emails. For more information about the URL destination - use your browser to search for information before you click.

How to spot an email scam:
  • Check out the “from” field. Scammers can mask email addresses, making them appear to come from legitimate sources. Look out for email addresses that don’t match the organization name used in the message.
  • Typos and grammar.  Organization logos and email formats can easily be copied, but bad grammar and poor writing typically indicate that a message is a scam.
  • Check URLs. Hover over a URL to determine its real destination. Usually, the hyperlink text will say one thing and the link will point somewhere else.
  • Personalized emails. Scams often pretend to be personalized, but they are actually blast emails. If the receiver never signed up for custom email alerts, the person should not be receiving them.
  • Be careful with “unsubscribe” options. It’s better to just delete this type of solicitation. If you choose unsubscribe, you could open yourself up for more unwanted spam email.

To get information on registered sex offenders in your area, check out the FBI’s directory of state databases or the New York State Sex Offender Registry.

Note: KidsLiveSafe.com is a BBB accredited business."


Source: Better Business Bureau (BBB)


Friday, January 15, 2016

New York state considers bill mandating backdoors in smartphone encryption

Wednesday, January 13, 2016, 02:09 pm PT, Roger Fingas

A bill up for consideration by the New York state assembly would force Apple and other smartphone makers to ensure their products can be decrypted for the sake of law enforcement.


The bill was formally introduced by Assemblyman Matthew Titone last year, but was only referred to committee just last week, according to The Next Web. Language in the document proposes that any phone made as of Jan. 1 this year and sold or leased in the state "be capable of being decrypted and unlocked by its manufacturer or its operating system provider."

To ensure compliance, smartphone makers could be fined as much as $2,500 per device breaking the law.

The sort of encryption available in iOS 8/9 and more recent versions of Android may help privacy, the bill argues, but "severely hampers" law enforcement, since it can block access to evidence.

"Simply stated, passcode-protected devices render lawful court orders meaningless and encourage criminals to act with impunity," the bill suggests. It has yet to be voted on by the state assembly or senate.

Apple has vocally opposed any sort of weakened encryption, going so far as to hold the position in front of White House officials. The company's view has been that if it leaves deliberate gaps in its security, that will simply make it easier for hackers to gain access to people's devices and data.


Some government officials, such as FBI director James Comey, have claimed that Apple's position could potentially cost lives if it interferes in preventing acts like kidnapping or terrorism.

Source: Apple Insider https://t.co/7oqFaOt4FQ
Date Accessed: 1/15/16

Wednesday, January 13, 2016

Columbia Police Department reports phone scam

Reported from CPD January 13, 2016

The Columbia Police Department has received multiple phone calls this morning about an IRS phone scam that has been plaguing city residents. The caller impersonates an employee with the IRS and states a lawsuit has been filed against the victim. The caller attempts to gain personal and financial information from the victim to "settle the lawsuit." Calls are being received from at least one phone number identified as 346-303-9917. In some instances the caller is leaving a voicemail asking victims to "call immediately" in reference to the lawsuit. Note, government agencies do not telephone citizens asking for payment with debit, credit or green dot cards. 

Here are some safety tips:

1.) NEVER give out personal information such as credit card numbers and expiration dates, bank account numbers, dates of birth, or social security numbers to unfamiliar companies or unknown persons.
2.) If you call the number back that called you to verify the information and a recording picks up not stating the name of the company, this is a scam.
3.) Make a phone call to verify the information. A thirty second phone call can save you money.
4.) If something doesn’t seem right, it’s not right.

If you have information about a fraud, report it to your local law enforcement agency.


See original posting here.
Source: Columbia Missouri Police Department, Facebook

January 28th is Data Privacy Day

Data Privacy Day (or DPD) is an international effort held annually on January 28 to create awareness about online security and personal information protection. 

"Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is now a celebration for everyone, observed annually on Jan. 28.

On Jan. 27, 2014, the 113th U.S. Congress adopted S. Res. 337, a nonbinding resolution expressing support for the designation of Jan. 28 as 'National Data Privacy Day.'" -NCSA

To find out more about the National Cyber Security Alliance and Data Privacy Day, you can visit the official website here. To get involved with DPD, follow the #PrivacyAware hashtag as well as our Twitter and Facebook as we continue to post about ways you can be privacy aware, and the events happening on January 28 that you can partake in such as online sessions and Twitter chats about security.

Tuesday, May 26, 2015

One-in-four Americans victimized by information security breaches

April 21, 2015

One-in-four Americans (25 percent) fell victim to information security breaches in the past year, according to a new survey from the American Institute of CPAs (AICPA), which polled 1,010 US adults. This represented more than double the number of people (11 percent) who reported being victimized in a similar survey taken just over a year ago.

No age group is safe from personal information security breaches--regardless of their online activity. The survey showed that 34 percent of adults aged 55-64 fell victim to information security breaches in the last year, compared to the 22 percent of millennials who are typically seen as being the most active age group in digital communications platforms among adults.

Cyber attacks not only put Americans' information at risk; these breaches can have an adverse effect on consumers' personal finances.

One-in-five Americans (20 percent) said identity theft has negatively affected their credit score. In addition, one-in-four Americans (26 percent) reported that their credit score prevented them from doing at least one thing in the past year, including obtaining a personal loan, a credit card, or a mortgage. Eight percent reported they were prevented from renting an apartment and five percent were unable to land a job because of their credit score. These numbers underscore the importance of the issue.

The survey also found that 86 percent of adults reported some concern in businesses' ability to safeguard customers' financial and other personal information, with a majority (51 percent) saying they are "extremely concerned" or "very concerned." The latter figure is up from 39 percent a year ago. Perhaps because digital communication and online payments are so ingrained in their daily life, fewer Millennials (42 percent) reported being extremely concerned or very concerned about businesses' abilities to protect their data, less than any other age group surveyed.

"Data breaches have the potential to seriously affect consumers' finances and wreak havoc on their credit scores. The good news is that we are seeing Americans taking steps to safeguard their information and reduce their susceptibility to these attacks," commented Ernie Almonte, chair of the AICPA's National CPA Financial Literacy Commission.

The survey found more than four-in-five (82 percent) Americans are shifting their purchasing behavior in the wake of increased cyber-attacks, a 13 percentage point increase (69 percent) from a year ago. Fifty-six percent said they are now using more cash and/or checks for purchases, and 40 percent have reduced their online presence--including turning off social media accounts or visiting fewer websites. In comparison, only 34 percent of Millennials have reduced their online presence in the wake of increased information security breaches, the least of any age group.

Protecting personal information has become a major concern. The AICPA's National CPA Financial Literacy Commission offers the following useful tips for keeping your financial information safe and protecting yourself against personal information security breaches.


  • Be proactive: Reach out to your bank and credit card companies and ask what safeguards they have available, including fraud alerts and purchase limits. Many companies have these features available, but you may have to opt in. 
  • Avoid shopping using a public Wi-Fi connection: It's generally a bad idea to transmit any personal data on a connection that isn't secure--including those in coffee shops and public places. An unsecured connection means hackers may be able to gain access to any personal information you share with the retailer and use it to make unauthorized purchases. 
  • Secure your credit cards: Make a list of all of your credit cards (including account numbers and emergency phone numbers of each issuer). Secure this information in a safe place. When you use your credit card in a restaurant or a store, don't let it leave your sight. 
  • Avoid clicking on unknown links in emails: Don't click on links in unsolicited emails or social media sites, even if they purport to be from trustworthy retailers, because they may take you to sites that are trying to collect information for identity theft. Instead, type the organization's website address in to your browser's address bar or find it through a search. 
  • Follow up quickly: If your financial information has been compromised in any way, ask each credit bureau to place a fraud alert on your credit report. If your wallet or personal identification is stolen, immediately notify the police, your credit card providers, your bank, and the three major credit reporting bureaus. 

Friday, May 15, 2015

An iPad app glitch grounded several dozen American Airlines planes

April 29, 2015

American Airlines flights experienced significant delays this evening after pilots' iPads--which the airline uses to distribute flight plans and other information to the crew--abruptly crashed. "Several dozen" flights were affected by the outage, according to a spokesperson for the airline.

An investigation by the airline traced the problem to an iPad app made by the Boeing subsidiary Jeppesen, which contains maps of various airport facilities. When a new version of a runway map for Ronald Reagan Washington National Airport was distributed, it conflicted with an older version of the map stored on some pilots' iPads, an airline spokesman told Recode.

No flights were canceled, and pilots have been notified how to fix the bug, by deleting the app and re-installing it. Apple said it had confirmed that the iPads' own hardware and operating system did not crash, and that the issue was with the Jeppesen app.

But when the glitch first surfaced, passengers expressed surprise and frustration at the unexpected source of the delay.

"The pilot told us when they were getting ready to take off, the iPad screens went blank, both for the captain and copilot, so they didn't have the flight plan," Toni Jacaruso, a passenger on American flight #1654 from Dallas to Austin, told Quartz.

"The pilot came on and said that his first mate's iPad powered down unexpectedly, and his had too, and that the entire 737 fleet on American had experienced the same behavior," said passenger Philip McRell, who was also on flight #1654. "It seemed unprecedented and very unfamiliar to the pilots."

Other passengers in New York and Chicago also said they were being affected by the outage.

The airline issued this message on Twitter in response to a stranded passenger:


American switched its pilots to an iPad-based "electronic flight bag" made by Jeppesen in 2013, replacing the heavy paper-based reference materials that pilots carried previously. American said the change would reduce the frequent injuries incurred by pilots from carrying heavy flight bags, and would save time by making revisions electronically.


Thursday, April 2, 2015

Good Cyber Security Can't Be Bought at Wal-Mart

By Sue Poremba

Cyber security is a top concern in the IT industry today. In this series, we will look at various threats to cyber security--and what steps businesses can take to meet those threats head on in order to get good cyber security. 

If the solution to the problem of how to get good cyber security was packaged in a box and sold at Wal-Mart, IT professionals would have nothing to worry about. They could arrange for employees to pick up their security package when activating their new smartphones.

Unfortunately, getting good cyber security isn't that simple. Good cyber security practices aren't purchased in a store: they have to be taught.

And the sad reality is, most employees aren't receiving a solid cyber security education. In fact, according to a survey commissioned by Sungard Availability Services, IT professionals believe that employee behavior is one of the biggest threats to company cyber security efforts. The biggest security-related concerns are employees who are careless with their mobile devices and employees who have poor password hygiene.

"The weakest link in security is between the keyboard and the seat," said Kevin Epstein, Vice President of Advanced Security and Governance with Proofpoint. "There are few security systems that can withstand the efforts of a user with a mouse who's determined to click. Many if not most of the major breaches in the last twelve months have been initiated by a user clicking a link in a phishing email. Education can reduce--though not eliminate--such behavior."

There are several reasons why it is important to educate employees on cyber security. The first is to protect organizational data (e.g. new and current designs) and information related to customers or suppliers, said Gary Griffith, Faculty Member with the School of Information Systems and Technology at Walden University. The second reason is to prevent downtime or loss of productivity due to attacks on the company's technical equipment. "Employees should understand or know about the harm these attacks can cause, including shutting down facilities for days while the IT staff tries to remove the malware and bring all the systems back online," Griffith explained.

Griffith likes to mix real-life examples along with the different types of cyber-attacks in his cyber security education strategy. This allows users to see what those attacks are doing to gather information and how they can affect a business. "I also like to include why it is important that employees understand the consequences of their actions," he added. "For example, if it was reported in the news that customer data had been stolen, what would happen to the company's ability to attract new customers or to keep current customers? What would happen to employees' jobs and careers if leadership had to pay fines for the loss of customer data? It is important to let employees know that what they do daily matters, because they are ultimately the ones that can prevent most cyber-attacks."

Teaching the basics about what a cyber security threat is and how it does damage shouldn't be done in a passive manner. Security education should be hands-on and targeted, Epstein said. "Too many organizations apply a blanket policy or standard training--which bores the sophisticated users and fails to assist the less-technical users. The best education often involves an IT organization understanding which users are most prone to clicking on what lures, then creating focused education around those areas--for example, 'phishing' their own organization."

Overall, the best security practices come down to common sense, not sophisticated technology, according to Ashley Schwartau, Creative Director with The Security Awareness Company. Schwartau uses the following best practices in her security education:

1. Incident response: knowing how and whom to report potential security incidents to.
2. Passwords: knowing how to make strong ones, and change them regularly.
3. Malware: understanding the main types of threats and how they can be avoided.
4. Safe surfing: remembering that you are what stands between the outside world and the inside of the company, and that you represent your organization when online.
5. Phishing and Social Engineering: recognizing phishing attempts and social engineering attacks.
6. Mobile and the Cloud: treating mobile devices as you would any computer and understanding that just because files are stored in the cloud doesn't make them immune to security threats.
7. Preventative Care: backing up regularly, installing anti-virus software, and patching software and operating systems as soon as prompted.
8. Non-Technical and Physical Security: shredding sensitive documents when no longer needed, requiring identification badges for employees and guests, and keeping track of all devices.
9. Privacy:  understanding how identity theft happens and how you can protect against it.
10. Policy: knowing and understanding security policy as well as the consequences of not following policy, and how to quickly find policy when in doubt.

In the end, the best security education is something that employees will regularly practice. The more simple and straightforward it is, the more likely they'll remember to be safer on their computers.

Wednesday, March 18, 2015

Why some emails are so easy for scammers to fake

By Gary Stoller
Published March 16, 2015

Emails purportedly sent by health insurance companies and large banks are more likely to be fraudulent than those claiming to be from social media companies, a new research study reveals.

An email that appears to come from a health insurance company is four times more likely to be fraudulent--or two times more likely from a large US bank--than an email ostensibly from a social media company like Facebook, according to Agari's 2015 study.

Agari, which provides solutions to detect and prevent cyberattacks, analyzed 6.5 billion emails daily last year in nine industries for the study.

The study should make consumers and organizations more aware of the security of their email and data and "how they can protect themselves from fraud," says Patrick Peterson, Agari's CEO.

The health care industry, which has been hit with massive cybersecurity attacks, has the worst average TrustScore of all industries surveyed, the study says. A TrustScore, based on a zero to 100 scale, indicates how well organizations protect their consumers from email cyberthreats.

The poor TrustScores of health care companies are in line with an FBI warning last year. According to Reuters, the agency warned health care providers that their cybersecurity systems are lax compared to other sectors, making them vulnerable to hackers targeting American citizens' medical records and health insurance data.

In February, Anthem, the nation's No. 2 health insurance carrier, was struck by a cyberattack that exposed the sensitive data of up to 80 million customers in all 50 states.

Last July, Community Health Systems, the nation's second-largest for-profit health system, confirmed that information about 4.5 million patients was stolen in a cyberattack believed to have originated in China.

Agari's study reports that six of 14 major health insurance companies surveyed had a TrustScore of zero. Aetna, though, is an exception. It had a 100 TrustScore in last year's third and fourth quarters--"remarkable for a company in any sector," the study says.

Banks Ranked Low

Email attackers targeted banks and other financial institutions more than any other types of company in 2014, but every category of bank surveyed had a low average TrustScore, the study says. The study looked at large and mega banks in the USA and mega banks in Europe.

"European megabanks, whose customers are some of malicious emailers' most common targets, fared especially poorly," the study says. They had a TrustScore of 33, the second-lowest of nine industries surveyed.

Large American banks had the third-lowest TrustScore, 36, and American megabanks scored 46. Two US banks--Chase and Capital One--had perfect 100 scores.

Most companies haven't implemented technology to prevent "cyber criminals from sending messages that appear to come from their domains--a failure that leaves customers vulnerable to phishing attacks," the study concludes.

The emails from cyber criminals trick people into sharing sensitive information, "leading to identity theft and other crimes," the study says. "Because victims of phishing attacks often blame the companies they thought sent the forged emails, the attacks also erode the trust companies spend years building with customers."

http://www.foxbusiness.com/technology/2015/03/16/why-some-emails-are-so-easy-for-scammers-to-fake/

Wednesday, March 4, 2015

Why health hacks are worse than credit card hacks

By Erin Griffith
February 5, 2015

Companies in the health care industry have richer data and fewer defenses than those in other industries, making them especially susceptible to attacks.

In the largest-ever security breach of a health insurance company, Anthem revealed on Thursday that the personal data of 80 million customers may have been exposed to hackers.

It's likely that hackers will continue to target health care companies. For one thing, health data is a richer source of personal information than credit card data. Among the bounty: social security numbers, email addresses, birthdays, street addresses, policy numbers, diagnosis codes, billing information, and the names of family members--the sort of information used in security questions for online accounts.

Malicious hackers can use that information for what's sometimes called a "soft hack," or unauthorized entry without the use of sophisticated software. Identity thieves can gain access to a person's account by guessing the right answers to security questions and resetting a password. With the right combination of family and personal information, a thief can also use fake identities to score drugs from pharmacies. This is the major reason why stolen health credentials are worth 10 times more than credit cards on the black market, according to Reuters.

Secondly, health care companies haven't focused on security as much as other industries have, and have been known to rely on outdated software. "Healthcare organizations have invested less in IT, including security technologies and services than other industries," says Lynne Dunbrack, a vice president at market research firm IDC.

That's true for insurers in part because they aren't incentivized to make security a priority. Their end customers often have little choice as to which provider they use, since that choice is typically made by employers. Insurers are not likely to lose as much business over a data breach as, say, a retailer. For example, it is much easier for a shopper to choose Walmart over Target after the latter suffered a massive security breach last year.

In general, companies that administer their data in servers located on-premise are often less secure than companies that rely on major cloud computing vendors, according to Kevin Spain, a general partner at Emergence Capital. "The most vulnerable systems tend not to be cloud-based because security is what they do," he says. A hack like this may not ruin a health insurance company like Anthem, but it could destroy a cloud software company like Salesforce, Spain says: "That's why there is a different level of priority."

http://fortune.com/2015/02/05/why-health-hacks-are-worse-than-credit-card-hacks/