Thursday, March 3, 2022

Protect Yourself This 2022 Tax Season

 


Benjamin Franklin said that the only certain things in life are death and taxes. While we get ready for tax season at the beginning of each year, another certainty exists: cybercriminals will attempt tax-related scams. April 18th marks the Internal Revenue Service’s (IRS) tax filing deadline for 2022. While you might be rushing to file your returns (breathe... you still have time), you may be the next target for a cyber-attack. During the tax season, fraudsters and cybercriminals use social engineering to lure and deceive people into unwittingly handing out credentials, money, and personally identifiable information (PII).

Many cybercriminals also use the tax season to deliver threats like ransomware, spyware, and banking trojans. Others use fake IRS phone calls and online services to trick taxpayers into sending money to the fraudster’s accounts.

Here’s what you need to know about tax scams and what you should look out for to avoid them.

What are IRS Tax Frauds

First, what is IRS tax fraud? IRS tax frauds are scams that usually occur in the early part of the year, revolving around tax preparation season. IRS tax scams typically begin with an email posing as the IRS (there are other methods of attack) and redirect unsuspecting users to phishing and malware-ridden websites. Emails can also have malicious attachments, such as spyware, backdoor or banking malware, and remote access trojans impersonating legitimate files. These threats are designed to steal your PII, which an attacker can then use to access your accounts or sell your account info in underground marketplaces.

These threats became so prevalent that, in 2004, the IRS came up with a list: the Dirty Dozen. Compiled annually, the Dirty Dozen list details the most common scams to help protect taxpayers. Here is the IRS Dirty Dozen for 2021.

What to Look Out For

Below are some common things to look out for.

·         Phishing Emails - Emails claiming to be from the IRS, typically promising you sizeable tax refunds or threatening you with legal action. Variations of these schemes include hijacking your personal bank account, filing fraudulent tax returns, and then asking you to refund the money by posing as a collection agency or the IRS. Other phishing schemes also target employee financial information (e.g., Form W-2 data).

·         Phone Scams - Unsolicited phone calls claiming to be from the IRS, intimidating you with legal action to coerce you into paying a fake tax bill. These scams also include the so-called “robocall,” a text-to-speech recorded voicemail that directs you to contact a specific number.

·         Identity Theft - Tax-related identity theft schemes entail scammers using stolen Social Security or Individual Taxpayer Identification numbers to claim tax returns or refunds. Other cybercriminals target businesses by illicitly filing corporate income tax returns using stolen identities.

·         Return Preparer Fraud - This type of fraud involves tax professionals/preparers filing false income tax returns. This includes claiming inflated or excessive credits, expenses, deductions, and exemptions, sometimes without your knowledge.

·         Inflated Refund Claims - Scammers lure you by promising you credits, rebates, or benefits. Some fraudsters use fake forms (e.g., W-2 or Form 1099) which improperly report taxable income.

·         Falsifying Income to Claim Credits - Like inflating refunds, this kind of fraud involves reporting made-up income to increase refundable tax credits. Variations of this fraud include scammers conning you into signing fake forms and providing PII in order to claim a refund.

·         Fake Charities – Fraudsters may set up fake charities then try to deceive you into making donations or giving out your PII, luring you with tax incentives.

·         Pandemic-related Scams - Scams that fraudsters have been running since the 2020 pandemic. These include scams regarding unemployment and stimulus payments, and may also ask you to provide PII to claim tax credits.

The IRS lists many things to keep an eye out for; check out their Dirty Dozen for 2021 to see what might be going on in 2022.

How to avoid tax scams

You should exercise caution. Never open links or attachments that come from unexpected or suspicious senders, especially when they claim to be from officials or agents of government organizations. Unsolicited email from an IRS-related component, such as the Electronic Federal Tax Payment System (EFTPS), should be immediately reported to the IRS via phishing@irs.gov.

To help you avoid IRS scams, here are the things that the IRS will never do:

·         Call and demand immediate payment or call about taxes owed without first having sent a bill.

·         Initiate contact by email to request personal or financial information.

·         Demand tax payment without giving you the opportunity to question or verify the owed amount.

·         Ask you to give out credit and debit card information over the phone or email.

·         Require you to use a specific payment method, such as a prepaid debit card, to pay your taxes.

·         Threaten to bring law enforcement to have you arrested for not paying.

Thursday, February 3, 2022

Protect Yourself from Romance Scams




Valentine’s Day is a day when you and your sweetheart remind each other how much you mean to one another. The day doesn’t have to be just for couples. In fact, for many it is an opportunity to go out and meet someone new.

Sadly, Valentine’s Day has also become another opportunity for scammers, hackers, and cyber thieves to wreak havoc. Whether you’re shopping online or looking for a match online this Valentine’s Day, there’s always an element of risk involved. There are many different types of cyber crimes, but in this article, we are going to talk about romance scams.

What are Romance Scams

Romance scams are when a criminal adopts a fake online identity to gain a victim’s affection and trust. The scammer then uses the illusion of a romantic or close relationship to manipulate and/or steal from the victim.

Criminals who carry out romance scams will seem genuine, caring, and believable. The scammer’s intention is to establish a relationship as quickly as possible, endear themselves to the victim, and gain trust. Scammers often propose marriage and make plans to meet in person, but that will never happen. Eventually, they will ask for money.

If someone you meet online needs your bank account information to deposit money, they are most likely using your account to carry out other theft and fraud schemes.

Reported Scams to the FBI

Believe it or not, according to the FBI, romance scams account for high financial losses among web-facilitated crimes. From January 1, 2021 to July 31, 2021, the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints related to online romance scams, resulting in losses of approximately $133,400,000. Yet the bureau estimates that only a fraction of crimes are even reported, putting the actual number much higher. It’s likely that people are too embarrassed to report they were scammed. (Source: Scammers Defraud Victims of Millions of Dollars in New Trend in Romance Scams)

Tips for Avoiding Romance Scams

Scammers happily take advantage of the peak of online dating activity between New Year’s and Valentine’s Day. They are spending time on apps and websites such as Tinder, OKCupid, Plenty of Fish, Match.com and others looking for their next victim. You should be aware of deceptive profiles.

  • Be careful what you post and make public online. Scammers use methods of social engineering to gather information on you. They can use these details shared on social media and dating sites to better understand and target you.

  • Do not disclose your current financial status, banking information, Social Security number, copies of your identification, passport, or any other sensitive information to anyone online or to a site you do not know is legitimate.

  • Research the person’s photo and profile using online searches to see if the image, name, or details have been used elsewhere. Usually scammers piece together a profile from other content online to sound more believable.

  • Take your time and ask lots of questions. Beware if the individual seems too perfect or quickly asks you to leave a dating service or social media site to communicate directly. Often the scammer will promote an unbelievable investment opportunity for you both to make a substantial amount of profit. They may direct you to different sites they have created that promote the scam.

  • Never send money, trade, or invest on the advice of someone you have met solely online. If someone you meet online needs your bank account information to deposit money, they are most likely using your account to carry out other theft and fraud schemes.

  • Beware if the individual attempts to isolate you from friends and family or requests inappropriate photos or financial information that could later be used to extort you. A lot of scammers will try to separate you from your support, making you more vulnerable and dependent on them. This can put you in the position to comply with any requests and demands.

  • Beware if the individual promises to meet in person but then always comes up with an excuse why he or she can’t. If you haven’t met the person after a few months, for whatever reason, you have good reason to be suspicious. Some scammers might say they are in a career like the construction industry and are engaged in projects outside the U.S. That makes it easier to avoid meeting in person—and more plausible when they ask for money for a medical emergency or unexpected legal fee.

To report a scam to the FBI IC3, please visit www.ic3.gov.


Thursday, January 13, 2022

New Year, New passwords: 5 Tips for Password Managing in 2022

 

Happy New Year! It’s that time of the year to pin down New Year’s resolutions. It’s a perfect time for you to make changes and focus on things you were maybe not so successful with in 2021. People may be focusing on eating healthier, or working out more often, but have you thought about taking the time to make some changes to your digital hygiene?

As we enter the new year, we must be aware that not a single person is completely invincible when it comes to cyber-attacks. One of the most common ways cyber criminals can unlock your personal information is through your password. Is your password safe? Is your password easy for criminals to crack in less than a second? In order to not become a victim of a cyberattack, here are a few steps you can take to keep your information safe in 2022.

  • Look into investing in a password manager. LastPass and Dashlane are two of many apps that keep your passwords safe. They offer a free as well as a paid version. These apps safely store your passwords online and are supported on multiple platforms. According to LastPass, employees reuse a password an average of 13 times.
  • When creating a password, we suggest using a passphrase (a few random words for your password). This is the best way to create a password that is memorable yet strong enough not to be easily hacked.
  • Another method of creating a password is to take a sentence and turn it into a password. First, select a sentence that you will remember, then assign each word a series of characters to help you remember it.

Here are a few examples:

·         May the force be with you! = M@ytef0c3Bw1hU!

·         With great power, comes great responsibility = Whgr@p0rC0m3$G@tr3$p1Biy

·         Be Cougar secure! = b3Cg@rscU3!

  • It is important to regularly change your passwords. The longer you keep your passwords the same, the more likely they are to be exposed to hackers.
  • Make sure you are using different passwords for every app and online site. If a hacker is able to unlock one of your accounts by unlocking your password, this means he/she will now be able to easily hack your other accounts.

Remember, even the people with the strongest passwords still remain possible victims of cybercrimes. Let 2022 be the year we all focus more on our personal and professional cybersecurity and safety. 

Cougar Security Team

Jason Youngquist | John Johnson | Phillip Armstrong

Wednesday, December 8, 2021

Don’t get Hacked for the Holidays

‘Tis the season for holiday celebrations and scams!

As retailers deck the halls with amazing deals and limited-time offers, hackers celebrate with their own traditions — trying to trick you into sharing sensitive information in exchange for exclusive holiday deals. 

Keep you and yours safe this holiday season with these online safety tips from our friends at Infosec. 

 


Wishing you a merry, safe and cyber-secure holiday season! 

Cougar Security Team

Jason Youngquist | John Johnson | Phillip Armstrong


Thursday, October 28, 2021

Protect Yourself from Vishing Attacks

 

Most everyone knows of phishing scams, spam emails that ask you to click a link or to send personal information so that someone can access your information. Regular security tests and awareness training help people learn and protect against phishing scams to keep individuals and organizations safe. Some scammers will attempt to call to speak to individuals instead of trying to get them to divulge sensitive information over email. While most people know of these phone scams, most don't know that the process of using a voice call to attempt to illegally obtain sensitive information is actually called Vishing.

Vishing is similar to phishing in that the scammer attempts to trick an individual into giving up sensitive information. Instead of sending an email, though, the scammer makes a phone call and will attempt to speak directly to the individual or get the individual to call them back. Scammers will try to get you to give up sensitive information by pretending to be a trusted company or sometimes an official from the government or a bank. Spoofing technology lets a scam call use automated systems or change the phone number your caller ID displays so that the call seems to come from a trusted number.

Since most vishing attempts will be from an individual attempting to impersonate someone that you would be willing to give sensitive information to, the caller will most likely know some personal information. The caller will likely know your name, contact information, workplace, and might even know your address or Social Security number. A caller having this information and being able to readily provide it if asked is one of the dangers of vishing, since people are more likely to believe someone who has access to their personal information.

How can you prevent information theft through vishing attacks?

Most importantly, do not provide sensitive information over the phone. You should avoid giving out login information, account data, or personal identifiers over the phone. You should always verify that the number you receive a call from belongs to the organization, without searching for the phone number itself. Look up the company or organization that the individual claims to work with and see if the phone number matches and if the individual appears in a directory, if one is available. If a directory is not available and the caller is asking for sensitive information, call the company office from another phone and ask to speak with the caller. If the company states that there is no one by that name in the office, or if that person is available in the office, you know that the caller is not who they say they are.

If possible, avoid answering calls from unknown numbers and decide if you should respond based on the voicemail if one is left. If you answer a call from an unknown number, do not press keys or respond to automated messages in order to avoid being marked as a potential future target. If you are speaking with someone unknown, try to avoid words that can be recorded and used against you later such as “Yes,” “sure,” “okay,” and “that’s fine.” Hang up at any time on a call that makes you feel uncomfortable or that may be a vishing attempt. 

If you believe that a call may have been a vishing attempt, or if sensitive information is provided over the phone, contact Technology Services so that security measures can be taken.

Monday, October 25, 2021

When you’re ahead of the game, you can’t be gamed - 10 Ways to Be Cyber-Secure at Home






Being aware and prepared is one of the best ways to prevent cyber security attacks in the office or at home. When you know what you are looking for, the chances of falling for an attack are slimmer. When you’re ahead of the game, you can’t be gamed. Here are 10 ways to be cyber-secure when you are at home.

  1.  Identify your perimeter - Less is more! The fewer connected devices and entry points you have, the safer your network is.

  2. Update software and devices regularly - Regular updates make you less vulnerable to attack. Only download updates from the manufacturer and enable auto-updates when possible.

  3. Secure your Wi-Fi network - Routers often have default credentials that people don’t know about. Disable the “remote configuration” option in your router and change both your Wi-Fi password and your router password.

  4. Watch out for insecure websites - Always use HTTPS for sensitive communications. Don’t ignore browser warnings and always remember to check the website address carefully for misspellings and oddly-placed letters or numbers. When in doubt, manually enter the URL in your browser.

  5. Back up your files - Backups save your information if your device breaks or is taken over by an attacker. Back up files to a removable device that can be locked away safely, such as a CD or flash drive.

  6. Don’t download carelessly - Files can contain malware, and websites aren’t always what they appear to be. Always verify sender identity before downloading files and remember: If it comes from an oddly-spelled email or is hosted on a site that makes your browser generate a warning, stay away!

  7. Encrypt devices to deter thieves - Encryption renders files unreadable without the correct key. Some devices offer the option to encrypt individual files or the entire device. Consider which solution suits your needs best.

  8. Practice password safety - Choose long passwords containing uncommon words. Use unique passwords for sensitive accounts and a password manager to help you remember them.

  9. Always use antivirus software - Antivirus needs updates, too! Set it to auto-update.

  10. Keep yourself informed - New cybersecurity bugs and attacks pop up every week. Staying informed about the latest threats will help you be safe!

Remember, you can report all suspicious emails to Technology Services at cchelpdesk@ccis.edu. Even if you know it is a phishing attack and ignore it, by reporting it you can help the Information Security Team identify and mitigate the attack for others.

Be mindful of the information you post online or on social media. Social engineers can use all sorts of information you post to help them take over your identity.

The Information Security Team is growing and dedicating itself not only to keeping our systems secure, but also to bringing awareness and education to you to help keep you more secure in the office and at home.

Stay up to date with all that we are doing at our blog! 

Thursday, October 21, 2021

What is Phishing?




We’ve all been there before. Getting into work, coffee in hand, trying to keep yourself awake. You go to check your morning emails and you’ve received an email, seemingly from management, stating that employees need to log in to a portal to fill out a form for work. The unaware might walk themselves straight into a classic phishing scam.

 

What is Phishing?

Phishing is a form of online identity theft that uses spoofed or fake emails that lead employees to unknowingly give out their personal usernames and passwords, financial info, or sensitive work data. These scams are usually disguised as coming from a trusted company, such as the bank you use or an online retailer you frequent, or structured as a work email. As a result, these malicious actors use the data provided to gain access to personal emails, banking information, or even your personal identity. With each passing day, phishing attempts have become more common and more complex.

 

Identifying Phishing

Phishing, in its most basic form, can be identified by an urgent request for personal information via email, or through links in emails. This can be disguised as a bank needing to confirm your login for a transaction, Amazon needing you to log in to Prime to claim a reward, or a request from your workplace to verify your identity by logging into your work’s “software” by clicking a shady link.

 

Threats of Phishing

  • Identity Theft
    • Ruining your credit with credit cards
    • Crimes being committed in your name
  • Loss of personal accounts
    • Facebook, TikTok, Instagram, etc.
    • Potential of friends and family falling for these scams from someone portraying you
  • Compromised Finances
    • Loss of bank credentials
    • Money transferred out of your account
  • Theft of Company Data
    • Sensitive customer information
    • Company files

 

Tips on Prevention

  • Be suspicious of any email urgently asking you to log in to your account or to hand out personal information.

  • Never give out your username, password, credit card information, or Social Security number to anyone over email. Technology Services will never ask for this information over email, and you should not provide it to a company requesting it over email. You can always provide it to them in person or over a phone call.

  • Don’t follow any links in an email unless you are sure the email is legitimate.

  • If you are in a work setting, or if you are ever unsure, get in touch with Technology Services' Information Security Team for confirmation.

Monday, October 18, 2021

Where's My Laptop?

 

Having a laptop can make many aspects of work easier. You can take it to meetings, sit down somewhere for a change of scenery, or even just declutter your workspace with a smaller device. However, having a portable computer like a laptop comes with risks that need to be addressed.

A laptop has a 1 in 10 chance of being stolen over its lifetime, according to the Kensington tech company. The research technology firm Gartner found that a laptop is stolen every 53 seconds. Over half of stolen laptops result in some form of data breach, with sensitive information accessed through the stolen device. A data breach can result in individuals having their personal information stolen, lead to legal or financial issues, or damage the trust the community has in Columbia College keeping their information secure. These issues and more could potentially come from the theft of one laptop. So how can you prevent laptop theft?

The best way to prevent laptop theft is to keep your computer with you! Unattended laptops are the ones that become targets for those who want to steal. Your laptop should not be left in your car, unattended in a public area, or in an unsecured area like an unlocked office. Don’t ask strangers to keep an eye on your laptop if you have to step away. If you have to leave the area in a public space, take your laptop with you!

While keeping your laptop with you is the best way to protect it, no one carries their computer with them 24/7. Your laptop should be left in a secure area while you are away. It is best to keep the laptop out of sight in a drawer or cabinet with a lock so that anyone passing by won’t see that there is an unattended laptop. There are also laptop locks that connect the laptop physically to an object and require a code to remove the device. The room your laptop is stored in should also be secured by locking the office door or keeping it somewhere where others have limited access.

If you are only stepping away from the computer for a period of time, it is important to either lock the laptop or sign out completely so that others cannot access your laptop. It is still best to secure the laptop and room just in case someone with ill intent comes by. Do not keep your passwords or security information written down anywhere that others can access it. This includes workstations, journals/planners, and other unsecured locations.

If your laptop does get stolen, or it looks like someone accessed your device without your knowledge, contact the Technology Service Center immediately so that steps can be taken to maintain the data security of Columbia College.

Thursday, October 14, 2021

Banking Trojan

 










A banking trojan is a malicious program designed to steal financial information or money from online banking apps or other financial platforms. There are many ways a smartphone, laptop, or computer can be infected with a banking trojan. Some of these vectors include:

  • Malicious Adobe Flash Player update
  • Amazon gift card offer scam
  • IRS email phishing scam
  • Malicious JavaScript file
  • Malicious macro-enabled Word documents
  • Malicious PDF files with web links
  • Malicious Google Doc
  • Malicious WhatsApp Updater
  • SMS messages with a link to download a malicious program

Almost every day it seems as though there is a new banking trojan that has been released.  Some of the names are:

  • Trickbot
  • Emotet
  • ZeuS
  • QakBot
  • IcedID
  • Bizarro
  • And many more

Tips to Stay Secure

  • Only install applications from the vendor (Google/Apple)
  • Keep apps and OS updated
  • Consider whether you should give a certain app the permissions it requests
  • Use an anti-malware program
  • Stay aware and vigilant of the various threat vectors


Thursday, October 7, 2021

Mobile/Laptop/Tablet Security












Most folks carry at least one mobile device, i.e., a smartphone. Besides a smartphone, many may also have a laptop and/or tablet. There are several different types of threats for these devices.

Threats

  • Loss, theft, misplacement – Since devices are small, they can easily be lost or stolen. 
     
  • Unauthorized device and data access – If a device is on, unattended, and the screen is left unlocked, a malicious individual could make changes to the device or access data on the device.

  • Malware – Any electronic device with an operating system, such as Windows, OS X, iOS, or Android, is vulnerable to malware. Anti-malware software can be installed on a device to help make sure it isn’t infected by malware.

  • Electronic eavesdropping – Malware has the ability to turn on mobile device microphones and/or cameras. If you have a mobile device in your pocket or near you, this could be used to listen in on your conversations.

  • Electronic location tracking – Most mobile devices have GPS built in. This can be good: if you misplace your phone, you can find it with a tracking application. But it can also be bad, because malicious software can use the GPS functionality to track your location.

Tips for Securing

  • Maintain physical control.

  • Don’t leave your device in an unlocked vehicle.
    • If you must leave your device in a vehicle, put it in the trunk or conceal the item under the seat and lock the doors.

  • Set a passcode and enable auto-lock.

  • Backup data regularly.

  • Apply critical patches/updates to the operating system and installed apps.

  • Use up-to-date antivirus software on smartphones and tablets.

  • Review the rights apps require before installing.

  • Use full disk encryption on the device – Apple FileVault 2 or Microsoft Windows BitLocker.

Register & Track

  • Register the device with the manufacturer.

  • Always keep your registration, make, model, and serial number in a safe place at home.

  • Asset tag, engrave the device, or apply distinctive paint markings (such as indelible markers) to make it easily identifiable.

  • Use commercial location software such as Apple Find My iPhone, LoJack Security, etc.


Monday, October 4, 2021

Cyber Security is Like a Game of Chess

 


And Checkmate! If you are familiar with chess, this is not something that you want to hear. It means that you are in a position with your king piece that you cannot escape. It’s Game Over man! In case you didn’t know, there’s a serious game being played today involving your data and identity. On one side are cyber attackers, and on the other are those who are trying to defend your privacy and personal accounts. Cyber Security is much like a game of chess!

You might be thinking: a game? Like chess? Well, let me explain!

Hacking is probably not a new term for you. In fact, hacking has been around for many years. There is an early account from 1971 where a hacker named John Draper hacked into phone systems using a plastic toy whistle from a cereal box. Crazy, right?

Well, in the early days of the internet and the personal computer, hacking was a game for many hobbyists. (There are still people today who participate in hacking championships for fun.) The early hackers would test the boundaries of what they could do and what they could get away with. However, while some treated hacking as a fun, innocent game, others began to realize the potential for malicious and criminal behavior.

Now jump forward many years, and as cyber attackers have become more sophisticated, the security industry has grown to defend against them. With new types of attacks developing all the time, we develop new strategic defenses to block and prevent them. Security tactics now become outdated as soon as attackers find ways around them. Meanwhile, attackers continue to rely more on social engineering tricks that are hard to defend against in general.

They make a move, then we make a move, and then they make a move, and so on and so on!

For us in the Information Security Department at Columbia College, cybersecurity is a lot like a game of chess. There are many pieces to move, and our strategy needs to keep tabs on all of them. We must adjust to our adversaries’ moves, move quickly against attackers, and protect your king at all costs. The cybersecurity game continues, but even as the stakes are rising, the rules are changing. It’s now more complicated than ever.

So, what can you do to help keep you ahead in this always evolving cybersecurity game?

  • Complete your Columbia College annual Cyber Security Training. 
    • This will ensure that you are up to date on best practices when it comes to being cyber secure.
  • Follow the best practices and policies outlined by Technology Services.
  • Use strong passwords and never share your password.
    • Remember that Technology Services will never ask for your Columbia College password.
  • Report all suspicious emails to Technology Services at cchelpdesk@ccis.edu
    • Even if you know it is a phishing attack and ignore it, by reporting it you can help the Information Security Team identify and mitigate the attack for others.  
  • Be mindful of the information you post online or on social media.
    • Social Engineers can use all sorts of information you post to help them take over your identity.
  • Be Aware
    • The Information Security Team is growing and dedicating itself not only to keeping our systems secure, but also to bringing awareness and education to you to help keep you more secure in the office and at home.
    • Stay up to date with all that we are doing at our blog!