Cyber Security “Brush-Update”
**All Season Financial Advisors has not previously been targeted by any cyber-security threats**
Recent events warrant an announcement regarding personal information security and the risks of negligent authentication processes (aka “Social Engineering”) regarding financial and informational data. I do not mean to invoke the moment in as far as using couriers to pass along important information, but with such high-level “hacking” going on, we would be remiss for leaving low-level cyber-security scams, hacks, social engineering threats and avoidable mistakes absent from the media of our clients (and non-clients).
As I am not a cyber-security expert, please consider this article as a brush-up and update (Brush-Update) course and not a comprehensive guideline.
Scam 1: Buying a House
Criminals have been known to enter the accounts of Real Estate agents and monitor email correspondence. At the right times, these criminals fabricate an email instructing buyers to wire money into false bank accounts. Once sent, these escrow and other payments are many times unrecoverable by any means.
Thoughts on Scam 1:
Many email providers will alert users when an email account has been logged into from a new device. Be aware that the criminal could just delete this email never allowing the target to know. A step in the right direction in regard to email safety is to have a phone number associated with it for access and authentication in the case of criminal activity.
When executing wires, ensure instructions are accurate! Enough said. Do not send a wire to an account you are unfamiliar with. Agents, Advisors, Bankers and other professionals should be doing their best to protect clients from sending false wires but clients have the final say. When in doubt, call the receiving party to confirm the wire information. Use the same phone number you have always used, not the one in the wire instruction email if it is different.
Scam 2: Alerts About your Account
Criminals pretending to be a service provider will email saying there is an issue with an account and prompt the target to type their username and password, many times onto a page that is not the company “Home Page”. This scam allows the criminals access to all types of accounts.
Thoughts on Scam 2:
The alert scam can be used to gain access to any type of online account. Shopping, Email, Banking, Enterprise and Company software. Be aware and know what to look for. When a service provider indicates a problem, inspect the sender of the email. Ensure the email is actually coming from a legitimate looking address. Also, do not put your credentials into any website other than that of the service provider. Attempt to fix the “issue” by going through the provider, not through the links on a suspect email.
Scams 3-5 Brought to us by Laura Shin, Contributor to Forbes.com and her conversations with Michele Fincher and Chris Hadnagy of Social Engineer, an agency that offers consultation and training in social engineering. See the full article for more detail.
Scam 3: The IRS Scam
From the holidays through to the end of the tax season on April 15, hackers call the target from a “spoofed” phone number — one that masks the caller’s true number and replaces it with a number from, in this case, the Washington, D.C. area — and claims they are calling from the Internal Revenue Service. In this case, the hacker typically knows a lot of information about the target already — the name of the person who is supposed to answer, their address, etc. “The assumption is they’re getting this data off the dark web, usually from one of the health care breaches,” says Hadnagy.
They usually say that an older tax return, maybe from three or five years ago, has accrued late debt, usually around $2,000-$5,000. “They’re not saying ‘you owe us $50,000,” but a number that most people could afford to scrounge up,” says Hadnagy.
If the target falls for it, the hacker says that because the debt has previously been unpaid, bank transfers and credit card payments are not accepted and that the only form of payment possible is a money transfer through a service similar to Western Union (though not Western Union itself) that is nonrefundable and non-traceable.
Scam 4: Ransomware
Hackers are also now convincing their targets to install malicious software onto their computer that then encrypts all their data. The hacker then locks it so it’s inaccessible to the victim, and the software then also explains that the computer is now locked and demands a ransom before the hacker will unlock the computer for you.
Victims are told to go to one particular site or to call one particular number, where the ransom could be anywhere from hundreds to thousands of dollars. Payments are demanded by credit card, bank transfer, a money transfer service like Western Union or Paygram, PayPal and bitcoin. Unfortunately, often, the hacker will take the ransom but not unlock the computer, so now they have both your money or credit card information and also your data, which can allow them into all kinds of other accounts.
The social engineering part of this scam happens several ways.
Perhaps one day you’re browsing the web, when suddenly, a warning that looks like a federal warning, say, from the FBI, pops up saying, “Child pornography was found on your computer. You’re being reported to the FBI. You can avoid this by paying this fine.” But when you click, it downloads the encryption program onto your computer.
Or maybe you get a call from Microsoft saying that the company logged data from your machine that looks malicious, so they want access to your machine. (In this case, the hackers typically target older people.) The Microsoft customer service rep has you install a program called Tame Bureau, which is used for customer support all over the globe, which then gives the attacker control to install their encryption program onto your computer.
Or, maybe you just receive an email offering a coupon or free screen saver, but when you open it, it installs software that takes over your computer and encrypts the drive.
Scam 5: Business Email Compromise scams
In a so-called BEC scam, the hacker aims to get into an email account and obtain the financial data stored there, whether it’s bank statements, login information or other financial data such as verifications of wire transfers or payments in and out of your account.
Sometimes they’ll gain access to the email account by sending the victim a document containing malware. Once opened, the malware infects the computer, allowing the attacker to browse the machine remotely. In the recent case of John Podesta’s email, the hackers sent him a password reset email that linked to a fake page. There, he gave the attackers his email password (called credential harvesting), which gave them the ability to browse his email.
In one variation of a BEC scam, if, say, the CEO’s email was compromised, a malicious attacker could impersonate him or her and send an email to the head of finance, saying, “I’m heading out of town for the holidays and will be on a plane and out of reach for the next several hours, but we need to make a wire transfer asap to bank account #XXXXXXX.”
This is especially common when people are traveling or when people work together but don’t necessarily know each other personally. “This tactic uses the sense of authority or legitimacy,” says Fincher. “If my boss tells me to wire money, I’m not going to question it.”
So if you’ve got 30-character random unique passwords on every account, don’t think you’re immune to a hack. “Social engineering, in general, isn’t about how smart technically you are,” says Fincher. “It’s about what connects you to others, what makes you curious and angry and what might make you act without thinking.”
Please review your personal exposure and information hygiene appropriately. Know the red flags and stay up to date on proper procedures and industry norms.
All the best,
Alex Osmond
