Category Archives: Cybercrime

Blockchain and Cryptocurrency Scam / Ponzi Scheme

Posted on by

“Cryptocurrencies are like ‘pet rocks’.” ~ Jamie Dimon, CEO and Chairman, J P Morgan Chase

A blockchain is a digital ledger associated with an asset, recording the history of that transaction in that asset…who bought it and from whom. In other words, blockchains are simply append-only spreadsheets maintained across decentralized “peer-to-peer” networks, writes Sohale Andrus Mortazavi, in an article entitled “Cryptocurrency Is a Giant Ponzi Scheme”.

What distinctive about blockchain is that the ledgers are supposed to be decentralized: they aren’t sitting on the computer ‘or ledger’ of a single bank or company. They are in the public domain, sustained by protocols that induce many people to maintain records on many servers.

Cryptocurrency blockchains allow users to maintain a shared ledger of financial transactions without the need of a central server or managing authority. Users are thus able to make direct online transactions with one another as if they were trading cash.

Cryptocurrency blockchains generally don’t allow previously verified transactions to be deleted or altered. The data is immutable. Updates are added by chaining a new “block” of transaction data to the chain of existing blocks.

In theory, blockchain and cryptocurrencies were supposed to offer a lower cost and more secure method to keep track of transactions. But, cryptocurrencies don’t produce anything of material value. Investors can only cash out by selling their digital coins to other investors.

Which makes them an experiment in the “greater fool” theory of investing, in which investors attempt to profit on overvalued or even worthless assets by selling them on to the next “greater fool”. Price manipulation plays as much or more of a role than demand in driving prices higher.

Furthermore, the parent company of Tether and Bitfinex, is printing tethers from thin air and using them to buy up Bitcoin and other cryptocurrencies in order to create artificial scarcity and drive prices higher. Sam Bankman-Fried’s company FTX imploded due to similar fake proprietary tokens artificially inflating and propping up risky trades by FTX’s affiliate Alameda.

Tether has effectively become the central bank of crypto. Like central banks, they ensure liquidity in the market and even engage in quantitative easing — the practice of central banks buying up financial assets in order to stimulate the economy and stabilize financial markets. The difference is that central banks, at least in theory, operate in the public good and try to maintain healthy levels of inflation that encourage capital investment. By comparison, private companies issuing stablecoins are indiscriminately inflating cryptocurrency prices so that they can be dumped on unsuspecting investors (greater fools).

Cryptocurrency has been one of the greatest destroyers of wealth in the financial history of mankind. ~ Jay Adkisson

This renders cryptocurrency not merely a bad investment or speculative bubble but something more akin to a decentralized Ponzi scheme. Unbacked stablecoins are being used to inflate the “spot price” — the latest trading price — of cryptocurrencies, like Bitcoin, to levels totally disconnected from reality. If cryptocurrency and NFT markets cannot keep luring in enough new money or capital becomes to expensive due to rising interest rates to cover the growing costs of mining (think Ponzi scheme), the scheme will become unworkable and financially insolvent.

Cryptocurrency has been one of the greatest destroyers of wealth in the financial history of mankind, writes Jay Adkisson, in Forbes.

“Many Bitcoin promoters are simply shilling and attempting to pump the price of Bitcoin up because they themselves are invested in cryptocurrency companies.” ~ Jay Adkisson

“It is hard to imagine cryptocurrency being a suitable investment for all but those who are sufficiently wealthy that they can burn wads of cash off a bridge and not be distressed by it,” writes cryptocurrency watcher Charles Padua. Many Bitcoin promoters are simply shilling and attempting to pump the price of Bitcoin up because they themselves are invested in cryptocurrency companies.

Bottomline, Bitcoin itself may not be a total fraudulent scam, but how Bitcoin and all cryptocurrencies are being promoted and sold by its legions of ‘conflict of interest’ advocates to the average retail investor is the definition of a scam and Ponzi scheme.

References:

  1. https://jacobin.com/2022/01/cryptocurrency-scam-blockchain-bitcoin-economy-decentralization
  2. https://www.forbes.com/sites/jayadkisson/2018/11/20/the-great-cryptocurrency-scam/?sh=fc556be359fe

Cyber Threats are Clear and Present

Posted on by

Cybersecurity threats, malware and ransomware are clear and present danger threats to American businesses and way of life.

This week, Americans wake-up to dire warnings from the federal government in Washington to growing cyber threats and malware from Russia. The federal government warns American citizens, organizations and businesses to enhance their cyber vigilance and security in preparation of cyber attacks originating from Russia targeting critical information and infrastructure.

The latest cybersecurity threats are taking advantage of pandemic induced work-from-home environments, remote access tools, and new cloud services. According to CISA, these evolving cybersecurity threats include:

  • Malware — malicious software variants—such as worms, viruses, Trojans, and spyware—that provide unauthorized access or cause damage to a computer. Malware attacks are increasingly “fileless” and designed to get around familiar detection methods, such as antivirus tools, that scan for malicious file attachments.
  • Ransomware — a type of malware that locks down files, data or systems, and threatens to erase or destroy the data – or make private or sensitive data to the public – unless a ransom is paid to the cybercriminals who launched the attack. Recent ransomware attacks have targeted state and local governments, which are easier to breach than organizations and under pressure to pay ransoms in order to restore applications and web sites on which citizens rely.
  • Phishing / social engineering — a form of social engineering that tricks users into providing their own sensitive information. In phishing scams, emails or text messages appear to be from a known individual or legitimate company asking for sensitive information, such as credit card data or login information. The FBI has noted about a surge in pandemic-related phishing, tied to the growth of remote work.
  • Insider threats — Current or former employees, business partners, contractors, or anyone who has had access to systems or networks in the past can be considered an insider threat if they abuse their access permissions. Insider threats can be invisible to traditional security solutions like firewalls and intrusion detection systems, which focus on external threats.
  • Distributed denial-of-service (DDoS) attacks — attempts to crash a server, website or network by overloading it with traffic, usually from multiple coordinated systems. DDoS attacks overwhelm enterprise networks via the simple network management protocol (SNMP), used for modems, printers, switches, routers, and servers.
  • Advanced persistent threats (APTs) — an intruder or group of intruders infiltrate a system and remain undetected for an extended period. The intruder leaves networks and systems intact so that the intruder can spy on business activity and steal sensitive data while avoiding the activation of defensive countermeasures. The recent Solar Winds breach of United States government systems is an example of an APT.
  • Man-in-the-middle attacks — an eavesdropping attack, where a cybercriminal intercepts and relays messages between two parties in order to steal data. For example, on an unsecure Wi-Fi network, an attacker can intercept data being passed between guest’s device and the network.

A majority of Americans have moved their financial and daily lives online, and thus are more susceptible than ever to of cyber crime, malware and ransomware attacks.

As you might image, today’s world is more interconnected than ever before. Yet, for all its advantages, increased connectivity brings increased risk of theft, fraud, and abuse.

As Americans become more reliant on modern technology, we also become more vulnerable to cyberattacks and cybercrimes.

Every organization—large and small—must be prepared to respond to cybercrime and disruptive cyber incidents, explains the Cybersecurity and Infrastructure Security Agency (CISA). CISA leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

CISA recommends all individuals and organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets, like a “zero trust strategy”.

A zero trust strategy assumes compromise and sets up controls to validate every user, device and connection into the business for authenticity and purpose. To be successful executing a zero trust strategy, organizations need a way to combine security information in order to generate the context (device security, location, etc.) that informs and enforces validation controls.

References:

  1. https://www.ibm.com/topics/cybersecurity
  2. https://www.cisa.gov/shields-up

Keep Yourself Cyber Safe

Posted on by

Every American can take simple steps to improve their cybersecurity and protect themselves while online.

As the nation’s cyber defense agency, Cybersecurity and Infrastructure Security Agency (CISA) stands ready to help individuals and organizations prepare for, respond to, and mitigate the impact of cyberattacks and cybercrime.

Currently, CISA recommends all individuals, organizations and businesses —regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical information and assets.

Every American can take several simple steps to improve their cybersecurity and protect themselves while online. In fact there are 5 things you can do to keep yourself cyber safe. CISA urges everyone to practice the following: 

  • Implement multi-factor authentication (MFA) on your accounts. A password isn’t enough to keep you safe online. By implementing a second layer of identification, like a confirmation text message or email, a code from an authentication app, a fingerprint or Face ID, or best yet, a FIDO key,  you’re giving your bank, email provider, or any other site you’re logging into the confidence that it really is you. Multi-factor authentication can make you 99% less likely to get hacked. So enable multi-factor authentication on your email, social media, online shopping, financial services accounts. And don’t forget your gaming and streaming entertainment services!   
  • Update your software. In fact, turn on automatic updates.   Bad actors will exploit flaws in the system. Update the operating system on your mobile phones, tablets, and laptops.  And update your applications – especially the web browsers – on all your devices too.   Leverage automatic updates for all devices, applications, and operating systems. 
  • Think before you click. More than 90% of successful cyber-attacks start with a phishing email.  A phishing scheme is when a link or webpage looks legitimate, but it’s a trick designed by bad actors to have you reveal your passwords, social security number, credit card numbers, or other sensitive information. Once they have that information, they can use it on legitimate sites. And they may try to get you to run malicious software, also known as malware.  If it’s a link you don’t recognize, trust your instincts, and think before you click. 
  • Use strong passwords, and ideally a password manager to generate and store unique passwords.  Our world is increasingly digital and increasingly interconnected. So, while we must protect ourselves, it’s going to take all of us to really protect the systems we all rely on. 
  • Halt bad practices. Take immediate steps to: (1) replace end-of-life software products that no longer receive software updates; (2) replace any system or products that rely on known/default/unchangeable passwords; and (3) adopt MFA for remote or administrative access to important systems, resources, or databases.

Americans should prepared themselves to respond to cybercrime and to disruptive cyber activity. CISA encourages everyone to put their “Shields Up” and take proactive steps to protect against active and future cyber threats. 

References:

  1. https://www.cisa.gov/shields-up
  2. https://www.cisa.gov/free-cybersecurity-services-and-tools

Preventing Scams and Cybercrime

Posted on by

Fraudsters and cybercriminals are getting sneakier – sometimes even claiming to be your bank or financial institution. Outsmart scammers with these tips.

With more than 2 billion people worldwide accessing the internet through smartphones, hackers have never had greater incentive to devise new scams. Getting scammed is an unpleasant experience, but you can be one step ahead.

For example, you look at your phone and you have a new text message saying it is from your bank or financial institution. The message tells you to click this link and download a new app to secure your identity or customer account. It’s strange because you’ve never received a text from your bank at this number before, and you already have your bank’s app downloaded, or at least you thought?

STOP! Don’t click that link. There are a number of red flags to watch out for to recognize a phishing attack. Although this trick is commonly employed over email, savvy thieves are now trying to install ransomware or steal your financial or personal information by impersonating a bank, credit card company or service provider by phone calls or even text messages. Phishing is when a fraudster tricks a consumer into providing their personal information through a fake app or website. The site may appear have a copy of your bank’s or another company’s logo and appears legit. So how do you tell it’s not?

  • With increasing number of cases related to cyber frauds or online scams, it’s recommended that you follow these tips to detect a scam by text and protect your identity:
      • Check the number and search for how your bank has texted you in the past. Are they different? Don’t click the link!
      Is this message irregular? If you have not recently conducted business, used your cards or logged into your bank via the app, mobile or desktop, it may feel out of context to be receiving this request. Don’t click it!
      Are they using the right terminology for you and your account? Does your bank refer to you as a member but this text message says “customer.” Don’t click it!

    REMEMBER: Do not download any software or click on unknown links sent to you by email or text! Banks will typically never ask you to download software in an email or while you are on the phone with us..

    Emails

    There are some easy ways to ensure the email is from bank. Bank emails typically include a Security Zone to help you distinguish a legitimate email from a fraudulent one. Here is what to look for to help identify authentic emails:

    • Always hover over the sender’s email address to verify who it is from. Banks will only send emails from an address that clearly indicates it is from your bank.
    • To be effective, you must verify the spelling of your first and last name and the accuracy of the last four digits of your USAA member number every time you receive an email from USAA.

    Phone Calls

    RING, RING, RING

    The caller ID says your bank across the top. It’s not a 1-800 or a 1-877 number, but when you answer, the caller says they are with your bank and now asks for your customer service identification number to verify you. The caller may offer to assist with installing software you need for your financial services … what do you do?

    STOP! Don’t share your personal information before verifying the caller. If your bank is calling you, they typically will never ask for your “customer” identification number, credit card number or other personal information.

    Follow these tips to detect a scam by a phone call and protect your identity:

    • Do not share security or personal data: Your bank will never call you and then ask you for your one-time verification code, PIN, password or other personal identification details.
    • Always realize that you can call your bank to determine if any request for information is valid. When you call us, know that we’ll use the multifactor identification code from your phone to verify you.

    “Grandpa, I need your help. My car won’t start. Please send me money using this app…” OR

    “Hi, how are you? I can’t deposit any money into my bank account because I am deployed. Can you send me some money for my phone card so we can continue talking? I really miss you.”

    STOP! Imposters have many tricks up their sleeves when they are trying to access your information or steal your assets. As discussed above, it could be by impersonating a company through a phone call, email or text, but now they are even trying to contact you on third-party social platforms, like Facebook or Twitter, or through dating apps and sites.

    Follow these tips to avoid a grandparent or romance scam:  

    • Never send money to someone you don’t know in real life, especially using a third-party app like Zelle, CashApp, etc.
    • If someone claims to be a family member, verify with that family member by calling them directly! If you think your grandson needs help, call him or call his parents before sending money unintentionally to a scammer.
    • Do your research. If you are getting to know someone online, make sure you look them up, validate they are who they say they are. Some also claim to not have access to common resources overseas because they are serving, which is often untrue.

    If any of these situations should happen to you, reach out for advice before giving out any personal information. And, if you get a suspicious email, text, instant message or phone call, you can report it to your bank or to the Federal Trade Commission at ftc.gov/complaint.

    If a scam does trip you up in real life, get help! The FBI has an Internet Crime Complaint Center at ic3.gov. You can also report identity theft to the Federal Trade Commission to 1-877-ID-THEFT (84338).

    There are also some easy ways to ensure a text message is from your bank.  Based on your request, many banks may send a one-time code as part of its multi-factor authentication process. If you suspect fraud, you should:

    •  REPORT! Even if you didn’t share personal information or click a questionable link, if you suspect fraud, let us know so we can help prevent it to protect you and other members in the future.
    • If you receive a suspicious call from someone claiming to be your bank and is requesting account information or security credential information, hang up immediately!
    • If you provided any personal identifiable information prior to hanging up, alert your bank.
    • If you did not provide any information, you should still send an email to your bank reporting the phone number or text message and message details. This helps them to actively work to shut down fraudulent callers, sites and emails.

    Imposters can come from the least expected places and they are constantly changing their tactics. That’s why it is so important to always be on alert. While financial institutions can use sophisticated detection processes, they are most effective in fighting fraud when they work together with their customers.

     

    Think Before You Click

    Posted on by

    #ThinkB4UClick

    The global pandemic has tested the online security resilience and vigilance of people world-wide, while at the same time the pandemic is pushing more and more individuals to conduct their daily personal and work lives online.

    Unfortunately, cyber criminals have sought opportunities to create havoc and financial gain in the midst of the chaos caused by the pandemic.

    Since our lives have shifted into the digital dimension, educating the online user on cyber security has become more important than ever before.

    As a result, cyber security has become increasingly important domestically and globally. But we must all remember that cyber security begins with a few basic steps such as: being vigilant, changing your password often and most important… think before you click on or open a link.

    Tips for Securing Your Digital Accounts

    Like keeping our doors locked to keep our homes safe from burglars, keeping our online accounts secure is vital to help protect ourselves from cyber criminals – and passwords are the key.

    Here are some tips to help you keep your accounts safe online.

    1. Choose strong passwords

    The stronger your password is, the more difficult it is to hack your account.

    Create passwords that are at least 15 characters long and include a combination of upper and lower case letters, numbers and symbols if allowed.

    A good way to do this is to create a passphrase – use a sentence that includes unusual words, or words from different languages.

    In addition, always use unique passwords for all your online accounts.

    2. Use a password manager

    A password manager is a convenient way to take care of your passwords.

    Several very good password managers are free and easy to use. It will create strong passwords for you and keep them secure.

    If you’d prefer not to use a password manager, write your passwords into a notebook and keep it in a secure place away from your computer.

    3. Enable Multi-Factor Authentication (MFA)

    Multi-factor authentication (like 2FA) provides an extra layer of security to help protect your accounts.

    It is an electronic authentication method where you need to present two or more pieces of evidence (factors) to confirm your identity and access your account, for example a password and a code that is sent to your mobile phone. Your account cannot be accessed without entering this code.

    4. Do all of the above!

    For extra security, use a password manager that will create strong passwords for you and enable multi-factor authentication when available for your best chance to keep your accounts secure.

    References:

    1. https://cybersecuritymonth.eu/resources/top-tips-for-securing-your-accounts/

    Cyber Security Awareness: Ransomware

    Posted on by

    “Organizations and consumers are frequently exposed to the clear and present danger of sophisticated phishing and ransomware cyber attacks.”

    Over the last several years, ransomware has remained a “clear and present” cyber security threat for organizations and individuals around the world. As companies have gone increasingly digital, cyber criminals have sought to maximize their profits by exploiting the vulnerabilities that come with a rapidly expanding cyber ecosystem.

    Global cyber threats include ransomware, common hacks such as phishing and malware, or complex state- sponsored spying efforts like with SolarWinds. And, the frequency of today’s cyber attacks is growing and compelling companies to secure their networks with the most modern threat detection technology.

    Ransomware is a malware that infects computers (and mobile devices) and restricts their access to files, often threatening permanent data destruction unless a ransom is paid. It has reached epidemic proportions globally. According to the Cybersecurity and Infrastructure Assurance Agency (CISA): “Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”

    These cyber attacks against U.S. companies and organizations result in shutdown of critical infrastructure, which can create shortages, increased cost of goods/services, financial loss due to shutdown of operations, and loss of money due to having to pay the ransom to the hackers, and worse.

    Ransomware costs include ransom payouts, damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks.

    Source: Cybersecurity Ventures

    For example, the DarkSide hacker gang is an organized group of hackers set up along the “ransomware as a service” business model, meaning they develop and market ransomware hacking tools, and sell them to other cyber criminals who then carry out cyber attacks. Additionally, DarkSide steals private data and threaten to make it public unless the victim pays a large sum of money — typically in the range of $200,000 to $2 million, according to CNBC. The FBI has determined that DarkSide was behind the devastating Colonial Pipeline ransomware cyber attack which targeted the company’s billing system and internal business network. Subsequently, the company reportedly paid out $4.4 million dollars in bitcoin. Fortunately, US law enforcement was able to recover much of the $4.4 million ransom payment.

    Human element

    “Ransomware is expected to attack a business every 11 seconds by the end of 2021.” Steve Morgan, Editor-in-Chief, Cybersecurity Ventures

    Ransomware still uses social engineering as its main infection vector,” says KnowBe4’s Sjouwerman. “Some 91% of cyberattacks begin with a “spear phishing” email, according to research from security software firm Trend Micro.

    Spear phishing is an increasingly common form of phishing that makes use of information about a target to make attacks more specific,sophisticated and “personal”. These attacks may, for instance, refer to their targets by their specific name or job position, instead of using generic titles like in broader phishing campaigns.

    According to research firm Cybersecurity Ventures, ransomware damages will reach $20 billion this year, up more than 100% from 2018 and 57 times higher than in 2015.

    As cyber attacks and ransomware continues to grow in frequency and severity, it’s essential that individuals receive security awareness training that specializes in making sure they understand the mechanisms of spam, phishing, spear phishing, malware, ransomware and social engineering and apply this knowledge in their day-to-day online activities.

    Additionally, it’s imperative that organizations employ an endpoint detection and response (EDR) tool which can provide the visibility and cyber protection that organizations need.

    References:

    1. https://www.cnbc.com/2021/05/27/cybereason-ceo-was-in-israel-bomb-shelter-telling-world-about-darkside.html
    2. https://blog.knowbe4.com/bid/252429/91-of-cyberattacks-begin-with-spear-phishing-email
    3. https://illinois.touro.edu/news/the-10-biggest-ransomware-attacks-of-2021.php
    4. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/
    5. https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/

    Cybersecurity Awareness Month Safety Tips 

    Posted on by

    Each and every one of us needs to do our part to make sure that our online lives are kept safe and secure.

    Cybersecurity Awareness Month is a government and private sector partnership that raises awareness about cybersecurity and stresses the collective effort required to stop cyber crimes, online thefts, and scams.

    Malicious cyber activity threatens the public’s safety and America’s national and economic security. Taking the right security measures and being alert and aware when connected are key ways to prevent cyber intrusions and crimes.

    It’s important to understand the more common cyber crimes and risks online, which include:

    • Business e-mail compromise (BEC) scams exploit the fact that so many of us rely on e-mail to conduct business—both personal and professional—and it’s one of the most financially damaging online crimes.
    • Identity theft happens when someone steals your personal information, like your Social Security number, and uses it to commit theft or fraud.
    • Ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.
    • Spoofing and phishing are schemes aimed at tricking you into providing sensitive information to scammers.
    • Online predators are a growing threat to young people.

    The FBI is the lead federal agency for investigating cyber crimes and intrusions. They recommend that you should follow the cyber safety tips below to help protect yourself and your family:

    Cyber Safety Tips 

    • Keep software systems up to date and use a good anti-virus program.
    • Examine the email address and URLs in all correspondence. Scammers often mimic a legitimate site or email address by using a slight variation in spelling.
    • If an unsolicited text message, email, or phone call asks you to update, check, or verify your account information, do not follow the link provided in the message itself or call the phone numbers provided in the message. Go to the company’s website to log into your account or call the phone number listed on the official website to see if something does in fact need your attention.
    • Do not open any attachments unless you are expecting the file, document, or invoice and have verified the sender’s email address.
    • Scrutinize all electronic requests for a payment or transfer of funds.
    • Be extra suspicious of any message that urges immediate action.
    • Confirm requests for wire transfers or payment in person or over the phone as part of a two-factor authentication process. Do not verify these requests using the phone number listed in the request for payment.

    Only together can we achieve safety, security, and confidence in a digitally connected world.

    References:

    1. https://www.fbi.gov/investigate/cyber/national-cybersecurity-awareness-month
    2. https://www.fbi.gov/investigate/cyber

    Avoid These 3 Cybersecurity Mistakes

    Posted on by

    CISA warns of risky behaviours that leave networks exposed to cyberattacks

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA), which leads the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure, warns that “”exceptionally risky” [cyber] behaviors that can put critical infrastructure at extra risk of falling victim to cyberattacks”.

    The three cyber security mistakes and behaviors to avoid are:

    1. Using unsupported software,
    2. Allowing the use of default usernames and passwords, and
    3. Using single-factor authentication for remote or administrative access to systems

    According to CISA, these are all dangerous behaviors when it comes to cybersecurity and should be avoided by all organizations.

    Using multi-factor authentication can help disrupt over 99% of cyberattacks. Microsoft

    Use of single-factor authentication – where users only need to enter a username and password – was recently added to the list of risky behaviors. CISA warned that single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure “is dangerous and significantly elevates risk to national security”.

    Microsoft says that users who enable multi-factor authentication (MFA) for their accounts will end up blocking 99.9% of automated attacks.

    Change default passwords as soon as possible, and use a sufficiently strong and unique password. CISA

    CISA describes that using fixed or default passwords as “dangerous” and should be avoided at all cost. Default or simple passwords are good for cyber criminals because there’s a much higher chance of them being able to simply guess passwords to compromise accounts.

    CISA also warns against the use of passwords that are known to have been breached previously, as that means they also provide cyber criminals with a simple means of gaining access to networks.

    One in three breaches are caused by unpatched vulnerabilities. ZDNet

    Finally, CISA warns that the use of unsupported or end-of-life software in critical infrastructure. By using software or operating systems that no longer receive security patches or updates, there’s the risk that cyber criminals could exploit newly discovered security vulnerabilities that emerge because old software often doesn’t receive security patches.

    The 2017 WannaCry ransomware attack stands a shining example of what can go wrong when patches aren’t applied. While a patch for the vulnerability exploited by the ransomware had existed for several months, many organizations failed to install the it.

    Takeaway

    Reducing your organization’s cyber risks requires a holistic approach. CISA

    Avoiding the use of single-factor authentication, default passwords and unsupported software will also help protect you and others from falling victim to cyberattacks.

    To reduce risks, here are three cyber security actions that organizations should do first:

    • Backup Data – Employ a backup solution that automatically and continuously backs up critical data and system configurations.
    • Multi-factor Authentication – Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative and remote access users.
    • Security Patch and Update Management – Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.

    References:

    1. https://www.zdnet.com/article/dont-want-to-get-hacked-then-avoid-these-three-exceptionally-dangerous-cybersecurity-mistakes/
    2. https://www.zdnet.com/article/microsoft-using-multi-factor-authentication-blocks-99-9-of-account-hacks/
    3. https://us-cert.cisa.gov/ncas/alerts/TA13-175A
    4. https://www.cisa.gov/sites/default/files/publications/Cyber%20Essentials%20Starter%20Kit_03.12.2021_508_0.pdf

    Avoiding Investment Fraud

    Posted on by

    Financially savvy and experienced investors, along with inexperienced investors, fall prey to investment fraud frequently.

    Researchers have found that investment fraudsters hit their targets with an array of persuasion social engineering techniques that are tailored to the victim’s psychological profile.

    Here are several “red flags” to look for:

    • If it sounds too good to be true, it is. Any investment opportunity that claims you’ll receive substantially more could be highly risky – and that means you might lose money. Be careful of claims that an investment will make “incredible gains,” is a “breakout stock pick” or has “huge upside and almost no risk!” Claims like these are hallmarks of extreme risk or outright fraud.
    • “Guaranteed returns” aren’t. Every investment carries some degree of risk, which is reflected in the rate of return you can expect to receive. If your money is perfectly safe, you’ll most likely get a low return. High returns entail high risks, possibly including a total loss on the investments. Most fraudsters spend a lot of time trying to convince investors that extremely high returns are “guaranteed” or “can’t miss.” They try to plant an image in your head of what your life will be like when you are rich. Don’t believe it.
    • Beware the “halo” effect. Investors can be blinded by a “halo” effect when a con artist comes across as likeable or trustworthy. Credibility can be faked. Check out actual qualifications.
    • “Everyone is buying it.” Watch out for pitches that stress how “everyone is investing in this, so you should, too.” Think about whether you are interested in the product. If a sales presentation focuses on how many others have bought the product, this could be a red flag.
    • Pressure to send money RIGHT NOW. Scam artists often tell their victims that this is a once-in-a-lifetime offer and it will be gone tomorrow. But resist the pressure to invest quickly and take the time you need to investigate before sending money.
    • Reciprocity. Fraudsters often try to lure investors through free investment seminars, figuring if they do a small favor for you, such as supplying a free lunch, you will do a big favor for them and invest in their product. There is never a reason to make a quick decision on an investment. If you attend a free lunch, take the material home and research both the investment and the individual selling it before you invest. Always make sure the product is right for you and that you understand what you are buying and all the associated fees.

    What You Can Do to Avoid Investment Fraud

    • Ask questions. Fraudsters are counting on you not to investigate before you invest. Fend them off by doing your own digging. It’s not enough to ask for more information or for references – fraudsters have no incentive to set you straight. Take the time to do your own independent research.
    • Research before you invest. Unsolicited emails, message board postings, and company news releases should never be used as the sole basis for your investment decisions. Understand a company’s business and its products or services before investing. Look for the company’s financial statements by searching SEC’s EDGAR filing system.
    • Know the salesperson. Spend some time checking out the person touting the investment before you invest – even if you already know the person socially. Always find out whether the securities salespeople who contact you are licensed to sell securities in your state and whether they or their firms have had run-ins with regulators or other investors. You can check out the disciplinary history of brokers and advisers for free using the SEC’s and FINRA’s online databases.
    • Be wary of unsolicited offers.Be especially careful if you receive an unsolicited pitch to invest in a company, or see it praised online, but can’t find current financial information about it from independent sources. It could be a “pump and dump” scheme. Be wary if someone recommends foreign or “off-shore” investments. If something goes wrong, it’s harder to find out what happened and to locate money sent abroad.
    • Protect yourself online. Online and social marketing sites offer a wealth of opportunity for fraudsters. For tips on how to protect yourself online see Protect Your Social Media Accounts.

    You should strive to become an educated investor and to know what to look for. Make yourself knowledgeable about different types of scams and red flags that may signal investment fraud.

    References:

    1. https://www.investor.gov/protect-your-investments/fraud/how-avoid-fraud/what-you-can-do-avoid-investment-fraud
    2. https://www.investor.gov/protect-your-investments/fraud/how-avoid-fraud/protect-your-social-media-accounts

    Ransomware Attacks and Cyber Scams Surge in 2020

    Posted on by

    Ransomware attacks surged 300% in calendar year 2020, according to Chainalysis. And in 2020, $406.3 million was paid out in cryptocurrency ransoms, 337% more than the previous year. This calendar year’s ransom payments are on pace to pass seven figures.

    The attacks have crippled supply chains and critical infrastructure by holding digital information hostage.

    • Colonial Pipeline, one of the largest fuel pipelines in the US, was forced offline for six days in May.
    • An Iowa grain co-op was hit by a cyberattack, and hackers demanded $5.9 million to unlock the organization’s data.

    Ransomware is something that government agencies are extremely focused on these days. They’re viewing it on par with terrorist financing attacks. The victims of ransomware attacks are mostly big businesses, where more sophisticated attack appear to be sanctioned by foreign governments such as Russia, China, North Korea or Iran.

    However, big business are not the only victims of cybercriminals. Nearly 7,000 individual investors lost a collective $80 million to cryptocurrency scams from October 2020 to March 2021, according to the Federal Trade Commission.

    Currently, the biggest type of cybercriminal activity in terms of volume is scamming: your investment scam, your Ponzi scheme, or just a phishing attack. Retail investors are oftentimes more vulnerable to being taken advantage of by scammers. But these scams impact the government as well, because the SEC is chartered to make sure they’re protecting consumers.

    The bottomline is that “illicit activity on the blockchain is heating up, from minor scams to elaborate ransomware attacks”, explained Kimberly Grauer, director of research at Chainalysis.

    The majority of cryptocurrency activity is legal according to the U.S. Treasury Department. But, cryptocurrency can be exploited by cybercriminals and leveraged for ransomware attacks. Crypto’s decentralized nature can make it more difficult to track down hackers.

    The SEC’s Office of Investor Education and Advocacy issues periodic Investor Alerts to help investors identify signs that what is offered as an investment may actually be a scam or fraud. They urge investors to be on high alert in order to protect themselves and others from becoming victims of investment cyber fraud.

    The key to avoiding investment fraud and scams is to be an educated investor. Below are five tips from the SEC website investor.gov to help you avoid investment fraud:

    1. Be Wary of Unsolicited Offers to Invest – Cybercriminals look for victims on social media sites, chat rooms, and bulletin boards. If you see a new post on your wall, a tweet mentioning you, a direct message, an e-mail, or any other unsolicited – meaning you didn’t ask for it and don’t know the sender – communication regarding a so-called investment opportunity, you should exercise extreme caution.
    2. Look out for Common “Red Flags” – Wherever you come across a recommendation for an investment – be it on the Internet or from a personal friend (or both), “red flags” such as (a) It sounds too good to be true since any investment that sounds too good to be true probably is; (b) The promise of “guaranteed” returns since every investment entails some level of risk, which is reflected in the rate of return you can expect to receive; and (c) Pressure to buy RIGHT NOW because should not be pressured or rushed into buying an investment before you have a chance to research the “opportunity.”
    3. Look out for “Affinity Fraud” – Never make an investment based solely on the recommendation of a member of an organization or group to which you belong, especially if the pitch is made online. An investment pitch made through an online group of which you are a member, or on a chat room or bulletin board catered to an interest you have, may be an affinity fraud. Affinity fraud refers to investment scams that prey upon members of identifiable groups, such as religious or ethnic communities, the elderly, or professional groups. Even if you do know the person making the investment offer, be sure to check out everything – no matter how trustworthy the person seems who brings the investment opportunity to your attention (think Bernie Madoff). Be aware that the person telling you about the investment may have been fooled into believing that the investment is legitimate when it is not.
    4. Be Thoughtful About Privacy and Security Settings – Investors who use social media websites as a tool for investing should be mindful of the various features on these websites in order to protect their privacy and help avoid fraud. Understand that unless you guard personal information, it may become available for anyone with access to the Internet – including cybercriminals.
    5. Ask Questions and Check Out Everything – Be skeptical and research every aspect of an offer before making a decision. Investigate the investment thoroughly and check the truth of every statement you are told about the investment. Never rely on a testimonial or take a promoter’s word at face value. You can check out many investments using the SEC’s EDGAR filing system or your state’s securities regulator.

    Investors on the Internet and social media should always be on the lookout for cyber scams and fraud. If you have a question or concern about an investment, or you think you have encountered fraud, you should contact the SEC or FINRA,

    References:

    1. https://www.morningbrew.com/daily/stories/2021/08/23/blockchain-expert-fights-crypto-crime
    2. https://www.sec.gov/oiea/investor-alerts-bulletins/ia_5redflags.html
    3. https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-alerts/updated-11
    4. https://www.sec.gov/oiea/investor-alerts-and-bulletins/investment-scam-complaints-rise-investor-alert