Tag: cybersecurity awareness month

27 Oct 2022
Social Engineering Scams - It Could Happen to You

Social Engineering Scams – It Could Happen to You!

Social Engineering Scams - It Could Happen to You

Many of us have heard the story about the fake printer repair person who shows up at the office to fix an issue with the intent to gain access to a secure area and collect confidential information. In reality, these things don’t really happen, right? At least not to small businesses or individuals…maybe this happened once to a large corporation and received a lot of press? This level of social engineering doesn’t really happen to someone like me, or does it?

Here’s What Happened to Me

My personal story involves a person visiting my house, a letter in the mail “from the government”, and a friend request on a popular social media platform from someone I knew 20 years ago. Each incident seemed innocent enough at the time, and on its own, did not raise any red flags. But as the events unfolded, I recognized a few mistakes that were made and realized that this was a coordinated effort and a scam!

It started with my doorbell ringing and my six-year-old yelling “Dad, someone’s at the door.” I answered the door to a well-dressed, very professional, middle-aged female with a smile and a government-issued badge around her neck. She promptly showed me the badge and explained she was there to ensure I had received a survey from the Department of Health and Human Services (DHHS). She explained it was important that I fill out the survey to provide the data needed for them to make decisions to properly serve their constituents.

I conduct many surveys at Safe Systems, so I empathized with her need for information and the effort it requires to get people to fill out surveys. I informed her that I had not received the survey she was inquiring about. She then handed me a sample copy of the survey and said that my actual form would have a randomly generated code to help them track when each family had filled out the survey. Even though the survey was anonymous, they used the code to track completion. When I stated again that I had not received the survey, she politely asked me to keep an eye out for it. She said she would check back next week to confirm I had received it. She complimented me on my house and walked away. Although I found the personal stop at my house odd, I didn’t notice any red flags at first. I simply thought this was similar to how they knock on doors for the census every 10 years.

Two days later, when checking the mail, I found a letter addressed to my wife and me. When I opened it, it included a survey that looked like the sample the lady had shown me a few days earlier, but this survey also had the randomly generated code that she told me about. I was still a little suspicious but planned on doing some research online to see if everything checked out.

A few days later, I received a friend invite on Facebook from someone I had not spoken to in 20 years. I’m not a big social media person but I do have a few accounts to keep up with different family affairs. Once I accepted the invite, this person started asking me about life and family. He didn’t ask anything personal, just general questions about how everyone is doing, jobs, etc. He seemed chattier than I remember him from 20 years ago, but we all change over time. I was cordial with my responses but not overly responsive. Over a few days, I got several short messages from him, then I get hit with this question, “have you filled out the DHHS survey?” He said he had seen my name on a list of people who had not completed it, and since he knew me, he thought he would reach out. RED FLAG!

The last I knew he didn’t work for the DHHS so how would he see my name on a DHHS survey list? And how could he be sure I was the same guy he knew 20 years ago living in a different town? Everyone who knows me, knows I go by my nickname. Very few people know my official birth certificate name, which is what was used on the DHHS survey. So, the odds of my name jumping off the page at him is unlikely. RED FLAG! I was curious about where this was going so, I continued the conversation, but guardedly. I admitted I had the survey but had not had a chance to fill it out yet.

Not wanting to let on that I was suspicious of him and the survey, I lied and said I would get around to it at some point. His response was the clincher for me that this was a scam. He said, “Great, just don’t want you to miss out on all the money I got from doing it.” Suddenly, there is money involved with filling out this survey which had not been mentioned anywhere. BIG RED FLAG! Also, it is very unlikely that someone filling out the survey would see a list of others who had received it, especially if it was supposed to be anonymous. RED FLAG!

I decided at this point, I wanted to know how far they would take this scam. I started chatting with him about some trip we went on years ago and how great it would be to do it again (but the truth was we never went on any trip). I never heard from him again, and his Facebook account was deleted and removed 2 days later.

It is important to discuss his Facebook page, as it not only had pictures of him and his family but also indicated that we had a single “mutual friend.” This was meant to convince me of his authenticity but should have also raised a RED FLAG considering how much overlap there was in the people we knew. Apparently, someone had stolen the pictures from his Facebook page and created a new account. I later recalled I was already friends with him on Facebook and compared his actual page to what I had seen on the fake account. They were identical if you just looked at the profile picture and the last post or two. There was almost no history on the fake account, but I had not paid attention to this RED FLAG at the time.

Social Engineering Can Happen to Anyone

In the grand scheme of things, I’m your average American stereotype. I live in a small neighborhood in suburbia with a minimal presence on the internet. Why would anyone have any interest in me? Yet, with no reason to target me, someone came to my house, mailed me a letter, set up a fake profile of someone I knew 20 years ago, and created an elaborate scheme to get me to fill out a survey that asked for personal information.

The moral of the story is if it can happen to me, it can happen to you, your family, and your business! Don’t assume these things only happen to others or large corporations. Social engineering schemes are very real, and they can work if you don’t have your guard up!

As we reach the end of Cybersecurity Awareness Month 2022, I thought this would be an appropriate story to share. As you can see from my story, social engineering can be very elaborate and can use means that are outside of the internet to deceive you into providing access to confidential or personal information and/or your computer systems. So, awareness is key. In the spirit of this month, I hope my story serves as a reminder to talk to your employees and customers about recognizing red flags and staying safe online.

25 Oct 2022
Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Tips from Cybersecurity Awareness Month 2022

Cybersecurity Awareness Month 2022 is reminding individuals and organizations that there are a variety of ways to protect their data—and practicing the basics of cybersecurity can make a huge difference. This year’s campaign centers around an overarching theme that promotes self-empowerment: See Yourself in Cyber. The initiative’s co-leaders, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA), are encouraging people to focus on four key behaviors:

  • Enabling multi-factor authentication (MFA) — Often called two-step verification, MFA is an effective security measure because it requires anyone logging into an account to verify their identity in multiple ways. Typically, it asks the individual to enter their username and password and then prove who they are through some other means, such as providing their fingerprint or responding to a text message.
  • Using strong passwords and a password manager — All passwords should be created so that they are long (consisting of at least 12 characters), complex (including a combination of upper case letters, lower case letters, numbers, and special characters), and unique. This approach should be implemented with all accounts. Because we do more online today, it is possible to have hundreds of passwords to manage. And, if your passwords are long, unique, and complex as they should be, it can be impossible to remember and track them all. Using a secure and encrypted password manager is not only safer than using a physical notebook or a notes app to store your passwords, but it can also provide benefits such as alerting you of potential compromises and auto-generating new hyper-strong passwords that are stored along with the others.

A quality password manager should encrypt all passwords, require multi-factor authentication on your password vault, and not store the keys needed to decrypt the main password that unlocks your vault.

  • Updating software — Updates resolve general software issues and provide new security patches where criminals might get in and cause problems. You should update software often, obtain the patch from a known trusted source, and make the updates automatic if available.
  • Recognizing and reporting phishing — With the right training, you and your employees can learn to identify phishing, a scheme where criminals use fake emails, social media posts, or direct messages to trick unwitting victims to click on a bad link or download a malicious attachment. The signs can be subtle, but once suspect a phishing scam, you should report it immediately, and the sender’s address should be blocked.

Cybersecurity Resources

Cybersecurity Awareness Month is dedicated to providing resources to help individuals and organizations stay safe online. Businesses that need additional resources to address their specific needs can partner with an external cybersecurity expert. For example, Safe Systems offers a wide variety of compliance, technology, and security solutions to help community banks and credit unions safeguard their data.

Some of our cybersecurity products and services include:

  • Cybersecurity RADAR™: A web-based application combined with a team of compliance experts to help you assess your cybersecurity risk and maturity, using the standards set by the FFIEC’s Cybersecurity Assessment Tool (CAT) or the NCUA’s Automated Cybersecurity Examination Tool (ACET).
  • Information Security Program: A solution that allows you to build a customized, interactive, and FFIEC-compliant Information Security Program, complete with notifications, reporting, collaboration, approval processes, and regulatory updates.
  • NetInsight®: A cyber risk reporting solution that runs independently of your existing network and security tools to provide “insight” into information technology and information security KPIs and controls.
  • Layered Security: Build a basic layered approach including a perimeter firewall with content filtering, email threat filters, an endpoint malware solution, and a robust patch management process, or add more sophisticated layers depending on your security needs.

In addition, we continue to provide access to trusted information related to technology trends, regulatory updates, and security best practices on our Resource Center. Our latest white paper focuses on the leading security risk to businesses today, ransomware. Download a copy of “The Changing Traits, Tactics, and Trends of Ransomware” to discover how to better position your institution to prevent and recover from a ransomware attack.