Tips to Keep in Mind for Recent Attacks
- One Ring Phone Scam - Almost everyone has missed a call and called the number back to make sure they did not miss anything important. This new scam takes advantage of that curiosity and exposes callers to fees they would never expect. The scam works by calling people but letting the phone ring only once before hanging up. When people return the call, wondering if they missed something important, they are connected to an "adult entertainment" service that immediately accrues charges on their bill that they did not expect or accept. According to a recent article by NBC News, the area codes used in this scam so far include the following: 268, 284, 473, 809, and 876. If you receive an incoming call like this, the best thing you can do is ignore it and be sure not to return the call. NOTE: This scam can affect anyone with a phone.
- Cryptolocker - A ransomware infection spreading via spoofed email accounts pretending to originate from legitimate businesses like FedEx and UPS. This attack encrypts the infected user's files, denying them access to their own files unless they pay a "data ransom fee" to regain access. Use extra caution with emails from FedEx and UPS, keeping in mind this list could grow at any time, and follow the general email cautions listed below as well. For more information on this attack, read the article posted on US-CERT's website. Note: This scam affects users with devices running Windows 8, 7, Vista, and XP operating systems.
Protect yourself from phone attacks:
- Use caution giving out private information - no matter who the person on the phone claims to be or who they say they are calling on behalf of, do not take their claims for granted. Unless you call the company directly, or verify that the calling number belongs to the company (which gets harder the bigger the business is), it can be hard to be sure the caller is truly who they say they are. Remember, even if you sent an email or signed up for an account and expect a call, if your device is compromised, someone else could have captured this data in an attempt to use it against you.
- Be careful giving out passwords - there is almost no reason a company you do business with should ask you for your password. Even if you trust the company, use extreme caution giving out your password to anyone over the phone. Almost every company you have an account with has some sort of support access to your account that shows limited information so they can provide assistance to you. Giving up your password gives full access to your account. If the caller insists you give your password, try calling the company back to speak with someone else first, or log into your account as soon as you get off the phone to change your password.
- Question everything about anyone calling who uses urgency, threats, or fear - no matter what the person on the phone says to you, no matter what they already know about you, thoroughly question everything they say before answering any questions or revealing information to them. People trying to gain access to your private information will use "social engineering" to gather whatever data they can from you before you think to question them. Social engineering involves manipulating a social situation to gather information people would otherwise not reveal to someone. A person calling with urgency and insisting you verify a credit card, an account, or a password to "protect you from fraud" or "verify there has not been unauthorized access to your account" is likely using social engineering. Whatever information the person is looking to get out of you, they will use scare tactics like "if you do not give me the information this $4,000 charge will go on your credit card", or "if you do not help me I cannot protect your account from fraud" in an effort to pressure you into revealing information before thinking through what is actually happening. Odds are these callers already have access to some of your data and know enough to appear credible at first. A caller who knows a family member is at the hospital and claims something has happened to them would cause alarm in almost anyone. While something could happen to your family member during a routine appointment, a hospital representative would not call you asking for a credit card. If you remember anything, remember that you have the right to ask as many questions as it takes for you to feel comfortable or to be convinced the caller is a fraud. Do not let them use urgency, threats, or fear to impair your judgement or make you give away information you would not normally give.
Protect yourself from email attacks:
- Do not open emails from senders you do not know - almost everyone has heard this before, but as time goes on it gets easy to forget. This is the equivalent of distracted driving. New drivers and drivers who recently had an accident are extremely careful to obey all driving laws, but as time without an accident goes on, it is human nature to begin pushing the limits. Eventually, if they are not careful enough, this might lead to an accident, just as opening emails from unknown senders opens your device up to attacks.
- Do not click links or download attachments in emails sent from unknown senders - clicking links can wreak many kinds of havoc on your device. Someone trying to get access to your information might send you a link that redirects you to another site that looks like a legitimate site you do business with to steal your user ID and password along the way. These attacks are called "man in the middle attacks" as they forward your data packets to the intended destination only after capturing a copy of your data along the way to and from your intended destination. Other attacks use "keyloggers" which log every keystroke you make in an attempt to gain user IDs and passwords for multiple accounts as well as other personal data and contacts. Attacks of this nature can be extremely harmful.
- Do not be fooled by the Subject line - No matter what the subject line is, do not open the email unless you would have opened it no matter what the subject line said. Often we are tricked into action by the use of threats, fear, or even our own curiosity. Keep in mind, if the information is important, the sender will contact you in another way. For instance, if it appears to be from your bank and claims you need to change your password, call the bank directly to verify your account is intact and ask whether they sent the email. If there is a serious issue with your account, your bank will likely send you information in the postal mail.
- Visit well known and trusted websites - visiting websites you already have established as safe, or following links from sites you trust, is a safe way to visit websites. When using search, checking that the domain of a result is appropriate to your search before following the link will also help protect your devices. Beware of clicking on links to other website domains from sites you do not know. When you can, use your anti-virus software to protect your online activity and verify the safety of links.
- Make sure websites you enter information into encrypt your information - verify the website address in the URL bar at the top of most browsers begins with https:// (the s stands for secure) so you know your information is being encrypted before being sent.
- Limit the information you put into online forms - be careful what information you input into online forms. Entering private information into websites you do not trust can put your information at risk so use caution when doing so.
- Use caution downloading programs from the Internet - be sure to download programs from reputable companies and make sure you pay attention to all the prompts when downloading programs. Many companies offering free downloads will try to get you to download additional software you did not set out to install. For more information, check out our blog "Safely Downloading Software - Clicking Next Next Next can Surprise You".