Archives For fraud

This Week’s Lesson on Good Security

Physical and digital security aren’t that far apart in principle. This week’s attacks on NY and NJ are another reminder that we need better security.  We’re getting hit on all sides. Governments are infiltrating our data, aggregators are profiling us far beyond any security check point or law enforcement group. And terrorists are hitting us in the streets.

Security is not a political question, it’s a science. Protection, detection, response: three parts of a well-defined system that work when properly sequenced and timed. On the data side, as I shared with the Allinal Event attendees this week in San Antonio, Texas, IT groups have been lulled into unnecessary product purchases, chasing meaningless compliance regulations (not that all of them are meaningless), and putting their faith in technology to keep out the perpetrator.

This morning’s Wall Street Journal offers a sobering insight from someone who’s experienced terrorism overseas as part of their daily life. Bret Stephens writes,

“What’s the lesson here for Americans? This past weekend’s terrorist attacks hold at least two. One is that there is a benefit for a society that allows competent and responsible adults to carry guns, like the off-duty police officer who shot the knife-wielding jihadist in St. Cloud, Minn. Another is that there is an equal benefit in the surveillance methods that allowed police in New York and New Jersey to swiftly identify and arrest Mr. Rahimi before his bombing spree took any lives.”

A change is needed in our mindsets on security. Security isn’t compliance or politics, it’s life. In the digital world our intellectual capital is being taken every day, bank accounts drained by fraudulent transfers, and businesses crippled by ransomware. On the streets, the expectation is that the police will be there just before the bomb goes off; on the network, we expect firewalls and antivirus software to stop every attack in its tracks…but they won’t.

Great security means being able to detect that something is wrong before it’s too late, and having a well-rehearsed, timed response plan that can stop it before damage is done. New laws and efforts to keep the bad guys out never work.

© 2016, David Stelzl

P.S. If you’ve not yet read Digital Money, The Smart Business Leader’s Guide to Stopping Hackers – it’s on Amazon right now!


What’s the Likelihood I’ll be Hacked Over the Next 12 Months?

That’s the question every business leader should be asking.

The answer – it’s likely.  Over the past week two of my kids have been hit by fraudsters. Neither ended up paying, but both were initially confused. Had it not been for the constant security awareness training that happens in our home, they might have paid the bill.

It could have been malware, but in this case it was a pop-up. “Call Our Support Desk Now! You’ve been infected by malware,” the message read. My 20-year-old son had one on his iPad; my 21-year-old daughter had one on her company laptop. Both came from inadvertently clicking on a pop-up ad. In my daughter’s case, she did call the number to see what was up (her system was completely frozen at this point). The technician on the line wanted to access her system, which is no longer on any Apple support contract. For $250 he promised to set her up on an annual support agreement and remove the malware on her system.

At that point she called me in to talk with him. First I asked him how he knew we had malware on this system. He reported that he had received a message from our system telling him. I probed further to understand what he was planning to do to fix our computer. His explanations were technical but vague. I asked him about malware, bots, and signs of intrusion. He wouldn’t tell me specifically what the problem was. So then I started asking about remediation steps. Was this a scan, patch, firmware upgrade, etc.? He couldn’t explain. It was clear he didn’t know what he was talking about, but he was adamant that we needed a solution. Finally I said, “How do I know you work for Apple?” He explained that his firm, BTS, was contracted by Apple for this type of support. I took down his number, thanked him, and called Apple. He was a fraudster.

In my son’s case, he simply called Apple support directly, ignoring the phone number on the screen. It too was fraudulent. Apple gave us the right tools to scan both systems to clear them of any adware or malware. And, using Apple’s chat software, the entire process was free.

Your Clients Don’t Know Any Better

The problem is, your clients don’t know any better. What are the chances they would call and pay?  They’re working hard, trying to get through their day, and suddenly a message pops up, and like my son’s tablet, the system is locked. Apple walked my son through a hard-reset to get back to functionality. How many of your clients would simply call the number and pay the support fee?  Sure, if they work for IT, they’re probably savvy enough to do the right thing. But what about the countless office workers, especially those working in small businesses without dedicated IT support people?

Fortunately, in our case it was a simple hard-reset. It could have been ransomware, malware installed through a support link, or some destructive virus. The point is, your clients are highly likely to be hit with some sort of fraud scheme, malware, or ransomware in the near future. If all you provide is basic managed services, or possibly firewall support, these attacks will continue, and your client is likely to pay for it. Educating them on this is the first step. But then, every one of your clients really does need someone to monitor, detect, and respond to these types of problems. They will only get worse over time.

© 2015, David Stelzl

The thieves go back to social engineering… If you work with financial institutions or small business owners, you should be up to date on some of the recent social engineering attacks made against financial planners. You can read more details in the recent USA Today article, “Cybercrooks fool financial advisers to steal from clients.”

Sound Bites:

1. Criminals are using e-mail to con financial advisers into wiring cash out of their clients’ online investment accounts – this money is then  transferred to an account controlled by the crook.

2. The victims are found and profiled using social media.  Since “investors now routinely rely on e-mail to authorize personal advisers to execute financial transactions”, this scam is pretty easy to pull off – many of your clients still don’t believe email is insecure.

3. “Instead of managing layers of malicious software, all the bad guys need is e-mail and phone skills.”

4. “This new scam is the latest strain of a long-running crime wave that preys mainly on small and midsize organizations.”

What to do with this information:

This kind of information makes for a great briefing. Providing helpful, current security information to small business owners is just one more reason to talk. You might also be planning an event in the fall (you should start, if you were not planning to); this would be one more reason to have them attend: to learn this and more about how to keep their data and personal assets safe.


SMB Sound bites

March 11, 2010

While working with Kaspersky Marketing today in Boston, I came across this list of sound bites. You can read the entire article in USA Today. This may help move some of the business owners you are working with to a realization that their small companies actually are targets – it’s not just the big banks who are at risk. These may also work for those of you who are calling on regional banks – notice the impact on business (last bullet)… apparently the banks are not as secure as they lead us to believe. (These come straight from the USA Today article posted in today’s paper.)

  • 55% of businesses reported experiencing fraud in the last 12 months, with 58% enabled by online banking activities.
  • 80% of banks failed to catch fraud before funds were transferred out of their institution.
  • In 87% of fraud attacks, the bank was unable to fully recover assets.
  • 57% of the respondents that experienced a fraud attack were not fully compensated by their banks.
  • 26% were not compensated for any part of their losses.
  • 40% of defrauded businesses moved their banking activities elsewhere.

Note: when the paper says SMB – it is often referring to what many resellers consider mid-size, on down to the very small S-Corp type company.

© David Stelzl 2010