Tips to detect and protect yourself from phishing

Gregg Nelson April 25, 2012

Doesn't this email look legitimate? Well, don't take the bait.

I recently read about a new phishing campaign posing as Verizon, and ironically enough, I opened my inbox to find this notice (keep in mind, I am not a Verizon customer).

Notice how even though I am not a Verizon customer, I owe $964.02. That’s my first clue this is a phishing campaign. It would, however, be a little harder to detect if I were a Verizon customer.


Isn’t it amazing that this email really does look legitimate? There are links to view and pay my bill, enroll in auto pay, and it links back to Verizon. The email looks similar to emails I receive from other vendors I use and pay online.

But look at the numbers. You know how much you normally pay for a bill. Do you normally receive an electronic receipt or bill? If so, is this a huge difference in payment amount? If you answer “yes,” that is your first clue something “phishy” is going on here. If you don’t normally receive electronic bills and you have not enrolled in online payment, this email is a huge red flag.

Another sign this email is part of a phishing campaign is that it is being sent to multiple people (I covered the email addresses as they are probably real, like mine was). Why would Verizon send my bill to a handful of other people? They wouldn’t.

Even if the email seems normal because you are a customer and receive emails like this all the time, do not click the link.

I have said this many times when discussing online attacks, but just because something is branded and you trust the company that is emailing you, keep in mind it may not be that company. If you think the email merits contacting Verizon, type in Verizon's address yourself in a new window and contact them directly through your trusted contact information to verify the claim. Never call the number or visit the site provided in the email as it could also be bogus.

These links could direct you to a landing page that looks very much like the Verizon environment, so close that you may not realize anything is different. So, enter the official Verizon address yourself, then locate your account through that.

Do not ever enter personal information into a landing page that comes from an unknown link. This gives phishers exactly what they're looking for: your personally identifiable information.
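As an added illustration, not part of the original post, here is a small Python check that turns the clues described above into code: how many people a supposedly personal bill is addressed to, whether each link's real destination is actually the vendor's domain, and how the billed amount compares with what you normally pay. The sample message, its addresses and its domain names are all constructed.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Constructed sample (not a real message) modelled on the post's clues: a bill
# far above normal, several recipients, and a "pay my bill" link whose real
# destination is not the vendor's own domain even though the brand name appears in it.
SAMPLE_EMAIL = """\
From: Verizon Wireless <billing@example-sender.test>
To: alice@example.test, bob@example.test, carol@example.test
Subject: Your bill is ready: $964.02 due
Content-Type: text/html

<html><body>
<p>Your bill of $964.02 is now available.</p>
<a href="http://verizon-billing.example.test/pay">View and pay my bill</a>
<a href="https://www.verizon.com/">Verizon Wireless</a>
</body></html>
"""

TRUSTED_DOMAIN = "verizon.com"  # the domain the vendor actually controls

def is_trusted(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain or a subdomain of it; merely containing the brand name does not count."""
    return host == trusted or host.endswith("." + trusted)

def link_hosts(html):
    """Hostnames of every href in the HTML (the real destinations, not the visible link text)."""
    return [urlparse(url).hostname or "" for url in re.findall(r'href="([^"]+)"', html)]

def phishing_indicators(raw, trusted=TRUSTED_DOMAIN, expected_amount=None):
    """Check a raw RFC 822 message against the post's clues; returns a list of findings."""
    msg = message_from_string(raw, policy=default)
    findings = []
    recipients = [a for f in ("To", "Cc") if msg[f] is not None for a in msg[f].addresses]
    if len(recipients) > 1:  # a personal bill is not sent to a handful of other people
        findings.append(f"bill addressed to {len(recipients)} recipients")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    untrusted = sorted({h for h in link_hosts(body) if not is_trusted(h, trusted)})
    if untrusted:
        findings.append("links leave the vendor's domain: " + ", ".join(untrusted))
    amounts = [float(a) for a in re.findall(r"\$(\d+\.\d{2})", msg["Subject"] + body)]
    if expected_amount is not None and amounts and max(amounts) > 2 * expected_amount:
        findings.append(f"amount ${max(amounts):.2f} far exceeds the usual ${expected_amount:.2f}")
    return findings

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, expected_amount=85.00):
        print("clue:", finding)
```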


Be wise professionally via LinkedIn: four steps

Gregg Nelson February 28, 2012

I recently read an article that the Securities and Exchange Commission (SEC) charged an Illinois-based investment adviser with offering to sell fictitious securities on LinkedIn. The SEC issued two alerts in an agency-wide effort to highlight the risks investors and advisory firms face when using social media.

The SEC’s Division of Enforcement alleges that Anthony Fields offered more than $500 billion in fictitious securities through various social media websites. He used LinkedIn discussions to promote fictitious “bank guarantees” and “medium-term notes.”

The SEC provided this .pdf with items to keep in mind while using social media accounts.

The entire .pdf is a great resource, and while it is targeted towards investors and advisory firms, I believe the tips can apply to any organization. Here are a few items I want to highlight:

1. Be sure to check your account’s privacy settings. All your social media accounts have different default privacy settings. I know in Facebook, you can monitor who is able to view your wall posts and even select “friends” to disable them from viewing specific photos or posts you do not want them to see. Make sure you go through your settings and are comfortable with their security level.

2. Pick and choose biographical visibility. Even though you need to fill out specific personal information to create an account, you can set your account so that the information is not visible to your community. Whether it be your birthday, email address or your phone number, make sure you understand which information you have submitted is open for public viewing.

Additional information from my perspective:


3. Make sure you set your account so that you have to approve who you connect with on your sites. While it may seem bothersome to go through and approve everyone individually, it will only benefit you in the long run. When you approve everyone automatically, a hacker or fraudster can easily connect with you and have instant access to the information you have made public, and you also expose your contacts to fraud. Everything you say can be used against you, so be careful what you say.

4. Be careful what you say. I touched on this in #3, but I need to reiterate it: everything you say can be used against you. Whether you are struggling financially or are recently out of a job, think before you post that information. An attacker can use any sensitive information you publish to try to get more information out of you.

Learn from others, and don’t fall into these traps. Here is one example of a LinkedIn message I received that sheds light on some of the scams that are out there. I changed the sender’s name because he could himself have been a victim whose account was used to send it, but I receive messages like these several times a week.

Since I use LinkedIn often to connect professionally, I need to be extra careful not to fall into traps, because it is not only my information that is at risk but also my organization’s. I knew this was a scam because I do not know the person sending the message, and he was three degrees removed from me. I am not saying every message you receive from an unknown person is a scam, but that is a starting point for staying cautious. Then I thought it odd that all the message said was to click on a link I am not familiar with.

If you receive these messages, be wary of clicking. If you really want to click, look the person up in the search bar and send him or her a separate message asking why the link was sent to you. If the link then seems legitimate, copy and paste it into a search engine's search bar. When I did so with this link, nothing came up.

There are many others out there, so while connecting over LinkedIn with professionals in your industry whom you may not know is a great way to network, you do need to be wary and smart when connecting and acting on requests from LinkedIn senders.


What would you do?

Gregg Nelson January 23, 2012

Are you prepared to tell over 24 million customers there was a security breach at your organization?

You probably heard of the recent cyber attack on Zappos, in which over 24 million customer accounts were possibly compromised. After reading the email Zappos sent to employees and customers in response to the situation, I found a few items interesting and important to point out.
 
Zappos did a great job of making sure employees were aware of the situation and communicated exactly what they would be telling customers in response. This is important so that when customers call or email, employees know what was sent to the customer and what they should suggest the customer do to protect their information.
 
In the email to customers, I thought it was great that Zappos said account holders should change not only their Zappos password but also the password of any other account on which the same or a similar password is used.
 
Security experts agree that you should never use the same or a similar password for multiple accounts, for this very reason. If someone accesses one account, it is much easier to access your other accounts if they share the same or a similar password.
 
Furthermore, Zappos told customers that the database storing critical credit card and payment information was not affected or accessed, but items such as the customer’s name, email address, billing and shipping address, phone number and the last four digits of the credit card number may have been compromised. 
 
You may not have personally identifiable information (PII) for 24 million contacts, but it’s just as important to safeguard ten customers’ PII as it is ten million. Regardless of industry or sector, it is important for all organizations to understand what needs to be done to protect PII, and to report and respond to a breach if one occurs.
 
For one way to protect yourself, ask us about our newest PII Training course. Notifying those whose PII was compromised is vital, and failure to act can lead to many legal issues. It’s much better, however, to avoid the breach in the first place. It is important to understand your risks, how you can prevent an incident, and how you plan to respond if an issue were to occur.
 
Check out the other courses in our compliance library here.

Read the email Zappos wrote in response to the attack here.
 
The author: Gregg Nelson is the General Manager of Sales & Operations at Global Learning Systems

Use Adobe and Windows? You could be at risk

Gregg Nelson January 10, 2012

Adobe has warned of a vulnerability in Adobe Reader on Windows through which your system could be attacked.

According to Adobe, a critical vulnerability has been identified in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for UNIX, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh.

“This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing,” as posted in Adobe’s security bulletin.

While this information could directly affect you, and I hope you take the needed precautions to make sure it doesn’t, it raises an even greater point. You never know when and how an attack will happen, and you need to keep up to date on security news and information.


To stay updated and read more about these issues, visit Adobe’s security team blog at http://blogs.adobe.com/psirt or subscribe to the RSS feed at http://blogs.adobe.com/psirt/atom.xml.

To find out how we can help you promote a secure environment and reduce the risk of a breach, ask about our security awareness programs. For more information click here: Security Awareness. You can also reach us by email or at 1-866-245-5224.


Young professionals ignore IT policies

Gregg Nelson January 05, 2012

Cisco recently announced that according to their global study, seven out of 10 young employees frequently ignore IT policies, and one in four is a victim of identity theft before the age of 30.

What does this say about a new generation of employees?

They need to understand the purpose of IT policies and the importance of these policies for both the organization and the individual. On-demand access to information is an essential part of this generation’s lives, and according to Cisco, these employees will do what they must to access the Internet, even if it compromises their company’s or their own security. This includes using or sharing their neighbors’ wireless connections to save money on their own service, or walking into random businesses and using their connections.


While using others’ Internet access may save some money, it comes at the expense of security. The same laptops used at Internet cafes and on the neighbor’s Wi-Fi are used to update business files and contact employees and clients. Unprotected Internet access opens the door to an organizational compromise.

This report supports why I believe on-demand security awareness training is vital for an organization. This generation needs to be aware of the risks and the measures needed to prevent a security compromise.

I know a college student who told me her university will plug students’ USB devices, left behind by accident in the computer lab, into one of its computers to see if the student’s name is on the device. The student is then notified via email that the device has been found, and the student plugs it back into his or her own computer.

I see several concerns here. First, how does the university know the USB device left behind is not a trap? This places university information at risk. Second, how does the student know someone did not take the device while it was left behind and compromise it? When the student then plugs it into a personal computer, a virus is installed. This generation seems to trust that no one would do such a thing until it’s too late. While this can be seen as a college policy flaw, it can also be a reason these students enter the professional world without a security-conscious mindset.

They’ve been educated in their craft, but now they need to be educated in security awareness. Young professionals are a huge asset to an organization, and offering them security awareness training and showing them the importance of IT policies will enhance their professional development as well as their secure performance in your organization.
