May 19, 2016 by The GLS Team
Jury scams have been around for years, but with email being one of the main forms of communication for people today, scammers have a whole new way to target their victims. Officials in over a dozen states have issued public warnings about scammers contacting individuals pretending to be court officials and seeking personal information.
Jury Duty Phone Scams
All over the US, people are being targeted by phone calls threatening them with legal action for failing to comply with jury service in either federal or state courts.
In the calls, victims are pressured or even frightened into providing confidential data, which can lead to identity theft and fraud. Recipients of the phone calls are threatened with arrest and fines if they do not comply. If the victims say they never received a jury duty notification, the scammers will request confidential information for “verification purposes.”
The types of information that the scammer will ask for are:
- Social Security number
- Date of birth
- Credit card numbers
Scammers will usually use prepaid phones or caller ID spoofing, which makes it look like the call is coming from a local law enforcement agency or court office. They’ll even go as far as to leave a phone number that plays a phony recording that sounds similar to the real one played at the courthouse.
By catching victims off-guard and using scare tactics, the scammers can get everything they need to commit identity theft.
Jury Duty Email Scams
Jury duty email scams use a similar approach to the phone scams, where scammers claim that victims missed jury duty and request personal information to resolve the issue.
Another type of jury duty scam implemented through email was discovered by the federal court system last fall, and at least 14 U.S. court districts were affected. Individuals around the country received emails claiming that they had been selected for jury duty service and were instructed to return the attached online form.
The form requested personal information such as Social Security number, date of birth, driver’s license number, and mother’s maiden name. Additionally, the email stated that anyone who failed to provide the information would have to report to court and could face fines and jail time.
The emails work by appearing as if they come from the “National eJuror Program,” which is an official online registration program used in about 80 U.S. district courts. However, these fake emails are in no way connected to the actual eJuror program.
How to Recognize a Jury Duty Scam
Fortunately, there are a few ways to know if you are being targeted by a jury duty scam. If you receive any correspondence from a court, keep the following information in mind. It will help you determine if it is a scam or not:
- eJuror, the legitimate online jury registration program, never asks that confidential information be sent directly by email.
- Federal courts always use postal mail to contact prospective jurors.
- Social Security numbers are never required when completing online jury forms.
- Court workers will never call to ask for Social Security numbers and other confidential information.
- Most courts follow up via regular mail and rarely, if ever, call prospective jurors.
- Federal courts do not require you to provide sensitive information over a telephone call.
- Court workers will never call you to tell you if you missed jury duty.
What to Do If You've Been Targeted by a Jury Duty Scam
If you gave your personal information to a jury duty scammer, or if you suspect you’ve been targeted by one, take the following action:
- Check your credit card and bank statements for unauthorized charges. Contact your credit card company or bank immediately if you notice anything suspicious.
- Monitor your credit report, and report any fraudulent activity to the Federal Trade Commission.
- Contact the clerk of court’s office at your nearest district court to notify them of the scam.
Be On Guard
Jury duty scams conducted via phone calls or emails are just one of the many phishing scams that criminals use to gain sensitive information from both businesses and individuals. By using scare tactics and impersonating authority figures, jury duty scams can be incredibly effective at getting enough information from victims to commit identity theft.
Awareness and education are both excellent ways to avoid becoming a victim of phishing attacks like this one. We provide phishing training to help your business reinforce its Human Firewall®. Contact Global Learning Systems today for training that will protect both your business and your employees from harmful phishing attacks.
May 11, 2016 by Jeff Bernstein
T&M Protection Resources' Managing Director, Jeff Bernstein, Shares Why Your People Should Be Priority When it Comes to Securing Your Organization:
I’ve worked within the information security industry for over seventeen years and can confidently say that when it comes to information security programs and risk reduction there is one data point that everyone that I meet seems to agree on: more often than not people are the weakest link in an organization's information security posture.
The vast majority of information security breaches are caused by end-users doing something that they shouldn't do, like clicking a malicious link in an email message, opening an infected email attachment, using weak passwords, losing laptops or phones, or being tricked into giving up their credentials through social engineering attacks. It’s absolutely true, and in fact most security industry data now estimates that over 80% of all successful data thefts begin with an end-user doing something that they shouldn't do.
Social engineering is the manipulation of people into performing actions or divulging confidential information. Social engineering exploits are utilized by attackers for the purpose of information gathering, perpetrating fraud, gaining system access, stealing sensitive data, intellectual property or dollars. I work at T&M Protection Resources where we provide post-breach forensics investigations. Cases that we investigate include simple website defacements, sophisticated thefts of large amounts of data and sums of money via multi-national organized crime rings, denial of service (DoS) attacks and everything in between. Based on our firm’s unique experience, I can tell you first hand that more often than not a human error is the root cause of most successful breaches that we investigate. Because of this, companies that fail to properly train their personnel to accurately recognize and respond to security threats are only asking for trouble.
As awareness of the threat grows, our firm is being asked more and more often to include phishing and other social engineering studies as a component of our information security assurance testing programs. We sometimes come out of these exercises with a 50% or more conversion rate, "conversion" meaning that we tricked an end-user into doing something that they should not have done, like clicking on a malicious link, entering a user name and password, opening a malicious attachment and the like. When we deliver our results, the first question that the clients always ask is "what can we do to fix this problem?" The single best answer to this question is to train internal personnel on security awareness matters. When done correctly, security awareness training is HIGHLY effective in mitigating the threat posed by people and the human element.
Security awareness training programs should include useful information relating to the latest security threats (phishing, smishing, etc.). Effective training programs should also include content specific to the company's security policies and procedures. This should typically include social media, acceptable use, data retention, and bring your own device policies when applicable. During the training program each employee should also be asked to read and accept company policies relating to acceptable usage which puts each employee on notice that they must be vigilant about security in the workplace.
The spirit and overarching theme of any security awareness training program should be that security is the responsibility of everyone in the workplace and that everyone needs to remain vigilant when it comes to recognizing and properly responding to information security threats.
Training should be enhanced with creative tests or studies that measure personnel awareness (email phishing studies, pretext calling, trojan snail-mailings, etc). Testing with frequency matures personnel end-users from a security awareness perspective and also allows the company to gauge retention of the information presented throughout the training curriculum. Testing also allows the organization to gauge improvement in security posture as it relates to security awareness of personnel. Risk reduction now becomes clearly quantifiable. Proper documentation of results over time is meaningful for management, audit and other purposes as it accurately shows where the awareness-related security posture has been, where it is at any given time and in what direction it is progressing. Security managed in this way becomes an enabler to the success of any business.
Achieving absolute security in the enterprise is simply impossible. Improving security usually costs money, capabilities, time, ease of use, civil liberties and more. Many organizations also lack internal resources, expertise, infrastructure and budgeting to deliver effective awareness training programs to their staff. The most effective compensating control to mitigate the most prevalent information security threat (the human element) to the workplace is security awareness training along with regular testing.
What we typically recommend for our clients is that all staff members attend a yearly training course at a minimum. This can take place in person or online depending on the client's preference. For many companies, employees work across numerous geographies, and because of this it is hard to assemble personnel in live sessions. It is also difficult to measure content retention when dealing with large live audiences. For this reason, many of our clients are choosing online training, which is highly effective. Online training also provides a better platform to measure progress and generate reports that can be used internally for compliance and audit purposes. Online training should be highly interactive and not something that can simply be clicked through. In addition to the yearly module, we also recommend that our clients deliver an abridged security awareness training primer to new employees as they are hired. This gives new employees an immediate lesson on awareness and also spells out exactly what is expected from them security-wise during their on-boarding. Testing throughout the training module should also be included. This ensures that the lesson's content is being retained by the end-user.
For more information on security awareness training products visit: http://www.globallearningsystems.com/products/security-awareness-training/
About Jeff Bernstein
Jeffrey Bernstein is the Managing Director of T&M Protection Resources (T&M) and has worked within the information security industry for over seventeen years. T&M Protection Resources has been providing a growing portfolio of seamlessly integrated security and intelligence services to leading businesses, financial organizations, investment management firms, corporations, academic institutions and private clients since 1981.