July 28, 2016 by The GLS Team
No one likes to be scammed. Not only do breaches of information and finances wreak havoc on personal lives, but a sense of violation occurs as well. Understanding what scams are and how they work prepares would-be victims with awareness and the knowledge to avoid — even stop — this criminal activity.
What is Phishing?
At its core, phishing is criminal activity. In action, phishing is the fraudulent acquisition of sensitive information. Items such as Social Security numbers, driver's license numbers, and credit card and bank account information fall into this category of confidential information.
Phone phishing or vishing (voice phishing) uses social engineering via the telephone system to access personal and financial information. The information then can be used to open new accounts or gain access to existing accounts with someone posing as you.
Interactive voice response (IVR) phishing recreates an organization’s IVR system to obtain access to sensitive information. Information gathered using automated customer inputs or voice conversation with a bogus customer service representative is used to gain financial reward for the fraudster.
What Do These Scams Look Like?
Typically, phishing scams work by inducing urgency and panic on the part of the victim. Warnings of fraudulent account activity, crashing computer issues or threats of loss often incite unknowing victims to click or verbally provide information to remedy the situation.
Fake emails that request information by means of the email or by a return phone call can gather passwords and other sensitive information. Unfortunately, these emails often appear to be legitimate. Required password inputs (often requested several times) route this personal information to scammers.
Falsely representing themselves as Intuit, Quickbooks and TurboTax, scammers request account updates, tax information, invoice payment and customer alerts, relying on your trust in these companies in order to defraud you.
Phishing through phone calls often begins with an email or phone message asking the recipient to call a particular organization, perhaps to update information or receive earned rewards. However, the return call does not connect the victim with the business, but instead with a fraudster. Again, on the surface, these calls appear to be legitimate.
Using these phone calls, requests for updated account information, passwords, banking information and other sensitive information are dictated into the waiting ears of the scam artist.
Typically, an email will request a call to an organization to verify information. The standard system then rejects the victim’s login attempts, requiring multiple PIN or password entries and disclosing them to the fraudster. The system may even refer you to an imposter customer service agent for further information gathering.
How is Awareness Raised About These Scams?
Raising awareness about targeted scams remains difficult because the strategies and tactics of fraudsters develop right along with technology. As anyone surfing the web knows, truth-bearing facts do not always stand out from inaccurate information.
Making the public aware of the existence of phishing scams helps put people on guard. Naiveté and trust are pitfalls in this sector. Ways to raise awareness include participating in a fraud awareness week or month. These events are created to educate the public through leaflets, posters, brochures, software and more.
Creating Informed Users
Awareness must focus on creating informed internet and phone users. Learning to recognize inconsistencies and check information proves useful in protecting citizens. Alerting the public to agencies and internet sites that provide accurate information regarding scams and fraud protection helps to inform and protect.
Companies like Global Learning Systems offer courses to educate citizens about the risks of phishing and the kind of protections that are available.
Many businesses such as Intuit produce up-to-date lists of current phishing alerts. Giving citizens information about scams to watch for and guard against prepares the public for what might be waiting for them.
Contacting organizations directly and reporting potential phishing attempts also helps to spread the word. Reporting directly to a company, to the Federal Trade Commission, and sometimes to local authorities raises awareness and brings about results.
Examples of Phishing Scams
In this day of technological advancement, there is no shortage of phishing scams. No sector of business seems to be excluded. For examples of phishing scams, check out websites such as APWG (Anti-Phishing Working Group).
Avoiding Phishing Scams
A few tips on how to identify phishing scams can keep us alert. Other reputable sites and courses, such as those through Global Learning Systems, provide more detailed information.
Be leery of a request for personal information.
Do not trust or click on links within emails. Go directly to the company’s site using your browser.
View websites in plain text to identify URLs linking to other locations.
Use an organization’s customer service number. Do not trust numbers provided on emails or through phone calls.
Contact an organization’s security department to confirm the legitimacy of emails or phone calls.
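The plain-text tip above can be automated. This added example (not part of the original post) lists where each link in an HTML message really goes and flags links whose visible text names a different domain; the sample body and its reserved example domains are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A domain-looking token inside the visible link text, e.g. "www.bank.example".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _bare_host(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_links(html_body):
    """Return one record per link: what is shown, where it really goes,
    and whether the shown domain disagrees with the real destination."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    report = []
    for href, text in parser.anchors:
        real = _bare_host(urlsplit(href).hostname)
        shown_match = DOMAIN_IN_TEXT.search(text)
        shown = _bare_host(shown_match.group(1)) if shown_match else None
        # The same host, or a subdomain of the shown host, is consistent.
        # Anything else means the text names one site and the link opens another.
        mismatch = shown is not None and not (
            real == shown or real.endswith("." + shown)
        )
        report.append({"text": text, "destination": real, "mismatch": mismatch})
    return report


# Constructed sample message body using reserved example domains.
SAMPLE_BODY = """
<p>Your account is locked. Sign in within 24 hours:</p>
<a href="http://bank.example.account-verify.test/login">www.bank.example</a>
<a href="https://news.bank.example/alerts"><b>bank.example</b> alerts</a>
<a href="http://203.0.113.7/reset">Reset your password</a>
"""

if __name__ == "__main__":
    for row in audit_links(SAMPLE_BODY):
        flag = "MISMATCH" if row["mismatch"] else "ok"
        print(f"{flag:8} {row['text']!r} -> {row['destination']}")
```

A link whose text contains no domain (the third one in the sample) is not flagged as a mismatch, but its real destination is still listed so it can be read before anyone clicks.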
July 25, 2016 by The GLS Team
Even though the internet has been around for only about two decades, this technological innovation has spread across all walks of life. Although it’s relatively easy for businesses to set up Wi-Fi access for their employees, the process of controlling it properly can often be another story.
Wi-Fi networks use airwaves for communication, with the signal often extending over 300 feet. Because of its availability and range, Wi-Fi offers great potential for hackers to gain access to your network. Fortunately, there are ways to secure your company’s Wi-Fi. Let’s take a look at some of those ways and why it is important to have a secured Wi-Fi network.
How to Secure Your Wi-Fi
Change the router’s default admin password
When you set up your router, you chose a wireless network password, but you might not have changed the router’s default administrative password. The default passwords for numerous router makes and models are easy to find online, and with that information, someone can take control of your network and use your router for nefarious purposes.
Keep the router’s firmware updated
Just as you update the software on your computer and phone, you need to keep the firmware updated on your Wi-Fi router. This easy task can fix bugs, including security vulnerabilities. Many routers will tell you when an update is available, and may even download such updates automatically.
Use Wi-Fi Protected Access (WPA)
You should avoid using the older Wired Equivalent Privacy (WEP) standard because it is easier to hack into; instead, use the WPA or WPA2 security standards. They rectify weaknesses found in WEP, making it more difficult for hackers to break into your wireless network. You also could use both WPA and WPA2 at access points to provide extra security for your wireless network.
Use strong passwords for your Wi-Fi network
You’ve probably heard about the importance of using strong passwords before, but it’s worth repeating. Someone monitoring your wireless traffic could easily crack your password if you use regular words or proper names. Make your password as long and as random as possible to prevent anyone from hacking your network.
Make a separate network for guests
If you have visitors or customers who are allowed to use your Wi-Fi network on a regular basis, you should provide a separate network for them. Guests will be able to access the internet, but not your primary internal network. This improves security and prevents guests from unintentionally infecting the primary network.
Physically secure your router
Anyone can get around the security measures you have in place by simply pressing the reset button on the Wi-Fi router. Keep your router in a locked room or cabinet. If that’s not possible, mount it high up near the ceiling to thwart any obvious attempts to reset the router.
Risks You Face With an Unsecured Network
Even if you believe sharing your Wi-Fi is harmless, you need to know that it can wreak havoc on your network and your company. Here are some dangers you face by having an unsecured Wi-Fi network:
A skilled hacker can use your router to take control of the network, change the Domain Name System (DNS) settings, and redirect your web traffic to fraudulent look-alike sites as a phishing attack. Your employees may give away sensitive usernames and passwords on these sites. Along with a secured connection, teach your employees how to recognize fake websites with Global Learning Systems’ anti-phishing training course.
If a laptop infected with malware connects to your Wi-Fi, the virus could find its way onto your network. While the spread of the virus might not be particularly malicious, it is certainly preventable by using a secure network and a separate guest network.
Since Wi-Fi is transmitted through the air, it isn’t necessarily confined to the walls of your buildings. With an unsecured connection, anyone can sit outside and enjoy free use of your internet. Not only are there security issues with this, but your employees probably wouldn’t appreciate the sluggish internet speeds they could encounter when outsiders use the network.
Unsecured Wi-Fi opens you up to denial of service (DoS) attacks, which make your network resources unavailable to the intended users. You may experience an unusually slow connection, no internet connection, unavailability of certain websites, or the inability to access any sites.
While it might seem easier or harmless to make your Wi-Fi available to everyone, doing so can open you up to a host of problems affecting both employee productivity and network security. Security awareness is important in any business, and Global Learning Systems offers a host of courses focusing on internet safety practices, helping you ensure your office network is secure. Contact GLS today to set up training for your company and ensure your employees are using safe internet practices in the workplace.
July 21, 2016 by The GLS Team
If you purchase a new car today, you may encounter enhanced safety features such as automatic braking, rear-view cameras, or beeping alerts if you get too close to an object or veer into the wrong lane. These driver assistance features are great for those times when you’re not paying close attention as you should while you’re driving.
Think of your company’s IT infrastructure like a car without enhanced safety features: you might be trusting your employees to drive an expensive piece of equipment that contains valuable information, but not providing them with the needed assistance features for those times when they aren’t paying close attention as they should. You might have all of the antivirus and software security systems possible and in place, but those systems won’t protect you from one big and unpredictable thing: human error.
Your employees won’t — and sometimes can’t — always be paying close enough attention, and they could end up getting into an “accident” that will cost your company greatly. In fact, user error is one of the largest causes of security breaches. Thankfully, behavior analytics and threat management training now exist to act as a kind of “driver assistance” for your employees, and to help prevent costly mistakes from being made.
In response to an environment in which malicious attacks are becoming more frequent, complex, and devastating, an integrated approach to network security is necessary to protect companies from these attacks. Many of these attacks are blended, which means they are a combination of various malware created to cause as much harm as possible. Threat management works to stop attacks before they enter the system, often by detecting negligent users who make a mistake, get infected, or participate in unauthorized file sharing or software installation.
Threat management works to create safeguards against the following issues:
Careful monitoring and analysis can identify areas in which a warning or security control could be implemented to prevent a user error from causing a data breach. Behavior analytics moves from passive awareness and training to a more active approach aimed at shaping behavior. Behavior analytics tracks behaviors and patterns to detect internal threats, both accidental and intentional. A behavior analytics tool typically sets a baseline for employee behavior and uses that to pinpoint anomalies.
Forbes recently released an article with some startling statistics about cyber threats to companies. This article reinforces the need for making sure your employees are educated on safe computing practices:
Before it can infect a target, 90 percent of malware requires human interaction (clicking a link, opening an email, etc.).
Human elements are responsible for 70 percent of IT breaches.
Some 63 percent of employees surveyed admitted to using work computers for personal use every day.
Some 83 percent of employees reported using their computers for personal use at least sometimes.
About 78 percent of employees used their business computers to access their personal email.
Cybercrime costs are estimated to reach $2 trillion by 2019.
While you might expect employees to use common sense and follow company policies and procedures when it comes to computer use, you can’t always guarantee that they will. Therefore, utilizing threat management and behavior analysis to adjust your employees’ behaviors and keep them well-trained is key to maintaining a secure cyberspace for your company.
Global Learning Systems (GLS) offers a Human Firewall approach to security awareness. Partnered with leading insider threat management and behavioral analytics provider ObserveIT, GLS provides real time, injective training or automatically scheduled future training based on detected employee behavior. At the moment of a policy violation a notification is displayed, and the user is connected directly to the appropriate GLS training product to reinforce correct behavior, deter insider threats, and prevent any future violations.
Here are a couple of courses that are available to reinforce your company’s Human Firewall:
SecureGenius: Over 200 questions assess your employees’ knowledge and skills aligned with common risky behaviors.
PhishTrain: Phishing exploit testing that helps you assess your employees’ abilities to resist phishing attacks.
Global Learning Systems, in its partnership with ObserveIT, can deliver these and other useful courses that are part of a content library to your employees at the moment a policy violation or risky behavior is detected. This type of learning solution, known as “just-in-time learning,” makes learning opportunities available at any time of day and/or any day of the week. Security threats don’t wait until scheduled training time to present themselves, so it’s vital to keep your employees prepared for, and educated on, security threats at all times.
When it comes to security awareness, GLS can help you take it to the next level by managing user behavior risks and working to adjust your employees’ behaviors regarding computer security. For more information on developing a Human Firewall for your company, or about any other GLS programs, contact GLS today.
July 18, 2016 by The GLS Team
Identity theft is one of those things that, although we’re all aware of it, we believe that it won’t happen to us. However, with an estimated 8 to 12 million victims annually, it’s evident that criminals have found identity theft to be easy, lucrative, and low-risk. These criminals realize that businesses also have identities that can be stolen, and unsuspecting businesses can be easy targets.
Being informed is the best way to avoid having your identity stolen and the resulting consequences. Read on for more information about what identity theft is, how it happens, and how you can protect yourself.
What is Identity Theft?
The basic definition of identity theft is the fraudulent acquisition and use of a person’s private identifying information (such as a Social Security number), typically to obtain money or credit.
Types of Identity Theft
There are over 25 different types of identity theft that can occur, but they can be broken into three categories:
Financial Identity Theft
Most individuals and businesses have some degree of established credit. Financial identity theft allows criminals to manipulate new or existing financial relationships. Businesses typically maintain larger bank account balances than consumers, which makes them an appealing target. Additionally, it can be easier (in some cases) for a business to open a new account or line of credit than a consumer, and with a higher credit limit.
Businesses often enjoy flexibility in payment terms that allows them to receive goods or services without having to pay for them right away. This allows criminals a window of opportunity to get products under a business name without the threat of immediate detection. Also, large purchases made by businesses might not be scrutinized as closely as they would be if a single consumer were to make them.
Criminal Identity Theft
If an imposter commits a crime in your name, it is much more difficult to clear your name than it is with financial fraud. Also, you might have to bear significant legal consequences from the actions, requiring much of your time and energy as well as your finances.
Other Types of Identity Theft
As an employer, you might have to deal with an imposter gaining employment at your company using someone else’s name. This can lead to issues with the Social Security Administration (SSA) and the Internal Revenue Service (IRS). Some other types of identity theft and fraud that could affect your business include commercial loan fraud, investors’ fraud, insurance fraud, workers’ compensation fraud, and money laundering.
How Identity Thieves Gather Information
Unfortunately for companies, especially small businesses, thieves have relatively easy access to the information they need to impersonate you. Small businesses may lack the security and oversight needed in accounting or IT departments to catch identity thieves.
In most states, businesses are required by law to post documents that contain some of their key identifying information such as sales tax identification, business license number, and/or other items. These types of information are available either publicly or can be purchased legally. For example, state business registration information is public record, and it contains information such as structure, owner(s), officers, directors, registered address, and sometimes even copies of the owner’s signature.
While consumer credit reports are protected, business credit reports can be ordered by almost anyone, since they are intended to foster and promote commerce. Business credit reports contain information that can be misused by business identity thieves.
Your business has an Employer Identification Number (EIN), which is basically a Social Security Number (SSN) for your business, but it doesn’t have the same protection that an SSN would have. Many business identity thefts occur — and false accounts are opened — with only a business name, EIN, and address.
Finally, an internet black market exists that contains stolen confidential information from millions of consumers and businesses; this information is sold, traded, and purchased every day.
What Happens if You’re a Victim of Identity Theft
According to the Uniform Commercial Code, businesses have a shorter time frame to report fraudulent transactions. Wire transfers and ACH transactions can occur quickly, and thieves are prepared to withdraw funds as soon as they are available. Because of this, it’s vital that you make protecting your business’ cash accounts your first priority.
If check fraud has occurred using your business’ name, you could be reported to the check verification companies used by merchants, and your business consequently might be denied check writing or checking account privileges.
Credit cards opened or used under your business name should be reported right away to the credit card company’s fraud department. The compromised cards will be closed, and new cards will be re-issued.
How to Avoid Identity Theft
Develop and implement a protection plan to protect your company’s identity.
Keep your company’s documents in a safe and secure location. Shred any unnecessary information and documents before disposing of them, especially if they contain personal information or identification numbers.
Don’t fill out forms online that require identifying numbers if you can avoid it. If you must use identifying numbers, make sure the website is legitimate and secure.
Monitor your business’ credit reports for fraudulent activity.
Ensure that employees complete Security Awareness Training so that they are informed about, and familiar with, identity theft practices, as well as how to best implement internet safety.
Staying informed and protected can help you avoid business identity theft. Global Learning Systems provides multiple courses for you and your employees that will help keep your company secure from online threats. Contact us today for course information.
July 13, 2016 by The GLS Team
Fraudulent activity (and its prevention) is just as much a part of your business as your employees’ payrolls or other business functions. No occupation or industry is immune to this negative aspect of the business world. When fraud takes place, it affects more than just your company’s bottom line. In addition, a small business bears the direct brunt of fraudulent activity because of having to pay for downtime, legal fees, and IT resources.
At the point where the financial damage is done, a company must find a way to pick itself up and move forward (perhaps a little wiser due to its experience with fraudulent activity). An excellent way for companies to fight back against fraudulent activity is to learn how to identify a potential scam and how to stop that fraudulent activity before it has a chance to start.
Take a look at these recent scam examples that businesses might experience, and the practical solutions to eliminate the situations from an organization.
Business Email Compromise
Business email compromise (BEC) is a sophisticated scam that targets companies working with mobile suppliers or that make frequent wire transfers. Using social engineering or computer hacking, scammers obtain a legitimate business email address and conduct an unauthorized transfer of funds.
Unfortunately, this type of scam isn’t caught until the funds have been transferred. The criminals use seemingly legitimate phishing or pretexting scams that make the victims feel pressured to act immediately.
BEC scams continue to be prevalent, and scammers are evolving and attacking businesses of all sizes. This type of scam has been reported in all 50 states and 79 countries, and the exposed loss from BEC scams totaled over $1.2 billion.
Since BEC scams seem to be an effective method for criminals, awareness and prevention are key to avoiding something like this happening to your business. Many of the transfer requests are made with a sense of urgency, so holding any international wire transfers for a period will give you time to determine the legitimacy of the request. Some other proven methods of protection are:
Register all company domains that are slightly different than the actual company domain.
Use two-factor authentication for verifying fund transfer requests, and never use the phone number in the email as a form of verification.
Know the habits of your customers, such as details of, reason for, and amount of payments.
Keep employees educated with Phishing Awareness Training.
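The near-miss test that tells you which domain variants are worth registering can also screen inbound mail. This added example (not from the original post) classifies a From header's domain as the company's own, a lookalike, or unrelated; the company domain acmefreight.example, the sample headers, the confusable-character list and the two-edit threshold are all assumptions made for illustration.

```python
from email.utils import parseaddr

# Character sequences that read alike at a glance; applied to both sides.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain):
    """Collapse visually confusable sequences so 'acrne' compares as 'acme'."""
    s = domain.lower()
    for seen, read_as in CONFUSABLES:
        s = s.replace(seen, read_as)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: insertions, deletions,
    substitutions and swaps of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header, company_domain, max_edits=2):
    """Return 'own', 'lookalike' or 'other' for the From header's domain."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    company = company_domain.lower()
    if domain == company or domain.endswith("." + company):
        return "own"
    if osa_distance(skeleton(domain), skeleton(company)) <= max_edits:
        return "lookalike"
    return "other"


# Constructed sample headers; every domain here is a reserved example name.
COMPANY = "acmefreight.example"
SAMPLE_HEADERS = [
    '"Accounts Payable" <ap@acmefreight.example>',
    "Billing <billing@mail.acmefreight.example>",
    "CEO <ceo@acrnefreight.example>",       # 'rn' standing in for 'm'
    "Vendor <pay@acmefrieght.example>",     # two letters swapped
    "Vendor <pay@acme-freight.example>",    # hyphen inserted
    "Partner <ops@harborlogistics.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header, COMPANY):10} {header}")
```

Mail classified as a lookalike is the case where a fund transfer request should be held and verified through a known phone number rather than acted on.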
Consumer Complaint Notification from the FTC
Your business may rely on positive customer reviews, so receiving a notification that a customer has made a complaint against your business can be a big deal. Scammers use an email that looks like it comes from the FTC notifying you that a consumer has filed a complaint claiming your business violated the Consumer Credit Protection Act and asking you to follow a link.
These types of emails were first reported to the FTC back in 2014, but they’ve recently made a reappearance. Most savvy employees and business owners recognize the emails as fake, but if you don’t and click the link provided, you could install malware on your computer that might cause your device to crash or allow information to be stolen.
The easiest way to prevent damage from this scam is not to open emails like this in the first place. If the email does get opened, don’t click the link or open any attachments. If you’re unsure of the legitimacy, look up the phone number of the agency and contact them directly.
The FBI’s Internet Crime Complaint Center reports that ransomware schemes are continuing to spread and infect devices across the globe. Targeting both individuals and businesses, the problem begins when an infected advertisement or link is clicked, an email is opened, or an infected website is visited. Once the device is infected with ransomware, files become encrypted and the person or company must pay a “ransom” fee, usually via Bitcoin, to gain access to the files again.
In a year’s time, 992 victims reported CryptoWall-related ransomware schemes with losses totaling over $18 million.
To protect your business:
How to Protect Your Company
Knowledge is power. In the case of protecting your company from scam artists and the fraudulent activity involved, you never can have too much power. The best line of defense you can present against scam artists is a united front.
Consider setting up a training seminar for your staff with Global Learning Systems. It will get everyone operating on the same page when it comes to protecting your company against fraudulent activity. A refresher course in Ethics Training for the office will work to provide protection as well.
Be proactive in your interactions with people outside your organization. Any attempt to solicit money from you should be verifiable if necessary. Verify anything that feels fraudulent with your bank or other financial institution as a means of protecting yourself and your business for years to come.