As we wrap up the 20th Cybersecurity Awareness Month, let’s take a look at this year’s themes and reminders on the threats out there and actions we can take to help stay safe online.
One of the themes of this year’s Cybersecurity Awareness Month is using strong passwords and a password manager, neither of which is really sufficient without also using multi-factor authentication, which is another of this year’s themes. Why, after 20 years, are we still talking about passwords? And aren’t passwords going away with the advent of passkeys?
The fact is, passwords have been around for decades. They are entrenched in cybersecurity culture, and for most everyday users, protecting their accounts means using a password. Yes, passkeys are more secure (a passkey is bound to the real site, so it can’t be phished, and it is never reused across sites), and the hope is that eventually they will be the means of choice for accessing accounts, but passwords are likely to be with us for years yet. There is a cost to implementing passkeys as a form of authentication, and while that may be easily absorbed by the big players like Google and Microsoft, not every business has the resources to jump in so quickly.
Also, let’s not forget the human factor. As easy as a password manager is to use, not everyone uses one – and even fewer people use MFA unless they have no choice. And believe it or not, not everyone has a smartphone or an easy way to use a hardware token, or even a computer of their own. Requiring passkeys and not allowing the option to use a password has the potential to widen the digital divide.
Passwords and Multi-Factor Authentication
So it’s worthwhile to remind people of the need to use good passwords, and ideally to pair them with MFA. A password manager makes dealing with passwords a lot easier, but however you manage them, never reuse a password across accounts.
Reusing passwords makes it much more likely that your accounts will be hacked – just look at all the data breaches in the news (and think about the ones that don’t make the news). When a password is exposed in a breach, attackers take the leaked email and password pairs and try them on every other popular site (credential stuffing), so any account where you reused that password is at risk. MFA adds an extra layer of protection, making it harder for the bad guys to get in even when they hold a correct password; an authenticator app or a hardware security key is stronger than codes sent by text message, which can be intercepted through SIM swapping.
Beware of the Phish
Another way cybercriminals can get into your accounts or systems is through phishing, which is why another theme for this year’s Cybersecurity Awareness Month is “recognize and report phishing.” Many cyber incidents start with a “phish” – an email, phone call, text, or social media message asking for information or trying to get you to click on a link, which may allow malicious software to download on your machine or steal your information.
Red flags to watch for are alarming language that tries to create a sense of urgency, so that you feel you must respond right away, and links that look suspicious or contain misspellings of well-known domain names; hover over (or long-press) a link to see where it really goes before you click. Not all phishing messages have awkward language or misspellings, especially now that AI has made it easy to write convincing ones, so be careful of ANY email or message that asks you to click on a link or provide personal or financial information.
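As a concrete version of the link checks described above, here is an added example (not from the original post) that takes a link’s visible text and its real href and reports the red flags a mail filter or a careful reader would look for: text that names one domain while the link goes to another, a brand name buried inside a different domain, a typosquatted domain one or two characters off, a raw IP address, a punycode label, embedded credentials, and plain http. The brand allowlist and the sample links are constructed for illustration, and registrable_domain() is a deliberate simplification noted in the code.

```python
"""Heuristic checks for the phishing-link red flags: does the visible text match
the real destination, is the host a lookalike of a known brand, and is the URL
doing something a legitimate login link never does.

Added example, not part of the original post. BRAND_DOMAINS and the links in
demo_links() are constructed; a real deployment would carry a much larger
allowlist and use a public-suffix list instead of registrable_domain().
"""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed allowlist of brands whose names phishers commonly borrow.
BRAND_DOMAINS = ("paypal.com", "microsoft.com", "google.com", "amazon.com")

# Something that looks like a domain name inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification (assumption): multi-label
    suffixes such as co.uk are not handled; use a public-suffix library for real traffic."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def link_red_flags(display_text: str, href: str) -> List[str]:
    """Return the red flags found for one link's visible text and href."""
    flags: List[str] = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        flags.append(f"unusual scheme '{parts.scheme}'")
    elif parts.scheme == "http":
        flags.append("not HTTPS")
    if parts.username is not None:
        flags.append("credentials embedded in URL")  # user@host trick hides the real host
    if not host:
        flags.append("no hostname")
        return flags
    if _is_ip(host):
        flags.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible homoglyph domain)")

    reg = registrable_domain(host)

    # Visible text that looks like a domain must agree with the real destination.
    shown = _DOMAIN_IN_TEXT.search(display_text.lower())
    if shown:
        shown_reg = registrable_domain(shown.group(0))
        if shown_reg != reg:
            flags.append(f"link text shows {shown_reg} but link goes to {reg}")

    for brand in BRAND_DOMAINS:
        if reg == brand:
            continue  # the brand's own domain, nothing to flag
        brand_name = brand.split(".")[0]
        if brand_name in host:  # e.g. paypal.com.login-verify.net or secure-paypal-login.com
            flags.append(f"brand name '{brand_name}' used in a domain that is not {brand}")
        d = levenshtein(reg, brand)
        if 0 < d <= 2:  # paypa1.com, micros0ft.com, amazon.co
            flags.append(f"lookalike of {brand} (edit distance {d})")
    return flags


def demo_links() -> Dict[str, List[str]]:
    """Constructed (visible text, href) pairs in the shape of anchors from a phishing mail."""
    samples = {
        "legit": ("https://www.paypal.com/signin", "https://www.paypal.com/signin"),
        "mismatch": ("https://www.paypal.com/verify", "http://paypal.com.login-verify.net/x"),
        "typosquat": ("Confirm your account", "https://paypa1.com/confirm"),
        "ip": ("Click here", "http://192.0.2.10/login"),
        "userinfo": ("PayPal", "https://user@paypal.com.example.net/"),
    }
    return {name: link_red_flags(text, href) for name, (text, href) in samples.items()}


if __name__ == "__main__":
    for name, flags in demo_links().items():
        print(f"{name}: {flags or 'no red flags'}")
```

None of these checks is proof of phishing on its own (legitimate mail goes through tracking-redirect domains, for instance), which is why the function returns the list of reasons rather than a verdict; the more of them a single link trips, the less reason there is to click it.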
If you do receive a suspect message, report it. If it’s a business message, follow your company’s reporting procedures. If it’s personal, you can often report suspicious messages to your email provider or to the organization which supposedly sent the message.
Finally, delete phishing messages. Don’t reply or click on any links, even an “unsubscribe” link – just delete the message.
One of the best ways to stay secure is to update software on your computer, phone, and other devices. Software developers frequently release updates to patch vulnerabilities and fix security issues. Hackers and cybercriminals are continually searching for weaknesses to exploit, so failing to update your software can leave your devices and data exposed to potential threats.
Some updates are designed to enhance data protection and privacy. For instance, privacy settings and data encryption methods are frequently improved in updates to safeguard your personal information from potential breaches.
Turn on automatic updates where possible. You can usually set your computer, mobile phone, and web browsers to automatically install updates, which can help to keep your devices secure with minimal effort on your part. However, don’t forget about other devices connected to your network – at work or at home. Remember to check for updates on printers, routers, and IoT devices to help stay secure.
Keep It Up!
Cybersecurity Awareness Month promotes good cyber practices and provides information on current threats, but it’s important to stay aware of and practice good cyber hygiene year-round. The infographic below is a good reminder to use all year to help us all stay secure.
March 31st, World Backup Day! Well, really every day should be Backup Day, but if you’ve been living on the edge, today is the day to back up and get a plan together to guard against potential mishaps. No one wants to live through a disaster like accidentally deleting most of Toy Story 2. (“Unplug the machine!”)
So, you’re ready to back it up – what steps should you take?
What’s Important To You?
First, identify what you need to back up. Stuff like your accounting data, important documents, and the photos of your cat, because be honest, those are the most important files on your computer. Seriously, back up anything you really don’t want to lose. For a business, you’re going to have financial data, legal data, customer information, a lot of information needed to operate and serve your customers. We also have important data at home, probably financial data also, documents, music, and photos that hold our precious memories (of our cats and other things).
Use The Rule Of Three
Then, determine the means and a schedule for backing up. A true backup strategy should use the “rule of three” (often called the 3-2-1 rule) for backups:
- Keep 3 copies of any important file – 1 primary and 2 backups
- Keep backups in 2 different formats/media types
- Keep (at least) 1 copy offsite
Some options are to back up important data to an external hard drive or network attached storage device, and also to a cloud backup service such as Backblaze, or to offsite storage such as OneDrive or Google Drive. Be aware that file-sync services mirror deletions and ransomware-encrypted files within minutes, so a synced folder only counts as a backup if you keep a separate copy or rely on the service’s version history. If you store your primary copies in the cloud – for example, you may keep documents in Google Drive for your team to collaborate on, or use web-based email services – then consider backing up your cloud data in a separate, secure location as well. If you have a website, your web files and database also need to be backed up in multiple locations.
Test, Test, Is This Thing On?
Finally, test your backups! A backup does you no good if you can’t easily restore it, or worse, if it’s corrupted and you can’t retrieve the data you need. Remember the Colonial Pipeline debacle? When ransomware hit, Colonial Pipeline tried to restore from their backups, but operations stopped for days and they ended up paying a ransom of over $4M to get operations back online – and no one knows how much data was actually lost. Ransomware also goes after any backup it can reach over the network, which is why at least one of your copies should be offline or otherwise not writable from the systems it protects. Do a test restore on a regular schedule, and check that the restored files match the originals rather than trusting that the backup job reported success.
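The backup-and-test procedure above, carried through as an added example that is not part of the original post: it archives a directory, records a SHA-256 manifest, then proves the backup is restorable by extracting it into a scratch directory and checking every restored file against the manifest, and it shows what a corrupted archive looks like to the same check. The sample files are constructed in a temporary directory by run_demo(); the function and file names are this example’s own.

```python
"""Back up a directory to a compressed tar archive with a SHA-256 manifest, then
prove the backup is restorable by extracting it into a scratch directory and
comparing every restored file against the manifest.

Added example, not part of the original post. run_demo() builds a constructed
sample tree in a temp directory; point backup_directory() at real data to use it.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_sha256(p) for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def backup_directory(source: Path, dest_dir: Path) -> Path:
    """Write dest_dir/<source name>.tar.gz plus its manifest; return the archive path."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{source.name}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    manifest = {"archive_sha256": file_sha256(archive), "root": source.name, "files": hash_tree(source)}
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(archive: Path) -> Dict[str, object]:
    """Restore into a scratch directory and check the result against the manifest.

    archive_ok: the archive bytes still match the hash taken at backup time
    missing / mismatched: files the restore did not reproduce exactly
    restorable: True only if everything came back intact
    """
    manifest = json.loads(manifest_path(archive).read_text())
    missing: List[str] = []
    mismatched: List[str] = []
    archive_ok = file_sha256(archive) == manifest["archive_sha256"]
    if archive_ok:  # a damaged archive (bit rot, bad copy, tampering) is not worth extracting
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(scratch, filter="data")  # refuses path traversal, links outside, devices
                except TypeError:  # Python without the extraction-filter backport
                    tar.extractall(scratch)
            restored = hash_tree(Path(scratch) / manifest["root"])
        for rel, digest in manifest["files"].items():
            if rel not in restored:
                missing.append(rel)
            elif restored[rel] != digest:
                mismatched.append(rel)
    return {
        "archive_ok": archive_ok,
        "missing": missing,
        "mismatched": mismatched,
        "restorable": archive_ok and not missing and not mismatched,
    }


def run_demo() -> Dict[str, Dict[str, object]]:
    """Constructed sample: back up a small tree, verify it, then flip one byte and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "documents"
        (source / "photos").mkdir(parents=True)
        (source / "taxes-2023.txt").write_text("constructed sample data\n")
        (source / "photos" / "cat.jpg").write_bytes(os.urandom(4096))  # random bytes, not a real JPEG
        archive = backup_directory(source, Path(tmp) / "backups")
        good = verify_backup(archive)
        damaged = bytearray(archive.read_bytes())
        damaged[len(damaged) // 2] ^= 0xFF  # simulate bit rot or a bad copy to the second medium
        archive.write_bytes(bytes(damaged))
        bad = verify_backup(archive)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it as a script to see both results. For real data, call backup_directory() on the folders you identified in the first step and schedule verify_backup() against the copy on each medium separately, since the copy on the external drive and the copy in the cloud can fail independently; a manifest that lives only next to the archive should also be copied elsewhere, or an attacker who can rewrite the archive can rewrite the manifest too.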
So there you have it, some tips to help you celebrate World Backup Day. Remember, backing up your data might not be the most thrilling activity, but it’s certainly one of the most important. So, take some time today to make sure your data is safe and secure. Happy World Backup Day!
According to Patchstack’s State of WordPress Security In 2022 whitepaper, there was a 328% increase in WordPress security bugs last year. But don’t panic! This doesn’t mean WordPress is less secure; in fact, this indicates there are lots of folks out there hunting these issues down to keep WordPress site users MORE secure.
But it does require YOU to take action to keep your plugins, themes, and WordPress core software updated. Patchstack reports that 42% of websites have at least 1 current vulnerable software component installed. That’s like leaving your back window open to a thief.
Okay, so you’re keeping an eye on your site and updating plugins and themes and WordPress whenever you get a notification. But what about the 26% of plugins with security vulnerabilities that didn’t get patched? Are you regularly monitoring this “threat intelligence” to ensure you aren’t running a plugin or theme that’s “up to date” but still vulnerable? These abandoned software components are a silent threat to website owners who may not even be aware they are running insecure software.
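One way to keep an eye on that “up to date but still vulnerable” case is to match the installed plugin list against advisories that record whether a fixed release exists at all. The example below is added here and is not the blog’s or Patchstack’s code: INSTALLED_PLUGINS is constructed in the shape of `wp plugin list --format=json`, the advisories are made up for illustration, and a real check would load both from the site and from a vulnerability feed.

```python
"""Match a site's installed plugins against advisories and report both the
'update available' and the 'no fix exists' cases, so a plugin that is fully
updated but abandoned with an open vulnerability is not mistaken for a safe one.

Added example, not the blog's or Patchstack's code. INSTALLED_PLUGINS is a
constructed list in the shape of `wp plugin list --format=json`; ADVISORIES is
made up for illustration and would come from a vulnerability feed in practice.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `wp plugin list --format=json`.
INSTALLED_PLUGINS: List[Dict[str, str]] = [
    {"name": "contact-widget", "status": "active", "update": "available", "version": "2.3.0"},
    {"name": "old-gallery", "status": "inactive", "update": "none", "version": "1.8"},
    {"name": "seo-helper", "status": "active", "update": "none", "version": "5.0.2"},
    {"name": "cache-booster", "status": "active", "update": "none", "version": "3.1"},
]

# Constructed advisories. fixed_in=None means no patched release exists (abandoned component).
ADVISORIES: List[Dict[str, Optional[str]]] = [
    {"slug": "contact-widget", "title": "Stored XSS in widget settings", "fixed_in": "2.4.1"},
    {"slug": "old-gallery", "title": "Arbitrary file upload", "fixed_in": None},
    {"slug": "seo-helper", "title": "Missing capability check", "fixed_in": "5.0.2"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1); non-numeric parts such as 'beta' count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v.strip()))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; short versions are zero-padded so 1.8 < 1.8.1."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def assess_plugins(installed: List[Dict[str, str]], advisories: List[Dict[str, Optional[str]]]) -> List[Dict[str, str]]:
    """One finding per (plugin, advisory) pair that still affects the installed version."""
    by_slug: Dict[str, List[Dict[str, Optional[str]]]] = {}
    for adv in advisories:
        by_slug.setdefault(adv["slug"] or "", []).append(adv)

    findings: List[Dict[str, str]] = []
    for plugin in installed:
        for adv in by_slug.get(plugin["name"], []):
            fixed = adv["fixed_in"]
            if fixed is None:
                status = "vulnerable-no-fix"
                action = "no patched release exists: remove the plugin or replace it"
            elif version_lt(plugin["version"], fixed):
                status = "vulnerable-update-available"
                action = f"update to {fixed} or later"
            else:
                continue  # installed version already carries the fix
            if plugin["status"] != "active":
                action += " (inactive plugins keep their code on disk and may still be reachable)"
            findings.append({
                "slug": plugin["name"],
                "version": plugin["version"],
                "title": adv["title"] or "",
                "status": status,
                "action": action,
            })
    return findings


if __name__ == "__main__":
    for f in assess_plugins(INSTALLED_PLUGINS, ADVISORIES):
        print(f"{f['slug']} {f['version']}: {f['status']} - {f['title']} -> {f['action']}")
```

The same version comparison applies to themes and to WordPress core. The point of the no-fix status is that no amount of clicking “update” clears it; the only remediation is to remove or replace the component, and an inactive plugin is not a safe resting place because its files stay on the server.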
Software supply chain vulnerabilities are also an issue. Like any manufactured product, open source software such as WordPress depends on a supply chain, in this case the code libraries and frameworks that plugins and themes are built on. A vulnerability in one of those libraries cascades into every project that bundles it, as happened with the Freemius framework, which is used in a number of plugins and themes. As Patchstack’s white paper says:
The good news was hundreds of plugins that were notified of the security bug in Freemius updated their project’s code and patched the bug. The bad news was dozens to hundreds of projects did not respond to the notifications.
While the numbers and threats seem alarming, Patchstack takes an optimistic view of security for the coming year. With security researchers and developers working together to find and fix vulnerabilities, and continued awareness and action from website owners to keep their sites up to date, the WordPress ecosystem will continue to grow safer.
Check out Patchstack’s whitepaper on the State of WordPress Security. And if you need someone to help keep your site updated, running well, and secure, give Milepost 42 a shout!
Ever hear Brad Paisley’s song about the short, chubby, “hero” who’s “so much cooler online”? The internet makes it easy for people to pretend to be something they’re not. And today’s online dating landscape has made it easy for some cyber criminals to take advantage of people looking for love.
Romance scams, where someone is tricked into believing they’re in a caring relationship with someone who is really just out to steal their money or information, are a growing problem. In fact, during the first half of 2021, the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints related to online romance scams, resulting in losses of approximately $133.4 million.
Sometimes romance scams are part of a larger cybercriminal ecosystem. International cyber gangs sometimes use dating sites to recruit victims as “money mules” and use them to unknowingly launder funds.
Scammers often prey on victims who are lonely or isolated, and the lockdowns and closings in response to the COVID-19 pandemic have created a fertile ground for this loneliness. If you or a loved one has started an online relationship, be sure to check for red flags such as:
- Requests for money, especially urgent requests. Scammers may try to pressure you into sending money for “urgent” matters, such as medical expenses. Or they may say they want to visit you in person, but need money for a plane ticket. Never send money to someone you haven’t met in person.
- They often make and break promises to come see you in person. The person claims to live far away, overseas, or be in the military.
- The relationship is moving fast and the person professes love quickly.
- They pressure you to move the conversation off the dating platform to a different site or want to continue the conversation through text. Dating platforms search for scammers on their sites. Scammers will want to move their victims off-platform to avoid detection.
If you think you or someone you care about may be the victim of a scam:
- Stop communications with the scammer immediately, and take note of any identifiable information you may have on them, such as their email address.
- Contact your bank or credit card company if you’ve given them money.
- File a police report with your local precinct.
- Report the scammer to the FTC at gov/complaint and the FBI at ic3.gov.
- Notify the website or app where you met the scammer.
Romance scams can happen to anyone at any age, and falling for a scam is nothing to be ashamed of. By speaking out, reporting scams, and encouraging others to do the same, you can help protect others from becoming victims.
Learn more about how to protect yourself from romance scams and other threats at https://staysafeonline.org/stay-safe-online/.
In 2005, the U.S. Senate designated June as National Internet Safety Month, as “an opportunity to educate the people of the United States on the dangers of the Internet and the importance of being safe and responsible online.” While the resolution was born from the recognition that children were increasingly online, the need to understand internet safety extends to all of us – and it’s even more important today than 15 years ago. Just as personal hygiene can protect you from disease (wash your hands), practicing good cyber hygiene can help protect you from internet nasties. Here are 3 common mistakes that compromise your internet safety, along with advice on what you can do to protect yourself.
Internet Safety Mistake 1 – Reusing Passwords
A 2018 study by researchers at Virginia Tech University revealed that an alarming 52% of users reuse passwords on different services – and the MOST reused passwords were for sensitive sites, like email or shopping sites. Not only that, many people were still reusing the same passwords even after the credentials had been leaked in a data breach. Wonder if your password has been exposed? Check Have I Been Pwned? to see if your account has been involved in any of the numerous data breaches reported over the last several years.
Why it’s a problem:
Suppose you’ve set up a really strong password – no dictionary words, you’ve used a passphrase to establish an 18 character password with various alphanumeric characters and even a special character or two. That’s great. But if you use your special strong password for your bank, and your email, and your social media account, and one of those is hacked, all the other services where you use that password are at risk.
What you should do:
Using a strong password is great, and still important. But the best password in the world is of no use if it’s been exposed in a data breach. Use a password manager to help you create and manage strong, unique passwords for the many systems you use. And use two-factor authentication as an extra layer of protection for your most sensitive accounts, like banking or email.
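The “has this password already shown up in a breach?” check that both the password-reuse advice in the Cybersecurity Awareness Month post above and the Have I Been Pwned pointer in Mistake 1 rely on can be done without sending the password anywhere. The example below is added here and is not the blog’s or HIBP’s own code: it implements the k-anonymity range lookup that the Pwned Passwords API uses, with a constructed sample reply (SAMPLE_RESPONSES) standing in for the live service so it runs offline; the network fetcher is included for real use but is not called by default.

```python
"""Check a password against a breach corpus with the k-anonymity range query
that Have I Been Pwned's Pwned Passwords API uses.

Only the first five hex characters of the password's SHA-1 hash are sent; the
service answers with every suffix sharing that prefix and the match is made
locally, so neither the full hash nor the password leaves your machine.

Added example code, not the blog's or HIBP's own. SAMPLE_RESPONSES is a
constructed stand-in for the API reply so the module runs offline.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample: a real range for prefix 5BAA6 holds hundreds of entries.
# The first suffix is the tail of SHA-1("password"); the others are filler and
# do not correspond to any particular password. Counts are made up.
SAMPLE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
        "0ABCDEF0123456789ABCDEF0123456789ABC:17\r\n"
    ),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padding lines (count 0) are harmless."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_http(prefix: str) -> str:
    """Real fetcher (network): GET the range for a 5-hex-char prefix. The
    Add-Padding header asks the service to pad the reply so that response size
    does not reveal which prefix was requested."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher backed by the constructed SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(prefix, "")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_sample) -> int:
    """How many times the password appears in the corpus; 0 if it was not seen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n:,} times, do not use" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Pass fetch_range_http as the fetcher to query the live service. Password managers run this same range query over your stored entries; when wiring it into a signup or password-change form, run the check server-side and treat any non-zero count as grounds to reject the password, not merely as a warning to display.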
Internet Safety Mistake 2 – Not Updating
You probably get update notifications on your computer or your phone. Maybe you have them set to auto-update, or maybe you prefer to have control over when an update is done, since you’ve heard of problems happening with updates. But do you always make sure the updates are done in a timely manner? You probably have other software on your computer, not just the operating system. Those programs often get updates as well, but they may require you to log in to apply the update. What about the other internet-connected items in your home? When is the last time you updated the firmware on your wireless router? Many smart devices get updates as well, usually automatically, but sometimes an update is interrupted – you should check to be sure all updates are applied.
Why it’s a problem:
Software updates are done either to add new features or to plug security holes. Technology is constantly changing, and new vulnerabilities are discovered all the time; reputable companies do their best to stay on top of this and issue updates or “patches” to fix security issues. Failure to apply updates and patches is one of the top causes of data breaches, and this applies to your home systems as well as to big companies. In 2018, a major cyberattack (the VPNFilter malware) targeted small office and home routers; it allowed bad actors to steal website credentials, extract information, and block network traffic. Most vendors released patches, but routers usually require you to apply the update manually.
What you should do:
Be aware of all the connected devices you have – definitely your smart phone and computer, but also think about your router, your smart TV, streaming devices, smart speakers, home control hubs, even your smart watch. If you have a small business, don’t forget about your connected printer, your website, and your file servers. Establish a process to regularly check for updates on all your devices and for the software running on those devices, especially if you don’t have auto-updates.
Remember to check for updates on all the software running on your computer. CCleaner Pro is one program that can help you with this; it can check for outdated software on your computer and in many cases update it for you.
Internet Safety Mistake 3 – Using Public WiFi
Have you ever connected to the “free WiFi” offered at your favorite coffeeshop? Or perhaps you travel for business, or vacation, and use the airport or hotel WiFi. Careless use of public WiFi is one of the biggest mistakes people make when on the go. While having access to WiFi can be very convenient, it comes with a significant security risk.
Why it’s a problem:
Very often, free WiFi offered in public spaces is completely open, with no password or encryption at all. Anyone in range can run a wireless “sniffer” and read whatever you send over that network unencrypted. Most websites now use HTTPS, which protects page contents and passwords in transit, but the names of the sites you visit (DNS lookups and TLS server names) are still visible, and anything sent over plain HTTP, including login forms on older sites, is fully exposed.
Also, it’s easy for a hacker to set up an inexpensive device and pretend to be a legitimate wireless access point (an “evil twin”). When you join that “FreeAndOpenWiFi” network at the hotel or airport, are you sure it’s really the right network? It could be a bad guy out in the parking lot, who can now watch your traffic and steer you to fake login pages.
What you should do:
Surfshark has a great resource explaining the risk of public wifi and what you can do to protect yourself. A couple of quick things to remember:
When using public WiFi, always check with the venue to make sure you’re joining the REAL network – and prefer one that is encrypted (WPA2 or WPA3) and requires a password. Keep in mind that on a WPA2 network with a shared password, anyone else who knows that password and captures your connection handshake can still decrypt your traffic; the password keeps outsiders off the network, not fellow guests. WPA3 closes that gap.
Even when you’re sure it’s the right network, take precautions to protect the information you’re sending over it. It’s best not to do any sensitive business while using public WiFi – for example, don’t log in to your bank using the airport WiFi. If you must use public WiFi, use a VPN service on your laptop or mobile device to encrypt everything you send, and make sure any site where you sign in is using https://.
Don’t make these internet mistakes!
Protect your passwords, update regularly, and be extra careful if you use public WiFi. Keep yourself safe by staying aware of risks and practicing good cyber hygiene!
You may have heard the quote, “Trust, but verify,” (made famous by Ronald Reagan), but based on the information in the FBI Internet Crime Complaint Center’s 2019 Internet Crime Report, you’d do better to verify first. According to the FBI, 2019 had both the highest number of complaints and the highest financial losses since the IC3’s beginning in 2000 – 467,361 reported complaints and over $3.5 billion lost.
Internet Crime – Where The Money Is
With financial losses due to internet crime at the highest levels ever, what are the areas where fraudsters are causing the most damage?
Nearly half the losses reported were due to Business Email Compromise (BEC) or Email Account Compromise (EAC). This is a scam in which a cyber criminal hacks or spoofs a legitimate email account and convinces the recipient of the email to transfer funds to a fraudulent location.
For example, consider this BEC fraud attempt, in which First Business Bank received an email from the business email address of the CEO of a business client, requesting a $15,850.00 wire transfer. The bank employee emailed a blank wire request form, and received a return email with the completed form, including the CEO’s matching signature. The fraud was discovered when the wire desk did additional authentication by calling the client’s phone number of record.
Unfortunately, a woman in Spokane was not so lucky when she fell victim to EAC during the process of buying her dream home. A 75 year old woman lost her life savings of almost $100,000 when she followed emailed wire transfer instructions that appeared to be from her escrow officer. Sandra Lee lost her money and her home, and her only consolation is that the FBI was able to track down one perpetrator with the report and evidence she provided.
Sadly, Lee was also in the age group that loses the most to fraudsters – those over 60. These internet criminals prey on those over 60, since they are believed to have financial resources, as well as being more trusting and less tech savvy.
Elder Fraud, defined as a financial fraud which targets or disproportionately affects people over the age of 60, is a growing problem. According to the statistics in the report, this age group is the most targeted and the group which loses the most to internet crime.
IMAGE: FBI’s 2019 Internet Crime Report
Those over 60 are also the most victimized by another growing problem, Tech Support Fraud. This is a scam in which a criminal pretends to be a customer service or support technician in order to defraud a victim. The infamous computer pop-up claiming “your computer is infected by a virus” is one example, as are calls, texts, or emails purporting to be from a well-known company such as Apple or Microsoft, claiming to have discovered a problem with your system or account and offering to “help” you resolve it. While not the most lucrative or most prevalent scheme, losses due to Tech Support Fraud increased 40 percent in 2019, and the majority of victims were in the over 60 age group.
While BEC/EAC accounts for the majority of financial losses, it’s not the most prevalent scheme. The most common internet crime type by far, with 114,702 reported victims, is Phishing/Vishing/Smishing/Pharming.
IMAGE: FBI’s 2019 Internet Crime Report
Phishing, vishing, and smishing involve unsolicited emails, phone calls, or text messages from criminals pretending to be a legitimate company or even a friend, and asking for login credentials or personal information. Pharming is a tactic which uses a fake website pretending to be a legitimate company’s website, set up for the purpose of obtaining personal or financial information.
For example, you may get an email, phone call, or text purporting to be from your bank, telling you that your account has been compromised and asking you for personal information to confirm your identity. Or you may search for something online and find yourself on a fraudulent site which collects your credit card information.
How Can You Protect Yourself From Internet Crime?
With both victims and losses from internet crime at an all-time high, what can you do to protect yourself?
We can no longer “trust, but verify” – the best preventive measure is to verify first. The Chief of IC3, Donna Gregory, cautions that internet crime is becoming increasingly sophisticated, and she recommends we make a practice of double-checking everything.
Gregory advises, “In the same way your bank and online accounts have started to require two-factor authentication, apply that to your life. Verify requests in person or by phone, double-check web and email addresses, and don’t follow the links provided in any messages.”
Report Internet Crime
The IC3 report includes some appalling numbers on victims and losses due to internet crime, but it’s likely this is only the tip of the iceberg. Many victims don’t report these crimes, either because they are embarrassed or they aren’t aware of how to do so.
If you’re a victim of internet crime, report the crime to the IC3. With timely reporting, the FBI has a chance of stopping a fraudulent transaction and recovering the money. And the more information you can provide, the better it helps the FBI combat the criminals. Matt Gorham, assistant director of the FBI’s Cyber Division, encourages everyone to report internet crime, as “It is through these efforts we hope to build a safer and more secure cyber landscape.”