Recently, the city of Atlanta’s computer system was brought to a halt by a ransomware attack. Hackers, who had gotten past the network’s security measures, uploaded malicious code which locked key files in the city’s 8,000 computers. The cyber thieves then demanded a ransom of $50,000 or they would render all of the affected files permanently unopenable.
What’s most shocking is that there was little the city could do. Computer experts could not simply undo the ransomware, and the thieves (most likely international) had asked to be paid in Bitcoin, so could not be traced. A month after the initial threat, Atlanta had spent $2.7 million in attempts to resolve the issue, but the mayor said that paying the ransom was still up for discussion.
Thankfully, whether out of mercy or some other motivation, the cyber criminals left the city’s wastewater and 911 emergency systems alone.
While full details of how Atlanta’s hackers were able to gain access have yet to be released, it’s thought that they exploited weak passwords on the city’s public-facing websites.
Sadly, hundreds of thousands of businesses and private individuals suffer the same fate. Last year, international computer security provider Kaspersky Lab detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world. They estimate that a business is hit by a ransomware demand every 40 seconds, with an individual hit every 10 seconds.
However, unlike the Atlanta attack, the ransomware viruses that most typically infect people’s computers aren’t placed there by hackers, but unwittingly downloaded and installed by the users themselves. These include malware infections caused by simply visiting a web page or executing a macro on an infected Microsoft Office document.
Gaining Access Through Social Engineering
After serving prison time in the mid-1990s for his computer crimes, legendary hacker Kevin Mitnick decided to change sides and help companies protect themselves from people like him. One of the methods he revealed for gaining access to corporate networks was something he called “social engineering.”
Using this tactic, an online thief fools his target into giving up their sensitive information by posing as someone they know or a company they trust. This can be done through a phone call or social media messaging, but it is most often attempted through email.
Because so much information about us is freely available online, a scammer may only need to gather a few pieces of information to begin stealing from you.
For example, if he can convince you to give up your email password, he can lock you out of your account. Then, using your email address as the username, he can click the “I forgot my password” link on sites like Amazon or PayPal, take over those accounts, and either steal from you outright or gather information about your linked bank accounts and credit cards.
Many Ways To Rip You Off
But a thief doesn’t need access to your bank accounts to steal from you.
Time published a surprising list of the ways identity thieves can exploit your sensitive information for their gain. A partial list includes:
• Stealing your frequent flyer miles
• Intercepting your tax refund
• Using your health insurance benefits
• Committing fraud in your name
And the amount stolen can be significant. Using information gathered through social engineering, foreign hackers have even stolen home-sellers’ payouts from their escrow companies. In response, the industry has had to change its transaction processes.
How To Keep From Getting Victimized
The most prevalent method of social engineering, one that’s probably already been tried on you, is the “phishing” email. It’s an email that appears to come from a person or a company you do business with. The graphics, the wording, even some of the links in the message look legitimate. And the call-to-action, usually asking you to confirm your account information, seems reasonable.
If the email is pretending to be from eBay, the message might say, “There’s been a problem with your account. Please login immediately or we will assume it has been compromised by an unauthorized user and cancel your service.”
The click-here button will then take you to a web page that is indistinguishable from eBay’s login. Concerned about your good rating, you type in your username and password. Unfortunately, the moment you click the button to submit your sign-in credentials, you’ve given the hackers the information they want.
How To Spot A Phishing Email
It’s not hard to spot a message that’s trying to fool you, if you know where to look.
1. Don’t trust the display name.
The “display name” isn’t the actual email address. It’s just the name the sender wishes to be displayed in your inbox. On legitimate email accounts it’s common for the display name to be your first and last name. On a phishing email, however, it might look at first glance like you have a message from “Netflix Customer Care,” while the actual sending address is something like firstname.lastname@example.org. That sending address is the one you need to look at. If your email program doesn’t automatically display the actual sending address, hover your mouse pointer over the sender’s name or right-click on it to see it. If it looks suspicious, be suspicious. An email from Netflix will end in @netflix.com.
2. Verify any link before clicking.
Just as with the email address, a web address whose domain is not the company’s own (companyname.com) is probably illegitimate.
A phishing link purporting to be from Netflix may contain the word “netflix” somewhere in the address, but scammers cannot put their page under the netflix.com domain. What matters is the part of the address between the “//” and the next “/”, read from the right: in http://accounts.netflix.com/login the domain is netflix.com, so the link could be legitimate, but in http://netflix.online-accounts.com/login the domain is online-accounts.com, so it is not. Unfortunately, this distinction fools a lot of people at first glance.
If you do click the link, double-check the webpage address at the top of your browser before entering any information. If you determine it’s a phishing page, close that browser tab and delete the email.
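The two rules above (look at the real sending address, not the display name; look at the domain in the link, read from the right) can be written down as a small checker. This is an added example, not code from the original article; it assumes the company’s domain is a two-label name such as netflix.com, where a real tool would consult the Public Suffix List, and the sample headers and URLs are constructed for illustration.

```python
# Added example: implements the "real sender address" and "link domain"
# checks described in the article. Assumption: the expected domain is a
# two-label registrable name (e.g. "netflix.com"); real tools use the
# Public Suffix List instead of simply taking the last two labels.
from email.utils import parseaddr
from urllib.parse import urlsplit


def registered_domain(hostname: str) -> str:
    """'accounts.netflix.com' -> 'netflix.com' (simplified: last two labels)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_matches(from_header: str, expected_domain: str) -> bool:
    """True if the actual address (not the display name) is at expected_domain."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return False  # no parsable address at all
    domain = address.rsplit("@", 1)[1]
    return registered_domain(domain) == expected_domain.lower()


def link_matches(url: str, expected_domain: str) -> bool:
    """True if the URL's host is expected_domain or a subdomain of it.
    urlsplit().hostname drops any user@ prefix and port, so a link such as
    http://netflix.com@evil.example/ is judged by its real host, evil.example."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False
    if not host:
        return False
    return registered_domain(host) == expected_domain.lower()


if __name__ == "__main__":
    # Constructed samples: the article's two links plus two common lookalikes.
    print(sender_matches("Netflix Customer Care <firstname.lastname@example.org>", "netflix.com"))
    for url in ["http://accounts.netflix.com/login",
                "http://netflix.online-accounts.com/login",
                "https://netflix.com.evil.example/login",
                "http://netflix.com@evil.example/login"]:
        print("OK " if link_matches(url, "netflix.com") else "BAD", url)
```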
3. Other things to watch for:
Legitimate companies will not ask for personal information in an email. If you are being asked for credentials or a login, that’s a red flag.
If an email appears to come from a person or company you trust, but has bad grammar or odd word choices, be suspicious. Additionally, if an email from a friend or colleague seems overly formal or out of character, verify that it’s actually from them.
Social Engineering By Phone
Scammers may also call you to try to get sensitive information by phone. Because they use dialing software that can “spoof” the number the call appears to originate from, you can’t always trust your caller ID. For example, an unsolicited caller may claim to be from Microsoft tech support and say that they have detected a problem with your computer and need you to visit a website or give them your login information. No matter how convincing they sound, no legitimate tech company operates this way.
Be Proactive About Protecting Yourself
Keep your personal information safe by making it a habit to protect it. In addition to keeping your computer anti-virus software up-to-date and being aware of phishing scams, we recommend the following.
1. Get a password management program.
Security experts recommend that you use a different password for each account, one that is at least ten characters long and contains a mix of upper and lowercase letters, numbers, and symbols. However, multiple passwords with all these elements will be difficult to remember and challenging to type in accurately each time you use them. Fortunately, you can get software that will remember them for you. A password management program (such as LastPass) will help you generate, store, and retrieve your credentials for optimal security. Logging in to your secure sites will be as easy as copy and paste.
2. Back up important files.
Your important files may include login credentials, tax records, and legal documents. But they also include anything that would be irreplaceable if lost, such as family photos and videos. Any of these that exist only on your computer’s hard drive are at risk. They can be corrupted by a ransomware attack or virus, or lost permanently in a hardware failure. Back up any important files to cloud-based storage or an external drive. Programs can be reinstalled, but lost data is gone forever.
3. Use multi-factor authentication.
Some sites offer a two-step login process. In addition to your username and password, they will also ask you to enter a PIN that they have sent to your mobile device. This ensures that if your username and password are stolen, a hacker will still not be able to access your account from another computer.
How We Are Protecting Your Sensitive Financial Information
As more and more financial transactions have moved online, so have the opportunities for fraud and theft. So the Securities and Exchange Commission (SEC), the government agency that oversees investments, has added consumer protection by requiring Investment Advisory Firms to adopt a written identity theft program.
A program must include policies and procedures designed to:
• Identify relevant types of theft red flags
• Detect the occurrence of these red flags
• Periodically update the ID theft program
We use the best available software-based tools and protocols to prevent hacking and fraud. But we also actively look for “red flags”—situations where fraud or theft could possibly occur as a result of social engineering.
If there is a security breach, we respond immediately to protect your account. We take the potential for cybercrime very seriously and encourage you to do the same. Having online access to all your accounts helps make financial transactions fast, easy, and lower cost. By taking basic precautions you can ensure that you won’t become a victim of internet theft.