
Beware of Coronavirus (COVID-19) Phishing Scams



Most of us have seen and read in the news about the Coronavirus outbreak, currently known as SARS-CoV-2 or Coronavirus Disease 2019 (COVID-19). We wanted to remind you that during media-intense events like this, cyber attackers take advantage of the opportunity and attempt to scam you or launch phishing attacks that try to get you to click on malicious links or open infected email attachments. Here are some of the most common indicators that the phone call or email you received is most likely a scam or attack (additional information on identifying scam phone calls and emails may be found at the Federal Trade Commission Consumer Information website).
  • Any message that communicates a tremendous sense of urgency. The bad guys are trying to rush you into making a mistake.
  • Any message that pressures you into bypassing or ignoring our security policies and procedures.
  • Any message that promotes miracle cures, such as vaccines or medicine that will protect you. If it sounds too good to be true, it probably is.
  • Be very suspicious of any phone call or message that pretends to be an official or government organization urging you to take immediate action. 

For the latest updates consider visiting the World Health Organization website on Health and Disease Control, the Center for Disease Control website, or our own CSUCI Coronavirus (COVID-19) Information website. Please keep in mind Coronavirus scams and attacks can happen at work or at home, via email, text messaging or even over the phone. Don’t fall victim to bad guys playing on your emotions. 

If you feel you have received a phishing attack at work, simply delete the message or, if you have concerns, report it to your information security team.




Scammers create fake emergencies to get your money


July 3, 2018
by Carol Kando-Pineda
Attorney, Division of Consumer and Business Education

“I lost my wallet and ID. I’m stranded — please wire money.”

“Your grandson is being held in jail. He needs bail money right away.”

Scammers try to trick you into thinking a loved one is in trouble. They call, text, email, or send messages on social media about a supposed emergency with a family member or friend. They ask you to send money immediately. To make their story seem real, they may claim to be an authority figure, like a lawyer or police officer; they may have or guess at facts about your loved one. These imposters may insist that you keep quiet about their demand for money to keep you from checking out their story and identifying them as imposters. But no matter how real or urgent this seems — it’s a scam.

If you get a call or message like this, what to do?
  • Check it out before you act. Look up that friend or family’s phone number yourself. Call them or another family member to see what’s happening. Even if the person who contacted you told you not to.
  • Don’t pay. Don’t wire money, send a check, overnight a money order, or pay with a gift card or cash reload card. Anyone who demands payment in these ways is always, always, always a scammer. These payment methods are like giving cash — and nearly untraceable, unless you act almost immediately.
  • If you sent money to a family emergency scammer, contact the company you used to send the money (wire transfer service, bank, gift card company, or cash reload card company) and tell them it was a fraudulent transaction. Ask to have the transaction reversed, if possible.
  • Report the message or call at FTC.gov/complaint.

Share this video to help servicemembers and their families avoid family imposter scams.


Additional information on Scam Alerts may be found at https://www.consumer.ftc.gov/features/scam-alerts

Equifax Breach Advisory


Given the recent announcement regarding the data exposure at Equifax, we wanted to share some good “cyber hygiene” and some resources with you. With 143 million U.S. consumers affected, there’s a good chance many of us are impacted.

Equifax has said there is no evidence of unauthorized activity in their credit reporting databases but that there was potentially unauthorized access to information it stored from mid-May to July of this year. That information included Social Security numbers (SSN), dates of birth (DOB), addresses and, in some cases, driver’s license numbers. Also reported is that approximately 209,000 consumers’ credit card numbers were exposed, as well as other “dispute documents” for 182,000 consumers.

What can you do?
  1. One of the first things typically suggested after a breach is to access credit reporting agencies and request your records to be sure there are no unauthorized accounts or charges. In this case you may want to consider the other agencies, Experian and TransUnion. Also check your online and credit card accounts for suspicious activity. You can check free credit reports from annualcreditreport.com. Check for any accounts or charges you don't recognize.
  2. Be extra wary of scam emails and links. Avoid clicking on links or downloading attachments from suspicious emails. Equifax will send paper mail to consumers, but hackers are sure to use this to conduct phishing campaigns.
  3. Change your passwords, especially if you have/had an account with Equifax and use similar or the same password elsewhere.
  4. You can check at Equifax here to get information and to check and see if your records are impacted. You can also access your Equifax credit report here which is probably a good idea so you can compare with the ones you get from Experian and/or TransUnion.

1 Million GMail Users Impacted by Google Docs Phishing Attack


Reported from ThreatPost May 4, 2017

Google said that up to 1 million Gmail users were victimized by yesterday’s Google Docs phishing scam that spread quickly for a short period of time.

In a statement, Google said that fewer than 0.1 percent of Gmail users were affected; as of last February, Google said it had one billion active Gmail users.

Google took measures to protect its users by disabling offending accounts, and removing phony pages and malicious applications involved in the attacks. Other security measures were pushed out in updates to Gmail, Safe Browsing and other in-house systems.

Additional information by ThreatPost can be found here or on CI's Information Security web site.


Is the IRS really calling/emailing/texting me?



Just like clockwork it happens every year around April. No, I’m not talking about April Fool’s Day or the annual appearance of the Easter Bunny. I’m talking about IRS tax scams.

Every year during the months of February through April, tax scammers focus their sights on us, whether at work or at home, and attempt to solicit us to offer up personally identifiable information (PII) such as Social Security numbers and/or birthdates, or attempt to convince us to send them money directly via credit card or wire transfer.

Some tax scams occur when fraudulent tax returns are filed in the target’s name while other variants occur when the malicious actors call the target and pretend to be Internal Revenue Service (IRS) agents. In addition, there are malicious actors who use the tax season to spread malware and phishing emails.

The first type of tax scam, in which a return is filed in the victim’s name, involves identity theft, identity fraud, and tax fraud. This scenario occurs when the malicious actor uses information about the tax filer, such as their name, address, date of birth, and Social Security Number, to file a false tax return as the target, claiming as many deductions as they can to gain the largest refund amount.

In a second type of tax scam, the malicious actor contacts the target by phone and tries to convince the target to do something, such as immediately paying a fine or providing their financial information so a refund can be issued. In these instances, the malicious actor uses what they know about the victim, often information gained from a previous data breach or social networking website, to convince the victim that the caller has access to the victim’s tax information. Frequently during these calls the caller will pretend to be an IRS agent.

In the third type of tax scam, malicious actors use tax related spam, phishing emails, and fraudulent websites to trick victims into providing login names, passwords, or additional information, which can be used in further fraud. Other emails or websites may download malware onto the victim’s computer.

Some things you should look out for:

  • Look for “spoofed” (copied) websites that look like the official website but are not. 
  • Don’t be fooled by unsolicited calls. The IRS will never contact you by phone, email, text or social media, and the IRS will never demand an immediate payment or require you to use a specific payment method such as pre-loaded debit or credit cards, or wire transfers. They will never claim anything is “urgent” or due immediately, nor will they request payment over the phone.
  • The IRS will not be hostile, insulting, or threatening, nor will they threaten to involve law enforcement in order to have you arrested or deported. 
  • Sometimes malicious actors change their Caller ID to say they are the IRS. If you’re not sure, ask for the agent’s name, hang up, and call the IRS (or your state tax agency) back using a phone number from their official website.

Recommendations

If you believe you are the victim of identity theft or identity fraud, there are a couple of steps you should take:
  1. File a report with your local law enforcement agency. 
  2. File a report with the Federal Trade Commission (FTC) at www.identitytheft.gov
  3. File a report with the three major credit bureaus and request a “fraud alert” for your account (Equifax – www.equifax.com, Experian – www.experian.com, TransUnion – www.transunion.com).

If you receive any spam or a phishing email about your taxes, do not click on the links or open any attachments; instead, forward the email to phishing@irs.gov. Other tax scams or frauds can be reported according to the directions on the pages referenced below:

References:

Cloudbleed Bug: What you should know.


Cloudbleed, the latest internet bug that leaked users' private information, was made public late last Thursday, 2/23. There's still quite a bit of confusion regarding the full impact on people's information, but here are a few links to help you understand what occurred.

Blog article from Cloudflare, the affected source.
CNET's Article
Additional CNET information
Fortune Magazine
Is this web service affected?

The bottom line of all this is you should change all of your passwords for all of the web services you subscribe to. It's better to be safe in a situation such as this than sorry.

Today's Tip: Is That App Giving Away Your Privacy?


Be careful when you install apps on your mobile device. Many apps want more permissions than actually needed for their function. For example, some flashlight apps want access to your contacts. Why? Usually for marketing purposes to build a better profile on you and your friends. Don't install apps that require excessive permissions.

Also, always install apps from a trusted source. This helps ensure the app isn't fake or malicious.


August 2016 - secureCI Monthly Newsletter



secureCI presents Ouch!

The SANS Monthly Information Security Bulletin at CI



IN THIS ISSUE...
  • What Is Encryption?
  • What Can You Encrypt?
  • Getting It Right

Encryption

Guest Editor
Francesca Bosco (@francibosco) is a researcher and a project officer, managing projects related to cybercrime, cybersecurity, and the misuse of technology. She is working at the United Nations Interregional Crime and Justice Research Institute and she co-founded the Tech and Law Center.

What Is Encryption?
You may hear people use the term “encryption” and how you should use it to protect yourself and your information. However, encryption can be confusing and you should understand its limitations. In this newsletter, we explain in simple terms what encryption is, how it protects you, and how to implement it properly.

You have a tremendous amount of sensitive information on your devices, such as personal documents, pictures, and emails. If you were to have one of your devices lost or stolen, all of your sensitive information could be accessed by whoever possesses it. In addition, you may conduct sensitive transactions online, such as banking or shopping. If anyone were to monitor these activities, they could steal your information, such as your financial account or credit card numbers. Encryption protects you in these situations by helping ensure unauthorized people cannot access or modify your information.

Encryption has been around for thousands of years. Today, encryption is far more sophisticated, but it serves the same purpose -- to pass a secret message from one place to another by ensuring only those authorized to read the message can access it. When information is not encrypted, it is called plain-text. This means anyone can easily read or access it. Encryption converts this information into a non-readable format called cipher-text. Today’s encryption works by using complex mathematical operations and a unique key to convert your information into cipher-text. The key is what locks or unlocks your information. In most cases, your key is a password or passcode.


What Can You Encrypt?
In general, there are two types of data to encrypt: data at rest (such as the data stored on your mobile device) and data in motion (such as retrieving email or messaging a friend).

Encrypting data at rest is vital to protect information in case your computer or mobile device is lost or stolen. Today’s devices are extremely powerful and hold a tremendous amount of information, but are also very easy to lose. In addition, other types of mobile media can hold sensitive information, such as USB flash drives or external hard drives. Full Disk Encryption (FDE) is a widely used encryption technique that encrypts the entire drive in your system. This means that everything on the system is automatically encrypted for you; you do not have to decide what or what not to encrypt. Today, most computers come with FDE, but you may have to manually turn it on or enable it. It is called FileVault on Mac computers, while on Windows computers, depending on the version you have, you can use Bitlocker or Device Encryption. Most mobile devices also support FDE. iOS on iPhones and iPads automatically enables FDE once a passcode has been set. Starting with Android 6.0 (Marshmallow), Google is requiring FDE be enabled by default, provided the hardware meets certain minimum standards.

Information is also vulnerable when it is in transit. If the data is not encrypted, it can be monitored, modified, and captured online. This is why you want to ensure that any sensitive online transactions and communications are encrypted.  A common type of online encryption is HTTPS. This means all traffic between your browser and a website is encrypted. Look for https:// in the URL, a lock icon on your browser, or your URL bar turning green. Another example is when you send or receive email. Most email clients provide encrypted capabilities, which you may have to enable. A third example of encrypting data in transit is between two users chatting with each other, such as with iMessage, Wickr, Signal, WhatsApp, or Telegram. Apps like these use end-to-end encryption, which prevents third parties from accessing data while it’s transferred from one end system or device to another. This means only you and the person you’re communicating with can read what is sent.

Getting It Right
To be sure you are protected when using encryption, it is paramount that you use it correctly:

  • Your encryption is only as strong as your key. If someone guesses or gets access to your key, they will have access to your data. Protect your key. If you are using a passcode or password for your key, make sure it is a strong, unique password. The longer your password, the harder it is for an attacker to guess or brute force it. Do not forget your password; without your key, you can no longer decrypt your information. If you can’t remember all of your passwords, we recommend a password manager.
  • Your encryption is only as strong as the security of your devices. If your device has been compromised or is infected by malware, cyber attackers can bypass your encryption.  This is why it is so important you take other steps to secure your device, including using anti-virus, strong passwords, and keeping it updated.
  • Many mobile apps and computer applications now offer strong encryption to protect your data and communications. If the app or application you are considering does not support encryption, consider an alternative.

Security Awareness Posters
Learn how to protect your family, friends, and coworkers with this series of friendly and free security awareness posters. Download the posters from https://securingthehuman.sans.org/u/i58

Resources
Encryption Explained
Passphrases
Password Managers
What Is Malware
Securing Your New Tablet

License
OUCH! is published by SANS Securing The Human and is distributed under the Creative Commons BY-NC-ND 4.0 license.
You are free to share or distribute this newsletter as long as you do not sell or modify it. For past editions or translated versions, visit securingthehuman.sans.org/ouch/archives. Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Bob Rudis, Cheryl Conley


Cyber Essentials - I'm Hacked, Now What?




Continuing our blog series targeted at protecting yourself against cyber threats, today's blog topic covers Cyber Bullying.


Today's guest blog contributor is Eric Varela. Eric is a student here at CSU Channel Islands majoring in Information Technology with a minor in Security Systems Engineering.

Define Hacked: No matter how securely you use technology in your day-to-day life, you may eventually be hacked, or, as it is more commonly called, “compromised.” In this blog, you will learn how to determine if your mobile device or computer has been hacked and, if so, what you can do in response. Bottom line, the quicker you detect something is wrong and the faster you respond, the more likely you can reduce the harm a cyber-attacker can cause.

Clues You Have Been Compromised: It can be difficult to determine if you have been compromised, as there is often no single way you can figure it out. On the other hand, hackers usually leave behind several clues, often called ‘indicators’. The closer your system matches any of these indicators, the more likely it has been compromised:

  • Your anti-virus program has flagged an alert that your system is infected, specifically if it says that it was unable to remove or quarantine the affected files.
  • Your web browser’s homepage has unexpectedly changed or your browser is taking you to websites that you did not want to go to.
  • There are new accounts on your computer or mobile device that you did not create, or new programs running that you did not download and install.
  • Your computer or applications are constantly crashing, there are icons for unknown apps on your mobile device, or strange windows keep popping up.
  • A program requests your authorization to make changes to your system, though you’re not installing or updating any of your applications.
  • Your password no longer works when you try to log into your system or an online account, even though you know your password is correct.
  • Your friends ask you why you are spamming them with emails that you know you never sent. 


How to Respond: If you believe your computer or mobile device has been compromised, the sooner you respond the better. Here are some steps you can take:

  • Anti-Virus: If your anti-virus software informs you of an infected file, you can follow the actions it recommends (delete, quarantine, etc.). (Note: Most anti-virus software will have links you can follow to learn more about the specific infection.)
  • Change your passwords: This includes not only changing the passwords on your computers and mobile devices, but for all of your online accounts. Be sure you do not use the compromised computer to change the passwords. Instead, use a different computer or device that you know is secure to change the passwords.
  • Rebuilding: If you are unable to fix the infection or you want to be absolutely sure your system is fixed, a more secure option is to rebuild (reformat) it. Follow your system manufacturer’s instructions. In most cases, this will mean using the built-in utilities to reinstall the operating system. (Tip: If these utilities are missing, corrupted, or infected, then contact your manufacturer for guidance or visit their website.)
  • Backups: The most important step you can take to protect yourself is to prepare ahead of time with regular backups. (Tip: The more often you back up, the better. Oftentimes, recovering your data from a backup is the only way you can recover from being hacked.)

Derived from sans.org

Cyber Essentials - Anti-Virus


Continuing our "Cyber Essentials" blog series targeted at protecting yourself against cyber threats, today's blog topic covers Anti-Virus.


Today's guest blog contributor is Eric Varela. Eric is a student here at CSU Channel Islands majoring in Information Technology with a minor in Security Systems Engineering.


Define Anti-Virus: Anti-virus is a security program you install on your computer or mobile device to protect it from getting infected by ‘malware’. The term ‘malware’ is an encompassing phrase for any type of malicious software, such as worms, Trojans, viruses, and spyware. (The term malware comes from combining the words malicious software.) If your computer has become infected by malware, a cyber-attacker could potentially capture your keystrokes, steal your personal and private documents, or use your computer to attack others.
(Tip: You can purchase anti-virus software as a standalone solution, or as part of a security package.)

How Anti-Virus Works: There are two ways anti-virus software identifies malware: signature and behavior detection. Signature detection works like the human immune system. It scans your computer for specific characteristics or signatures of programs known to be malicious. It does this by referring to a dictionary of known malware. If something on your computer matches a pattern in the dictionary, the program attempts to neutralize it. Like the human immune system, the dictionary approach requires updates (like when humans get flu shots) to protect against new strains of malware.
(Tip: Anti-virus can only protect against what it recognizes as harmful. Update daily.)

Anti-Virus Tips:
  1. Obtain anti-virus software only from known, trusted sources and vendors. It is a common ploy of cyber attackers to distribute fake anti-virus programs that are really malware.
  2. Make sure your anti-virus automatically scans portable media, such as USB drives, and ensure real-time protection is on.
  3. Pay attention to on-screen warnings and alerts generated by your anti-virus software.
  4. Do not disable or uninstall your anti-virus software. Disabling your anti-virus software will expose you to unnecessary risk.
  5. Do not install multiple anti-virus programs on your computer at the same time. Doing so will most likely cause the programs to conflict with each other.
  6. Learn to recognize the warnings that your anti-virus software produces. Cyber attackers can create malicious websites that post realistic, but fake, anti-virus warnings and offer to “fix” your computer. 


Derived from sans.org

New PayPal phishing scam hooking victims


With phishing and spearphishing on the rise, people need to pay close attention to the email they receive. The research firm AppRiver has reported that a new PayPal phishing scam is making the rounds, with this version using a phony security message to obtain personally identifiable information.

Additional information about phishing can be found here.

The full article may be found here at SC Magazine.

Cyber 101 Series - Backup and Recovery


Continuing our "Cyber 101" blog series targeted at protecting yourself against cyber threats, today's blog topic covers Backup and Recovery.


Today's guest blog contributor is Eric Varela. Eric is a student here at CSU Channel Islands majoring in Information Technology with a minor in Security Systems Engineering.


What are ‘Backups’? Backups are copies of your information that are stored somewhere else. When you lose important data, you can recover that data from your backups. The issue is that most people do not perform backups, which is unfortunate, because they can be simple and inexpensive.

When should you Back Up? Common options include hourly, daily, weekly, etc. For home use, personal backup programs, such as Apple’s Time Machine or Microsoft’s Windows Backup and Restore, allow you to create an automatic “set it and forget it” backup schedule. For university use, back up your classwork files on your personal computer, and when using university equipment, manually back up your files to a USB flash drive or cloud solution. (Tip: Backing up your classwork could save you unimaginable headaches during the semester.)

How to Back Up? There are two ways to back up your data: physical media or Cloud-based storage.
Physical media is any type of hardware, such as DVDs, USB drives or external hard drives. The potential problem with physical media is that if your location has a physical disaster (theft or fire), then not only can you lose your computer, but the backups as well. You should plan to store copies of your backup off-site in a secure location. For extra security, encrypt your backups.
(Tip: Whichever media you choose, never back up your files to the device that holds the original files.)

Cloud-based solutions are different than physical media. This is a service where your files are stored somewhere on the internet. Depending on how much data you want to back up, this may be a paid service. This solution works by installing a program on your computer that automatically backs up your files for you. There are also solutions such as Google Drive and Apple iCloud that make it easy for you to save information on-the-go and from almost any computer. The advantage with this solution is that since your backups are in the ‘Cloud’, your backups are still safe if a disaster happens to your house or device. Plus, you can access your backups, or often even just individual files, from almost anywhere.
(Tip: If you are not sure which backup option is best for you (physical media or Cloud) keep in mind you can always do both.)

Recovery: Backing up your data is only half the battle; you have to be certain that you can recover it. Check every month that your backups are working by recovering a file and validating its contents. In addition, be sure to make a full system backup before a major upgrade or a major repair and verify that it is restorable.
(Tip: When rebuilding an entire system from a backup, be sure you reapply the latest security patches and updates before using it again.)

Derived from sans.org

Cyber-Bullying and Cyber-Harassment



Continuing our blog series targeted at protecting yourself against cyber threats, today's blog topic covers Cyber Bullying.


Today's guest blog contributor is Eric Varela. Eric is a student here at CSU Channel Islands majoring in Information Technology with a minor in Security Systems Engineering.


What is “CyberBullying”? The Journal of School Violence defines it as, “Repeated, intentional and often anonymous act done to harm another person through e-mail, cell phone text messages, social networking websites, chat rooms, and instant messaging. It can be perpetrated by one person or a group of people.”

Types of Cyberbullying:
  • Denigrating: Putting someone down by posting or sending cruel and embarrassing material (text, photos, etc.) about the individual to others.
  • Flaming & Trolling: Posting angry, rude or mean-spirited comments and provoking others to do the same.
  • Harassing: Sending repeated, unwanted messages to another person.
  • Outing: Posting or sending out private information about someone without that person’s permission and with the intent of embarrassing or harming that person.
  • Excluding: Leaving someone out of an online group for malicious reasons.
  • Masquerading: Sending or posting messages, or creating Facebook, Twitter, or other social media profiles as someone else in an attempt to damage the victim’s reputation or relationships.
  • Mobbing: Recruiting friends and allies to send hundreds of text messages to the victim’s cell phone or mobile device.
  • Stalking: Threatening harm or intimidating someone else by constantly monitoring their actions and locations. Stalking is a serious issue. Thousands of college students are stalked every year.


What to do if you are Harassed:
  • Decide whether to respond: If you know the person, respond to the first message, telling them to stop. If the first message is anonymous, don’t respond. Don’t respond to any additional messages and block or delete/unfriend/unfollow the person.
  • Document. Document. Document: Take screen shots. Save all communications for evidence. Do not alter them in any way. Keep electronic copies, not just print-outs. Having forms of proof such as the actual text messages, emails, and voicemail makes it easier to build a case for harassment and pursue charges.
  • Report It: Report abusive posts or messages to the service provider—Facebook, Twitter, the harassers’ cell phone provider, or their internet service provider. You can also report the abuse to your Residential Advisor.

How to Help Someone Being Harassed:

  1. Refuse to pass on the harasser’s messages.
  2. Tell friends to stop the harassment or bullying.
  3. Offer the victim support without blame.
  4. Report abusive posts to the proper authorities.
  5. Block communication with those who are posting or sending abusive messages.

Derived from equity.missouri.edu

Avoiding Online Tax Scams


It’s tax season again, which means it’s also time for tax scams. Some tax scams occur when fraudulent tax returns are filed in the victim’s name while other variants occur when the malicious actors call the victim and pretend to be Internal Revenue Service (IRS) agents. In addition, there are malicious actors who use the tax season to spread malware and phishing emails.

Tax scams where the malicious actor files the return in the victim’s name include both identity theft and identity fraud, as well as tax fraud. This scenario occurs when the malicious actor finds or receives information about the tax filer, including the filer’s name, address, date of birth, and Social Security Number. The malicious actor then uses this information to file a malicious tax return, citing as many deductions as possible, in order to create as large a tax return as possible.

The other variant of tax scams occurs when the malicious actor contacts the victim and tries to convince the victim to do something, such as immediately paying a fine or providing their financial information so a refund can be issued. In these instances the malicious actor uses what they know about the victim, often information gained from a data breach or social networking website, to convince the victim that the caller has access to the victim’s tax information. Frequently during these calls the caller will pretend to be an IRS agent.

In the third type of tax scam, malicious actors use tax-related spam, phishing emails, and fraudulent websites to trick victims into providing login names, passwords, or additional information, which can be used in further fraud. Other emails or websites may download malware onto the victim’s computer.


What to Watch Out For

  • Watch for “spoofed” websites that look like the official website but are not. 
  • Don’t be fooled by unsolicited calls. The IRS will never call to demand an immediate payment or require you to use a specific payment method such as pre-loaded debit or credit cards, or wire transfers. They will never claim anything is “urgent” or due immediately, nor will they request payment over the phone. 
  • The IRS will not be hostile, insulting, or threatening, nor will they threaten to involve law enforcement in order to have you arrested or deported. 
  • Sometimes malicious actors change their Caller ID to say they are the IRS. If you’re not sure, ask for the agent’s name, hang up, and call the IRS (or your state tax agency) back using a phone number from their official website. 


Recommendations

If you believe you are the victim of identity theft or identity fraud, there are a couple of steps you should take:

  1. File a report with your local law enforcement agency. 
  2. File a report with the Federal Trade Commission (FTC) at www.identitytheft.gov
  3. File a report with the three major credit bureaus and request a “fraud alert” for your account (Equifax – www.equifax.com, Experian – www.experian.com, TransUnion – www.transunion.com).

If you receive spam or a phishing email about your taxes, do not click on the links or open any attachments; instead, forward the email to phishing@irs.gov. Other tax scams or frauds can be reported according to the directions on this page: https://www.irs.gov/Individuals/How-Do-You-Report-Suspected-Tax-Fraud-Activity%3F.
 




Protect Yourself Against Cyber Threats - Mobile Devices


Continuing our blog series targeted at protecting yourself against cyber threats, today's blog topic covers Mobile Devices.

Today's guest blog contributor is Eric Varela. Eric is a student here at CSU Channel Islands majoring in Information Technology with a minor in Security Systems Engineering.


What is a “Mobile Device”? 

The term “Mobile Device” gets thrown around for anything from a smartphone to a tablet, and while that classification is true, mobile devices also encompass items such as laptops, Chromebooks, “smart watches” (Apple Watch), “smart appliances” (refrigerators, washing machines), and even “smart thermostats” (Nest). Thanks in large part to technology that allows computer processors, graphics processing, and memory to be the size of a quarter, powerful computing capabilities can be found almost anywhere and in the most mundane of places.

Keep a Clean Mobile Machine: 
Mobile devices are computers at their core with software that needs to be kept up-to-date (just like your desktop PC). Security protections are built in and updated on a regular basis. (Tip: Take time to make sure all the mobile devices in your home have the latest protections).

Suspect Links and Texts: 
Be suspicious of unknown links or requests sent through email or text message. Do not click on unknown links or answer strange questions sent to your mobile device, regardless of who the sender appears to be, as some links are designed to gather your personal information.

Be Careful What You Download: 
Download only trusted applications from reputable sources or marketplaces, as some apps may install harmful code onto your device (malware).

  • Secure Your Phone: Use a strong passcode and lock your phone. 
  • Think Before you App: Review the privacy policy and understand what data (location, access to your social networks) the app can access on your device before you download. 

Protect Your Personal Information: 
Phones can contain tremendous amounts of personal information. Lost or stolen devices can be used to gather information about you, and potentially, others. Protect your phone like you would your computer. (Tip: Only give your mobile number out to people you know and trust and never give anyone else’s number out without their permission).

Connect with Care: 
Use common sense when you connect. If you’re online through an unsecured or unprotected network, be cautious about the sites you visit and the information you release.

  • Get Savvy about Wi-Fi Hotspots: Limit the type of business you conduct and adjust the security settings on your device to limit who can access your phone.
  • Protect your $: When banking or shopping, check to be sure the site is security enabled. (Tip: Look for web addresses with “https://” or “shttp://”, which means the site takes extra measures to help secure your information.)
  • When in Doubt, Don’t Respond: Fraudulent texting, calling and voicemails are on the rise. Just like email, requests for personal information or for immediate action are almost always a scam. 

Derived from NICCS and StaySafe Online

Breach Security Note for Registered Users of RateMyProfessors.com


On December 24, 2015, RateMyProfessors.com observed suspicious activity on one of its backend systems and promptly investigated. As a result of that investigation, RateMyProfessors.com believes that on or about November 26, 2015, hackers gained access to one of the backend systems of RateMyProfessors.com through a decommissioned version of the RateMyProfessors.com website. These hackers acquired email addresses and passwords for some registered users of the active RateMyProfessors.com website (“Site”). We have not seen indications that the compromised information has been used without authorization or that ratings submitted to the Site were implicated in the incident.

It is important to note that, if you used RateMyProfessors.com only as a non-registered user, no information about you and no ratings you submitted were implicated in the incident.

Additional information may be found on the RateMyProfessors site at http://www.ratemyprofessors.com/securityFAQs.

Protect Yourself Against Cyber Threats - Social Networks


Continuing our blog series targeted at protecting yourself against cyber threats, today's blog topic covers Social Networks.

Today's guest blog contributor is Eric Varela. Eric is a student here at CSU Channel Islands majoring in Information Technology with a minor in Security Systems Engineering.

Think before you post:  Limit the amount of personal information you post publicly. Do not post information that would make you vulnerable, such as your address or information about your schedule or routine.  If your friend posts information about you, make sure the information is something that you are comfortable sharing with strangers.

Once posted, always posted:  Protect your reputation on social networks.  What you post online stays online.  Think twice before posting pictures you wouldn't want your parents or future employers to see.  (Tip: Recent research found that 70% of job recruiters rejected candidates based on information they found online).

Get smart and use privacy settings:  Take advantage of privacy and security settings.  The more information you post, the easier it may be for a hacker or someone else to use that information to steal your identity, access your data, or commit crimes such as stalking.  Use site settings to limit the information you share with the general public.

Be honest if you're uncomfortable:  If a friend posts something about you that makes you uncomfortable or you think is inappropriate, let them know.  Likewise, stay open-minded if a friend approaches you because something you've posted makes him or her uncomfortable. (Tip: People have different tolerances for how much the world knows about them; respect those differences).

Know when to take action:  If someone is harassing or threatening you, remove them from your friends list, block them, and report them to the site administrator. (Tip: It may also be appropriate to report it to school officials who may have separate policies for dealing with activity involving students).

Derived from NICCS and StaySafe Online

Protect Yourself Against Cyber Threats - Setting up Proper Controls


We are starting a new series of blogs targeted at protecting yourself against cyber threats.  This series will run over the next few months and cover varying subject matter related to cyber threat protection.

Today's guest blog contributor is Eric Varela. Eric is a student here at CSU Channel Islands majoring in Information Technology with a minor in Security Systems Engineering.

Connect securely wherever you are: Only connect to the Internet over secure, password-protected networks. Free public Wi-Fi at popular sites such as Starbucks, McDonald's, Subway, etc. provides convenience over security. If you must use public Wi-Fi, use it for browsing purposes only and not for private transactions such as banking or emails.

Think before you click: Do not click on links or pop-ups, open attachments, or respond to emails from strangers. Even if an email message has a sender address of someone you know, be sure the email attachments or links were requested from the source. It is possible for sender addresses to be spoofed or taken over. When in doubt, throw it out. A link or attachment could contain malware, and a single click is all it takes to get infected.

Respond only to trusted messages: Do not respond to online requests for personal information such as your date of birth or your credit card numbers; most organizations (banks, universities, companies, etc.) do not ask for your personal information over the internet. (Tip: CSUCI will never ask for your password or login information via email.)

Use passwords properly: Select strong passwords, with a minimum of eight characters and a mix of upper and lowercase letters, numbers and symbols, and change them frequently. Password protect all devices that connect to the internet and user accounts.

You should also remember to:
  • Not share your password with others.
  • Make sure your password is unique to your life and not something that is easily guessed.
  • Have a different password for each online account.
  • Write down your password and store it in a safe place away from your computer.
  • Change your password several times a year. (Tip: At the beginning and end of each semester.) 


Stay aware: Routinely monitor bank and credit card accounts for unauthorized charges and unauthorized accounts that have been opened under your name. Under federal law, you are entitled annually to a free credit report from the three big credit reporting agencies. Take advantage of these free reports and stay current on your credit score and history.

Google Releases Security Update for Chrome


Google has released Chrome version 45.0.2454.85 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of one of these vulnerabilities may allow an attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Chrome Releases page and apply the necessary update.

Mozilla Releases Security Updates for Firefox


US-CERT announced on Thursday, August 27th, 2015, that the Mozilla Foundation has released security updates to address a critical vulnerability in Firefox and Firefox ESR. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 40.0.3
  • Firefox ESR 38.2.1

US-CERT encourages users and administrators to review the System Advisories for Firefox and Firefox ESR and apply the necessary updates.