
Thursday, December 13, 2018

In This Issue

'Tis the Season for Shopping Scams

Why Manage Your Own Passwords?

Marriott & Quora: Compromised Data Just in Time for the Holidays

You've Been Phished – To Shut Down or Not Shut Down?

Key Security Tips:

Personal firewalls are able to monitor and manage connections to and from your computer. Always use a personal firewall to protect yourself from intrusion.

SMiShing is a type of phishing done by mobile phone. SMiShing is just as dangerous as phishing: learn to recognize the signs.

Identity thieves often target large retail chains to steal customer data. Pay attention to the news to learn about data breaches quickly.

‘Tis the Season for Shopping Scams

Unfortunately, hackers don’t rest during the holiday season. According to ACI WorldWide, there will be a 14% increase in fraud attempts during the 2018 holiday season. This means that as you're searching the internet for the best deals, hackers will be waiting with phishing emails, malicious websites, and in some cases fake applications.

In Risk IQ's most recent e-commerce report, it was calculated that $35.9 billion was spent via mobile devices in 2017. This accounts for 33.1% of online holiday shopping revenue last year. With sales expected to grow in 2018, this makes for an increasingly risky environment for online shopping. In this article we will be outlining what to look for and how to protect yourself from various types of online shopping attacks.

Only download apps from your phone's trusted app stores like Google Play and the Apple App Store. You can also go to the store's website and look for the app download icon. Apps that are not downloaded from these trusted sites can be laced with credit card skimmers, adware, malware, and even ransomware.

Never use public Wi-Fi when online shopping. Transactions submitted on unsecure Wi-Fi can travel with no encryption, making it that much easier for cyber-criminals to steal your private information.

Keep an eye out for suspicious looking emails. Many companies send out emails around the holiday season, advertising sales or requesting information. Phishers will attempt to take advantage of this and slide into your inbox when your guard is down. Keep an eye out for the tell-tale signs of a phishing email: incorrect spelling, illegitimate sender email address, attachments, and questionable links.

Review credit card and bank statements regularly throughout the shopping season and contact your bank or card issuer immediately if you see a discrepancy.

Type in the URLs manually, and only click top-ranked search results when browsing.


Do not write down your passwords on a list. This list can be lost or stolen giving someone else access to all of your most sensitive information.

If you click on a link from Twitter, Facebook, or other social channels, make sure that you've landed on the authentic website of the retailer.

Plan ahead and don’t be rushed when shopping. Last-minute shopping can often lead to absentminded clicking – exactly what the cyber-criminals are waiting for.

Be on the lookout for scams before you start shopping. Your local and national news channels, as well as sites like the Better Business Bureau, will be reporting on the latest scams.

Follow these tips and your intuition, and you can avoid being another holiday shopping scam statistic.

Why Manage Your Own Passwords?

Passwords are a necessary evil in today's world where our personal email, work email, social media, and ecommerce sites alone easily add up to at least a dozen separate password-managed accounts. Add to that medical, utilities, credit cards, and other various apps that we pick up along the way, and now you’re into the dozens.

Add to that the ongoing question of what makes a strong password. Until recently NIST (National Institute of Standards and Technology) recommended passwords that substituted capital letters, numbers, and special characters into supposedly hard-to-crack passwords. So, you might have M@!!S@Nta. Recently, however, NIST concluded that, not only are these passwords often difficult to remember, but they’re not necessarily all that effective against sophisticated password crackers. The current recommendation is to string together unrelated words, like CatPepperMirror, and then maybe a special character, just because why not.

But what if there was a security solution that would prevent all this trouble? Turns out there is! And there has been for years now – password managers. Password managers such as Dashlane, LastPass, and 1Password offer a full-service solution that can do everything from creating passwords to storing ones you create. They can also automatically log you into sites and save password recovery questions.

In addition to established password manager veterans like Dashlane, LastPass and 1Password, newer options like the open source KeePass have popped up to compete in the ever-growing market. As with anything tech-related, it’s best to conduct research to find out which solution would be the best fit. Chances are, any option would be better than reusing the same 3 passwords for 3 dozen accounts. You know who you are!


Marriott & Quora: Compromised Data Just in Time for the Holidays

Marriott

At the end of November, Marriott announced a large-scale hack that impacts potentially 500 million customers who have made reservations at a Starwood hotel. The Starwood Hotels and Resorts hospitality group operates many brands, including Sheraton, Westin, Aloft and W Hotels. This is one of the largest breaches in history, and the amount of time hackers had access to customer information makes it especially dangerous.

Marriott acquired Starwood in 2016, but the hack began in 2014. This means hackers had access to customer data for four years, an extremely long time in the realm of hackers. Marriott reports that only 170 million of their customers had basic information stolen such as names and email addresses, but for the estimated 327 million Starwood customers, the breach gave hackers access to names, phone numbers, email addresses, dates of birth, gender, trip and reservation information, passport numbers, and Starwood Preferred Guest account information. Marriott reports that credit card information was also stolen, but the exact number of victims has not been confirmed.

In response, Marriott is notifying their impacted customers via email as well as providing access to a call center and breach notification website where users can look up if their information was stolen and how much of it. They are also providing enrollment in WebWatcher, an identity monitoring service, free of charge for one year.

While this hack is especially scary due to the large number of individuals impacted as well as the kinds of information at risk, Wired recommends making sure to enroll in the free monitoring service, changing your password, and keeping an eye out for any suspicious activity with your financial information.

Quora

Earlier this month, Quora released a statement regarding user data becoming compromised. Specifically, in an article posted on their blog, “some user data was compromised by a third party who gained unauthorized access to one of [their] systems.” Approximately 100 million accounts have been impacted, which means the following information may have been accessed by the hacker:

Account information such as name, email address, password, and information pulled from Facebook or Google when an account link has occurred

Public content and actions such as questions, answers, comments and upvotes

Nonpublic content and actions such as answer requests, downvotes, and direct messages


The majority of the content accessed was already public on the website, but even so, users should make sure to take the necessary steps to protect their privacy. Quora is notifying users that have been compromised, has logged out all users that might have been impacted, and is working to identify the root cause of the issue as well as make security improvements. Quora recommends users change their password and notes that it is best practice not to reuse passwords across multiple services.

You've Been Phished – To Shut Down or Not Shut Down?

So, you believe you got phished. Don't panic. The first step is recognizing that your system might be at risk, and then you can take the correct steps to ensure you are not infecting your organization's network. You should always make sure to follow your company's policy, but these are general best practices to follow should this happen to you.

Stop Typing: Some phishing messages can install malicious software onto your computer. This software can track your keystrokes or modify your system to cause damage or remove data.

Disconnect from the Network: Do not immediately shut down your computer. Instead, make sure to disconnect your device from the network. Whether this be Wi-Fi or ethernet cable, manually take this precaution to prevent spreading the malicious software to other devices on the network. Shutting down your computer without disconnecting your device from the network means that as soon as it is turned back on, you could spread the malicious software to everyone else.

Report It: Let your IT department know you think you’ve likely clicked on a phishing link. They will have protocols to follow in order to prevent others from receiving or responding to the threat as well as isolating the potential threat. Furthermore, they will make sure you follow proper company policy.

Once you've completed these steps, take note of the experience. Although you can't do anything to change the fact that you clicked, you can always learn more about how to avoid being a victim of phishing attacks to make sure it doesn’t happen again.

Inspired eLearning | 4630 N Loop 1604 W | Suite 401 | San Antonio, TX 78249


© 2018 Inspired eLearning, LLC. All Rights Reserved. All organizations with an active Security Awareness license are granted permission to republish any or all of the content in our Security Awareness Newsletter, as long as distribution of that content is limited to employees within the organization.