Posts

Coronavirus Malware Phishing Scams Thumbnail

How Cyber Attackers Use The Coronavirus to Steal Your Data

Coronavirus Email Scams

The recent coronavirus outbreak has motivated cybercriminals to send virus related malware attacks across the world.

Phishing emails claiming to possess information on protecting against the virus have appeared, spreading misinformation and malicious software. These emails encourage victims to open attached documents containing malware that can freeze or completely steal valuable data.

Scammers use fear and uncertainty to manipulate victims into infecting their computer with malware. However, incorporating tragic events, potential pandemics or natural disasters into their attacks is nothing new.

Beware of Phishing After Any Big Event

Attackers customize phishing emails to current or upcoming events like tax season, hurricane season, and holidays. Regardless of the occasion, the goal is the same: to access valuable information. The attacks prey on people’s desperation for answers and suggest that they have can give them to you.

Furthermore, there have been cases of scams emerging in places like Michigan and New York. Officials in these states are warning residents to be vigilant of emails asking for donations or personal payment card information.

Coronavirus scam emails were popping up in early February which prompted Michigan’s Department of Health and Human Services to warn citizens on their dangers.

The Federal Trade Commission even sent out a memorandum advising people on how to spot email scams and stay safe online.

Additionally, the FTC says cyber criminals could be setting up fraudulent websites that sell fake products using illegitimate emails, social media posts and texts to trick people into sending them money or personal information.

An example of a phishing email scam offering fake information about COVID-19.

Common attributes of a fake email are spelling and/or grammar errors.
If you receive a suspicious link, hover your cursor over it to view the destination url.

Protecting Against Coronavirus Phishing Scams

Here are some tips recommended by the FTC to keep safe against scammers:

1) Be suspicious of emails claiming to be from the Center for Disease Control and Prevention (CDC) or anyone purporting to be an “expert” with information on the virus.

2) Avoid emails that allude to any “investment opportunities.” Social scams will promote products claiming they can cure, detect, treat or prevent the disease are fake.

3) If you’re going to donate, do the proper research into the organization and payment method. Don’t be pressured to donate and especially if it’s through an email link.

4) Ignore offers for vaccinations. Ads that say they have the cure or treatment for coronavirus are probably scams. Any medical breakthrough will be announced on mainstream media networks.

5) For up-to-date information on the virus visit the Center for Disease Control and Prevention (CDC) and the World Health Organization (WHO)

Don’t Be Misled

These scams will continue to spread and they won’t go away any time in the near future. In fact, scammers will certainly take greater advantage of the misinformation and fear from media coverage.

Moreover, cyber scammers in China were reported sending malicious emails containing malware. It’s difficult to protect yourself from these types of attacks but

Threat actors also targeted users in Japan with a campaign that spread malicious documents with supposed information on the virus.

Unsurprisingly, these social engineers even sent emails impersonating the CDC to lure unsuspecting users into malware traps.

The Coronavirus is a real threat but it’s important to keep a level head and not expose yourself to even greater harm online.

Ultimately, even Facebook has begun planning to ward off misinformation on the virus. Other social media platforms have voiced concern about the spread of false claims on their platforms as well.

The virus has attracted the attention of a global audience but that doesn’t mean you have to fall victim to those looking to profit off of that attention.

Coronavirus Malware Phishing Scams Leaderboard

What Should Concern Businesses About the New Orleans Cyberattack

The city of New Orleans experienced a cyberattack so severe Mayor Latoya Cantrell declared a state of emergency.

The attack occurred on Friday, Dec. 13 and caused the city to shutdown government computers. Officials announced the shutdown via social media posts.

City Shutdown Government Computers

The attack started at 5 in the morning, according to the city of New Orleans. At around 11 a.m., employees noticed what they considered suspicious activity. As a result, the city’s IT department ordered employees disconnect from Wi-Fi and close down their computers.

Fortunately, an investigations into the attack is currently underway as Federal and State agencies gather more information. As of now, nothing is known about the malware used during the attack and the Mayor said no ransom demands had been made yet.

Louisiana’s Third Cyberattack

This ransomware attack is the third to affect Louisiana in five months. In November, another attack prompted Louisiana’s Office of Technological Services to shut down multiple state agencies. And in July, cyber criminals attacked several Louisiana school districts, shutting down their networks for ransom.

As a result of the schools attacks, Governor John Bel Edwards declare a state of emergency that allowed state agencies to help local governments recover from the attack.

What’s the Damage?

Unfortunately, it’s always difficult to tell the extent of the damage. It could take months and, in some cases, years to truly understand what information was stolen.  Furthermore, hackers could have stolen government employee information, financial information and more from New Orleans.

Moreover, they will have to contact financial institutions and implement new procedures to address cyberattacks like this as well as increase security on their networks.

This begs the question, if State governments have to shut down entire systems and declare a state of emergency to deal with a cyberattack, what will it cost a small business?

Since the attack in November, The National Governors Association (NGA) has urged states to develop a formal continuity plan for responding to cyber threats. Additionally, cyber forensic experts will need to be brought in to investigate the breach.

New Orleans Government Cyber Attack Statistics

 

Cyber Response Plan

The NGA released a State Cyber Response plan in July, that governments are developing and 15 states have made their plans public.

Without a doubt, the impact of ransomware attack is nothing to scoff at and governments are learning the hard way. Ultimately, having a continuity plans in place ensures recovery from a breach runs as smoothly as possible.

Cybercriminals Declare Hunting Season

The FBI issued a warning in October declaring an increase of cyberattacks on “big game” targets. These are targets with money and sensitive information, willing to pay ransoms to restore their systems.

That doesn’t just mean local and state governments, municipalities and agencies. For instance, hackers often target businesses, hospitals, accounting firms and financial advisers for their data.

Additionally, businesses have to adapt and invest in security if they expect to succeed. The first of several security lessons: no one is too big or to small to get hacked.  Sensitive data is always in high demand. More importantly, dark web marketplaces, like Joker’s Stash, are always willing to sell it.

The Future of Cybercrime

Researchers warn that ransomware attacks will intensity in 2020. What’s worse, attacks are getting more sophisticated.

On the other hand,with the year coming to a close and a new one beginning, now is the perfect time to audit your IT infrastructure and verify it’s competency against these types of threats. Fortunately, 2020 will also see the rise of things like cyber insurance, AI and cloud-based security solutions.

Transitioning to a cloud-based solution, like a hybrid cloud,  might help industries across the board avoid scenarios like the ones in Louisiana.

You can read our article on how businesses can protect themselves from a cyberattack.

If you want to know more on cybersecurity news, the cloud, managed IT services and more contact us or visit our blog.

 

CPA Firms Data Cloud Protection

How CPA Firms Benefit from Miami Data Protection

All companies today have data. It could be anything from personal files and client data, to product information and financial transactions. In fact, data is one of the most important assets to a company. For that reason, data protection should be a serious consideration for any company. Data protection included guarding the data and making it available to employees who need it. Moreover, it requires ensuring the data is correct and updated as well as keeping the data confidential.

Data is currently the lifeblood of a business. That is why Facebook and Google became the tech giants they are today. The amount of data they have over their users is so valuable, industries depended on them to drive business, develop relationships and predict behaviors.

Imagine if that data were stolen and used for nefarious purposes. Imagine if it were sold on the black market or bought by a third party. You don’t have to be Facebook or Google to appreciate the severity of a situation like this. If your industry fails to protect both client and employee data, this could destroy your business.

Customers have a minimum expectation that your firm or business will keep that data safe. Data governance builds trust and trust builds a business. There are practices that everyone needs to follow to protect important data from breach.

Now more than ever, you find data hacks and attackers everywhere online. 53 percent of companies experienced a cyber-attack in the last year. This was up from 38 percent the previous year. This is why finding the right services that offer data protection in Miami is a good idea. Ransomware and hackers in particular are hitting accounting, the financial services industry and even educational companies all over the world.

Data protection keeps hackers from taking advantage of human errors

Whether you like it or not, human errors can appear from time to time in just about any business. And yes, they can lead to lots of downtime. Hackers will wait for such an error to appear and they will immediately gain access to your business information. If you don’t store your information adequately, hackers will just attack your business, and that can lead to a huge set of problems in the long term.

Training

This is such a huge issue that government regulations are now in place that make data governance a requirement. An important component of safety measures is security awareness training. Employees need to understand the importance of data security and procedures.

Online Safety

Our online activities reveal aspects of our daily life. What we search, where we enter our names, home address, and phone numbers. Facts about our education, our shopping habits, all of these things are recorded on the internet.

The amount of information that can be found on the internet is staggering. People expose their private lives online on a regular basis and that means these details can be exploited to gain access to employee information at work.

Data protection keeps hackers from taking advantage of human errors.  There are three main human errors that cyber attackers leverage to gain sensitive data:

Error 1: Phishing

Phishing and pretexting account for 93 percent of social related breaches, and email attacks are the most common.
The biggest mistake companies make is to neglect cyber until an attack or breach occurs. What every financial organization, accounting firm, and any business with sensitive data needs to do is create a security focused culture. Taking the time to address important warnings and issues in brief meetings or short five minute videos can give your business a huge advantage over cyber criminals.

Error 2: Poor passwords

81 percent of company data breaches are due to weak passwords. That’s because people recycle the same passwords across their various online accounts. Not only do people use the same passwords, but they continue to use those passwords as long as possible until it they’re told to change it by an IT department or affected by a cyber-attack. Businesses need to take an active role in helping their staff develop password good password hygiene. The reason many people use reuse these passwords are fear of forgetting. In fact, it was the number one reason for reuse. 61 percent of users admitted this in a poll by Lastpass.

There are password manager software applications that collect data and store it in encrypted databases. Nerds Support uses password expiration tools that instructs users to change their password every 30 days.

Error 3: Unauthorized access to devices

Although  industries  have become more mobile through smartphone technology, tablets and laptops, companies still issue devices to their employees. Over half of working adults allow friends and family to access employer-issued devices at home. Furthermore, it’s possible for employees to download malware that could gain access to important data and applications.
Implementing security controls on devices like two factor authentication and password protection is necessary in this case to avoid these risks. Also, introducing a thorough and comprehensive information security plan that addresses such concerns will lead to a more cyber secure culture within the workplace.

This is especially important for accounting firms due to the sensitive nature of their data. Financial firms are also vulnerable to these types of human error and critically impact the business. Nerd Support’s cloud accounting technology mitigates these risks by implementing rigid compliance centered practices.

Data protection Safeguards Against Breaches

Daily data backups, storing your data in an undisclosed location and taking the security measures mentioned above can go a long way. Data protection needs to be a top priority for all industries, because not only will you lose data, you’ll lose trust and eventually clients.

 

CPA Firms Data Protection Statistics

 

Daily data backups, storing your data in an undisclosed location and taking the security measures mentioned above can go a long way. Data protection needs to be a top priority for all industries, because not only will you lose data, you’ll lose trust and eventually clients.

Data Protection saves you money

The average total cost of a data breach is 3.92 million US dollars, according to extensive study by the Ponemon Institute. The average size of that data breach is 25, 575 records. In other words, 25,575 records are stolen on average whenever there is a data breach. Having strong protections is not a luxury, it’s a necessary investment. Most companies don’t realize this until a breach has taken place. The true financial impact is immeasurable when you consider future losses due loss of trust, credibility as well as the fines and fees.

Data protection keeps your company in compliance with the law

All businesses must safeguard their data. In Florida it’s important to remain compliant with the Florida information protection act of 2014. It’s a lot easier to avoid any potential lawsuits this way too. And, the most important thing, this way you can create powerful business relationships with each client.

By following compliance standards many of the vulnerabilities associated with human error are eliminated entirely. So you need to find IT solutions that take compliance not only into consideration but make compliance the basis for those solutions.

For accounting, it’s GAAP compliance standards that should be met. In the case of financial services, using FINRA approved cloud storage services is key.

What Happens When Data Protection is Underestimated?

There were huge data breaches in government run facilities in the past year. Ecuador was victim to a data breach that compromised the information of up to 20 million people. This included adults and children, dead and alive. To give you a sense of scale, Ecuador has a population of 16 million people. These attacks are only getting worse as hackers expose long neglected security weaknesses.

If you want to make sure that your company data is safe, contact Nerds Support for more information. Our dedicated data protection services team can give you a free consultation to discuss your industry and compliance needs.

Phishing Emails - Don't Get Hooked!

social engineering

Spear Phishing

What is spear phishing?

Spear phishing is an email scam targeting a specific individual, business or organizations. It’s like a standard phishing scam except the emails are personalized to target one group or person.

Cyber criminals use these types of attacks with the intention of accessing and selling confidential data to governments and private organizations.

The cyber criminals use individualized methods of social engineering to create a sense of legitimacy to the email. The objective of social engineering is to get anyone from a company or government agency to open a malicious link or visit a virus ridden website.

At that point the cyber criminals can steal the data they need in order to critically affect the target’s networks.

Spear Phishing Could Cost Millions

The city of Naples, Florida lost $700,000 in a spear phishing attack on Monday, August 5.

The money was sent to a fake bank account provided by an attacker posing as a Wright Construction Group representative contracted to work on an infrastructure project in downtown Naples, according to one of their news releases.

The city manager Charles Chapman said the cyber attack was an isolated incident and did not affect their data systems.

Other cities throughout Florida were also targeted in cyber attacks.

How Spear Phishing Works

Phishing and social engineering in general is increasingly becoming a popular method of hacking for cyber criminals, however spear phishing is particularly difficult to detect because they’re designed to appear legitimate and safe. It’s the same with counterfeit dollar bills. The more advanced the counterfeit is, the harder it is to recognize it as fraudulent or fake.
In a spear phishing attack, the hacker gets specific information about their victim to create a sense of trust and security. Like the cyber criminal in Naples who used the information concerning the contract between the city and Wright construction group to his or her advantage. They usually acquire this information through internet research, a previous phishing attempt, maybe a hacked account from within the organization and even social media.

Typical phishing attempts will ask you give some personal information. Sometimes hackers ask for a phone number, other times a credit card or bank account number. Spear phishing attempts follow a similar strategy only more specific. You might be manipulated to click on a link that downloads malware or led to a site that asks for a password or a social security number.

Whaling

There are other forms of spear phishing called “whaling”. Whaling involves targeting institutions posing as a company executive requesting an employee wire money to an account belonging to the hacker. The Naples attack is a modified version of whaling. Instead of posing as the CEO of Wright Construction Group targeting an employee, the cyber criminal posed as a representative of the company targeting one of its clients.

Like phishing, a successful whaling attempt involves coercing someone with a high profile or reputation. The intention can vary but it’s usually all about money. This could mean initiating a wire transfer as in the Naples case or installing malware that infects company servers and steals sensitive data.

Targets of whaling are executives, department heads, spokespeople. This means that they likely have information available to the public that other targets might not. Having importance within a company or an industry means that person is in the public eye. This might limit the pool of targets, but it also raises the reward.

Threats to Businesses

Because of what we’ve mentioned above, spear phishing is not only among the most common types of cyber-attacks, but probably the most dangerous. Most phishing attacks try to cast a wide net, hoping that a handful of email recipients unknowingly give them access to their business and data. All it takes is one person to click and the entire enterprise is at the mercy of a cyber criminal.

Phishing Email Statistics

The Naples example coupled with these statistics are indicative of how effective phishing scams are. It’s important to be aware of how volatile one of these attacks can be and prepare your business against them.

Red Flags of Phishing

The important thing is to avoid clicking on anything until you know what it is and who it’s from with certainty. If someone you know shares a link or a document with you and it’s out of the ordinary that’s a sign it may be malicious.

If the email has a strange address with too many numbers or letters, it’s probably a phishing scam. Another give-a-way is the vernacular contained in the email.

Here’s an example: Let’s say you live in the US and you receive an email from your boss who also lives in the US and was raised in the US. If the email says something like, “Hey, I need you to run some errands for me this afternoon. Send me your mobile.” Mobile is a phrase commonly used in the UK not in the US and could be an indicator of a fake email. A lot of the time cyber attacks will overlook these small but telling details.

This requires a bit of deduction on your part, but if you’re familiar with the person who allegedly sent the email, then it should use this as a way of catching any abnormalities in their word-usage. A little research goes a long way also. If you’re receiving an email from a company, look it up and message them. If things don’t check out, report it through your email provider like Google or Outlook.

When successfully  identifying an email as a phishing scam, alert anyone and everyone in your department. Raise awareness with as many people you can. This puts people in high alert and makes it less likely they fall for the same trick.

Protect Yourself

Phishing and spear phishing specifically might be difficult to spot, but that doesn’t mean you’re helpless against it.
Training employees and raising awareness is the first line of defense against phishing attacks. And with spear phishing becoming more selective, training should expand to clients, vendors and upper management.

Training

Just as we saw with the Naples attack, cyber-attacks are becoming more ingenious and varied. The city of Naples was a client of a construction company and rather than target the company, they targeted the vulnerable client. While employees might protect themselves from phishing attacks by implementing measures put in place by internal IT or a cloud provider, clients might not have these same advantages.

There needs to be a comprehensive training curriculum focused on educating as many people within an industry. Whether it’s clients of a financial firm or the firm itself, for example, there’s no telling who a hacker will target.

Mock tests

Simulating a phishing attack is a helpful tool to assess how employees behave under those circumstances. This would also help in gauging how aware your employees are of phishing attempts.
Spam filters: Once upon a time, spam was just annoying inconveniences that at worst lowered productivity. Now, spam is a useful tool for cyber attackers to target potential victims. Luckily, most spam filters work, and most companies have one.

Be aware of the kinds of information shared on social media. Useful details like birthdays and favorite activities can be found easily in today’s social media culture. Upcoming events can also be used to make spear phishing emails seem more legitimate. Be weary during a big conference or networking event of any strange requests in your inbox.

The Cloud

Cloud service providers often provide the protection and security to prevent a successful spear phishing attack. Nerds Support, for example, advises all its partners to send in any suspicious emails they receive to be analyzed and verified as safe to open. This is a simple technique that comes a long way in safeguarding against these kinds of attacks.
Going back to two factor authentication for a moment,

If an organization moves to the cloud, phishing risks must also be considered. If your company is using a public cloud, you’re accessing any and all relevant applications through the internet. Phishing is most successful when the apps are exposed to the internet, which is standard for a public cloud.

Private cloud hosted apps, like Nerd Support’s have the added security of a VPN (Virtual Private Network). VPN’s simply allow you to establish a secure connection with another network over the internet. However, hacker can always try and find the URL of a cloud service. That allows them to execute targeted phishing attacks on employees of the company.

Two-Factor Authentication

One of the best ways to fight against phishing attacks is a two-factor authentication. This is when you log in and the app or site requires you to log in through another device or apply another password. People see this usually with social media. Instagram and Facebook sometimes ask you to input a code sent to your phone or email. If a user inside a company is compromised in a phishing attack, the attacker won’t be able to access the organization’s IT if the second factor is constantly changing.

Two-factor authentication isn’t typical of most cloud services. Nerds Support offers this feature when you adopt its cloud system but it’s one of few exceptions. Dropbox is another cloud-based h

osting service that adopted a two-factor authentication.

We’re here to help

At the end of the day, its about adopting culture of verification and caution. Nothing is sacred to cyber attackers. They will exploit personal information that appeals to your emotions or they will use a recent tragedy in the news to increase the chances that you “donate” to their cause.

Calling and investigating the sender before replying, double checking with colleagues, making sure that no one is isolated or left out of the loop are all things that make a huge difference.

Hopefully you’ve learned enough to recognize a potential spear phishing attempt so that Naples story doesn’t turn into your own.

To learn more about cyber attacks, phishing and social engineering visit the Nerds Support website or feel free to call and we’ll be happy to answer any questions. Also, check out our video on tips against phishing right here.

If you need any help making your company  safer, feel free to fill out the form here or call us at 305-551-2009.

A business owner working on her laptop

3 Big Security Lessons for Growing Your Business

Ransomware is rapidly becoming the most pervasive cyber threat in the world today. It’s affected large companies like Arizona Beverages and FedEx to government institutions like police departments and schools across the US.

Although many of these organizations are large is size and scope, you don’t have to be a multinational bank or the National Health Service to become a victim of ransomware and other types of malware. As a matter of fact, small and medium-sized businesses are just as likely, if not more, to be attacked by ransomware because in many cases they’re more vulnerable and less likely to recover.

What is ransomware? Ransomware is a computer program or virus that encrypts and freezes your data files unless you pay the perpetrator a fee. These are some things to consider when navigating a business in today’s world. There are the dangers everyone faces.

3 big security concerns for business owners

1.You’re never too small to get hacked

About 70 percent of ransomware attacks in 2018 target small businesses, according to a March report from Beazley Breach Response Services.

Ransomware finds its way into your system by exploiting flaws in your security perimeter, but, more likely, it gets downloaded by an unsuspecting user through an ostensibly harmless email or file. It can infect not only the machine that opened the corrupted file, but all the programs it shares throughout the network, spreading like a dangerous contagion, encrypting all the files on that network.  If the initially infected machine has access to back-up files, it’ll encrypt them as well.

It’s easy to assume big businesses would be the main targets of something like this, but cyber criminals go after small, lower risk payments instead of one large payment. Smaller attacks are likelier to keep them under the radar. It’s also important to know that one cybercriminal alone can target thousands of businesses with little to no difficulty. They use social engineering to manufacture a huge email list and infect countless links and files before sending them off to as many people as possible. All it would take is one staff member or employee in the office to click on a single link. Some businesses may avoid this kind of attack but it’s a numbers game. All it takes is patience and eventually a cyber-hacker will get what they want.

2. Paying Won’t be Easy

So what if you pay the ransom? That’s always an option.  You can pay, get your files back and move on. Well, not exactly.

Hackers and cybercriminals don’t use traditional bank accounts when conducting “business”. They’ll want to be paid in Bitcoin to an anonymous account on the Dark Web. It’s untraceable and easy to manage for even the most novice of hackers. Adding insult to injury, you’ll have to spend time you may not have trying to get your hands on crypto currency you need to make payments to someone that’s extorting you. Even if you go through this strenuous process and pay the hacker their fee, it’s not a guarantee you’ll get your data back.

3. Hacking is a reality that cannot be avoided

Most businesses and even government institutions haven’t taken cyber security as seriously as they should. 43% of all cyber-attacks are aimed at small businesses, according to cyber defense magazine. Small businesses have minimal security and are therefore easier to breach.

In South Florida, it’s reasonable to assume you’ll experience a hurricane at some point. The environment in which you’re in often produces conditions favorable to those types of storms. In today’s world, with ever increasing reliance on technology and computer software in almost every industry, there will always be those looking to exploit vulnerability for profit. If you want to mitigate risks and continue to operate and grow your business, you’ll need to assume that getting hacked is inevitable. Prepare for the worst and you’ll have nothing to fear.

A Nerds Support partner, for example, has all of their files backed-up daily and monitored by our team of experienced engineers and IT professionals at all times. If there’s a questionable email, we can analyze it to ensure it’s safe and legitimate. Nerds Support has can help its partners establish a continuity plan in the case of an attack and snuff out potential risks before they become large vulnerabilities in your system.

A cloud based-infrastructure offers a level of security that is cost efficient and practical for any business. Contact us Today to Start Securing Your Business!