April 2021, Volume 6
- Pandemic - One (1) Year Later
- Automated Calls
- Phishing from Bosses
- So That's What It Means!
- COVID 19 Reminder
Pandemic - One (1) Year Later
Well, here we are one year from the time a global pandemic was declared. Since that time, we have all had to change how we live. On a daily basis, we are having to accommodate the constant shifting directives/restrictions being issued.
In addition to the physical changes that we have had to make (i.e. masks, social distancing, frequent hand-washing, etc.), we have also had to contend with the added stress of our sense of security being shaken, changes to our daily needs/schedules, and even having to reevaluate our work and personal values over this last year.
We have had to acquire new ways to work, learn, interact, and survive.
Many people in specific industries have not been able to work. However, our audience has been fortunate enough to continue to operate with some restructuring, increased reliance on technology, installation of various safety protocols, and creative thinking.
Working remotely (full-time or part-time) was once considered a privilege or a perk; however, in 2020 it quickly became the norm. Now that we have experienced the advantages, as well as the challenges of a remote team, and with many of us slowly returning to the workplace, there are many things to reflect upon and evaluate when slowly exiting from the restrictions.
To effectively and efficiently transition, some of the questions you will need to ask yourself are:
- What have we learned about our business and our industry?
- What have we learned about our customers and service providers?
- What have been some of the challenges?
- Were we able to protect our assets (e.g. data, hardware, customers, team, etc.)?
- How has technology/software supported us through this pandemic?
- What have we discovered about ourselves, as a person, as a leader, and as a friend?
- What have we learned about our team?
- Do we remain fully remote, partially remote, or have everyone back onsite?
- Were we more effective/efficient being remote over onsite?
- What are the costs associated with having a fully remote team, over partially remote, or having the team back in the office?
- How do we effectively manage a remote team?
- How can technology/software assist in managing our team?
- How do we keep our remote team engaged, whether it is the entire organization or specific groups?
Now is a good time to take what you have learned over the last year, from a business perspective, as well as from a personal position, and implement appropriate changes that will make your organization a better place to work and increase sustainability throughout these changing times.
Automated Calls
We all get them; we all hate them; we all wish they would stop!
How many times have we shouted…
- No, I don’t need my car warranty extended!
- I don’t owe the IRS any money!
- My grandchild is at home and not in a foreign country needing bail!
- How could I win a cash prize when I didn’t enter any contest to begin with?
- No, I don’t need any additional insurance!
- If my banking access has been compromised, I will contact my bank; I will not “press 1” to be connected with someone who will help me change my user name and password!
- No, I don’t want free tickets to the Eldon Yawn, Lady Baba, or Brittany Fears concert!
Though we may not be able to fully stop these annoyances, here are some things NOT to do:
- Don’t engage with the caller. Though it may be entertaining to string the caller along, you may unwittingly communicate information about yourself, your employer, your family, financial situation, etc. You have already confirmed that the number they called is a working number and that you will answer the phone, which makes your number more valuable for sale.
- If you tell a scammer to stop calling you (i.e. this is my work number or this is my cell), you may inadvertently provide them with information that will make your number much more valuable to someone who may be trying to steal your identity.
- Don’t threaten them with “I’m a lawyer” or “the CEO of __ company”, etc., as that information may assist them in further identifying you.
- Do not record the call unless you are aware of the current laws in your jurisdiction, as you might become the party conducting an illegal action.
- Don’t dial the number back. Doing so confirms to them that your number is a good one, may reveal your employer’s name or your full name to them via Caller ID, and may incur exorbitant long-distance charges.
- Speaking to the scammer allows them to record your words (i.e. yes, no, 1, 2, 3, etc.), which gives them certain words/phrases they can splice together to validate credit card charges, access banking information, or request money from naïve relatives.
Here are some things you CAN do:
- Register your number on the National Do Not Call Registry.
- Download robo-caller blocking apps on your phone - You can find a list of call-blocking apps for mobile phones at ctia.org, a website for the U.S. wireless communications industry.
- Block numbers, as you identify them as robo-callers.
- Decline any numbers not familiar to you.
- Your phone carrier may have additional features or paid-options to filter out robo-calls.
- If someone is calling you claiming to be from ABC company, hang up and call the company from their official company number.
- Change your phone settings to only allow calls from your contact list.
- Report repeat callers to the Federal Trade Commission (FTC).
- Most importantly, use common sense.
Phishing from Bosses
There are many types of phishing that scammers use to fraudulently obtain sensitive company data, user names and/or passwords, or steal money. Some examples are:
- Phishing – usually done by email
- Spear phishing – more targeted email
- Whaling – very targeted email, usually focusing on executives
- Internal phishing – phishing attacks originating from within an organization
- Vishing – done by phone calls
- Smishing – done by text messages
- Social media phishing – conducted using Facebook or other social media posts
- Pharming – compromises DNS cache
“Phishing from Bosses”, also known as “CEO Fraud”, is not a new technique, but has continued to be on the rise in frequency over the last three (3) years and has resulted in business losses in excess of $2 billion in just the last year.
CEO fraud phishing is a targeted email attack in which hackers impersonate senior company executives (the CEO or chief financial officer) to steal funds, gain access to sensitive business data or login credentials, or initiate a transfer of money to a fraudulent account. Typically, the Finance or Accounting Departments are the primary targets.
The email evokes a sense of urgency in the target in order to incite them to act quickly and to ask as few questions as possible. In addition, taking on the identity of an executive to address a specific employee with an urgent request can generate a sense of pride in the employee (who wants to take the risk of disappointing an executive who wrote specifically to them?).
CEO fraud phishing attacks often rely on two techniques to perpetrate this type of fraud:
- Sending an email from a compromised email account of a senior employee. Finding the names of the company’s senior executives usually requires only a simple online search, probably on the company’s own website. Scammers can easily figure out the email address naming convention, user names, and passwords.
- Sending an email impersonating a senior employee with an email address at a phony domain that looks very similar to a legitimate domain. The easy method is to create a fake email address that looks like the legitimate one.
For example, slightly altering the email address:
Actual Email Address: herman.munster.ceo@ABCcompany.com
Fake Email Address: herman.munster.ceo@ABCcompany.co
(note the missing “m” in the domain).
They can also use email spoofing, or email address spoofing, where the sender’s address would appear in the message as herman.munster.ceo@ABCcompany.com, but could be linked to another address.
In either case, clicking ‘Reply’ sends the email directly to the scammer rather than to the legitimate executive.
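The two tricks just described (a lookalike domain with a dropped letter, and a spoofed From address whose replies are routed elsewhere) both leave traces in the message headers. The following is an added example, not code from the newsletter: a small standard-library Python checker that flags a sender domain that closely resembles the company’s own domain and a Reply-To or Return-Path whose domain disagrees with the From domain. The company domain “abccompany.com”, the similarity threshold, and the three sample messages are all constructed assumptions for this example.

```python
"""Added example (not from the newsletter): flag CEO-fraud sender tricks in
raw email headers using only the Python standard library.

Assumptions (constructed for this example): the legitimate company domain is
abccompany.com; the sample messages below are made up.
"""
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher
from typing import List

COMPANY_DOMAIN = "abccompany.com"  # assumed legitimate domain


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of user@host, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN,
                 threshold: float = 0.85) -> bool:
    """True when domain is NOT the legitimate one but is nearly identical,
    e.g. abccompany.co (dropped final letter) vs abccompany.com.
    The 0.85 similarity threshold is an assumed tuning value."""
    if domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= threshold


def analyze_headers(raw: str) -> List[str]:
    """Return a list of warnings derived from From / Reply-To / Return-Path."""
    msg = message_from_string(raw)
    warnings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(from_addr)

    # Trick 1: lookalike domain registered by the scammer.
    if is_lookalike(from_dom):
        warnings.append(
            f"lookalike sender domain {from_dom!r} resembles {COMPANY_DOMAIN!r}")

    # Trick 2: From looks legitimate, but 'Reply' goes somewhere else.
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value:
            _, other = parseaddr(value)
            other_dom = sender_domain(other)
            if other_dom != from_dom:
                warnings.append(
                    f"{header} domain {other_dom!r} differs from From domain {from_dom!r}")
    return warnings


# Constructed sample messages (headers only) used for demonstration.
SAMPLE_LEGIT = """\
From: Herman Munster <herman.munster.ceo@ABCcompany.com>
To: ap@abccompany.com
Subject: Quarterly numbers

See attached.
"""

SAMPLE_LOOKALIKE = """\
From: Herman Munster <herman.munster.ceo@ABCcompany.co>
To: ap@abccompany.com
Subject: Urgent wire today

Please process the wire before noon.
"""

SAMPLE_SPOOFED = """\
From: Herman Munster <herman.munster.ceo@ABCcompany.com>
Reply-To: herman.munster.ceo@mail-relay.example.net
To: ap@abccompany.com
Subject: Re: invoice

Reply with the account details.
"""

if __name__ == "__main__":
    for name, sample in (("legit", SAMPLE_LEGIT),
                         ("lookalike", SAMPLE_LOOKALIKE),
                         ("spoofed", SAMPLE_SPOOFED)):
        print(name, analyze_headers(sample) or ["no warnings"])
```

A check like this belongs at the mail gateway or in a mail-client add-in, where it can tag the message before the recipient sees it; it complements, rather than replaces, the verbal call-back verification the policy list below requires.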
What can we do to prevent these types of attacks?
- Create a robust training program, where you teach employees:
  - How to check for valid email addresses
  - To check for bad grammar and typos in emails and domain names
  - To be suspicious of emails with urgent demands for action involving money
- Create strict policies and procedures involving sensitive/urgent requests for the transfer or disbursement of company funds. Consider:
  - Requiring two-factor authentication for your business email accounts
  - Using a security suite that includes email spam filters
  - Installing anti-phishing software
  - Requiring all emailed requests for the transfer or disbursement of funds to be verbally validated with the initiator through a telephone call, using the number from the company directory and not from the email signature block
- Implement random phishing tests for all employees:
  - Use a phishing testing provider to send periodic emails with embedded links
  - Review the test results and use them to refine subsequent tests to target weaknesses
  - Use the test results to enhance the training program
SO THAT'S WHAT IT MEANS!
Bandwidth - Describes the maximum data transfer rate of a network or Internet connection. It measures how much data can be sent over a specific connection in a given amount of time.
Drivers - Software that tells the computer how to interact with a hardware component (like a webcam or printer).
Latency - The time interval or delay while one system component waits for another system component to do something.
Router - Connects multiple devices to WiFi; directs the traffic of multiple devices to the Internet.
SSL - Secure Sockets Layer, a protocol that allows Internet users to send encrypted messages across the Internet. It is generally used when transmitting confidential information (e.g. personal data or credit card details). A web address that begins with "https" indicates that an SSL connection is in use.
COVID 19 Reminder:
Just because you have received the vaccine does not mean you can’t still contract the virus, or be a carrier and pass it on to people you encounter.
Continue to practice safe protocols.