Tag Archives: smishing

Cyber Risk: Are You the Weak Link?

In 2012, a young scam artist based in Asia posing as a private investigator simply purchased the personal information for more than 200 million users directly from credit reporting giant Experian and then posted it for sale online. The only reason we know about the incident is that the U.S. Secret Service caught it. Experian didn’t.

Cyber criminals know that the weakest link in most computer networks is the people using them. Verizon’s highly respected Data Breach Investigations Report has repeatedly noted that most attacks start with employees. Attackers use “social engineering” to trick their victims into allowing unauthorized system access, data theft and even specialized stealthy attacks used to quietly steal massive amounts of sensitive data over time. These attacks frequently exploit our natural tendency to want to help others. They can be in person, electronic or over the telephone, and there are a variety of ways they can be used to take advantage of you:

“Phishing” attacks are designed to steal your personal, financial or log-in information through an email, text message (referred to as “smishing”) or even an automated phone call (“vishing”). The attacks often appear to come from well-known and trusted companies like banks, airlines or industry groups and contain attachments or links to websites that look legitimate but are really there to steal account log-in information or host malware ready to attack the recipient’s computer as soon as he clicks on any of the links. These emails and messages can also be used to lure victims into contact with scam artists posing as potential clients or officials offering to release substantial funds if only the target would be so kind as to hand over detailed personal information or a sum up front.

A spear phishing email is a personalized version of a phishing attack looking for the weak link in an otherwise strong network. It will be aimed at a specific target (rather than a general phishing email intended to ensnare whoever falls for it) and typically includes personal or professional information to make the recipient trust the sender. These details can come from online sources like LinkedIn, Facebook and other social networks, from business-related websites, or from particulars obtained directly from coworkers via social engineering.

Spear phishing emails often appear to come from a familiar source like a friend, family member, colleague or a business you deal with regularly. This is because of a process known as “spoofing,” in which the actual sender hides his identity, and the “from” field in the email shows the fake sender’s name, not the real one.
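The spoofing described above leaves traces in the headers: the name a reader sees in the “from” field is not the address the mail system actually used, and the reply or bounce addresses often point somewhere else again. The following is an added example, not code from the original post, of a small defender-side check that surfaces those mismatches. Both messages are constructed samples, and the domains in them are placeholders.

```python
"""Heuristic check for a spoofed "From" header, written as an added example
for this post (not code from the original article). The two messages below
are constructed samples, not real mail."""
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoof_indicators(raw_message: str) -> list[str]:
    """Return a short code for each mismatch between the name a reader sees
    and the addresses the mail system actually used. An empty list means
    these heuristics found nothing, not that the mail is genuine."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. A display name that itself looks like an e-mail address at another
    #    domain: the reader sees the name, the mail really comes from elsewhere.
    embedded = re.search(r"@([A-Za-z0-9.-]+)", from_name)
    if embedded and embedded.group(1).lower() != from_domain:
        findings.append("display-name-domain-mismatch")

    # 2. Replies routed to a different domain than the visible sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 3. Envelope sender (Return-Path) at a different domain. Mailing lists and
    #    bulk senders trigger this legitimately, so treat it as a weak signal.
    envelope_domain = domain_of(msg.get("Return-Path", ""))
    if envelope_domain and envelope_domain != from_domain:
        findings.append("return-path-mismatch")

    return findings


# Constructed sample: all headers agree with the visible sender.
LEGITIMATE = """\
Return-Path: <pat.jones@example-bank.com>
From: Pat Jones <pat.jones@example-bank.com>
To: you@example.org
Subject: Quarterly statement

Your statement is attached.
"""

# Constructed sample: the visible name claims example-bank.com, but the real
# address, the reply address and the envelope sender are all somewhere else.
SPOOFED = """\
Return-Path: <bounce@bulk-sender.example>
From: "Pat Jones <pat.jones@example-bank.com>" <mailbox123@mail-relay.example.net>
Reply-To: pat.jones.support@example-mail.com
To: you@example.org
Subject: Urgent: verify your account

Please confirm your details at the link below.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

Running it prints no indicators for the first message and all three codes for the second. The check is deliberately simple: it reads only what the recipient’s mail client already has, and the same three comparisons are what a mail gateway or a help-desk triage script would start from before looking at authentication results such as SPF or DKIM.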

The data breach at Forbes earlier this year began with an early morning spear phishing attack against a senior executive.

Whaling is an attack that deliberately goes after senior executives, partners and other high-profile targets within a business. The idea behind this approach is that these targets are “big fish” who have wide access within the network yet may not take the precautions needed to keep their own accounts secure.

Pretexting is effectively in-person phishing to gain information or access to a restricted area. The term “pretexting” refers to the setup used to convince the target that there is a justifiable reason (or pretext) to divulge the information or access the person is after. These attacks can take a wide variety of forms, often revolving around someone (or a team) creating a distraction or masquerading as someone who could have legitimate access to the system they’re targeting. It could be someone who claims to be from “corporate,” a fake contractor, fake IT personnel or something as random as a “fire inspector” allegedly checking the office for imagined safety hazards while an assistant/accomplice surreptitiously places devices to monitor or siphon sensitive data from the victim network.

Another in-person bit of trickery is “tailgating.” That’s when someone who claims to have forgotten their company ID, etc. asks you to hold the door behind you, allowing him into a restricted area. The same term is also sometimes used to describe someone asking to briefly borrow your phone, tablet or laptop to check something quickly and actually downloading malware instead.

Live social engineering attacks can also come by phone, such as fake “technical support” calls offering to fix imaginary problems with your computer if you will just allow the caller to briefly take control of it remotely.

Baiting is a type of attack in which a piece of portable electronic storage media like a CD-ROM, laptop or USB stick drive is left at or close to the target’s workplace to tempt the curious victim into seeing what’s on it. These will often carry an official-looking logo or markings to make them especially tempting. How curious would you be to look at something labeled “Senior Executive Compensation – 2014” (with your company’s logo on it)? Of course, once the disc, laptop or stick drive is connected, it will quietly download malware onto the network.

And, yes, this initial intrusion into the network will likely be traceable back to you.

What can you do to avoid being the weakest link? The one thing these attacks all have in common is that they rely on you to go along with the story they’re selling. The single best thing you can do whenever you receive an unsolicited electronic message or call from a business or someone you don’t know personally is to assume that it’s fake. Never click on links, open attachments, call phone numbers or use any other method of contact contained in any unsolicited emails, texts or calls. If you think the email, etc. could be legitimate, contact the alleged sender via phone or their official website.

If an email that appears to be from someone you know seems out of character, unexpected or strange in any way, give the sender a call to see if it really came from her.

When someone asks you to help her access something – or someplace – restricted, ask yourself why she needs your help. Also, it never hurts to take a moment to check out the story you’re given. A quick phone call (not using a number she gives you) can derail a social engineering attack before it starts.

Tempting though it may be, opening that conveniently abandoned stick drive, etc. yourself is a bad idea. Take it to your company security or IT personnel.

Speaking of which, an IT department can (and should) take steps to help protect a network from electronic intruders, including the installation of network security software, but don’t forget that the first line of defense against a social engineering attack is you.

Health Insurance Exchange Scam Alert: Beware of Fake Websites

The Identity Theft Resource Center (ITRC) has growing concerns regarding the potential for new scams concerning the implementation of the Health Insurance Exchange (HIE) websites as part of the Patient Protection and Affordable Care Act (also known as Obamacare). These exchanges are currently online with enrollment due to start on October 1st.

According to the Act, each state must implement insurance exchanges. These exchanges are to serve as online marketplaces (websites) for consumers to compare rates and make choices about which health insurance coverage is best for them. Each state has the ability to determine the best way to manage these exchanges in order to meet the needs of their uninsured residents.

The open enrollment period for these exchanges begins on October 1, 2013. There have already been some predictions that there will be “bugs and glitches,” to quote President Obama, during this process. IT professionals are already voicing concerns regarding the ability to handle the amount of traffic anticipated on the first day of the rollout. However, no one is talking about ensuring that consumers actually know and understand where to go in the first place.

There is huge potential for misinformation and misunderstanding with this new insurance exchange program. Consumers will now be mandated (or face a penalty come tax time) to purchase health insurance if they don’t have existing coverage. The official website, www.healthcare.gov, will be used by the majority of the states. But 17 states have opted to manage their own unique exchange with a different URL. This has the potential to cause much confusion for consumers. While it may appear that this information would easily be located via an internet search, our experience was that the official website was not easy to locate. In fact, when we searched for “health insurance exchange official websites” (rather than “website”) the websites for the 17 states that have their own unique URLs appeared, but www.healthcare.gov did not appear on the first page.

From our experience with scams and fake websites, we believe it would be extremely easy for scammers to create multiple websites that will trick consumers into thinking that it is either the federal health exchange website or one of the alternative state websites. Without known and reliable sources, there exists a great opportunity for gaming of the Internet search engines to attract consumers to websites intent on harming them by eliciting the fraudulent collection of personal identifying information (PII). There is a need to present factual information about which websites represent the accredited websites for the new insurance exchanges.

While there is a comprehensive list of insurance exchange websites on www.healthcare.gov, we are concerned that consumers may not find their way there in the first place. Already our searches indicate that there are organizations using keywords such as “Obamacare” and “Health insurance exchange” in the paid advertising section that are not the official insurance exchange websites. While these websites may not be scams, our concern is that it will only be a matter of time before imposter websites intent on real consumer harm surface.
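The imposter sites the two paragraphs above anticipate tend to resemble the official address in one of two ways: a near-miss spelling of the official name, or the official name wrapped in extra words under a different domain. The block below is an added example, not the ITRC’s own code, of how a consumer-protection organization, a search-ad reviewer or a browser add-on could screen an address against a list of the authentic exchange sites. Only www.healthcare.gov is a real entry; the state entry is a placeholder, and every candidate address is constructed.

```python
"""Classify a hostname or URL against a list of official exchange sites, as an
added example (not the ITRC's own code). Only www.healthcare.gov is a real entry;
the state entry is a placeholder and all candidate addresses are constructed."""
from urllib.parse import urlsplit

OFFICIAL_SITES = {
    "www.healthcare.gov",           # federal exchange named in the article
    "exchange.example-state.gov",   # placeholder for a state-run exchange
}


def hostname(url_or_host: str) -> str:
    """Extract a lower-cased hostname from a full URL or a bare host name."""
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host
    return (urlsplit(url_or_host).hostname or "").rstrip(".")


def registrable(host: str) -> str:
    """Last two labels of a hostname (a simplification: it ignores suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


OFFICIAL_REGISTRABLE = {registrable(h) for h in OFFICIAL_SITES}


def classify(url_or_host: str) -> tuple[str, str]:
    """Return ("official" | "lookalike" | "unrelated", reason) for an address."""
    host = hostname(url_or_host)
    reg = registrable(host)
    if reg in OFFICIAL_REGISTRABLE:
        return "official", f"{reg} is on the official list"
    name = reg.split(".")[0]
    for official in OFFICIAL_REGISTRABLE:
        official_name = official.split(".")[0]
        # Official name embedded under someone else's domain, e.g. with -gov or extra words.
        if official_name in host:
            return "lookalike", f"contains '{official_name}' under a different domain"
        # Typo-squatting: a label within two edits of the official name.
        if levenshtein(name, official_name) <= 2:
            return "lookalike", f"'{name}' is within 2 edits of '{official_name}'"
    return "unrelated", "no resemblance to an official site"


if __name__ == "__main__":
    # Constructed candidates, as they might appear in search results or ads.
    for candidate in ("www.healthcare.gov", "https://healthcare.gov/",
                      "healthcare-gov.com", "heathcare.gov",
                      "example-insurance-broker.com"):
        verdict, reason = classify(candidate)
        print(f"{candidate:32} {verdict:10} {reason}")
```

The “lookalike” verdict is a flag for a human to review, not proof of fraud; a legitimate broker can also put “healthcare” in its domain. The useful property is the reverse one: anything that is not “official” is not where a consumer should type a Social Security number, whatever the page looks like.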

This concern has a historical basis. The Fair Credit Reporting Act (FCRA) requires each of the Credit Reporting Agencies (CRAs: Experian, Transunion, and Equifax) to provide consumers with one free credit report annually. Confusion still exists between www.annualcreditreport.com, which is the court-mandated website hosted by the credit reporting agencies that actually provides annual free credit reports to consumers, and other websites that offer free credit reports or free credit scores such as www.freecreditreport.com, hosted by one of the credit reporting agencies. Soon after the creation of the original mandated website, dozens of look-alike websites were created. Consumer protection organizations, including the Federal Trade Commission, continue to educate consumers about this to this day (Consumer Information: Free Credit Reports) even though the mandated free website was launched in December 2004.

With the operational launch of these new insurance exchanges just a few short months away, consumers will be scrambling to comply before the January 1st, 2014 deadline. We already stated that we expect consumers to use search engines to locate the particular website they are supposed to use, and that the searches are inconsistent. With that knowledge, will regulators put provisions in place to identify, deter, monitor and address imposter websites? Or do they presume that the existing regulatory or enforcement provisions will deter those who create malicious fake websites intended to capture the personally identifiable information of consumers? Information provided to a fake insurance exchange website could be used to commit identity theft and other frauds.

There will be two types of imposter websites that will require redress. Not all imposter websites are created equal. There are differing levels of harm depending upon the type of imposter website consumers discover. There are legitimate businesses cutting corners and engaging in misleading tactics to secure new business and there are outright scam websites, whose intention is to secure personally identifiable information for malicious use.

Phishing and smishing could eventually come into play.

In 2012 “Imposter Scams” ranked 6th (out of 30) in the list of most complained about fraud events according to the FTC Consumer Sentinel Report. The 82,896 complaints represented 4% of the total complaints received by the FTC.

This category is defined by the FTC as “complaints about scammers claiming to be family, friends, a romantic interest, companies, or government agencies to induce people to send money or divulge personal information.” Complaints included the following: Scammers posing as friends or relatives stranded in foreign countries without money, scammers claiming to be working for or affiliated with government agencies, and scammers claiming to be affiliated with a private entity (a charity or company).

By far, the largest subtype of scam was regarding government agency imposters, with over 43,000 of the total in that category. Previous years’ statistics indicate that year over year, government imposters were the most complained about subtype: 47,454 in 2011 and 49,321 in 2010.

This demonstrates that the scammers continue to find impersonating the government to be a lucrative enterprise. Since this is a new program, even those consumers who normally know not to click on strange links in emails or respond to unknown senders of text messages, may feel compelled to respond and potentially share their personally identifiable information via these means. Why should we believe that the health care exchanges will be immune to this kind of impersonation?

If past behavior is an indicator, we can be sure that there will be financial harm to at least some of these victims.

The Internet Crime Complaint Center (IC3) 2011 report states that it received approximately 39 complaints per day regarding FBI impersonation email scams. IC3 presented a total loss for this type of impersonation scam (via phishing emails) as over $3 million. This number is just for the complaints that the IC3 received and does not take into account all the unreported losses.

A fundamental part of the Identity Theft Resource Center’s mission is to serve as a relevant national resource on topics such as this. In an effort to provide consumers with the important information they need about potential insurance exchange scams, the Identity Theft Resource Center has developed a scam alert and posted additional information on its website to help educate consumers.

The Identity Theft Resource Center is hopeful that there will be strong and coordinated efforts to educate consumers as to the authentic websites for these exchanges. As they differ from state to state, universal messaging will be difficult to coordinate. Of course, there will be glitches, and as with any new process, we will only discover what these are when the actual user experience is reviewed. However, these efforts need to take place now.