Cybersecurity Awareness a Year-Round Job

by

Cybersecurity Awareness Month heightens our vigilance in October, but we can’t let our guards down at any time of year anymore, especially during the holiday shopping season.

Small businesses are not likely to be attacked directly by cyber criminals unless you do business with more valuable targets. You will, however, be attacked with the phishing emails that hackers  deploy in the hopes that some “fish” will take their bait.

Cyber criminals now use AI writing tools to help make their phishing emails more convincing, too.

You can, however, spot phishing emails by remaining diligent at all times.

My Golden Rules for handling emails:

  • If you don’t know the sender, do not click any links or file attachments. Delete the email.
    • If the email is relevant to you, go directly to the sender’s website in your browser.
    • For well-known brands, hover over the link (don’t click) to see if it goes to the brand’s website (i.e., dell.com versus something.com/dell)
  • If you know the sender, but receive an unexpected email from them, do not click links or file attachments until you confirm that the sender you know actually sent it.
    • Do this by phone — a hacker could hijack the email account and make it look like the sender you know is providing confirmation.
  • If you mistakenly click on a link in an unexpected email, and it takes you to a page to change your password, do not enter your password. Close the page.

Below is a phishing email that I received that incorporates elements of many phishes:

Phishing email characteristics

As you can see, this phishing email:

  • Uses the International date format (day / month) versus the month / date format that I would expect in the U.S.
  • The From: email address is not @intuit.com or @quickbooks.com. It’s @updatessoftware.info.
  • The phone number shows up in searches for known scams.
  • Hovering over the link reveals it goes to techsales.info instead of intuit.com or quickbooks.com.
  • Awkward language
  • The text uses fear tactics by claiming the database will be corrupted and backups automatically removed, preventing recovery, if the deadline is missed.

What would I do with this email?

This email caught my attention because I knew that Quickbooks is requiring desktop software customers to upgrade before Sept. 30 if they want to continue using the desktop software instead of Quickbooks Online.

The International date format, however, gave me pause initially. The fake From: email address sealed it.

Had the hackers spoofed a legitimate Quickbooks email address, the other elements would have still confirmed this as a phish.

You also want to protect your passwords as follows:

  • Use a password manager such as one of these.
  • Do not send passwords in emails and text messages unless encrypted
  • Do not use the same passwords for business and personal use
  • Do not store passwords in word processing files or spreadsheets
  • Do not share your passwords with anyone, including co-workers

If you want more in-depth information about cybersecurity awareness, you can visit the Cybersecurity and Infrastructure Security Agency (CISA) website at https://cisa.gov.

Off-Boarding Employees

by

It happens to every business that has employees. At some point an employee will leave for a variety of reasons including retirement, striking out on their own, health reasons or what they perceive to be a better opportunity at another company.

One interesting look at turnover rates comes from a study of employees changing their employers on LinkedIn. It found that 11 percent of employees posted new employers on their LinkedIn Profile during the 12-month period of their study in 2021 and 2022.

That doesn’t surprise me. In fact, judging by the number of LinkedIn profiles of employed people who still advertise their availability, I believe the number could be higher than 11 percent.

So, accepting that you will have turnover, how do you safely off-board those who leave from an IT standpoint?

The following technology off-boarding checklist will help mitigate the risk of losing valuable corporate knowledge and business in the departing employee’s transition.

Knowledge Loss
Be sure to query the departing employee about specific knowledge of their job that might not be in company manuals and procedures.
If involved in Sales, be sure the departing employee provides all contact information for Customers and Leads.

Social Media accounts
Change or delete the employee’s accounts on all Social Media.

Application logins
Change / disable / delete the employee’s login credentials on all Cloud and Desktop applications.

Email logins and forwarding
Change / disable / delete the employee’s Email login credentials.
Set up forwarding of the employee’s emails to someone else within the organization until customers become aware of the replacement.

Company Device Recovery
If the employee uses company devices such as Smart Phones or Tablets, recover the devices.

Recovering Data from Personal Devices
If the employee used his / her own devices, recover all company information from those devices.

Revoking Access
Disable / Delete access to the devices, applications, files and databases the employee accessed over the corporate network.
Revoke access to the physical building(s).

For help setting up an Off-Boarding Policy for your company, contact me at 302-537-4198, ericm@flexitechs.com, or on our Contact form.

Combatting Social Media Phishing Attacks

by

Of all of the attack methods hackers and cyber criminals have deployed, phishing remains their favorite. Not only that, they’ve re-purposed Phishing from emails to phone calls for Social Media like Facebook, Twitter, LinkedIn, Flickr and Instagram.

In the past year, phishing over social media skyrocketed by 103% according to a report by PhishLabs by HelpSystems. There has also been a 100% increase in sign-ups of fraudulent social media accounts.

Phishing on Social Media uses Social Engineering to take advantage of victims’ lowered diligence on social media. We’re socializing and not as aware of phishing scams as we are in our  email. Consequently, we are more susceptible to Ransomware and Credential Theft via friend requests, direct messages, memes and other Social Media communications methods.

Following are some things you can do to decrease the risk you will become a victim to a Social Media Phishing Attack:

Make Your Profile Private

To mitigate the risk that a cyber criminal can clone your profile to phish your connections, make your Social Media Profiles private to your connections only. This might not be advantageous for a business network like LinkedIn where you want prospects to be able to find you but it will help with your personal Social Media accounts.

Hide Your Contact and Friend Lists

You can hide your friends list or contact list on your social media profile by hiding them from the public. This does not prevent hackers from seeing you as a friend or contact on someone else’s profile but it’s another obstacle that the criminals have to navigate to get to you.

Check Links in Posts and DMs Before Clicking!

Always check links in any unsolicited email, social media post … anywhere … by hovering over the link (not clicking) and viewing the resulting popup of the link to see if it is going where you expect it to. If it is not, be very wary. A link from a company, for instance, should include that company’s name in the domain name (the part that ends with .biz, .com, etc., as in flexitechs.com). If it looks like it’s going somewhere else, either don’t click or perform further diligence if  you are truly intrigued.

Don’t Answer Surveys or Quizzes

You know, the Social Media world doesn’t need to know what car you drive or what your favorite song is or what your dog’s name is. But cyber criminals and unscrupulous marketing companies sure would like to know and profit from that type of in-depth knowledge b y using it to guess passwords to your financial, health care or shopping accounts. Avoid answering these types of questions online.

Don’t Click on Social Media Ads

While many legitimate companies advertise on social media, scammers use the same type of advertising for credit and identity theft. Rather than clicking ads, even if they look legitimate, go to the advertiser’s web site to check the product or service out or make your purchase there.

Perform Due Diligence on Friend Requests

It can be tempting to accept friend requests or connection requests on social media but always be wary of such requests as cyber criminals use that tactic to get into your good graces on the way to scamming you. Before accepting, view the person’s profile and check them out on a search engine. If their social media timeline is sparse, that can be a sign of a scam in progress.

The Internet can be a great driver of business and a fun way to catch up or keep up with friends, but like the offline world, you need to be wary. Follow these tips to give yourself a better chance of avoiding becoming the next victim of a cyber criminal.

Beat Password Fatigue With a Password Manager

by

By now, in 2021, you’ve most likely experienced at least one breach of an account password whether you know it or not.

Perhaps the fallout didn’t prove devastating, but could there be a time bomb lurking in that stolen password that could cause significant harm?

The answer lies in our use of a small number of passwords for a large number of login credentials. From online shopping and banking to social media to personal accounts like the local library, we use the same passwords over and over and over again.

Thus, while we often think to change the password on the breached account, we don’t often think about changing it on every single account that uses that password as well, and we certainly don’t think to change all of our passwords on a regular basis.

To do so would require spending hours to determine which other user accounts we use that password on and hours more to change them all on a regular basis.

Cyber criminals knows this and take full advantage of our password fatigue to try to break into more sensitive accounts once they steal a password themselves or purchase a breached password.

To corral the password monster, you should use a password manager. A password manager at a minimum should encrypt your passwords, generate complex passwords, warn you if a password isn’t complex enough, and be set to require passwords to change regularly.

Other Password Manager Considerations:

  • Automatic Logins
  • Web Browser Extension to manage web site credentials
  • Security Audit that scores your overall password strength
  • Alerts for weak and re-used passwords
  • A Dark Web data breach monitor to alert you when credentials have been caught up in a data breach
  • Secure storage of identity and payment information for online forms
  • Temporary Clipboard storage of copied passwords

If you suffer from password fatigue, contact us at FlexITechs to learn more about our password manager, which meets all of the above features.

Call us at 302-537-4198, email me personally at ericm@flexitechs.com, or submit our Contact form.

Regularly Test Your Backups

by

If you have a Managed IT Services Provider like FlexITechs, chances are good your backups are not only being monitored for failures but also being tested on a regular basis to ensure that files restore successfully when needed.

There would be nothing worse than finding out after a natural disaster, a fire, or a Ransomware attack that has encrypted all of your files that your backups either were failing or that they won’t restore properly.

If testing your backups was not discussed when you signed up for an automated backup plan or you simply don’t know if they are being tested, ask your backup provider or backup software company if they are being tested and if not, how to do this.

In general, to test your backups, perform the following procedures:

  • At least once a month, pick a random backup date and restore a handful of files to see if they restore successfully (be careful not to restore over the current version of those files)
  • At least once a quarter, perform a deeper restore operation of numerous files from different backup dates, again being careful not to overwrite the current versions of your files
  • At least once a quarter, check all files in the most recent backup to be sure that you are backing up all files that you would need to restore
  • On a daily basis monitor your backups for failures. Any good backup software will let you know whether the backup succeeded or failed with an email or within the software itself
  • If you see errors at any stage of the backup or restore processes, resolve those issues or have your IT or backup service resolve them for you.

Keep in mind that if your data is critical to the operation of your business, you should perform the steps above more frequently to minimize the risk of partial or complete data loss when you need to restore from your backups.

For help implementing a backup testing program or an automated backup program if you don’t have one, call 302-537-4198 or email me personally at ericm@flexitechs.com.

New e-Book! Business Resolutions for 2021

by

Small business owners and CEOs face a number of continuing challenges, and even though COVID-19 continues to hamper growth, increasing productivity and efficiency while holding off cyber attacks will continue to be the main issues they must deal with.

For that reason, we have written a new e-Book, “New Year Resolutions for Businesses”, that addresses the primary areas small businesses should focus on to securely increase productivity and security.

For your FREE copy, click this link and submit the form and you’ll also be enrolled in our monthly e-letter that provides advice and tips on a variety of small business IT topics.