Trust the Biggest Casualty of Hacking

by

I’m always thinking about the damage caused by the disinformation that inundates us every day.

While disinformation comes in many forms, I’m primarily talking about the social engineering tactics designed to con us into divulging valuable data. Whether they result in tangible losses or not, the results can feel criminal to those victimized by them.

As an IT business owner, I have seen these scams cause data loss, login credential theft, financial and reputational harm, and legal hassles, among other things. They reduce efficiency and increase anxiety at work and home.

Worse, however, is the erosion of our ability to TRUST.

The FBI reported that Cyber criminals cost U.S. consumers and businesses approximately $9 billion in 2023, but their most devastating impact might be the theft of our trust in what we read, hear and see in every aspect of our lives.

Emails, texts, phone calls, books, ads, websites, podcasts, articles, social media, streams, pictures, graphics, videos — the proliferation of false information using such communication methods causes us to reflexively fact-check so much of what we consume — unless we know it to be true from personal experience.

Much of our distrust stems from social engineering. For instance, cyber criminals engineer phishing emails, texts and phone calls to try to trick us into handing over our Personally Identifiable Information, or login credentials to email, financial, healthcare, public utility, government, social media and other online accounts.

Social media, particularly X (Twitter), Facebook and Tiktok, contribute greatly to the loss of our trust, too. The onslaught of false memes and posts threatens to turn right and wrong upside down.

I receive calls and emails from clients every month trying to determine the legitimacy of fake email invoices from brands such as Norton or Quickbooks, extended warranty offers on their car or from Dell, text messages inquiring about a property for sale that they don’t own, or cons preying on their desire to help those less fortunate through donations.

It also gives us pause with good emails, phone calls or texts, as the phish, with the help of AI, look as convincing as legitimate messages. We can become paralyzed trying to decide whether to click or not, whether to open or not, until we get help from another source, such as websites devoted to unmasking scams, or family, friends or colleagues.

It has become so bad that I have customers questioning whether they actually owe payments on invoices with companies that they know they do not do business with.

How do we handle the barrage of this kind of disinformation?

First of all, don’t reply to the email, text, or phone call. I have seen more than one customer, indignant at a fake bill, call the number in the email to dispute it and get burned for thousands of dollars.

Instead, perform due diligence … due diligence … and due diligence.

Whether performing vendor risk assessments, market research, business intelligence, or any other kind of research, or contemplating the legitimacy of an email or text, we must perform due diligence to separate fact from fiction to make sound decisions.

So, be sure to be diligent, and reclaim your ability to TRUST.

For help selecting your next cybersecurity solution or cybersecurity awareness training for your employees, contact me at 302-537-4198, ericm@flexitechs.com or on our Contact form.

Cybersecurity Awareness a Year-Round Job

by

Cybersecurity Awareness Month heightens our vigilance in October, but we can’t let our guards down at any time of year anymore, especially during the holiday shopping season.

Small businesses are not likely to be attacked directly by cyber criminals unless you do business with more valuable targets. You will, however, be attacked with the phishing emails that hackers  deploy in the hopes that some “fish” will take their bait.

Cyber criminals now use AI writing tools to help make their phishing emails more convincing, too.

You can, however, spot phishing emails by remaining diligent at all times.

My Golden Rules for handling emails:

  • If you don’t know the sender, do not click any links or file attachments. Delete the email.
    • If the email is relevant to you, go directly to the sender’s website in your browser.
    • For well-known brands, hover over the link (don’t click) to see if it goes to the brand’s website (i.e., dell.com versus something.com/dell)
  • If you know the sender, but receive an unexpected email from them, do not click links or file attachments until you confirm that the sender you know actually sent it.
    • Do this by phone — a hacker could hijack the email account and make it look like the sender you know is providing confirmation.
  • If you mistakenly click on a link in an unexpected email, and it takes you to a page to change your password, do not enter your password. Close the page.

Below is a phishing email that I received that incorporates elements of many phishes:

Phishing email characteristics

As you can see, this phishing email:

  • Uses the International date format (day / month) versus the month / date format that I would expect in the U.S.
  • The From: email address is not @intuit.com or @quickbooks.com. It’s @updatessoftware.info.
  • The phone number shows up in searches for known scams.
  • Hovering over the link reveals it goes to techsales.info instead of intuit.com or quickbooks.com.
  • Awkward language
  • The text uses fear tactics by claiming the database will be corrupted and backups automatically removed, preventing recovery, if the deadline is missed.

What would I do with this email?

This email caught my attention because I knew that Quickbooks is requiring desktop software customers to upgrade before Sept. 30 if they want to continue using the desktop software instead of Quickbooks Online.

The International date format, however, gave me pause initially. The fake From: email address sealed it.

Had the hackers spoofed a legitimate Quickbooks email address, the other elements would have still confirmed this as a phish.

You also want to protect your passwords as follows:

  • Use a password manager such as one of these.
  • Do not send passwords in emails and text messages unless encrypted
  • Do not use the same passwords for business and personal use
  • Do not store passwords in word processing files or spreadsheets
  • Do not share your passwords with anyone, including co-workers

If you want more in-depth information about cybersecurity awareness, you can visit the Cybersecurity and Infrastructure Security Agency (CISA) website at https://cisa.gov.

Off-Boarding Employees

by

It happens to every business that has employees. At some point an employee will leave for a variety of reasons including retirement, striking out on their own, health reasons or what they perceive to be a better opportunity at another company.

One interesting look at turnover rates comes from a study of employees changing their employers on LinkedIn. It found that 11 percent of employees posted new employers on their LinkedIn Profile during the 12-month period of their study in 2021 and 2022.

That doesn’t surprise me. In fact, judging by the number of LinkedIn profiles of employed people who still advertise their availability, I believe the number could be higher than 11 percent.

So, accepting that you will have turnover, how do you safely off-board those who leave from an IT standpoint?

The following technology off-boarding checklist will help mitigate the risk of losing valuable corporate knowledge and business in the departing employee’s transition.

Knowledge Loss
Be sure to query the departing employee about specific knowledge of their job that might not be in company manuals and procedures.
If involved in Sales, be sure the departing employee provides all contact information for Customers and Leads.

Social Media accounts
Change or delete the employee’s accounts on all Social Media.

Application logins
Change / disable / delete the employee’s login credentials on all Cloud and Desktop applications.

Email logins and forwarding
Change / disable / delete the employee’s Email login credentials.
Set up forwarding of the employee’s emails to someone else within the organization until customers become aware of the replacement.

Company Device Recovery
If the employee uses company devices such as Smart Phones or Tablets, recover the devices.

Recovering Data from Personal Devices
If the employee used his / her own devices, recover all company information from those devices.

Revoking Access
Disable / Delete access to the devices, applications, files and databases the employee accessed over the corporate network.
Revoke access to the physical building(s).

For help setting up an Off-Boarding Policy for your company, contact me at 302-537-4198, ericm@flexitechs.com, or on our Contact form.

How do I Switch from Windows 10 to 11?

by

If you’re ready to upgrade from Windows 10 to 11, consider the first three questions in this series first and your computer’s compatibility with Windows 11.

Windows 11

The Top 5 Questions about Windows 11

After doing so, you need to go to the Windows Update section of your Settings. There, you may see a link to download and install Windows 11 if Microsoft has determined your computer meets the hardware requirements to do so.

If you see it, click the Download and Install button or link and follow the prompts to perform the upgrade to Windows 11.

If you don’t see that, click “Check for Updates” and see if it gives you the link to download and install Windows 11.

If not, download and run the PC Health Check utility from Microsoft.

If the utility deems your computer suitable for the upgrade, see if you get the “Download and Install” button and if so, follow the prompts to upgrade to Windows 11.

Of course, this is Microsoft and at times the procedure won’t be as simple as advertised. Case in point — I have already seen that my 2-year-old Lenovo Desktop with 3.6 ghz processor and 8GB of Ram and 256GB SSD hard drive does not qualify for the upgrade because the processor does not match an obscure setting that Microsoft has decided not to support.

If you don’t see the Download and Install button or link or Windows Update or the PC Health Check utility tell you you can’t upgrade your PC to Windows 11, contact us at FlexITechs to take a look for you.

As always, these upgrades will create conflicts with existing applications and hardware. So, if you need to buy a new computer make sure your existing applications and peripherals will work with Windows 11. For an existing computer, we recommend waiting a couple of months for the bugs to reveal themselves before upgrading.

Tomorrow’s Question — Do I Really Need to Upgrade to Windows 11?