ICAHN Information Technology Blog
Every year, the bad guys take advantage of innocent taxpayers, like you, who are patiently waiting on their tax return.
Last year, the IRS noticed a significant increase in phishing attempts to steal money or tax data, therefore you must be on high alert.
How it Happens: Tax Scams and Malicious Activity
The bad guys have a number of tax-related tricks up their sleeves when it comes to stealing your money and/or sensitive information. Here are a few examples of sophisticated tax scams that have been found in the wild:
- Scammers send emails posing as tax service companies by spoofing emails and using stolen logos. Once you respond to the email with personal data or tax information, they can pocket your hard-earned money.
- Similar to the scam above, the bad guys send look-alike emails containing hyperlinks that lead you to malicious websites or fake PDF attachments that download malware or viruses to your computer.
- Tax scams aren’t limited to emails! Be on the look out for callers posing as IRS representatives claiming you owe money that must be paid immediately. The callers typically threaten arrests, deportation, or suspension of business or driver’s license.
Keep in mind, these are only a few examples and these scam artists are constantly coming up with new ways to fool you.
How Do I Know it’s a Scam?
Always remember the following during tax season, and all year long:
- The IRS will always mail a bill before calling you about taxes owed.
- The IRS will never ask for credit or debit card numbers over the phone.
- The IRS will never immediately threaten to arrest you for not paying taxes owed.
- The IRS will always offer the opportunity to question or appeal the amount owed before demanding your payment.
- The IRS does not use emails or text messages to discuss personal tax matters, such as taxes owed or tax refunds.
Only share sensitive data over email when there is no other alternative and you’re certain the recipient is valid.
If you’re reading this, there is a good chance that you have multiple internet-connected devices in your home. These devices make our lives easier, but they also make us easy targets for cybercriminals. So, whether you are connecting on social media, shopping online, or listening to music on a smart speaker, here are some cybersecurity tips for everyday use:
Social Media Safety
- We recommend keeping your social media profile set to private and only connecting with people who you know and trust.
- Don’t share anything online that you wouldn’t want to be made public. No matter how cautious you are, any information posted on social media can still fall into the wrong hands.
- Watch out for posts that trick you into oversharing. For example, there are a number of popular posts that give you a silly nickname based on random personal details. These personal details, such as your first pet’s name or the year you were born, can be used by cybercriminals to guess passwords, answer security questions, or even to spoof your social media profile.
Online Shopping Safety
- Only shop at well-known, reputable websites.
- Only pay using a credit or debit card. Never agree to send cash or wire money to a seller.
- Shop around—not for the cheapest deal, but the safest. A website that is offering a product for a third of the price of other retailers is a red flag. Remember, if a deal seems too good to be true, it probably is.
Smart Device Safety
- Smart speakers and some smartphones have an “always listening” setting to allow you to call its name when you need assistance. We recommend turning this setting off if you don’t use it. If you do use this feature, mute the microphone any time you’re discussing sensitive information or while working from home.
- Like a web browser, smart devices keep track of your activity history. Review this history periodically to check for any unusual activity. We also recommend clearing your history on a regular basis.
- Keep your devices up-to-date. Smart devices receive important security patches through software updates.
If you’re known to dabble in a little online browsing, odds are you’ve encountered a pop-up once or twice. There are times when a user may think, “Wow, that’s a great deal!” and click on a pop-up. To those users: put down the mouse. Why? That pop-up could be malicious or dangerous.
There used to be a time when malicious pop-ups were only on questionable sites, but those days are gone. Hackers are smart and develop ways to inject malicious malware into pop-ups and online advertisements - even on the most trusted sites.
One of the most common attacks we see occurs when you visit a site and a pop-up appears that says, “Your computer is infected! Download our antivirus now!” If you click on this, a bogus virus scan will start. After the “scan” completes, you’ll be asked to pay for a full-version of the software or to call a helpline to connect with a support representative.
Spoiler alert: The software is not real and the fake support representative will take control of your computer to try and “fix” the issue, but end up causing more damage.
How to prevent
Although hackers are smart, you can be smarter. Here are some tips to protect yourself from these types of attacks:
- Avoid clicking on pop-ups.
- Update your operating system regularly - don’t postpone or snooze updates!
- Use web-filtering software to warn you before accessing potentially harmful sites.
Remember, these attacks are only successful if we fall for them. Stay alert and be cautious!
Facebook now has over a billion users, and that's a mind-boggling number of people who check their page regularly. The bad guys are irresistibly attracted to a population that large, and here are the Top 5 Scams compiled from KnowBe4 Security they are trying to pull off every day of the year.
- Who Viewed Your Facebook Profile: This scam lures you with messages from friends or sometimes malicious ads on your wall to check who has looked at your profile. But when you click, your profile will be exposed to the scammer and worse things happen afterward.
- Fake Naked Videos: There are tons of fake naked videos being posted all the time using the names of celebrities like Rihanna or Taylor Swift that sometimes make it past the Facebook moderators. These scams are in the form of an ad or a post and have a link to bogus YouTube videos. That site then claims your Adobe Flash player is broken and you need to update it - but malware is installed instead!
- Viral Videos: Viral videos are huge on social media platforms. If you click on one of these "videos" you'll be asked to update your video player (similar to the scam above) but a virus will be downloaded and installed instead. To avoid this, type the name of the video into Google and if it doesn't have a YouTube or other legitimate site link, it's likely a scam.
- Fake Profile Scam: Scammers are stealing the name and pictures from an existing profile and "friending" the real person's friends in efforts to scam friends and family by faking an emergency. Be very cautious of accepting friend requests from someone you're already friends with.
- Romance Scams: A specific type of "Fake Profile Scam" where con artists create a fake profile using the photos and stories of another person, and then develop "relationships" with their victims over posts, photos, and Facebook messenger. These scammers typically shower you with romantic language, promise happiness, and eventually con you into giving up personal information, or even money. Avoid personal and financial heartbreak, don't "friend" people you don't know in real life.
Facebook is used for connecting with people you know. Be especially cautious of "friending" strangers, and of clicking on links in suspicious posts, and in messages. Stay away from these traps if you want to avoid giving away personal information or getting your PC infected with malware.
One of the easiest ways the bad guys trick you into falling victim to their fraudulent scams is to exercise a sense of trust by pretending to be someone you know. More than likely, you receive emails from your Human Resources team on a frequent basis. Scammers take advantage of this constant communication by crafting spear phishing attacks using emails that spoof your HR team.
Spear phishing attacks are email scams that typically target an individual or organization by spoofing, or appearing to come from a trusted sender. Don’t blindly trust emails that seem to come from your HR department. See the tips below to learn more about these types of scams.
How Do I Spot a Fake?
Does this sound like typical communication?
- Pay attention to the context in the body of the email.
Look for spelling errors, grammar errors, and odd sentence structure.
- Are you being asked to review unfamiliar policies or procedures?
If you’re being asked to download an attachment or click a link to review a policy you’ve never heard of, think twice before you click.
- Are you being asked to do something that wouldn’t typically be addressed via email?
Beware of emails containing an attachment for your “paid bonus” or any other matter that seems out of the ordinary for email communication.
Who sent the email?
- Does the sender’s email address appear to be from an unfamiliar domain or a third-party company?
If the domain of the sender’s email address is generic, for instance, “humanresources.com”, the email may not be from your internal HR department. Ensure the email is from an address that your HR team typically uses to send mail. But remember, even if the domain is from your organization, it could be spoofed.
- Does the email signature make sense?
Ensure the signature in the body of the email matches the name and job role of the sender. Some HR phishing scam emails have unusual, or inaccurate job titles in the email signature–or have no signature at all.
When in doubt, always pick up the phone and call someone from your HR team to confirm the email is safe and legitimate. They’ll be thankful you used your resources, rather than putting your organization at risk.
Creating strong passwords should be the number one priority in keeping your online world safe. Having weak passwords could result in stolen identities, loss of data or money, and even the loss of a job and/or reputation.
You’ve likely heard recommendations for creating secure passwords before. Experts suggest using long, complex, and random combinations of words, letters, numbers and special characters. Follow the tips below to improve your password safety practices:
- Improve the strength of your passwords. Strong passwords are usually made up of at least eight characters. They should contain numbers, uppercase and lowercase letters, as well as special characters.
- Use passphrases. Recently, security standards strongly recommend using a passphrase rather than a single word. A good passphrase is one that is unique to you so that you can remember it, but is also secret enough that no one else can guess it.
- Never use personal or obvious information in your passwords. For example, never include your name, email address, phone number, birth date, or any other information connected to you.
- Never use the same password for multiple accounts. If cybercriminals steal your password from one account and you’re using that password on other accounts, then you’ve given them the key to all of the accounts where you’ve used the same password.
- Use a password manager. If your organization allows it, use a password manager to create, store, and sync complex passwords across multiple devices. Password managers only require you to remember one master password. Ask your internal IT (or other applicable) team to see if this is something you can do.
Most importantly, if there is one available, always follow your organization’s password policy. Password policies are created to keep you and your organization safe.
Help to protect your organization (and your family) against cybercrime by improving your password safety today!
Visit any website these days, and it’s very likely that you will be viewing ads as well. Sometimes these ads can be tempting, with many offering sales, promotions, or freebies to attract more clicks. Ads on certain websites can even be targeted specifically to you based on past browsing history, making you even more likely to click!
Remember this: just because you are on a reputable, well-known website, it does not mean that the ads on the website are safe to click as well.
How adspace can become infected: Advertisers do not sell their ads to websites one at a time. Websites that want to make money sell their advertising space to an ad network. Advertisers sign contracts with that ad network which then displays the ads on the participating websites. The ad network sits in the middle between the advertisers and the websites and manages the traffic and the payments.
Cybercriminals can take advantage of this system by fooling the ad networks into thinking they are a legit advertiser, but the ads which are displayed on major websites can be poisoned. If you browse to a page with a poisoned ad on it, that is enough to run the risk your PC will be encrypted with ransomware, which can hold your computer or your entire network hostage until you pay the cybercriminal a ransom.
Tips to prevent the effect of harmful ads:
- Disable Adobe Flash on your computer - or at least set the Adobe Flash plug-in to "click-to-play" mode - which can block the automatic infections.
- Keep up-to-date with all the security patches and install them as soon as they come out.
- Download and install a reputable ad blocker plug-in for your browser. These prevent the ads from being displayed in your browser to start with. These ad blockers are getting very popular with hundreds of millions of people using them.
You've probably seen people wearing security badges at their place of business. Can you think of how many different organization badges you recognize in your area? Would you be able to recall the details of the badges you've seen?
Is there a picture on the badge? If so, do you know where it's located? How big is the picture? What color is the badge? Where is the person's name located on it? With all that information, do you think you could make one that looked similar?
That's the sort of detail the bad guys are taking note of when you aren't careful with your security badge. With the advancement of technology and image creation and editing becoming commonplace, it is increasingly easy for attackers to replicate the look and feel of security badges. Within hours, attackers can recreate your badge with their name and picture. They can then use this badge to gain access to your organization.
Badge Security - Do's and Don'ts
It's important that you are responsible for your security badge and practice proper badge use. If your organization has a formal policy on proper badge use, please refer to that policy.
Here are some general guidelines on the do's and don'ts of badge security:
DO: Wear your badge at all times while inside the building.
DON'T: Do not wear your badge while you are in public place. When you wear your badge in public, you are also advertising where you work. Attackers can better target an organization or spear phish an individual, if they know their name and where they work.
DO: If you've lost your badge or suspect it has been stolen, make sure to report it as missing immediately.
DON'T: Never let others use your badge if they have forgotten theirs.
Next time you leave for lunch break or leave the office, put your ID in your purse or pocket so that others cannot easily gather that information from you.
Scammers are seeking to obtain personal information by impersonating Canadian hospital staff over the phone, NEWS 1130 reports. Vancouver Coastal Health issued an alert in which the healthcare provider warned people not to give out their personal information if they receive an unsolicited phone call from someone claiming to work for a hospital. The organization said the scammers may be spoofing the phone numbers of local hospitals, so people shouldn’t trust what appears on caller ID.
How can you tell if an email is safe? Even if you catch red flags in an email, such as typos or poor grammar, an urgent demeanor, or even a spoofed domain, how can you truly decipher the safety of an email? An immediate step you can take is to watch out for more of the most critical tell-tale signs of a phishing email - a mismatched or fake URL. Hovering not only allows you a moment to think before proceeding, it allows you the opportunity to see where a link is going to redirect you. This is especially important because not all links lead to where they appear, or insinuate they'll go.
When you hover, check for the following to ensure you're staying safe and secure:
- If the email appears to be coming from a company, does the hover link match the website of the sender?
- Does link have a misspelling of a well-known website (Such as Micorsoft.com)?
- Does the link redirect to a suspicious external domain appearing to look like the sender’s domain(i.e., micorsoft-support.com rather than microsoft.com)?
- Does the hover link show a URL that does not match where the context of the email claims it will take you?
- Do you recognize the link’s address or did you even expect to receive the link?
- Did you receive a blank email with long hyperlinks and no further information or context?
If you notice anything about the email that alarms you, do not click links, open attachments, or even reply. If everything seems okay, but you're still not sure–verify! Ask your IT team or leadership if the email is legitimate before proceeding. Remember, you are the last line of defense to prevent cyber criminals from succeeding and making you or your company susceptible to an attack.
There has been a significant increase in DNS domain names containing blacklivesmatter or George Floyd's name, and there is a good chance some of those are owned by people with malicious intent. Social engineers and phishing creators love to use newsworthy events to foist new scams. They know that people's interest in the latest events, natural or otherwise, makes potential victims less likely to be as skeptical when an unexpected email ends up in their inbox, especially if that email is enraging. Natural calamities like earthquakes, tornados, floods, and hurricanes have always been phishing draws. Pandemics, celebrity deaths, political upheaval, cultural unrest, and riots are guaranteed to trick a higher number of unsuspecting victims into clicking on a malicious link or downloading a file that requires their password.
Data breaches continue to be one of the many things that keep IT security people up at night. They are becoming more prevalent every day with many of them containing sophisticated and targeted attacks. It is important to note that not all attacks are initiated by externally facing bad actors. A recent report from Verizon shows that 30% of all breaches were caused by internal users. Some of that was through inadvertently giving up information to outside entities through spoofing/phishing but unfortunately, far too many are caused by sheer negligence, complacency, apathy and ignorance. It is imperative that we remain vigilant in our education efforts within our organization to mitigate these threats. This can be done many different ways; through phishing campaigns, classroom discussions, or annual in-service training. Head on over to Verizon’s website to read the article in its entirety.
COVID-19 has changed the IT landscape for the foreseeable future. During this tumultuous time it's imperative to remain vigilant and adhere to all security based guidelines, policies and procedures in place within your organization. Unfortunately bad actors are being just as vigilant in their use of multiple attack vectors, in an attempt to infiltrate our organizations. Jessica Davis over at healthitsecurity.com has released an article explaining one of the most recent attack vectors used by these bad actors and ways to mitigate the threats they pose. Unfortunately, with an increase in employees working offsite our exposure to these attack vectors continues to widen.