Last Friday, while I was in the middle of working with a client at their office, I received a voicemail that set off some alarm bells when I read the transcript. I had received a call from someone claiming to be from the local Sheriff’s department wanting to discuss an important matter. I’ve worked with law enforcement in the past as a consultant on various technical items, so I figured someone had provided my name to this Sergeant as a technology expert. Nope, that was not what he was calling about. This was regarding a “failure to appear” in court on a traffic ticket and a warrant for my arrest.
Talk about “record scratch” moments!
Prior to talking to this person, I had my office call back on the voicemail to verify the number rang through to an actual person. It did, so I called him back. He sounded legitimate, down to the faint southern accent, generous application of law enforcement terminology in our conversation, and the fact that I did have an old fixit ticket that I did resolve – I hadn’t updated my license with my new address after we moved – but was never able to close the loop on, as the ticket was never logged into the county’s online system. (It still isn’t, I just checked again, over a year after it was issued!) He had me sweating for a few minutes, until he brought up the matter of settling this over the phone by paying for a bail bond, which could be done using an app on my phone, as long as either were linked to my bank account. RED ALERT!!! I asked him to verify his identity and badge number, and he also offered to prove he was who he said he was by calling me from their “official” line. He did, and the caller ID displayed a number that, when searched up on Google, showed it was indeed the non-emergency number for the Sheriff’s department he claimed to be from. What he didn’t know was that I know scammers can spoof any number they like, including the Sheriff’s department. Perhaps sensing that he was losing me (a sign of an expert conman) he pulled out all the stops: wanting to know if I was ready to resolve this now or come on down to the Sheriff’s station to turn myself in. When I played dumb and said my GooglePay wasn’t set up with my bank account, he offered to walk me through it.
All throughout this, I was texting with my office to have them actually call the Sheriff’s office to verify this man was who he said he was. While I was verbally fencing with the “Sergeant”, they confirmed my suspicions that this was indeed a known scam, and the person on the phone was not in any way affiliated with the Sheriff’s department. I promptly hung up on the scammer and put in a call to one of our clients who also happens to be one of the top criminal defense attorneys in the county and a former DA. He also confirmed that local law enforcement would not be calling people to post bail via phone, and more importantly, there were no outstanding warrants for my arrest.
Here are the things that set off warning bells on this call, and may provide you with help in identifying similar scams when they inevitably call your cell:
- The scammer absolutely did not want me to hang up with him once he had me on the phone. He went so far as to throw around some official-sounding terminology – a “Mandatory Contact Order” that required he stay on the phone with me to make sure this matter got resolved. Ostensibly this is so that I can’t call for help or advice (like I did anyways, via text), and to keep the intimidation factor active.
- Scammers will always want you to use your bank account, or to have you pay via a method that can’t be reversed, like gift cards or money orders. Credit cards are easily charged back, and often have blocks in place that make them non-starters for scams like this. No legitimate law enforcement agency is going to allow you to post bail on any matter via phone – how do they know the person they are talking to is actually the person named in the warrant?
- Don’t accept a call-back by the scammer from a different number as verification of their identity. Spoofing any number is trivial for them. They can pretend to call from any number that can be found on Google. Hang up and call the organization they are supposedly from on a new call, or have someone next to you do it for you.
- Don’t just assume because the person calling doesn’t have a foreign accent that it makes them more credible. I’ve heard from numerous clients about scam calls from people who were clearly native English speakers with a Western (or no) accent.
- Scammers will often use scare tactics to pressure you into a hasty decision – whether it’s being arrested, or that your name showed up on an FBI watch list for child pornography, or you have unpaid taxes and fines that will be levied against your paycheck. The claims will be hard to verify – more so because the scammer will be doing their best to keep you on the phone talking and not independently verifying whether what they are saying is true. They will often be counting on you wanting to avoid possible embarrassment or exposure so as to isolate you. Don’t be afraid to ask for help from someone you trust!
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
They didn’t invent it, but the internet and specifically platforms like YouTube, provided a huge boost to the “Do-It-Yourself” movement. Instead of having to rely on hands-on training, word of mouth, books or walking back and forth between project and the VCR player, we can now bring up at least a dozen or more videos on just about any crafting, repairing, constructing, cooking, etc. endeavor we can imagine. I just watched a video on how to harvest and smelt iron from bacteria found in streams. It was detailed enough that I might have a reasonable chance at actually doing so, if I were so motivated. You never know if we might bomb ourselves back to the stone age and these types of skills might be important again. But at the point where this might actually become important, things like YouTube and smartphones aren’t going to be available. Perhaps a bad example, but damn if it wasn’t an interesting video.
Let’s assume the Apocalypse isn’t imminent
A less extreme example might be the myriad of repair and construction projects you can find on various household amenities. I also just watched a video on how to install a mini-split air conditioning unit, and assuming I have the tools and manual dexterity to not kill myself while operating them, I believe I have a reasonable chance at actually completing something like that. But what happens if things don’t go exactly as they are depicted in the video? What if I spend many thousands of dollars on equipment, dozens of hours of labor and the darn thing won’t turn on – or worse, it turns on but doesn’t actually work as expected? There are certain types of projects that make sense as a DIY project. Bookshelves from recycled materials? DIY. Three-D printed keychain rack? DIY. Mural for daughter’s bedroom? DIY! Email for your organization? DI-wait a second… Malware protection for your work PCs? Uhhh…nope. Could you implement these solutions for your organization by yourself? Sure. There are probably even videos walking you through it. What most videos don’t contain are the instructions for when things go wrong, or how to make sure you’ve implemented the proper security measures that match your business requirements. YouTube videos and website FAQs can only provide the basics. Experience and training are what make the difference between “hobby-grade” and “enterprise-grade” technology. Trust me when I say your organization deserves (and needs!) technology installed and serviced by experienced professionals. It may cost more up front, but will save you time, money and sanity in the long run.
Image by Peggy und Marco Lachmann-Anke from Pixabay
Though the numbers are dwindling rapidly, there are still plenty of working professionals who have spent more time working without email than with. And now there is a growing labor pool for whom email is seen as yesterday’s technology (they are not wrong!) and who probably do not place as much importance on it as the majority of the world’s current knowledge workers do. Like it or not, email is still a pillar of the world’s work processes, and now that criminals have settled into their “groove” exploiting it, there can be no exceptions to taking email security seriously.
Your email service should be robust and secure
Rather than tapering off like many other types of cyber-attacks, email hacking continues to grow in frequency, sophistication and damage impact. For most folks, as we have frequently said in the past, getting hacked is not a question of “if” but of “when”, but there are ways to keep your email secure. Can it be made perfectly secure? No, but you will greatly improve your chances of fending off an attack when it eventually comes.
- Your email should be professionally hosted by a company that keeps its infrastructure up to date, continually monitors security and can provide human-based support to its customers. Most free-mail platforms can’t/don’t do this, and it follows that your organization should not rely on free-mail services.
- You should have 2-factor authentication enabled for your email accounts. Not having it on is now considered a huge security liability. Not only will it result in your account getting hacked, it may disqualify you from being insured. If I had to guess where we are headed in terms of cyber-liability coverage, I would say we are maybe only a year or two from it being a requirement with no exceptions.
- You need 3rd party email filtering. Even the big boys in email hosting (Microsoft and Google) only go so far with their email filtering. While their baseline capabilities are still light-years ahead of the free-mail platforms (and free versions of their own services), it’s increasingly obvious that their focus is on the core technology of delivering email and securing your accounts, leaving spam and malware detection to companies that focus only on that.
- If you send confidential data through email, it must be encrypted. This isn’t just good security practice, this is actually the law in some cases especially where it comes to PII, medical and financial information, but email encryption is not something that most email services come with “out of the box” and must be added on through additional configuration or even separate vendors. This is another area that is already being used to determine your organization’s insurability.
- Strongly consider email backup services. Most folks store a ton of information in their email boxes and take for granted that because it’s hosted “in the cloud” that they don’t need to back it up. While it may be possible to have your email provider restore accidentally (or purposefully!) deleted emails, if you don’t notice in time (usually 30 days or less) that email is gone forever. Email backups are extremely affordable and literally require zero-attention from you, just a watchful eye by your IT professional.
Image by CrafCraf from Pixabay
If you are a long-time reader of this blog, you’ll know that while the majority of our focus is on business technology, I like to keep an eye on all technology, especially issues that can affect our quality of life and personal safety. Hondas are very popular (even here in Los Angeles where it seems like every 3rd car is a Tesla) and according to at least one statistics website, Honda accounts for between 8-9% of the U.S. car market in 2020 and 2021, and the Honda CR-V is near the top of the list of best-selling vehicles for the past several years. It’s safe to say that there are probably millions of Hondas on the road right now, and apparently any that are accessed using a key fob are vulnerable to a hack that allows attackers to unlock car doors and remotely start engines if the car has that capability.
What this means for you
If you own a Honda, you may want to give this article a read, which was based on a relatively unknown vulnerability dubbed “Rolling-PWN” by the researchers/hackers that discovered it. The vulnerability is documented and published in the National Vulnerability Database run by the National Institute of Standards and Technology, which is about as official as you can get in terms of documenting vulnerabilities. Despite this, Honda has yet to confirm or even acknowledge the issue. Which also means that there is very little you can do about it other than the following:
- Reconsider what sort of valuables you keep in your car, even if you don’t drive a Honda. This particular hack may not be limited to just Honda according to the researchers. It just happens to be the manufacturer they’ve tested and confirmed vulnerable across multiple years and models.
- Even though they may be able to start the car, they can’t drive the car because they can’t exploit the proximity requirements of the key fob…yet. Regardless, if you park your car in a garage, make sure that it is well ventilated. Carbon monoxide kills, and some prankster might put you in real danger by leaving your car running for hours in a garage with poor ventilation.
- Perhaps write a letter to your local congress-critter (Representative and Senator) asking them to look into Honda’s seeming disregard for a significant security issue. If you are friendly with a local Honda dealership (because you own a Honda and use them for service), you could also stop in and show them the article and a link to the exploit on the official government website of vulnerabilities as well. If enough of us raise our voices, perhaps some of these big companies will take notice!
You may not realize it, but your organization is probably using one or more free email accounts from platforms like Google and Microsoft. Smaller companies may still be using them as their primary email accounts (let’s talk – you need to stop doing that!), but most have moved up to what we call “enterprise-grade” versions from the same providers. Despite upgrading their email to the more secure, paid services, many companies opt to continue using free-mail accounts for various applications like email copier scanning, Quickbooks invoicing, and automation systems that send out email alerts. In the case of the latter two, not having this functionality could result in some pain or even safety concerns.
What did you do, Google?
I looked back at my long-standing free Gmail account to see if Google sent any notifications out about this change. I don’t see anything in an email, but it’s likely they posted on-screen notices in their webmail interface, which I rarely see as I use Outlook or my phone to view email for this particular account, so I’m going to say this was a stealth change. What changed? They removed the “less secure apps” feature on May 30th of this year. Unless you are a Gmail aficionado or in IT, you probably aren’t going to know what this does, or how it impacts you now that it’s gone. In a nutshell, it allowed you to use your Gmail account with applications that Google considers “less secure” – including Outlook (a little rivalry shade or legit concern?) and more importantly, any device or service that uses SMTP delivery to send emails via their servers, such as your multi-function copier when you scan to email, or your building automation alarms that send emails to engineers or security that there is a leak or a door propped open. If you suddenly find that something that was previously Gmail-powered has stopped sending emails, it’s probably because you were using the less secure apps feature to do so.
How do you fix this?
Unfortunately, it’s not as simple as turning that feature back on – Google has removed it completely. Now you will have to set up an “app password” for your service or function to use. As the name would imply, app passwords are passwords that are set up for a specific application and only that application. You can have multiple app passwords for your email account, and they aren’t recoverable or resettable if you happen to lose them. That’s OK because they can be re-created easily and without additional cost (except for your time) as long as you can log into your Gmail account using your main password. However, in order to enable the app password feature, you have to set up 2-Factor Authentication for your account, and before you think of jumping ship to Microsoft’s Outlook.com free-mail service, they are doing the same thing – requiring 2-factor authentication before you can set up app-specific passwords. You can thank the hackers and spammers for this – they have been abusing free-mail accounts for years and finally the big boys are doing something about it by locking down exploited features of free-mail accounts, but rest unassured – this will only slow them down, and create minor headaches for everyone else. Get used to it – two factor isn’t going away anytime soon.
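For the IT person doing the re-configuration, here is what the fix looks like from the device's side. This is an added Python example, not code from Google or from the original post: it sends an alert through Gmail's SMTP server with an app password and turns the two most common login rejections into a plain-language hint. The environment variable names, the example.com addresses and the 16-character length check are assumptions made for this illustration.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

SMTP_HOST = "smtp.gmail.com"   # Gmail's SMTP submission server
SMTP_PORT = 587                # submission port, upgraded with STARTTLS


def load_app_password(env=os.environ):
    """Read the app password from the environment, never from source code."""
    # Google displays app passwords in space-separated groups; the spaces
    # are only for readability, so strip them before use.
    password = env.get("GMAIL_APP_PASSWORD", "").replace(" ", "")
    # Assumption for this example: an app password is 16 characters long.
    if len(password) != 16:
        raise ValueError("GMAIL_APP_PASSWORD is missing or not 16 characters")
    return password


def build_alert(sender, recipient, subject, body):
    """Build the message a copier or alarm panel would send."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def explain_failure(exc):
    """Map a Gmail login rejection to a likely cause (a hint, not a verdict)."""
    text = exc.smtp_error
    if isinstance(text, bytes):
        text = text.decode("utf-8", "replace")
    if "5.7.9" in text:   # "Application-specific password required"
        return "2-factor is on for this account: create an app password for this device."
    if "5.7.8" in text:   # "Username and Password not accepted"
        return ("Login rejected: the device may still be using the main account "
                "password, or its app password was revoked.")
    return f"SMTP login failed ({exc.smtp_code}): {text}"


def send_alert(msg, username, password, host=SMTP_HOST, port=SMTP_PORT):
    """Send over a certificate-verified TLS connection."""
    context = ssl.create_default_context()   # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=15) as server:
        server.starttls(context=context)     # encrypt before sending credentials
        try:
            server.login(username, password)
        except smtplib.SMTPAuthenticationError as exc:
            raise RuntimeError(explain_failure(exc)) from exc
        server.send_message(msg)


if __name__ == "__main__":
    # Hypothetical variable names; set both before running.
    account = os.environ["GMAIL_ADDRESS"]
    alert = build_alert(account, account, "Door propped open",
                        "Rear entrance sensor triggered.")
    send_alert(alert, account, load_app_password())
```

Give each device its own app password so that one can be revoked without touching the others.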
A little over a month ago, I wrote about how being vigilant wasn’t going to be enough to stay safe on the internet. Don’t get me wrong, being vigilant about technology safety is a base-level requirement, like understanding elemental concepts like “fire hot” and “that scorpion is dangerous”. But knowing you need to be careful and exerting the discipline and training to actually be safe are miles apart in execution. In case you haven’t heard my analogy before, internet security is like juggling dozens of plates while hackers continually toss more plates into your hands. They win when you drop even one plate, and they have an endless supply of plates and patience while they wait for you to lose focus. But what if you could add some robot arms to your juggling act?
We can all use an extra hand (or two) these days
At one point, it was possible for a normal human being to self-manage their business technology. Many business owners saw it as a rite of passage in securing their own domain name, spinning up a website and email boxes for all their employees, while simultaneously ordering a bunch of computers in black-and-white boxes. You could buy and install virus and spam protection from a friendly nerd named Norton and it did the trick. All was (relatively) well until the internet connected everything and hackers discovered that cybercrime was profitable. Hugely profitable. They upgraded quietly while the rest of the world marched on oblivious, starting an arms race in which our self-built technology infrastructure was outpaced before we even knew there was a race. While you were busy running a business (and not a never-ending technology upgrade parade), they were running their own business of dismantling or bypassing your rapidly aging technology security.
Unfortunately, the insurance companies see this, and are now recommending or requiring all companies big and small to use advanced security tools that even the large enterprises with dedicated IT staff are only now adopting. But here’s where you have the advantage in this juggling act: big companies need a lot more robot arms than you do to keep all those plates in the air but, as always, there’s a catch: you still need some robot arms and implementing them isn’t as simple as mail-ordering some parts in a Holstein-colored box. Today’s new security technologies are complicated like you might imagine robot arms to be, and even worse, if you install or use them incorrectly, the insurance companies might even deny your claims. But you have this covered because you are partners with C2, right? Call us and ask about our new security bundle for small businesses – let’s add some robot arms to your juggling act!
Image by kiquebg from Pixabay
Having your company’s operations halted due to a ransomware attack is pretty high up on the list of nightmare situations for any business owner. Depending on the severity of the attack and the state of your backups and business continuity plan, this could mean days of downtime while data is restored, and systems sanitized. In the case of a storied Illinois college, it took them months to restore services after a ransomware attack in December 2021, and by the time systems were brought back online, the downtime was enough to hammer the final nail in the coffin for Lincoln College, a 157-year old institution that was already financially reeling from the Covid pandemic.
What this means for you
It’s unclear from the small amount of information available on the incident why it took so long to restore systems at the college, but if my time in the higher-education industry illuminated anything for me, it was that academic institutions aren’t always at the forefront of technology security or disaster recovery, mostly because of underfunded technology budgets. If I had to name one thing that always catches ransomware victims off-guard, it’s the misconception that their particular company or organization is not worthy of being targeted for these types of attacks. While cybercriminals are definitely targeting high-value organizations in a very specific and determined manner, there is a wider, more generalized “net casting” of ransomware attacks that are more opportunistic and seem to care not for the financial means of the victim. Lincoln College may have not been targeted specifically – someone with sufficient privileges to key systems may have inadvertently fallen into a widely-cast phishing net (a broadly targeted phishing campaign), and once the hook was set, the hackers moved in for the kill, not caring (or even knowing) that the college was already in dire financial straits. What most people don’t realize is that there is literally no financial disincentive for hackers to attack, hook and ransomware as many targets as possible. It costs them literally nothing to spread ransomware, and if the victim doesn’t pay, they just move on to the one that will. Unfortunately for victims without proper data backups and a business continuity plan, that random attack could shutter the business for good.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
For those of us who’ve been using computers in the workplace for a decade or longer, we have frequent “Pepperidge Farm moments” about technology (and other stuff too, let’s be honest!) but for good reason. How many of you have been grinding through emails for the better part of a Monday morning, gathering up a pile of work, and when you go to open that attachment (which you know is safe, right?), instead of getting to work, you get password checked? More often than not, if you are from my generation or possibly older, you’ll grind your teeth while looking up those credentials and reminisce about those halcyon days when apps just opened and let you get to work. They didn’t need constant updates, repairs and password checks. You opened them, did your work, and maybe left them open for days at a time, because they didn’t need to be relaunched three times a day just to keep them functioning.
Get off my lawn?
I know that joke doesn’t play as well for the younger crowd, but while they are quietly chuckling about our obsession with ancient technologies like email, they too are subject to the same plague of passwords and the various hoops we all have to jump through in our current technology age, and they don’t have those yesteryears to view through nostalgic glasses. Those bygone days may have seemed glorious; some of us remember when your appliances didn’t need Bluetooth to wash clothes, or doorbells needing WIFI to work properly, or needing a phone app to get a date. But those were also the days when pregnant women drank and smoked, kids rolled around in the backseat or cargo space without seatbelts, and computers (and ourselves) weren’t connected to the internet all the time.
The internet is and will be a permanent part of our culture, business and human progress, whether we like it or not. It has allowed us to globalize and democratize in a way that eclipses every other technology before it, but as I have mentioned before, not without a razor-sharp edge that cuts both ways. The rise of cyberthreats has forced our technology tools (and toys!) on a security march at a pace that no sane consumer finds comfortable, and the only way technology companies can keep us (moderately) safe and stay profitable (and therefore viable) is to move their pricing models to subscription-based services to support the constant development costs. Which also means for the foreseeable future you are going to have to regularly prove you have the right to use the technology to which you subscribe. The only way passwords go away is if we find a better way to authenticate you as you, and so far, even though the need and the threat have existed for well over a decade, no one has found a better, cost-effective solution than the password.
Image by Gerd Altmann from Pixabay
Though it won’t be something most of us would like to hear, staying safe in technology is no longer a matter of being savvy, street-smart and vigilant. The concept of “rugged individualism” is considered one of the foremost tenets of American culture and stems from the countless (and most likely glorified) stories of pioneers and young entrepreneurs fighting what seems like impossible odds to come out on top, merely through tenacity, ingenuity and pluck. What the history books fail to share are the numerous accounts of everyone else barely surviving, or in many cases outright failing. Make no mistake, even experienced technology experts are getting hacked, so the chances of you coming out unscathed in today’s dangerous internet environment are slim to none.
What this means for you
Most likely you are in fact experienced, street-smart and savvy. You might be able to troubleshoot basic technology issues, navigate bizarre support bureaucracies to get a password reset, and even change a tire or check your own oil on that Honda Accord that’s still running like a champ after 100k miles. You know better than to use “Secret1234” as a password, and you’ve even figured out how to block some trackers in your browser from sniffing out your shopping habits. Unfortunately, you’ve learned what would be now considered baseline survival on the internet. Unfortunately, the current state of internet security is thus: at no point can anyone, me or the leagues of hardened technology experts, sit back and say, “There! I’ve learned all I need to stay safe online.” Your internet safety habits are the equivalent of learning how to drive, and like most everyone, we still need a pervasive infrastructure, mechanics and engineers to maintain the elaborate systems that have become essential for us to pursue a modern life. The majority of us aren’t expected to be auto mechanics, or even roughly familiar with how a car even works, and likewise I don’t expect everyone to be a technology expert, BUT you mustn’t take it for granted nor undervalue the true costs of staying safe. The more reliant you become on technology, the more you will have to invest in either training yourself, or take the more practical approach of making sure you have an expert like C2 Technology on speed-dial.
Image by Schäferle from Pixabay