Ransomware Attacks and Cyber Scams Surge in 2020

Ransomware attacks surged 300% in calendar year 2020, according to Chainalysis. And in 2020, $406.3 million was paid out in cryptocurrency ransoms, 337% more than the previous year. This calendar year’s ransom payments are on pace to pass seven figures.

The attacks have crippled supply chains and critical infrastructure by holding digital information hostage.

  • Colonial Pipeline, one of the largest fuel pipelines in the US, was forced offline for six days in May.
  • An Iowa grain co-op was hit by a cyberattack, and hackers demanded $5.9 million to unlock the organization’s data.

Ransomware is something that government agencies are extremely focused on these days. They’re viewing it on par with terrorist financing attacks. The victims of ransomware attacks are mostly big businesses, where more sophisticated attacks appear to be sanctioned by foreign governments such as Russia, China, North Korea or Iran.

However, big businesses are not the only victims of cybercriminals. Nearly 7,000 individual investors lost a collective $80 million to cryptocurrency scams from October 2020 to March 2021, according to the Federal Trade Commission.

Currently, the biggest type of cybercriminal activity in terms of volume is scamming: your investment scam, your Ponzi scheme, or just a phishing attack. Retail investors are oftentimes more vulnerable to being taken advantage of by scammers. But these scams impact the government as well, because the SEC is chartered to make sure they’re protecting consumers.

The bottom line is that “illicit activity on the blockchain is heating up, from minor scams to elaborate ransomware attacks,” explained Kimberly Grauer, director of research at Chainalysis.

The majority of cryptocurrency activity is legal, according to the U.S. Treasury Department. But cryptocurrency can be exploited by cybercriminals and leveraged for ransomware attacks. Crypto’s decentralized nature can make it more difficult to track down hackers.

The SEC’s Office of Investor Education and Advocacy issues periodic Investor Alerts to help investors identify signs that what is offered as an investment may actually be a scam or fraud. They urge investors to be on high alert in order to protect themselves and others from becoming victims of investment cyber fraud.

The key to avoiding investment fraud and scams is to be an educated investor. Below are five tips from the SEC website investor.gov to help you avoid investment fraud:

  1. Be Wary of Unsolicited Offers to Invest – Cybercriminals look for victims on social media sites, chat rooms, and bulletin boards. If you see a new post on your wall, a tweet mentioning you, a direct message, an e-mail, or any other unsolicited – meaning you didn’t ask for it and don’t know the sender – communication regarding a so-called investment opportunity, you should exercise extreme caution.
  2. Look out for Common “Red Flags” – Wherever you come across a recommendation for an investment – be it on the Internet or from a personal friend (or both) – watch for “red flags” such as: (a) It sounds too good to be true, since any investment that sounds too good to be true probably is; (b) The promise of “guaranteed” returns, since every investment entails some level of risk, which is reflected in the rate of return you can expect to receive; and (c) Pressure to buy RIGHT NOW, because you should not be pressured or rushed into buying an investment before you have a chance to research the “opportunity.”
  3. Look out for “Affinity Fraud” – Never make an investment based solely on the recommendation of a member of an organization or group to which you belong, especially if the pitch is made online. An investment pitch made through an online group of which you are a member, or on a chat room or bulletin board catered to an interest you have, may be an affinity fraud. Affinity fraud refers to investment scams that prey upon members of identifiable groups, such as religious or ethnic communities, the elderly, or professional groups. Even if you do know the person making the investment offer, be sure to check out everything – no matter how trustworthy the person seems who brings the investment opportunity to your attention (think Bernie Madoff). Be aware that the person telling you about the investment may have been fooled into believing that the investment is legitimate when it is not.
  4. Be Thoughtful About Privacy and Security Settings – Investors who use social media websites as a tool for investing should be mindful of the various features on these websites in order to protect their privacy and help avoid fraud. Understand that unless you guard personal information, it may become available for anyone with access to the Internet – including cybercriminals.
  5. Ask Questions and Check Out Everything – Be skeptical and research every aspect of an offer before making a decision. Investigate the investment thoroughly and check the truth of every statement you are told about the investment. Never rely on a testimonial or take a promoter’s word at face value. You can check out many investments using the SEC’s EDGAR filing system or your state’s securities regulator.

Investors on the Internet and social media should always be on the lookout for cyber scams and fraud. If you have a question or concern about an investment, or you think you have encountered fraud, you should contact the SEC or FINRA.


References:

  1. https://www.morningbrew.com/daily/stories/2021/08/23/blockchain-expert-fights-crypto-crime
  2. https://www.sec.gov/oiea/investor-alerts-bulletins/ia_5redflags.html
  3. https://www.investor.gov/introduction-investing/general-resources/news-alerts/alerts-bulletins/investor-alerts/updated-11
  4. https://www.sec.gov/oiea/investor-alerts-and-bulletins/investment-scam-complaints-rise-investor-alert

Millions of Americans Fall Victim to Identity Theft

While online, your personal information is constantly exposed to bad actors. Take actions to protect your identity and prevent the theft of your identity.

A shocking amount of information about you can be found online. From Social Security numbers to bank account numbers to social media profiles, a savvy thief potentially has access to all the data he or she needs to assume and steal your identity.

Identity theft is a serious crime. It happens when someone uses your Social Security number or uses other personal information about you without your permission to open new accounts, make purchases or get tax refunds. They could use your:

  • Name and address
  • Credit card or bank account numbers
  • Social Security number
  • Medical insurance account numbers

Many Americans whose information was compromised did not realize their identity was stolen until years later when they tried to buy a car, file tax returns or purchase a home.

Experts warn that identity thieves can use social engineering to steal your information. Social engineering is the art of manipulating someone to divulge sensitive or confidential information that can be used for fraudulent purposes.

Social engineering can happen everywhere, online and offline. And unlike traditional cyberattacks, whereby cybercriminals are stealthy and want to go unnoticed, social engineers are often communicating with you in plain sight. Consider these common social engineering tactics that might be right under your nose.

  • Your “friend” sends you a strange message. Social engineers can pose as trusted individuals in your life, including a friend, boss, coworker, even a banking institution, and send you conspicuous messages containing malicious links or downloads. Just remember, you know your friends best — and if they send you something unusual, ask them about it.
  • Your emotions are heightened. The more irritable we are, the more likely we are to put our guard down. Social engineers are great at stirring up our emotions like fear, excitement, curiosity, anger, guilt, or sadness.
  • The request is urgent. Social engineers don’t want you to think twice about their tactics. That’s why many social engineering attacks involve some type of urgency, such as a sweepstake you have to enter now or a cybersecurity software you need to download to wipe a virus off of your computer.
  • The offer feels too good to be true. Ever receive news that you didn’t ask for? Even good news like, say winning the lottery or a free cruise? Chances are that if the offer seems too good to be true, it’s just that — and potentially a social engineering attack.
  • You’re receiving help you didn’t ask for. Social engineers might reach out under the guise of a company providing help for a problem you have, similar to a tech support scam. And considering you might not be an expert in their line of work, you might believe they’re who they say they are and provide them access to your device or accounts.
  • The sender can’t prove their identity. If you raise any suspicions with a potential social engineer and they’re unable to prove their identity — perhaps they won’t do a video call with you, for instance — chances are they’re not to be trusted.

A thief can get your personal information in person or online. Here are some ways thieves might steal someone’s identity. A thief might:

  • Steal your mail or garbage to get your account numbers or your Social Security number
  • Trick you into sending personal information in an email
  • Steal your account numbers from a business or medical office
  • Steal your wallet or purse to get your personal information

Identity experts share five recommendations for how to protect your identity:

  • Once a year, order and closely review a free credit report from each national credit reporting agency: Experian, Equifax and TransUnion.
  • Browse and purchase online while only using a secure connection. Never use autofill features when filling out online forms, unless it is on a trusted site.
  • Refrain from giving solicitors personal or financial information over the phone, by email or through pop-up messages.
  • Opt out of pre-screened offers of credit and insurance by mail.
  • Avoid oversharing on social networking sites so you’re not sharing a potential scam with others.

If you do think you’re a victim, call the three major credit bureaus and place a credit freeze and file a report with law enforcement.

Even if you don’t believe it’s that big of a deal, reporting these crimes can help law enforcement prevent others. It took identity theft victims an average of 10 hours to resolve the fraud in 2020, according to LifeLock.

Moreover, you may be responsible for what the thief does while using your personal information. You might have to pay for what the thief buys. This is true even if you do not know about the bills.

How can that happen?

  • A thief might get a credit card using your name.
  • He changes the address.
  • The bills go to him, but he never pays them.
  • That means the credit card company thinks you are not paying the bills.
  • That will hurt your credit.

This is the kind of trouble identity theft can cause for you.

Your best defense against identity theft and social engineering attacks is to educate yourself about their risks, red flags, and remedies. To that end, stay alert and avoid becoming a victim.


References:

  1. https://www.consumer.gov/articles/1015-avoiding-identity-theft#!what-it-is
  2. https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html
  3. https://www.usnews.com/360-reviews/identity-theft-protection

Zoom Calls Aren’t as Private as You May Think | Consumer Reports

This year has been a challenging year for everyone, throwing just about everything into disarray and forcing people to change the way they live, work and play. Which is where Zoom comes in. Zoom has become one of the primary video conferencing software tools for conducting remote/virtual meetings.

Privacy concerns

Zoom seems to be the video conferencing tool that can do it all. Yet Zoom collects and shares copious amounts of personal information and data about its users and doesn’t provide a lot of detail about how it’s used for advertising, marketing, or other business purposes, according to Consumer Reports. Users of video conferencing services such as Zoom and RingCentral should think about data-privacy concerns similar to those raised by other online platforms such as Facebook or Google.

Most people on Zoom calls don’t realize how much information the company and a host can gather. Depending on what tier of service—from a free option to advanced levels for big companies—a host can make a recording of the conference, have it transcribed automatically, and share the information later with people who aren’t in the meeting.

The free and low-cost versions are also being used by individuals for everything from therapy sessions to video lessons with guitar legends to informal gatherings.

Look at the privacy issues from two perspectives. The first thing to understand is what information Zoom itself can collect, and what it can do with the information. Then there’s the information that the meeting host gets and how it can be shared.

Individuals can take some measures to safeguard their privacy by changing the way they use the service. But Consumer Reports’ advocates say that Zoom should also improve the platform’s privacy practices.

Zoom’s privacy policy is similar to many digital platforms’, claiming the right to collect and store personal data, and share it with third parties such as advertisers.

In Zoom’s case, that extends to what the company calls customer content, or “the content contained in cloud recordings, and instant messages, files, whiteboards … shared while using the service.”

Videos aren’t off-limits, according to the document, and neither are transcripts that can be generated automatically, the documents you share on your screen, or the names of everyone on a call.

Your instant messages and videos could be used to target advertising campaigns or develop a facial recognition algorithm, like videos collected by other tech companies. “Zoom isn’t necessarily doing anything users would object to” with the data, says Bill Fitzgerald, a Consumer Reports privacy researcher who analyzed the company’s policies. “But their terms of use give them a whole lot of leeway to collect information and share it, both now and in the future.”

Zoom Hosts

Zoom video conferences are started by what the company calls a “host.” Unlike other services you may have used, Zoom provides the host with rights that might not be immediately apparent to other participants.

A Zoom host can be someone you know, like a friend, an employer, a client, a school official, or a relative stranger from a social gathering. “Zoom puts a lot of power in the hands of the meeting hosts,” says Justin Brookman, director of privacy and technology policy at Consumer Reports. The host has more power to record and monitor the call than you might realize if you’re just a participant, especially if he or she has a corporate account. There are a few things you should know when you’re on a call.

When the video is being recorded, a small red button pops up along with the word “recording” in small type. If a host records a conference, the video could be passed around the same way any video makes the rounds on social media. For that reason, Consumer Reports is recommending that Zoom require participants to click on a consent button before recording can begin. Zoom already has this feature available, but it’s off by default.

Zoom provides hosts with a feature that appears quite intrusive. The host can turn on “attention tracking” to monitor whether any participant clicks away from the Zoom window for more than 30 seconds while a screen is being shared.

CR and other online privacy experts have some advice for enhancing your privacy while using Zoom.

  • Keep your camera and mic turned off unless you’re actually speaking. If you feel that you need to have the camera turned on, choose a photo as the background for your video.
  • Do not use Facebook to sign in since it is a poor security practice and dramatically increases the amount of personal data Zoom has access to.
  • Keep your Zoom app updated.
  • Prevent intruders and Zoombombing on your calls: Before you set up a public Zoom call, go to Settings and turn Screen Sharing to “Host only,” disable “Join Before Host,” disable “Allow Removed Participants to Rejoin,” and disable “File Transfers.” If practical, you should also protect your conference call with a password.

References:

  1. https://www.consumerreports.org/video-conferencing-services/zoom-teleconferencing-privacy-concerns/
  2. https://protonmail.com/blog/zoom-privacy-issues/