Security Tip of the Week
From the desk of Sainath Kancharla
Office of Information Security Student Assistant
The information contained in this website is for general information purposes only. The information and articles are provided by CSU Office of Information Security, and while we endeavor to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on this website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.
An identity thief stole my phone!
Identity theft can happen to anyone. A fraud investigator will tell you about their identity theft.
Knowing how to respond will help you if you ever have to recover your identity. Read more about the identity thief.
Source: Federal Trade Commission - Consumer Information
Student loan scam gets an F from the FTC
The costs of student loans and fees can be overwhelming. You might see online ads that promise to help lower your payments or get your loans forgiven. But be wary of companies that make those promises, and never pay an upfront fee. Read more about the scam.
How fast will identity thieves use stolen info?
If you've been affected by a data breach, or otherwise had your information hacked or stolen, you've probably asked yourself, "What happens when my stolen information is made public?" At the FTC's Identity Theft workshop on May 24, 2017, the FTC Office of Technology staff reported on research they did to find out.
First, they created a database of information about 100 fake consumers. To make the information realistic, they used popular names based on Census data, addresses from across the country, email addresses that used common email address naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet or a credit card).
They then posted the data on two different occasions on a website that hackers and others use to make stolen credentials public. The criminals were quick to pounce. After the second posting, it took only nine minutes before crooks tried to access the information.
In total, there were over 1,200 attempts to access the email, payment and credit card accounts. The identity thieves tried to use our fake consumers' credit cards to pay for all sorts of things, including clothing, games, online dating memberships and pizza.
The research shows that identity thieves are actively looking for any consumer credentials they can find: if your account data becomes public, they will use it.
So what can you do to limit your risk? Well, in this study, two-factor authentication prevented thieves from gaining access to the accounts. Two-factor authentication is a process that requires both your password and an additional piece of information (such as a code sent to your phone). Because these thieves did not have access to the second factor, they were unable to access the accounts. It's not a cure-all, but it can help.
Tech Support Scams
Last week, the FTC announced a bunch of cases against tech support scammers: the people who act like there's a problem with your computer and then try to convince you to fork over money to fix – ahem – "fix" it. Except there never was a problem, and they weren't really from tech support.
If you get an unexpected pop-up, call, spam email or other urgent message about problems with your computer, stop. Don't click on any links, don't give control of your computer and don't send any money. Learn more about spotting tech scams and what you can do if you get a call or pop-up.
Google Spam Email
If you have clicked on the email shown below, more information and recommendations can be found at Phishing Alert - Google Docs Campaign.
How to defend against ransomware
Here are some tips to protect your devices from ransomware, and what to do if you're a victim:
1. Update your software. Use anti-virus software and keep it up-to-date. And set your operating system, web browser, and security software to update automatically on your computer. On mobile devices, you may have to do it manually. If your software is out-of-date, it's easier for criminals to sneak bad stuff onto your device.
2. Think twice before clicking on links or downloading attachments and apps. According to one panelist, 91% of ransomware is downloaded through phishing emails. You also can get ransomware from visiting a compromised site or through malicious online ads.
3. Back up your important files. From tax forms to family photos, make it part of your routine to back up files on your computers and mobile devices often. When you're done, log out of the cloud and unplug external hard drives so hackers can't encrypt and lock your back-ups, too.
What if I'm a victim of ransomware?
- Contain the attack. Disconnect infected devices from your network to keep ransomware from spreading.
- Restore your computer. If you've backed up your files, and removed any malware, you may be able to restore your computer. Follow the instructions from your operating system to re-boot your computer, if possible.
- Contact law enforcement. Report ransomware attacks to the Internet Crime Complaint Center or an FBI field office. Include any contact information (like the criminals' email address) or payment information (like a Bitcoin wallet number). This may help with investigations.
Law enforcement doesn't recommend paying the ransom, although it's up to you to determine whether the risks and costs of paying are worth the possibility of getting your files back. If you pay the ransom, there's no guarantee you'll get your files back. In fact, agreeing to pay signals to criminals that you haven't backed up your files. Knowing this, they may increase the ransom price — and may delete or deny access to your files anyway. Even if you do get your files back, they may be corrupted. And you might be a target for other scams.
Source: Federal Trade Commission - Consumer Information
Free movies, costly malware
"Something for nothing" sounds appealing, but often there's a hidden cost. If the something is a site or app offering free downloads or streams of well-known movies, popular TV shows, big-league sports, and absorbing games, the hidden cost is probably malware. Sites offering free content often hide malware that can bombard you with ads, take over your computer, or steal your personal information.
We recently downloaded movies from five sites that offered them for free. In all five cases, we ended up with malware on our computer. Generally, it served up a slew of unwanted ads.
And if that's not enough to make you pause, downloading pirated content is illegal.
Finally, some free download sites ask for a credit card to process your registration. It's not a good idea to give your credit card number to a site offering illegally downloaded content. They're run by "pirates," not legit business people, and you can't trust them with your financial information.
Don't let utility scams overpower you
When your electricity goes out, you lose power in more ways than one. Daily necessities are out of reach without lights, warm water, and heat or air conditioning.
So if you get a call from someone threatening to shut off your utilities because they say you owe money, you're going to pay attention – and you may even pay up. But not so fast. The caller might be an imposter running a utility scam.
How can you tell? The caller wants you to send money – quickly, and in a very specific way. He may say the only way to make the "payment" is by wiring the money or using a prepaid card. That's because scammers want your money quick, and they want to stay hidden. But once you wire money or use a prepaid card, your money is gone for good.
Here are a few ways to protect yourself and your community:
- Make sure you're really dealing with your utility company. Call the company using the number on your bill. You can also check your bill to confirm what you owe.
- Never wire money or send the number from a prepaid card to someone you don't know — regardless of the situation. Once you do, you cannot get your money back.
- Contact the company if you are falling behind on your utility bill. See if you can work out a payment plan to catch up and keep your service on.
- Pass on information about imposter scams to people you know – and keep in touch with the latest scams by signing up for the FTC's scam alerts.
- Report it to the FTC if you think a scammer has contacted you.
Digital Spring Cleaning
Spring cleaning is almost a rite of passage. With it we celebrate the renewal of life that occurs in nature each spring and eagerly await the exciting fun of summer. Traditionally, spring cleaning means cracking our windows and dusting, mopping, and vacuuming, but this year consider taking a few minutes to spring clean your digital life. Cleaning the clutter helps your cyber life run smoothly and protects your security. Here are a few tips to get started.
FCC alerts consumers to the "Can you hear me?" scam
The Federal Communications Commission is alerting consumers to be on the lookout for scam callers seeking to get victims to say the word "yes" during a call and later use a recording of the response to authorize unwanted charges on the victim's utility or credit card account.
The scam begins when a consumer answers a call and the person at the end of the line asks, "Can you hear me?" The caller then records the consumer's "Yes" response and thus obtains a voice signature. This signature can later be used by the scammers to pretend to be the consumer and authorize fraudulent charges via telephone. Learn more about the "Can you hear me?" scam.