Cybersecurity

Recently, the CEO of a very successful marketing firm had their Facebook account hacked. In just a weekend, the hackers were able to run over $250,000 worth of ads for their online gambling site via their account and removed the rightful owner as the admin, causing the firm’s entire Facebook account to be shut down. Not only are they uninsured for this type of fraud, but they were shocked to discover that Facebook, as well as their bank and credit card company, was NOT responsible for replacing the funds. Facebook’s “resolution” was that there was no fraud committed on their account because the hacker used their legitimate login credentials, and Facebook is not responsible for ensuring you keep your own personal credentials safe and confidential. Further, they didn’t have the specific type of cybercrime or fraud insurance needed to cover the losses, so they’re eating 100% of the costs.  Not only are they out $250K, but they also have to start over building their audiences on Facebook again, which took years to build. This entire fiasco is going to easily cost them half a million dollars when it’s all totaled. In another incident, another firm logged into their account to find all of their ads were paused. Initially, they thought it was a glitch on Facebook, until they realized someone had hacked into their account, paused all of their legitimate ads and set up 20 NEW ads to their weight-loss spam site with a budget of $143,000 per day, or $2.8 million total.  Due to their spending limits, the hackers wouldn’t have charged $2.8 million; however, due to the high budgets set, Facebook’s algorithms started running the ads fast and furious. As they were pausing campaigns, the hackers were enabling them again in real time. After a frantic “Whac-A-Mole” game, they discovered the account that was compromised and removed it.  The compromised account was a legitimate user of the account who had THEIR account hacked. Because of this, Facebook wouldn’t replace the lost funds, and their account got shut down, with all campaigns deleted. Fortunately, these guys caught the hack early and acted fast, limiting their damages to roughly $4,000, but their account was unable to run ads for 2 weeks, causing them to lose revenue. They estimate their total damages to be somewhere in the $40,000 to $50,000 range.  When many people hear these true stories (with the name of the companies withheld to protect their privacy), they adamantly believe someone besides them should step up and take responsibility, covering the losses. “It wasn’t OUR fault!” they say. However, the simple reality is this: if you allow your Facebook account – or any other online account – to be hacked due to weak or reused passwords, no multifactor authentication (MFA) turned on, improper e-mail security or malware infecting your devices due to inadequate cyber security, it is 100% YOUR FAULT when a hacker compromises your account.  Facebook is just one of the cloud applications many businesses use that can be hacked, but any business running any type of cloud application, including those that adamantly verify they are secure, CAN BE HACKED with the right credentials. Facebook’s security did not cause their account to be compromised – it was the failure of one employee. The BEST way to handle this is to NOT get hacked in the first place. Here’s what you need to do to protect yourself: If you want to ensure your organization is truly secure, click here to request a free Cyber Security Risk Assessment to see just how protected your organization is against known predators. If you haven’t had an independent third party conduct this audit in the last 6 months, you’re due.  It’s completely free and confidential, without obligation. Voice scams are just the latest in a tsunami of threats aimed at small business owners, with the most susceptible being the ones who never “check the locks” to ensure their current IT company is doing what they should. Claim your complimentary Risk Assessment today.

The infamous Xenomorph Android malware, known for targeting 56 European banks in 2022, is back and in full force targeting US banks, financial institutions and cryptocurrency wallets.  The cyber security and fraud detection company ThreatFabric has called this one of the most advanced and dangerous Android malware variants they’ve seen. This malware is being spread mostly by posing as a Chrome browser or Google Play Store update. When a user clicks on the “update,” it installs the malware designed to automate the process of accessing your online accounts and extracting and transferring funds.  Besides being alert to this scam (and you should let your spouse, partners and family know as well), you should be aware of a few ways to protect yourself: But remember, bank fraud can manifest itself in several forms, including:  To protect yourself, use strong, unique passwords for your online banking accounts and never store them in your browser. Also, update your passwords monthly with significant changes to them, using uppercase and lowercase, symbols and numbers that are at least 14 to 16 characters.  Second, always turn on multifactor authentication (MFA) so you’re notified if anyone tries to log into your accounts without your knowledge. Third, set up alerts for large withdrawals. You can ask your bank to require a physical signature for wire transfers to protect you from someone taking money from your account without your signature.  Fourth, get fraud insurance that specifically covers employee and online theft so you are protected in the event a cybercriminal steals money from your account. And, as always, make sure you have strong cyberprotections in place for ANY device that logs into a bank account or critical application. Far too many businesses think that if their data is “in the cloud,” they are safe. Remember, your bank account is “in the cloud,” and the bank likely has a secure portal, but that doesn’t mean YOU can’t be hacked. If you want to ensure your organization is truly secure, click here to request a free Cyber Security Risk Assessment to see just how protected your organization is against known predators. If you haven’t had an independent third party conduct this audit in the last 6 months, you’re due.  It’s completely free and confidential, without obligation. Voice scams are just the latest in a tsunami of threats aimed at small business owners, with the most susceptible being the ones who never “check the locks” to ensure their current IT company is doing what they should. Claim your complimentary Risk Assessment today.

Have you started business planning for 2024? The last few months of the year can get hectic, between trying to close out the end of the quarter strong and mapping out your plan to ramp things up in the new year. One area that small business owners often skip over when creating their new year strategy is cyber security planning. Cyber security is NOT an IT decision, it’s a business decision. Your company hinges on your ability to keep your data – and your clients’ – safe from cybercriminals. To create a reliable plan for the next year, there are a few cyber security basics that every business owner needs to be aware of to avoid being the next victim of a data breach. Cyber issues are becoming such a regular occurrence that it’s easy to become desensitized to the effects of data breaches, which can leave you vulnerable to an attack. Here are 10 BIG takeaways about cyber security that you should keep in mind. Your security depends on it! Hackers love that small business owners think this way because it makes them an easy target. If you have money or data of any size or amount, you are at risk. Takeaway – Protect your business and consult a cyber security expert on what you need. Takeaway – Invest some of your budget in cyber security training for your team. This is true for your web browsers too. If you get a notification about an available update, it often means that a bug or a vulnerability needs to be patched. If you don’t patch it, that’s a little hole in your network that hackers can and will find. Takeaway – Have your IT team run automatic updates and always manually update if prompted. Takeaway – Have an off-site backup and test it regularly to ensure it works properly. Takeaway – Use a VPN, or virtual private network, to keep your network safe from hackers while on the go. The cost of data breaches puts most small companies that get hacked out of business within six months. These can range from hundreds of thousands to millions of dollars, depending on the damage done. Takeaway – Invest in cyber security. Don’t play around and risk everything you worked hard to build. Being compliant means you are fulfilling all the requirements that the government has issued. This does not mean you are 100% secure; it means you have implemented the basics. Takeaway – Consult with a cyber security professional who deals with clients in your industry to make sure that you’re not only compliant but that you have the proper security systems in place to protect your organization. These are helpful, but they aren’t enough to keep you secure. Hackers are routinely finding ways to break through this software, so if you’re not implementing other security measures, you’re at risk. Takeaway – Consult with a cyber security professional to find out what you need. It’s often not as expensive as people think and will cost you WAY less if you ever become a victim of a data breach. When it comes to data breaches, whether you’re at fault or not, you’ll be the one to catch the blame from your customers, employees, attorneys, the media and more, and it will be ugly. Takeaway – You can prevent this by taking a proactive approach to cyber security. Take your security seriously in 2024. We offer a FREE, no-obligation Security Assessment. Even if you already have a cyber security company you work with, it can’t hurt to have a second expert opinion to assess if and where you’re vulnerable to an attack. We have limited spots available and expect to fill up before the holiday break, so if you’re interested, click here to book your assessment with our team now

College has changed since many of us were students. Years ago, we’d be shuffling from class to class, holding a single notebook and a pencil for scribbling down notes. There wasn’t as big a risk of photos or data being stolen online. That’s no longer the case. Students today have at least one – usually two or three – devices readily available. The scary part is, most college-age students think of themselves as tech-savvy “digital natives”; however, a study by Atlas VPN showed that Gen-Zers and millennials are the age groups most likely to fall for phishing scams. In fact, according to the National Cybersecurity Alliance, 20% of Gen-Zers have had their identity stolen at least once. Here are just a few of the terrifying ways cybercriminals attack this young crowd: Sadly, the list goes on and on! How can kids raised on technology fall for so many scams? Here are just a few of the big reasons why: What can you do? We have robust cyber security solutions and 24-hour monitoring to protect the businesses that we work with and can even recommend at-home security software, but what about when your kids go off to school, away from your watchful eye? You certainly can’t pack up and camp out at college to make sure they’re following cyber security best practices. But you can make sure they know what to look out for and give them the tools and resources to stay as safe as possible. Here are 14 actions your child can take to prevent being a victim of cybercrime when they’re off at college: Run through this list with your children! When students leave for college, cyber security is not a priority for them, but unfortunately, if they’re targeted it could negatively impact their lives at a time when they’re just getting started. Cyber security takes just a few minutes of conscious effort but is a critical lesson to learn in this age when nearly everything we do involves technology. The risks of cybercrime will only continue to grow. If your organization could benefit from cyber security training similar to this but more in-depth for employees, so they know the risks and best practices of cyber security, we can help. Start with a completely FREE Cybersecurity Risk Assessment by clicking here.

Cybercriminals know the easiest way to sneak under your radar is to pretend to be a brand you know and trust. These large companies have spent years on marketing, customer service, branding and consistency to build a trustworthy reputation, and hackers leverage this to go after you. The most common method is to use phishing attacks. These thieves set up URLs that look scarily similar to the real company’s website. To slip by your watchful eye, here are some of the simple switches hackers make that can go unnoticed: Some criminals will take it a step further and set up a web page that looks identical to that of the real website. When you click the link – via e-mail, SMS or even through social media – several dangerous results can occur. The first is that malware can be installed on your computer. Clicking a bad link can set off an automatic malware download that contains malicious files with the ability to collect personally identifiable information from your device, like usernames, credit card or bank account numbers and more. The second is the fake website will have a form to harvest your information. This could be login credentials, passwords and, in some cases, your credit or bank information. The third most common issue is an open redirect. The link might look legit, but when you click on it, you’re redirected to a malicious website where the intent is to steal your information. What brand impersonations do you need to look out for? Well, all of them, but according to Check Point’s latest Brand Phishing Report, there are 10 companies that top the chart in overall appearance in brand phishing attempts. Here Are The Top 10 Most Frequently Impersonated Brands In Phishing Attempts In Q2 Of 2023: Take a minute and ask yourself how many of the companies on this list send you regular e-mail communications. Even just one puts you at risk. Cybercriminals go the full mile with these scams. They know what types of messages work best for each company to get your attention. Here are three common phishing attacks cybercriminals have used under these brands’ good names to gain access to your private information. 1. Unusual Activity – These types of e-mails will suggest that someone gained access to your account and you need to change your password quickly. They leverage fear so people will click without thinking, hurrying to change their password before they’re a victim of the attack. They usually have buttons that say, “Review Recent Activity” or “Click Here To Change Your Password.” These e-mails can go as far as to show fake login information detailing the region, IP address, time of sign-in and more, like real messages from the companies do to convince you to click.  2.  Fake Gift Cards – These e-mails suggest that someone sent you an e-gift card. When you open the e-mail, they either redirect you to a website to “claim your gift card” or have a button to “redeem now.” 3.  Account Verification Required – These e-mails suggest that your account has been disconnected, and they need you to verify your information. As soon as you enter your login credentials, the hacker has access. These scams are happening every single day. You’re a target, but so are the unsuspecting employees in your company. Without proper training, they might not know what to look for, panic and try to resolve these “issues” under the radar, ultimately causing the problem. There are multiple steps to making sure your network is secure. One would be getting e-mail monitoring to help reduce the likelihood of these phishing e-mails ending up in your inbox. It’s also important to make sure employees know what to look for so that if an e-mail does get by the phishing detection system, they can still keep your company safe. The best thing to do is to start here with your FREE Cybersecurity Risk Assessment. We’ll evaluate your network and provide a full report on areas where you are vulnerable and what to do to fix them. There’s no obligation, but you should know where you’re at risk. Click here to schedule your assessment now.

Back in May, the company MOVEit, a file transfer platform made by Progress Software, was compromised by a Russian ransomware operation called Cl0p. They used a vulnerability in Progress’s software that was unknown to exist at the time. Shortly after the attack was noticed, a patch was issued. However, some users continued to be attacked because they didn’t install it. The software is used by thousands of governments and financial institutions and hundreds of other public and private companies from around the world, and it’s been estimated that at least 455 organizations and over 23 MILLION individuals who were customers of MOVEit have had their information stolen. Some of the organizations compromised include: The majority of those organizations (73%) are based in the US, while the rest are international, with the most heavily impacted sectors being finance, professional services and educational institutions. Cl0p is a type of ransomware that has been used in cyber-attacks since 2019. Data stolen is published to a site on the dark web – a section of the worldwide web where cybercriminals sell and trade information without having to reveal themselves. The ransomware and website have been linked to FIN11, a financially motivated cybercrime operation that has been connected to both Russia and Ukraine and is believed to be part of a larger umbrella operation known as TA505. What makes this attack so terrible is that many of the organizations compromised provide services to many other companies and government entities, which means it’s very likely their customers, patients, taxpayers and students were compromised by association. And yes, you’re probably one of them. The big question is, were you notified? For some reason, this breach didn’t make mainstream headlines, but when a company is compromised, they are obligated to tell you if your data was stolen. This can come in the form of an e-mail or snail mail letter. However, due to spam filters, e-mail delivery is clearly not a reliable way to ensure an important message is received, and organizing a letter for over 36 million people can take time. If you use the software, you need to ensure that all your passwords and PINs are changed ASAP and you must be on the lookout for any strange activity. Don’t use the same passwords and make sure they are at least 12 characters long, using uppercase and lowercase letters, as well as special characters and numbers. You should also ensure that MFA, or multifactor authentication, is turned on for all critical software applications and websites you use, such as Microsoft Office, QuickBooks, banking and payroll software, your credit card processor, etc. Want to know if your company’s information is on the dark web? Click here to request a free Dark Web Vulnerability Scan for your organization (sorry, we don’t offer this for individuals). Simply let us know your domain name and we’ll conduct the search for free and contact you to discuss what was found via a confidential review (NOT via e-mail). Questions? Call us at 774-241-8600.

In June a popular file-sharing software amongst big-name companies likes Shell, Siemens Energy, Sony, several large law firms, a number of US federal agencies such as the Department of Health and more was hacked by Russia-linked cybercrime group Cl0p. Security Magazine reported that, to date, there are 138 known companies impacted by the breach, resulting in the personal information of more than 15 million people being compromised. More are expected to emerge as the investigation continues. If you’re reading that list of company names thinking, “I’m just a small business compared to these big guys – that won’t happen to me,” we’ve got news for you. Many of these companies have cyber security budgets in the millions, and it still happened to them, not because they were ignoring the importance of cyber security, but because of a piece of software they use to run their business. Progress Software’s MOVEit, ironically advertised as a tool you can use to “securely share files across the enterprise and globally,” “reduce the risk of data loss” and “assure regulatory compliance,” was exploited by a tactic called a zero-day attack. This occurs when there is a flaw in the application that creates a gap in security and has no available patch or defense because the software maker doesn’t know it exists. Cybercriminals quickly release malware to exploit the vulnerability before the software maker can patch it, essentially giving them “zero days” to respond. These attacks are dangerous because they are difficult to prevent and can quickly and easily ruin smaller businesses. Depending on the organization’s motives, the stolen data can be deleted, held for ransom or sold on the dark web. Or, if you are lucky enough to recover your data, you might still end up paying out thousands or more in fines and lawsuits, losing money from downtime and coming out on the other end with a damaged reputation that causes clients to leave anyway. In MOVEit’s case, the cybercrime agency Cl0p has claimed on their website that their motivation is purely financial and has allegedly deleted data obtained from government agencies as they were not the intended targets. What does this mean for small businesses? For starters, it underlines the harsh reality that cyber security isn’t just the concern of big businesses and government agencies. In fact, small businesses can be more vulnerable to cyber-attacks, as they often dedicate fewer resources to protection. It also means that even if your organization is secure, the third-party vendors you work with and the tools you choose to use in your business still pose potential risks. Most of MOVEit’s customers that were affected likely had strong cyber security measures in place. Even though it was no direct fault of their own, at the end of the day, those companies still must go back to their clients, disclose what happened and take the verbal, legal and financial beating that comes with a data breach. The MOVEit hack serves as a grim reminder of the critical importance of cyber security for businesses of all sizes.In the face of an increasingly sophisticated and fast-moving cyberthreat landscape, businesses cannot afford to ignore these risks. Cyber security must be an ongoing effort, involving regular assessments, updates, monitoring, training and more. As this terrible incident shows, a single vulnerability can lead to a catastrophic breach with severe implications for the business and its customers. In the digital age, cyber security isn’t just a technical issue – it’s a business imperative. If you have ANY concerns about your own business or simply want to have a second set of eyes examine your network for vulnerabilities, we offer a FREE Cyber Security Risk Assessment. Click here to schedule a quick consultation to discuss your current situation and get an assessment on the schedule.

Cybercriminals know the easiest way to sneak under your radar is to pretend to be a brand you know and trust. These large companies have spent years on marketing, customer service, branding and consistency to build a trustworthy reputation, and hackers leverage this to go after you. The most common method is to use phishing attacks. These thieves set up URLs that look scarily similar to the real company’s website. To slip by your watchful eye, here are some of the simple switches hackers make that can go unnoticed: Some criminals will take it a step further and set up a web page that looks identical to that of the real website. When you click the link – via e-mail, SMS or even through social media – several dangerous results can occur. The first is that malware can be installed on your computer. Clicking a bad link can set off an automatic malware download that contains malicious files with the ability to collect personally identifiable information from your device, like usernames, credit card or bank account numbers and more. The second is the fake website will have a form to harvest your information. This could be login credentials, passwords and, in some cases, your credit or bank information. The third most common issue is an open redirect. The link might look legit, but when you click on it, you’re redirected to a malicious website where the intent is to steal your information. What brand impersonations do you need to look out for? Well, all of them, but according to Check Point’s latest Brand Phishing Report, there are 10 companies that top the chart in overall appearance in brand phishing attempts. Here Are The Top 10 Most Frequently Impersonated Brands In Phishing Attempts In Q2 Of 2023: Take a minute and ask yourself how many of the companies on this list send you regular e-mail communications. Even just one puts you at risk. Cybercriminals go the full mile with these scams. They know what types of messages work best for each company to get your attention. Here are three common phishing attacks cybercriminals have used under these brands’ good names to gain access to your private information. 1. Unusual Activity – These types of e-mails will suggest that someone gained access to your account and you need to change your password quickly. They leverage fear so people will click without thinking, hurrying to change their password before they’re a victim of the attack. They usually have buttons that say, “Review Recent Activity” or “Click Here To Change Your Password.” These e-mails can go as far as to show fake login information detailing the region, IP address, time of sign-in and more, like real messages from the companies do to convince you to click. 2.  Fake Gift Cards – These e-mails suggest that someone sent you an e-gift card. When you open the e-mail, they either redirect you to a website to “claim your gift card” or have a button to “redeem now.” 3.  Account Verification Required – These e-mails suggest that your account has been disconnected, and they need you to verify your information. As soon as you enter your login credentials, the hacker has access. These scams are happening every single day. You’re a target, but so are the unsuspecting employees in your company. Without proper training, they might not know what to look for, panic and try to resolve these “issues” under the radar, ultimately causing the problem. There are multiple steps to making sure your network is secure. One would be getting e-mail monitoring to help reduce the likelihood of these phishing e-mails ending up in your inbox. It’s also important to make sure employees know what to look for so that if an e-mail does get by the phishing detection system, they can still keep your company safe. The best thing to do is to start here with your FREE Cybersecurity Risk Assessment. We’ll evaluate your network and provide a full report on areas where you are vulnerable and what to do to fix them. There’s no obligation, but you should know where you’re at risk. Click here to schedule your assessment now.

On a recent interview about the Titan sub catastrophe, director of the movie Titanic James Cameron, who has made 33 successful dives to the Titanic wreckage site, pointed out that this tragedy is eerily similar to the 1912 Titanic disaster: the captain of the 1912 RMS Titanic was repeatedly warned about ice ahead of his ship, yet he plowed ahead at full speed into an ice field on a moonless night, resulting in the deaths of over 1,500 innocent souls. The captain of the sub Titan and CEO of the company OceanGate, Stockton Rush, was also repeatedly warned about his vessel’s safety, lack of certification for the vessel’s integrity, lack of a tracking device (think airplane black box), their experimental approach to deep dives (despite the fact that this is a very mature and well-understood practice) and lack of a backup sub. He also proceeded to plow ahead at full speed, taking people in an extremely unsafe vehicle, also killing innocent people. If there was ever a case for willful negligence, this is it. When it comes to IT security and compliance for small business, this kind of willful negligence is rampant. Sometimes it ends with an abrupt, catastrophic “implosion,” as with the Titan, where a company is destroyed by a ransomware attack, operations shut down, unable to transact, employees and clients harmed and their reputation tarnished. In other cases, the risk is there but hasn’t been addressed because nothing bad has happened – yet. Willful negligence in IT security and regulatory compliance to data privacy and protection comes in three forms. The first is willful ignorance. Some people running a business are young and inexperienced, too new to the business world to understand the risks they are incurring by failing to protect their clients and themselves. Often, they are being advised by the wrong people – an IT firm that knows how to make their tech work but lacks the expertise to implement good security protections. You kind of can’t blame them for getting it wrong initially, but at some point they’ll get smacked with a cyber-attack and learn the error of their ways the hard way. The second type of willful negligence is willfully stupid. This group CANNOT claim “ignorance” as their defense. They KNOW they should be protecting their business and their clients’ data from cyber-attacks. They’ve heard the stories, they know the laws and may have been warned by their IT company or person, but foolishly believe “that can’t happen to us,” or choose to assume they’re “fine” because they are using a cloud application that promises compliance (which is correct for THEM, not necessarily for YOU). They trust but don’t verify that their IT person or company is actually doing what they’re supposed to, and often lack cyber liability insurance, choosing to take the risk because they’re cheap or can’t be bothered. The third type of willful negligence is, in my opinion, the TRUE meaning of willful negligence and the most immoral and unforgivable. Determined negligence. These people stubbornly insist on continuing to operate without proper security protocols in place, without a disaster recovery plan, without any insurance, without assessing and inspecting their environment, refusing to acknowledge ALL facts, history and evidence to the contrary. They know they are acting irresponsibly but don’t care. After the tragedy of the sub, multiple experts came forward to point out all the risky behaviors Rush was allowing. The hull had not gone through any type of cyclical pressure testing or thermal expansion and contraction testing. The hatch could only be opened from the outside and not the inside, which wouldn’t allow them to escape if needed in the event of an emergency – one small fire inside would have been catastrophic. No atmospheric system to monitor interior gases such as oxygen, carbon dioxide and carbon monoxide. No emergency air breathing system. The viewing window was only certified to 4,000 feet, not the 12,500 feet of the Titanic wreck. But the most egregious of all was an egotistical assumption by the CEO that he knew better than everyone else around him. I wonder if he put all of this in the brochure and explained that philosophy to the people in the sub who lost their lives that day. Everyone makes mistakes. Everyone has a moment in their lives when they place trust in someone they shouldn’t. Everyone has blind spots, and we’re all ignorant and misinformed about something. The question is do you STAY willfully ignorant or stupid to the point of being determined to hold steady to your course of action to the point where you not only do harm to yourself, but to others as well? If you do, it’s only a matter of time before you have your own ship sunk, your own personal Titanic-size wreck. Sadly, if you’re the CEO of a company that holds financial data, credit cards, medical records, tax returns, Social Security numbers, birthdays or even the contact details of your clients OR employees, YOUR willful negligence in cyber protection will absolutely harm others.