Cyberthreat Prevention

Threat actors remain active and take advantage of our business to commit fraud. SUMA, in collaboration with its cybersecurity partners, presents the latest security topics to create awareness and educate members to avoid the pitfalls.

How To Avoid Malware On Your Device
The most popular device used across the world today is the smartphone, but people today widely use tablets, laptops and desktop computers as well. With that, it would be a very good idea to find out why you should protect your smartphone from attackers. The cybersecurity methods used to protect a smartphone are almost identical to the protection of other devices as well, with some small variations.
From “Finger Lakes 1” (5/03/2021)

Defending Against Software Supply Chain Attacks
Defending Against Software Supply Chain Attacks, released by CISA and the National Institute of Standards and Technology (NIST), provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.
From “Cybersecurity & Infrastructure Security Agency” (4/29/2021)

Stop Using Your Work Laptop Or Phone For Personal Stuff, Because I Know You Are
I know it's hard not to grab your work laptop or tablet off the kitchen table and use it to help your kids with their homework or complete that home loan application you've been working on. So many of us have been working from our living room couches and kitchen tables for the past year that the line between our work and personal lives has never been more blurred.
From “Tech Republic” Bill Detwiler (4/26/2021)

Email Security Tips To Prevent Phishing And Malware
We’ve compiled a comprehensive list of email security tips to help your business prevent and mitigate security breaches that often come in the form of email phishing and malware attacks.
From “IT Business Edge” Jan Seitz (4/22/2021)

Spotting Cryptocurrency Investment Scams
Cryptocurrency has gotten lots of attention as a new way to invest. But here’s the thing: scammers are taking advantage of people’s understanding (or not) of cryptocurrency investments, and how they work.
From “Federal Trade Commission” Cristina Miranda (5/17/2021)

Department of Labor Issues Cybersecurity Guidance
The Department of Labor’s Employee Benefits Security Administration today issued long-anticipated guidance on cybersecurity and best practices for protecting retirement benefits. EBSA released three guidance documents, “Tips for Hiring a Service Provider,” “Cybersecurity Program Best Practices” and “Online Security Tips.”
From “Department of Labor” (4/14/2021)

5 New Rules Ransomware Gangs Play By Nowadays
As tech moves ahead in leaps and bounds, cybercriminals are also finding new and more ingenious ways to distribute ransomware and malware, and also how they function. Here are 5 new ways they work.
From “HT Tech” (4/24/2021)

How To Contend With A 21st Century Ransom Note
Financial institutions must be especially keen to these advisories both as a potential target of an attack and potential intermediary of a ransom payment involving a customer.
From “ABA Banking Journal” Matthew White, Alexander Koskey and Emma L. Marion (4/15/2021)

Scammers Target Loved Ones Of Covid-19 Victims
Don’t give your own or your deceased loved one’s personal or financial information to anyone who contacts you out of the blue. Anyone who does that and asks for that information is a scammer.
From “Federal Trade Commission” Seena Gressin (4/13/2021)

Give Yourself Some Credit (Reports)
You want to know that the information on your report is accurate. And if it’s wrong, you want to make sure someone didn’t steal your identity.
From “Federal Trade Commission” Emily Wu (4/08/2021)

New IRS Imposter Scam Targets College Students And Staff
The website asks for personal information, including your name, Social Security number (SSN), date of birth, prior year’s annual gross income (AGI), driver’s license number, address, and electronic filing PIN. Scammers can use or sell this information for identity theft.
From “Federal Trade Commission” Ari Lazarus (4/05/2021)

Bank Loses Customers’ Social Security Numbers After Ransomware Attack
Things don’t get much worse than having to admit to your employees that a gang of cybercriminals have broken into your infrastructure, stolen the private details (social security numbers, names and home addresses) of your staff, and are demanding that your company pays a ransom before further sensitive data is leaked. Well, actually they do.
From “Hot For Security” Graham Cluley (3/25/2021)

How Phishing Attacks Spoofing Microsoft Are Evading Security Detection
In this instance, the customized HTML logo appears in a phony fax notification. Displaying the logo with SharePoint branding, the email contains a link for the alleged notification that says: "Preview or Download Here." Clicking the link briefly takes the user to the China UNICEF site and then redirects to a legitimate web development tool site called CodeSandbox where malware is installed on the computer. The fake table and logo combined with redirects to legitimate sites can trick people into taking the bait.
From “Tech Republic” Lance Whitney (4/28/2021)

Intelligence Leaders Push For Mandatory Breach Notification Law
Wray noted that some type of mandatory breach notification law to encourage the private sector to report cyberattacks would help to “further strengthen the glue between the private sector and the intelligence community and the rest of the government,” which he said would be “the key ingredient to any long-term solution.”
From “The Hill” Maggie Miller (4/14/2021)

Shadow IT Is Your Organization’s Next Remote-Working Nightmare
Employees are increasingly using their own devices and accounts to work from home - largely because it's easier to do so. Yet this rise in 'shadow IT' puts corporate security at risk.
From “Tech Republic” Owen Hughes (3/31/2021)

Corporate Doxing Is On The Rise: Here’s How Hackers Are Doing It And How To Stop Them
Cybercriminals are using a variety of methods to harvest data and turn it against corporations in order to reroute bank transfers, steal paychecks, and perform other nefarious actions. None of them are new, unique or surprising, but they are tricky and can be hard to defend against.
From “Tech Republic” Brandon Vigliarolo (3/29/2021)

Digital Fraud Attempts Up 46% Globally Since Pandemic Began: TransUnion
“Fraudsters can always find identities to buy on the dark web, but they’re now gaining identities through phishing attacks because of COVID. Then, they’re turning around and using stolen credentials at financial institutions – opening credit cards, and going off and buying things,” Gaddis said. “Fraudsters are so good of taking advantage of what’s going on in the world.”
From “Credit Union Times” Natasha Chilingerian (3/25/2021)

OUCH! Newsletter: Identity Theft
Identity theft happens when a criminal steals information about you and uses that information to commit fraud, such as requesting unemployment benefits, tax refunds, or a new loan or credit card in your name. If you don’t take precautions, you may end up paying for products or services that you didn’t buy and dealing with the stress and financial heartache that follows identity theft.
From “SANS” Lenny Zeltser (3/10/2021)

FBI: State And Local Governments Losing Millions To BEC
Attackers are targeting state, local, tribal and territorial (SLTT) government entities, masquerading as vendors and suppliers. They use phishing attacks to hijack email accounts at these companies and send urgent fake invoices to their government clients.
From “Info Security Magazine” Phil Muncaster (3/22/2021)

COVID-19 One Year Later
Unfortunately, some people may take advantage of COVID-19 by using fraudulent websites, phone calls, emails, and text messages. While claiming to offer “help,” they may be trying to trick people into providing Social Security numbers, bank account numbers, and other personal information. Do not divulge your bank or credit card numbers or any other personal information over the phone unless you initiated the conversation with the other party and you know that it is a reputable organization.
From “FDIC Consumer News” (3/19/2021)

Spotting Scammy Emails
Let’s say you get an email about a charge to your credit card for something you aren’t expecting or don’t want. Your first instinct may be to immediately call the company or respond to the email and to stop the payment. Scammers know that, and are taking advantage of it in a new phishing scheme. People tell us they’re getting emails that look like they’re from Norton, a company that sells antivirus and anti-malware software. (Tip: the emails are NOT from Norton.) The emails say you’ve been (or are about to be) charged for a Norton product — maybe an auto renewal or new order. If this is a mistake, the email says, you should call immediately. (Tip: don’t.)
From “Federal Trade Commission” Emily Wu (3/17/2021)

The Financial Fraud Epidemic
According to financial institutions and federal agencies, since COVID-19 began, fraud attempts have as much as tripled, with a wide variety of new scams emerging that prey on those who have been financially hit hard by the pandemic and subsequent closures and shutdowns, people who have become isolated, as well as good Samaritans who want to be helpful to those in crisis. Indeed, the pandemic has provided a greenfield opportunity for cyber criminals, who are playing to bank customers’ concerns about job loss, financial health and community safety.
From “ABA Banking Journal” Karen Epper Hoffman (3/04/2021)

Tax-Themed Phishing Campaign Emerges
In the latest campaign, if the recipients of a phishing message open what's portrayed as a tax-themed Word document, it displays a blurred background as well as “enable editing” and “enable content” prompts, Cybereason says.
From “Bank Info Security” Prajeet Nair (3/16/2021)

How Ransomware Is Evolving As A Threat To Organizations
The double-extortion tactic also gained more traction in 2020. In this type of attack, the criminals threaten to leak the encrypted data publicly unless the ransom is paid. As such, even victimized organizations that have backups of the stolen data may be more willing to pay the ransom to avoid exposure. At least 16 different ransomware variants are now using the double-extortion plot, according to Unit 42.
From “Tech Republic” Lance Whitney (3/17/2021)

Best Practices When Using Video Conferencing Platforms
As for best practices when using video conferencing tools, first and foremost, if you don’t feel secure, don’t share any information that may put you at risk - whether that’s intellectual property, PII, or heck, even pictures of your kids. If you wouldn’t walk around in public showing that type of information, it’s not safe to broadcast over video either. On top of that, it’s the little things that can make a big difference. Always password protect your meetings, never use a personal event link for a public facing meeting, and ensure your service provider encrypts all audio and video transmission - just following these simple tips can help mitigate some of the many attack tools that hackers have at their disposal.
From “Security Magazine” Maria Henriquez (3/15/2021)

Stay Safe Online During Tax Time
Tax season can be a stressful time for many Americans, and scammers are waiting for you to slip up so they can steal your personal information, money and identity. NCSA and the Internal Revenue Service (IRS) want to help you stay safe online while filing your taxes with these best practices, tips, and resources.
From “National Cybersecurity Alliance” (3/09/2021)

OUCH! Newsletter: I’m Hacked. Now What?
No matter how secure you are, sooner or later you may have an accident and become hacked. Below are clues you might have been hacked and if so, what to do.
From “SANS” Maxim Deweerdt (2/03/2021)

It’s 2021: Your IT Security Is Not As Safe As You Think It Is
Now that more companies are using remote and cloud-based technologies to foster work-from-home arrangements, that warning is particularly urgent this year. Based on our experience, we’ve identified seven different security “postures,” which can be ranked in levels. It’s helpful to think about them as if you’re guarding your own home against an intrusion.
From “Forbes” Mitchell Sowards (2/09/2021)

Safety First: Will Insurance Companies Stall Or Accelerate Cybersecurity Progress?
Propelled by the surge of cyber incidents and ransomware attacks, businesses and insurance providers are rethinking and redefining how they engage each other, said Trent Cooksley, chief operation officer at Cowbell Cyber. “In order to maintain a profitable loss ratio, insurers might have to request specific controls on businesses before offering coverage,” he said.
From “SC Media” Teri Robinson (2/08/2021)

Ransomware Fact Sheet
The National Cyber Investigative Joint Task Force (NCIJTF) has released a joint-sealed ransomware factsheet to address current ransomware threats and provide information on prevention and mitigation techniques. The Ransomware Factsheet was developed by an interagency group of subject matter experts from more than 15 government agencies to increase awareness of the ransomware threats to police and fire departments; state, local, tribal, and territorial governments; and critical infrastructure entities.
From “US-CERT” (2/05/2021)

How Much Is Your Info Worth On The Dark Web? For Americans, It’s Just $8
After a data breach or successful phishing campaign, much of the stolen personal information is sold on black markets. Many such marketplaces reside on the dark web. The median credit limit on a stolen credit card is 24 times the price of the card. The median account balance of a hacked PayPal account is 32 times the price on the dark web.
From “Tech Republic” Jonathan Greig (2/08/2021)

Threats Disguised As Online Learning Platforms Surge
Users typically encounter threats disguised as popular video meeting apps and online course platforms through fake application installers, which are often found on unofficial Web sites designed to resemble the real McCoy, or e-mails disguised as special offers or notifications from the platform.
From “IT Web” (2/04/2021)

Fake WhatsApp App May Have Been Built To Spy On iPhone Users – What You Need To Know
In the case of the bogus WhatsApp software, social engineering tricks are used to dupe users into installing configuration files (known as MDM or Mobile Device Management profiles) onto their phones, and these can install unauthorized malicious code onto a device.
From “Bitdefender” Graham Cluley (2/03/2021)

To create a secure home network, you need to start by securing your Wi-Fi access point (sometimes called a Wi-Fi router). This is the device that controls who and what can connect to your home network. Here are five simple steps to securing your home Wi-Fi to create a far more secure home network for you and your family.
From “SANS” Joshua Wright (1/06/2021)

Scam “US Trading Commission” Website Is Not The FTC
Here’s what you need to know. The FTC does shut down scams and return money to people who lost it to dishonest or unfair business practices. But we will never ask for money, or for your bank account, credit card, or Social Security number so that you can get a refund.
From “Federal Trade Commission” Seena Gressin (1/25/2021)

Target For New COVID Scam: Small Business Owners
There’s a new coronavirus-related scam making the rounds, but this time the crooks are targeting small businesses. It starts with an email that claims to come from the “Small Business Administration Office of Disaster Assistance.” It says you’re eligible for a loan of up to $250,000 and asks for personal information like birth date and Social Security number. Let’s do a CSI-style investigation to spot clues that the email is a fake.
From “Federal Trade Commission” Lesley Fair (1/13/2021)

Beware: PayPal Phishing Texts State Your Account Is ‘Limited’
A new SMS text phishing (smishing) campaign pretends to be from PayPal, stating that your account has been permanently limited unless you verify your account by clicking on a link.
From “Bleeping Computer” Lawrence Abrams (1/03/2021)

Ransomware Attackers Are Making Threatening Phone Calls To Their Victims, Warns FBI
As ZDNet reports, the FBI has sent out a PIN (Private Industry Notification) alert to private sector companies warning them that not only are hackers using the DoppelPaymer ransomware in an attempt to extort money from affected organizations, but that they are also making follow-up phone calls to apply further pressure for victims to pay up.
From “Hot For Security” Graham Cluley (12/22/2020)

Get Ready For NCPW 2021!
NCPW is the time of year when government agencies, consumer protection groups, and people like you work together to help others understand their consumer rights and make well-informed decisions about money.
From “Federal Trade Commission” Ari Lazarus (1/21/2021)

Cybersecurity Insurance Has A Big Problem
For companies looking to bring more cyber insurance into their risk management practices — or buy for the first time — a bit of planning is necessary. After all, we’re looking at an environment in which claims are increasing and insurers lack the historical data and overall experience to develop the analytics they’d use in more mature lines of business, such as property. To build up a sufficient amount of cyber insurance, early purchases of smaller amounts with increases over time can help prime the market to grow with the needs of the companies it supports.
From “Harvard Business Review” Tom Johansmeyer (1/11/2021)

How To Level Up Your Cybersecurity In 2021
It’s easy to focus on all the ways 2020 has been a challenging year: the Covid-19 pandemic, a sputtering economy, and (for cybersecurity professionals) an explosion of new and increasingly dangerous cyberthreats. However, we shouldn’t ignore all the ways the changes we’ve witnessed in 2020 — such as the shift to remote work — have actually driven long-overdue reconsiderations of our approaches to communication, collaboration and cybersecurity.
From “Forbes” Zach Schuler (1/11/2021)

We Got Used To SMS Notifications And Phishers Are Capitalizing On It
A rising onslaught of phishing messages delivered via SMS (aka “smishing”) has been hitting mobile users around the world in the last few months. The fake messages impersonate payment, package delivery and streaming services, government and healthcare organizations, popular IT and email providers, online retailers, hospitality organizations, and so on. The attackers’ goal is to get users to share sensitive information either via SMS or by entering it into a spoofed website. The sensitive information the phishers are after includes personal and financial info, online banking and various other account credentials, tax-related information, electronic IDs and associated passwords, etc. Occasionally, the goal extends to getting users to install mobile malware or sign up for pricy services.
From “Help Net Security” Zeljka Zorz (1/08/2021)

OUCH! Newsletter: Securing The Generation Gap
Trying to securely make the most of today’s technology can be overwhelming for almost all of us, but it can be especially challenging for family members not as used to or as familiar with technology. Therefore, we wanted to share some key steps to help secure family members who may be struggling with technology and might misunderstand the risks that come with using it.
From “SANS” Chris Dale (12/02/2020)

Gritzman said to defend against future attacks on mobile devices, users should avoid jailbreaking or rooting any devices, ensure all system updates and app updates take place on time, and obtain apps directly from official app stores.
From “IT Pro” Rene Millman (12/17/2020)

The FBI, CISA, and MS-ISAC assess malicious cyber actors are targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services. Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year. These issues will be particularly challenging for K-12 schools that face resource limitations; therefore, educational leadership, information technology personnel, and security personnel will need to balance this risk when determining their cybersecurity investments.
From “Cybersecurity and Infrastructure Security Agency” (12/10/2020)

If you get a call, text, email — or even someone knocking on your door — claiming they can get you early access to the vaccine, STOP. That’s a scam. Don’t pay for a promise of vaccine access or share personal information.
From “Federal Trade Commission” Colleen Tressler (12/08/2020)

The gang behind the Ragnar Locker ransomware posted an ad on Facebook in an attempt to publicly shame a victim so it would pay a ransom. Security experts say the innovative tactic is indicative of things to come.
From “Bank Info Security” Doug Olenick (11/13/2020)

Data Privacy Day is a global effort — taking place annually on January 28th — that generates awareness about the importance of privacy, highlights easy ways to protect personal information and reminds organizations that privacy is good for business. Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe. Data Protection Day commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Data Privacy Day is observed annually on Jan. 28.
From “National Cybersecurity Alliance” (1/05/2020)

Scammers are calling people and using the names of two companies everyone knows, Apple and Amazon, to rip people off. Here’s what you need to know about these calls.
From “Federal Trade Commission” Alvaro Puig (12/03/2020)

A new Zoom-themed phishing attack is circulating through email, text and social media messages, aiming to steal credentials for the videoconferencing service. The Better Business Bureau (BBB) warned last week that the attack uses Zoom’s logo, and in a message tells recipients that their Zoom accounts were suspended and to click a link to reactivate; or that they missed a Zoom meeting, and to click a link to see the details and reschedule.
From “Threat Post” Lindsey O’Donnell (12/01/2020)

This shift is just getting started. IoT-enabled scams and hacks quickly ramped up to a high level – and can be expected to accelerate through 2021 and beyond. This surge can, and must, be blunted. The good news is that we already possess the technology, as well as the best practices frameworks, to mitigate fast-rising IoT exposures.
From “Security Boulevard” Byron Acohido (11/09/2020)