Tag: securitybytes

For several years now, sporadic attacks that interrupt major networks’ daily programming have been occurring around the world as hackers try to break in and succeed at their digital violence.

In April 2019, the victim was The Weather Channel. The network found itself having to broadcast pre-recorded material while an internal plan to regain channel access was quickly developed and put into place. Because this happened during some peak air morning air time—between 6 A.M. and 7:40 A.M. EDT—a significant number of viewers were affected. Aside from money the network needed to spend on emergency tech measures to get their channel back and rebuild it to a more secure form for the future, this event must have cost them reputation points as it likely didn’t sit well with advertisers.

While the network publicly announced that malware was at play in the attack, there has been speculation about whether this was the result of ransomware. With ransomware, the disruptive effects of malicious software persist until a specified amount of money has been paid. And although the malware attack itself may seem senseless, this stands as a good opportunity for your business to take some precautions to protect itself.

1. Back-up your machines and networks. Having multiple layers of back-ups in place—both locally as well as in the cloud—can help easily restore your systems should a ransomware attack strike. Part of this also includes making sure you set back-ups to happen regularly; this ensures that you have fixed and reasonably recent recovery points to draw upon in the event of an emergency.
2. Break up network access by different machines and user groups. Odds are that very few users if any need to have access to everything in the business; why leave full access open to anyone? They’d be a source of major vulnerability since, should a hacker gain access to their account, everything would be up-for-grabs. Leveraging the limited access of specific user groups or permissions helps contain an attack should one arise, and prevent damage from spreading business-wide. You and anyone on your team might be the exception to this in that you all need total access to be possible somehow. Fortunately, you can always construct a solution, such as several different administrative users with limited permissions, to give you the tools you need for your job while still maintaining high security.
3. Train employees and enforce best practices. Make sure that everyone working at your business understands what steps they can take to protect their computers from hackers as well as how some of the most common types of threats work. Empower your people to set up strong passwords and to know when to trust an attachment or link. Make sure they follow through on some of these precautions by requiring them to take measures such as setting up multi-factor authentication on their accounts. Don’t let weak security be a possibility!
4. Install software to secure your machines and scan for attacks—and make sure you keep it up-to-date. First off, you want to try to make sure your machines and networks are fortified against attacks. Use a well-constructed firewall as a central part of your protection plan. But don’t rely entirely on a strong structure to protect your business, particularly given how rapidly tech evolves. Make sure you have systems in place that anticipate vulnerabilities and keep an eye out for attacks. Some businesses even opt for honeypots, which are like dummy vulnerabilities to bait potential attackers and keep a digital weathervane in place to tell if hackers are likely to try something. Regularly update these scanning tools to ensure they are up-to-speed with the latest hacker trends and potential aggressors.

Malware attacks cost businesses large amounts of money, accounting for as much as about one-third of global cyber attack costs in recent years. In fact, cybercrime in the United States is estimated to cost enterprise companies an average of $27.4 million per year, a number that is only continuing to climb over time. If you’ve been fortunate enough to not experience any recent spikes in malware attack attempts, don’t let that lull your business into a false sense of security. After all, 85% of companies polled had experienced a social engineering or phishing attack in the past year, while 75% had at least one web-based attack. Regardless of your company’s size, remaining vigilant for possible threats and attacks is important to ensure that daily business operations can continue to flow as usual, uninterrupted and uncompromised.

The Tallahassee Democrat reported on April 5^th that a large sum of money had been stolen from the city of Tallahassee’s employee payroll. The perpetrator is suspected to be a foreign hacker.

What was stolen in the hack?

The breach diverted approximately $498,000 from the city payroll account. Still, all city employees have received their earned paychecks. This hack was the second time in less than a month that a breach of city security had occurred.

How did the attack occur?

The city of Tallahassee employs an out-of-state third-party vendor to host their payroll services. Their employees should be paid regularly through direct deposit. However, a foreign hacker apparently targeted this third-party vendor, effectively redirecting the direct deposits to their own accounts.

The city of Tallahassee found out about the breach when their bank alerted them. Of course, employees found out simultaneously when they awoke to realize they had not been paid on payday.

Is there any way to get the money back?

In the majority of large-scale hacks, stolen funds or data is difficult or impossible to retrieve. Still, with help from their bank, the city of Tallahassee has managed to recoup approximately a quarter of the stolen money.

They continue to pursue criminal charges against the hackers with the aid of law enforcement and their insurance provider as well.

How do cyber attacks like these occur?

Successful cyberattacks usually start with some form of email hack. This is usually achieved through phishing.

In fact, before the most recent hack of the city of Tallahassee, an email had been sent out that appeared to be from the City Manager. It was actually from an outside hacker who had included a virus disguised as a Dropbox link in the email.

While it is not suspected that this email was related to the stolen payroll funds hack, this does happen. “Phishing” emails can help hackers procure useful information about accessing in-network files and accounts.

How can you prevent hackers from attacking your business?

Large municipalities such as Tallahassee City are increasingly being targeted in cyber attack thefts. But the truth is, any business — or individual, for that matter — can fall prey to a cyber attack.

Unfortunately, the retrieval rate on hacking thefts is not high, meaning that prevention is key. The best way to prevent a hack is to prevent phishing, as this is how most hackers access your systems and accounts.

Make sure that everyone on your staff is keenly aware of what to look for in terms of phishing emails. When in doubt, suspicious emails should be left unopened. Or, at the very least, links should not be clicked, and personal or account information should never be handed over unless it’s sure the request is legitimate.

It’s also important for businesses to employ the services of a reputable and experienced IT services provider. Look for one who specializes in cybersecurity and has experience dealing with hacking prevention.

In previous years, the first clue that your corporate email has been compromised would be a poorly-spelled and grammatically incorrect email message asking you to send thousands of dollars overseas. While annoying, it was pretty easy to train staff members to see these as fraud and report the emails. Today’s cybercriminals are much more tech-savvy and sophisticated in their messaging, sending emails that purport to be from top executives in your organization, making a seemingly-reasonable request for you to transfer funds to them as they travel. It’s much more likely that well-meaning financial managers will bite at this phishing scheme, making CEO and CFO fraud one of the fastest-growing ways for cybercriminals to defraud organizations of thousands of dollars at a time. Here’s how to spot these so-called whaling schemes that target the “big fish” at an organization using social engineering and other advanced targeting mechanisms.

What Are Whaling Attacks?

Phishing emails are often a bit more basic, in that they may be targeted to any individual in the organization and ask for a limited amount of funds. Whaling emails, on the other hand, are definitely going for the big haul, as they attempt to spoof the email address of the sender and aim pointed attacks based on information gathered from LinkedIn, corporate websites and social media. This more sophisticated type of attack is more likely to trick people into wiring funds or passing along PII (Personally Identifiable Information) that can then be sold on the black market. Few industries are safe from this type of cyberattack, while larger and geographically dispersed organizations are more likely to become easy targets.

The Dangers of Whaling Emails

What is particularly troubling about this type of email is that they show an intimate knowledge of your organization and your operating principles. This could include everything from targeting exactly the individual who is most likely to respond to a financial request from their CEO to compromising the legitimate email accounts of your organization. You may think that a reasonably alert finance or accounting manager would be able to see through this type of request, but the level of sophistication involved in these emails continues to grow. Scammers include insider information to make the emails look even more realistic, especially for globe-trotting CEOs who regularly need an infusion of cash from the home office. According to Kaspersky, no one is really safe from these attacks — even the famed toy maker Mattel fell to the tactics of a fraudster to the tune of $3 million. The Snapchat human resources department also fell prey to scammers, only they were after personal information on current and past employees.

How Do You Protect Your Organization From Advanced Phishing Attacks?

The primary method of protection is ongoing education of staff at all levels of the organization. Some phishing or whaling attacks are easier to interpret than others and could include simple cues that something isn’t quite right. Here are some ways that you can potentially avoid phishing attacks:

• Train staff to be on the lookout for fake (spoofed) email addresses or names. Show individuals how to hover over the email address and look closely to ensure that the domain name is spelled correctly.
• Encourage individuals in a position of leadership to limit their social media presence and avoid sharing personal information online such as anniversaries, birthdays, promotions and relationships — all information that can be leveraged to add sophistication to an attack.
• Deploy anti-phishing software that includes options such as link validation and URL screening.
• Create internal best practices that include a secondary level of validation when large sums of money or sensitive information is requested. This can be as simple as a phone call to a company-owned phone to validate that the request is legitimate.
• Request that your technology department or managed services provider add a flag to all emails that come from outside your corporate domain. That way, users can be trained to be wary of anything that appears to be internal to the organization, yet has that “external” flag.

There are no hard and fast rules that guarantee your organization will not be the victim of a phishing attack. However, ongoing education and strict security processes and procedures are two of the best ways to help keep your company’s finances — and personal information — safe from cyberattack.

Great news! You’ve posted a batch of pricey items from your business on Craigslist, and someone has offered to purchase the lot. However, when you receive the check you realize it’s not for precisely the right amount. Perhaps you contact the seller to get a revised check — and they are so accommodating that they trust you to deposit the full amount and then wire them the difference. You’ve sold your excess inventory or goods and have payment in hand, so where’s the concern?

Unfortunately, this all the hallmarks of a traditional fake check scam. Selling online is one of the three scenarios where you are most likely to find a check scammer, but it pays to always be aware that this could be a possibility. Fake checks are rampant in today’s culture, with scammers making off with millions of dollars on a regular basis. The Better Business Bureau (BBB) estimates that over 500,000 Americans are the victims of swindles involving counterfeit checks, costing each victim an average of $1,200.

How Fake Check Scams Work

First of all, there really isn’t a legitimate reason for someone to ask you to wire money back to them after handing you a check. None. If someone requests this of you, your first thought should be that there is something fishy going on — whether it’s a business or personal situation. The checks that these individuals will pass to you look completely real; even cashier’s checks that portend to be certified by a bank. Unfortunately, you’re responsible for funds from the check that you’ve deposited. This means that you will be liable for the entire amount that you wire to the criminals. Some variations of fake check scams include:

• Foreign lottery: Congratulations! You’re the winner of a (fake) lottery. Here’s your prize money!
• During the job application process you’re asked to submit a check for an application fee.
• An online buyer requests you to set up an account for them to deposit payments into

Scammers are taking advantage of your trusting nature — something that you simply cannot afford to have in today’s society.

Your Liability With a Fake Check Scam

You might think that your liability is limited in the event of a fake check scam, but the opposite is true. While your bank may make deposited funds available to you immediately or within a few days, they are simply acting in good faith that the funds are available from the check you’ve deposited. When it turns out that the check is fraudulent, by federal law you are responsible for any funds that are withdrawn against the check. It often takes weeks to untangle the conspiracy around a fake check, and banks are perfectly within their rights to withhold funds from your use to equal the amount you’ve overdrawn during that period.

Protecting Yourself from Fake Check Scams

Other than simply never accepting a check, there are a few ways to stay safe from this particular type of fraud. Any offer that asks you to submit payment to receive a prize or gift should be immediately tossed. It’s always a good idea to limit how and where you are wiring money — both personally and as a part of your daily business dealings. It’s never a good idea to accept payments that are greater than the amount you’ve requested for a particular online sale, and consider using an escrow service or other third-party payment strategies for more substantial online sales. When you’re working with a new vendor for the first time, it doesn’t hurt to quickly check out their customer service number and even Google their location to ensure that it is on the up-and-up. Avoid any exceptional offer that purports to only be available for a “limited time,” where the buyer is putting extensive pressure on you to act immediately. These are rarely legitimate, and can cause you much more frustration in the future.

The hard fact is that scammers are everywhere, and if something seems too good to be true — it probably is! If you think you have been a victim of a counterfeit check scam, you can report the issue to several government agencies including: U.S. Postal Inspection Service, the Federal Trade Commission and local authorities. Even though it may not save you from losing any funds, you can potentially stop the fraudsters from targeting others in the future.

What is ransomware?

Ransomware is an unusual type of threat because it holds your files for ransom while leaving your systems essentially otherwise operational. A piece of malicious software enters your network and applies an encryption algorithm to your computer files, rendering them unavailable. The files are still there, and you can see them in a file structure, but you will not be able to open them with any program. Additionally, ransomware affects not just the device you are using, but any connected storage devices and mapped network drives. As a result, this type of malware poses a serious threat to your information systems. One infected device can bring your operations to a standstill. The person or group behind the attack provides information as to how to submit a payment, and in exchange, they will provide the decryption key. The attackers demand payment in some form of cryptocurrency, in order to maintain anonymity.

Some victims of ransomware attacks have not been confident in the integrity of their data backups and have paid the ransom to obtain the decryption key, and others have paid the ransom and obtained a key which did not decrypt the files. Both situations can be very expensive to your business.

How does ransomware gain entry to my network?

The purveyors of ransomware can inject the malware into seemingly innocuous documents, like invoices or estimates, or they can use internet links in an email to direct a user to a site that automatically starts a download and installation of the program. Documents containing macros provide an excellent opportunity to run the installer package without requiring direct interaction from the user. Some forms of ransomware take advantage of unpatched and unsolved vulnerabilities in the configuration of your devices and systems.

What are the most effective steps I can take to protect my business?

1. Deploy updates and patches in a timely manner. The operating system and application patches should be tested as soon as they are available, and applied to your systems as soon as your team can verify compatibility. Patching vulnerabilities will reduce the number of ways ransomware can execute itself in your systems.

2. Ensure that your technology team has an effective backup and restore process, and that they are able to fully test a restore from backup. Having a backup and restore procedure that you have validated will allow you to return your business to normal without paying an exorbitant ransom, still running the risk of not being able to decrypt the data.

3. Know the devices on your network and implement the same security procedures on any employee-owned devices touching your network that you have implemented on your business-owned devices. Maintain separate profiles on mobile devices, if possible, allowing only the business-facing profiles access to your network.

4. Disable SMB v1 on all devices on your network. SMB v1 is an outdated protocol and was the window that the creators of WannaCryRansomware exploited a few years ago. There may be some favorite processes that fail with the disabling of this protocol. If this is the case, you will need to perform a risk assessment against the cost you will incur with a ransomware attack.

5. Ensure that all your employees understand the hazards of active content like macros, and that they exercise caution in using them. Train them as well not to execute macros on documents received from external sources. Common documents like invoices do not need macros enabled, and in fact, such documents should be saved without active content before sending. If necessary, ask your vendors to send only documents without active content. Ensure as well that the appropriate teams understand the billing and payment cycles, and that they become suspicious of out-of-cycle documents and requests.

6. Train employees to be extremely cautious about clicking on links in emails. Messages with links unrelated to your line of business, messages themselves unrelated to your line of business, and messages with spelling and grammar errors should raise suspicions. Your employees should also not use links in emails to connect to websites of business contacts unless the employees have verified with the sender that the link is expected, and an explanation of the necessity of the link. When calling contacts to verify the validity of links in emails, employees should use their own contact source, such as a corporate address book, rather than a phone number in the message that contains the link. A message with a malicious link may also contain a compromised phone number.

Can I recover from a ransomware attack?

Possibly, but it will not be a pleasant process. Your best chance of recovery is a restore from a backup, and you will lose the records of transactions that occurred since the last iteration of your backup process. As explained above, paying the ransom may or may not produce a working decryption key. Attackers inexperienced in encryption and decryption have provided decryption keys which failed to release the files back to the owner. Prevention is going to serve you much better than hoping for a recovery, so take the necessary steps now to reduce the likelihood of infection.

On January 22, 2019, The U.S. Department of Homeland Security, DHS, Cybersecurity and Infrastructure Security Agency, CISA, issued an emergency directive. This emergency directive was put into place to address ongoing problems and issues associated with global Domain Name System, or DNS, infrastructure tampering. As a business owner or executive in charge of a business, you may have many questions about this and how it can affect your business. Here is what you need to know about DNS infrastructure tampering.

What is DNS Infrastructure Tampering?

DNS infrastructure tampering involves techniques that allows an attacker access to your DNS. They are able to compromise a users’ credentials, allowing them to make changes to DNS records. Once the records are changed and altered, it allows an attacker the ability to access and intercept many things related to the network, including but not limited to your web address, your mail traffic and web traffic. An attacker can take that information and redirect incoming traffic to an unsafe website that may contain viruses or may collect information about your customer or business. When the attacker accesses your DNS, they also have access to encryption certificates, which allows certain information to be decrypted. And unfortunately, since the certificate is valid, your users will receive no error warnings that the certificate is outdated, so they may feel safe putting in personal information.

How Can DNS Infrastructure Tampering Affect Your Business?

When an attacker tampers with your DNS infrastructure, they basically hi-jack your website. They can control incoming traffic, control where that traffic goes, and see personal information, such as names and credit card numbers. Unfortunately, if your page is hijacked, you have to tell your customers that their personal information may have been compromised, which reflects poorly on you. Your customers and clients expect you to keep your page safe for them, and if you fail to do so, it can be detrimental to your business.

How Can You Protect Your Business From DNS Infrastructure Tampering?

It can be difficult to determine if your DNS infrastructure has been tampered with unless you take the time to carefully review your DNS certificates. It is recommended that you take the time to audit your DNS records, change your DNS account passwords to more complex passwords and add multi-factor authentication to all of your DNS accounts. This should be done within 10 days, as the threat level for DNS infrastructure tampering is so high. This should also routinely be done in the future to ensure your DNS certificates have not been tampered with.

DNS infrastructure tampering can create a security threat to your business. It can negatively affect your business website, and any websites that those within your business frequently visit and interact with. Fortunately, there are steps you can take to help decrease the risk of DNS infrastructure tampering and protect your business. Having the right IT team in place and learning about security threats is imperative to keeping your business safe from threats at all times.

In March 2018, Alabama and South Dakota passed laws mandating data breach notification for its residents.

The passage meant all 50 states, the District of Columbia and several U.S. territories now have legal frameworks that require businesses and other entities to notify consumers about compromised data.

All 50 states also have statutes addressing hacking, unauthorized access, computer trespass, viruses or malware, according to the National Conference of State Legislatures (NCSL). Every state has laws that allow consumers to freeze credit reporting, too.

While those milestones are notable, there are broader issues when it comes to legislative approaches to cybersecurity across the United States. There are vast discrepancies and differences among states when it comes to cybersecurity protection.

What Laws Are on the Books About Cybersecurity?

In 2018, there were more than 275 cybersecurity-related bills introduced by state legislatures in 33 states, Washington, D.C., and Puerto Rico. The legislative action covers a broad range of cybersecurity topics, including:

• Appropriations
• Computer crime
• Election security
• Energy and critical infrastructure security
• Government and private-sector security practices
• Incident response remediation
• Workforce training

For companies, especially those that work across state lines, the variances among state laws creates a challenge in tracking requirements and remaining legally compliant.

For example, while most states require immediate notification of a data breach “without unreasonable delay,” the deadlines are varied. Nine states require notification within 45 days, South Dakota allows 60 days and Tennessee allows as many as 90 days. In addition, most states require written notification while some allow for notification via telephone or electronic notice.

While states have focused much of their recent legislation on data privacy, there are many other components of cybersecurity. Again, there is no uniformity. In fact, most states do not have laws about other important cybersecurity issues:

• Half the states have laws addressing denial-of-service attacks.
• Just five states explicitly cite ransomware in statutes.
• Phishing laws are in place in 23 states and Guam.
• Twenty states, Guam and Puerto Rico have laws regarding spyware.

While broader laws addressing malware or computer trespass may be used to prosecute some of these attacks, the discrepancies further illustrate the different approaches and terminology states use.

What States Have Strong Data Privacy Laws?

Here are a few examples of states that have strong legal provisions within their cybersecurity and privacy laws:

• Arkansas. Parental consent is required before student information can be shared with government agencies.
• California. The state passed sweeping data privacy laws in 2018 requiring businesses to inform consumers of what personal information is being collected, disclosed or sold. The law, which goes into effect in 2020, contains provisions giving consumers the right to opt out of having their data sold to a third party. California is the only state with a constitutional declaration that data privacy is an inalienable right.
• Delaware. Recently passed laws restrict advertising to children and protect the privacy of e-book readers.
• Illinois. The state is the only one to protect biometric data.
• Maine. It’s the only state that prohibits law enforcement from tracking people using GPS or other geo-location tools on computers or mobile devices.
• Utah. The state is one of only two that requires ISPs to obtain customer consent before sharing customer data.

What States Have Weak Data Security Laws?

Despite the growing legislative controls on cybersecurity issues and public expectation for data privacy, there are many states that have laws that are lacking, including:

• Alabama. There are no laws on the books that protect the online privacy of K-12 students.
• Mississippi. To date, no laws exist that protect employee personal communications and accounts from employers.
• South Dakota. Companies can retain personal information on employees indefinitely.
• Wyoming. Employers can force employees to hand over passwords to social media accounts.

How Long Does a Company Need to Retain Personal Identifying Information?

Many companies struggle knowing when or if to hold onto personal information on consumers. The challenge is that laws vary greatly from state to state. As of January 2019, according to the NCSL, only 35 states have laws requiring businesses or government entities to destroy or dispose of this data at all.

Of those 35 states:

• Only 14 require both businesses and government agencies to destroy or dispose of data.
• Virginia requires government agencies only but excludes businesses.
• Nineteen states do not require government agencies to dispose of or destroy personal information.

Where Is the Federal Government in Cybersecurity?

The federal government has many laws and rules regarding cybersecurity, from HIPAA to the Cybersecurity Information Sharing Act, which allows for the U.S. government and technology or manufacturing companies to share Internet traffic information.

Other proposed legislation has hit some roadblocks. Take the Data Acquisition and Technology Accountability and Security Act, which would have established a national data breach reporting standard. State attorneys general strongly opposed the legislation, introduced in March 2018. The 32 state AGs argued that the bill would weaken consumer protections, make state laws stronger, and exempt too many companies.

For companies, the variances from state to state present a complex technical challenge. To remain compliant, they need policies, tools and solutions that ensure data is protected and secure.

Managed service providers (MSPs) offer a powerful option to address many data issues. MSPs provide cloud-based, off-site, secure data storage and automated backups. Data, systems and networks are monitored 24/7 to detect and remove unwanted activity. The advanced firewalls, enterprise-strength anti-virus tools and employee education that MSPs provide help maintain compliance and keep data safe from the attacks that trigger responses.

The growth of state legislation to address cybersecurity issues is welcome. The challenge for companies is finding a reliable solution that allows for responsive and responsible action.

Is someone out there pretending to represent your business to make money? Don’t laugh. It happens. Business identity theft is a growing concern for many companies across the US. According to a recent study by Dun & Bradstreet, business identity theft, also called commercial or corporate identity theft, was up 46 percent in 2017.

The CEO, Mary Ellen Seale, of The National Cybersecurity Society (NCSS) said, “Small business identity theft – stealing a business’s identity to commit fraud, is big business for identity thieves.” However, too few businesses, especially smaller businesses, are aware of the issue. In 2018, the NCSS published “Business Identity Theft in the US” to help publicize the problem, and to provide guidance on how companies can help protect themselves.

Which Types of Businesses Are Targeted by Business Identity Theft?

Corporate identity theft is not just a problem for large corporations or companies operating in a particular industry. It is a crime that can affect any-sized business from tiny Mom and Pop shops on Main St. USA to multinational companies who are involved in any commerce:

• Small companies are usually the initial victims of identity theft since these companies tend to have more lax security in place and are less likely to realize their information is at risk. However, that doesn’t mean that larger companies are immune from having a criminal steal their identity. Plenty of larger businesses have their identities stolen each year.
• Corporate identity thieves use the name and legitimate business information of customers of large vendors’ customers to trick them into fulfilling orders. Busy vendors who fail to put into place procedures to verify whether an order is genuine can end up losing millions of dollars a year to these scams.
• Criminals masquerading as a legitimate business deceive financial institutions to open credit card accounts, establish lines of credit, send or receive wire transfers, and secure loans.
• The list of victims of corporate identity theft even extends to the US government when criminals use stolen company credentials to claim tax refundable tax credits or to exploit other government benefits for corporations.

How Do Thieves Steal a Corporation’s Identity?

Criminals who steal the identities of businesses have a wide range of methods ranging from very simplistic to highly sophisticated. Many lower level identity thieves focus on email phishing scams which target employees of the company in an attempt to gain confidential information such as database passwords or HR records. Other simple scams use spoofed email accounts of company executives to trick vendors and clients of a company into believing they are communicating with someone from the company. Slightly more advanced scams can include setting up an unsecured WiFi network in near a company in hopes that employees will use it to conduct business and then stealing the data.

More sophisticated scams can include dozens of people, building fake websites, using shelf companies, social engineering and even renting office space at the same location as the targeted company. The goal of these higher level scams is typically to create a plausible “Proof of Right” which the thieves can then use to secure fraudulent loans, masquerade as the company in a business deal, or even sell company assets.

How Can You Protect Your Company From Identity Theft?

While there is no way to protect your company completely from identity theft, you can make it harder for cybercriminals by maintaining proper data protection procedures.

• Train your staff. Teach your staff how to recognize phishing scams and how to verify when an email is from a legitimate source. Establish procedures on how to handle data correctly, and have a data loss prevention plan in place including a ‘clean desk’ policy.
• Secure your network. Add additional security to your networks and ensure that everyone is using secured servers. Avoid using a ‘master account’ which allows access to your entire network to limit data breaches. Require two-factor authentication.
• Monitor your financial information. Check your company’s credit report regularly to ensure that there aren’t any unexpected changes such as credit applications or new accounts.
• Consider hiring a company to help prevent corporate identity theft. An outside security company is one of the best ways to protect your corporate identity from scammers.

Amazon is a gigantic player in online sales. It’s estimated that the Seattle-based online e-commerce site will be responsible for roughly 50% of all digital sales during the 2018 holiday season, one of the busiest shopping times of the year in the United States. In other words, one out of every two people shopping during the holiday season will buy something from Amazon.

But Amazon’s very ubiquity has made it a tempting target for cybercriminals and thieves. It’s also widely trusted by consumers, who benefit from the online retailer’s wide choice and speedy deliveries. As a result of the many sales made through Amazon and the trust it has engendered among its customers, scam artists are targeting Amazon shoppers.

A Scam That Sends Fake E-Mail

The most recent scam sends an e-mail to an Amazon shopper telling them that their password needs a reset. One of the most notable elements of the scam is that the e-mail looks very official, using Amazon’s logo. It tells the targeted Amazon shopper to enter their Amazon user ID and new password directly from the e-mail.

But it isn’t Amazon that receives the new password. It’s the cyberthieves who set up and sent the e-mail. Once the target enters the information in response to the scam e-mail, the cyberthieves have the information to their Amazon account.

The thieves often set up Amazon gift cards for themselves, so that they have cash to be spent on Amazon. The gift cards are sent to their e-mail accounts, so they can use it before any theft is noticed. If the target customer has a credit card or debit card associated with their Amazon account, as most people do, the scam artists may shop until the cards are maxed out.

There are several variants to the scam. Sometimes, the cyberthieves set up the e-mail to say that new shipping information is needed or that there is a problem with an existing order.

But in all cases, a crucial element is the same. The e-mail looks official, and asks that the customer’s ID and password be entered directly from the e-mail. Entering it from the e-mail is what allows the cybercriminals to capture the user’s information and use it for themselves.

What Amazon Customers Should Do

Amazon customers need to be aware of the scam. They should never enter any of their account information in response to an e-mail about a problem with an Amazon order. For that matter, they should never enter any account information, of any type, in response to any e-mail, including debit card or credit card information.

If you get an e-mail like this, log out of your e-mail and log in to your Amazon account directly from the company’s web page, www.amazon.com. That page always has up-to-date information on your account and your orders. Customers will be able to see if there is any concern with their orders or shipping address.

If customers do need to change their log-in information, they should always do it directly on the Amazon site, not in response to an e-mail.

Finally, the Amazon site has a “take action” section on their website giving direct information on how to handle suspicious e-mails and scams by cyberthieves purporting to be Amazon. To access the section, click here.

The latest scam is easy to protect against. Customers should never respond to e-mails that look as if they’re from Amazon but always go directly to the Amazon website.