November 2021 Cybersecurity News
Dear Sir or Madam,
This month we'll be talking about staying safe on Venmo. Read on for more information on that, as well as:
- The major Robinhood data breach
- A sneak peek at what cybersecurity will look like in 2031
- And much more
Unexpected money on Venmo? Be cautious
A few weeks ago I received a text from a friend, "A stranger just sent me $400 on Venmo. They requested it back. What should I do?" I had found myself in this situation before, except I was the person who accidentally sent the funds. It was only about $35 for a lunch and once I messaged the stranger, they kindly sent it back to me. The process of requesting money back from Venmo itself can be cumbersome so I was thankful to this person. And while I write about cybersecurity, I never considered the idea that this stranger may have thought I was a scammer.
So when my friend texted me, my initial reaction was that the person made an honest mistake as I did. But after about five seconds, I thought again—"$400 isn't an insignificant amount of money. Is she being scammed?"
I started to do some research and came across headlines such as:
- Scam Alert: This Venmo Scam Sends You Money “by Accident”
- Did someone unknown accidentally send you money on Venmo? Don't send it back right away
What is happening in these scams? According to the Better Business Bureau, people are using stolen credit cards to transfer money to random Venmo users. Then, they message the user saying it was an accident and asking them to send the money back. Once you send the money back to the scammer, they will delete the stolen credit card from their account and add their own card in its place so they receive the money. Eventually, the stolen funds will be removed from your account, and you will be out of that money.
But what does Venmo recommend in this situation?
"If you receive a payment from a name you don’t recognize, you can simply send the payment back to that user with a note explaining that they paid the wrong person. If you receive a payment request from a stranger, you can decline the request.
Remember: When you pay someone on Venmo, that person does not have access to the payment method you used (for example: your bank account information or your debit card number). In other words, when you pay them back, you won’t be sharing any new information with them, aside from whatever you write in the payment note."
And it recommends that the sender does the same thing. When it comes to support from Venmo, the company says, "If you don’t hear back from them or need help sending a charge request, contact our support team and we’ll do our best to help. While we cannot guarantee we’ll be able to help recover the money, if you reach out to us, we can provide any available options."
What did I recommend?
Before giving any recommendation to my friend, I told her to immediately disconnect her bank account from Venmo and leave the $400 in her Venmo balance. I've written about this best practice in a past newsletter. I wanted to be sure there was no way anyone could access her bank account if she was being scammed.
I also advised her to look at the stranger's Venmo profile. Did it look like a real person? I wouldn't recommend making a decision solely based on this, but if the profile looked off, it would help make a decision. In this case, it really did appear to be a real person who made a mistake.
After talking, we decided she should tell the person to reach out to Venmo for the money back. If they did nothing, we'd regroup and think again about what she should do. She messaged the stranger and told her she wasn't going to deposit the money in her account and asked her to contact Venmo.
A few days later, my friend got a notification that Venmo was taking the $400 back as the payment was a mistake. We were both relieved that the situation was resolved and that Venmo's support team was actually helpful.
A Venmo reminder
While peer-to-peer payment apps like Venmo are very convenient, they can be a playground for scammers. It is important to take steps to protect yourself and your money on these apps. Here are some Venmo best practices:
- Use a strong password with extra security
Any online account that handles your money needs to be protected with a strong, unique password. Check your Venmo password now and make sure it is not a password you use elsewhere. This password should be just for Venmo and should contain letters, numbers, and characters. Use one of Savvy Cybersecurity’s recommendations for creating strong passwords.
Also, be sure you create a special PIN for your Venmo account. Every time you open the app, Venmo will ask for the PIN before any transactions can be made. Even if your password is compromised, a hacker would not be able to get into your account without the PIN. To enable this feature, open Venmo and go to your Settings. You can create a 4-digit PIN or use your fingerprint for Touch ID.
When you are not using Venmo, log out of the app to protect your account in case your phone is lost or stolen.
- Make your account private
By default, your Venmo account is set to public (this is changing soon)—meaning that anyone on the app can see your profile and who you have exchanged money with in the past. This could make you more susceptible to fraud as hackers can use this information to craft text messages that appear to be legitimate.
To make your account private, go to Settings, and then Privacy and Sharing.
- Connect your account to your credit card—not a debit card or bank account
Credit cards offer better protection than debit cards or your bank account if fraud occurs. If fraudulent charges are made with your credit card, you will only be liable for up to $50. With your debit card or bank account, your liability depends on when you discover the fraud. For example, two days after the fraud you are responsible for $500, and after 60 days you are liable for the total amount. Venmo does charge a 3% fee for using your credit card instead of your debit card, but the extra liability protection is likely worth it. If you want to avoid the fee, you can connect your bank account and transfer a certain amount of money to keep in your Venmo account. Once you have done so, disconnect your bank account and use your Venmo account balance for money transfers. Of course, you’ll only want to transfer a small amount of money at a time.
- Beware of text messages or phone call scams
While the above actions will make your Venmo account more secure, you must still be on the lookout for scams. If you receive a text message or phone call that appears to come from Venmo, think twice before acting. Venmo has said that it will never contact you to request a password or verification code. If you get a text or phone call, check your credit card statement or bank account before doing anything. If you do think your security has been compromised, you can email firstname.lastname@example.org but do not expect a quick response. In the meantime, do not provide any code or information to the caller, but monitor your accounts instead.
Robinhood breach exposed information on seven million people. The popular stock-trading app, Robinhood, announced that it has experienced a data breach. According to Robinhood, the hacker accessed information on seven million people and tried to extort the company. This breach provided access to 5 million email addresses and two million full names with more having additional information such as zip codes and dates of birth exposed. Read more about the breach here.
U.S. charges two Iranians with attempt to interfere in the 2020 Presidential Election. Authorities recently accused two Iranian nationals of engaging in voter intimidation and election interference during last year's U.S. presidential election. The two were charged for cyber-related criminal activity that included posing as the domestic far-right group Proud Boys to send threatening emails to select voters and obtain confidential voter information in the state of Alaska. You can read more about the indictment and the charges here.
K-12 schools are a leading target for ransomware attacks. While cyberattacks on large companies get the most media attention, K-12 school districts have been quietly becoming the lead target of ransomware attacks. The FBI has said that the "need for schools to rapidly transition to distance learning likely contributed to cybersecurity gaps, leaving schools vulnerable to attack." Read more about the cyber threat K-12 schools currently face here.
What will cybersecurity look like in 2031? The need for cybersecurity innovation will rapidly increase over the next 10 years as cloud technology will make it faster, cheaper, and easier than ever to put services online and to collect a huge amount of data, says Troy Hunt, a cybersecurity speaker and trainer. Some of the top cybersecurity experts break down what the next 10 years look like for cybersecurity.
Biden Administration mandates cybersecurity action. Recently, the Biden administration issued a sweeping new order that mandates nearly all federal agencies patch hundreds of cybersecurity flaws that have been considered major security risks. One of the broadest cybersecurity mandates to ever be imposed on the federal government, it covers around 200 known security flaws discovered between 2017 and 2020. Read more about the order here.
Healthcare systems need to make cybersecurity a top priority. Back in August, McAfee researchers found vulnerabilities in a widely used infusion pump that could allow hackers to change a patient's medication dosage. The U.S. Department of Health and Human Services found that nearly 60% of the ransomware incidents it was tracking globally affected the U.S. health field. However, even with this threat, cybersecurity still does not top most healthcare leaders' priority list. Less than 11% named cybersecurity as a high-budget priority.
Passwords are not enough – it's time to implement simple practices to avoid mistakes. Many security breaches are caused by simple failures. Now, relying on usernames and passwords alone is not enough. Multifactor authentication (MFA) isn't always easy, but it can prevent roughly 99.9% of account compromises. But why do many companies not use MFA? It usually comes down to not being convenient for their employees. It's crucial to take the time to implement some easy security practices and to avoid simple mistakes – it could make all the difference.
Microsoft: Over 50 security vulnerabilities were patched in this month's Microsoft update. Some of the issues are considered "zero-day bugs," meaning they are already being exploited by hackers. The updates affect Microsoft Office, Microsoft Exchange Server, and other software. Your device should prompt you to update. You can read more about the updates here.