Dear Client/Website Visitor,
Welcome to this month's Savvy Cybersecurity Tips. This month we continued to see scams related to the Covid-19 pandemic, including ransomware and job fraud. Read on to learn more about those trends, as well as:
- Important security information for online brokerage accounts
- A new FINRA scam targeting advisors
- The state of cybersecurity due to work-from-home policies
- And much more
Hacked! Venmo scam costs $6,500
Cathy saw the text message notification pop up on her phone, and her heart immediately sank. The message was from Venmo, the money transfer and payment app, and it said that someone was trying to use her account.
A minute later, her phone rang. The caller ID displayed Venmo, so Cathy answered. The caller said he was from Venmo and asked Cathy to confirm her name and phone number. He told her that six different transactions had been made on her Venmo account totaling $6,500. Cathy hadn't made any of those Venmo charges.
The caller said he would help her freeze the account; he just needed to confirm her identity by sending a six-digit code to her phone and having Cathy repeat the numbers back. She did, and the caller said he would start the process to freeze her account.
At this moment, Cathy began to feel uneasy about the interaction. She asked the caller if he could wait while she checked in with her husband. But the caller said he needed to freeze the account right away to prevent other transactions from happening. Cathy agreed. She knew her account was linked to her checking account and didn't want to lose any more money.
After they got off the phone, Cathy checked her Venmo account and saw that the six transactions had gone through. Her account was not frozen. She checked her HSBC bank account and saw $6,500 pending. Cathy knew she had been scammed. The code the caller had asked her for was the two-factor authentication code she had set up to protect her account. Instead, it opened the door for the hacker.
Cathy and her husband called HSBC and explained what happened. The bank said it would freeze their account, but three days later, the $6,500 was gone. At the same time, Cathy got an email from a technology store containing shipping information. The hacker had used her Venmo account to purchase laptops and since her email was connected to Venmo, she received the information including the hacker's address. She contacted the company explaining the fraud and asking them to stop the shipment, but it was too late—the items had shipped.
After spending hours trying to contact Venmo, Cathy has not been able to speak to anyone on Venmo's customer service team. Luckily, HSBC did refund her the $6,500 that had fraudulently left her account. And while Cathy never heard from a person at Venmo, she began to see refunds in her Venmo account as well.
Cathy isn't sure how the hacker got into her account, but she had used her Venmo password elsewhere and believes she may have been compromised that way. Sadly, Cathy's story is not unique. She graciously agreed to share what happened to her with me so she could help protect others from a similar fraud.
Despite her experience, Cathy has not written Venmo off forever. She recognizes the convenience of the app but would take security precautions in the future to protect herself. If you have a Venmo account, here are some security actions to take today.
What you can do to protect your Venmo account
- Use a strong password with extra security
Any online account that handles your money needs to be protected with a strong, unique password. Check your Venmo password now and make sure it is not a password you use elsewhere. This password should be used only for Venmo and should contain letters, numbers, and special characters. Use one of Savvy Cybersecurity's recommendations for creating strong passwords.
Also, be sure you create a special PIN for your Venmo account. Every time you open the app, Venmo will ask for the PIN before any transactions can be made. Even if your password is compromised, a hacker would not be able to get into your account without the PIN. To enable this feature, open Venmo and go to your Settings. You can create a 4-digit PIN or use your fingerprint for Touch ID.
When you are not using Venmo, log out of the app to protect your account in case your phone is lost or stolen.
- Make your account private
By default, your Venmo account is set to public—meaning that anyone on the app can see your profile and who you have exchanged money with in the past. This could make you more susceptible to fraud as hackers can use this information to craft text messages that appear to be legitimate.
To make your account private, go to Settings, and then Privacy and Sharing.
- Connect your account to your credit card—not a debit card or bank account
Credit cards offer better protection than debit cards or your bank account if fraud occurs. If fraudulent charges are made with your credit card, you will only be liable up to $50. With your debit card or bank account, your liability depends on when you discover the fraud. For example, two days after the fraud you are responsible for $500, and after 60 days—you are liable for the total amount.
Venmo does charge a 3% fee for using your credit card instead of your debit card but the extra liability protection is likely worth it. If you want to avoid the fee, you can connect your bank account and transfer a certain amount of money to keep in your Venmo account. Once you have done so, disconnect your bank account and use your Venmo account balance for money transfers. Of course, you'll only want to transfer a small amount of money at a time.
- Beware of text messages or phone call scams
While the above actions will make your Venmo account more secure, you must still be on the lookout for scams. If you receive a text message or phone call that appears to come from Venmo, think twice before acting. Venmo has said that it will never contact you to request a password or verification code. If you get a text or phone call, check your credit card statement or bank account before doing anything. If you do think your security has been compromised, you can email email@example.com but do not expect a quick response. In the meantime, do not provide any code or information to the caller, but monitor your accounts instead.
Las Vegas school students had Social Security numbers and class grades released after a district-wide ransomware attack. The Clark County School District refused to pay the ransom after its district network was hit with ransomware. The district will be contacting those students and staff that were affected. Over 300,000 students attend Clark County schools.
Healthcare provider chain Universal Health Services was hit with a ransomware attack this month affecting facilities in California, Florida, Arizona, and other states. Some of its 400 locations found locked computers one morning and were forced to keep patient records by hand. At this time, it does not appear that any patient or employee data was compromised.
Is mail theft on the rise? It is hard to tell. The USPS released data this month showing that mail theft is up 600% over the past three months. However, this data is simply based on consumer complaints and the USPS has no way to track theft. You can read more about the data here.
85% of IT professionals report sacrificing cybersecurity to get remote work up and running quickly. As companies quickly transitioned to work-from-home policies in March, many CISOs had to make quick decisions to allow work to continue. Now, many are seeing cybersecurity issues from those decisions. For example, a quarter of companies reported suffering from ransomware within the first three months of the pandemic. Now is the time for IT and the C-suite to review cybersecurity practices.
Hackers sent malware-infected emails while President Trump was being treated for Covid-19. The emails had the subject line "Recent materials pertaining to the president's illness" and contained a hyperlink to a malicious attachment. If clicked, the recipient would download an Excel spreadsheet and malware. Always remember to E.M.A.I.L.: Examine the Message And Inspect the Links.
FINRA warns members about a phishing email posing as a FINRA survey. The email appears to come from FINRA with the address firstname.lastname@example.org. That domain does not belong to FINRA; any emails coming from that domain should be deleted. You can read more here.
Job scams increase as millions remain out of work. Job seekers report seeing job postings online that seem too good to be true and wind up being scams. For example, Kaitie Gibbs landed a gig as a remote shipping agent. In her role, she would receive packages, replace the label, and ship them. She was supposed to be paid $3,500 but never got the money. Read more about the job scams and what to look for here.
Do you have an online brokerage account? Make sure you are using a strong password. Cybersecurity experts are noting that login information for Robinhood, E*Trade, TD Ameritrade, and others is being sold on the black market. In particular, multiple Robinhood users have reported being locked out of their accounts and having their portfolios drained. Getting the money back has been challenging for many. If you do have an online brokerage account, be sure it is protected with a unique password and two-factor authentication.
Barnes & Noble suffered from a cyberattack affecting its Nook customers. The Nook is the bookseller's e-book reader. During the attack, customers had trouble accessing their libraries and previous purchases. Physical Barnes & Noble locations also had issues with cash registers during this time. Customer email addresses, addresses, and transaction history may have been accessed by hackers during this incident.
Amazon Prime Day brought more than deals this year—experts noted a big increase in phishing emails on Prime Day. Many hackers created fraudulent web pages appearing to be Amazon designed to steal usernames and passwords. Other hackers enticed consumers with fake gift card giveaways.
Adobe: Adobe released an update for Flash Player this month that closes a critical security issue. If you have Flash enabled in your Internet browser, be sure to update that as well. You can read more about the update here.
Microsoft: Over 80 security vulnerabilities are closed with this month's Microsoft updates. About 10 issues are considered critical, including an Outlook bug that causes malware to be downloaded if a user simply previews a malicious email. Be sure your device is updated, and learn more about the patches here.