Congress Just Made It Easier for You to Get Scammed 

I hope you like jail food. Because if you own a small business or you have your assets protected by a trust, you might be eating a lot of it next year. But I wouldn’t expect you to know this. Unless you have the habit of visiting US Government websites like congress.gov, or the press release site for the US Department of the Treasury. 

OK. I’m abusing my hyperbole permissions … a little. Truth is that most people still haven’t heard of the “Beneficial Ownership Information Reporting Rule and Beneficial Ownership Information Access and Safeguards Rule” (BOI). These are new rules imposed by the Financial Crimes Enforcement Network (FINCEN). You see, as it turns out, Congress “exceed[ed] the Constitution’s limits on [their] power” (AGAIN). Those aren’t my words, by the way. That’s a direct quote from the FINCEN website.

The rule we are now required to comply with (or suffer the consequences) is in connection with the Corporate Transparency Act. According to the US Government, “Corrupt actors frequently use opaque legal structures—such as shell companies—to hide and launder the proceeds of their crimes. In the U.S. anti-money laundering (AML) regime, the lack of timely access to adequate, accurate, and current beneficial ownership information has been identified as a gap.” And as you may have now guessed, you and I get to bridge that gap. They even kindly helped us by making it a felony if you fail to do your part. 

You might be thinking, there you go again, Tom, making your baseless accusations. But I’m just the reporter here. On the fincen.gov site, they provided a synopsis of a recent court ruling in Alabama that the US Congress exceeded their constitutional limits with this one.

“On March 1, 2024, in the case of National Small Business United v. Yellen, No. 5:22-cv-01448 (N.D. Ala.), a federal district court in the Northern District of Alabama, Northeastern Division, entered a final declaratory judgment, concluding that the Corporate Transparency Act exceeds the Constitution’s limits on Congress’s power and enjoining the Department of the Treasury and FinCEN from enforcing the Corporate Transparency Act against the plaintiffs.” 

The plaintiffs in this case are members of the National Small Business Association (NSBA). As a result of the court ruling, FINCEN will not require the members of the NSBA to file the BOI. The rest of us do. So, my question is, if it is unconstitutional for them, isn’t it also unconstitutional for the rest of us? In the suit, the plaintiffs allege that “the CTA’s disclosure requirements exceed Congress’s authority under Article I of the Constitution and violate the First, Fourth, Fifth, Ninth, and Tenth Amendments” (corpgov.law.harvard.edu).

Additionally, according to law.harvard.edu, “the court determined that the CTA is not authorized under Congress’s taxing powers because, although the collection of beneficial ownership information under the CTA can help the IRS with tax collection, simply being useful to tax collection is not sufficient to invoke tax powers.” There it is. This is really nothing more than an easier way for the IRS to decide whom to audit. After all, auditing must be efficient. Oh, and by the way, banks are already required to provide your business’s information to FINCEN, making this redundant.

There are many reasons a small business owner (including trustees of trusts) should be concerned. But from an information security perspective, this will be another mismanaged federal government database containing vital Personally Identifiable Information (PII). When it is stolen (and it will be, for sure), the threat actors will have your name, address, birthdate, driver’s license number, and the S-corp, LLC, or trust of which you are the owner. The consequences are dire enough that you need to have your attorney help you report. If you do it wrong, you will face fines of $500 per day and up to 2 years in jail. Congratulations. Another tax you never agreed to.

On the surface, having this information in the hands of a terrorist might not seem like a big deal to you. But think about it like this: if a threat actor can derive monetary value from your company, they use that to decide whether to target you for data theft. Then they use the information they steal from you to target you and your customers with scams. In the old days, the proportion of bad people who had physical access to you was incredibly small, so your world was pretty safe. The internet has created an artificially high concentration of the worst people on the planet with immediate access to you.

The United States is a representative Republic. We are the governing body. The three branches of government answer to us. But if we don’t push back, they don’t feel that. 

Airline And Emergency Services Halted Worldwide Thanks to A Simple Update 

On Friday morning, Karen came to work for Delta Airlines at 4:30AM like she always did to help the early bird travelers check in and catch their flights. When she booted up her computer, she saw something she had not seen in 20 years. It was the “Blue Screen of Death.” She asked a co-worker, and her computer was showing the same thing. What was she going to do with all those travelers who can’t check in? By 10:00AM EDT, Delta had cancelled more than 600 flights. By Saturday, July 20th, over 4,000 flights would be cancelled throughout the airline industry globally, leaving passengers stranded or dealing with hours of delay.

What happened? Shortly after midnight, CrowdStrike, a security software provider, pushed out a single content update to its 24,000 customers worldwide. It was a small update designed to stop new attacks hackers have been using. On installation, the configuration update triggered a logic error that resulted in the famous Blue Screen of Death. CrowdStrike could not just back out the patch; the customer computers were inoperable, and there is no automated way to back out the software. It required a “Safe Mode” boot, which requires someone to be physically next to the device and enter a set of keystrokes during boot. Only then could the bogus file be removed, allowing the computer to operate as normal.

The impact of this mistake was felt worldwide. Several states, including Arizona, experienced 911 service outages. By 3:00AM, the Federal Aviation Administration announced that all Delta, United, Allegiant, and American flights were grounded. Transportation services in the Northeast, including trains and buses, were experiencing delays. Global banks in Australia, South Africa, Israel, and New Zealand reported service disruptions. Hospitals in Germany and the UK were cancelling all non-urgent surgeries due to the event. Even locally, Maricopa County reported that their Dominion voting machines were malfunctioning due to the automatic update.

CrowdStrike is a leader in the cybersecurity space. Their Falcon Sensor product is an endpoint detection and response (EDR) tool. It is installed on each individual computer, where it looks for known malware and stops it from running. The company was founded in 2011. Some may recall that CrowdStrike was called in to investigate the alleged Democratic National Convention server hack in 2016. Since then, the small company has enjoyed tremendous growth and success. The company says its customers include 298 Fortune 500 companies, eight of the top 10 financial services firms, seven of the top 10 manufacturers, six of the top 10 healthcare providers and eight of the top 10 food and beverage companies. With this many big names, you can see why this failed Falcon Sensor update caused such a huge problem.

It is appalling that any company, much less a global leader like this, would automatically push out software it had not validated. There have been rumblings on the internet that this could have been done on purpose for some nefarious reason, but I disagree. CrowdStrike should have manually validated their software at the developer level, then again at an independent test and verification department level, and then again at a pilot customer site before pushing anything out to the world.

As for the customers caught up in this, we would not recommend immediate auto-updates for anything. While working in the industry, we regularly waited a day to test vendor updates and ran them through a suite of tests before releasing them to our customers. The fact that there was no control at the customer level made this event that much worse.
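The staged validation the two paragraphs above call for (developer, independent test, pilot customers, then everyone) can be expressed as a rollout gate: each ring must report healthy before the next ring receives the update, so a crashing update stops at the first ring instead of reaching every host. The Python below is an added example and is not CrowdStrike’s release process or anyone’s production code; the ring names, host counts, thresholds and the health-check interface are assumptions, and the telemetry is simulated.

```python
"""Ring-based rollout gate: a constructed example of staged update validation.

Not CrowdStrike's process. Ring names, sizes, thresholds and the
health_check interface are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass(frozen=True)
class Ring:
    name: str
    hosts: int
    min_healthy: float   # fraction of hosts that must report healthy before the next ring


# Each ring is independent of the previous one: the developers, a separate
# test group, a handful of consenting pilot customers, then the general fleet.
# The 24,000 figure in the column is customers; here it is used as a host count.
RINGS: Sequence[Ring] = (
    Ring("developer", 10, 1.0),
    Ring("independent-test", 50, 1.0),
    Ring("pilot-customers", 500, 0.999),
    Ring("general", 24_000, 0.995),
)


def roll_out(update_id: str, rings: Sequence[Ring],
             health_check: Callable[[str, Ring], int]) -> dict:
    """Push the update one ring at a time, stopping at the first gate that fails.

    health_check returns how many hosts in the ring still report healthy
    (booted, sensor talking to the console) after receiving the update.
    """
    result = {"update": update_id, "rings_reached": [], "halted_at": None, "hosts_affected": 0}
    for ring in rings:
        healthy = health_check(update_id, ring)
        result["rings_reached"].append(ring.name)
        result["hosts_affected"] += ring.hosts - healthy
        if healthy < ring.min_healthy * ring.hosts:
            result["halted_at"] = ring.name   # nothing past this ring ever sees the update
            break
    return result


def simulated_health(update_id: str, ring: Ring) -> int:
    """Constructed telemetry: one update crashes every host it reaches, the other is clean."""
    return 0 if update_id == "content-bad" else ring.hosts


def blast_radius_without_rings(rings: Sequence[Ring]) -> int:
    """Hosts a crashing update would hit if pushed to everyone at once."""
    return sum(r.hosts for r in rings)


if __name__ == "__main__":
    print(roll_out("content-bad", RINGS, simulated_health))
    print(roll_out("content-good", RINGS, simulated_health))
    print("unstaged blast radius:", blast_radius_without_rings(RINGS))
```

With the simulated crashing update the rollout halts at the developer ring after 10 hosts, against 24,560 hosts for an unstaged push; the customer-side delay the column describes is the same idea applied one more time, with the customer’s own test suite acting as the last gate.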

This event shows us the need for every business to have disaster recovery and contingency plans. Whether it’s due to cyberattacks, technical issues, or natural disasters, having an effective plan is crucial for maintaining business continuity and minimizing downtime. 

In a world where we are increasingly dependent on computers for our businesses to function, be ready to run the old school way as a backup – just in case.    

The original article was published in the Sierra Vista Herald and can be found here.

MK-Ultra and the Patriot Act: A Privacy Dilemma

MK-ULTRA. It was a “classified covert mind-control and chemical interrogation research program, run by the Office of Scientific Intelligence”. It began in the early 1950s. The Central Intelligence Agency (CIA) insists it has been shut down. But a 14-year veteran of the CIA, Victor Marchetti, has stated in many interviews that the claim is a “cover story.” The program is likely still in operation.

From the CIA’s own website we read that the CIA is “prepared to accomplish what others cannot accomplish and go where others cannot go” and that they are “the Nation’s eyes, ears, and sometimes, its hidden hand”.

Since they are the self-declared extra-legal arm of the US government, and from their history the extra-ethical arm of the country, we may deduce there are many activities conducted by the Agency we simply cannot see. Yet.

In a redacted Memorandum for the Record dated June 9, 1953 Director Gottlieb penned these words about MK-ULTRA, “The estimated budget of the project at XXXXXX is $39,500.00. The XXXXXX will serve as a cut-out and cover for this project and will furnish the above funds to the XXXXX as a philanthropic grant for medical research. A service charge of $790.00 (2% of the estimated budget) is to be paid to the XXXXXX for this service.”

The direct quotations printed above are from the CIA Freedom of Information Act (FOIA) page on their website. Therefore, I’m not making any unsubstantiated claims. I’m just the messenger for their own message. From this point forward I will be making wild unsubstantiated claims and speculate like an unrestrained adolescent.

MK-ULTRA isn’t the only CIA program to use US citizens for experimentation. It’s just the one we used for this article. But since smoke indicates fire, maybe we should feel free to speculate. Which leads me to the technical portion of this article.

Most people treat the details of their personal life on the World Wide Web very carelessly. People who (in person) are very guarded and suspicious, disclose the most sensitive information about themselves on Facebook, or in an email. Which, by the way, are both unencrypted and easily accessible by anyone.

Most people use Gmail and Google Docs – the free one. They are under the mistaken impression that since they have it protected with a password, only they have access to it. They forget that Google also has access to it. And through the PATRIOT ACT, so does any arm of the Federal Government, or law enforcement; even without a warrant. The Big Tech companies like Google, Microsoft, Apple et al. provide wonderful free cloud-based services like email, word processor, spreadsheets, etc. We fail to understand the scope of the reach tech companies have into our lives.

You may think, “but I am a law-abiding citizen. I have nothing to worry about.” The truth is, you are only partially correct. In his blog, Moxie Marlinspike, the creator of the encryption tool Signal, said the following, “Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed.” Our entire culture has evolved when a critical mass of citizens pushed back against laws we collectively decided were outdated or just plain wrong. That couldn’t have happened in a world where even a whiff of social disobedience is detectable.

This may sound a little like the movie “Minority Report”. If law enforcement could peer into the digital lives of us all, would they possibly use artificial intelligence to prognosticate whether someone was contemplating a crime? Would there be a law to punish such a person? Furthermore, have you ever made a comment that might be construed as terrorist leaning? I bet you have but you didn’t know.

Truth be told, maybe we all have lives that we should have the power to keep private. Even from the CIA.

This article was originally published here.

One Click That Shut Down 15,000 Businesses, the CDK Hack

What started out as a peaceful shift for one of the country’s largest Auto Dealer Software-as-a-Service vendors turned into a nightmare. By 2:00AM, the security team determined that they needed to shut down two of their data centers to stop the ransomware from spreading.

The vendor is CDK Global, and they provide software services for over 15,000 car dealerships nationwide. They provide a platform that handles all aspects of an auto dealership’s operation, including customer relationship management, financing, payroll, support and service, inventory, and back-office operations. On June 19th, CDK announced there was a cyber incident they were investigating, and services were not available. They started restoring service later in the day, but then they had a second cyber incident which caused them to take the systems offline again.

What makes the problem more complicated is that their clients are always connected to their network through an “always-on” VPN. This provides a tunnel from the client to the data centers. Normally that would be a good thing, but in this case, the always-on VPN just extended a network that was poisoned by ransomware. They recommended that the clients disconnect so that the hacker could not “pivot” from the CDK network to the client dealership network. What was even more critical was that the CDK software had administrative privilege on the client systems to do software updates. Hacking that software would give the attackers admin access to the local computers. Thankfully, no clients reported any contagion.

This attack caused widespread disruption at car dealerships, which lost the ability to track and order car parts, conduct new sales, and offer financing. Some dealerships shut down completely, while others reverted to the tried-and-true method of pen and paper assisted by spreadsheets. CDK is projecting to have all their clients fully operational by July 4th. However, the damage has been done. The disruption is estimated to cost CDK and the dealerships $944M.

The attacker is purported to be a hacking group identified as BlackSuit, which, although it only started a couple of years ago, has been responsible for over 95 breaches across the globe. They are known for using a technique called “double extortion.” During the breach, they upload the victim’s data to their server before encrypting (locking) the data on the client system. They request a ransom for the key to unlock the data, allowing the victim to continue operations. Additionally, they threaten to release the data on the dark web if the victim does not pay a second ransom.

This breach may have been avoided if CDK fully implemented Zero-Trust methods.  In a Zero-Trust environment, it is assumed hackers are on the network and only trusted applications can run.  Application whitelisting would have stopped this attack in its tracks.  Whitelisting allows only those known trusted applications to run on the network.  Any new application, like ransomware, would not be allowed to run. 

The attack also highlighted the importance of being prepared for anything. All businesses should have a Contingency Operations Plan written and validated prior to any incident or emergency. Those dealerships that had adapted their processes to run without a computer could continue to sell and service vehicles. Those that did not have a plan suffered.

The ray of sunshine in this otherwise dreary incident was that our local dealerships were unaffected by the attack. All the dealerships from Sierra Vista to Tucson escaped this disaster as they do not use the CDK service for their management.  

For CDK, one improper click cost them and their clients a billion dollars. Implementing Zero-Trust concepts and employing continuous cybersecurity training would have been a much more cost-effective solution. The problem is many companies don’t really understand that until it is too late.

The original article was published in the Sierra Vista Herald here.

How Bilbo Baggins Almost Hacked Your Email 

In the story created by J.R.R. Tolkien, “The Hobbit”, little Bilbo Baggins was just a hobbit. But he became a burglar. No one suspected that this little Shireling was capable of such great feats. Although he did have great feet. The least suspecting of all was the dragon Smaug. Smaug had a great treasure. You see, dragons love gold. It turns out they love gold even more than dwarves.

But Bilbo was not after the gold. He was after something much more precious. The Arkenstone.  With his special ring, Bilbo became the first hobbit burglar.  

The next part of the story you are about to read is true. The names have been withheld to protect the victims. 

I received a phone call recently from a client who had a concern about an email. In this case it was an email sent from their own account rather than the typical phishing email one would receive. The email was requesting an ACH wire transfer from my client. My client, I was informed, did not use ACH transfers. How could that be?  This request was coming from their legitimate email account. What happened? 

All the evidence points to a compromised email account. The burglar had created a rule in the account that moved very specific sent emails to a folder called RSS Feeds. This folder is almost always added by default to your Outlook client. It’s a folder almost no one uses, and even fewer users look at it. Certain emails were redirected to the RSS folder so that the legitimate user had no knowledge the exchange existed. However, it was very easy for the threat actors to simply monitor this folder. As soon as a targeted message appeared, the burglars crafted a follow-on email requesting the ACH transfer. The legitimate email was simply asking if an invoice was payable, and the burglar asked for a transfer of funds to his account.
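A defender’s first check after a report like this is to enumerate every mailbox rule in the organization and flag the ones that hide or divert mail. The Python below is an added example, not code from the column or from any vendor: it runs over a constructed list of rule records whose field names (owner, name, conditions, actions) are assumptions standing in for an administrator’s rule export, and flags rules that move mail into rarely viewed folders such as RSS Feeds, delete it or mark it read, forward it outside the organization, or carry the empty or single-character names that are a common sign of tampering. A payment keyword in the condition is only reported when the rule also hides mail, since people legitimately file invoices into folders.

```python
"""Flag mailbox rules that hide or divert mail, as in the account takeover above.

Constructed example, not from the original column. The rule records are a
simplified stand-in for an Exchange/Outlook rule export; the field names
(owner, name, conditions, actions) are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Folders users rarely open, so mail parked there goes unnoticed.
HIDEOUT_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive"}
# Subject keywords that show a rule is aimed at payment traffic.
FINANCE_KEYWORDS = {"invoice", "payable", "payment", "ach", "wire", "remittance"}


@dataclass
class MailboxRule:
    owner: str                                       # mailbox the rule lives in
    name: str
    conditions: dict = field(default_factory=dict)   # e.g. {"subject_contains": ["invoice"]}
    actions: dict = field(default_factory=dict)      # e.g. {"move_to": "RSS Feeds"}


def rule_findings(rule: MailboxRule, internal_domain: str) -> list[str]:
    """Return human-readable reasons this rule looks like account-takeover tradecraft."""
    reasons: list[str] = []
    move_to = str(rule.actions.get("move_to", ""))
    if move_to.strip().lower() in HIDEOUT_FOLDERS:
        reasons.append(f"moves matching mail into rarely viewed folder '{move_to}'")
    if rule.actions.get("delete"):
        reasons.append("deletes matching mail")
    if rule.actions.get("mark_read"):
        reasons.append("marks matching mail as read")
    for addr in rule.actions.get("forward_to", []):
        if not addr.lower().endswith("@" + internal_domain.lower()):
            reasons.append(f"forwards mail outside the organisation to {addr}")
    if rule.name.strip() in {"", ".", ",", "..", "-"}:
        reasons.append("rule has an empty or single-character name")
    # A finance keyword alone is normal (people file invoices); it only
    # matters when combined with one of the hiding behaviours above.
    keywords = {k.lower() for k in rule.conditions.get("subject_contains", [])}
    finance_hits = sorted(keywords & FINANCE_KEYWORDS)
    if finance_hits and reasons:
        reasons.append("targets payment-related subjects: " + ", ".join(finance_hits))
    return reasons


def audit_rules(rules: list[MailboxRule], internal_domain: str) -> dict:
    """Return {owner: {rule name: [reasons]}} for every rule that triggers."""
    report: dict = {}
    for rule in rules:
        reasons = rule_findings(rule, internal_domain)
        if reasons:
            report.setdefault(rule.owner, {})[rule.name] = reasons
    return report


# Constructed sample export (not real mailbox data): one rule of the kind in
# the column, one legitimate filing rule, and one external auto-forward.
SAMPLE_RULES = [
    MailboxRule("ap@example.com", ".",
                {"subject_contains": ["invoice", "payable"]},
                {"move_to": "RSS Feeds", "mark_read": True}),
    MailboxRule("ap@example.com", "Newsletters",
                {"from_contains": ["news@"]},
                {"move_to": "Newsletters"}),
    MailboxRule("cfo@example.com", "Backup copy",
                {},
                {"forward_to": ["cfo.backup@mail-example.net"]}),
]

if __name__ == "__main__":
    for owner, rules in audit_rules(SAMPLE_RULES, "example.com").items():
        for name, reasons in rules.items():
            print(f"{owner}: rule {name!r}: " + "; ".join(reasons))
```

Running it over the sample flags the “.” rule for three hiding behaviours plus its invoice targeting, flags the CFO’s external forward, and leaves the Newsletters rule alone. Reviewing these findings alongside a password reset and MFA enrolment is what closes the incident; resetting the password alone leaves the attacker’s rule in place.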

Fortunately, this story has a happy ending. Thanks to the diligence of a very astute employee, this discrepancy was caught and the theft was blocked. The resolution to this almost tragic episode was quite simple. Change the password to the email account.  Make the password long and enable multi-factor authentication. Never re-use passwords.  This is like putting a dragon at the gate.  

Unlike Smaug, you don’t have an Arkenstone. But what you may not have thought about is your email. It is often the gateway to your gold. You must be as vigilant with it as if it were gold itself. You may want to consider having two email accounts. One account is for your entertainment, and a separate one is used to access and manage your financial accounts. And the latter? Protect that one with a dragon as if it were the Arkenstone itself.  

This article was originally published in the Sierra Vista Herald here.

Ransomware Shuts Down Municipalities; How To Protect Our Cities

On June 9, 2024, the city of Cleveland, Ohio, uncovered a “cyber incident” which was later determined to be a ransomware attack. Since the attack, city hall has been closed to the public for over a week. Citizen-facing services have been offline as well. To contain the damage of the ransomware, the city shut down the affected systems until they could restore them safely. On a positive note, emergency services, public works, utilities and healthcare were not impacted.

Details about the attack have been kept close hold as the investigation continues. Some employees were allowed back to work on the 12th, but many issues remained. They could not process building permits or birth/death certificates. After over a week, the mayor’s office still has not disclosed what information was exposed. The city did say that they were not negotiating with the hackers and will not pay the ransom.

This is not the first major city in the U.S. to get hit with ransomware.  In 2019, the city of Baltimore, MD was hit with a devastating attack that crippled their municipal services for weeks.  The cleanup cost the city over $18M.  In May of 2023, Dallas, TX was hit with ransomware that disrupted the city’s 911 emergency services. New Orleans, Knoxville, and Las Vegas also have joined the Ransomware Victim Club. 

Don’t think that this only happens in faraway places in different states.  The city of Kingman, AZ experienced a significant cyberattack where the city’s computer system was compromised.  The breach included social security and driver’s license numbers mostly affecting employees. 

There are several reasons why hackers target city governments.  For one, cities have valuable data.  This includes sensitive information such as personal records and financial data.  Secondly, hackers assume that municipalities are a soft target.  Municipalities often lack the necessary funding and skilled personnel to address technology challenges.  Often the IT infrastructure is outdated, making them vulnerable to attack.  Lastly, municipalities provide critical services.  Hackers think that if they take down critical services, the city will gladly pay the ransom.  

Many of these municipalities had cybersecurity services which monitored their systems. So, how did the hacker install the ransomware? The weakness of monitoring alone is that the hacker must already be active inside the network before the threat can be identified, and sometimes that is too late. New malware (a zero-day attack) is not in the antivirus databases and is not automatically stopped.

The solution to this problem is “application whitelisting” or “application allow listing.” With this method only applications which have been validated previously can run on the computer. Even if an employee clicked a malicious link, when the software tried to run on the local system, it would fail. It is not on the allow list. This implementation adds upfront friction: users cannot load anything they want whenever they want. They submit a request for their new software to be put on the allow list. The cybersecurity personnel validate the software in their testing environment, looking for unusual behavior. If it checks out, the software is approved for use.
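The allow-listing mechanism described here, and earlier in the CDK column, comes down to one rule: identify each program by the hash of its bytes, run it only if that hash has been approved by security staff, and route everything else to a request queue. The Python below is an added example of that flow; it is not the code of any product or city named in these columns, and the byte images, file names and labels are constructed. It shows why the identity must be the content hash: a renamed dropper and a one-byte-patched copy of an approved tool are both denied even though both are called payroll.exe.

```python
"""Hash-based application allow listing: a constructed example of the mechanism
described above. Not code from any product or municipality in the column;
labels, file names and byte images are made up for the illustration."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class AllowList:
    approved: dict = field(default_factory=dict)   # sha256 hex -> label given by security staff
    pending: list = field(default_factory=list)    # requests awaiting validation in the test lab
    denied: list = field(default_factory=list)     # (file name, sha256) of blocked launches

    @staticmethod
    def fingerprint(image: bytes) -> str:
        # Identity is the content hash, never the file name, so a renamed or
        # patched binary does not inherit approval.
        return hashlib.sha256(image).hexdigest()

    def request(self, image: bytes, name: str, requester: str) -> str:
        """A user asks for new software; nothing runs until staff approve it."""
        digest = self.fingerprint(image)
        if digest not in self.approved and all(p["sha256"] != digest for p in self.pending):
            self.pending.append({"sha256": digest, "name": name, "requester": requester})
        return digest

    def approve(self, image: bytes, label: str) -> str:
        """Security staff approve after the software behaves normally in the test environment."""
        digest = self.fingerprint(image)
        self.approved[digest] = label
        self.pending = [p for p in self.pending if p["sha256"] != digest]
        return digest

    def decide(self, image: bytes, name: str) -> str:
        """Enforcement point: 'allow' only for a known-good hash, otherwise 'deny' and log it."""
        digest = self.fingerprint(image)
        if digest in self.approved:
            return "allow"
        self.denied.append((name, digest))
        return "deny"


def demo() -> dict:
    """Walk the approve / request / deny flow on constructed byte images."""
    payroll = b"MZ...payroll-tool-v3"             # stand-in for an approved executable
    tampered = payroll[:-1] + b"4"                # the same program with one byte changed
    dropper = b"MZ...encrypts-everything"         # stand-in for ransomware, renamed to look legitimate
    al = AllowList()
    al.approve(payroll, "Payroll v3")
    al.request(b"MZ...cad-viewer", "cadviewer.exe", "permits@example.gov")
    return {
        "payroll": al.decide(payroll, "payroll.exe"),
        "tampered": al.decide(tampered, "payroll.exe"),
        "renamed_dropper": al.decide(dropper, "payroll.exe"),
        "pending": [p["name"] for p in al.pending],
        "denied_count": len(al.denied),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The denied log is as valuable as the block itself: a burst of denials for an unfamiliar hash on many machines is the early signal that something got past the phishing filter, and the pending queue is the friction the column describes, made visible to the people who clear it.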

Another cybersecurity aspect which is often neglected by municipalities is continuous cybersecurity training. The one-time annual cyber classes are not effective. However, if the training is kept short, about three minutes per week, every week, delivered to users’ inboxes, the results are exponentially better. Cybersecurity stays top of mind.

The lesson to be learned is that every government municipality is a target, not just big cities.  The data is valuable to hackers.  If they can take down emergency services, the hackers expect a fast payment.  Does your local government have the proper cybersecurity measures in place, such as application whitelisting and continuous training, to avoid the disaster that Cleveland is experiencing?

The original article was published in the Sierra Vista Herald and can be found here.

The Rising Importance of Cybersecurity in Our Digital Age

Tom and Dan were camping deep in the woods one night when Dan ran into the tent and said, “There’s a bear attacking our site, we have to go!” Tom was confused when Dan stopped to put his shoes on. Tom said, “What are you doing that for? You can’t outrun a bear.” Dan said, “I don’t have to outrun a bear, just you.” That’s how it is in the cyber world. In general, hackers are lazy. If it’s too hard, they move along to an easier target.

Cybersecurity is crucial to our very survival. As technology continues to advance, so too do the threats that lurk in the deep recesses of the World Wide Web. From individuals to businesses and governments, everyone is a potential target for cybercriminals who seek to exploit vulnerabilities for their gain. 

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes. The internet is ubiquitous. The proliferation of connected devices means the scope and scale of these attacks have grown exponentially. Cybersecurity is no longer a concern solely for large corporations or government agencies. It is a critical issue for individuals and small businesses as well.

One of the most common types of cyberattacks is phishing. Phishing attacks involve sending fraudulent emails that appear to come from reputable sources, tricking recipients into revealing sensitive information like passwords or credit card numbers. Another prevalent threat is ransomware. It is a type of malware that encrypts a victim’s files and demands a ransom payment to restore access. Ransomware can have devastating consequences, leading to financial losses, reputational damage, and operational disruptions.

The increasing frequency and sophistication of cyberattacks highlight the need for robust cybersecurity measures. You must be vigilant about protecting your personal information online. Simple steps such as using strong, unique passwords for different accounts, enabling two-factor authentication, using an adblocker on all your browsers, and being cautious about clicking on links or downloading attachments from unknown sources can go a long way in preventing cyberattacks.

For businesses, cybersecurity must be a top priority. It is no longer a cost center. It is a revenue guarantee. Businesses need to implement comprehensive security policies, conduct regular security assessments, and provide continuous cyber education for employees. Small businesses are particularly vulnerable. They often lack the resources and expertise to defend against cyber threats. They can take advantage of various tools and services designed to enhance their cybersecurity posture. For instance, investing in a zero-trust provider can help protect sensitive data and prevent unauthorized access.

Businesses should develop and practice an incident response (IR) plan to quickly address and mitigate the impact of a cyberattack. The IR plan outlines steps taken in the event of a security incident, including notifying affected parties, containing the threat, and restoring normal operations. By being proactive and prepared, businesses can minimize the damage caused by cyber incidents and recover more swiftly.

Cybersecurity is an essential component of our digital world. As cyber threats continue to evolve, it is imperative for individuals and businesses to take proactive measures to protect themselves. By staying informed and implementing robust security practices, we can collectively enhance our resilience against cyberattacks and safeguard our digital future. The key to success is to make yourself a hard target so that the bear goes after the easy prey instead of you. 

The original article was published in the Sierra Vista Herald and can be found here.

The Saga of Joe Public, A Social Media and Email Tragedy

This is a story about Joe. Joe could be any one of us. During the day he is a nose-to-the-grindstone, focused, and hardworking employee. After work, however, he is careless and free, enjoying all that social media has to offer: posting photos, catching up with friends, reading the links his friends on social media post, and yes, he does enjoy the occasional cat video. He is active on his email account too.

Unfortunately, Joe is not really keen on cybersecurity hygiene. He clicks on any link he gets via email or social media without checking the URL first. He makes his life easy by using the same password for all his different accounts. Two-factor authentication is too much work, and why would he need it anyway? Nobody would hack a regular guy. Since he is so friendly, his social media account is open to the public, so everyone knows everything about him: what he had for his birthday dinner last night; where he was born; his mother’s maiden name; and even the name of his first pet.

Although Joe seems to be the life of the party when it comes to social media, Joe was not ready for the party crasher. After work, as Joe was ready to relax and catch up on some email, he discovered he could not log in – password failed. That’s strange. He had not changed the password to his email account. Ever. So, he decided to check his Facebook account to see if anyone else was having trouble with their email provider. And what do you think happened to his Facebook account? He was locked out of Facebook too. As he sat back to ponder what was happening, a friend from high school called. His friend asked why he was sending out emails pretending to be a Nigerian prince looking for money. He also noticed that Joe had started posting advertisements on social media for the Pink Princess Palace. That’s when Joe figured out that he had been hacked! How could this have happened to him?

The hacker could have come in from many different attack vectors. After checking the website, https://haveibeenpwned, Joe noticed that his username and password were compromised in 17 different breaches. Since he used the same username and password for every site, it was easy for the hacker to take over his email and social media. Also, the hacker could have just used Joe’s username combined with all the information on Joe’s Facebook profile to answer the typical “security” questions many web applications use for password resets. 

What does Joe do now to get back into his accounts and secure them? First, he should get in touch with his email and social media providers to let them know what happened and to regain access to the accounts. This could even involve sending Facebook a copy of his driver’s license to prove his identity. He will need to change his password to a nice long passphrase – 16+ characters. He will also need to change his password on all his other accounts because the password has been compromised. Next, he should set up two-factor authentication for all email and social media, and any other account he doesn’t want breached (like his bank and investment accounts). Two-factor authentication involves having the web service send a text with a one-time code. Even better, Joe would use a third-party application like Duo or Microsoft Authenticator.

To do this on your Facebook account for example, you need to login to your account. Click the arrow icon in the top-right corner and select “Settings & Privacy” and click “Settings.” In the left-hand navigation bar, choose “Security and Login.” Scroll down to the “Two-Factor Authentication” section and click “Edit” next to “Use two-factor authentication.” Follow the instructions from there based on the way you choose to receive your notifications. All email and social media apps have this option. 

Now that Joe has so many usernames and passwords to remember, he decided to use a password manager to help him out so that he only needs to remember one long password. He downloaded Bitwarden to his computer and added the Bitwarden extension to all his browsers so that he has his secure passwords wherever he goes. 

Joe is so excited about securing his email and social media that he tells his brother, John Q, and the rest of his friends so that they don’t have to go through similar torture. Joe has since become the lead blogger for the Cybersecurity Evangelist.

This article was originally published in the Sierra Vista Herald and can be found here.

Bob’s Social Security Tale: Is Yours Safe? 

Social Security benefits are a lifeline for many retired Americans, providing essential income for daily needs and a comfortable retirement. The sad part is that it’s relatively easy to redirect your checks to a threat actor’s bank account. It really is a growing concern. Understanding how this can happen and how to protect yourself is crucial. 

Bob (names have been changed to protect the victim) is a retiree in his seventies who had always been diligent about protecting his personal information. He kept his Social Security number safe and was cautious about sharing his personal details. He realized something was wrong when, for the second month in a row, his Social Security check hadn’t been deposited. The gnawing in his stomach was overwhelming. He contacted his bank and the Social Security Administration (SSA) and discovered his benefits had been redirected to an unknown bank account. Bob was the victim of a scam. 

Bob’s situation is, unfortunately, not uncommon. Scammers often use phone calls, emails, or even postal mail to impersonate SSA officials. They may ask for personal information, claiming there is an issue with your account or that you need to verify details to continue receiving benefits. Once they have your information, they can use it to change the bank account where your benefits are deposited. 

There are steps you can take to reduce both the likelihood and the impact of this type of scam. First, guard your personal information as if it were a pot of gold, because it is. Never share your Social Security number, bank account details, or other personal information over the phone, by email, or online. One way to survive a phishing attempt is to contact the bank or other financial organization using a number you have called before, one you know for sure is the correct number, rather than any number supplied in the message.

Second, remember, the SSA will never call you and ask for personal information. If you receive a suspicious call, hang up immediately without uttering a word. Occasionally the scammer will ask questions designed to get you to say the word “yes”. Then they will manipulate the audio of the call and use it nefariously.

Third, regularly check your bank account and Social Security statements for any unusual activity. If you notice anything suspicious, report it immediately. 

Fourth, if you have created an online account at https://www.ssa.gov/myaccount, enable multifactor authentication to secure your benefits. Also, make sure the password you use there isn’t used anywhere else, not even a variation of it. Every website you use to manage your money should be secured with the strongest password the app allows, and with multifactor authentication enabled. 

Lastly, if you believe you are a victim of identity theft or fraud, contact the SSA and your bank immediately to report the issue and take steps to secure your accounts.

Bob’s story is a cautionary tale. It is a reminder to be vigilant and to trust no one. These simple steps will not guarantee you will never be a victim, but they WILL contribute to a more secure future. 

Any communication, regardless of the form, that causes you to feel an emotional response (urgency, catastrophe, or promise of punishment or reward) is most likely tied to a scam in some way. So, talk to someone you trust face-to-face. This can help calm you down and ensure you take careful methodical measures to resolve an issue.

Beware: Phishing Attacks Enter the Deepfake Era 

Bob’s boss was asking for something really weird. A wire transfer this big had never been done. In all the years Bob had worked for Alice, she had never asked for a transfer of this magnitude. But there she was in the Zoom meeting, in the flesh (well, digital flesh anyway). How was Bob to know that wasn’t really Alice? 

In the digital dimension, threats to our lives aren’t always the mortal kind. They also lurk behind screens, ready to exploit our human weaknesses. Those are the ones we too often overlook. While phishing attacks are nothing new, they have evolved. Welcome to the deepfake world. Oh, is that word new to you? Well, buckle up. You need to learn it… and fast. A deepfake is a video or audio recording of yourself or someone you know, created by artificial intelligence (AI) out of pieces of other audio or video. With deepfake voice and video capabilities, cybercriminals can now mimic your trusted contacts (like your boss) and authority figures (like your spouse) with alarming accuracy, aiming to deceive and manipulate you. If you use the internet for banking or email, you are a target. You need to understand the risks and take precautionary measures to safeguard your online identity and personal information. 

Deepfake technology uses AI to combine audio and video recordings, seamlessly grafting a person’s likeness onto another’s voice or image. This tool, once restricted to Mission Impossible, is real. And it has been weaponized by cybercriminals seeking to exploit your trust in familiar voices and faces. 

Imagine receiving a phone call. On the other end someone is demanding you confirm sensitive account information. The voice on the other end sounds EXACTLY like your boss, complete with the cadence and intonation you’ve come to recognize. Or perhaps you receive an email from your biggest client requesting urgent wire transfers, accompanied by a convincing video message imploring immediate action. In both scenarios, the other person isn’t a person at all. It’s an AI impostor, leveraging deepfake technology to deceive and manipulate you. 

The consequences of falling victim to a deepfake phishing attack can be dire – from financial fraud and identity theft to reputation damage and compromised personal data. The ramifications are deep. Being deceived by someone you trust, even if it was a fake someone, creates a psychological fissure that erodes your confidence in digital communications and exacerbates feelings of vulnerability and distrust. 

The threat posed by deepfake phishing attacks is unsettling. But there are proactive steps you can take to mitigate risks and bolster your defenses. 

Verify Identities: Before responding to any requests for sensitive information or financial transactions, independently verify the identity of the sender through alternative channels. Contact your bank or employer directly by phone using a number you know to be good to confirm the legitimacy of any requests. 

Exercise Caution: Whenever you receive unsolicited emails, phone calls, or messages treat them with profound skepticism. This is especially true if they contain urgent or unusual requests. Scrutinize the content for inconsistencies or irregularities. It may indicate a phishing attempt. 

Stay Informed: Find someone you trust to keep you informed about emerging cybersecurity threats and trends, including advancements in deepfake technology. Educate yourself and your loved ones about the risks posed by phishing attacks.  

Use Multi-Factor Authentication: Implement multi-factor authentication wherever possible to add an extra layer of security to your online accounts. This additional step can help thwart unauthorized access, even if your credentials are compromised. 

Report Suspicious Activity: If you encounter a suspected deepfake phishing attempt, report it to the relevant authorities, such as your IT department, cybersecurity agency, or the Federal Trade Commission. 

The emergence of deepfake technology underscores the evolving nature of cyber threats and the importance of proactive cybersecurity measures. By remaining vigilant, verifying identities, and staying informed, you can safeguard yourself against the perils of deepfake phishing attacks. Together, we can navigate the digital landscape with resilience and confidence, thwarting cybercriminals at every turn. 

The original article was published in the Sierra Vista Herald and can be found here.