November 29, 2013

Online Shopping Security Tips

Online shopping is convenient,
but comes with its own threats.
Practice safe online shopping.
The online retail market is a growing trend. You can't ignore the convenience of shopping in your pajamas in the comfort of your own home,  plus shopping when you want instead of during store hours. You can begin to understand the appeal from a shopper's standpoint. From a business standpoint, businesses can sell products 24/7 with out having to run staff around the clock, and can sell to geographically different areas from one location.

With the official holiday shopping season having a day called "Cyber Monday," it seems like this market will only continue to increase.  Forbes predicts that the 2013 online holiday sales will increase at a double-digit pace to pull in over $78 billion. If there is a money involved and a large number of people, you can believe you will find cyber-crooks nearby.

Below are some online shopping tips to keep you safe and cyber-crooks at bay.
  • Conduct independent research on sellers. You can check them out at the Better Business Bureau site. If possible, read reviews by previous buyers to learn how they rate their experience. 

  • Use a computer instead of smartphone. Computers have antivirus, spam filters, firewalls, and other software to provide layers of security and alert you to risky sites. The majority of smartphones are lacking this capability leaving you more vulnerable. 

  • Keep your anti-virus and spam filter updated. Companies routinely issue updates to address software vulnerabilities that are exploitable by hackers. Some anti-virus have an Internet add on that alerts you to the safety of the website. While this slows down Internet searches, it is minor and provides a big security pay-off.

  • Google (as in the verb, not the noun) web address instead of typing in the address bar. Scammers often set up fake sites using similar names or common misspellings of legitimate business sites. 

  • Use secure sites. The "https://" or a closed yellow padlock displayed at the bottom of the screen are your clues.

  • Use credit instead of debit cards. The federal Fair Credit Billing Act provides you more protection if you use your credit card instead of your debit card. Additionally, the debit card is directly tied to your bank account, so you're giving potential cyber thieves direct access to your account. I also recommend you designate a credit card with a low credit limit to be used only for online shopping, which will reduce your personal risk should the card accidentally become compromised. 

  • Change passwords. Online businesses like Amazon store your credit card and mailing information in your online account. Ensure you change the passwords to these accounts frequently (i.e. every 90 days), and make them rather complex. Read our The commonly common password to learn our password tips.

  • Protect your personal information. Pay attention to the privacy notice to see how the site would use the information you provide. If it is missing, that is your red flag that the site would use your information for other reasons, and you should have second thoughts about doing business with them.

  • Don't fall for high-pressure tactics. Scammers are notorious for using high pressure sale tactics, such as a "limited time only," "only a few in stock," or "buy now." Some legitimate businesses may use this too, but remember it is your money, you're in control, and it is okay to walk away if it is not something you need. If the deal is too good to be true, it probably is. 

  • Check your credit card statements. While it may be painful to look at how much you spent, checking your statement is important to spot fraudulent charges early.

Junker, N. (27 November 2013). So many shoes, so little security: Your guide to Cyber Monday. Identity Theft Resource Center (ITRC). Retrieved from
Mulpuru, S. (25 November 2013). US online holiday retail sales to reach $78.7B. Forbes. Retrieved from

Tresbesch, L. (27 November 2013). Top 8 tips for holiday shopping online (part II). Better Business Bureau. Retrieved from 
Vancouver Island Better Business Bureau (26 November 2013). BBB offers advice to Black Friday and Cyber Monday shoppers.  Retrieved from 
Enhanced by Zemanta

Security Posters Library

Security Checks Matter decided to gather up the digital security poster collection and offer it as a new feature, Security Poster Library. I added some of the old, cheesy ones for nostalgic purposes, but we have many spanning different decades (going back to WWII) and disciplines (i.e. OPSEC, Cyber, Anti-terrorism).  Periodically, I'll update with new posters and details, so the library continue to expand. Below are some samples you can find in our library that contains over 200 security posters... and counting!

OPSEC Batman

The Dynamic Duo of Batman and Robin come together for an OPSEC poster to remind people not to talk about sensitive information outside of secure include car pools.

This poster is a product of its time period when big ol' USSR was the USA's main enemy. This could be slightly modified to show that Mother Russia Bear is no longer hibernating.

When traveling, try to blend into your surroundings and don't paint yourself as a target of opportunity. The poster shows an array of organization t-shirts and paraphernalia from the USA's Intelligence Community.

A security poster using the villains from the classic cartoon, "Rocky and Bullwinkle," to highlight the continual existence of foreign intelligence services.

Clearly a poster from the 80s using the commercial sensation The California Raisins. If plan on using this one, you may need to explain it to the younger ones in your audience.

An adversary could piece together little bits of information to get the big picture. OPSEC practices protect those nuggets of information.
A vintage WWII style reminder to not discuss sensitive information outside of approved areas.
Enhanced by Zemanta

November 27, 2013

Spam Can: Phishing Basic

Searching through my email's spam folder, I came across another phishing email (I know, a big surprise) that looks similar to the one featured in our "Spam Can: Uncreative Phishing" post. The body of the email lacked any type of real message, and only contained a hyperlink. I suspect the phishers are expecting curiosity to get the best of people to entice them to click as they resort to a minimalist phishing approach. This is a very basic phishing attempt.
Hovering my mouse over the hyperlink shows that I would be directed to a site of a children soccer team in France. While a  site about a children soccer team is rather innocuous, it really has little to do with the main focus of the email, Levitra (an erectile dysfunction drug).  

Simplistic phishing attempt
Reviewing the email's full header showed that the email really came from the address pills_support_online1@***.com and not the "adminsaleshopss3" email address displayed in the default view. It's not uncommon for scammers to spoof email addresses to have the email appear as it came from a trusted site to lull the receiver into a false since of security. Upon further review of the email's full header, the IP address that sent the email is Doing a quick IP search shows that the IP address is registered in India.

Phishing, Spam originator

November 24, 2013

Spam Can: Uncreative Phishing

Every once in a while, I like to go through my email's spam folder; what I often refer to as the "Spam Can." I like to see the items that get caught up in my spam filter. This one made me sad, since it lacked any creativity. It's like they're not even trying!

As you can see from the screen snapshot, all the email body contained was a hyperlink enticing people to click on it for a free prize. In this example, it was free pills to wake up my hot monster! Obviously I didn't click on it, and Yahoo would not give me a clue on what URL the link would direct me to if I did happen to click on it. A classic phishing attempts try to lure the receiver into clicking on a link or downloading an attachment, which would inject some computer virus. My curiosity didn't get the best of me. Besides, I prefer to receive my drugs from trusted, known sources.

Phishing attempt
With a great offer such as free pills to awake my inner monster, why would it need any other information?

 The full header for the email showed it came from the IP address Doing a quick search on the IP address showed me that it was registered in the Ukraine. The Eastern Block countries like to rival the African countries in phishing attempts.

Security reminder!
As always people should be careful when they receive emails with only links in the body. If your email links to somebody, ensure you either digitally sign the email or include texts to alert the receiver that it's really you.

November 23, 2013

Scam U: Instagram "Something for Nothing" Scam

Scammers are taking to Instagram by modifying previously used schemes from other social media platforms such as Facebook. In case you were not aware, Instagram is a quirky photo sharing platform that lets you add various filters and share with friends. In 2012, they were bought out by Facebook. With the growing numbers of people flocking to Instagram, it was really only a matter of time. It's no surprise that scammers are adaptive creatures seeking ways to prey on people.  One of the Instagram scams is what I dub "something for nothing."
How does the scam work?
Users come across an account that looks like an established business. Fake accounts have been found for Ray-Ban, Best Buy, Chipotle, Delta, American Airlines, Southwest Airlines, Apple, and Nike, just to name a few. The fake account offers free prizes, such as flights or coupons, in exchange for likes, shares, follows, or comments. Soon after following the "business," users start receiving messages instructing them to click on a link or provide personal information to "claim" their prize. Of course the user never receives their promised gift.
It's a recycled phishing scam slightly modified, but the scammers are getting trickier. They try to make the URLs used look as close as possible to the legitimate business' site in order to trick people into believing it is a legitimate offer. Some will use old promotions previously ran by the company to further reinforce the notion they are really representing the company.
How to spot an Instagram Scam:
  • The account name contains the words "giveways" or "free." Real business will try to keep their social media accounts with their professional name. Additionally, many businesses are not on Instagram.
  • Account only uses stock photos or doesn't have any photos. Instagram is a photo sharing platform, so users should be leary of any account without photos.
  • Promises something for nothing. As with most phishing scams, if it sounds too good to be true, it probably is.
  • Ask for password or other sensitive information. No legitimate business will ask for your password or your personal information via social media platforms.
What can you do?
  • Be leary of accounts that display any of the above indicators.
  • Don't believe you'll receive free domestic flights just for following an online account of an airline company, or some other great prize for practically doing nothing. There's always a catch! 
  • Don't give out your password or other personal information online to third parties.
  • Contact the company to verify. Use contact information from a different source, and not from the fake Instagram account.
  • If you believe the account is fake, report it, so Instagram can look into it.
Better Business Bureau (22 November 2013). New social media, same old scam accounts. Scam Alert! email.
Scam Detector. Instagram Free Stuff. Retrieved on 23 November 2013 from 

November 13, 2013

Holiday Travel Season

Dr. Seuss
Don't get grinched like
Cindy Lou did.
It's getting close to the season of hustle and bustle, when people make holiday plans and travels. This is also when scammers and thieves are out on the prowl, too. When planning out the details of your holiday travels, ensure you include appropriate security measures to prevent the Grinch from sneaking up on you and ruining your cheer. To remind you to be security minded, we did a travel round up of some of our past posts.
In 2011, AAA projected over 91 million Americans traveled during the holiday season, which means there were are a lot of vacant homes for burglars to choose from. In our Home Security While You're Away post, you can read six simple tips in keeping your home and valuable safe while you're away.
Another thing to think about with all these travelers and shoppers transporting gifts for loved ones, vehicles are going to be cram packed with treasured valuables. A great target for thieves! Traditionally auto thefts spike during the December-January timeframe. Check out our Prevent Vehicle Break-Ins post to learn five easy steps to reduce your risk of a vehicle break-in.
If your travels have you staying overnight in any hotel, don't fall victim to the scam featured in our Phone Scam Targeting Hotel Guests postThis scam is still circulating.
Heading to the airport? Our Know Before You Go! post links you up with informative resources for those expecting to travel abroad.

November 3, 2013

Scam U: Phantom Debt

scamming you
The Better Business Bureau (BBB) and Federal Trade Commission (FTC) are warning people about scammers posing as debt collectors using high pressure tactics to coerce people into paying a debt they do not owe. The con is referred to as the Phantom debt, and the FTC has already received over 3,000 complaints about this tactic. Scammers pose as law firms deceiving victims by leaving official sounding voice mail similar to below:
          "This is the Civil Investigations Unit. We are contacting you in regards to a complaint being filed against you, pursuant to claim and affidavit number D00D-2932, where you have been named a respondent in a court action and must appear... You or your attorney will have 24 to 48 hours to oppose this matter... Call 757-301-4745."
fake debt collectors are calling
Fake debt collectors are calling.
Calls continue at your home and work, as the "debt collectors" claim severe consequences if you do not pay this unknown debt. These threats range from being sued, arrested at work, garnished wages, or out-of-state court appearances. The scammers will also know information about you and your family. Paying these scammers will only entice them to come back for more. Despite the intimidating phone calls, these fake debt collectors do not have any power over you.
What should you do when dealing with these debt collector posers?
  • Know your rights! Debt collectors may not contact you at work if you tell them you're not allowed to accept these types of calls there. Real debt collectors are prohibited from stating you could be arrested, have assets seized, wages garnished or have legal actions taken against you if the debt is not paid. 
  • The Fair Debt Collection Practices Act prohibits debt collection activities from using abusive, unfair, or deceptive practices. If the "debt collector" uses threats, get their business name, address, and contact information. Use this information to file a complaint with the Federal Trade Commission.
  • By law debt collectors are required to provide written notification of the debt, which must include the amount, the name of the creditor, and a statement of your rights under the Fair Debt Collection Practices Act. Inform the caller you refuse to discuss any debts until you receive this official notification.
  • Do not provide or confirm any financial or personal information over the phone until you have verified the caller.
  • Check your credit report for free at or call (877) 322-8228. Any outstanding debt would typically be on your credit report.
  • If the scammer has a significant amount of your personal information, place a fraud alert on your credit report.
Better Business Bureau (1 November 2013). Fake debt collectors threaten victims with lawsuits and arrests. Scam Alert! email.

Federal Trade Commission (February 2009). Debt collection. Consumer Information. Retrieved from

Kando-Pineda, C. (24 October 2013). Haunted by phantom debt? Federal Trade Commission. Retrieved from

November 1, 2013

Home Security While You're Away

Secure your most
valuable asset when away.
The Better Business Bureau reports an estimated 136 million Americans traveled during summer vacation. The holiday travel season is right around the corner, so I suspect the number of traveling Americans will be high again. With all these travelers planning on hitting the road, there will be a lot of vacant homes with precious valuables insides.

The FBI reports there were over 600,000 victims of burglary/breaking and entering in 2011. (2012) While great planning goes into the travel details, we often forget to take some time in planning the security of our homes. Simple security precautions can prevent you from becoming a statistic. Below are some tips in keeping your home and valuables safe while you're away for the holidays.

Limit posting vacation details.  Burglars could use social media posts to determine when you're away. A vacant home is a very lucrative target. According to the stats with Intel's "Stop TMI: Don't Post Vacation Plans" video, 78% of ex-burglars used social media to plan break-ins, since people publicly post too much personal information. Wait to make your traveling posts and picture uploads for when you return.

Keep hedges and bushes trimmed. While overgrown hedges and low hanging tree branches create privacy for you, they provide great hiding places for burglars to work in peace. Minimize hiding spots by trimming shrubbery below three feet from the ground and trimmed away from points of entrance (i.e. doors, windows). Additionally, trim branches of large trees at least seven feet off the ground, and away from points of entrance. The idea is to create a clear zone to easily identify intruders.

Outside lighting. As with the trimmed hedges and bushes, lighting diminishes hiding spots for potential burglars by making him easier to spot. Use lights set on motion sensors over points of entrance. Even cheap solar garden lights around the perimeter can help as well.

A lot of lighting with no place for burglars to hide.
Interior lighting. Set different lights in your house on timers to go on and off at different times throughout the evening. The idea is to make the house have a lived in appearance. You don't turn on every single light in the house on at the same time when you're home, so why set them to go on and off at the same time?

Reinforce doors and windows. Follow the tips in our Home Security post such as make sure exterior doors and their frames are made from sturdy material; use dead-bolts; replace strike plates; and lock your doors.

Arrange for a care taker. While you're away, arrange for somebody to stop by to remove flyers placed on your door, to care for the yard, and check the general well being of the house. Ask that they check at different times, so as not to create a pattern and be predictable.

Better Business Bureau (2013 June 5). Summer smarts: Keep your home safe while you are away. Retrieved from

Chaplan, B. (2013 September 2). Cautious care: How to protect your home against burglars. Dumb Little Man: Tips for life. Retrieved from

Federal Bureau of Investigation (2012). National incident-based reporting system 2011. Uniform Crime Reports. Retrieved from