
Cybersecurity Monthly Newsletter November 2023

Nov 29, 2023

In this issue:

  • Beware: Work-from-Home Scams Can Lead to Identity Theft

  • Cybersecurity Shorts

  • Software Updates

    Welcome to your November Savvy Cybersecurity newsletter. Read on to learn more about:

    • An update on the Las Vegas cyberattack
    • How to stay safe from work-from-home scams
    • And much more

    Beware: Work-from-home scams can lead to identity theft

    A retired family member of mine has recently been looking for a part-time remote job online. They had joined a couple of local online job groups on Facebook. One job in particular caught their eye—data entry for $35/hour—so they applied. They told me about this over the phone and I immediately put my cybersecurity hat on. Something about it seemed suspicious and I told them to be careful moving forward.

    A few days later, this company asked my family member to fill out paperwork. They then wanted to send a check to be used to purchase equipment for their at-home work setup. When the check arrived, it was clearly fake.

    Luckily, this family member took some caution and created a separate bank account to provide to this company. This move ultimately protected their account from potentially being drained. However, they did share personally identifiable information with this fraudulent company—including name, date of birth, license information, and a social security number.

    When I got the call about the fraudulent check that confirmed this job was a scam, we immediately went into clean-up mode. This was the action plan I gave:

    1. Immediately call your bank and alert them of the fake check and vulnerable account.
    2. Freeze your credit with the big three credit bureaus.
    3. Monitor your other bank accounts closely. Ask the bank if they can add any extra layers of security.
    4. Contact the DMV regarding the driver’s license information exposed.
    5. File a police report.
    6. Continue to monitor all financial and personal accounts closely.

    Fraudulent job red flags

    Work-from-home scams are not new; however, they have become more prevalent following the pandemic. While there are plenty of legitimate remote jobs, some job postings are fraudulent. Here are some red flags to be aware of regarding work-from-home jobs:

    1. Jobs posted on Facebook: If you are looking for a remote job, stick to job boards like LinkedIn or other reputable sources. There’s little vetting done before someone can post a job on a Facebook group.
    2. Jobs asking you to purchase items: If the job asks you to purchase items with your own money to be reimbursed later—investigate further. This is one of the key signs of a fraudulent job.
    3. High pay for the task: If the job is offering very high pay for the task, it may be a scam. Like most scams, if things seem too good to be true—they probably are.

    If you or someone you know does fall victim to one of these scams, be sure to share the action plan outlined above with them.

    Cybersecurity shorts

    SEC charges SolarWinds with fraud. The SEC has charged SolarWinds and its CISO with fraud and internal control failures for allegedly misleading investors about its cybersecurity practices leading up to the Sunburst attack that was discovered in December 2020. Additionally, the SEC has alleged that SolarWinds overstated its cybersecurity practices and failed to disclose known risks from October 2018 up to at least when the attack was discovered in December 2020. You can read more about the charges and allegations SolarWinds is facing here.

    K-12 schools are improving protection against attacks but still remain vulnerable. There are more than 9,000 small public school districts across the country with up to 2,500 students – which is roughly 70% of public districts in the country – that are eligible for free cybersecurity services through a new program called Project Cybersafe Schools. And while cybersecurity services and federal officials have hosted exercises with schools to help them learn how to better secure their networks, many districts are still being lax, which means thousands are still vulnerable to ransomware gangs that can steal their confidential data.

    New York is adding rigorous requirements to financial cybersecurity rules. Earlier this month, New York’s watchdog published significant updates to its cybersecurity regulations that added strict provisions around board oversight and ransom payments that go further than recent federal rules. While the updated rules in some areas are similar to those recently approved by the SEC, New York’s rules go into greater detail in some areas. For example, in a new addition, companies now face significant requirements related to ransom payments. You can read more about these newly revised requirements here.

    The attackers behind the Las Vegas attacks are social engineering experts. The group that is claiming responsibility for major attacks against MGM Resorts, Caesars Entertainment, and Clorox is composed of experts in social engineering. Scattered Spider, which deploys AlphV ransomware in some of its attacks, uses multiple techniques and tools to gain remote access or bypass multifactor authentication, federal cyber authorities warned in a recent advisory. The FBI and CISA shared technical details but are saying more information is still needed as a lack of reporting hinders law enforcement’s ability to take action.

    Software updates

    Adobe: Adobe patched over 70 security issues this month—including critical vulnerabilities in Adobe Acrobat and Reader. Be sure to update your software as soon as possible. You can learn more about the updates here.

    Microsoft: Over 50 security holes were closed in this month’s Microsoft update. Three of these vulnerabilities are considered “zero day.” These threats allow malicious content to bypass Windows SmartScreen and could result in users downloading malware. Your device should prompt you to update automatically. You can learn more here.
