It's Tax Season! Time for Phishing Scams...

Welcome to March!  


That time of year that everyone dreads is upon us. (No, not Christmas, although I wouldn't be surprised to find that Walmart has started playing that awful Christmas Muzak already...)


I'm actually referring to the "here-before-you-know-it" date of April 17th - Tax Day.  And with each successive year of tax filings, you can always expect a new wave of cyberscams, identity theft and phishing attempts in an effort to separate you from your tax return.  This year is turning out to be a banner year for scammers.


These schemes may include:


1. Receiving a seemingly official phone call, fax, letter or email from someone claiming to be from the IRS needing to verify your bank account information
2. Fake websites that claim to be official IRS sites
3. Malware that can either send you to a fake website, remotely access your computer or copy your keystrokes in order to capture passwords, social security numbers, etc.


The most helpful advice is what you should already know and be practicing in your daily computing life. In case you need a refresher:

1. Do not trust email from unexpected or unknown senders.  Assume it's bogus and call the sender to verify authenticity.  Just because it says it's from UPS or the IRS doesn't necessarily make it true.
2. Do not click on hyperlinks unless you are certain that the email containing them is legitimate.
3. Never reveal social security numbers, passwords, PIN codes or other personal information unless you have verified the requesting source.  Even then, do not send important information like this via email.  It isn't safe and no one reputable will request it by email.
4. Just because the website you are on appeared via a Google or other search engine doesn't mean it's legitimate.  Search engines can be fooled easily enough.  If you are unsure, call the company or organization to confirm the website address and then type it in manually.
5. Always keep your anti-virus and anti-spyware up to date.  This also applies to Windows Updates and software like Adobe Reader, Adobe Flash, Java, etc. (most likely those pop-up reminders you keep clicking "postpone" or "ask me later")

The IRS has even provided us with a handy chart, shown below:

What to do if you receive a suspicious IRS-related communication

If	Then
You receive an email claiming to be from the IRS that contains a request for personal information …	Do not reply. Do not open any attachments. Attachments may contain malicious code that will infect your computer. Do not click on any links.If you clicked on links in a suspicious email or phishing website and entered confidential information, visit our identity protectionpage. Forward the email as-is, to us at phishing@irs.gov. After you forward the email and/or header information to us,delete the original email message you received.
You discover a website on the Internet that claims to be the IRS but you suspect it is bogus …	... send the URL of the suspicious site to phishing@irs.gov. Please add in the subject line of the email, 'Suspicious website'.
You receive a phone call or paper letter via mail from an individual claiming to be the IRS but you suspect they are not an IRS employee …	Phone call: Ask for a call back number and employee badge number. Contact the IRS to determine if the caller is an IRS employee with a legitimate need to contact you. If you determine the person calling you is an IRS employee with a legitimate need to contact you, call them back. Letter or notice via paper mail: Contact the IRS to determine if the mail is a legitimate IRS letter. If it is a legitimate IRS letter, reply if needed. If caller or party that sent the paper letter is not legitimate, contact theTreasury Inspector General for Tax Administration at 1.800.366.4484.
You receive an unsolicited e-mail or fax, involving a stock or share purchase  …	... and you are a U.S. citizen located in the United States or its territories or a U.S. citizen living abroad. Complete the appropriate complaint form with the U.S. Securities and Exchange Commission. Forward email to phishing@irs.gov. Please add in the subject line of the email, 'Stock'. If you are a victim of monetary or identity theft, you may submit a complaint through the FTC Complaint Assistant.   ... and you are not a U.S. citizen and reside outside the United States. Complete the appropriate complaint form with the U.S. Securities and Exchange Commission. Contact your securities regulator and file a complaint. Forward email to phishing@irs.gov. Please add in the subject line of the e-mail, 'Stock'. If you are a victim of monetary or identity theft, you may report your complaint to econsumer.gov.
You receive an unsolicited fax (such as Form W8-BEN) claiming to be from the IRS, requesting personal information …	Contact the IRS to determine if the fax is from the IRS. If you learn the fax is not from the IRS, please send us the information via email at phishing@irs.gov. In the subject line of the email, please type the word ‘FAX’.

How to identify phishing email scams claiming to be from the IRS and bogus IRS websites

• Sample of phishing emails
  • First sample of an actual IRS-related phishing e-mail - PDF
  • Second sample of an actual IRS-related phishing e-mail - PDF
  • Is it a phishing website posing as the IRS? - PDF
• Sample of FAX scam
  • Sample of recent fax scam requesting EIN - PDF
• Are you a victim of Identity Theft?
  • Contact the Federal Trade Commission 
  • Visit the IRS Identity Theft resource page

---

The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.

The IRS does not ...

... request detailed personal information through email.... send any communication requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

How to secure your PC in 10 easy steps

Don't be a victim this Holiday season!

One in every 10 American consumers has been a victim of Identity theft.  In 2009, that means 11.1 million people were victims of this particular crime.  


It may be easier to avoid thinking about this issue and just hope that you are not one of those unlucky 10%.  But keep in mind that the average amount taken from each victim amounts to $4,841 and that it takes an average of 330 hours to repair the damage done by identity theft.

As we enter the holiday season, more people will be shopping online, offering more opportunities for those that prey on consumers.  There are, however, a few things that you can do to help lower the chances that you will suffer from this crime.  Even implementing a few of these options can make a big difference.



There's one thing you can do to avoid being the victim of identity theft: follow this 10-step PC security plan.

Encrypt your network connection
Most popular sites offer HTTPS connections at least some of the time. In Gmail, click the gear icon in the top-right corner and select "Always use https" under the General tab.

To select Facebook's HTTPS setting, click the down arrow in the top-right corner and choose Account settings. Select Security in the left pane and Edit in the Secure Browsing section of the main window. Check "Browse Facebook on a secure connection (https) when possible" and click Save Changes to activate the feature.


Continue to the rest of the blog.


As always, please feel free to post comments here or on our FaceBook page.  If you would like help making these changes, please call or send us an email.

Heidi Klum the 'most dangerous' celeb on the Net

As if we needed a new reason to fear about people casually surfing the interwebs at work or at home.  The following post from CNET.com (using data gathered from McAfee) highlights the dangers lurking around search results - even from reputable sources like Google and Bing.  The bottom line?  Be careful what links you click.  Keep your anti-virus and anti-spyware up to date and above all, if it looks even remotely suspicious, assume the worst and avoid it.

If you think you are infected, immediately run a scan from your anti-virus AND your anti-spyware.  If you are unable to resolve it, it may be time to call in the big guns for help.

Move over, Cameron Diaz, there's a new leader in the race to be the "world's most dangerous celebrity."

Former Victoria's Secret model and current host of "Project Runway," Heidi Klum, is the Internet's "most dangerous celebrity," security firm McAfee announced today. According to McAfee, when users input Klum-related queries into a search engine, nearly 10 percent of the results are "malicious."

Read more: http://news.cnet.com/8301-13506_3-20106648-17/heidi-klum-the-most-dangerous-celeb-on-the-net/#ixzz1Y2Dp3Snp


As always, feel free to comment here or drop me a line.

How Spammy Facebook Scams Still Manage to Claim Millions of Victims

As Facebook scams continue to loom and infiltrate news feeds, web security firm Websense has conducted a study to tabulate just how far these campaigns stretch. The news isn't encouraging, with scams on Facebook estimated to reach more than a million users in a matter of days. 

According to a Websense study of two recent Facebook scams, upwards to 1700 Facebook users interacted with the scam every few seconds during each campaigns’ peak days. A July scam based on malicious Wall posts took just over a week to hit peak numbers while a second in August took only two days, according to a post on Websense's Security Labs blog.

Read the rest of the article at Threatpost.

Please feel free to post questions and comments here or email us directly.

Google Search Now Displaying Warning About Malware Infections

Google is taking the unusual step of displaying a message at the top of its search results pages for some users, alerting them to the fact that their computers may be infected with malware. The action is the result of an investigation in which the search giant discovered that some malware-infected PCs were sending their search requests through one of a number of proxies.

The move by Google is an unprecedented one, and may mark the beginning of a shift in the way that the company and others--such as Microsoft, Yahoo and Facebook--that have massive presences on the Web and see enormous amounts of traffic deal with the issue of their users' security. Many ISPs in Europe and some in the United States have taken to actively warning their customers when they have an infection and some go so far as to prevent the offending machine from accessing the Internet until it's cleaned.

Read the rest of the article at Threatpost.

Please feel free to post questions and comments here or email us directly.

6 Simple Privacy Tricks Everyone Should Use

Protecting your privacy on the internet can seem like a monumental task, but there are some surprisingly easy things you can do to protect your privacy with just a few clicks of your mouse. Here are some simple tips.

6. Use Temporary Credit Cards for online shopping

Many people are nervous about using credit cards to shop online.  Whether you are concerned that someone might steal your credit card information or you simply want to control any possible automatic billing or overbilling, temporary credit cards are a great help. Many card issuers have them and you are usually allowed to choose the card's spending limit, expiration date and more. Using this method, you are protected from either real or unethical automatic monthly billings, stolen credit card information or even legitimate recurring billings that you may have meant to cancel but forgot about.  In each situation, there is a finite amount of money on the card and when it runs out, charges are simply denied.

5. Limit the personal information you give out

It seems that no matter what you want to do on the Internet, many sites request that you sign up and give them a lot of your personal information.  Most of the data these web sites ask for during the sign-up process is completely unnecessary and sometimes even unsafe. Identity thieves can do quite a bit of damage with minimal information that may seem harmless to you - like your birthday. Make sure you don't post both the date and the year of your birthday on anything public like Facebook, Linked-In or any other social media.  If a website DOES require you to use it for a web signup, make sure you change either the day/month or the year to something different.  If you want to help the site keep their demographic data intact, feel free to use the correct year but change the day/month.  Make certain to use an easily memorable fake date, such as January, 1, 1900 so that you will be able to remember it if the site uses that information as a security question or to reset a password.

4. Use HTTPS Whenever Possible

Your first question is most likely, "What is HTTPS?"  In a nutshell, HTTPS provides encrypted communication and secure identification of a network web server.  In other words, it's a more secure way of browsing the internet and it is used by banks, shopping sites, credit card sites and more.  Any time you are shopping online or looking at sensitive information online, you should be using HTTPS instead of the standard HTTP.  There are a number of other websites that can use it that you might not even know about.  For instance, you can enable it on Facebook, Twitter, and Gmail by just ticking a checkbox.

3. Use an ad blocker when browsing

AdBlock Plus is a slick add-on for both Firefox and Chrome browsers.  It can remove all the advertisements on a webpage or you can limit it to only stopping those annoying Flash or Javascript ads that not only slow down the time it takes to launch a webpage but are capable of distributing malware as well.  You might have heard about software like this, but chose to ignore it because you want to help support the sites you visit by viewing their ads. If that is the case, this may not be for you.    

2. Use Disposable Email Addresses to Avoid Spam

This one ties in directly with #5.  One of the quickest ways to flood your inbox with spam is to use your real email address(es) when signing up for an online service that requires you to authenticate your email address.  Unless you carefully scrutinize every site's privacy policy, you have no idea who may be buying or selling your information.  One of the easiest ways to avoid this is to use a disposable email address for any website that doesn't actually need your real email address. If you visit a site that requires an email address but that you don't fully trust, try using a service like 10 Minute Mail.  You can use a quick temporary email address to get the necessary "confirmation email" and ignore any future spam that might come your way.

1. Keep Security Questions as Private as Passwords

This follows up closely with a previous blog posting.  Strong passwords are imperative, but they're utterly useless if your "security question" is something anyone can guess the answer either by knowing a bit about you or by glancing at your Facebook page. If you are given the choice, ALWAYS opt to create your own security question(s) and be sure to make them unusual (i.e. something only you would know the answer to).  If you must use a standard slate of questions and they are the usual bland, easy-to-guess-at type, feel free to supply an answer that makes no sense or that has no direct relationship to the question.  Of course, you want to be careful to keep any unusual answers written down somewhere safe so that you avoid being so secretive that you end up locking yourself out of any of your accounts.

As always, feel free to leave any comments or questions.  You can always reach me via email, too. 

Do's and Don'ts of Password Security

1. Don't recycle passwords between different websites.  This is probably the one most people are guilty of doing.  Even using minor variations such as password1, password2, password3 is a bad idea.  Malicious hackers routinely re-use passwords they capture on unimportant sites on Web vendors that are likely to store credit card information, such as Amazon, iTunes and so on.


2. The second big no-no for passwords is using words that are found in the dictionary.  Using a word like "frog", "baseball" or "family" as a password is music to a hacker's ears.  They have programs that can search through thousands of dictionary words in a short amount of time to crack your password.


3. As a follow-up to #2, do NOT use easy or obvious passwords that even a non-hacker would be able to guess.  Examples of shamefully obvious passwords include: "password" , "12345" , "abcde" , "qwerty" , etc.  If you make a password so obvious that you can't forget it, it means it's most likely a password that will be cracked with ease.


4. Don't use words or themes closely associated to you - hobbies, occupation, kids/spouse/pets name, etc.  The point is to make things as difficult as possible for a stranger to guess at.  Don't make his job easier for him.


5. This one ties into #4.  On sites that require you to keep answers to  security questions, don't use answers that can easily be found on your Facebook, LinkedIn or other social media websites.  Always choose to create your own question(s), if possible.  That way you can be sure to have a question and answer that will not be easy to guess at or find elsewhere.

6. Use a combination of capital/lowercase letters, numbers and other alpha-numeric characters.  You have an entire keyboard at your disposal.  Don't be shy about using a good combination such as "!4winDows{".


7. If you must have a commonality amongst your passwords, consider devising a formula you can use on each site.  For example, on every website, your password will start out as the name of the site but will begin with a random symbol (@, #, $, &, etc.), capitalize the second letter, use "3" for every "e" and "0" for every "o" and end with a number.  An example:  your facebook password might be something like - %fAc3b00k7.


8. One of the easiest and safest routes to pursue if you want to have top-notch security is to use a password creator/keeper program.  These programs will randomly generate extremely tough passwords for each site that you sign up on.  They store the passwords and will automatically log you in when you return to any sites it has stored for you.  This way, the only password you need to know is the one that opens up the password program - it will remember everything else.  Some examples of this software are LastPass and RoboForm.

9. If you choose to keep your passwords stored the old-fashioned way, just take a few precautions.  Most importantly, don't keep your passwords in plain site (i.e. on a sticky note taped to the monitor or keyboard).  Keep them in a locked drawer or even hidden in a nearby book - just not out in the open where a mischievous co-worker or child can stumble upon them easily.


If you have questions or comments or would like help keeping your passwords from prying eyes, please post here or contact us via our website.

10 Ways to Control Your Privacy on Social Networking Sites

Social networking sites are growing in popularity at an exponential rate. With 500 million users, Facebook has become a common occurrence in our daily lives — among all generations. In fact, according to a study by Nielsen research, Americans spend a third of their online time (36 percent) communicating and networking across social networks, blogs, personal email and instant messaging.


And while they are a great way to stay in touch with old friends, find new friends, keep family up-to-date, post pictures, and so on; they are also now very popular places for people who have bad intentions. Just think about what your account may contain — email address, home address, date of birth, pictures — the list goes on. That's valuable information to cyber criminals and scammers.


Twitter's global surge in popularity has encouraged spammers and other online criminals to take advantage of the tiny URL links used within Twitter to target unsuspecting users. New Facebook scams seem to make emerge on a daily basis.


According to Consumer Reports' 2010 State of the Net survey, more than half of social network users share private information about themselves online, opening themselves up to a variety of online dangers, including identity theft.


So what can you do to stay safe one these kinds of sites? Here is our top 10 list of the ways you can restore or maintain your privacy on social networking sites.


1. Check your privacy settings
Make sure you know what information is being shared publicly — and what information can be accessed by applications. You may be sharing more than you intended. Keep in mind that without taking the precaution of adjusting your privacy settings, when you visit partner sites, they may able to obtain information from your Facebook account, including your name, profile photo, and information on your interests. For more information on Facebook settings, please visit "A guide to privacy on Facebook"  http://www.facebook.com/privacy/explanation.php?ref=pf


2. Create strong passwords
Create complex passwords that are at least 10 characters long by mixing letters, symbols and numbers (don't just use words that can be found in a dictionary). When creating passwords, think about the information that you have available about yourself online (a pet's name, your place of birth, etc); make sure that you do not include obvious references like these as part of your password.
You should also keep from including this kind of personal information about yourself when answering security questions on websites; most of these questionnaires are only used by the site to help identify you and allow you to regain access to your rightful account. Revealing the correct facts (like you mother's maiden name or the last four digits of your social security number) is not necessary... Just make sure to remember what information you entered!

3. Have a clear understanding of what sensitive information is - and don't share it.
Always remember, once shared online, your information is no longer private. Before posting any personal information, think about how much data you want available about yourself online. Even facts that may seem mundane to you at first glance can be valuable to scammers, who are able to mine information, and connect the bits of personal data you make available. This can be used for a variety of scams and even identity theft.


In order to limit the amount of potentially sensitive information about yourself — and to limit your susceptibility to theft or abuse — reconsider publically posting the following:
Your full name
Your full date of birth
The names of your children or family members
Your full home address
Dates and details of trips, vacations and time spent away from home


4. Think twice about who you add, follow, or connect with.
It's a good rule of thumb is to only connect and share with people that you know in real life. By 'friending' people online that are strangers, you open yourself up to added privacy and security risks. According to a study from Cloudmark, nearly 40 percent of new Facebook profiles are fake, created by malware writers and spammers.

5. Think before you post.
Always remember, once shared online, your information is no longer private. Personal information like date of birth, home address, and email address can be used for a variety of scams and even identity theft. And just think how valuable it would be for the bad guys to get a hold of your dates and details of trips, vacations and time spent away from home.


6. Be careful what you click.
Never, ever click on suspicious links, even if they look enticing. A lot of scams and malware in the social network world is spread through links and rogue applications. You may have seen recent posts such as "I just got the Dislike button, so now I can dislike all of your dumb posts lol!!" or "Student attacked his teacher and nearly killed him" with a link attached to it. Take caution when clicking on links — even if it comes from a friend. Many of these applications are given access to post items — without you knowing — when you install them.


7. Limit your use of applications and extras (like games and quizzes).
Software applications that are available for download to run on the site may not undergo any type of security approval, verification, or review. These applications can potentially be leveraged by cyber thieves to compromise your information. What's more, you may be handing over private information in your profile to the applications developers when you install the new app, even if you use privacy settings.


8. Monitor your kids.
Networking sites can potentially open up children and young adults to many unfavorable aspects of the Internet — including bullying, online predators, and cyber scams. Make sure to prepare kids with information that can help them to make safe decisions, and to have an open dialogue about safe and appropriate web use.


9. Take action if you see suspicious activity.
There are several ways to report potential spam or scams. Check your social network of choice for more details. If you think your account may have been compromised, immediately change your password. If status updates are appearing on your Facebook page that you didn't make, you may have a rogue application. Remove the suspicious application from your Facebook profile as well as the related message from your status, News Feed, and your Likes and Interests in the "Edit my Profile" menu.

10. Have basic security software in place and keep it up-to-date.
Protecting your PC with anti-virus, anti-spyware and a firewall (and making sure the software is always up-to-date) is critical in keeping safe from malware and online scams. For trusted security solutions from Lavasoft, check the Lavasoft website. Also make sure that your computer is up-to-date with the latest security patches.


Words to live by? If you wouldn't give a stranger the information, you probably shouldn't be posting it online.


Re-printed from April 2011 Lavasoft News http://www.lavasoft.com/company/newsletter/2011/04/article_privacy_on_social_networking.php?x-source=email&x-email=news&x-news=news-2011-apr-3for1&x-news-2011-apr-3for1=articles&tracking=yesmail,

10 Tech "Don'ts" for Small Business

** The following list was originally created in the Trend Micro Small Business Customer Newsletter **

1. Don't leave your IT support to an employee who isn't a tech professional. In many small businesses, tech troubleshooting and user support falls to whoever knows something about computers. But if that person was hired to do something else - like accounting or sales - the time they spend on computer tasks is only detracting from their real work, and their lack of professional expertise could be putting your business at risk.

2. Don't rely on manual backup procedures. Backups should be regularly scheduled and automatic. If you're relying on a human to push a button to start the process or to remember to remove backups to an offsite location, you're asking for trouble anytime that person is out of the office or simply forgets.


3. Don't forget that smartphones are actually handheld computers that can make phone calls. If your employees are using smartphones for business, those phones need security protection just like their computers do. Smartphones hold increasing amounts of vital business information and should be included in any business-wide security policy.  Lost, missing or stolen smartphones should be reported to the IT person(s) immediately.


4. Don't just throw out old equipment. By all means, replace old or failing equipment - but before you do, make sure your hard drives are wiped and that your apparently worthless old computers and printers don't become a gold mine for an identity thief. If the equipment cannot be donated or re-used, make sure it goes to a recycling facility, which is kinder to the environment than consigning your computer to a landfill.


5. Don't assume your employees can read your mind. Spell out the rules for protecting customer data, using social media responsibly and using external devices like USB drives and smartphones. Better to have your policies in writing than to assume your employees will use common sense - and be proven wrong.


6. Don't jump into social media without a plan. Many small businesses have set up Facebook pages and Twitter accounts. But the numbers of businesses - small and large alike - that have suffered PR disasters from embarrassing tweets show that poorly-thought-out social media moves can backfire.


7. Don't skip training sessions. Buying a new printer, laptop or software will be a waste of money if you and your employees don't know how to use it to its full potential. If you're like most small businesses and you don't employ full-time IT support, it pays to provide basic training for new technology purchases. You don't have to hire a trainer, but everyone on staff should be familiar with the instruction manuals and any online help/training sites.


8. Don't leave home without your security smarts. Many people assume that work-based email and Internet security are bulletproof, which can lead to risky online behavior. If you wouldn't click on a suspicious link or visit a strange website from your home computer, don't do it from your work computer either.


9. Don't ignore negative customer reviews. Online reviews can make a huge impact on the public's perception of your business. If somebody complains about your service and writes about it on a blog or a review site like Yelp, by all means follow up with a response that shows you're listening and you want to address the person's concerns.


10. Don't use pirated software. If you're a legitimate company, you need legitimate software licenses. Not only will it help avoid potential malware and viruses but it's the only way you'll be able to get support from your vendor, and it's also the right thing to do.

Anti-virus "scareware" hits a new low.

Most people who use a computer regularly have probably experienced first-hand or know someone who has been infected by a rather annoying piece of scareware that goes by various names including Trojan:Win32/FakeXPA or Rogue:Win32/FakeXPA.  Until now, a savvy user could usually spot the fake anti-virus due to the rather generic names they used such as "Anti-virus-1" or "AntivirusXP."  (See Figure 1, below)

Fig. 1  An example of a variant of a fake anti-virus.

These fake programs have various negative results, not including scaring the daylights out of you when a pop-up suddenly appears telling you that you have hundreds or thousands of previously unknown infections.  You may also notice that you are: not able to disable/remove the pop-up window; not able to browse on the Internet; re-directed to sites you did not intend to go to.  In a worse-case scenario, this malware may lock up your computer or even cause it to give you the dreaded Blue Screen of Death (BSOD).


The main goal of these programs is to scare you into either purchasing a "full" copy or registering your software with them.  If you make the mistake of doing that, you will not only lose whatever amount they charge you on your credit card but you run the risk of having your credit card number stolen as well as possibly downloading more malware onto your system.


A new, more sinister development has emerged.  A new variant of this scareware now closely mimics a respected anti-virus company, AVG, who provides both a free and paid version of their software.  Until now, these devious scammers refrained from mimicking legitimate anti-virus companies but that may not be the case any longer.  Even a seasoned user is liable to fall for something that looks this real.  (See Figure 2)

Fig. 2  A screenshot from the fake AVG scareware.

The bottom line is this - things will only get worse going forward as people find better, more effective ways of separating you from your money.  Your best bet is to keep your system as protected as possible, including:


1. Use up-to-date anti-virus software (and be sure you know what brand it is!)
2. Use at least one real-time anti-malware software in addition to your anti-virus
3. Make sure you have a firewall on (either the built-in one or a third party)
4. Make sure you enable Automatic Updates
5. Set up automatic scan times or run them manually at least 2-3 times a month.


If you do get infected and are not able to remove it by yourself, don't panic.  Most reputable computer consultants have probably dealt with this type of infection many times already.  Don't be afraid to reach out for help.