Identity Thieves Are After W-2 Forms Fraudsters continue to double down on W-2 phishing scams, also known as business email compromise - BEC - or CEO fraud attacks. These involve attackers, often pretending to be the CEO, tricking someone in a company into giving them W-2 tax records or other useful information. Scammers behind these Business Email Compromise (BEC) emails have added some tricks to increase their chances of success. In particular, they now try to engage victims in an email exchange to gradually build trust, instead of sending emails with wire transfer and/or payment instructions at the outset. Why steal W-2 forms? Because they contain employees' names, addresses, Social Security numbers and wages -- essentially every piece of data needed to compromise a victim's identity. Fraudsters can use the information to file fake tax returns and obtain a refund, among other types of identity theft. As reported by cybersecurity journalist Brian Krebs earlier this week, scammers also are now selling 2016 employee W-2 forms that were phished or otherwise stolen from victim organizations, peddling individual W-2 tax records for between $4 and $20 apiece. No organization or institution is immune. Reports of these attacks have occurred against companies ranging from Silicon Valley startups, technology companies, government agencies, to local school districts. The IRS noted some of the details contained in the phishing e-mails:
0 Comments
The American Red Cross is asking residents in disaster areas to unlock (open and disable passwords) their in-home WiFi networks. At first thought, this seems like a good idea and a way to help those who need it the most.
Understand, in disaster-like conditions, reliable communication (or communication at all for that matter) is a big challenge and major concern for both residents and responders. But, it seems the potential negative impacts from doing this could actually outweigh the short-term benefits. Security practitioners preach the risks and dangers of connecting to and using "open" hotspots and WiFi networks. Home WiFi networks should be considered trusted and for most of us, often transmit lots of fairly sensitive information. While you would hope and maybe even expect that human beings would have the best interest at heart for victims in these types of situations, society and history would tell us this is not always the case. People will try to take advantage of others, and this could be a risky proposition. At a minimum, people should be careful and thoughtful before opening their home WiFi networks for public use. For those technically-savvy enough, consider enabling the guest network option if your router is capable. Or dust off and power up an old router that can be isolated to a certain extent. It's great to see people helping others in times of need. So be helpful, but also careful. Read more about this http://www.bbc.com/news/technology-37186290 I often get asked about my thoughts on banking from mobile devices. There's no doubt about it: increasing demand for banking on mobile devices has become a critical component of most financial institutions’ (FIs’) offering. But my concern is that I don't think FIs or account holders fully appreciate the potential risks of banking on mobile devices.
I know a lot of industry folk claim that security professionals often hyperbolize about mobile banking threats. But here is the reality: surprisingly many mobile banking applications are often designed without proper security controls built in. And even when the apps have proper built-in security, it may not be enough. Why? Well, as we deploy more sophisticated controls, fraudsters also adapt their techniques. Couple insufficient security with the proliferation of malware attacking mobile devices, and you have a threat that is very real and will continue to grow, evolving from running up bogus charges from cellular carriers—which is minor in comparison—to the potential of credential-stealing and theft of financial data. Theft of financial data from mobile devices, you ask? You bet. But with the right approach, I know we can defeat fraudsters. This is why I'm so passionate with FIs about establishing a multi-layered security strategy, which focuses on the entire banking session, from login and authentication thru transaction submission. In the face of a myriad of threats, layered controls should be deployed to ensure a secure banking experience. Examples include the use of OOB OTPs and tokens, behavioral modeling to detect and prevent anomalies, multi-factor authentication, and the use of dual controls. Why layered controls? This approach ensures the weakness of one control is compensated by the strength of another. And of course, these controls cannot be set and forgotten. They must be revisited as the attack landscape changes. My question to you: Is your FI investigating or using a multi-layered security approach? Implementing such a strategy will go a long way towards mitigating threats. |
ArchivesCategories |