The Great Phishing Scamdemic

Have you been noticing an abundance of suspicious-looking emails flooding your inbox over the past few months? You aren’t alone! In the age of COVID-19, InfoSecurity Magazine reports that phishing scams have soared by over 600% since the end of February. Unfortunately, many of these scammers prey on fear and uncertainty in order to worm their way around barriers. And working from home means those barriers aren’t often as well maintained as they would be in the office.

So what can you do to help keep your passwords and accounts secure? When it comes to phishing, awareness is often the best defense. With that in mind, we’ve put together a guide to help you navigate some of the common tricks and scams to watch out for during these trying times.

CDC Alerts

If you receive an email claiming to be from the CDC or WHO, you should be careful. It is most likely a scam! These messages often contain links claiming to list coronavirus cases in your area along with an urgent request to review those cases and see if you were in contact with anyone affected. The links may look legitimate on the surface. However, hovering a mouse pointer over the link and examining the actual target underneath reveals that it actually points somewhere more nefarious.

Health Advice

Phishers have been sending many scam emails purporting to offer important health advice related to the pandemic. These often appear to come from a specialist, doctor, or expert of some kind. These emails may contain a link or even an infected attachment. If you receive one of these messages, do not open any attachments or follow the links. Delete the email immediately. If you feel uncertain about your health, it is always best to contact your own doctor directly.

Workplace Policy Updates

You may receive occasional updates from your employer while working from home. This is normal and expected, but if you receive one of these notices, review it carefully before following any links or downloading any attachments. Cybercriminals have been sending highly targeted “Policy Update” messages appearing to come from your employer. These messages appear to link to an updated company-wide policy due to the pandemic. Always double check the link by hovering your mouse over the text and checking where it really goes. If you are unsure, reach out to your employer directly and ask whether or not the message came from them.

Charitable Appeals

Many scammers are exploiting people’s best intentions by requesting financial support to help victims of the virus and front-line workers. Although these types of emails may not always be phishing scams, the charities they fund are usually illegitimate. Rather than helping to fund relief efforts, the money instead goes straight into the scammer’s bank account. Always do your research before donating to any charity. If you receive a charitable appeal via email, it is most likely fake.

SMS Recovery Hack

You may receive an email or SMS from someone claiming to be your employer or email provider. The attacker typically claims that someone breached your account and they need you to forward a forthcoming SMS code to restore it. The attacker then initiates an account recovery process which automatically sends out an SMS code to the account owner’s phone. If you unwittingly forward that code to the attacker, they will be able to take over your account.

These attacks have become very popular lately and have seen widespread success. There is even a variation of this scheme affecting WhatsApp users. To ensure this doesn’t happen to you, never forward any account codes to someone else. Your email provider should never require this information. If your employer legitimately needs it to rescue your account, contact them directly over the phone or video conference to ensure you know exactly where you are sending it.

Smudged Screen

Since touch devices have become the norm, a new type of attack targets these devices by simulating a smudge, hair, or piece of dust on the screen. Many people are already educated about the dangers inherent in clicking unknown links in an email, but wiping smudges from their touch screen is almost a reflex. However, if the smudge is actually a disguised link, that reflexive swipe may be detected as a tap. If you’re using a touch device, it’s always a good idea to close your email and browser before cleaning the screen.

Fake Ads

Scammers have been placing ads around the web and over email claiming to offer cures and treatments for the virus. Norton Security reports that the websites these ads lead to sometimes contain malware. Even in the best case scenario, the products and services they offer are useless.

How to Avoid Phishing Scams

Now that you are aware of some of the more malicious phishing scams going around right now, here are some general practices that will help protect you and your accounts from these threats:

  • Avoid opening unsolicited email.
  • Hover your mouse pointer over links to see where they really lead.
  • Do not download attachments from any email unless it was something you were expecting to receive and you are certain of where it came from.
  • Do not supply personal information to anyone via email.
  • Watch out for sloppy spelling and grammar. Although this is not always a guarantee (they get more convincing all the time), poor grammar and spelling usually indicate the email is coming from a fake source.
  • Be wary of urgency. Emails that try to create a sense of urgency are almost certainly scams.
  • Stay calm. People can be more easily manipulated when they are in a state of panic. Try not to fall victim to fear-inducing emails or messages. This is a tactic used by social engineers to bypass your natural defenses. Instead, keep a steady hand and delete such emails.

How to Stay Safe Online During the COVID-19 Outbreak

The COVID-19 outbreak has taken the world by surprise. In these unprecedented times, it is important to know who you can trust. Unfortunately, there are some people who are looking to benefit off of the grief and anxiety of others. COVID-19 scams are running rampant right now. We’ve outlined how to stay safe online during the COVID-19 pandemic.

Malicious Coronavirus Emails

Scammers are sending emails while posing as various professional health organizations such as the CDC and the World Health Organization. Most of these emails are known as phishing emails, which are used to lure the receiver to click a malicious link. These links often impersonate other websites like banks or other accounts. The fake websites prompt you to log in or enter credit card information. The consequences of handing this information over to a malicious site can be crippling. Other links may send you to websites that install malware onto your computer.

How to Spot COVID-19 Scams in Your Email

The number one rule of thumb is to always be cautious. Therefore, never immediately click a link or download attachments from ANY email. You want to be 100% sure of its authenticity. Here is how to tell if an email is legitimate and avoid COVID-19 scams:

  1. Check the sender’s email address
    If the sender’s email address does not end with the company’s domain (for example, an email from the CDC would look something like email@cdc.gov), it is almost always a sure sign of spam. Flag the email and trash it. If it does match, that is a good sign. However, it is possible for hackers to spoof emails to look like the real thing, so check for the next things as well.
  2. Look for typos and grammar mistakes
    Professional emails are usually read by a few pairs of eyes internally before they get sent out to the public masses. This means typos and grammar mistakes are generally caught before the email hits your inbox. Scam emails are often written by one person. Additionally, it is not uncommon for the emails to have poor English translations if their origin is international. If you notice any typos or grammar mistakes, it is best to flag and trash the email.
  3. Check the destination URL of any links
    Hyperlinks allow the sender to type whatever they want and have that text link to any website on the web. This means that just because you see a link to a website, doesn’t mean your destination will be that website. This is one of the main ways hackers obtain your information. To check the actual destination of a link, hover your mouse over it and you should see the revealed URL somewhere in your email program or browser. Test this by hovering over this link to the CDC’s website: https://www.cdc.gov/coronavirus/2019-ncov/
    As you can hopefully see, this actually links to our homepage. Refrain from clicking any link that will not bring you where you’d expect. Remember that this method of link checking works on hyperlinked images and regular text as well. If you receive a notice, you can always call your vendor directly to check on a notice or browse out directly to the vendor’s website instead of clicking on the email’s link.

Working From Home

If you are working from home or have employees working from home, you may be leaving sensitive information vulnerable. Hackers are targeting more and more people working from home in hopes of gaining corporate information. Keeping yourself and your team informed on the email information above can tremendously minimize the risk of a data leak.

Another thing to do is to provide legitimate resources for employees to go to if something goes wrong. Whether it’s your internal IT department or the Microsoft help desk, giving a direct resource minimizes the chance of being baited by fake tech support.

Lastly, make sure you and your team have a secure WiFi network and have changed the default password on their router. You will be off the secure work network, so double check that you are not leaving yourself open to potential risks.

Stay Safe

Being vigilant is the best way to stay safe. If you’re unsure about an email, asking for a second opinion is better than taking the risk. Run it by a colleague, or contact Appletree with any questions. We can provide tech support and help you identify suspicious emails or web pages.

Why You Need an SSL Certificate on Your Website

Have you ever visited a website and been greeted by a warning stating that the site is “Not Secure” or something similar? It is definitely off-putting to visitors when this happens. If you are a site owner and notice your site doing this, it is actually pretty easy to fix. All you need to do is install an SSL certificate.

What is SSL?

SSL stands for “secure sockets layer”. This essential technology encrypts data as it moves between a web server and browser. In other words, it stands between you and the rest of the internet, jumbling whatever information you send (such as usernames, passwords, credit card info, etc) into nonsense that can only be decrypted by a special “private key” held by the intended recipient. This protects you from hackers who could otherwise intercept your info while it is in transit. You’ll know you’re on a site with an SSL certificate if you see a padlock to the left of the URL in the address bar.

What if My Site Doesn’t Collect Personal Information?

Google encourages every site to obtain an SSL certificate. As a reward, your website gets a boost in search ranking. By not having one, you ultimately rank worse regardless of your data collection policy. If you’re running a small business, building a good Google ranking is essential to help bring in customers. This reason alone is good enough to justify the effort – you can outrank your competitors!

In addition to that, not having an SSL certificate causes some browsers to display a warning. Google Chrome, specifically, shows a “Not Secure” label (as mentioned earlier). This can be alarming to potential visitors, redirecting them away before they even land on your site. If enough visitors “bounce” because of this, it can ruin your website’s performance and eventually even harm your company’s credibility!

Keep Your Information Safe

If you manage your website using a content management system like WordPress, your administrative login credentials could become compromised if your site does not have an SSL certificate. Without it, your username and password are sent as plain text over the internet. Credentials sent this way can easily be picked up by hackers. Another way to combat unauthorized logins is by using two-step verification. Enable that whenever it is available.

Stay Cautious

Sometimes even phishing & scam websites are able to obtain legitimate SSL certificates. Just seeing a padlock in the corner does not necessarily mean you should trust the site with your personal information. Usually, you only have to worry about these types of scams coming through your email, so make sure to keep your guard up and know what to look out for.

Now that you know how important SSL certificates can be for you and your customers, help keep your website visitors safe and comfortable by installing one as soon as possible. This will boost your reputation as well as your organic search rankings over time. Not sure how to install SSL yourself? The experts here at Appletree would be happy to assist – we do this all the time! Don’t hesitate to drop us a line and let us know how we can help.

Microsoft Scam Calls are Still Rampant

Microsoft scam calls have been around for a while, but they’re still detrimental. In 2018 alone, it’s estimated that tech support scammers managed to take a whopping $55 million out of the bank accounts of over 140,000 innocent people. These scammers call you out of the blue to catch you off guard. This is why it is important to know exactly how to handle scam calls and get real support when needed.

How to Identify Fraudulent Support

Unsolicited calls from anyone claiming to work for a software company and asking for bank information are not real. Similar calls telling you that your computer/device is infected are usually not real. The best thing to do would be to hang up, report the incident, and block the number. Unfortunately, some of these scams are becoming a little more sophisticated. Sometimes Microsoft scam calls may appear on your caller ID as the real number for Microsoft. This is called caller ID spoofing.

Caller ID spoofing is done through a computer program that allows the user to change the outgoing number to anything. This makes it harder to block and report the scammers.

In the event that you receive a call from any company such as Microsoft, you can always hang up and contact them yourself to confirm if the call was real or not. On Microsoft’s website, they have an option to instantly chat with a real Microsoft support person. You should be able to verify if you were actually being contacted by Microsoft or not. You can also find their real customer service numbers on the Microsoft website if you prefer talking on the phone.

If you are ever prompted with a pop-up telling you to call immediately because something is wrong with your computer or information has been stolen, you can rest assured that it is not real. Microsoft error and warning messages will never have a phone number for you to call. Follow the steps below to get rid of and avoid these pop-ups.

How to Get Rid of Pop-Ups

Browser Pop-Ups

If you are browsing the web when you receive a pop-up, all you have to do is close out of it. The best way to do that is by pressing CTRL+W. This will close the tab that is currently in focus without you having to click on anything. This minimizes the risk of you accidentally downloading malware by clicking a false X or initiating other hidden downloads. If you see something did get downloaded, do not click on it in the downloads bar. Go to the downloads folder of your computer and delete the download, then empty your recycle bin to make sure it is completely off your machine.

To avoid browser-based pop-ups like this, make sure you have your pop-up blocker enabled. We also recommend that internet users download an ad blocker like Adblock Plus. It is completely free and blocks any intrusive or misleading ads, but whitelists legitimate ads that are clearly labeled as advertisements. If pop-ups persist, check your browser extensions and make sure to uninstall any extensions that you do not recognize.

System Pop-Ups

If you are receiving odd system pop-ups, they are probably caused by a virus that is already on your computer. If these pop-ups are new and you recently installed some software, you might have missed something in the installer that was packaged with the software. Make sure to uninstall any non-native programs that you do not recognize. If you’ve been having pop-ups for a while and can’t pinpoint where they’re coming from, scan your computer with Windows Defender Antivirus which is built into Windows 10 (if you’re not running Windows 10, make sure to update soon to keep your computer secure).

Never Be Too Sure

It’s important to never immediately trust any email, phone call, or computer message that you receive. Make sure to confirm that you’re talking to the people you think you are to avoid falling victim to a scam that has claimed the dollars of so many. Keep your computer and your money safe and sound. Appletree clients frequently forward us emails and text messages that they’ve received. Many of these scams appear to be legit until we look closer at them. Check out our blog for how to spot a scam email.

When in doubt, feel free to contact Appletree, we’re happy to provide peace of mind.

Windows 7 End of Life Approaches

The Windows 7 end of life date is quickly approaching. If you’re still behind, you should mark your calendar. Microsoft is ending extended support for this popular OS on January 14, 2020. After this date, they will stop patching security holes. Users who do not upgrade will be exposed to an ever increasing number of online threats. If you are still using Windows 7, what should you do to prepare? Read our simple guide below to find out!

Keep applying patches – especially now!

Although we always recommend updating your software, it is especially important to apply updates frequently through July of 2019. This is because Microsoft will be changing the way it supplies patches to its users. If updates were not applied leading up to July, Microsoft will stop supplying security updates altogether. This would potentially open your system up to attack a full 6 months before the official sunset date.

Upgrade to Windows 10

Since Windows 7 will no longer be viable after January 14, it is important to upgrade your operating system before that crucial date. Although there are many operating systems to choose from (we recommend Linux if you have the know-how), for most the obvious choice will be Windows 10. This offers the easiest transition since in most cases you do not need to convert any files. Also, your favorite programs will continue working without any interruption. Follow these steps to upgrade from Windows 7 to 10.

  1. Make sure your device can support Windows 10. The latest version of Windows requires a 1GHz or faster processor, 1GB of RAM, and 32GB of hard drive space. Read the full requirements here and make sure your system or device will work. If not, you may need to upgrade your hardware as well.
  2. Purchase Windows 10. The free update period expired back in 2016. Although some people have reported that they are still able to upgrade for free, the rest will need to purchase a new Windows 10 product key from microsoft.com.
  3. Create a full backup. Although this upgrade process is usually seamless, it can sometimes fail and you may lose data. To avoid any problems, it is best to make a full backup of your system so that you can roll back if necessary. Windows 7 comes with a System Image Backup tool to make this process easier.
  4. Uninstall unnecessary software. Windows 10 will do its best to migrate all of your programs. However, some outdated or uncommon programs may cause problems. To minimize this possibility, we recommend using the Programs & Features tool to remove any software that you no longer need.
  5. Download and install Windows 10. Finally, download the Windows 10 Disc Image (ISO File) tool. Once downloaded, run the executable and follow the on-screen instructions. When prompted, select “Upgrade this PC now” and later on, be sure to select the “Keep personal files and apps” option. During this process, you will be prompted to enter your Windows 10 product key. Use the key you purchased from microsoft.com.

An Alternative

Not happy with Windows 10? Is your device a little too old to handle the latest system requirements from Microsoft? Fortunately, Linux still runs on most anything and is available for free. There may be a bit of a learning curve, but popular distributions such as Ubuntu have made it much more user-friendly over the years.

If you decide to install Linux, be sure to make a full backup of all your essential files and documents on a thumb drive or external disc before making the jump. Remember that most Windows programs do not work natively in Linux, although there are workarounds and Linux versions available for some of them. Overall, prepare to re-learn some tasks and to spend time searching for alternative programs. This option is for moderate-to-advanced users who aren’t trying to do anything essential or time sensitive during the transition.

Can’t upgrade it? Recycle it!

If all this seems a little daunting, you may be better off just buying a new system with a more recent operating system already installed. In today’s market, low- to mid-level desktops are very affordable, especially when you subtract the cost of a Windows 10 license. If you go this route, a simple thumb drive can be used to transfer files and documents from your old system to the new.

Once all of your documents have been transferred, read our guide on recycling to learn how you can safely recycle your old system without compromising on security. Remember that old systems and devices contain batteries (whether you can see them or not), so it is important to discard them properly so they don’t leak toxic chemicals into the water supply.

 

 

Common Email Scams to Look Out For

As technology progresses, we’re finding new ways to do things better. One downside is that scammers are also finding new ways to do things better. Here is some spam to look out for.

Sextortion Email Scam

One scam that was popular last year had the scammer proclaiming that an amount of money (usually ranging from $600-$3000) in Bitcoin is enough to destroy video that they supposedly have of you. The scammer sometimes even supplies a password of yours within the email. They then threaten to release webcam video of you viewing pornography to your family, friends, and colleagues. At this point, you may be nervous.

Here is an example of this scam:

What should you do?

If you’re still using the password they put in the email, you should certainly change it. Do not respond to scammers ever, just report the email and delete it instead.

Various Phishing Scams

If you haven’t heard of phishing yet, you’re probably at a higher risk of falling for it.
Phishing is a “bait” scam method (hence the relation to “fishing”) where scammers will have an imitation site that strongly resembles the real thing. All it takes is a split second for them to get you. From adding a malicious extension to typing in billing information to a “failed transaction” from a fake Amazon, these scammers will pretend to be pretty much anything to get your money from you.

Here is an example of phishing (extremely authentic looking):

Phishing Example

What should you do?

If you get an email that contains an external link, don’t click it right away.
– Double check who the sender is. Sometimes this can be a giveaway. Don’t recognize the email? Doesn’t look real? Don’t click the link.
– Use a website like https://www.urlvoid.com/ and paste the link that was provided. It will tell you the destination of the link. If anything..phishy.. comes up, don’t follow through. The link given to you in the email should be the same website as the destination.
– If nothing else, it’s better to be on the safer side. Never provide any information to a link you’re at all suspicious about.

Lottery Scams

These are emails or texts from a fake lottery company saying that you won a lot of money or very valuable prizes out of nowhere. They will tell you that there are fees and/or taxes that have to be paid before your prize can be released to you.

Here is an example of a lottery scam:

Lotto Scam

What should you do?

Simply report and delete the email. Remember that you can’t win something you didn’t enter to win.

Hallmark eCard Scam

This scam would be an example of phishing, and it comes and goes pretty frequently. It’s a fake Hallmark email that is extremely real looking. If you click the link within the email to open the supposed eCard sent to you by a “friend”, a virus will launch and install malware onto your computer.

These emails will look just like Hallmark eCards.

What should you do?

Don’t click hyperlinks without knowing the destination. Attempt to verify the eCard on Hallmark’s website directly instead of clicking the link. Report and delete any unauthentic emails.

Hitman Scam

This scam would be terrifying for any victim unfamiliar with how internet scams work. Scammers here give you the option to live or die if you do not pay up. They claim a “friend” of yours gave them a lot of money to end your life, but they are giving you a chance to save it for a price ranging anywhere from $1000-$100,000.

Here is an example of the hitman scam:

Hitman Scam

What should you do?

If you notice an email like this in your inbox, delete it without even opening it. Read below to learn where to report scams.

Protection

There are ways to keep yourself protected from scams. The most important thing is to know. Don’t believe everything that comes through your inbox and do your research.

How do scammers get your information?

The scammers likely retrieved your email (and possibly an old or current password) from a database of leaked information that was obtained during a breach. To check and see if your email is associated with any data breaches, head to haveibeenpwned. You can type your email in and it will tell you if it’s ever been compromised, and during which exact breach. Be sure to change your password if you haven’t since the last breach you were involved in.

What to do with spam

If obvious spam ever does come through your inbox, just delete it without opening it. A lot of scam emails contain what is commonly called a “pixel”. This acts as a read receipt. It will tell the scammer that the email was opened. It can also supply them with other information, such as:

  1. Browser you’re using
  2. Operating system
  3. IP Address
  4. The exact time the email was opened

Thankfully for us, there is a program that can tell us whether or not an email is being tracked. It’s called Ugly Email. It makes an eyeball appear next to the subject of any email that is being tracked. The slight downsides of this are that it’s only for Gmail and is only out for Chrome and Firefox at the moment. If you fall under the criteria, this can be a really useful tool.
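
How a mail filter could spot the tracking “pixel” described above, as an added Python example (not part of the original post, and not a description of how Ugly Email itself works). The sample HTML and its hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample body (not from a real email); all hosts are made up.
SAMPLE_HTML = """
<img src="https://static.example.org/logo.png" width="200" height="60" alt="Logo">
<p>Your parcel is waiting.</p>
<img src="http://track.example.net/o.gif?uid=8f3a2c&amp;msg=1042" width="1" height="1" alt="">
<img src="https://mail.example.net/open?r=abc123" style="display:none">
<img src="cid:banner" width="1" height="1">
"""

# Inline styles that make an image invisible to the reader.
HIDDEN_STYLE = re.compile(
    r"(?:^|;)\s*(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|display\s*:\s*none|visibility\s*:\s*hidden",
    re.I,
)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (optionally with px)."""
    return re.fullmatch(r"\s*[01]\s*(?:px)?\s*", value or "", re.I) is not None


class PixelFinder(HTMLParser):
    """Record remote images that the reader would never actually see."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = dict(attrs)
        url = urlsplit(attr.get("src") or "")
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images ship inside the message; nothing is fetched
        why = []
        if _tiny(attr.get("width")) and _tiny(attr.get("height")):
            why.append("1x1 size")
        if HIDDEN_STYLE.search(attr.get("style") or ""):
            why.append("hidden by style")
        if why:
            # Fetching this URL is what tells the sender the mail was opened: the
            # request carries the client's IP address, User-Agent and time, and
            # the query parameters usually identify the recipient or message.
            self.hits.append({
                "host": url.hostname,
                "params": [key for key, _ in parse_qsl(url.query)],
                "why": why,
            })


def find_tracking_pixels(html):
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML):
        print(hit)
```

Mail clients that block remote images by default defeat this kind of tracking for the same reason: the image is never requested.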

Report Scams

You can help eliminate a popular scam by not only reporting it to your email provider, but to the IC3 as well. They are a branch of the FBI that deals with internet crime. Make sure to file a complaint for scams you may get – especially reappearing ones.

10 Steps: Protect Your Website From Hackers

A little bit of insurance advice for websites.

So you’ve spent a couple thousand dollars on a really nice website with all the bells and whistles, your organization has put in dozens of hours tweaking it to be just right but what have you done to protect your website from hackers? Just like with a vehicle or your other belongings, you need a plan to keep your investment safe.

Step 1 – Make daily/nightly backups.

Automatic backups may already be available from your website hosting company, or you may need a third party program to do this for you. In our experience, some web hosts can restore your files from a certain point; some for a fee, some for free. Check with them to see what’s available and what the restore process is BEFORE you have website issues. If your host doesn’t offer anything, look for a reliable third party program or have your web developers do this for you. We include a full offsite backup service for every website we manage here at Appletree.

Step 2 – Keep your plugins and files updated.

Some website content management systems will alert you when updates are available, some do not. When a website update becomes available, run it. We’ve talked over and over about how non-updated sites have wreaked havoc on organizations from information leaks to election hacks. Set aside time on your calendar to run updates, maybe check for them every morning during that first cup of coffee. Or sign up for an affordable maintenance package with a professional web firm.

Step 3 – Run security programs.

If you’re on WordPress there are several security plugins available. Most are free, but some offer premium services for a charge. We recommend Wordfence. But again, if you don’t keep your security plugins updated, it can’t keep you safe from new vulnerabilities.

Step 4 – Watch for signs of website issues.

If your website is broadcasting “Error connecting to database” or general “Error” messages there may be something going on behind the scenes. Perhaps your website is running slower than normal. It may be time to call in a website professional to take a look at website logs from the back end. Brute force login attacks sometimes go undetected until they kick in the door or a website professional spots them in a log and bolts the door shut.

Step 5 – Choose a good website host.

Shared website hosting is the cheapest hosting out there, but sometimes it’s like living in an old apartment building with a fire in one apartment. If one site gets hacked, all sites are now vulnerable. Read the reviews on your webhost, check their Twitter and Facebook accounts for real user comments. Cloud hosting has been all the talk over the last couple of years, but with the latest “cloudbleed” blunder even cloud hosting is being questioned. Dedicated website hosting is a little more expensive, but depending on the type of information you’re storing about your users, it’s likely worth the cost.

Step 6 – Keep an eye on who has access.

Limit not only the user accounts that have access to your website, but also the programs that interact with your website. Apps that allow remote access to your website are easy targets for website hacking. These API programs allow for other programs such as social media to add content to your website. Unfortunately, they seldom encrypt your stored website login and password. This open door gets ignored by most website security programs because you granted access on purpose.

Step 7 – Update your computer.

If you don’t keep your computer updated and always run antivirus software with updated virus definitions as well as a good spyware program and malware program then you’ve left the keys in the car to be stolen. If your computer has been compromised, a keystroke logger could be recording all of your passwords.

Step 8 – Don’t use the same password.

It may be easy and convenient to remember one password for everything. However, if that password gets compromised on one service, it can be used to access your other services. You’d be surprised how many website databases do not store passwords encrypted. Lax industry standards like this may leave your password open to prying eyes without you ever being aware.

Step 9 – Don’t store your passwords in browsers.

Your internet browser seems so helpful when it offers to remember a website password for you, but those passwords are stored in your browser unencrypted and are easy to access if your computer itself is compromised. Use a program that encrypts passwords and stores them safely. We recommend LastPass. It also recalls those passwords for you when you visit a website but stores them behind the scenes in a fully secured, encrypted way.

Step 10 – Scan your computer periodically.

Schedule a morning or afternoon every week to scan your computer for viruses and malware. Since this can take upwards of an hour, consider letting it run during your phone calls for that day. If your software finds something, clean it up and scan again until all scans come back clean.

Hacking

Feel Secure with Website Maintenance

Last week we celebrated Safer Internet Day. For many people it was just a hashtag holiday. For us website professionals it was a reminder of just what our jobs entail: keeping websites up to date and keeping up with security standards to avoid being part of the latest breach.

Let this sink in – 2 out of 3 people have already had their data stolen in a security breach. It doesn’t matter if they had a secure password or two-step authentication; somewhere there was a breach. From Yahoo to Home Depot to the latest breach for Arby’s patrons, 64% of Americans have had their data stolen through breaches, according to WordFence.com.

Stolen credit cards are one thing – the repercussions can be minor (or HUGE). But if a hacker steals someone’s debit card number, they could empty that person’s bank account. This could leave their entire family homeless while trying to recover.

What about the even bigger problem of cyber hacks?

Election 2016 Hack Comes From WordPress

Just days after Safer Internet Day, the US Department of Homeland Security released a report that hackers used WordPress as a command and control server during the 2016 Election Hack. Yep, WordPress – the same website program used by businesses large and small – had an open door.

How did this happen? Basically, the site’s owner never updated a WordPress plugin even after its author released a security fix last year. A single click to update the plugin would have prevented this type of attack.

Website Defacements on the Rise

It seems Safer Internet Day also became a competition for hackers, with website defacements on the rise by over 26% in just 24 hours. To put that in numbers, that’s over 1 million websites defaced with messages from the hackers bragging about having breached your website. From small sites to the National American University, no website was safe. Not sure if your WordPress website is susceptible to this vulnerability? Get ahold of Appletree MediaWorks. We can determine the status of your website and help you get things updated and safe.

You Need a Website Maintenance Package

There is a reason why good web development firms offer monthly maintenance packages to keep your website updated and running: security. The majority of our clients take advantage of our affordable maintenance packages. They trust in our union team to stay up on threats and updates. We’ve had clients that choose to save a couple of bucks each month and maintain their own sites. Some of them are diligent about running updates and stay safe. However, many of them don’t, leaving themselves open to security holes like the websites we keep hearing about in the news.

Email Security

Email is Not Secure

Email Is Not Secure Naturally.

Lately we’ve been hearing about email servers and scandals involved with email in the news. Some people have commented: “So what? Email is secure.” But it’s not; there are steps you must take to make your email secure! We have had clients ask us to email them passwords or other important information. We do not agree with being careless in the handling of very sensitive information. Instead, we pick up the phone and give them a call or use another method such as a trip to their office.

Email was not designed with any privacy or security in mind. Email was designed back when the internet was a much smaller place for simple messages.

How Can Email Get Intercepted?

Email must travel through several servers while making its way from sender to recipient. A message sometimes “hops” through more than a dozen servers on its journey. Each server it touches is mandated by law to store the message, sometimes for several years afterwards. Furthermore, the distance traveled between hops is often spent unencrypted.

The networks your emails pass through are a series of routers and switches. All of these connections are owned by different people with varying security standards. It is safest to assume that anything you write in an email can be intercepted and read by anybody, as if it had been published to the front page of a newspaper.

Email servers are where your messages are physically stored before being downloaded to your email browser. Email servers are insecure by default. If a message was originally sent unencrypted across unencrypted networks, it’s going to come onto the server unencrypted.

Even after reaching its intended destination, many computers do not have a login screen or a lock screen code – same with many phones and tablets. If you leave your tablet at the local coffee shop with no lock code, for example, you’ve just compromised all of the email stored inside.
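The server-to-server hops described above are recorded in a message's `Received` headers, and each header's `with` clause names the protocol used for that hop. The Python script below is an added example (not from the original post) that lists the hops of a constructed message in travel order and flags those that did not report TLS; the hostnames, addresses and message are made up for illustration, and the protocol keywords are the ones registered in RFC 3848.

```python
import re
from email import message_from_string

# "with" keywords that indicate the hop was carried over TLS (RFC 3848).
TLS_PROTOS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed message (example.* domains, documentation IPs); not a real e-mail.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.5])
    by inbox.example.net with ESMTPS id c3 for <client@example.net>;
    Tue, 14 Mar 2017 09:15:07 -0400
Received: from relay.example.org (relay.example.org [203.0.113.9])
    by mx.example.net with ESMTP id b2;
    Tue, 14 Mar 2017 09:15:05 -0400
Received: from laptop.example.com (laptop.example.com [192.0.2.10])
    by relay.example.org with ESMTPSA id a1;
    Tue, 14 Mar 2017 09:15:02 -0400
From: sender@example.com
To: client@example.net
Subject: constructed sample

body
"""

def trace_hops(raw):
    """Return hops in travel order as (from_host, by_host, protocol, tls_reported)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own header, so the newest hop comes first: reverse.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # undo header folding
        src = re.search(r"\bfrom (\S+)", flat)
        dst = re.search(r"\bby (\S+)", flat)
        proto = re.search(r"\bwith (\S+)", flat)
        # A missing "with" clause is treated as unconfirmed, not as encrypted.
        name = proto.group(1).rstrip(";").upper() if proto else "UNKNOWN"
        hops.append((src.group(1) if src else "?",
                     dst.group(1) if dst else "?", name, name in TLS_PROTOS))
    return hops

def cleartext_hops(raw):
    """Hops whose receiving server did not report a TLS-protected transfer."""
    return [hop for hop in trace_hops(raw) if not hop[3]]

if __name__ == "__main__":
    for hop in trace_hops(RAW_MESSAGE):
        print(hop)
```

Headers written by servers outside your control are self-reported and can be forged, so treat this as a view of what the path claims rather than proof of how the message travelled.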

What Are My Options to Keep My Email Secure?

Encrypted Email

Use end-to-end encryption. This is a process which scrambles the message using a complex mathematical formula that can only be solved using a long public key stored on the receiving end. This can prove to be logistically daunting depending on the number of people you contact regularly. This is because all of them must have a copy of your public key set up in their email program in order to read your emails. Even with this type of encryption, email headers are still left open. You won’t be able to hide who you are sending an email to. The NSA has even touted scanning email headers for information during digital pat downs.

Mix It Up

You could send an email to a client letting them know that you’re texting them a password, for example. Then send the text with no additional references about what it’s for. Sending sensitive messages in multiple parts using different channels reduces the likelihood that a man-in-the-middle will receive enough information to do damage.

Use a Service

For sending passwords, LastPass is still one of the most secure services around. You can share passwords in LastPass with other LastPass users.

Messaging apps get mixed reviews from a security standpoint. For example, Skype used to be considered a good encrypted chat service. That is, until it was confirmed that Microsoft had built in a dangerous back door for themselves. Even if you trust Microsoft, back doors very seldom go unexploited once they’re known to exist.

File Services

Services like Dropbox are also useful and fairly secure. Since Dropbox encrypts everything you upload and download over a secure HTTPS connection, your file transfer should be secure from start to finish, though mobile Dropbox is not secure. You could also create and send an encrypted ZIP file.

Staying Secure

It’s important to continue downloading and applying updates for the services you use. Even if you are using a mainstream app, it could still be insecure if you haven’t updated it lately. For a long time, iMessage was thought to be secure. Then vulnerabilities were found and Apple had to release security patches to close those holes. If you’re not sure about a security patch, visit the provider’s website and check their support area for recent updates.

LinkedIn and QuickTime Vulnerable

Feeling vulnerable today?

You will after reading this blog post recently shared during a radio interview on The Union Edge: Labor’s Talk Radio show.

LinkedIn Breach Announced

LinkedIn recently announced that they had been made aware of a data hack that happened back in 2012. Stolen information included email addresses, passwords, and member ID numbers. LinkedIn became aware that the stolen account information was being sold online. So LinkedIn emailed all of their members.

What does this mean to me?

Big deal, it was 2012. BUT some people use the same passwords for most of their online accounts AND never change their passwords from year to year… so if you were using the same password that you had on your LinkedIn account elsewhere, then you may have more to do than just updating your LinkedIn password.

What to Do

I know keeping track of different passwords is difficult and updating them at intervals is even more work. Make your life easy and get yourself a password keeper such as LastPass or KeePass.

Better delete QuickTime!

The Department of Homeland Security issued an alert after Apple announced they will no longer be providing security updates for the QuickTime video player.

“Cyber security experts at the Zero Day Initiative and Trend Micro said they had identified two vulnerabilities in QuickTime for Windows, that could allow hackers to take control of affected computers. The bugs would allow hackers to attack PCs if users visit a compromised web page or open a tainted file.” via DailyMail.com.

QuickTime for Mac OS X is still being supported and updated, so Mac users need not remove QuickTime from their computers. But Windows users should definitely remove the product from their PCs, as there are no security updates to fix the current and future security vulnerabilities of the program. The only way to protect against an attack via QuickTime is to remove QuickTime completely from your PC.

How to Uninstall QuickTime

You have a couple of ways to properly remove QuickTime from your PC.

Control Panel
1. Go to your computer’s control panel
2. Choose Programs and Features
3. Scroll to QuickTime, click on it once
4. Choose “Uninstall” from the toolbar and follow prompts.

Start Button
1. Click on your Windows Start Button
2. Choose All Programs
3. Locate the QuickTime folder and click on it once
4. Choose Uninstall and follow prompts.

Left out in the cold

Many applications on Windows computers and websites require QuickTime, so now what? It’s time to seek an alternative such as VLC Media Player or XBMC. Both are free alternatives, and there are others out there that work too.

Bring back the warm fuzzy

So after installing a password storage program and a new alternative to QuickTime today, go for the extra credit: run a virus and malware scan on your computer and make a backup. You’ll thank us later or maybe send us a gift card for a coffee.

Visit our blog at AppletreeMediaWorks.com for more information.