Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
I’ve had so many calls/emails from customers recently regarding malicious text messages that I’ve decided to focus this month’s newsletter on this issue. The scam normally works like this:
You start a new job with a new employer. Good for you!
You post the new job as part of your LinkedIn profile. Lots of people congratulate you. Virtual high fives and way-to-go messages abound.
A few days into your new job, you get a very realistic text message that appears to come from the president of the company. It shows his or her actual cell phone number, it addresses you by name, and it is signed with the name of the president of your new employer.
The text states that he/she is stuck in a meeting but the company needs some Amazon gift cards, Apple gift cards, or some other gift card for a client or for the sales team or some other group.
The text asks you to go to a retail store and get those cards. The company will reimburse you.
The text has a strong sense of urgency to it.
The text will ask you to keep this confidential so that the client/sales team/etc. doesn’t catch wind of it before they are delivered their cards.
After you get the cards, another text will come in asking you to take pictures of the cards and send those pics to the president via a text message. It will also ask you to scratch off the cover on the security code on the back of each card.
As soon as you send those pictures, you will never hear anything from the president again.
When you email or call the president to ask about getting reimbursed, he/she will have no idea what you are talking about, because those texts were all sent by a cybercriminal.
This is a very common scenario, and I have seen it hit employees at all levels, from interns to CIOs. Here is how the scam works:
There have been lots of breaches of cell phone companies where personal data is stolen, and that means that it’s easy for a cybercriminal to know your cell phone number and the cell phone number of your company’s president.
It’s just that easy. A bot notifies a cybercriminal that you have a new job, the cybercriminal looks up your cell number, who the head of your new company is, the cell number of the head of your new company, and the cybercriminal starts texting you.
There is a very simple way to avoid this type of scam: education. If the head of a company wants gift cards, they can buy them. Or, they can reach out to you in person to ask you to do it. Or, they could call you (but only if you are on a first-name basis with them). Never believe a text (or email) asking you to spend your own money on behalf of a company on a moment’s notice. Even if you have a company credit card, the same rules apply. I’ve never heard of a gift-card emergency before, so don’t believe anyone pretending to have an “urgent need” for gift cards.
Until next month, stay safe!
Upcoming Speaking Events
Live events are back in action! Here is a list of the cities that I will be in for 2022. Please feel free to reach out if you have an event in mind.
June 14th-21st, San Francisco, CA
July 8th-13th, Nashville, TN
August 4th-10th, Kauai and Honolulu, HI
September 14th-16th, Chicago, IL
October 19th-21st, Durham, NC
November 7th-9th, Tulsa, OK
Having tangled with Karakurt before, I feel this CISA alert is very accurate. Cybersecurity is often about the basics. This is a very good example of bad people exploiting bad cybersecurity hygiene.
"Fundamentally, that is the problem. You scan the QR code and there is some inherent trust that it points to where you think it should point, or at least that it is not malicious. But Noe’s research illustrates just how easy it is to exploit that trust."
"The term 'white hat' is as old as the internet, and it originally comes from Western movies, where the good guys wore white hats, and the bad guys black hats ... In the world of crypto, though, colors tend to bleed."
Social Media Awareness During the Summer/Travel Season
As you travel for the upcoming holiday weekend, embark on summer adventures, and spend more time away from home while the weather is warmer, there are some things you can put into practice while using social media to make sure the things you share with others don’t put you, your home, or your belongings at risk:
1) Limit posting. Avoid posting your travel plans and, if possible, hold off on posting photos and updates until after you return to your home. This goes for events that are in-town as well. It only takes a few minutes to burglarize a home.
2) Avoid geotagging your location. Social media platforms often offer this option when users post status updates or photos. It’s best to decline. You can also turn off the geolocation feature on your smartphone and tablet.
3) Check your privacy settings. You can limit a post’s exposure by setting limits on who can view your profile and updates. For example, in Facebook you can select for your posts to be visible to “Friends”, “Public”, “Me Only”, or “Custom”. You can also choose to have to approve things that friends and family might post to your timeline.
4) Don’t post your address online. While most of us would not blatantly post our home address online, you should avoid posting photos of the exterior of your house or of your neighborhood that could include things like house numbers, street signs, or unique decorations that could give away the location of your home.
5) Unplug! Enjoy your time with friends and family this summer and limit your exposure to cybercriminals skimming social media by taking a break from it when you can.