New Mortgage Scam

The American Dream, to own our slice of realty, is something most of us work toward. It can be exciting to have a place of your own to plant roots and start up a new life. After all the searching and the negotiating, you’re finally ready to sign the contract… and then find out your settlement fees have been stolen.

Hackers have been using an email and money-wiring scam to steal closing deposits from buyers. They gain access to real estate professionals’ email accounts in the hope of learning as much about the transaction as possible. Once they have the closing dates, the scammer emails the buyer posing as their trusted realtor or title company, claiming a last-minute change has been made to the wiring instructions and requesting that the funds be sent to a new account. By replacing the legitimate account with their own, hackers fool the unsuspecting victim into depositing all the closing costs into the scammer’s account.

Should you be in the midst of a purchase and receive an email with money-wiring instructions, do not respond to it. Realtors and/or title companies should never request such sensitive information via email.

Contact your agent by phone to verify the instructions with them, or verify them in person.

  • Email is never a secure way of sending private information.
  • If you’re giving your financial information online, make sure the site is secure (https://).
  • Don’t open attachments from unknown senders. Verify with known senders prior to downloading anything.
  • Keep all your anti-virus, firewalls and browsers up to date.
  • Report all phishing emails to the FTC.

To learn more about protecting yourself from cyber threats, visit our site MySecurityAwareness.

Posted in Security Awareness

Be on the Alert for Tax Refund Fraud & Scare Tactics

Tax season is here — and for some people, so is an experience with tax identity theft or IRS impostors. The Federal Trade Commission (FTC) said it received 109,063 complaints last year about tax-identity theft. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. You usually find out something’s wrong after you file your tax return (one reason to file early).

Also, IRS imposters work year-round placing aggressive, threatening phone calls claiming you owe taxes. They might know all or part of your Social Security number, and can modify caller ID information to make it look like it really is the IRS calling.

Phone scams and email phishing schemes are among the “Dirty Dozen” tax scams the IRS highlighted on their website this year in a warning to taxpayers. You can protect yourself when you get a telephone call that sounds real or an email that looks authentic. Here’s how:
• Don’t give personal information over the phone, through the mail or on the Internet unless you have initiated the contact or you are sure you know who you are dealing with.
• Don’t click on any links in emails that you’re not expecting.
• Don’t give a business your SSN or ITIN just because they ask. Give it only when required.
• Don’t carry your Social Security card or any documents with your SSN or Individual Taxpayer Identification Number (ITIN) on it.
• Protect your financial information.
• Check your credit report every 12 months.
• Secure personal information in your home.
• Protect your personal computers by using firewalls and anti-spam/anti-virus software, applying security patches, and changing the passwords for your Internet accounts.
If your tax records are not currently affected by identity theft, but you believe you may be at risk due to a lost or stolen purse or wallet, questionable credit card activity or credit report, contact the IRS Identity Protection Specialized Unit at 800-908-4490, extension 245. Additional information about tax scams is available on IRS social media sites, including YouTube and Tumblr, where people can search “scam” to find all the scam-related posts.


Social Engineering: Pretexting

Social engineering is a hacker’s clever manipulation of the natural human tendency to trust, with the goal of obtaining information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. Pretexting is the act of using an invented scenario to persuade a targeted victim to release information or perform some action, usually over the telephone. The ultimate goal is to get enough information from enough people to either sell this information or use it to commit fraud.

Social engineering is generally successful because people are naturally helpful. Most people – especially in departments like Customer Service, Help Desk or in positions of service like business assistants and secretaries – are already trying to help. These jobs require helping people all day long and it is not natural to question the validity of every call.

Pretexting is more than just creating a lie. In some cases, it can be creating a whole new identity used to impersonate people in certain jobs and roles in order to create a scenario where a target is comfortable with releasing information they normally would not.

Pretexting works best when the pretexter gives a convincing performance, complete with the proper technical jargon or other insider information. A social engineer will have to develop many different pretexts over their career, and all of them will have one thing in common: research. If the social engineer’s alias, story, or identity has holes or lacks credibility, or even the perception of credibility, the target will most likely catch on. The right pretext provides the proper cues and can disarm a target’s suspicions or doubts and open up the doors, so to speak.

Most of the information sought by social engineers seems innocuous, but seemingly innocuous information can be (and is) used against you: who handles your dumpster removal, your cafeteria food, paper shredding, and antivirus, as well as what PDF software and browsers you use, and more. Details like these can give a good social engineer all the information he/she needs to compromise your company. No matter how innocuous it may seem, never give out information on the phone, via email, snail mail or the Internet unless you’ve initiated the contact or unless you’re sure it’s safe and you can positively identify the person you’re talking to.

Social engineers use pretexting to get info from call centers at banks, phone companies, and other financial institutions to gain access to personal sensitive info.

No matter how much technology changes or how much money your company dumps into security measures, devices, and even protocols, it will still be most vulnerable to old-fashioned persuasion. The best defense against these types of attacks is to be aware of your surroundings. Visit MySecurityAwareness for more tips.


Social Engineering: Impersonation

No matter how secure a system is, there’s always a way to break in. While software companies are learning how to strengthen their programs, hackers and malicious social engineers are turning to the weakest part of the infrastructure – the people.

Impersonation is when a person plays the role of someone you are likely to trust or obey convincingly enough to fool you into allowing access to your office, to information, or to your information systems. This type of social engineering plays on our natural tendencies to believe that people are who they say they are, and to follow instructions when asked by an authority figure. It involves the conscious manipulation of a victim to obtain information without the individual realizing that a security breach is occurring.

Most common impersonation roles fall under the category of someone with authority, which leads us to ingratiation. Most people want to help, so they will go to great lengths to provide the required information (or access) to anyone with authority.

These tricks work because we all regularly interact with people we don’t know. Still, it’s human nature to trust credentials like badges and IDs, even though most of us do not actually know how to verify them.

Before releasing any information to anyone, you should consider:

  • the sensitivity of the information being requested
  • your authority to exchange or release the information
  • the real identity of the third party (positive identification)
  • the purpose of the exchange of information.

Always verify the identity of anyone who would not normally be allowed inside your organization; impersonators may pose as someone who regularly visits your institution.

One of the best technological tools at the disposal of a social engineer, especially one posing as a technical support person, is a USB thumb drive. Thumb drives can also be planted in different locations around the workplace in the hope that employees will find them, use them, and unwittingly install a Trojan on the system, which can be used to harvest passwords and login information or to give the attacker unfettered access to the network from a remote location.

By following some common-sense rules and using your best judgment, you can defend against these attacks and better protect yourself, your company, and your customers’ information.

  • When in doubt about the validity of an individual or a request, contact your manager or the manager of the requester, for authority to comply with the request.
  • Ensure the physical security of your premises and don’t enable tailgating.
  • If you are unsure about a person’s authorization or access permission, report the situation to the appropriate staff.
  • Make sure you know who is in range of hearing your conversation or seeing your work.
  • Use a computer privacy screen to deter shoulder surfing, especially in public places, and adopt a healthy dose of skepticism for anything out of the ordinary, especially strangers who endear themselves to you.
  • Finally, make sure to adhere to the policies and procedures within your organization that stipulate how you should manage situations that may be social engineering attacks.

It is up to the watchful eye of every company employee to prevent social engineering attacks. You are the first line of defense against crime. Learn more at


How to Protect Yourself from Identity Theft Tax Refund Fraud

Identity Theft Tax Refund Fraud
Tax season is officially upon us. It’s time to gather your W-2s, crunch numbers and mail your annual income taxes to Uncle Sam. It’s also time to learn about the number one fraud of the season: identity theft tax refund fraud. Understanding how cyber criminals pull it off and what the consequences are for victims can help you protect yourself.

Identity theft tax refund fraud occurs when someone uses another person’s Social Security number to file a tax return in the hope of obtaining a fraudulent refund. The odds of getting away with it are good if the victim hasn’t yet filed their taxes, which is one good reason to file your taxes early.

How cyber criminals pull off the fraud
Virtually every organization acquires, uses, and stores personally identifiable information (PII). Businesses are expected to manage this private data appropriately and take every precaution to protect it from loss, unauthorized access or theft. However, there is no such thing as absolute privacy. Malicious data breaches occur every day and expose personal information to unscrupulous individuals who use it for their own financial gain or sell it to others who will equally abuse it.

Personal information isn’t all that difficult to obtain. Did you know that 87% of the U.S. population can be uniquely identified using only gender, date of birth and ZIP code? There are many ways to obtain personal information and many people are all too willing to provide it through email, phone conversations, or in their social media profiles.

Once a cyber-criminal obtains enough personal information about you, they can easily use it to submit a fraudulent tax return.

How to reduce your risk
Regardless of how your personal information is exposed, you can avoid becoming a victim of identity theft tax refund fraud. The IRS provides several tips to keep important information private.

Keep your Computer Secure
• Use strong passwords and keep them safe.
• Use updated security software such as a firewall and anti-virus.
• Keep personal information private and out of sight.
• Back up your files.
• Use only reputable companies you’ve investigated.

Avoid Phishing and Malware
• Don’t assume ads or emails are from reputable companies.
• Be wary of emails claiming to be from known companies or agencies.
• Don’t click on links; type the address yourself or go directly to the official website.
• Don’t download attachments from unknown senders.
• Use a pop-up blocker.
• Don’t post personal info on social media sites.

Protect personal information
• Every time you are asked for your personal information think about whether you can really trust the request.
• Give personal information over encrypted websites only. Look for “https” at the beginning of the web address (the “s” is for secure).
• Shred any document that contains vital information (credit card number, address, SSN, etc.).
• Review your bank accounts, credit card statements and Social Security Administration documents often.

Being a victim of tax fraud can be overwhelming. However, the government offers many ways of getting help. Learn what to do if you become a victim of identity theft tax refund fraud.

To protect yourself, be prepared. Sort out your accounts, take preventive cyber security measures and file your taxes early. Not only will it prevent tax identity theft but it will give you peace of mind.

*Note: The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.

Have you ever, or do you know of anyone who has fallen victim to any of these scams? What other types of scams do you know of? Share your tips and tricks.


2015’s Consumer Risk Index

A survey conducted by Hart Research Associates for Travelers, from June 24 to July 26, 2015, among 1,029 U.S. participants ages 18-69, produced 2015’s Consumer Risk Index. This annual survey, now in its third year, reports consumers’ awareness of financial, privacy, cyber and physical risks.

The top three consumer risks in 2015 were:

  • Financial Concerns & Risks: 66% of respondents rated this area a priority.
  • Personal Privacy or Identity Theft: 60%, or six out of ten people, worry about having their identity stolen or their privacy exploited.
  • Cyber Risk: 57% of participants, an increase of 21% from the previous year, were concerned with cyber threats, predominantly the hacking of bank accounts and/or financial assets (62%).

Respondents also showed major concern over:

  • Computer and mobile viruses: 60%
  • Identity theft, both offline and online: 59%
  • Loss of personal information from a retailer hack: 58%
  • Medical records data breach: 43%

In light of this cyber awareness, the survey states that users are creating strong passwords, limiting the personal information they share on social sites, updating their browsers regularly and keeping their firewall and anti-virus software up to date. These improvements in security habits are sure to pay off. Learn more at MySecurityAwareness.


Shop Safely Online!

The holiday season is officially upon us, and with its magnificent splendor, the joyous music and glistening lights comes the shopping rush. In the midst of all the celebration we must keep in mind that the holidays are also prime season for cyber thieves. As we saw with Target’s huge data breach last Christmas, in which 40 million debit and credit card numbers were stolen, we are all at risk.

So, here are some tips for a safe online shopping spree:

  • Use credit or prepaid cards to protect your bank account information. In the case of a data breach, your checking and savings accounts won’t be affected.
  • Have a firewall and antivirus software, at a minimum, on your computer.
  • Don’t use public Wi-Fi to shop online.
  • Only shop on secure, SSL-certified sites (“https://” in the address bar with a padlock icon).
  • Always create strong passwords to all your online accounts, and change them at least every 3 months.
  • Be wary of deals that are too good to be true. Avoid opening links or popups that encourage you to get their “special promotion.”
  • Always read the fine print, especially when making big purchases. Take the time to read the retailer’s privacy policy and warranty information.

So, this Black Friday and Cyber Monday be ready to get amazing deals, while keeping your personal information secure. For more tips, please visit MySecurityAwareness.

PS: Did you know?



How to effectively manage Technology Service Providers (TSPs), reduce cyber risk, and ensure compliance

Data breaches continue to make headlines – it’s important to make sure that third-party vendors are not putting your business at risk. 

By Brian Smith


Vendor risk is real. Two out of three companies rely on third parties. The value that third-party technology service providers (TSPs) bring can quickly be eroded by the associated cyber risks. You need to know what’s happening and what to do before the problem strikes. The Federal Financial Institutions Examination Council (FFIEC) expects financial institutions to be more diligent in managing their TSPs under the new guidance released in February 2015. So how can your financial institution effectively manage its third-party service providers, reduce cyber risk, and ensure compliance with a variety of regulations?

An effective vendor management program provides appropriate oversight and risk management of significant third-party relationships. The FFIEC defines third-party service providers broadly to include “all entities that have entered into a business relationship with the financial institution, whether or not they are a bank, regulated or nonregulated.” All vendors that have access to customer information and vendors who are deemed to be mission critical should be thoroughly evaluated, typically on an annual basis.

An effective vendor management program includes a risk assessment, due diligence in selecting a third party, contract provisions, and third-party reviews, oversight and ongoing monitoring.


Risk assessment

A solid vendor management program begins with a cyber risk assessment. The risk assessment will reveal how critical each vendor is to a financial institution’s operations, which vendors have access to customer data, and whether or not the activities vendors perform present additional risk to the institution.

A cyber risk assessment should enable management to ensure that capital is sufficient to support the institution’s underlying risk exposures and that the third party is operating in a manner consistent with federal and state laws, rules, and regulations, including those intended to protect consumers as well as the institution.


Due diligence in selecting a third party

When performing your community bank’s risk assessment, take into account the due diligence performed before selecting a vendor. Make sure your bank understands what the relationship will accomplish for the institution, and why the use of a third party is in your best interest. Periodic due diligence throughout the vendor relationship may take into account the vendor’s financial condition, the scope of their internal controls, cyber security and privacy protections, their use of subcontractors, their SSAE16 or Service Organization Control (SOC) reports (if they store sensitive customer information), as well as their business continuity planning efforts.


Contract provisions

Once a third party is selected and prior to entering into an agreement, your community bank should ensure that the associated written contract outlines the specific expectations and obligations. These should include a requirement that the third party comply with all applicable laws and regulations; authorization for access to such records of the third party as are necessary or appropriate to evaluate compliance with laws and regulations; the insurance coverage to be maintained; and authorization to monitor and periodically review the third party for compliance with the agreement.

Other considerations may include outlining the fees to be paid; clearly defining industry and performance standards; stating the reports to be received from the third party; delineating how nonpublic information is to be handled; and ensuring the third party’s disaster recovery and contingency plans are adequate and complete.


Third-party reviews and oversight

An oversight program will generally include monitoring the third party’s quality of service, cyber risk management practices, financial condition, and applicable controls and reports. Institutions should periodically review the third party’s operations to verify that they are consistent with the terms of written agreements and that cyber risks are being controlled.


The review and oversight the institution puts in place should address all the requirements set forth by the FFIEC. As stated by the FFIEC, operational risk is the primary risk associated with technology service providers, because operational risk may arise from inadequate or failed processes or people-related issues. These operational risks may also affect other risks, such as credit, interest rate, liquidity, price, compliance, strategic or reputation risk.


Not only should the institution have a well-defined risk management approach; it should also perform due diligence on the service providers’ risk management approach to ensure they don’t have inadequacies that require corrective action. Identified weaknesses should be documented and promptly addressed. The level of supervision required is, of course, dependent on your community bank’s risk assessment for the service being provided.


Consequences of non-compliance

FDIC examiners review a financial institution’s management of these relationships to ensure that its third parties comply with consumer protection laws and regulations. Examiners pay special attention to an institution’s ability to assess, measure and control the risks associated with service providers.

It’s worth emphasizing that an institution’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, as well as for identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution.

Examiners may pursue corrective actions for deficiencies found that pose a safety or compliance violation during the examination. Deficiencies can result in corrective actions or fines against the institution and potentially the directors.

Billions of dollars are spent on cybersecurity, yet breaches still happen. Simply increasing spend is not always the best option – InfoSight is helping customers build programs that respond to their material business risks while balancing resource expenditures. We can help you understand your risk profile with an IT risk and vulnerability assessment, and then help you manage risks in line with the complexity and risk profile of your institution. This assessment is part of a full range of information security services we offer to help you develop and maintain a comprehensive cyber security program.

Contact us for a free copy of our Vendor Management Toolkit, or visit our website to learn more about our solutions and service offerings.


Brian Smith ( is Chief Information Security Officer at InfoSight Inc., a company in Miami, Fla., that provides managed security, IT compliance and vulnerability management services.


Posted in Compliance & Business Continuity

New Ransomware Takes Websites Captive

Ransomware is a growing problem that is now affecting websites around the world. This newly discovered ransomware variant, called Linux.encoder, attempts to infect Linux-based machines, specifically the folders associated with serving web pages. The malware requires administrator privileges to run, and once it lands on a server it encrypts any files, images, pages, scripts and source code it finds. It leaves behind a text file detailing how victims can pay the single-Bitcoin ransom in exchange for a key to decrypt the files.

After paying the ransom, you would expect your website to be restored and free of malware, but will it be? To be safe, assume that if you get hit by this ransomware you are not going to get your website back.

What can you do about it?

  1. Back up your website files.

It has always been, and always will be, best practice to protect against data loss with regular backups. If you don’t host your own website in house, ask your hosting provider to back up your website files immediately. Back up the files to an external drive or backup service, one that is not mapped to a drive letter or that is disconnected when a backup is not running. Be sure to develop and implement a regular backup regimen. That way, no matter what happens, you will always be able to restore your website quickly.

  2. Create a complex password.

The responsibility of webmaster can change hands through turnover and mergers, so be sure you have a record of your current password and that the password used is complex. Hosting providers are reluctant to disclose passwords, and it could take months to recover access.

  3. Update your website’s contact information.

Keep your domain names’ registrant, administrator, technical, and billing contact information (also known as your Whois information) updated at all times. Also, ensure that your domain registration is locked, which prevents anyone from transferring your account or modifying it in any way (DNS modification, renewals, etc.) without your knowledge.

These three tips are meant to deal with website ransomware. Contact us if you are concerned about how to protect against other forms of ransomware.


How safe is Online Banking?

A Kaspersky Lab and B2B International IT Security Risks Survey conducted this year, in which over 5,000 companies from 26 different countries participated, states that our online banking transactions are not as secure as we thought. Over 30% of the participants admitted they don’t offer a secure channel in which customers can make online payments. What’s more, 29% of them agree that it’s cheaper to deal with fraud once it happens than to prevent it altogether.

This study shows that banks and financial institutions are having a hard time discerning between real and fraudulent transactions, and that their response is “we’ll deal with it as it happens”. It is left in the hands of consumers to safeguard their accounts, mindful that electronic transactions are still a fairly new playing field for banks and an open playground for cyber criminals. The best solution is to educate yourself on cyber security, and you can start here.

Read the whole article, written by Bank News, on “Banks Failing to Provide Secure Connection for All Online Payments”.

