Deidre Frith

How to Protect your SaaS Based Applications

Top recommendations by RealTime CISO to better prevent future attacks on Microsoft Office 365 by hackers, aka bad guys.

NEW ADVICE FROM REALTIME CYBERSECURITY

One of our vendors has released a security trends report using the monitoring data of SaaS (Software as a Service) application usage across ~7500 Small Businesses (SMBs) who use their cloud security service. About 70% of the businesses monitored use Microsoft 365. These insights are the summation of the data collected from monitoring almost 1 million accounts across ~7500 small businesses whose SaaS environments were monitored from Jan 1, 2022 – Dec 31, 2022:

  • 7500 Small Businesses’ SaaS environments monitored

  • 980,000 end user accounts

  • 1 Billion events logged

  • 701,000,000 of these events came from Microsoft Office 365

Where ARE the attacks originating?

Most of the attempts come from outside of the United States. More than 53% of attempted unauthorized logons originated from just these five countries: China, Vietnam, India, Brazil, and South Korea. Interestingly, Russia isn’t in this top five this year, most likely due to cyber-attacks from Russia focusing on Ukraine in 2022. Have you ever heard of a Brute Force Attack? This is a common tactic where bad actors will target known cloud-based accounts and try multiple credentials (usually derived from data thefts) in hopes that one works. 

Just this week, this service alerted me that my own account was being subjected to a brute force attack! The system alerted me to the event, it blocked the attackers from further attempts, and the alerts showed me they were unsuccessful. Whew! 

What this event also showed me is that there was something we could do better to prevent this specific attack vector in the future, which will help us all be more protected in the future.

Top recommendations on how to protect your SaaS based applications

…and really almost all of this applies to any technology environment.

  1. Enable and enforce Multi Factor Authentication.

  2. Monitor all of your SaaS applications for unusual or unauthorized activity.

  3. Enforce proper configuration of your SaaS applications and monitor for changes.

  4. Monitor unauthorized file sharing activity.

  5. Delete unnecessary guest accounts on a regular basis.
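As an added illustration of recommendation 2 applied to the brute force pattern described above (this is not code from RealTime or its vendor), the sketch below flags accounts that receive a burst of failed sign-ins and reports whether a successful sign-in followed from one of the same sources. The event field names, the threshold of 5 failures in 10 minutes, and the sample records are all constructed assumptions, not the Microsoft 365 log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(time, user, ip, country, result, mfa=False):
    # Hypothetical event shape; real SaaS sign-in logs use their own field names.
    return {"time": time, "user": user, "ip": ip, "country": country,
            "result": result, "mfa": mfa}


# Constructed sample data (documentation IP ranges, placeholder country codes).
SAMPLE_EVENTS = (
    # alice: six failures in under a minute, no success afterwards
    [_ev(f"2022-06-01T03:00:{s:02d}", "alice@example.com", "203.0.113.7", "XX", "failure")
     for s in range(0, 60, 10)]
    # bob: five failures, then a success from the same source without MFA
    + [_ev(f"2022-06-01T04:0{m}:00", "bob@example.com", "198.51.100.23", "YY", "failure")
       for m in range(5)]
    + [_ev("2022-06-01T04:06:00", "bob@example.com", "198.51.100.23", "YY", "success"),
       # carol: one mistyped password followed by a normal MFA sign-in
       _ev("2022-06-01T08:00:00", "carol@example.com", "192.0.2.10", "US", "failure"),
       _ev("2022-06-01T08:01:00", "carol@example.com", "192.0.2.10", "US", "success", mfa=True)]
)


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per account with >= threshold failed sign-ins inside
    a sliding window, noting whether a success followed from a source that
    also produced failures in the burst."""
    failures = defaultdict(deque)  # user -> (time, ip, country) of recent failures
    alerts = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        t, user = datetime.fromisoformat(e["time"]), e["user"]
        if e["result"] == "failure":
            q = failures[user]
            q.append((t, e["ip"], e["country"]))
            while t - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(user, {
                    "user": user, "first_failure": q[0][0].isoformat(),
                    "peak_failures": 0, "sources": set(), "countries": set(),
                    "success_after_burst": False, "success_used_mfa": None})
                a["peak_failures"] = max(a["peak_failures"], len(q))
                a["sources"].update(ip for _, ip, _ in q)
                a["countries"].update(c for _, _, c in q)
        elif user in alerts and e["ip"] in alerts[user]["sources"]:
            # A success from a source that was just guessing passwords is the
            # case that needs immediate response; a success from a different
            # source is more likely the real user and is not flagged here.
            alerts[user]["success_after_burst"] = True
            alerts[user]["success_used_mfa"] = e["mfa"]
    out = []
    for user in sorted(alerts):
        a = alerts[user]
        a["sources"], a["countries"] = sorted(a["sources"]), sorted(a["countries"])
        out.append(a)
    return out


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        state = "POSSIBLE COMPROMISE" if alert["success_after_burst"] else "unsuccessful so far"
        print(alert["user"], alert["peak_failures"], "failures from", alert["sources"], "->", state)
```

An alert with `success_after_burst` set and `success_used_mfa` false is the case recommendation 1 is meant to prevent: a guessed password that was enough on its own.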


-by Todd Swartzman, RealTime CISO

Blog, I.T. Todd Swartzman

Protect the Elderly: 370,000 targeted in fraud attacks annually

FRAUD PERPETRATED AGAINST THE ELDERLY

Pictured: Todd Swartzman, RealTime Chief Information Security Officer

RealTime Chief Information Security Officer, Todd Swartzman, is taking a hot-button issue of fraud abuse against the elderly. In this article, Todd brings to life the scary truth about what is happening to our parents in their vulnerable stage of life. Todd shares personal examples as well as suggestions for prevention and many resources to help protect your parents and grandparents. Take time to read and share this post to save the most vulnerable population.

ATTENTION CHILDREN AND GRANDCHILDREN:

This post is to help make you aware and help protect our elderly parents, friends, and relatives. The Internet Crime Complaint Center discusses many types of fraud that we should all be aware of so that we don’t fall for them. Unfortunately, those most at risk of falling victim to these types of fraud are also those least prepared to recognize them – the elderly.

THE PROBLEM EXPLAINED WITH PERSONAL EXAMPLES

Here are several personal examples to illustrate some real-life fraud attacks:

  •  MY MOTHER GOT HER FIRST COMPUTER IN 2006 AT AGE 70…

    and quickly learned to email friends and family. That was about the extent of her technical prowess save printing emails for my dad to read. I’m sure many of you are nodding your heads along with me. As you might imagine, any “problem” with the computer resulted in calls to her sons asking for help.

    Fast forward a few years and a tech support scam was perpetrated against mom – this one fortunately just got her credit card number and it was quickly resolved. When asked why she didn’t call us about this message that popped up on her screen about a virus and to call this number to fix it, aka Tech Support Scam, she said that she didn’t want to bother us. I explained what the scam was and why she should never, ever give anyone access to her computer except for myself or my brother. It happened again about six months later, this time via a phone call purporting to be from her internet provider who noticed a virus and they had to fix it or they’d disconnect her from the internet. Another credit card compromise that ended up costing her about $500 that we managed to get back eventually.

  •  A WIDOW AT MY CHURCH FELL FOR A SIMILAR SCAM VIA EMAIL…

    A $900.00 lesson was learned. To add insult to injury, the criminals emailed her an annual renewal for technical support services some months later that fortunately, she asked me about since she recognized this might be another scam.

 Read this one on the ic3.gov website; something just like this happened in our area just last week. It probably happened more than 1000 times just today.

 HOW WIDESPREAD ARE THESE SCAMS?

During research for this article, I was surprised the AARP reported that almost 370,000 incidents targeting just the elderly are reported to authorities annually in just the U.S. Like many cybercrime statistics, the problem is much worse than this as we only know what was reported to authorities. The two examples I mentioned above were not, and it’s safe to say most of these scams against the elderly don’t get reported. Outside the scope of this article is the fact that most fraud perpetrated against the elderly is done by people known to them.

The Alabama Bankers Association has an excellent article on elder abuse that talks about this and more.

WHAT CAN WE DO ABOUT IT AS CHILDREN OF ELDERLY PARENTS?

One shortcoming I see with the information available regarding the various scams and how to recognize them is a lack of specific guidance on how to prevent or at least limit the damage a successful scam can cause. By that I mean if the criminals trick mom, dad, or grandma into disclosing their banking information, how can we limit the amount of money the criminals can transfer out? Or maybe require a phone call before completing a transfer? Or how can you or another trusted individual be alerted that this sort of thing is happening?

I’m looking for speed bumps to slow the theft down so we can stop or minimize the damage. In the business realm, I’ve had customers who would have been victims were it not for electronic funds transfer rules that required added verification above a certain dollar amount.

Disclaimer: It is the individual account holder's responsibility to safeguard their assets and credentials. This guide is provided as general information that we hope will spur action on the part of the reader to learn more about this subject and help vulnerable family members and friends take appropriate action to protect themselves.

 WHAT STEPS CAN BE TAKEN TO LIMIT POTENTIAL DAMAGE?

To attempt to answer this question, I called a major bank and asked them why my business bank account limits wire transfers to $25,000 before additional verification takes place, while others can get scammed out of tens or hundreds of thousands of dollars in their personal accounts.

Their answer was “it depends”: The account holder must take action to ensure that their account limits and alerts are set up appropriately.

I’m guessing most people don’t even know there are limits and what those limits are.

Each bank is going to use slightly different terms, and the settings might be found in various places (mobile app, online portal, talk to someone, or something else entirely depending on the bank), so I’ll just give you the basics. My best advice is for you to work with your bank to make sure you have things set up correctly and that you understand what the various settings do and how they protect you.

  • Set account transfer and electronic fund transfer limits that make sense for your situation. Note that limits apply to online banking transactions. In-person transfers are a different subject and may not have limits other than how much money you have.

  • Disable cash apps like Zelle (or whatever your bank offers) if you don’t use them.

  • Consider having alerts on certain transactions go to a trusted family member – You can do this without giving that person access to your bank account. Your bank may or may not have this capability.

  • Consider having account statements go to trusted family members – again, they don’t have to have account access to receive the statements. This would be useful in noting potential problems you can discuss together.

 These same items should be applied to your investment accounts and any other financial assets you might be concerned with. Please consult with your banker and/or financial advisor to help set your accounts to be protected from unauthorized activity.

 PREVENTION

Education on the potential threats, how to recognize them, and what actions to take is the key to preventing falling victim to these scams.

BLOCK SPAM CALLERS

Your mobile carrier probably has scam call-blocking apps available, like T-Mobile’s Scam Shield, Verizon’s Call Filter, and AT&T Call Protect; just download them from the app store for your mobile device. Each takes a minute to set up. I just installed the Verizon Call Filter and there is a free and paid version – the free one looks like it’ll work just fine for me. I’ll know more as time goes by.

 OTHER GENERAL TIPS

  • Never, ever let someone remotely connect to your computer that you do not already know from a prior relationship.

  • Back up any important information on your computer to a safe place.

  • Keep your computer and the installed applications up to date.

  • Uninstall applications you no longer use.

  • Install and maintain a reputable anti-virus/anti-malware program. Microsoft Defender, free with Windows, is very good, almost certainly better than almost any other free AV you might install.

COMMON FACTORS OF SOCIAL ENGINEERING

 All of these various scams are social engineering.

Social Engineering is the art of manipulating, influencing, or deceiving to trick someone into making security mistakes or giving away sensitive information. The criminal’s goal is to get you to grant them access to something they want, be it your bank account, email account, your password, or your computer.

In the context of Elder Fraud, the most common techniques are:

  • tech support scams

  • fake virus alerts

  • phishing emails.

 LESSONS TO LEARN AND SHARE

If you are being asked to do something out of the ordinary with your money or your accounts, STOP, HANG UP with the person you are talking to. Call a trusted family member to make sure you’re safe and not being scammed.

Trust your instincts: if you feel like you’re being pressured, rushed, manipulated to feel guilty, scared, or fear missing out on something “big”, you are almost certainly being scammed. You need to immediately take steps to protect yourself.

THE FIRST STEP IS to hang up the phone and then reach out to someone you trust and explain the situation.

 HOW TO TELL IF SOMEONE IS TRYING TO SCAM YOU

Here are some specific areas where the scammers make their intentions clear once you realize it’s a scam.

  • Emotions

    The perpetrator may use emotional manipulations to make the victim feel pressure to act, often fear, or fear of consequences for inaction. Urgency is reinforced to try and get you to act before you think, or get advice from someone else. Being forced to hurry is a hallmark of a scam. STOP. Hang up and call someone you trust and explain the situation. Your bank can also help you navigate these situations.

  • Money

    If the funds are being requested in the following fashion, STOP what you are doing and reach out to someone you trust – you are being scammed.

    • Obtain gift cards or Apple iTunes Cards, or similar, then scratch off the back and send the caller the numbers.

    • In-person Electronic Funds Transfer: especially if the amount is under the amount triggering the 2nd verification by the bank (amounts just under $100,000 for example, since $100K is a common trigger to get a second person involved from the bank).

    • Cash:

      • Asking you to withdraw cash and then send it to them via services like Western Union, Money Gram, etc.

      • Asking you to mail cash to them in such a way that postal inspection might not detect the cash.

      • Asking you to meet them somewhere like Walmart.

    • In any of the above situations, the caller asks you to keep them on the phone while you do this – No legitimate transaction will ask you to do this. Ever. This is a scam. Give them nothing and hang up and don’t answer their calls as they will call, again, and again, and again.

    • If you find yourself emotionally invested in the transaction, arguing with the bank that you must transfer this money because “it’s your money and you can do what you want,” or threatening to take your business elsewhere if they won’t do the transfer… you were probably coached on how to handle some questions by the banker doing the wire transfer. This is another hallmark of a scam. FYI, international transfers have a 45-minute waiting period during which you can rescind the transfer (if the caller tries to keep you distracted after the transfer, that is another red flag you really ought to pay attention to). After those 45 minutes expire, it gets harder or impossible to get the funds back depending on how long and where it went.

    • Crypto Currency: The FBI is noticing an increase in scammers asking their victims to pay in crypto currency since it’s almost impossible to get back after it’s stolen. If the caller wants you to pay via crypto currency, hang up. Yes, they’ll help you do this and have all sorts of good reasons why you should pay them via crypto currency… it doesn’t matter, it’s a scam.

  • Too good to be true. That winning lottery ticket, that you didn’t buy. The “accidental” check sent to you, or mistaken deposit that they want you to send back, or “they’ll lose their job!” Only you can save them! Scam.

  • If you didn’t ask for it, don’t engage (open the email, click the link, answer the phone/text) with it. These communications from people you don’t know are almost always trying to sell or steal something from you. It’s very easy to just ignore it.

  • No legitimate company will ever call you to tell you that you have a computer problem. Microsoft isn’t going to call you to say that they discovered a problem with your computer or account.

  • Your bank will never, ever, not even once, call or email you asking you to confirm your account information or password – they already know it.

  • If someone from your bank, investment firm, mobile phone company (or hundreds of other services/warranties, etc) calls you telling you that you owe money, or they want to process a refund, or you need to cancel something you don’t recall purchasing… Just hang up, it’s a scam. If you think it could be legitimate, still hang up. Then call that company directly using a number previously known to you (look on an old invoice for the customer service number) and you can address the issue with them and see if it might be legitimate. Your bank can also help you navigate these events as they’ve seen it all.

  • Social Security, the IRS, or any other government agency will not call you unless you previously initiated contact with them. They also won’t try and get you to pay them with a gift card.

  • Don’t trust caller ID or the phone number displayed for the caller. Callers routinely hide their real phone numbers, so if you don’t recognize a number, just don’t answer.

  • To become more aware of the other types of scams perpetrated against the elderly, this article talks about some common ones (https://www.ic3.gov/Media/Y2019/PSA190919). In our area, S.E. Alabama and the Florida panhandle, the FBI has seen increasing Romance scams with single elderly people being the bulk of the victims. Be sure you know what your parents are up to!

 REPORT IT!

 Should the worst happen, and the criminals do trick you or someone you know into divulging account info and subsequently completing unauthorized transfers, what do you do?

Report it. Speed is of the essence. Report the fraud online to www.ic3.gov and report it to your bank ASAP along with resetting all of your account information. IC3.gov is designed to field and respond to these sorts of incidents. You should report the theft to local law enforcement but after the other steps. Should you contact the FBI? It won’t hurt, but capabilities vary widely in the field offices so I wouldn’t call this my first stop. Some states have state-level elder abuse-type organizations.

 If you or someone you know has let the bad guys/girls remotely connect to their computer, disconnect that computer from the internet and contact competent help. Assume that the computer is compromised and that all activity can be monitored by the bad guys until proven otherwise.

These same scams can happen to anyone, so this is good information to share with the entire family.

I.T., Blog Todd Swartzman

5 Steps To Prevent Cybercrime

You may believe that cybercrime only happens to large corporations or big businesses. However, Scott Augenbaum, retired FBI special supervisory agent, found that victims have four things in common. To help keep yourself off the victim list, here are five simple steps to help prevent cybercrime in your personal life and your business.


5 STEPS TO PREVENT CYBERCRIME

  1. STOP USING THE SAME PASSWORD FOR EVERYTHING

    If you do nothing else, stop using the same password for everything, or for more than one thing. Using the same password for different accounts just hands over your password to the bad guys. Fact: Compromised credentials are used in more than 40% of data breaches. Almost all of those credentials came from other hacks where the criminals pulled down huge lists of usernames, usually email addresses, and passwords. If you use the same password for LinkedIn and your business email, and Mr. and Mrs. Criminal got a copy of the LinkedIn user database (and this has happened multiple times)… now they have access to your email. Yes, it’s that simple. Read this article from LastPass for more details on the risks: https://blog.lastpass.com/2021/09/breaking-the-cycle-of-password-reuse/

  2. ENABLE MULTI-FACTOR AUTHENTICATION (MFA) ON AS MANY ACCOUNTS AS POSSIBLE

    Enable MFA on as many accounts as possible, especially your business email account. According to Microsoft, 99.9% of BEC (Business Email Compromise) instances would have been prevented if MFA had been in use. The majority of cases we have been involved with didn’t have MFA enabled. It’s such a simple precaution and acts as a safety net for your passwords that do leak out.

  3. LEARN TO RECOGNIZE PHISHING AND SOCIAL ENGINEERING SCAMS

    Educating yourself and your business on these most common threats will really decrease the risk of falling victim to a phishing email. All data breach events were the result of one of two things: (A) Someone did something they should not have done, such as clicking that link in the phishing email, or using the same password multiple places, or (B) Someone didn’t do something they should have, such as updating software to close a vulnerability.

  4. USE A PASSWORD MANAGER

    Supporting bullet point #1, use a password manager to handle all of your good, secure, unique passwords.

  5. GET CYBER INSURANCE FOR YOUR BUSINESS

    Get an appropriate Cyber Insurance policy for your business. Every business should have coverage because you never know what can happen.

WILL THESE TIPS WORK?

I will guarantee you this: If you take this advice and diligently follow these 5 strategies, you will greatly reduce your risks of falling victim to all manner of cybercrime in your business or personal lives.

IS THIS ALL I NEED TO DO TO PROTECT MYSELF OR MY BUSINESS?

No. But without these foundational security strategies in place, spending all manner of money on fancy cyber tools, BCP/DR services, Intrusion Detection Systems and all the fancy buzzwords in the cyber security space, won’t yield the results you expect.

 LEADING CAUSE OF CYBERCRIME

Every single breach that RealTime has been consulted on was the result of failings in these subjects. The highest leading cause of cybercrime was successful phishing attempts which provide criminals access to their business data and communications. The second leading cause was poor password hygiene, usually in the form of using the same passwords everywhere.

 What are four things victims of cybercrime have in common? Read now!

I.T., Blog Todd Swartzman

4 Things Victims of Cybercrime Have in Common

Scott Augenbaum is a retired FBI Special Supervisory Agent, author, and keynote speaker specializing in cybercrime investigations. Scott shared his experiences this week of working with the victims of cybercrime over the past 20+ years, from huge multinational businesses to mom-and-pop retail shops. These are the four things that cybercrime victims have in common.

Scott Augenbaum, retired FBI Special Supervisory Agent

  •  No victim ever expected it to happen.

  • Once the bad guys break in and steal your data, the chances of Law Enforcement fixing it are about ZERO.

  • The bad guys won’t go to jail.

  • Most victims could have prevented the attack.


NO ONE EVER EXPECTS IT TO HAPPEN

Quite common and really, who expects to become a victim of crime anyway? In the online world, you are a target, usually of opportunity. We all receive phishing emails, sometimes dozens a day, so logically we’re all aware of this attack vector. Everyone should realize that a cyber event that causes data loss and service interruptions, regardless of how large or small our companies are, is probable depending on your industry. While we only hear about the big guys getting breached like Target, Colonial Pipeline, Maersk, Experian, Sony, etc., understand that for every one of these headline grabbers, there are hundreds or thousands of small businesses getting successfully breached that we never hear about. If we understand that the bad guys are always looking for victims, we should admit that it’s at least a possibility and take positive steps to reduce our risks.

LAW ENFORCEMENT CANNOT FIX IT

Law enforcement cannot fix it after it happens. It’s the nature of cybercrime – most people/businesses don’t know they have become a victim until after it’s happened. No one can turn the clock back on an attack unless you planned ahead with solid, tested backups and recovery processes, practiced how your business would respond to various cyber events, and took steps to reduce the likelihood of a successful attack. This doesn’t mean you shouldn’t notify law enforcement; there are financial crimes that need to be reported immediately in order to have a chance of recovering a fraudulent transfer, for example, but that is outside the scope of this article. Your IR (Incident Response) plans should outline your response based on the type of cyber security event experienced.

 THE BAD GUYS WILL NOT GO TO JAIL

Due to the international nature of cybercrime, it’s very rare for someone to be held accountable for a crime. Even if they do get caught, the likelihood of you being made whole because of this is next to zero.

MOST VICTIMS COULD HAVE PREVENTED THE ATTACK

With simple preventative measures, you can reduce the likelihood of becoming a victim.

ABOUT SCOTT AUGENBAUM
After joining the Federal Bureau of Investigation (FBI) in the New York Field Office in 1988 as a support employee, Scott Augenbaum became a Special Agent in 1994 and was assigned to the Syracuse, New York Office, where he worked domestic terrorism, white collar and hate crimes, and all computer crime investigations. Author of the Book: The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business From Cybercrime

Interested in Five Simple Steps to Prevent a Cyberattack? Read our tips now.

Todd Swartzman

Pig butchering

A new scam to be aware of, with a catchy name to boot: Pig butchering.

WHAT IS PIG BUTCHERING

Pig butchering is a new scam designed to steal your money, just like every other scam. This one appears to start primarily on dating apps and sites, or perhaps with a wayward text message sent to the "wrong" person. Remember your parents saying "don't talk to strangers?" Well, they were right! The FBI is noting a big uptick in victims of this particular scam this year, and people are being taken for large amounts of money.

FIVE TIPS FROM THE FBI TO AVOID CRYPTOCURRENCY-RELATED SCAMS:

  1. Never send money, trade, or invest based on the advice of someone you have only met online.

  2. Don’t talk about your current financial status to unknown and untrusted people.

  3. Don’t provide your banking information, Social Security Number, copies of your identification or passport, or any other sensitive information to anyone online or to a site you do not know is legitimate.

  4. If an online investment or trading site is promoting unbelievable profits, it is most likely that—unbelievable.

  5. Be cautious of individuals who claim to have exclusive investment opportunities and urge you to act fast.

This advice applies, in principle, to ANY online scam. Learn not to engage financially or emotionally with persons you met only online. Don't share personal details with these "online only" people. Share these tips with your family; young and old need to hear this. These online criminals exploit our "trust" thousands of times daily to steal sensitive information and money from everyday people just like you.

More details by Brian Krebs here.  
