STE WILLIAMS

How Hackers Emptied Church Coffers with a Simple Phishing Scam

Cyber thieves aren’t bound by a code of ethics. They look for weak targets and high rewards, which is exactly what Saint Ambrose Catholic offered.

The approach was simple: a combination of an email scam and a social-engineering phone call. All it took was a call to St. Ambrose Catholic Parish, claiming to be Marous Brothers Construction, the company that had been working on a church renovation project for the past two months. But the phone call wasn’t from Marous Brothers Construction. The scammers told the church that payments were late.

A statement from the Saint Ambrose Catholic Parish’s Father Bob Stec said:

On Wednesday, Marous Brothers [construction] called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.

The scammers convinced the church that the construction company they hired had changed their bank. Hindsight being 20/20, whoever received the call should have confirmed with another source. But they didn’t. Father Stec explained:

Upon a deeper investigation by the FBI, we found that our email system was hacked and the perpetrators were able to deceive us into believing Marous Brothers had changed their bank and wiring instructions. The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened.

According to the FBI, the criminals breached the church’s email account, then began a waiting game during which the hackers sat back and read all of the conversations in the inbox. Eventually, they were able to glean enough information to convince the church to wire them money. Before the church realized, it was out $1.75 million in the middle of a major renovation, and all it took was a few emails, some Photoshop skills, and a phone call to derail the good intentions of the parish.

Protect Thyself: Even the Sacred Are at Risk
In 2019, even a cyberattack on a church shouldn’t surprise anyone. According to the FBI, cybercrime losses doubled in 2018 over the previous year. It wouldn’t be shocking, based on trends, for 2019 to up the ante even further. With cybercrime prevention all over the news, more individuals and organizations are realizing that they must get proactive at protecting themselves; this story should serve as a warning to all organizations, even those not operated for profit or that are religiously affiliated. 

A good first step is to shift your security strategy from cybersecurity to cyber resilience, which is essentially a change in emphasis from reactive to proactive. The important point is not to be intimidated by the universe of potential security processes, tools, and strategies. Start with a few simple things.

  • Be brilliant at the basics. Simply put, this means doing the small things right: staying on top of routine maintenance such as patches, updates, and access permissions.
  • Embrace the cloud for security. Take advantage of the secure storage space offered by cloud providers to make data less accessible to cybercriminals.
  • Implement data-centric security by encrypting data and restricting access to sensitive information. 
  • Demand application security by design. Implement best security practices and test them often. With the continuing popularity of phishing, experts recommend training employees to recognize attacks, followed by simulated phishing attempts to evaluate how they respond.
  • Engage in proactive defense. A proactive defense includes a firewall, security software, and a strong virtual private network (VPN). The first two provide a protective perimeter that detects, blocks, and removes inbound malware and viruses. The latter creates an anonymous, encrypted internet connection that makes it harder for snoopers to find, intercept, or read data. 

Saint Ambrose lost nearly $2 million as a result of the cyberattack, and may or may not get it back. The cost to prevent it could have been as simple as:

  • A few hours of paid time for a cybersecurity consultant
  • Employee training on how to not get phished
  • A few hundred dollars’ worth of software (firewall, VPN, etc)


Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyber warfare, cyber defense, and cryptography. Previously, Sam was a defense contractor. He worked in close partnership with architects and …

Article source: https://www.darkreading.com/network-and-perimeter-security/how-hackers-emptied-church-coffers-with-a-simple-phishing-scam/a/d-id/1334971?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

6 Security Tips That’ll Keep the Summer Fun

Taking some time off this summer? Before you head out on vacation, make sure your devices and apps are also ready.

Image Source: Adobe Stock: pogonici


Summer has arrived and it’s time for a vacation — but don’t forget that hackers are lurking, just waiting for you to let your guard down.

Plenty of people do, says McAfee, which in a recent blog reported that 42% of Americans either do not check the security of their Internet connections or they willingly connect to an unsecured network while traveling.

Gary Davis, chief consumer security strategist at McAfee, adds that nearly two in five Americans have been putting companies at risk of cyberattacks because they connect their work devices to unsecure Wi-Fi networks while traveling.

As always, common sense will go a long way toward staying safe while on the road. Here are six tips that will keep you safe and worry-free when you’re ready to take some well-deserved time off.


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/threat-intelligence/6-security-tips-thatll-keep-the-summer-fun-/d/d-id/1335003?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cost per Cyberattack Jumps to $4.6M in 2019

From 2018 to 2019, the percentage of cyberattacks costing $10 million or more nearly doubled, hitting 13%.

The cost of cyberattacks spiked more than $1.5 million in the past year, going from $3 million per incident in 2018 to $4.6 million in 2019. Pricier breaches are becoming more frequent: The percentage costing $10 million or more nearly doubled from 7% in 2018 to 13% this year.

Radware researchers who compiled the report “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” found there are four main business impacts after a cyberattack: customer loss (45%), brand reputation loss (44%), and revenue loss and operational effects (32% each). Cybersecurity has also become an executive issue, with 72% of executives reporting it’s on every board meeting agenda.

Respondents are now working to meet the expectations of an increasingly cyber-savvy customer base; people want to know what companies are doing to protect their information. Three-quarters of executives say security is a key part of their marketing messages. Half of businesses sell dedicated security products and services; 41% offer security features as add-ons.

Still, companies have a long way to go. Seventy percent of senior executives polled in North America and Europe say their organization experienced a cyberattack in the 12 months prior. Three-quarters of those in EMEA admit their networks are vulnerable to cyberattacks.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/perimeter/cost-per-cyberattack-jumps-to-$46m-in-2019/d/d-id/1335008?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Millions of Venmo transactions scraped (again)

A year ago, a researcher whipped up a bot to automatically tweet out the profile photos of anybody making drug deals on Venmo.

Or, to be more specific, profile photos and first names of people whose public-by-default Venmo transactions include words such as heroin, marijuana, cocaine, meth or speed; emojis that denote drugs; or non-drug-related words such as sex, porn or hookers. Joel Guerra, the creator of the “Who’s buying drugs on Venmo?” bot, got the idea after seeing Venmo’s API publicly posted to Twitter.

He built on the work of researcher Hang Do Thi Duc, who had analyzed a year’s worth of data from Venmo’s public API to find out what people are buying, who they’re sending money to, why they’re sending money, first and last names, profile pictures, times of the transactions, messages attached to the transactions, and more.

Using 207,984,218 transactions, she chronicled Venmo users’ lives: everything from cannabis sales to budding romances, to breakups, to how much pizza they ate and how much Coke they bought to wash it down.

Here it is, one year later, and little has changed. After last year’s privacy kerfuffle, all Venmo did was slow down the rate that data can be scraped and remove a warning it used to show users when they switched their default privacy settings from public to private…

…which, if you haven’t done yet, we urge you to do (here’s how), considering that a) why would you want your financial transactions to be public in the first place? and b) yet another data scraper has squeezed and publicly posted another ~7 million transactions out of Venmo.

On Friday, TechCrunch reported that computer scientist Dan Salmon had scraped those transactions, which occurred over a six-month period.

Salmon, who published the data on GitHub, said that he did it to let Venmo users know that their dirty laundry’s hanging on the line for everybody to see, and grab, and make use of for whatever purposes for which people use publicly available data:

I am releasing this dataset in order to bring attention to Venmo users that all of this data is publicly available for anyone to grab without even an API key. There is some very valuable data here for any attacker conducting OSINT [open-source intelligence] research.

Salmon is about the umpteenth person to sound the alarm over Venmo’s approach to privacy. Dan Gorelick did so back in 2016, explaining how to open up the Chrome dev console to watch Venmo dynamically load live data… live data that he figured out how to trace to user transactions.

As TechCrunch notes, since then, other researchers, such as Johnny Xmas, have said that Venmo restricted its API to limit the historical data that can be collected. It can’t have throttled things much, though, given that its most recent limits still allowed Salmon to access 40 transactions per minute: what Salmon reportedly calculated to be about 57,600 scraped transactions each day.

What to do?

Salmon is “highly” encouraging Venmo users to switch their accounts to private, and we here at Naked Security agree. Go to Settings > Privacy and select “Private”, as well as Past Transactions > Change All to Private. You can see the instructions in screenshot form here.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PBWgcYb-xFM/

Spin the wheel and find today’s leaky cloud DB… *clack clack… clack* A huge trove of medical malpractice complaints

In what has become a depressingly common occurrence, the personal information of hundreds of thousands of people may have fallen into the wrong hands because yet another organization did not secure a cloud-hosted database.

This time around, social media marketing house xSocialMedia has been accused of failing to set up proper protections on multiple databases tracking the activity of advertising campaigns for medical malpractice lawyers. That configuration blunder seemingly left the data silos facing the public internet for anyone to find and rifle through.

Researchers at vpnMentor, who specialize in discovering and documenting insecure cloud servers, say they were able to get into xSocialMedia’s databases and view the personal information of people who had clicked on ads on Facebook for legal advice or class action claims for things like botched surgeries and defective implants.

Because of the nature of the campaigns, the biz tended to gather particularly sensitive information from netizens clicking through the promotions. The database of collected information, containing some 150,000 records, included things like names, addresses, phone numbers, and partial medical history.

“The ads that xSocialMedia post on Facebook lead users to a variety of ‘injury-check.com’ domains, depending on their specific ailments. Examples include ied-fund.injury-check.com and ivcfilter-risk.injury-check.com,” staff at vpnMentor explained.

“xSocialMedia lists 10 different kinds of injury lawyers that they work with. Once Facebook users have entered one of the injury-check.com domains, they are encouraged to fill out a form with their medical data to see if they qualify for legal assistance.”

It only gets worse from there. On another database, the vpnMentor crew say they also found copies of the testimony some plaintiffs had given as part of their medical malpractice suits. That testimony would in some cases include personal and private medical information, or in some cases a recounting of traumatic incidents.

Crucially, we’re told:

The injuries described in the database vary from combat injuries suffered by American veterans to injuries caused by medical devices, pesticide use, medication side-effects, and defective baby products.

The security blunder may also be a serious breach of US medical privacy laws.

“This data breach has far-reaching consequences, especially because of the sensitive health data included in xSocialMedia’s database. Medical records are heavily protected in the US by HIPAA laws,” vpnMentor staff noted in their summary.

“Practitioners and other healthcare providers cannot release any identifying information about their patients without written permission.”

xSocialMedia has yet to return a request for comment on the report. The vpnMentor team says it discovered the database on June 2, reported it on June 5, and by June 11 the offending server was locked down. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/18/xsocialmedia_cloud_leak/

Delicious irony: Hacked medical debt collector AMCA files for bankruptcy protection from debt collectors

The healthcare debt collector ransacked by hackers, who gained access to millions of patients’ personal information, has filed for bankruptcy protection.

Retrieval Masters Creditors Bureau, aka American Medical Collection Agency, told the Southern New York US District Court this week that it was seeking chapter 11 bankruptcy protection. That means it’s asked a judge to shield it for up to 18 months from creditors’ lawsuits, in which money owed is demanded, while it gets its finances in order. The biz lists its address as being in Elmsford, New York, a town about 27 miles from NYC.

The filing [PDF] comes after it emerged AMCA’s patient databases, which stored personal and banking details of millions of folks, were infiltrated by crooks. The agency had been recruited by medical testing companies to collect payments from their customers, which is why it was storing their personal records on its subsequently hacked systems.

Those testing labs included Quest Diagnostics (12 million records exposed), LabCorp (8 million), BioReference Laboratories (423,000), Carecentrix (500,000), and Sunrise Laboratories, adding up to more than 20 million records, including several hundred thousand payment card details, at miscreants’ fingertips. The network intrusion went undetected for some eight months.

In the fallout of the hack, Quest and LabCorp bore the brunt of public scrutiny and scorn from US Congress. However, as we now see, AMCA has also taken a hit from the cyber-heist, one significant enough to put its future in doubt.

Far from a filing of insolvency, chapter 11 bankruptcy allows a company to shore up its finances without the threat of creditors and aggressive collection agencies such as, ironically enough, AMCA, extracting any money owed.

According to the chapter 11 filing, AMCA says it has somewhere between one and ten million dollars in liabilities, and the same range of money in assets. AMCA noted that it plans to pay off its creditors, estimated to number anywhere from 100 to 199 different people and companies.

The list of those creditors is fairly mundane and seems to mostly be bills for day-to-day activities.

For example, AMCA says it owes IBM $15,299.64 for IT services, and Cablevision is owed $7,679.02, presumably for internet service. The filing makes no mention of Quest Diagnostics, LabCorp, or any of the other customers whose patient data was illegally accessed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/18/hacked_amca_bankruptcy_protection/

Awoogah! Awoogah! Firefox fans urged to update and patch zero-day hole exploited in the wild by miscreants

Mozilla has released an emergency critical update for Firefox to squash a zero-day vulnerability that is under active attack.

The Firefox 67.0.3 and ESR 60.7.1 builds include a patch for CVE-2019-11707. The vulnerability is a type confusion bug in the way Firefox handles JavaScript objects in Array.pop. By manipulating the object in the array, malicious JavaScript on a webpage could get the ability to remotely execute code without any user interaction.

This is a bad thing.

What’s worse, Mozilla says it has already received reports that the flaw is being actively exploited in the wild by miscreants, making it critical for users to install the latest patched versions of the browser.

Fortunately, because Mozilla automatically updates Firefox with new patches and bug fixes, Linux, Mac, and Windows users can install the patch with a simple browser restart.
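A restart only helps if the build that comes up is actually one of the two fixed ones, so a fleet check is worth having. The script below is an added example, not code from the article or from Mozilla: it parses Firefox version strings (including the `Mozilla Firefox 67.0.3` form that `firefox --version` prints) and compares each against the fixed builds named above, 67.0.3 for the release channel and 60.7.1 for ESR. The sample inventory and hostnames are constructed, and the rule that every branch other than 60.x is measured against 67.0.3 (so release builds 61 through 66 count as unpatched) is an assumption of this example.

```python
"""Added example: decide whether a Firefox version string is at or past the
builds Mozilla shipped for CVE-2019-11707 (Firefox 67.0.3, Firefox ESR 60.7.1).
The inventory below is constructed sample data, not real hosts."""
import re

# Patched builds named in the advisory for CVE-2019-11707.
FIXED_RELEASE = (67, 0, 3)
FIXED_ESR = (60, 7, 1)

VERSION_RE = re.compile(
    r"(?:Mozilla\s+Firefox\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(esr)?",
    re.IGNORECASE,
)


def parse_version(text):
    """Turn '67.0.3', '60.7.1esr' or 'Mozilla Firefox 66.0.5' (the form that
    'firefox --version' prints) into ((major, minor, patch), is_esr).
    Missing components are zero-filled so '68.0' compares as (68, 0, 0)."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), esr is not None


def is_patched(text):
    """True when the version is on or after the fixed build for its branch.
    Assumption made in this example: the 60.x line is treated as ESR whether
    or not the suffix is present, and every other branch is compared against
    67.0.3, so release builds 61 through 66 (which predate the fix) count as
    unpatched."""
    version, esr = parse_version(text)
    if esr or version[0] == FIXED_ESR[0]:
        return version >= FIXED_ESR
    return version >= FIXED_RELEASE


def hosts_needing_update(inventory):
    """inventory: iterable of (hostname, version_string). Returns the hosts
    whose Firefox still lacks the CVE-2019-11707 fix, in input order."""
    return [host for host, version in inventory if not is_patched(version)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("laptop-01", "Mozilla Firefox 67.0.3"),
    ("laptop-02", "67.0.2"),
    ("kiosk-01", "60.7.1esr"),
    ("kiosk-02", "60.7.0esr"),
    ("build-box", "66.0.5"),
]

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update Firefox (CVE-2019-11707 fix not present)")
```

Feed it whatever your endpoint management tool reports for the browser version; the comparison is on the parsed tuple, so `67.0.10` sorts after `67.0.3` correctly rather than as a string.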

Credit for the discovery and disclosure of the bug was given to Samuel Groß of Project Zero. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/18/firefox_zero_day_patch/

Google Targets Deceptive Sites with New Chrome Tools

A new extension and browser alert aim to help users report deceptive sites and prevent them from encountering fraud.

Today Google announced two new features intended to protect Chrome users from deceptive sites, which are becoming a broader threat as cybercriminals advance their fraud strategies.

Google Safe Browsing has been blocking phishing attacks for more than a decade, the company reports in a blog post on the updates. It automatically analyzes websites known via Google Search Web crawlers and creates lists of sites considered deceptive or dangerous. The new Suspicious Site Reporter extension lets users help to identify and report suspicious sites.

Those who install the extension will see an icon appear when they arrive on a potentially malicious website, as well as more details about why the site was deemed suspicious. If they click the icon, users can report these unsafe sites to Safe Browsing for further investigation.

Google is also taking steps to weed out deceptive websites with confusing URLs — for example, go0gle[.]com. Chrome 75 will bring a new warning to direct users away from these URLs, which many often click without taking a closer look at the text. The warning compares the URL of the page someone is visiting with URLs of pages the person previously visited. If the URL looks similar and may cause confusion, an alert displays a warning to help the user virtually relocate to safety.
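The comparison Chrome makes, a visited hostname measured against the sites already in the user's history, can be reproduced outside the browser, for instance over proxy logs. The following is an added example, not Google's implementation or code from the article: it reduces each host to an approximate registrable domain, folds the digit-for-letter substitutions seen in names like go0gle[.]com, and also flags a host within one edit of a known domain. The browsing history, the confusable table, the one-edit threshold, and the simplification of taking the last two labels as the registrable domain (no public-suffix list) are all assumptions of this example.

```python
"""Added example: flag a hostname that resembles a site from the user's own
browsing history, in the spirit of the Chrome 75 lookalike warning.
Sample history and test URLs are constructed."""
from urllib.parse import urlsplit

# Substitutions commonly used in lookalike names; multi-character ones first
# so 'rn' is folded to 'm' before any single-character rule touches it.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def hostname_of(url):
    """Extract the host from a URL, accepting bare hosts and the defanged
    'go0gle[.]com' notation (brackets are undone before parsing)."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    This deliberately ignores the public-suffix list (so 'example.co.uk'
    would reduce to 'co.uk'); a production check should consult that list."""
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def fold(host):
    """Map confusable sequences to the letters they imitate."""
    for seq, repl in CONFUSABLES:
        host = host.replace(seq, repl)
    return host


def levenshtein(a, b):
    """Classic edit distance using a rolling single row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_for(url, history, max_distance=1):
    """Return the history domain that `url` imitates, or None when the URL is
    either a page on a known site or unlike anything previously visited."""
    candidate = registrable(hostname_of(url))
    known = sorted({registrable(hostname_of(h)) for h in history})
    if candidate in known:
        return None  # same site, possibly a different subdomain
    for domain in known:
        if fold(candidate) == fold(domain) or levenshtein(candidate, domain) <= max_distance:
            return domain
    return None


# Constructed browsing history for the demonstration.
SAMPLE_HISTORY = [
    "https://www.google.com/",
    "https://accounts.google.com/signin",
    "https://github.com/login",
]

if __name__ == "__main__":
    for url in ["go0gle[.]com", "https://gooogle.com/", "https://mail.google.com/", "https://example.org/"]:
        print(url, "->", lookalike_for(url, SAMPLE_HISTORY))
```

The two tests are complementary: confusable folding catches same-length swaps such as `0` for `o` that edit distance would also catch, but it does so without a threshold, while the distance check catches the extra or missing letter that no folding table anticipates. Neither catches a known brand used as a subdomain of an unrelated registered domain; that is the limitation of the last-two-labels shortcut noted in the code.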

(Suspicious Site Reporter. Image: Google)


Read more details here.


Article source: https://www.darkreading.com/endpoint/google-targets-deceptive-sites-with-new-chrome-tools/d/d-id/1334994?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The Evolution of Identity

How data and technology can help businesses make the right fraud decisions, protect people’s identities, and create an improved customer experience.

Identity theft and fraud have been around for decades. The schemes and approaches have just shifted and evolved over time — particularly as of late. What started as the impersonation of an individual through physical means — beginning with a stolen wallet or identification card — has transformed into digital fraud, which is a much more sophisticated blueprint. With most people performing life’s daily tasks online, the general population has become more exposed and susceptible to these attacks.

As our society embraces both technology and the digital lifestyle, businesses and agencies need to be more responsible about the protection of people’s digital identities and information. Unfortunately, there’s a profound change that makes that objective increasingly difficult. In the past, the foundation of a person’s identity has always been rooted in personally identifiable information (PII) such as name, address, date of birth, and Social Security number. With today’s influx of data breaches, and the emergence of a sophisticated Dark Web marketplace for nefarious data exchange and sale, these core elements of a person’s identity have more than likely been exposed multiple times. So much so, in fact, that we should now assume all PII has been compromised. Yet, many businesses still rely on these foundational components to verify, authenticate, and uniquely identify and inventory individuals when conducting transactions online.

With the unlawful exposure of PII, criminals today have direct access and the means to manipulate and assume identities, create wholly new and fraudulent ones, take over online accounts, and fraudulently purchase hundreds of thousands of dollars in products and services. Businesses that rely on these data elements alone can no longer confidently verify an individual is who they say they are. In fact, the illegitimate availability of personal information has even made passwords unreliable (because people use the same password for multiple online accounts). And yet, we know that many businesses still use passwords as an authentication measure.

Protecting PII Is Not Enough
Moving forward, PII should only serve as a definitional element of a person’s identity. Just as criminals continue to evolve their fraud strategies and tactics, the definition of an identity needs to be fluid and proportional to the type of relationship a business has with a consumer and the means by which they interact. This means businesses and agencies should continuously explore innovative ways to recognize, identify, and assess individual risk in order to both remove friction for legitimate customers and to stay ahead of equally innovative fraudsters. To successfully adapt to the new digital environment, businesses and agencies need to maximize technology and innovation, as well as the expertise of their own internal workforce.

As odd as it may sound, fraud prevention and identity management need to be about more than the protection of data and information. Businesses and agencies need to factor in the customer experience as foundational to operations and a means to gain competitive advantage. According to Experian’s 2019 Global Identity Fraud Report, 74% of consumers see security as the most important element of their online experience, followed by convenience. 

People expect convenience, and will look for alternatives when it is not provided. It’s part of the reason for the near-universal adoption of technology and a digital environment. The next wave of identity- and fraud-prevention tools must minimize the effort required of a consumer without passwords, which require remembering dozens of different passwords and the painstaking task of unlocking an account, should a person forget.

The future of identity should be rooted in intelligence, passive recognition and authentication, and an improved customer experience. Using advanced analytics, such as machine learning and artificial intelligence, businesses already have the ability to detect patterns and anomalies that may indicate a fraudulent identity or transactional attempt. Additionally, the technology and infrastructure exists for businesses to leverage advanced innovation, such as physical and behavioral biometrics (facial recognition, how a person holds a phone or inputs data into an online form) device intelligence (device prints, characteristics, and histories), document validation and verification (autofill, facial recognition, and comparison) and digital behavior (transaction behavior, transaction velocity). In fact, the report shows that 77% of consumers are more confident in the security of a financial institution when physical biometrics are present.

Authentication’s New Frontier
The true power behind these innovative approaches is the behind-the-scenes nature of the authentication process. Many of these identity verification techniques work without the knowledge of the individual. For example, a person purchasing a new laptop via their mobile phone may need to use their fingerprint to approve the purchase, but there are secondary and tertiary checks in the background. Is the individual holding the phone in a typical manner? Is the device connected to an often-used IP address? Is the transaction part of the individual’s normal purchasing behavior? Is the personal information provided or captured being used consistently and in a low-risk fashion across time and disparate applications?

Separately these techniques can help minimize fraud. But together, the power of identity management and fraud prevention increases significantly. Businesses and agencies can be more confident during onboarding and ongoing authentication processes while ensuring a higher-quality customer experience for the vast majority of interactions which are legitimate.
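The layering described in the two paragraphs above (a device check, a network check, a spend-pattern check and a velocity check, each weak alone and escalating only in combination) is easiest to see in code. What follows is an added example written for this page, not Experian's or any vendor's model: it derives a user's "normal" from their past legitimate events, scores a new transaction against it, and maps the score to allow, step-up or block. Every weight, threshold, timestamp, device identifier, IP address and amount below is constructed for illustration.

```python
"""Added example: layer several passive signals into one risk score for a
transaction (device, network, spend pattern, velocity). Every weight,
threshold and event below is a constructed illustration, not a vendor model."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Event:
    ts: datetime
    device_id: str
    ip: str
    amount: float


@dataclass
class Profile:
    known_devices: frozenset
    known_ips: frozenset
    typical_amount: float


def build_profile(history):
    """Derive what 'normal' looks like from the user's past legitimate events."""
    return Profile(
        known_devices=frozenset(e.device_id for e in history),
        known_ips=frozenset(e.ip for e in history),
        typical_amount=median(e.amount for e in history),
    )


def score_transaction(profile, event, history,
                      velocity_window=timedelta(minutes=10), velocity_limit=3):
    """Return (score, reasons). Each signal alone is weak; the constructed
    weights are chosen so that only a combination crosses the block line."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if event.ip not in profile.known_ips:
        score += 20
        reasons.append("unfamiliar IP address")
    if event.amount > 3 * profile.typical_amount:
        score += 25
        reasons.append("amount far above typical spend")
    # Velocity: how many earlier events fall inside the window before this one.
    recent = [e for e in history if timedelta(0) <= event.ts - e.ts <= velocity_window]
    if len(recent) + 1 > velocity_limit:
        score += 25
        reasons.append(f"{len(recent) + 1} transactions within {velocity_window}")
    return score, reasons


def decide(score):
    """Map a score to an action; 'step_up' means ask for an explicit factor."""
    if score < 30:
        return "allow"
    if score < 60:
        return "step_up"
    return "block"


# Constructed history: one device, two home IPs, modest purchases.
T0 = datetime(2019, 6, 18, 9, 0)
SAMPLE_HISTORY = [
    Event(T0 - timedelta(days=30), "dev-A", "203.0.113.5", 20.0),
    Event(T0 - timedelta(days=20), "dev-A", "203.0.113.5", 35.0),
    Event(T0 - timedelta(days=10), "dev-A", "198.51.100.7", 50.0),
    Event(T0 - timedelta(days=5), "dev-A", "203.0.113.5", 40.0),
]


def run_demo():
    """Score four constructed scenarios; returns {label: (score, decision)}."""
    profile = build_profile(SAMPLE_HISTORY)
    burst_history = SAMPLE_HISTORY + [
        Event(T0 - timedelta(minutes=m), "dev-A", "203.0.113.5", 30.0) for m in (1, 2, 3)
    ]
    scenarios = {
        "routine": (profile, Event(T0, "dev-A", "203.0.113.5", 45.0), SAMPLE_HISTORY),
        "new_phone": (profile, Event(T0, "dev-B", "203.0.113.5", 30.0), SAMPLE_HISTORY),
        "takeover": (profile, Event(T0, "dev-B", "192.0.2.99", 900.0), SAMPLE_HISTORY),
        "burst_from_new_ip": (build_profile(burst_history),
                              Event(T0, "dev-A", "192.0.2.99", 30.0), burst_history),
    }
    results = {}
    for label, (prof, event, hist) in scenarios.items():
        score, reasons = score_transaction(prof, event, hist)
        results[label] = (score, decide(score))
    return results


if __name__ == "__main__":
    for label, (score, action) in run_demo().items():
        print(f"{label:20s} score={score:3d} -> {action}")
```

The "new_phone" case is the one worth noticing: a single unknown device is not enough to block a legitimate customer who just bought a handset, so it triggers a step-up rather than a refusal, while the same signal combined with an unfamiliar network and an outsized amount is treated as a likely takeover.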

Keep in mind that a silver bullet for fraud prevention doesn’t exist. But together these techniques and attributes, when contextually layered and invoked, can help create a new frontier of authentication and identity management. Fraudsters are quick to evolve, so businesses and agencies need to stay a step ahead. Data and technology can help businesses make the right fraud decisions, protect people’s identities, and create an improved customer experience. The foundational elements of a person’s identity need to be reassembled, and the innovation is in place to do that.


Kathleen Peters is Experian’s senior vice president and head of fraud identity, where she is responsible for the strategic direction of the company’s fraud and identity products and capabilities. In 2018 and 2019, Kathleen was named a “Top 100 Influencer in Identity” by One …

Article source: https://www.darkreading.com/perimeter/the-evolution-of-identity/a/d-id/1334969?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Advertising Alliance Plans Protocols to Reduce Dangerous Content

The Global Alliance for Responsible Media will seek ways to clamp down on dangerous and fake content.

Some of the largest advertisers in the world have joined together to push major social media and advertising platforms to reduce fake and dangerous online content.

The Global Alliance for Responsible Media includes advertisers, advertising agencies, and advertising platforms. According to a statement by the group, the initial focus will be on content dangerous to society, such as that promoting or recruiting for terrorism. The alliance will work to reduce the impact of such material by developing protocols and processes that platforms can use to police themselves.

Members of the alliance include Procter & Gamble, General Mills, Mastercard, Facebook, Twitter, Google, Omnicom Media Group, and GroupM.

The alliance is scheduled to hold its first face-to-face meeting in Cannes, France, on Wednesday.

Read more here.


Article source: https://www.darkreading.com/cloud/advertising-alliance-plans-protocols-to-reduce-dangerous-content/d/d-id/1334997?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple