Cybersecurity – Don’t Overlook These Risks Within Your Organization

It’s easier than you think for organizations and their leaders to overlook cybersecurity.  Unfortunately, the nature of the threat means some of the biggest worries for your organization might actually be out in plain sight. Here are five cybersecurity risks that are regularly overlooked.

  1. Inconsistent or Nonspecific Cybersecurity Training. In many cases, people are the weakest link.  “From falling for phishing emails, and clicking on links or downloading documents that turn out to be malware, to being a victim of business email compromise scams that end up losing the company a lot of money, employees are a company’s greatest liability when it comes to cyber security.”1   More specifically, it’s how well and how consistently they’re trained on security essentials.  Since you don’t want to assume any one employee is automatically better versed on digital security than another, it makes good sense to standardize the training. Everybody should be on the same page about the reality of the risks and how necessary a good human element is these days, even with all the anti-virus and anti-malware software available.  The understanding of what a phishing email looks like comes in handy just as much at home as it does in the office.  Even though most employees don’t like the idea of extra meetings, specific cybersecurity training helps employees feel a greater sense of ownership over the company and its processes and assets.
  2. Passwords.  Ensure that any accounts associated with your organization are secured by a strong password and, if possible, two-factor authentication. It is always recommended that employees not reuse passwords from other online accounts for any of their work accounts. You can make it part of your IT policy that employees must change their passwords within a specific time limit.  Tell your team that they should not share their passwords with anyone else.
  3. Patch Management. Keeping software patches up-to-date is a critical component of keeping your company network safe from newly discovered vulnerabilities. The importance of keeping software updates current was underlined in a dramatic way during the WannaCry and Petya outbreaks.  The primary way both of those attacks spread was by exploiting a critical vulnerability in the Windows operating system known as Eternal Blue. Eternal Blue allowed the malware to spread within corporate networks without any user interaction, making these outbreaks particularly virulent. “The WannaCry outbreak occurred in May; the patch for the Eternal Blue vulnerability had been released by Microsoft in March. If the patch had been widely applied the impact of WannaCry, which mostly hit corporate networks, would have been greatly reduced. You would imagine that a high-profile incident like WannaCry, which underlined the importance of keeping patches up to date, would have ensured people and companies did just that. However, despite all the publicity the WannaCry outbreak received when it occurred in May, the Petya outbreak in June was still able to use the same Eternal Blue vulnerability as one of the ways it spread.”2 “To be fair to the IT managers in the various companies that were hit due to the Eternal Blue vulnerability being exploited, updating software on company networks is not always entirely straightforward. IT managers can often be fearful that updating one part of the system could cause another part of it to break, and this can be a particular concern in, for example, healthcare organizations, which were heavily impacted by WannaCry.”3 However, incidents like the above do underline the importance of protecting vulnerable systems, and patching is a key way to do that. The point is not that clicking refresh on software updates all day long will prevent every possible instance in which a cybercriminal could exploit a vulnerability or back door.  Setting everything you can to auto-update at a convenient time, daily, does stand a chance of keeping you safer.
  4. Other Companies. A problem that many businesses encounter in the current business climate is that it is not just their cyber security practices that they have to worry about: they also have to worry about the cyber security protocols of other businesses they work with. Your company may have stringent cyber security practices implemented, but if a third party your company deals with is compromised then attackers could potentially gain access to your network. Network segmentation, or dedicated servers that vendors can use so that they do not connect directly into your company’s network, can help safeguard against weak links in third parties’ cyber security. If that isn’t possible, it is wise to at the very least have a conversation with potential vendors before doing business with them to ensure they take cyber security seriously, and have appropriate practices in place.
  5. Unsecured Personal Devices. “BYOD culture — or bring your own device — is a great thing for employees and employers alike. It lets employees perform their duties in a digital workspace they already know and feel comfortable in. On the employer side, the lack of a serious learning curve and the small bump in productivity are welcome.   What’s less welcome are the cybersecurity risks that BYOD culture brings. It’s possible to permit and even encourage your teams to work on their own laptops and tablets, but this shouldn’t be done without a comprehensive and robust BYOD policy drawn up by your IT team. At a minimum, you should require that users access on-premises internet connections using VPNs and that all accounts are equipped with two-factor authentication.”4

In today’s connected workplaces, there’s no single department within an organization whose job it is to ensure cybersecurity.  In fact, that’s the major message all across the digital landscape: No matter how large or small the organization, it’s vital to speak and act as one when it comes to protecting digital assets and company property.  As with so many of the issues mentioned on this list, employee education is key: employees need to understand what good cybersecurity practices are, and the potential consequences for the company if they are not followed.

 

References:
1-4:  Symantec Security Response Team:  Cybersecurity Weak Links. www.symantec.com/security-center – Bryley Systems is an SMB Specialized Symantec partner.
www.bitsighttech.com
https://www.us-cert.gov/

October is National Cybersecurity Awareness Month

Connected devices are essential to our professional and personal lives, and criminals have gravitated to these platforms as well. Many common crimes—like theft, fraud, harassment, and abuse—are now carried out online, using new technologies and tactics. Others, like cyber intrusions and attacks on critical infrastructure, have emerged as our dependence on connected systems revealed new vulnerabilities.

FTC Warning: Beware of Card Skimming at the Gas Pump

The Federal Trade Commission recently posted an article advising consumers to keep an eye out for card skimmers when paying for gas at the pump.

Skimmers are discreet devices which can be attached to payment terminals, allowing criminals to capture your credit card information.  Once they have your information they will either sell it to another party, or use it to make purchases on their own.

Unfortunately these devices are hard to spot and tend to blend in, especially when our attention is focused on pumping gas.

By educating yourself on what to look for, however, you stand a good chance of avoiding becoming a target of criminals employing this technology.

The FTC has several examples posted on their website of what to look for.  They also advise:

  • Look for a seal (sticker) on the gas pump.  If the seal is broken or appears to have been tampered with, use a different pump and alert an attendant.
  • Check to see if the card reader at your pump looks different than the readers at other pumps.  If it does, move to a different pump and let an attendant know.
  • Keep a close eye on your credit card statements.  Be sure to report any fraudulent charges to your bank or card issuer.


Let Trusted Eyes Watch Over Your Network

A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet.  Firewalls block unauthorized access to your computer network from hackers, malware and viruses. They monitor data as it passes between your computer, your server, and the Internet to make sure that nothing harmful or unintended slips through. A firewall may block certain downloads, or require system administrators to grant authority before opening files that fail to meet their security standards.

Firewalls are a critical component of effective security, and so is their configuration. A poorly-managed firewall can block legitimate activity, causing workflow errors and excess frustration for the end user. Or, a firewall with overly lax restrictions could miss harmful data packets, lending the user a false sense of security while malware and viruses penetrate your network.  If firewalls are not managed and implemented properly, they can leave gaping holes in your security and give hackers the keys to your kingdom.

A firewall should always be properly configured.  Knowing when to override its rules and let data through, as well as understanding how to respond in case of an alert, are judgement calls that require specialized knowledge and experience.  Fortunately, a trusted IT partner like Bryley Systems will not only recommend the proper firewall, but configure, manage, and support it so that your network is locked down.

Regardless of your organization’s size, no business owner wants the horrible consequences that a security breach can bring.  Larger organizations often have greater resources to dedicate towards security. If you are a small to mid-sized organization, you generally have fewer resources and smaller budgets, and having your IT network brought down by a cyberattack can bring an organization to its knees.

Unauthorized access to your system files can result in the loss of important data, the leak of confidential client information, or the compromise of other security features.  A properly managed firewall can nip this problem in the bud.

Internet usage has become a surprising sore point in employer-employee relations, as firewalls are often used to block access to certain sites online. While some employees feel that blocking access to popular social media sites and other types of Internet browsing during work hours is simply a way to micromanage personal habits, many business owners feel it is necessary to cut down on the type of distractions that eat up productivity, as well as open up security issues at the office.

There are definite pros and cons to each side, but by prohibiting access to all but a select group of websites (or by using strict controls to determine what other websites are permissible) business owners can safeguard against employees accidentally visiting a dangerous website. This type of protection can prevent an unsuspecting employee from falling victim to a phishing scam or from entering important information into an insecure website.  A managed firewall/Internet-security solution that provides website filtering can help your organization identify which websites your employees need to be able to access, based upon the type of organization you are, and what the employee’s job role is.  It can even create a custom configuration of settings to block problematic websites for safer Internet browsing.

Having your firewall and Internet-security solution managed properly by an IT partner dramatically reduces the disruption of your day-to-day business tasks while providing you with the protection you need. Your managed IT service provider will maintain proper system configurations, monitor your network for potential security threats, and respond to alerts in a timely manner. Furthermore, your managed IT provider should be up-to-date with new technology, proper certifications, and security compliance regulations that might affect your organization. While you focus on running your business at peak efficiency, your managed IT provider also ensures your software and hardware remain up-to-date.

Educate your staff about the importance and significance of firewall protection and other Internet-security measures. This training can also help your employees spot potential scams before they fall victim to them.

Your organization should also consider other safeguards, such as monitoring software that can spot suspicious activity, or programs designed to detect and remove viruses from your system.

One of the most secure ways to protect your most valuable data is by limiting user access. Make sure to store your most secure files in as few locations as necessary. Only allow access to those employees who need it, and protect it with encryption and strong passwords.

If you would like a more thorough audit of your current network security strategy and needs, please contact us at 978-562-6077, or by email at ITExperts@Bryley.com to learn more. We are here to help.

Another Annoying Robocall. Help!

How many times have you answered your phone only to hear a recorded message instead of a live person?  It’s annoying, it’s illegal and it’s known as a robocall.  “The FTC has seen a significant increase in the number of illegal robocalls because internet-powered phone systems have made it inexpensive and easy for scammers to make illegal calls from anywhere in the world, and to hide from law enforcement by displaying fake caller ID information.

To date, the FTC has brought more than a hundred lawsuits against over 600 companies and individuals responsible for billions of illegal robocalls and other Do Not Call violations.

The FTC also is leading several initiatives to develop technology-based solutions. Those initiatives include a series of robocall contests that challenge tech gurus to design tools that block robocalls and help investigators track down and stop robocallers. They are also encouraging industry efforts to combat caller ID spoofing. Here’s the FTC’s game plan to combat robocalls:

  • continue aggressive law enforcement
  • build better tools for investigating robocalls
  • coordinate with law enforcement, industry, and other stakeholders
  • stimulate and pursue technological solutions

There are options for blocking robocalls and other unwanted calls.

Mobile Apps.  Call blocking apps let you create blacklists – lists of numbers to block from calling your cell phone. Many of these apps also create their own blacklist databases from numbers that have received significant consumer complaints and some even use complaints to the FTC as a source.  They also let you create whitelists – numbers to allow – that are broader than just your personal contacts.

Some mobile apps let you choose which types of calls you want to block. For example, you might block all calls except contacts, or all calls except your contacts and numbers on a whitelist that you have created. Some apps offer additional features: reverse call look up, providing data on incoming numbers (like community-based reviews or data about the number from a search engine), blocking unwanted texts, logging the number of calls received from a number, and silent ringers for unknown callers. Some mobile apps give you choices about how to respond to an incoming call. For example, you can send a prewritten text message to the caller or file a complaint with the Federal Trade Commission. And some apps let you block calls based on the geographic location or area code of the incoming call.

Many call-blocking apps are free or only cost a few dollars. However, some apps may upload your contact information, along with information about what numbers you call or call you. The app’s privacy policy should explain how it gets and uses your information.

Features Built Into Your Mobile Phone.  Many mobile phones come equipped with features built into the device that can block calls from specific numbers. These features can let consumers block specific contacts, identify unwanted incoming calls for future blocking, and set “do not disturb” hours. You must manage these lists on your own, and the device may limit the number of calls you can block.  Since these features are built into the phone’s operating system or come pre-installed, you may not need to download an app unless you want some more sophisticated features, like tapping into a database of blacklisted numbers.

Cloud-Based Services.  Cloud-based services can block unwanted calls for mobile phone lines or phone lines that operate over the internet, like phone service provided by a cable company. Your carrier may give you information about a cloud-based service operated by another company. The service might be a mobile app or a service that requires you to register your phone line. Cloud-based services reside on large, shared computer systems that can collect data from lots of users and use it to build crowd-sourced blacklists.  These services rely on accessing your call data to add to their databases. Some cloud-based services and mobile apps require all calls to be routed through their service, where they are instantly analyzed.  You may have choices about how unwanted calls are handled – for example, they might ring silently, go straight to a separate voicemail, or go to a spam folder. Some cloud-based services are free and some charge a monthly fee.

Call-Blocking Devices.  Devices that block unwanted calls can be installed directly on a home phone. Some devices use blacklist databases of known spam numbers and allow you to add additional numbers to be blocked. Other blocking devices rely on you to manually create and update your own blacklist. Some devices divert the call after one ring, and some show a blinking light when an unwanted call comes in. Other devices connect the unwanted caller to a recording with options that allow legitimate callers who were mistakenly blacklisted to ring through.

Some devices rely on a whitelist that limits incoming calls to approved numbers.  Some also allow you to set up “do not disturb” hours. You’ll have to pay to buy a call-blocking device, and not all devices work on all types of home phones and carriers.

Carrier Services.  You may consider using services provided by your phone service carrier. Carriers typically have solutions for all phones – landline, cable, internet and mobile devices. Many carriers allow you to block between 10-30 numbers, but you are responsible for identifying the numbers to block. Robocallers frequently shift the numbers they use, so the robocaller may still be able to get through by changing the number they use.

 

Many carriers also allow you to block calls from anonymous callers – those who prevent their phone number from appearing on a CallerID device, or whose number shows up as “ANONYMOUS” or “PRIVATE.” But robocallers often show fake numbers on your CallerID. Some carriers also offer services that allow you to block calls or divert them to voicemail for periods of time. This lets you set up quiet or “do not disturb” hours.”1

Some carriers provide these services for free; others charge a fee. You can check your carrier’s website or call customer service for more information.

Reference:
The Federal Trade Commission (FTC) is the nation’s consumer protection agency.
Federal Trade Commission, Privacy, Identity and Online Security.

End-Of-Life Hardware – Retire or Not Retire?

Many IT departments have processes to keep costs under control and systems running smoothly. However, most organizations fail to adequately plan and properly manage the end-of-life (EOL) transition for routers, firewalls, switches and other critical network infrastructure. A device that is fully depreciated does not yield cost savings – these devices actually represent potentially higher costs due to non-compliance, chance of failure and lack of adequate support.

There are many reasons why organizations do not proactively manage EOL network assets. Two of the most common reasons include:

  1. Reluctance to spend money and time on something that is working
  2. Insufficient resources to prioritize the task of managing network assets

However, underlying risks and costs exist if you do not establish and follow a well-defined process to transition EOL devices out of your network.  Operating legacy hardware poses a significant risk and higher operating cost due to the following reasons:

  • Regulatory non-compliance
  • Excessive support costs
  • Decreased productivity
  • Business disruption

Regulatory Non-compliance:  Non-conformance costs will become an issue if the device is unable to achieve control objectives defined by your policies. This may be due to a lack of technical capability or because the device is no longer able to receive updates that address security vulnerabilities.

Excessive Support Costs:  The primary reason for increasing support costs is vendor end-of-sale and EOL policies. As a device approaches EOL, the support services can become more expensive. Failure to secure or renew a maintenance agreement before critical EOL dates expire will prevent you from receiving vendor technical support and maintenance upgrades. You may therefore be forced to develop or maintain more expensive in-house skills or contract externally for those needed services.

Decreased Productivity:  IT is a significant business productivity driver. When new technologies are not adopted and utilized, opportunity costs may negatively affect bottom-line financial performance. This is also a problem when the organization wants to expand service only to discover that the underlying infrastructure won’t support the business requirements because it is no longer supported. This discovery then forces unplanned expenditures and cost overruns.

Business Disruption:  This risk often produces a broad spectrum of effects caused by catastrophic device failure and often leads to business disruption and accompanying lost revenue and/or brand damage. These problems are amplified when remediating a legacy device consumes even more time because spares cannot be located or the replacement device requires extensive install and configuration effort.

Tracking EOL devices can be difficult because it is challenging to manage, track and verify the information effectively.

  • There is no pattern for how long a vendor will keep a product in market or when they will issue an EOL announcement.  Therefore, you simply can’t perform this research annually (without the likelihood of missing several announcements throughout the year). Vendors make it your responsibility to watch for these announcements. If you miss any announcement then you will miss out on important transition dates and options.
  • Vendors often communicate end-of-sales/end-of-life announcements according to a product series as opposed to a specific model or part number. Therefore an EOL announcement may, or may not, apply to your specific device.  Tracking EOL dates takes time because you have to carefully read each applicable announcement and determine how it applies to your equipment.
  • It is very important to have an accurate inventory of your devices, including serial numbers, part numbers, etc.
  • All of this data has to be well integrated with management, and if it’s not part of your network management system, it will require more effort to properly manage all of this data.
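
The matching step described in the list above, as an added example (not code from the original article or from any vendor): announcements name a product series, so each one has to be resolved against the part numbers in your inventory, including models a bulletin exempts and records with missing fields. All part numbers, serial numbers, series patterns and dates are constructed sample data.

```python
"""Resolve series-level EOL announcements against a device inventory.

Every vendor series, part number, serial and date here is constructed
for illustration; none is a real product or a real announcement.
"""
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Device:
    serial: str
    part_number: str
    role: str


@dataclass(frozen=True)
class Announcement:
    series: str            # series name as written in the bulletin
    patterns: tuple        # part-number globs the series covers
    excluded: tuple        # part numbers the bulletin explicitly exempts
    end_of_sale: date
    end_of_support: date

    def applies_to(self, part_number: str) -> bool:
        pn = part_number.strip().upper()
        if pn in self.excluded:
            return False
        return any(fnmatchcase(pn, p) for p in self.patterns)


INVENTORY = [  # constructed sample inventory
    Device("SN-0001", "FW-200-A", "edge firewall"),
    Device("SN-0002", "FW-200-B", "branch firewall"),
    Device("SN-0003", "SW-48P-G2", "core switch"),
    Device("SN-0004", "RT-900", "router"),
    Device("SN-0005", "", "closet switch"),   # part number never recorded
]

ANNOUNCEMENTS = [  # constructed sample bulletins
    Announcement("FW-200 series", ("FW-200-*",), ("FW-200-B",),
                 date(2016, 1, 31), date(2017, 6, 30)),
    Announcement("SW-48P series", ("SW-48P-*",), (),
                 date(2017, 9, 30), date(2018, 9, 30)),
]

# Most urgent first in the report.
PRIORITY = {"unsupported": 0, "plan-replacement": 1,
            "inventory-incomplete": 2, "no-announcement": 3, "supported": 4}


def classify(device, announcements, today, warn_days=365):
    """Return (status, end_of_support or None) for one device."""
    if not device.serial.strip() or not device.part_number.strip():
        # Without a part number the bulletin cannot be matched at all.
        return ("inventory-incomplete", None)
    matches = [a for a in announcements if a.applies_to(device.part_number)]
    if not matches:
        # Not proof of support: only that no reviewed bulletin covers it.
        return ("no-announcement", None)
    # If several bulletins match, the earliest end-of-support date governs.
    eos = min(a.end_of_support for a in matches)
    days_left = (eos - today).days
    if days_left < 0:
        return ("unsupported", eos)
    if days_left <= warn_days:
        return ("plan-replacement", eos)
    return ("supported", eos)


def report(inventory, announcements, today):
    """Rows of (serial, part_number, status, end_of_support), worst first."""
    rows = []
    for d in inventory:
        status, eos = classify(d, announcements, today)
        rows.append((d.serial, d.part_number, status, eos))
    return sorted(rows, key=lambda r: (PRIORITY[r[2]], r[0]))


if __name__ == "__main__":
    for serial, pn, status, eos in report(INVENTORY, ANNOUNCEMENTS,
                                          date(2017, 10, 1)):
        print(f"{serial:8} {pn or '(missing)':10} {status:21} {eos or ''}")
```

Re-running the report whenever a new bulletin is added to `ANNOUNCEMENTS`, rather than once a year, is what catches announcements issued between reviews.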

If you don’t have an internal system for tracking this information, your managed service provider should be tracking this for you.  Any organization running EOL technology faces many unknown and potentially costly challenges. It’s important to work with a firm that has vast experience and expertise in helping organizations transition to newer technology.

Rely on Bryley Systems as your trusted partner to help your organization properly phase out EOL technology and adopt new technologies, so that your IT functions are operating at their maximum potential.  Contact us at 978-562-6077, or by email at ITExperts@Bryley.com to learn more. We are here to help.

My Software Has Reached End of Life. Now What?

When software reaches end of life (EOL), you suddenly find yourself wondering what impact this will have on your organization.  Take a moment to understand what vulnerabilities may be at hand and what some best practices for planning ahead are.

Never just ignore EOL timelines because there are some risks to be concerned about.

EOL Software Dangers:

  • Security vulnerabilities: When using software that’s no longer supported, computers become a gateway for malware.  When vulnerabilities are no longer patched, it leaves the door wide open for hackers.
  • Software incompatibility:  New applications are optimized for the most recent operating systems. That means when using EOL operating systems, you can’t upgrade to the latest and greatest, so you’ll have to hold onto legacy applications which are likely also EOL, or soon to be.  When the legacy applications come to their EOL, they are extremely difficult to migrate onto new infrastructure, costing your business time and money.
  • Poor performance and reliability: Chances are, if you’re still running legacy apps or old versions of Windows, then you have some aging servers and workstations too.  This will add to your risk because these likely out-of-warranty devices are prone to breaking down. Consider that the downtime alone could be more costly than an overdue upgrade.
  • High operating costs: If technology is out-of-date or out-of-warranty, both cost and downtime are magnified when a failure occurs.  Your organization can’t afford a mission-critical app failing, and trying to maintain and bug-fix any post-EOL software can be very expensive.
  • Compliance issues: Regulated industries like healthcare and e-commerce deal with lots of sensitive customer data. Entrusting your critical information to a decade-old OS or an insecure application?  In addition to security lapses, it could result in big fines, company shutdowns, or more legal issues that could ruin your organization.

There is no bulletproof way to run EOL software.  Security, compatibility and compliance are all challenges with EOL software.

 

What are some best practices to plan ahead?

  1. Define business service management requirements:   Identify nice-to-have capabilities desired for incident management, service level assurance, problem resolution, change management, configuration management, self-service options, and integration requirements.
  2. Evaluate needs:  Focus on options that will enhance profit, ease business operations, increase revenue and reduce company operational costs. Know what you are looking for and what you want to do for an EOL replacement.
  3. Focus on processes for operations:   Identify service management processes that are unique to your business when considering vendors and purchases.
  4. Leverage modern technology:  A good objective in EOL replacement is to apply the benefits of newer technology to resolve the most obvious pain points in your IT management organization. Investing in the latest software is great, but being mindful about outdated operating systems is even better.

EOL software poses a large risk to organizations every day.  With an adequate understanding of the risks involved, advanced planning, and help from Bryley Systems, you can identify and migrate away from EOL software.  Contact us at 978.562.6077, or by email at ITExperts@Bryley.com to learn more. We are here to help.

Refund and Recovery Scams

The following information was posted by the FTC on their website.

Scam artists buy and sell “sucker lists” with the names of people who already have lost money to fraudulent promotions. These crooks may call you promising to recover the money you lost or the prize or merchandise you never received — for a fee in advance. That’s against the law. Under the Telemarketing Sales Rule, they cannot ask for — or accept — payment until seven business days after they deliver the money or other item they recovered to you.

How the Scams Work

Many consumers might not know that they have been scammed by a bogus prize promotion, phony charity drive, fraudulent business opportunity or other scam. But if you have unknowingly paid money to such a scam, chances are your name is on a “sucker list.” That list may include your address, phone numbers, and other information, like how much money you’ve spent responding to phony offers. Dishonest promoters buy and sell “sucker lists” on the theory that people who have been deceived once have a high likelihood of being scammed again.

These scammers lie when they promise that, for a fee or a donation to a specific charity, they will recover the money you lost, or the prize or product you never received. They use a variety of lies to add credibility to their pitch: some claim to represent companies or government agencies; some say they’re holding money for you; and others offer to file necessary complaint paperwork with government agencies on your behalf. Still others claim they can get your name at the top of a list for victim reimbursement.

The Federal Trade Commission (FTC), the nation’s consumer protection agency, says claims like these often are false. Although some federal and local government agencies and consumer organizations help people who have lost money, they don’t charge a fee. Nor do they guarantee to get your money back, or give special preference to anyone who files a formal complaint.

Seeing Through a Recovery Scam

Here are some tips to help you avoid losing money to a recovery scam:

Don’t give money or your bank or credit card account number to anyone who calls offering to recover money, merchandise, or prizes you never received if the caller says you have to pay a fee in advance. Under the Telemarketing Sales Rule, it’s against the law for someone to request or receive payment from you until seven business days after you have the money or other item in hand.

If someone claims to represent a government agency that will recover your lost money, merchandise, or prizes for a fee or a donation to a charity, report them immediately to the FTC. National, state, and local consumer protection agencies and nonprofit organizations do not charge for their services.

Before you use any company to recover either money or a prize, ask what specific services the company provides and the cost of each service. Check out the company with local government law enforcement and consumer agencies; ask whether other people have registered complaints about the business. You also can enter the company name into an online search engine to look for complaints.1

 

If you get a call like this, hang up, and report it:   ftc.gov/complaint.

 

Reference:

1. Reprinted:  The Federal Trade Commission (FTC) is the nation’s consumer protection agency. The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace.

Federal Trade Commission, Consumer Information

“Free” Security Scan? Beware of Scammers.

“Messages telling you to install and update security software for your computer seem to be everywhere. So you might be tempted by an offer of a “free security scan,” especially when faced with a pop-up, an email, or an ad that claims “malicious software” has already been found on your machine. Unfortunately, it’s likely that the scary message is a come-on for a rip-off.

The free scan claims to find a host of problems, and within seconds, you’re getting urgent pop-ups to buy security software. After you agree to spend $40 or more on the software, the program tells you that your problems are fixed. The reality: there was nothing to fix. And what’s worse, the program now installed on your computer could be harmful.

Scammers have found ways to create realistic but phony “security alerts.” Though the “alerts” look like they’re being generated by your computer, they actually are created by a con artist and sent through your Internet browser.

These programs are called “scareware” because they exploit a person’s fear of online viruses and security threats. The scam has many variations, but there are some telltale signs. For example:

  • you may get ads that promise to “delete viruses or spyware,” “protect privacy,” “improve computer function,” “remove harmful files,” or “clean your registry;”
  • you may get “alerts” about “malicious software” or “illegal pornography on your computer;”
  • you may be invited to download free software for a security scan or to improve your system;
  • you could get pop-ups that claim your security software is out-of-date and your computer is in immediate danger;
  • you may suddenly encounter an unfamiliar website that claims to have performed a security scan and prompts you to download new software.

 

Scareware purveyors also go to great lengths to make their product and service look legitimate. For example, if you buy the software, you may get an email receipt with a customer service phone number. If you call, you’re likely to be connected to someone, but that alone does not mean the company is legitimate. Regardless, remember that these are well-organized and profitable schemes designed to rip people off.

How Do the Scammers Do It?

Scareware schemes can be quite sophisticated. The scam artists buy ad space on trusted, popular websites. Even though the ads look legitimate and harmless to the website’s operator, they actually redirect unsuspecting visitors to a fraudulent website that performs a bogus security scan. The site then causes a barrage of urgent pop-up messages that pressure users into downloading worthless software.

What to Do

If you’re faced with any of the warning signs of a scareware scam or suspect a problem, shut down your browser. Don’t click “No” or “Cancel,” or even the “x” at the top right corner of the screen. Some scareware is designed so that any of those buttons can activate the program. If you use Windows, press Ctrl + Alt + Delete to open your Task Manager, and click “End Task.” If you use a Mac, press Command + Option + Q + Esc to “Force Quit.”

If you get an offer, check out the program by entering the name in a search engine. The results can help you determine if the program is on the up-and-up.

Good Security Practices

Check that your security software is active and current: at a minimum, your computer should have anti-virus and anti-spyware software, and a firewall. You can buy stand-alone programs for each element — or a security suite that includes these programs — from a variety of sources, including commercial vendors and your Internet Service Provider. The security software that was installed on your computer when you bought it generally works for just a short time — unless you pay a subscription fee to keep it in effect.

Make it a practice not to click on any links within pop-ups.  Report possible fraud online at ftc.gov/complaint or by phone at 1-877-FTC-HELP. Details about the purchase — including what website you were visiting when you were redirected — are helpful to investigators.”1

Reference:

1. Reprinted: The Federal Trade Commission (FTC) is the nation’s consumer protection agency. The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace.

Federal Trade Commission, Consumer Information

Note: This article was previously available as “Free Security Scan” Could Cost Time and Money.

 

Beware of Tech Support Scams!

There are scammers who will call and claim to be a computer tech associated with well-known companies like Microsoft or Apple.  Other scammers send pop-up messages that warn about computer problems.  They say they’ve detected viruses or other malware on your computer.  They claim to be ‘tech support’ and will ask you to give them remote access to your computer.  Eventually, they’ll diagnose a non-existent problem and ask you to pay for unnecessary – or even harmful – services.

If you get an unexpected pop-up, call, spam email or other urgent message about problems with your computer, STOP.  Don’t click on any links, don’t give control of your computer and don’t send any money.

How the Scam Works

Scammers may call, place alarming pop-up messages on your computer, offer free “security” scans, or set up fake websites – all to convince you that your computer is infected. The scammers try to get you on the phone, and then work to convince you there’s a problem. Finally, they ask you to pay them to fix that non-existent problem.

To convince you that both the scammers and the problems are real, the scammers may:

  • pretend to be from a well-known company – like Microsoft or Apple
  • use lots of technical terms
  • ask you to get on your computer and open some files – and then tell you those files show a problem (when they don’t)

Then, once they’ve convinced you that your computer has a problem, the scammers might:

  • ask you to give them remote access to your computer – which lets them change your computer settings so your computer is vulnerable to attack
  • trick you into installing malware that gives them access to your computer and sensitive data, like user names and passwords
  • try to sell you software that’s worthless, or that you could get elsewhere for free
  • try to enroll you in a worthless computer maintenance or warranty program
  • ask for credit card information so they can bill you for phony services, or services you could get elsewhere for free
  • direct you to websites and ask you to enter your credit card number and other personal information

These scammers want to get your money, access to your computer, or both. But there are things you can do to stop them.

If You Get a Call or Pop-Up

  • If you get an unexpected or urgent call from someone who claims to be tech support, hang up. It’s not a real call. And don’t rely on caller ID to prove who a caller is. Criminals can make caller ID seem like they’re calling from a legitimate company or a local number.
  • If you get a pop-up message that tells you to call tech support, ignore it. There are legitimate pop-ups from your security software to do things like update your operating system. But do not call a number that pops up on your screen in a warning about a computer problem.
  • If you’re concerned about your computer, call your security software company directly – but don’t use the phone number in the pop-up or on caller ID. Instead, look for the company’s contact information online, or on a software package or your receipt.
  • Never share passwords or give control of your computer to anyone who contacts you.

If You Were Scammed

  • Get rid of malware. Update or download legitimate security software and scan your computer. Delete anything the software says is a problem.
  • Change any passwords that you shared with someone. Change the passwords on every account that uses passwords you shared.
  • If you paid for bogus services with a credit card, call your credit card company and ask to reverse the charges. Check your statements for any charges you didn’t make, and ask to reverse those, too. Report it to ftc.gov/complaint.

Refund Scams

If you paid for tech support services, and you later get a call about a refund, that call is probably also a scam. Don’t give the person any personal or financial information.

The refund scam works like this: Several months after a purchase, someone calls to ask if you were happy with the service. If you say “No”, the scammer offers a refund. Or, the caller says the company is going out of business and giving refunds. The scammer eventually asks for your bank or credit card account number, or asks for access to your bank account to make a deposit. But instead of putting money in your account, the scammer takes money from your account.

If you get a call like this, hang up, and report it: ftc.gov/complaint.1

Reference:

1. Reprinted: The Federal Trade Commission (FTC) is the nation’s consumer protection agency. The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace.

Federal Trade Commission, Consumer Information