New Year, New You. Same W-2 Tax Scams

Tax season is in full swing, which means criminals will go to great lengths to separate you from your money, your identity, or anything of value that is within their reach. They may offer seemingly legitimate "tax services" that are actually designed to steal your identity and your tax refund. Often times, criminals will lure you in with an offer of larger write-offs or refunds. Such scams might include fake websites and tax forms that look like they belong to the Internal Revenue Service (IRS) in order to trick you into providing your personal information.
 
Due to the rise in data breaches, you should always take steps to minimize your risk of identity theft and other online-related crimes; this is especially important this time of the year. Below are some warning signs to look for and basic precautions you can take to minimize risk and avoid becoming the next victim!
 
WARNING SIGNS OF AN ONLINE TAX SCAM
  • An email or link requesting personal and/or financial information, such as your name, social security number, bank or credit card account numbers, or any additional security-related information.
  • Emails containing various forms of threats or consequences if no response is received, such as additional taxes or blocking access to your funds.
  • Emails from the IRS or federal agencies. The IRS will not contact you via email.
  • Emails containing exciting offers, tax refunds, incorrect spelling, grammar, or odd phrasing throughout.
  • Emails discussing "changes to tax laws." These email scams typically include a downloadable document (usually in PDF format) that purports to explain the new tax laws. However, unbeknownst to many, these downloads are almost always populated with malware that, once downloaded, will infect your computer.
HOW TO AVOID BEING THE VICTIM
  • Never Send Sensitive Information in an Email: Information sent through email can be intercepted by criminals. Make sure to consistently check your financial account statements and your credit report for any signs of unauthorized activity.
  • Secure Your Computer: Ensure your computer has the latest security updates installed. Check that your anti-virus and anti-spyware software are running properly and receiving automatic updates from the vendor. If you haven't already done so, install and enable a firewall.
  • Carefully Select the Sites You Visit: Safely searching for tax forms, advice on deductibles, tax preparers, and other similar topics requires great caution. NEVER visit a site by clicking on a link sent in an email, found on someone's blog, or in an advertisement. The websites you land on might look like legitimate sites, but can also be very well-crafted fakes.
  • Be Wise with Wi-Fi: Wi-Fi hotspots are intended to provide convenient access to the internet, however, this convenience can come at a cost. Public Wi-Fi is not secure and is susceptible to eavesdropping by hackers, therefore, never never use public Wi-Fi to file your taxes!
  • Look for Clear Signs: Common scams will tout tax rebates, offer great deals on tax preparation, or offer a free tax calculator tool. If you did not solicit the information, it's likely a scam.
  • Be on the Watch for Fake IRS Scams: The IRS will not contact you via email, text messaging, or your social network, nor does it advertise on websites. Additionally, if an email appears to be from your employer or bank claiming there is an issue that requires you to verify personal information, this is most likely a scam as well. Don’t respond to these types of emails; always contact the entity directly.
  • Always Utilize Strong Passwords: Cybercriminals have developed programs that automate the ability to guess your passwords. To best protect yourself, make your passwords difficult to guess. Passwords should have a minimum of nine characters and include uppercase and lowercase letters, numbers, and symbols.
The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Cyber Hygiene: Improving Health and Online Security

What is Cyber Hygiene?
Wellness is a popular topic in today’s world, and rightfully so. It’s tough to achieve your dreams and goals if you neglect to take care of your physical, emotional, family, social, and career needs. To set ourselves up for success, we attempt to eat healthily, visit the doctor for an annual checkup or physical, choose to spend quality time with friends and family, read up on topics of interest, and generally put ourselves in a positive position to get what we desire.

When it comes to security, cyber hygiene is similar to taking care of your own wellness. Some individuals and organizations invest a lot of resources into making sure they are mitigating risk from today’s big cyber threats, such as ransomware and data breaches. Conversely, some individuals and organizations haven’t made much investment into the basics of cybersecurity protection – otherwise known as cyber hygiene – to keep themselves from being the low-hanging fruit for online attackers looking for an easy target.
Common Cyber Hygiene Issues
Today, many organizations have more than just computers in need of cyber hygiene. All hardware (workstations, servers, smartphones, firewalls, connected devices, etc.), software programs, and online applications should be included in a regular, ongoing maintenance program. Each can open vulnerabilities into the organization when not managed properly. Some problems that can arise due to poor cyber hygiene include:
  • Loss of Data: Hard drives and online cloud storage that aren’t backed up or maintained can be vulnerable to hacking, corruption, and other problems that could result in the loss of important information.
  • Misplaced Data: Improper file system organization can lead to misplaced files and is becoming increasingly commonplace as organizations grow.
  • Data Breach: The most severe and damaging to organizations is the data breach. There are constant and immediate threats where a single click can mean a slow and costly recovery. Phishing, malware, spam, viruses, and a variety of other threats exist in the modern threat landscape, which is constantly changing as new vulnerabilities and social engineering techniques emerge.
  • Software Vulnerabilities: Out of date software and failures in patch management are one of the leading causes of breaches at organizations and have led to many reputable organizations suffering unnecessary incidents. Patches and updates to software (not just Windows operating systems, but other software like Microsoft Office, Adobe, Java, Flash, and many others) are released to fix known vulnerabilities that hackers exploit in those software applications to access computers and networks.
  • Malicious Software: New versions and variants of malware are released daily, challenging traditional antivirus applications to work harder just to keep up. Traditional antivirus software and other security software must be updated at least weekly to keep pace with the ever-changing threat landscape. Also, consider more advanced forms of anti-malware solutions, like Carbon Black or Cylance, which look at the behavior of files and applications, rather than relying on outdated signatures to catch only the known-bad malware.
Know What You Have
Before you can understand how to protect your organization, you must know what you have in the first place. Taking an inventory of your assets - which can include hardware, software, applications, and information - is a crucial component of properly managing the risk of today’s threats. Implementing a plan to document all current equipment and software programs will help improve the security of any environment. Your assets can be broken up into the following groups:
  • Hardware: any computer, connected device, or mobile device
  • Software: any and all programs used on the network and installed onto computers
  • Applications: web and mobile apps, including apps not installed directly on devices (i.e., websites used by your organization to perform daily job duties)
Creating a Cyber Hygiene Culture
Below are items that should be taken into account when considering cyber hygiene:
  • Password Changes: Complex passwords changed regularly can prevent many malicious events. Passwords should be at least 10 characters for regular user passwords and 15 characters for administrative passwords. Password managers can be an easy way to maintain complex passwords without the need to remember each individual password for applications. Multi-factor authentication adds another layer of security on systems and applications that support it.
  • Software Updates: Poor patch management mixed with the right phishing emails can spell disaster. Operating system and third-party patches need to be applied on a timely basis to mitigate the chance of malicious software taking advantage of unpatched systems. Having a strong patch management program is one of the best things any organization can do to mitigate the risk of a data breach or incident.
  • Manage End of Life Systems: End-of-Life (EOL) must be a consideration for computer hardware and software in a business environment. Systems utilized after their EOL introduce great risk to the organization because security patches and updates are no longer being pushed out from the provider.
  • Limit Users: Only those who need admin-level access to programs should have access. Standard users should have limited capabilities and not be allowed to install software or applications on their local computers without administrative permission.
  • Back-Up Your Data: All data should be backed up to a secondary source (i.e. hard drive, cloud storage). A general rule to follow is the 3-2-1 backup rule: three (3) copies of data stored on two (2) different storage media, with one (1) located offsite (and offline).
  • Employ a Cyber Security Framework: Businesses may want to review and implement an industry-standard framework for cybersecurity within their organization (e.g., the NIST Cybersecurity Framework or the Center for Internet Security Top 20 Critical Security Controls). Cybersecurity frameworks help organizations by providing a starting point for implementing good cybersecurity practices (you don’t have to implement everything in such a framework). Remember, the most important step is to start.
Putting It All Together
Cyber hygiene is a necessary component for your organization’s security and the overall health of your digital environment. Failing to fully consider the risks will open any organization to financial and reputational damage. Management of both hardware and software assets from acquisition to sunset, in addition to creating a good culture of cyber hygiene, moves any organization to a greater level of security maturity. If your organization is not already regulated with cybersecurity standards, the NIST Cybersecurity Framework and The Center for Internet Security Top 20 Controls will provide a good starting point for any organization that understands the importance of protecting its computers, network, and data. 

Written by: Eric Chase, Information Security Consultant, SBS CyberSecurity, LLC
 

Safeguarding Your Information

Safeguarding your personal and financial information is a responsibility we take very seriously at Border Bank. However, you should also remain vigilant against potential threats to "Identity Theft". Identity Theft affects millions of people each year.

Thieves can get your personal information by many means, both technology based and people based, including, but not limited to:

  • Stealing your purse or wallet
  • Pilfering information from your mail box such as bank statements and pre-approved credit card applications
  • Obtaining your Driver's License number or Social Security number if imprinted on your personal checks
  • Observing your transactions at ATMs or store check-out terminals to capture your personal identification number (PIN)
  • Going through trash for credit card receipts or loan applications
  • Utilizing different types of fraud (e.g. Phishing, Vishing or SMiShing scam)
  • Operating other common fraud schemes and scams. The FBI maintains a current listing of these schemes and scams on its website: http://www.fbi.gov/scams-safety

Here are a few simple tips to always keep in mind:

  • Get notified with Border Bank Account Alerts* sent by text, email, or App for your personal accounts
  • Border Bank Online Banking and Mobile Banking are great resources for monitoring your accounts and transactions*
  • Change your password at least every 90 days
  • Never disclose personal information to anyone without authorization to access your accounts. Unless you initiate the contact or we are completing an application for you, Border Bank will NOT request your personal information (e.g. account number, PIN, Social Security number, or mother’s maiden name) through email, U.S. mail or phone
  • Do not print your driver’s license number or Social Security number on personal checks
  • Report lost or stolen checks or bank cards immediately
  • Store new and cancelled checks in a secure location
  • Select and memorize a PIN that never uses information readily found in your wallet or purse (e.g. your house number or date of birth)
  • Promptly review monthly financial statements yourself and report any discrepancies immediately. Never ignore suspicious charges on your statements. If regular bills or statements stop coming to you, call the company's customer service number to determine if someone has filed a false change-of-address notice to divert your mail
  • Retain all receipts from ATM, debit and credit card transactions until they have been reconciled to your statements and ensure your account number is not readable when you dispose of them
  • Be sure to sign new bankcards immediately
  • Only carry important documents as needed (e.g. Social Security card, passport or birth certificate). If lost or stolen, a thief could use them
  • Destroy cards you no longer use, making sure the numbers are not recognizable
  • Shred unnecessary financial documents, including old bank statements, invoices, and unwanted pre-approved credit offers
  • Never provide your financial information to an unfamiliar website
  • Be careful in responding to “Work from Home” ads as this is a common method for fraudsters to attract money mules unknowingly. Money mules transfer money acquired illegally on behalf of others and are typically paid a small part of the money transferred for their services
  • Report suspicious emails or phone inquiries (e.g. requesting account information to “award a prize” or “verify a statement”) to your phone company, Border Bank or the local authorities. Call Border Bank to report this activity.
  • Forward any suspicious emails to marketing@border.bank that appear to be from Border Bank and request that you click on a link to enter your login credentials or personal information
  • Consistently validate that each of your computers has up-to-date software installed including operating system, personal firewall, anti-virus, anti-spyware and current browser. Ensure your anti-virus and anti-spyware software is enabled and performing scans on a regular basis. Use reputable internet tools to scan your browser for known vulnerabilities.

If you believe you have been a victim of fraud related to your Border Bank accounts, notify us immediately by calling your local Border Bank, so we can take action to help you. A formal complaint can also be filed with the Internet Crime Complaint Center (IC3) at www.ic3.gov.

*Use of these features and services requires internet and/or data access through a computer or mobile device. Subject to availability and the same limitations as any service available through the internet. Border Bank is not responsible for matters that are outside of its reasonable control that might impact availability and functionality. Border Bank reserves the right to suspend service for any reason at any time. Your mobile carrier’s text messaging and data charges may apply.


Ten Essential Cybersecurity Best Practices

The continued development of the internet has put the world at anyone’s fingertips, which has made protecting personal information much more critical. With the constant development of new technology, comes massive innovation, and nonetheless, massive vulnerabilities. Due to these vulnerabilities, breaches and security implications by digital attacks are becoming far too common in today’s fast-paced, technology-ruled world. As a result, innocent people are frequently becoming the victims of identity theft, phishing scams, and many other digital crimes. In order to help reduce cybersecurity related threats, SBS CyberSecurity has developed ten essential “Cybersecurity Best Practices” to help protect digital processes and information.
  1. LOCK IT UP: Always lock your computer before leaving your desk. While this best practice seems trivial, one would be surprised at how often this is not done in the workplace. Our computers house sensitive information and business processes and when a workstation is left unlocked there is a possibility an attacker could have unrestricted access to the system. To avoid possible information leaks, embarrassing photos being spread, or the occasional practical joker, simply remember to lock your computer before leaving your desks.
  2. PROTECT YOUR MACHINE: It is imperative to properly install and continually update software firewalls on every machine that contains digital information. A firewall helps to prevent unauthorized access to or from a network. It is the first line of defense when it comes to guarding digital information not intended for the public eye. Patching your operating systems and applications is a vital security practice as well. Patches are often released on a scheduled basis, however, there are times when patches are sent out “off schedule” in order to defend against new found threats. When these patches come out, it is important to immediately install them. Keep in mind, as time passes new threats will be found, so system patching will be a constant security measure.

  3. THINK BEFORE YOU CLICK: This best practice tip is essential to keep in mind when it comes to clicking on links online. Once a link has been clicked it is possible that malicious software, like a virus, can install itself on the user’s computer. Don’t click on any link unless you know you can trust the source it is being sent from and you are certain of where the link will send you. If you are unsure about a link, the best thing to do is call the individual prior to clicking on the link. Double checking the address from where the link came from can aid in determining if the link is actually valid or not. You can hover the mouse over the link and check in the bottom of the browser to see if the actual URL link matches the link in the message.
  4. WATCH FOR THE "S": One of the most common methods of secure communication online is https. “Http” stands for hypertext transfer protocol, while the “s” at the end stands for security. It is important to make sure that “https” is displayed as part of a URL you visit, as it shows the authenticity of the security certificate on the webpage you are visiting. If you are surfing the web and attempt to access a webpage with a certificate that is expired or no longer secure; there is a chance you are accessing a website that could be loaded with malware, viruses, trojans, or even eavesdroppers.
  5. BE A CAUTIOUS SURFER: Surfing the web can be risky if you aren’t careful, so use caution. This is due to the fact that it is possible for users to pick up malicious code that can infect a computer with viruses and other unwanted malware. Picking these viruses up could be as simple as clicking on a link that you think takes you to clothing website. It is also imperative you do not surf the web if you are on an account that has administrator privileges. If you pick up malware using a computer with administrator privileges, you have successfully just given the malware the same administrator rights that you have on your user account.
  6. MIND YOUR MOBILE MANNERS: With the introduction of the smartphone it has become far easier for people to surf the web, check emails, or update social media statuses. When connected to the company network on an unprotected phone, there is potential to cause a lot of damage if one clicks on a bad link or visits the wrong page. If employees are allowed to use the company network, then proper security measures should be taken to secure the mobile device. Proper measures include phone encryption, using the guest Wi-Fi network, and using strong phone passwords
  7. BE ALERT: People are the weakest links when it comes to keeping sensitive information secure. One method used to gain sensitive information is called social engineering. Social engineering is the attempt to gain unauthorized information or access to facilities through the manipulation of someone. The social engineer will research the organization in an attempt to learn employee information that could aid them. They typically call the victim with a made up story designed to steal or access information. To help combat this, employees must be trained to be helpful, but stern when it comes to giving out information, as well as how to identify a potential social engineering attack. The employee should ask questions that would be difficult for the social engineer to answer. If incorrect information is provided the employee should politely decline the individual, and alert management on the attempt to gain access to sensitive information.
  8. USE STRONG PASSWORDS: It is critical for everyone to use and support strong passwords. Strong passwords contain at least 12 characters, upper and lower case letters, numbers and special characters. Passwords are used to ensure the safe keeping of sensitive information. They are an essential line of defense on a users’ workstation, and will stop any attempt to gain access to restricted networks or systems. It is also necessary to set up strong passwords that are unique to one person and are not used in any other personal or business account by that person. Passwords should be changed or updated every 60 to 90 days, and should never be shared.
  9. EDUCATE, EDUCATE, EDUCATE: If all employees have a basic understanding of security or know how to identify a potential incident your business is less likely to fall victim to an attack. On the first day of work new employees should be taught about the company’s information security policies and their role in protecting sensitive information. They should be informed on all policies regarding computer interaction, company networks, and the internet. They should know the expectations when it comes to the limitation of personal use on company provided equipment. Employees should be asked to sign a statement acknowledging that they understand the company’s business policies and any penalties that result if guidelines are not followed. Having all employees well-trained in the basics of network, system and information security is a huge step in today’s cyber world and is one of the best investments that can be made.
  10. BACK IT UP: Data Loss Prevention (DLP) software should be used to keep private information safe. There are a number of DLP software functions a user can choose, ranging from cloud prevention services all the way to e-mail services. The goal of DLP software is to monitor and protect each users’ sensitive data. A user that has DLP software installed on their system will be undoubtedly safer due to the fact that there is a “double-check safe guard” for information being processed on their workstation. For example: if an employee goes to send an e-mail and accidentally includes the sensitive information of customer at the institution, the email will not send until the info or data is erased from the message. DLP software should always be looked at as a viable option for information security.
Resources: 
Written by: SBS Institute, SBS CyberSecurity
 

Small Business Security 101

Small business security is something that is often overlooked, with IT responsibilities seemingly assigned to the person who knows the most about computers in many cases. While fulfilling the basic needs of the company, assigning such important responsibilities carelessly leaves your business vulnerable to a cyber attack that could result in the loss of customer information or severely damage your reputation.
 
IGNORANCE IS BLISS, OR IS IT?
Smaller businesses are attractive targets to attackers because most small businesses rely on technology to perform day-to-day operations. Many businesses would not be able to thrive without the ability for customers to view its website, make online transactions, or even the ability for employees to send an email to employees or customers around the globe. Small businesses must realize that the technology that allows you to grow and be profitable can also pose the greatest threat to your business if not properly managed.Without training your employees to identify and understand the risk of cyber attacks, many businesses are sitting ducks for an attacker to simply harvest customer information. That’s what we call a low-risk, high-reward opportunity. The reputational damage caused by a cyber attack could very well force your business to close its doors completely.
 
WHERE TO START
An understanding of information security and how a well-managed program operates significantly reduces the risk of data being lost or stolen due to a cyber attack. In 2017, Manta conducted a poll of 1,420 small business owners and found that 87% felt they were at risk of experiencing a data breach.  Additionally, only a 17% noted that they had basic IT security controls in place. Basic security controls like antivirus and a firewall are critical to the health of the organization and its responsibility of protecting the customer information it possesses. Below are five (5) areas that any organization that utilizes the Internet NEEDS and is EXPECTED to have in place. If your business has not addressed these five (5) security control areas, stop what you’re doing and figure out how to protect your organization immediately.
 
  1. A business-class firewall: Home routers can be inexpensive and are great for simple tasks such as streaming online videos. Focus on investing in something that is made for businesses and allows you to change default settings.
  2. Anti-virus/anti-malware: You can choose either or both; just make sure you pay for the subscription and use its features.
  3. Email filtering: 93% of all data breaches begin with a phishing email. A single phishing email has the potential to cause significant damage to a business and is the most widely attack used; make sure you do everything you can to keep junk and phishing emails our of your environment.
  4. User access controls: Not limited to just strong and unique passwords; user access controls should be based on the principle of least privilege. Administrator accounts should never be used for regular duties. Reducing privileges for users drastically reduces the risk of an employee accidentally installing a malicious program onto their workstation.
  5. Patch management: It is paramount that systems are patched in a timely manner as soon as new patches are available. Be sure your third-party programs are included in your patch plan.
 
HOW TO IMPROVE (Don’t Be the Low Hanging Fruit)
IT security is not something you put in place and never touch or think about again. It is a continual process of improvement to stay one step ahead of the bad guys. Proactive security keeps businesses mindful of new threats and how you can protect yourself vs. reactive security where businesses are running to catch up with threats after they have happened. Now that some basic areas of security have been defined, businesses need to continue to grow their security posture for the future. Here are five (5) additional controls that businesses can implement to improve security:
 
  1. Vulnerability scanning: This is an excellent way for a business to understand and measure how successful the patch management program is or if there are additional vulnerable programs on the network.
  2. Password managers: These are a powerful tool that can be used to create extremely strong and unique passwords for all employee’s accounts. One master password is used to unlock a digital vault where passwords to websites can be securely stored and viewed. Password vaults can stop employees from using the same password for everything and worrying about remembering 200 different passwords (the number of unique websites that today’s consumer logs into on average).
  3. Ongoing security awareness training: Social engineering attacks are the most common way a network is compromised today. Continued education for employees about the dangers of phishing emails and how to identify them is critical. Additional training covering ransomware, customer identification, and other common social engineering attacks will dramatically reduce the risk of a successful cyber attack.
  4. Phishing testing: Phishing assessments provide insight into how the business will fair during a simulated phishing attack. Testing provides employees a chance to see how authentic phishing emails can seem and the results can be used to further increase employee education and awareness.
  5. Back up your information: Backups can also make or break a business. Ransomware, viruses, and hardware failures can cause everything that a business is storing digitally to be lost in an instant. A business should follow the 3-2-1 strategy, meaning at least three (3) total copies of your data are available, stored on two (2) differed mediums (backup tape AND external hard drive, for example), and at least one (1) copy stored offsite.
Small businesses cannot afford to lag in information security. Every business must understand and implement basic information security needs to prevent the most basic and automated of attacks. Once addressed, a proactive approach to security will keep the business and its customer information secure and avoid being a low hanging fruit that is easy for an attacker to reach.
Written by: Eric Chase, Information Security Consultant, SBS CyberSecurity, LLC