The holiday season means different things to different people. For many criminals and scammers, it’s another opportunity to steal money from unsuspecting users.
US-CERT recently sent an alert related to holiday phishing scams and malware campaigns.
Be Vigilant
US-CERT reminds users to remain vigilant when browsing or shopping online this holiday season. Ecards from unknown senders may contain malicious links. Fake advertisements or shipping notifications may deliver infected attachments. Spoofed email messages and fraudulent posts on social networking sites may request support for phony causes.
To avoid seasonal campaigns that could result in security breaches, identity theft, or financial loss, users are encouraged to take the following actions:
- Avoid following unsolicited links or downloading attachments from unknown sources.
- Refer to these security tips to learn more about Shopping Safely Online and Avoiding Social Engineering and Phishing Attacks.
- Read the Federal Trade Commission’s blog on Don’t let scammers take away your holiday cheer.
- Visit the Federal Trade Commission’s Consumer Information page on Charity Scams.
If you believe you are a victim of a holiday phishing scam or malware campaign, consider the following actions:
- File a complaint with the FBI’s Internet Crime Complaint Center (IC3).
- Report the attack to the police and file a report with the Federal Trade Commission.
- Contact your financial institution immediately and close any accounts that may have been compromised. Watch for any suspicious charges to your account.
- Immediately change any passwords you might have revealed and do not use that password in the future. Avoid reusing passwords on multiple sites.
Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action. You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important. Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes: Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it. If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study Guide is an update to the top-selling SY0-201, SY0-301, SY0-401, and SY0-501 study guides, which have helped thousands of readers pass the exam the first time they took it. It includes the same elements readers raved about in the previous four versions.
Watch Out for Fraudulent Ecards
Many Ecards are legitimate. However, because they are, criminals and scammers also use them to send malware. Scambusters.org has some good advice on spotting fake ecards. Here are a few telltale signs of a fake ecard that they list on their site.
- Spelling mistakes — e.g. congratulation! Or your name is misspelled.
- Errors in the message — e.g. it says you sent a card, not received one.
- The sender isn’t someone you know.
- The sender has a bogus name (Joe Cool, Agatha Tragonawar, Card Sender, Secret Admirer, etc.).
- A URL that appears odd — e.g. www.http:// rather than http://www.
You Only Need to Make One Mistake
Criminals and scammers send out more than four billion emails with malicious attachments every day. That’s 2.3% of 205 billion emails sent out daily.
Note that this doesn’t count phishing, spear phishing, and whaling emails that have links to driveby download sites.
Of course, everyone doesn’t fall for these scams. However, if you do just once, you may find all of your data locked up until you pay a hefty ransom.
Worse, if an employee in your organization falls for one of these scams, your entire organization may be held hostage.
This is one of the reasons that so many organizations value employees with a security certification such as the Security+. Knowledgeable employees are less likely to fall for the scams.
In contrast, uneducated employees don’t realize how much damage they can do to an entire organization by making a single mistake.
As an example, consider the Hollywood Presbyterian hospital. A single employee clicked a malicious link. The malware installed itself on this employee’s machine and then spread itself throughout the network. Eventually, the malware encrypted a significant amount of data and criminals demanded a ransom to unlock this medical data.
Criminals demanded $3.4 million, but the hospital reportedly paid about $17,000 to gain access to much of their data. From another perspective, employees had to work for more than a week without traditional computer access.
Why?
Again, this is because a single employee didn’t understand the dangers of malicious email.
Do you?
