Category Archives: Scams

The 2016 Election, Lessons Learned in Cybersecurity, 1

It was 40 years ago this past Sunday, June 11, that I received my BA in Computer Science. Computer Science was a relatively new academic discipline, even in 1977, and it was hard to imagine then that 39 years later computing, and its ubiquity, could have any effect on a national political campaign. While politicians and investigators try to determine what cyber-meddling (and perhaps cyberwarfare) was performed by Russia during the 2016 election campaign, there are several lessons to be learned by all individual users, the first related to access control.

Userids and passwords. We all hate them, and yet none of us can live without them. They provide access to our most important personal secrets, whether those secrets are in our bank accounts, our credit card accounts, our Facebook posts, our online trove of photos, or our e-mail accounts. We should change them frequently, although there are many different theories on how frequently they should be changed. However, we should be careful about changing them when just arbitrarily prompted to, which was the case for several staffers and senior advisers to the Hillary Clinton campaign.

As described in the New York Times article The Perfect Weapon: How Russian Cyberpower Invaded the U.S., these advisers, including senior adviser John Podesta, were presented with an e-mail, purportedly from Google, imploring them to change their password. Naturally, those e-mails were not from Google; they were from Russian hackers. Once the user changed the password, it was harvested by those hackers, who now had access to all of the e-mails in the affected account, including e-mails from other Clinton campaign staffers who had not changed their Gmail password.

So what’s the lesson here? Without getting into the politics of the situation, the fact is that, as I teach my students, there are several things the average user should do regarding changing their passwords.

  1. If presented with an e-mail as those campaign staffers received, ask yourself, “am I expecting such an e-mail?”   “Why would I be getting such an e-mail?”
  2. “Mouse over” the link to the sender (the sender’s e-mail address) and the link to the password change page.  It shouldn’t display a legitimate gmail administrative address, or the address of your organization’s e-mail administrator.  It’s not always easy to “mouse over” a link on a smartphone (it depends on your phone), so you have to take the attitude that the world is not going to come to an end if you don’t change it immediately – wait until you can get to a laptop or desktop computer to do this.
  3. And most importantly, don’t ever change the password from a link in an e-mail.  Sign into your e-mail account, click on the settings, and change it there.  As I stated in point 2 above, the sky isn’t going to fall if you don’t change your password immediately.
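
The mouse-over check from step 2, done in code, as an added example that is not part of the original post: it reads a raw message and reports the real sender address and the real host behind each link. The trusted-domain set, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"google.com"}  # assumption: domains you expect such notices from
# Constructed sample message; every name and address here is made up.
SAMPLE = """\
From: Google <no-reply@accounts.googlemail.example>
Subject: Someone has your password
Content-Type: text/html; charset="utf-8"

<p>Someone just used your password. Change it immediately.</p>
<p><a href="http://login.short.example/r?id=123">https://accounts.google.com/security</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def trusted(host):
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def mouse_over(raw):
    """Return warnings: what hovering over sender and links would reveal."""
    msg, warnings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1]  # address, not display name
    if not trusted(sender.rpartition("@")[2]):
        warnings.append(f"sender address is {sender}")
    parser = LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in parser.links:
        real, shown = urlsplit(href).hostname, urlsplit(text).hostname
        if not trusted(real):
            note = f" but displays {shown}" if shown and shown != real else ""
            warnings.append(f"link goes to {real}{note}")
    return warnings
```

A non-empty result means the message fails the check; the safe course is still step 3, signing in directly rather than following the link.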

You aren’t running for President – but you DO have valuable private information that you don’t want compromised.  Don’t fall into the same trap that the HRC campaign staffers did – apply proper, simple Cyber Security methods and hygiene when changing e-mail passwords.  You’ll save yourself a lot of grief and perhaps even money.

 

 

New Year, Same Scams

The Tax Season is upon us, and once again the “IRS Scam” will be rearing its ugly head.  As I teach my students, as I’ve discussed in public lectures and presentations, this is one of the most insidious scams out there, and one that’s easily avoided.  Except that most people, especially seniors who were raised to trust and respect authority, continue to fall prey to it.  Face it, if you’re confronted with a phone caller who tells you that you might be served a warrant, your first instinct would be to be scared.  Your second might be to comply.  Except that you shouldn’t.

That’s because the IRS will NEVER initially call you regarding ANY issue.  The keyword here is initially.  If the IRS wants to contact you, they will initially send you a letter.  That’s right, via “snail mail,” i.e., the US Postal Service.  Once you have that letter, you might need to call THEM, and then you can establish a phone dialogue, but their initial contact with you will be via mail.  If you receive a phone call that you are not expecting from someone claiming to be from the IRS, just hang up (or, if you are being more adventurous, dare them to serve you with the warrant, and then hang up!).

It’s not just the IRS scam. The Microsoft Tech Support scam is still alive and well, especially now that many have downloaded and installed Windows 10. When you get a call from someone saying that they’re from “Microsoft Tech Support,” the first thing you must ask yourself is, “Am I expecting this call?” The second thing you must ask yourself is, “How do they even know what operating system I’m running?” But, in the end, you need to know that the REAL Microsoft Tech Support will never call you out of the blue. They will call in response to a request from you, but never without such a request. If you get a call like this, you could play around with the caller a bit and ask him or her if they know what OS you’re running, or what service pack or version you’re running (even if you don’t know what version you’re running), but it’s best just to hang up. And never, never, never give any identifying information (userids, passwords), let alone a credit card number. Just hang up.