- Find a place and make it your office. Do not share it with others while you are working.
- Don't leave confidential information lying around.
- Don't send your work emails to your printer or personal email just to make it easier to print.
- Only use apps approved by your organization to communicate.
- Always verify by phone, using a number you already have on file rather than one supplied in the request, since you won't be able to verify in person requests for confidential information or to transfer funds.
- Be cautious of IoT devices like Alexa, Siri or Google Home. Don't have sensitive conversations near any IoT device that could be listening.
- Do not share devices or passwords with other family members. Make sure that any devices used for work have a unique password and a lock screen timeout.
- Don't try to resolve technical issues yourself as this could create security risk. Instead work with your IT department or helpdesk.
- Don't let browsers remember your passwords. For every work-related site, use a different, unique password that is long and complex.
- If your company provides you with a dedicated computer or virtual desktop, use it. Don't use a personal computer for work.
- A wired network is more resistant to eavesdropping and rogue-access-point attacks than Wi-Fi. If possible, connect your work device to a wired network instead of Wi-Fi.
- Connect to Corporate With a VPN - Remote workers should be connected to an encrypted, corporate-owned VPN connection in order to get access to any company data. Split tunneling should be disabled to avoid data bridging the encrypted and non-encrypted connections.
- Be Wary of Public Wi-Fi - Be careful using public Wi-Fi if you're working on the go. Public Wi-Fi can make your computer vulnerable to hackers.
- Harden Your Wireless Access Points - Ensure any wireless access points on your network are appropriately hardened: WPA2 or WPA3 with a long passphrase, WPS turned off, and the administrative password changed from the factory default. Another recommendation is to turn off SSID broadcast (beaconing) so that you must already know your SSID to connect. This is in no way foolproof, since the SSID still appears in probe requests from your own clients and any wireless sniffer will recover it, but it is an added layer of protection. Many wireless attacks are simply done against the easiest targets in crowded areas; by not broadcasting your SSID, you minimize your wireless footprint so that only people who know your SSID can find and connect to you.
- Update System and Software Patches Regularly - Installing system and software updates promptly is one of the most effective defenses against common viruses and malware, particularly for computers running Windows. Software makers release updates to address specific security flaws; by installing them, you close the vulnerabilities that malware authors rely on to infect your computer.
- Don't Forget the Firmware - Any device on the home network should be kept up to date, including the router that allows connection to the Internet. Remote workers should regularly check for firmware updates on their home routers, printers, scanners, and other peripherals, apply any updates, and use strong passwords -- and multi-factor authentication, if possible.
- Use Two Separate Machines - Do work on your work computer and personal computing on your personal computer. If you intermix the two, you increase the chance that an infection will contaminate both your work and personal life. This will be especially bad if you get infected on a business email or communication and it moves over into your personal accounts.
- Use the Tools the Company Gives You - There is a reason for the IT and security teams: to help you do your job in the most secure way. Tools adopted at the company level typically go through some form of vetting and assessment for security impact. Stick with the sanctioned tools and you will have both support and security for the application. Use something unauthorized and you take on whatever vulnerabilities it carries, with nobody monitoring or patching it.
- Don't Rely on a Consumer-Grade Router - Make sure that your router is up-to-date and that you maximize all security options.
- Ensure Routers and Firewalls Are Properly Configured - Follow the manufacturer's instructions and ensure your Internet router/firewall is properly configured, including no remote management, no ingress ports, proper outbound filtering, and non-default administrative credentials.
- Turn on Auto Updates - Set anything -- routers, smartphones, endpoints -- to update automatically. You will still need to verify the updates were applied, but you will save yourself the downtime of manual installation.
- Segment Off Your Personal Network - One of the easiest ways of protecting work-at-home endpoints is to put company assets on their own wireless networks. A home user can connect more than one wireless device to their cable modem or other gateway device and keep their personal devices, home automation, or other components on a separate network. Especially if the company configures and provides the device, it can minimize the risks of disclosure of WPA keys or other avenues of attack.
- Use a Password Manager - Reusing the same password for everything is incredibly common and can put all of your accounts at risk. If an attacker gets one password, then they get them all. A password manager ensures that you have unique and strong passwords for all of your accounts and can make remembering all of the passwords far easier.
- Enable MFA Wherever Possible - Ensure two-factor authentication is enabled on your personal accounts, and hopefully your professional organization also requires it! Two-factor authentication blunts phishing and stops credential-stuffing attacks, because a stolen password alone is no longer enough to log in. Note that SMS and one-time codes can still be relayed by a real-time phishing page; phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys are bound to the genuine site and cannot be relayed that way. You should also never reuse passwords, especially between work and personal accounts, as an attacker can pivot between them with ease.
- Avoid Browser Extensions - Compromised extensions can mine employees' credentials, track their activity, and give attackers access to the data stored locally on their devices. When your team is remote, it's important to have a strict extensions policy in place. Browser extensions are notoriously difficult to vet for vulnerabilities. The safest course of action is to ban them entirely.
- Bring a Fresh Battery Pack - You need to power up your tablet, so why not just plug your cord into that handy USB port at the airport kiosk? Because you don't know whether that port has been tampered with and is capable of delivering malware to your device (so-called "juice jacking"). The best ways to avoid picking up malware from a public port are to carry your own portable battery pack, to plug your own charger into a mains outlet rather than a USB port, or to use a USB "data blocker" adapter that passes only the power pins.
- Unsecured Document Sharing Can Be Your Downfall - The downfall of many an employee is acting out of frustration. When documents fail to upload in email or in authorized applications, the employee may resort to alternative means, such as a personal Google Drive. If you need to share a document and size is an issue, reach out to your IT help desk for direction on doing it securely.
- Double Down on Skepticism - When you're working remotely, chances are you'll be catching up with email and other communications while on the move -- and that means you may not be as suspicious or critical about scanning for signs of phishing or social engineering as usual. You've got to turn your risk detector on high when you're working remotely. If you've got any doubt about a message in your inbox when you're on your phone, defer acting on that message until you can look more closely.
Mobile Phone Tips
- Keep a Close Eye on Devices on the Road - Operational security is more important around holidays than any time of the year. As people go out and do their shopping, run errands, etc., they tend to take a laptop along to get work done while they are waiting. Watch for shoulder surfers, sit with your back to a wall with a clear view of the entrance, and never leave anything unattended, not even for a moment. Things walk away quickly, and, worse, someone could stick a low-profile device into an unused USB port you wouldn't notice until they'd key-logged and screen-scraped for a while.
- Don’t log in to company websites via links in emails or texts. If a company wants or needs you to log in to your account, you should already know how to access your account from the company’s own site or app. Even if it takes a few more clicks, it’s time well spent, because you will automatically miss out on the fake "logins" that could compromise your security.
- Don’t make payments via links in emails or texts. This is point 1 in a different guise. If you need to pay a company online, reach the payment page by following your own research, or using a link from a document you already have such as a contract or a recent bill. Don’t get begged, cajoled or frightened into taking exactly the "short cut" the crooks want.
- Don’t turn off security features because a document tells you to. Avoid opening unexpected or unsolicited email attachments if you can. If a document asks you to [Enable content] when you open it, or make some other security downgrade, don’t do it – it’s a trick.
- Don’t trust apps because the app creator tells you to. App reviews, positive app comments and high download counts are cheap to buy if you have no scruples. Reputation must be earned – it can’t be bought or self-declared. If in doubt, ask someone you know and trust for advice.
What Is Ransomware?
According to the FTC, ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data "hostage" until the victim pays a ransom, frequently demanded in Bitcoin. According to the FBI, after the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, and data may be deleted or leaked online as a further form of extortion.
How Is Ransomware Delivered?
According to the FTC, ransomware often arrives through email phishing campaigns, which typically require the user to take an action such as clicking on a link or downloading a malicious attachment. Other campaigns use drive-by downloads, where a user visits a malicious website or a site that has been compromised, and the act of loading the site causes the ransomware to automatically download onto the user's computer. In addition, ransomware is delivered through "malvertising" campaigns, where malicious code is hidden in an online ad that infects the user's computer. These attacks can occur even on trusted websites through third-party ad networks that redirect the user to an infected server.
- Scam emails with links and attachments that put your data and network at risk. These phishing emails make up most ransomware attacks.
- Server vulnerabilities which can be exploited by hackers.
- Infected websites that automatically download malicious software onto your computer.
- Online ads that contain malicious code — even on websites you know and trust.
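The attachment and download paths listed above are where a mail gateway, or a cautious user, can look before anything runs. Below is an added example, written for this page and not taken from the FTC or FBI material it summarizes, that triages an inbound attachment by three signals: a double extension such as invoice.pdf.exe (Explorer hides the last extension by default), a mismatch between the claimed extension and the file's leading bytes, and a VBA macro project hidden inside a Word document. The file names, byte strings and magic-number table are constructed for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed lookup tables for this example; extend them for your environment.
MAGIC: List[Tuple[bytes, str]] = [
    (b"MZ", "pe-executable"),                          # Windows .exe/.dll/.scr
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),                  # .zip, .docx/.xlsx/.docm, .jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),      # legacy .doc/.xls
]
# What the content should look like for a given claimed extension.
EXPECTED_KIND = {
    "pdf": "pdf", "docx": "zip-container", "xlsx": "zip-container",
    "docm": "zip-container", "xlsm": "zip-container", "doc": "ole2", "xls": "ole2",
}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
             "wsf", "hta", "lnk", "ps1", "msi", "jar"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


@dataclass
class Verdict:
    filename: str
    detected_kind: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def sniff(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba(data: bytes) -> bool:
    """Office Open XML files are zips; a VBA project is stored as vbaProject.bin."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename: str, data: bytes) -> Verdict:
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    v = Verdict(filename, sniff(data))
    # 1. Double extension: "invoice.pdf.exe" displays as "invoice.pdf" when
    #    Explorer hides known extensions.
    if len(parts) > 2 and parts[-2] in DECOY_EXTS and ext in EXEC_EXTS:
        v.findings.append(f"double extension hides executable: .{parts[-2]}.{ext}")
    # 2. Directly executable attachment types.
    if ext in EXEC_EXTS:
        v.findings.append(f"executable attachment type: .{ext}")
    # 3. Claimed type disagrees with the content (an .exe renamed to .pdf, etc.).
    if ext in EXPECTED_KIND and v.detected_kind != EXPECTED_KIND[ext]:
        v.findings.append(f"claims .{ext} but content is {v.detected_kind}")
    # 4. Macro-enabled document, by extension or by the embedded VBA project.
    if ext in MACRO_EXTS or has_vba(data):
        v.findings.append("contains a VBA macro project")
    return v


def make_macro_doc() -> bytes:
    """Constructed sample: a minimal Office-style zip carrying a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 not a real VBA stream")
    return buf.getvalue()


# Constructed inbound attachments for the demonstration.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n1 0 obj << >> endobj\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00 PE stub",
    "report.pdf": b"MZ\x90\x00 renamed executable",
    "quarterly.docx": make_macro_doc(),
}


def run_samples() -> Dict[str, List[str]]:
    return {name: triage(name, data).findings for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:20s} {'SUSPICIOUS' if findings else 'ok':10s} {findings}")
```

The point of checking the leading bytes rather than the name is that the name is entirely under the attacker's control; the content is what will actually execute. A clean .docx carrying vbaProject.bin is flagged even though its extension is not macro-enabled, which is exactly the case the "Enable content" trick relies on.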
What Are the FBI Recommendations for Responding to Ransomware?
The FBI recommends that organizations do the following.
- Isolate the infected computer immediately, and remove infected systems from the network as soon as possible to prevent ransomware from attacking network or share drives.
- Isolate or power off affected devices that have not yet been completely corrupted.
- Immediately secure backup data or systems by taking them offline, and ensure backups are free of malware.
- Contact law enforcement immediately.
- Collect and secure partial portions of the ransomed data that might exist if available.
- Change all online account passwords and network passwords after removing the system from the network if possible, and change all system passwords once the malware is removed from the system.
- Delete registry values and files to stop the program from loading. (Do this only after the evidence you need has been preserved, for example a disk image or memory capture of the affected host, since removing the artifacts destroys what investigators rely on.)
- Implement security incident response and business continuity plans.
- Conduct a post-incident review of the response to the incident, and assess the strengths and weaknesses of the incident response plan. (See the FBI's brochure, Ransomware Prevention and Response for CISOs.)
How Should You Report Ransomware to Law Enforcement?
The FBI is requesting that victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center with the following ransomware infection details (as applicable).
- Date of infection
- Ransomware variant (identified on the ransom page or by the encrypted file extension)
- Victim company information (industry type, business size, etc.)
- How the infection occurred (link in email, browsing the Internet, etc.)
- Requested ransom amount
- Actor's Bitcoin wallet address (may be listed on the ransom page)
- Ransom amount paid (if any)
- Overall losses associated with a ransomware infection (including the ransom amount)
- Victim impact statement (See the FBI public service announcement from September 15, 2016, "Ransomware Victims Urged To Report Infections to Federal Law Enforcement.")
Should Organizations Pay the Ransom?
The FBI does not support paying a ransom to the adversary because it does not guarantee the victim will regain access to their data. In fact, some individuals or organizations are never provided with decryption keys after paying a ransom. Paying a ransom emboldens the adversary to target other victims for profit and could provide an incentive for other criminals to engage in similar illicit activities for financial gain. Although the FBI does not support paying a ransom, it recognizes that executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.
There are serious risks to consider before paying the ransom. The US government (USG) does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:
- Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
- Some victims who paid the demand were targeted again by cyber actors.
- After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
- Paying could inadvertently encourage this criminal business model.
What Prevention and Continuity Measures Exist?
The FBI recommends organizations consider implementing the following prevention and continuity measures to lessen the risk of a successful ransomware attack.
- Regularly back up data, and verify the integrity of the backups.
- Secure backups, and ensure backups are not connected to the computers and networks they are backing up.
- Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
- Only download software, especially free software, from known and trusted sites, and verify the integrity of the software through a digital signature before execution when possible.
- Ensure application patches for the operating system, software, and firmware are up to date, including Adobe Flash, Java, Web browsers, etc.
- Ensure antivirus and antimalware solutions are set to automatically update and regular scans are conducted.
- Disable macro scripts from files transmitted via email, and consider using Office viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
- Implement software restrictions or other controls to prevent the execution of programs in common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including those located in the AppData/LocalAppData folder. (See the FBI's brochure, Ransomware Prevention and Response for CEOs.)
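"Verify the integrity of the backups" above is usually left as a sentence; here is what it looks like in practice. This added example (not from the FBI brochure) records a SHA-256 manifest of a backup set at backup time and later diffs the set against it, so a backup that ransomware has rewritten, renamed or seeded with a ransom note is detected before anyone relies on it. The directory layout and file contents are constructed; the manifest itself must be stored where the backup host cannot overwrite it, otherwise an attacker with write access simply regenerates it.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Stream the file so large backup sets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the backup on disk against a manifest recorded at backup time.

    Ransomware that reaches the backup shows up as 'modified' (rewritten in
    place), 'missing' plus 'unexpected' (renamed with a new extension), and
    'unexpected' on its own (a dropped ransom note)."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temporary directory: take a backup, record the
    manifest, then simulate ransomware touching the backup set."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.xlsx").write_bytes(b"PK\x03\x04 ledger contents")
        (backup / "readme.txt").write_bytes(b"quarterly backup, 2024-Q1")
        (backup / "hr").mkdir()
        (backup / "hr" / "roster.csv").write_bytes(b"name,dept\nalice,sec\n")

        # Record the manifest at backup time and keep the copy somewhere the
        # backup host cannot overwrite (offline media or a write-once bucket).
        saved = json.dumps(build_manifest(backup))

        # Simulated encryption event against the backup volume.
        (backup / "finance" / "ledger.xlsx").write_bytes(b"\x8f\x1a\x00 encrypted blob")
        (backup / "readme.txt").rename(backup / "readme.txt.locked")
        (backup / "README_FOR_DECRYPT.txt").write_bytes(b"pay us")

        return verify_manifest(backup, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run verify_manifest on a schedule against the offline copy of the manifest, not one stored beside the backups; an empty result for all three lists is the only state in which the backup should be trusted for restoration. The same hash comparison is what "verify the integrity of the software" means for a downloaded installer, with the caveat that a checksum published on the same site as the download is not a signature and proves nothing if that site is compromised.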
The FBI also recommends that organizations do the following.
- Enable strong spam filters to prevent phishing emails from reaching end users, and authenticate inbound email using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent email spoofing. Note that these checks only establish that the sending domain is who it claims to be; a phishing message sent from an attacker's own correctly configured domain, or from a look-alike domain, still passes them.
- Scan all incoming and outgoing emails to detect threats, and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
- Consider disabling Remote Desktop Protocol if it is not being used.
- Conduct an annual penetration test and vulnerability assessment. (See the FBI's brochure, Ransomware Prevention and Response for CISOs.)
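SPF, DKIM and DMARC are listed above as one item; what DMARC actually adds is the alignment check, and that is the part that defeats the classic spoof in which an attacker's own domain passes SPF while the visible From address says it came from you. As an added illustration, not from the FBI material, the following code takes the Authentication-Results header a receiving mail server stamps on a message, parses a _dmarc TXT record, and decides whether the message passes DMARC. The header strings, the domains (example.com, attacker.net, mx.corp.test) and the policy records are constructed; real DMARC uses the Public Suffix List to find organizational domains, which this simplification skips.

```python
import re
from typing import Dict, List, Tuple

# Constructed Authentication-Results headers, as a receiving MTA would add them.
LEGIT_AR = ("mx.corp.test; spf=pass (sender IP is 203.0.113.10) "
            "smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com header.s=sel1")
SPOOF_AR = "mx.corp.test; spf=pass smtp.mailfrom=bounce@attacker.net; dkim=none"
SUBDOMAIN_SPF_AR = ("mx.corp.test; spf=pass smtp.mailfrom=bounce.example.com; "
                    "dkim=fail header.d=example.com")

SPF_RE = re.compile(r"spf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", re.I)
DKIM_RE = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a _dmarc TXT record ('v=DMARC1; p=reject; aspf=r') into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: real DMARC consults the Public
    Suffix List, so 'example.co.uk'-style names are mishandled here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return ([(spf_result, mailfrom_domain)], [(dkim_result, d= domain)])."""
    spf = [(r.lower(), d) for r, d in SPF_RE.findall(header)]
    dkim = [(r.lower(), d) for r, d in DKIM_RE.findall(header)]
    return spf, dkim


def from_domain_of(from_header: str) -> str:
    m = re.search(r"@([\w.-]+)", from_header)
    if not m:
        raise ValueError("no address in From header")
    return m.group(1).lower()


def dmarc_disposition(from_header: str, auth_results: str, dmarc_record: str) -> Tuple[str, str]:
    """Return (dmarc_result, action). DMARC passes when SPF or DKIM passed AND
    the domain that passed aligns with the visible From domain. An SPF pass
    for some unrelated domain (the classic spoof) does not count."""
    tags = parse_dmarc_record(dmarc_record)
    from_domain = from_domain_of(from_header)
    spf, dkim = parse_auth_results(auth_results)
    spf_ok = any(r == "pass" and aligned(d, from_domain, tags.get("aspf", "r")) for r, d in spf)
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r")) for r, d in dkim)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    policy = tags.get("p", "none")
    return "fail", policy if policy in ("reject", "quarantine") else "deliver"


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; aspf=r; adkim=r"
    for label, ar in (("legit", LEGIT_AR), ("spoof", SPOOF_AR)):
        print(label, dmarc_disposition("CEO <ceo@example.com>", ar, record))
```

Two things to take from running it: the spoofed message has a perfectly valid SPF pass (for attacker.net) and is still rejected, because alignment is measured against the From domain the user sees; and a record published with p=none produces "fail, deliver", which is why a DMARC rollout that never moves past p=none has not actually blocked anything.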
Following are additional considerations for businesses.
- Focus on awareness and training. Because end users are often targeted, employees should be made aware of the threat of ransomware, how it is delivered, and be trained on information security principles and techniques.
- Patch all endpoint device operating systems, software, and firmware as vulnerabilities are discovered.
- Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary, and they should operate with standard user accounts at all other times.
- Configure access controls with least privilege in mind.
- Use virtual environments to execute operating system environments or specific programs.
- Categorize data based on organizational value, and implement physical/logical separation of networks and data for different organizational units.
- Require user interaction for end-user applications communicating with Websites uncategorized by the network proxy or firewall.
- Implement application white-listing. Only allow systems to execute programs known and permitted by security policy. (See the FBI public service announcement from September 15, 2016, "Ransomware Victims Urged To Report Infections to Federal Law Enforcement.")
- Organizations also should conduct a cyber-security risk analysis of the organization and have and test an incident response plan.
- Finally, organizations should take into account insurance coverage, including cyber-liability/cyber-extortion coverage.
Is There an Example of a Recovery Plan Specific to a Ransomware Attack?
The National Institute of Standards and Technology Guide for Cybersecurity Event Recovery (NIST Special Publication 800-184, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf) includes an example of a recovery plan in the form of a playbook for a ransomware attack. While the guide is written for US federal agencies, it should be useful to any organization.
Could a Ransomware Attack Result in a Breach under HIPAA?
The Department of Health and Human Services (HHS) provided guidance in Fact Sheet: Ransomware and HIPAA that states:
- A breach under the HIPAA Rules is defined as, "… the acquisition, access, use, or disclosure of [protected health information] PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI." See 45 C.F.R. 164.402.
- When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a "disclosure" not permitted under the HIPAA Privacy Rule.
- Unless the covered entity or business associate can demonstrate that there is a "… low probability that the PHI has been compromised," based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.
Internet safety
- Never open suspicious files. Assume that any file you receive may be infected, even if you know the sender well. Viruses, spyware and other malicious code typically spread from an infected PC using its address book, so they will most likely arrive from family, friends, or business associates. When working with your email, browsing websites, or chatting via an instant messenger, do not accept any unsolicited files from anyone, since they could contain malicious code.
- Clicking Unknown Links. Avoid following URLs in email messages that look questionable; hover over a link to see where it actually points before clicking. Attackers often plant malicious code on web pages, so do not visit websites you are not familiar with.
- Anti Virus. Always keep your anti-virus, anti-spyware, and firewall protection up to date. New threats emerge regularly so it is critical that you keep your protective software and firewall technology current. In addition, scan your system monthly with the settings recommended by your Internet security provider.
- Restrict Administrative Privileges. Make sure that every employee's level of administrative access matches, and does not exceed, their job responsibilities. This includes not allowing employees to install software, music files, games, etc., as well as restricting access to external services such as web mail and remote control services. These restrictions help protect your organization from spyware such as keystroke loggers.
- Operating Systems. Keep your operating system and application software patches up to date. To prevent infection by malicious code, keep patches current for your operating system (e.g. Windows, Linux, macOS) as well as for your applications (e.g. Internet Explorer, Firefox and Safari).
- Stay Informed and Educated. It is important that not only your IT department stays up to date on the latest threats but that your employees and your business customers are also advised of them and that you educate them about the techniques of "safe computing." Internet security providers release formal alerts on the latest threats and vulnerabilities and how to protect against them.
- Spam. Spammers scan the internet to find computers that aren't protected by security software, and then install bad software - known as "malware" - through those "open doors." That's one reason why up-to-date security software is critical. Malware may be hidden in free software applications. It can be appealing to download free software like games, file-sharing programs, customized toolbars, and the like, but sometimes just visiting a website or downloading files may cause a "drive-by download," which could turn your computer into a "bot." Another way spammers take over your computer is by sending you an email with attachments, links or images which, if you click on or open them, install hidden software. Be cautious about opening any attachments or downloading files from emails you receive. Don't open an email attachment - even if it looks like it's from a friend or coworker - unless you are expecting it or know what it contains. If you send an email with an attached file, include a text message explaining what it is.
- Don't Let Your Computer Become Part of a "BotNet." Some spammers search the internet for unprotected computers they can control and use anonymously to send spam, turning them into a robot network, known as a "botnet." Also known as a "zombie army," a botnet is made up of many thousands of home computers sending emails by the millions. Most spam is sent remotely this way; millions of home computers are part of botnets.
- Use Security Software That Updates Automatically. The bad guys constantly develop new ways to attack your computer, so your security software must be up to date to protect against the latest threats. Most security software can update automatically; set yours to do so. Also, set your operating system and web browser to update automatically. If you let your operating system, web browser, or security software get out of date, criminals could sneak their bad programs – malware – onto your computer and use it to secretly break into other computers, send spam, or spy on your online activities. Don’t buy security software in response to unexpected pop-up messages or emails, especially messages that claim to have scanned your computer and found malware. Scammers send messages like these to try to get you to buy worthless software, or worse, to "break and enter" your computer.
- Treat Your Personal Information Like Cash. Don’t hand it out to just anyone. Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. So every time you are asked for your personal information – whether in a web form, an email, a text, or a phone message – think about whether you can really trust the request. In an effort to steal your information, scammers will do everything they can to appear trustworthy. Learn more about scammers who phish for your personal information.
- Check Out Companies to Find out Who You’re Really Dealing With. When you’re online, a little research can save you a lot of money. If you see an ad or an offer that looks good to you, take a moment to check out the company behind it. Type the company or product name into your favorite search engine with terms like "review," "complaint," or "scam." If you find bad reviews, you’ll have to decide if the offer is worth the risk. If you can’t find contact information for the company, take your business elsewhere. Don’t assume that an ad you see on a reputable site is trustworthy. The fact that a site features an ad for another site doesn’t mean that it endorses the advertised site, or is even familiar with it.
- Give Personal Information Over Encrypted Websites Only. If you’re shopping or banking online, stick to sites that use encryption to protect your information as it travels from your computer to their server. To determine if a website is encrypted, look for https at the beginning of the web address (the "s" is for secure). Some websites use encryption only on the sign-in page, but if any part of your session isn’t encrypted, the entire account could be vulnerable. Look for https on every page of the site you’re on, not just where you sign in. Keep in mind that https only protects the connection; it says nothing about who runs the site, and phishing pages routinely use https too, so check the domain name as well.
- Protect Your Passwords. Here are a few principles for creating strong passwords and keeping them safe:
- The longer the password, the tougher it is to crack. Use at least 10 characters; 12 is ideal for most home users.
- Mix letters, numbers, and special characters. Try to be unpredictable – don’t use your name, birthdate, or common words.
- Don’t use the same password for many accounts. If it’s stolen from you – or from one of the companies with which you do business – it can be used to take over all your accounts.
- Don’t share passwords on the phone, in texts or by email. Legitimate companies will not send you messages asking for your password. If you get such a message, it’s probably a scam.
- Keep your passwords in a secure place, out of plain sight.
- Back Up Your Files. No system is completely secure. Copy important files onto a removable disc or an external hard drive, and store it in a safe place. Keep that drive disconnected except while you are backing up, so that ransomware on your computer cannot reach it. If your computer is compromised, you’ll still have access to your files.
Web Browser Security:
One of the most critical points of entry to your computer or gadgets is your Web browser. Unfortunately, your Web browser can have hundreds of security holes that hackers can, and do, exploit. Maybe your browser isn't updating, or perhaps you have add-ons or plug-ins installed that have their own security holes.
1. KEEP BROWSER UP TO DATE
One of the easiest ways to keep hackers away is to make sure your Web browser is up to date. Browsers like Microsoft's Edge, Mozilla's Firefox and Google Chrome regularly issue patches and fixes for bugs they know about, and typically they get most of them out before hackers can have a field day exploiting the vulnerabilities.
Fortunately, most browsers these days are automatically updated. For instance, if you installed Microsoft's new Windows 10 operating system, its default setting is to automatically update your software and issue patches, including for its Edge browser.
Firefox and Chrome also have default settings for automatic updates. You just need to restart them occasionally for the latest updates to install. If you're not sure if you're set up for automatic updates, here's how to check:
Chrome: Google Chrome updates automatically, and turning that off isn't easy. That's good. But to make absolutely sure you've got the latest version, click the Menu icon (upper right corner of the window), choose "Help," then "About Google Chrome." That page checks for an update and tells you whether you're current.
Note that the "Protect You and Your Device From Dangerous Sites" option under Menu>>Settings>>Show Advanced Settings controls Safe Browsing, not updates. Leave it on, but it will not start or stop Chrome updating; Chrome does not expose an update on/off switch in its settings, and on managed machines update behaviour is set by administrator policy.
Edge: If you're using Windows 10, go to Start>>Settings, then click "Update & Security." Windows Update should say your device is up to date. If it's not, choose "Advanced Options," then "Choose How Updates Are Installed" and select "Automatic (recommended)."
Internet Explorer: In Windows 8, using a mouse, right-click in the lower right corner of the screen and choose "Control Panel." If you're using a touch screen, swipe from the right of the screen and tap "Settings," then "Control Panel." In Windows 7 and Vista, go to Start>>Control Panel.
In Control Panel, click "System and Security." Under "Windows Update," choose "Turn Automatic Updating On Or Off." Choose "Install Updates Automatically" from the drop-down menu.
Firefox: Click the Menu icon (far upper right-hand corner; it's three horizontal lines) and choose "Options" and then "Advanced" in the left-hand column. Select the "Update" tab on the right, and under "Firefox Updates," make sure "Automatically Install Updates (Recommended: Improved Security)" is selected.
2. UNINSTALL UNNEEDED PLUG-INS
To do this in Windows 10, go to Start and select "All Apps." That's essentially Windows 10's version of the Control Panel. That will list all the programs installed on your device. Right-click on the one you don't want; then select Uninstall. In older versions of Windows, go to Start>>Control Panel, then under "Programs," click "Uninstall a Program." Select the plug-in you want to remove, and click Uninstall.
3. SECURE YOUR WEB BROWSER
Today, web browsers such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari are installed on almost all computers. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.
There is an increasing threat from software attacks that take advantage of vulnerable web browsers. We have observed new software vulnerabilities being exploited and directed at web browsers through use of compromised or malicious websites. This problem is made worse by a number of factors, including the following:
- Many users have a tendency to click on links without considering the risks of their actions.
- Web page addresses can be disguised or take you to an unexpected site.
- Many web browsers are configured to provide increased functionality at the cost of decreased security.
- New security vulnerabilities are often discovered after the software is configured and packaged by the manufacturer.
- Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
- Third-party software may not have a mechanism for receiving security updates.
- Many websites require that users enable certain features or install more software, putting the computer at additional risk.
- Many users do not know how to configure their web browsers securely.
- Many users are unwilling to enable or disable functionality as required to secure their web browser.
As a result, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems.
4. ENABLE CLICK-TO-PLAY PLUG-INS
Plug-ins such as Adobe Flash have had many security holes, and we recommend that you disable them, or at least limit when they are allowed to run. (Adobe ended support for Flash Player at the end of 2020; if it is still installed on a machine, remove it rather than limiting it.)
The limiting option is called click-to-play. Instead of a plug-in always running, you have to click on it to activate it, so a malicious page can't start it silently. Here's how to do that.
Chrome: Menu (horizontal lines in the upper right corner)>>Settings. Click "Advanced Settings" at the bottom of screen. Under "Privacy," choose "Content Settings." Under "Plug-ins," choose "Let Me Choose When To Run Plug-in Content."
Edge: This browser doesn't really have click-to-play. You have to disable and re-enable plug-ins manually.
Windows 10 (Internet Explorer add-ons, through the Control Panel): Right-click on the Start menu and choose "Control Panel." Click "Network and Internet" and then under "Internet Options" click "Manage browser add-ons." Click the "Manage add-ons" button and then highlight a specific plug-in in the "Toolbars and Extensions" area. If a plug-in is enabled, click the "Disable" button in the lower-right corner.
If you're just interested in Adobe Flash, in Edge, click the icon with the three dots in the upper-right corner, then select "Settings." Click the "View Advanced Settings" button and you'll see the "Use Adobe Flash Player" option. Turn this off when you don't need to use Flash.
Internet Explorer: In the far top right corner, click on the little gear icon and choose "Manage Add-Ons." Highlight a specific plug-in in the "Toolbars and Extensions" area. If a plug-in is enabled, click the "Disable" button in the lower-right corner.
Firefox: Menu (horizontal lines in the upper right corner)>>Add-Ons. Choose "Plugins" in the left-hand column. Next to each plug-in, you'll see a drop-down menu. Change each one to "Ask To Activate."
5. GET RID OF UNNEEDED BROWSER EXTENSIONS
Browser plug-ins and browser extensions are easy to confuse. Plug-ins handle video or other content that the browser can't handle on its own. Extensions are bits of code that add new features to the browser.
Extensions have a downside, though. Many of them ask for permission to read and change data on every site you visit, which is the same access needed to capture the passwords you type and the session cookies that keep you logged in. A malicious extension, or a legitimate one that was sold to a new owner or whose developer account was hijacked, can use that access to steal credentials or inject malware into the pages you view.
A couple of tips: Before you install an extension, make sure it's coming from a trustworthy source, has been around for a while, and asks only for the permissions its job actually needs. Second, review your extensions every once in a while to weed out the ones you don't need any more. If you're not using an extension, or you suspect it's not from a reliable company, delete it. Here's how:
Chrome: Go to Menu>>More Tools>>Extensions, then click "Remove" on each extension you don't need.
Edge: Early versions of Microsoft's new browser had no extension support; current versions do, and you can review and remove them from Menu (three dots)>>Extensions.
Internet Explorer: This browser does not support extensions.
Firefox: Menu>>Add-Ons. Choose "Extensions" in the left-hand column, then select the ones you don't want and click "Remove."
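The permission list is the quickest way to judge an extension, and it can be checked automatically: every extension ships a manifest.json declaring what it may do. The script below is an added example, not code from the original page or from any browser vendor. It parses extension manifests and reports the grants that give an extension reach over every page (host permissions covering all sites, request interception, cookies, clipboard, and so on). The three manifests are constructed for the example, and the risk descriptions are the example's own labels, not an official rating.

```python
"""Audit browser-extension manifests for permissions that reach every page.

Added example, not code from the original page. Works on the manifest.json
layout used by Chromium-based browsers and Firefox (manifest v2 and v3).
"""
import json

# Permissions that give an extension broad reach. The descriptions are this
# example's own labels (an assumption), not a browser vendor's risk rating.
RISKY_PERMISSIONS = {
    "<all_urls>": "read and change data on every site you visit",
    "webRequest": "observe network requests, including form submissions",
    "webRequestBlocking": "block or rewrite network requests",
    "cookies": "read session cookies for the sites it is allowed on",
    "clipboardRead": "read whatever you copy, passwords included",
    "tabs": "see the URL and title of every open tab",
    "nativeMessaging": "talk to programs outside the browser sandbox",
    "debugger": "attach the devtools debugger to pages",
    "history": "read your full browsing history",
}


def _host_patterns(manifest):
    """Collect host patterns from permission lists and content-script matches."""
    hosts = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if "://" in entry or entry == "<all_urls>":
                hosts.append(entry)
    for script in manifest.get("content_scripts", []):
        hosts.extend(script.get("matches", []))
    return hosts


def audit_manifest(manifest):
    """Return a list of (permission, reason) findings for one manifest dict."""
    findings = []
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(manifest.get(key, []))
    for perm in sorted(declared):
        if perm in RISKY_PERMISSIONS:
            findings.append((perm, RISKY_PERMISSIONS[perm]))
    for pattern in _host_patterns(manifest):
        if pattern == "<all_urls>":
            continue  # already reported above
        # "*://*/*" and "https://*/*" cover every host, same as <all_urls>.
        host = pattern.split("://", 1)[-1].split("/", 1)[0]
        if host == "*":
            findings.append((pattern, "runs on every host"))
    return findings


def audit_all(manifests):
    """Map extension name -> findings, omitting extensions with no findings."""
    report = {}
    for raw in manifests:
        manifest = json.loads(raw)
        findings = audit_manifest(manifest)
        if findings:
            report[manifest.get("name", "<unnamed>")] = findings
    return report


# Constructed sample manifests; none of these is a real extension.
SAMPLE_MANIFESTS = [
    json.dumps({
        "name": "Coupon Helper",
        "manifest_version": 3,
        "permissions": ["tabs", "cookies", "storage"],
        "host_permissions": ["<all_urls>"],
    }),
    json.dumps({
        "name": "Dark Theme for Wiki",
        "manifest_version": 2,
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://*.wikipedia.org/*"], "js": ["dark.js"]}],
    }),
    json.dumps({
        "name": "Free VPN Plus",
        "manifest_version": 2,
        "permissions": ["webRequest", "webRequestBlocking", "*://*/*", "proxy"],
    }),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(name)
        for perm, reason in findings:
            print(f"  {perm:20} {reason}")
```

The "Dark Theme" extension is scoped to one site and produces no findings, which is the shape a narrowly written extension should have; the other two would be worth questioning before you install them, whatever their store rating says.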
6. RUN ANTI-EXPLOIT SOFTWARE
While most security software is good at detecting and stopping the millions of known viruses before they can install, security holes in your browser and other programs give malware a chance to slip past unnoticed. Unfortunately, you usually don't know there's a security hole in a program until the developer releases an update for it, and there is a window between attackers starting to use the hole and the patch being installed on your machine.
To narrow that window, software companies have started releasing anti-exploit programs. These watch your programs for the techniques attackers use to sneak code onto your system (for example, turning a browser crash into running their own code), regardless of which specific hole is being exploited, and then block those attempts. Windows 10 includes a built-in version of this, called Exploit Protection, under Windows Security>>App & browser control.
If you think of your main security program as the castle wall and the army guarding it, an anti-exploit program is the guy watching for traitorous citizens trying to open the backdoor.
7. TYPOSQUATTING
One mistyped letter could lead to ID theft. Missing just a few letters in a web address can cost you the money in your bank account, or start an all-out identity theft attack, because of a type of fraud called "typosquatting." The typosquatter's URL will usually be one of the following kinds, all similar to the victim site address:
- A common misspelling, or foreign language spelling, of the intended site: exemple.com
- A misspelling based on typos: xample.com or examlpe.com (at the time of writing, xample.com redirected to a scam site that tries to trick you into downloading malware; do not visit it)
- A differently phrased domain name: examples.com
- A different top-level domain: example.org
- An abuse of a Country Code Top-Level Domain (ccTLD): example.cm or example.om. A person leaving out the letter o or c in .com in error arrives at the fake URL's website.
Once on the typosquatter's site, the user may be tricked into thinking that they are on the real site through the use of copied or similar logos, website layouts or content. The fraudulent site is trying to get you to log in with your user name and password, or to download malware through a fake "Flash updater" pop-up, for example.
Stay Safe:
- When visiting any web site, double-check the URL before logging in.
- Be very careful entering things. If you're going to PayPal or to your bank, pay attention to what you type.
- Make sure you're on the real website by looking at the address bar on your browser. Better still, reach sensitive sites through a bookmark you saved when you were sure you had the right address, or through the bank's own app, rather than typing the address each time.
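The kinds of lookalike listed above can be generated mechanically, which is how a security team checks whether a link in an e-mail or a proxy log points at a trusted domain or at a squat on it. The following is an added example, not part of the original page: typo_variants() builds the omission, transposition, substitution, extra-letter, plural and TLD/ccTLD variants of a trusted domain, and check_url() classifies a URL's host against them. The trusted list (the page's own example.com plus paypal.com), the keyboard-neighbour table and the lookalike-digit table are small illustrative assumptions.

```python
"""Generate typosquat lookalikes of a trusted domain and check URLs against them.

Added example, not code from the original page. The neighbour and lookalike
tables below are deliberately small (an assumption); a production tool would
use a full keyboard layout and a homoglyph list covering Unicode.
"""
from urllib.parse import urlsplit

# Top-level domains a squatter commonly swaps in; .cm and .om catch a dropped
# letter in .com.
ALT_TLDS = ("org", "net", "co", "cm", "om", "co.uk")

# Keys that are easy to hit by mistake, and digits that look like letters (assumption).
KEYBOARD_NEIGHBOURS = {"a": "qs", "e": "wr", "i": "ou", "o": "ip", "l": "kp",
                       "m": "n", "n": "m", "p": "o", "s": "ad"}
LOOKALIKE_DIGITS = {"l": "1", "i": "1", "o": "0"}
VOWELS = "aeiou"


def typo_variants(domain):
    """Return the set of lookalike hostnames for a domain like example.com.

    Splits on the last dot, so example.co.uk is treated as label "example.co"
    with TLD "uk"; good enough for this illustration.
    """
    name, _, tld = domain.rpartition(".")
    out = set()
    # Omission: xample.com, exmple.com, ...
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # Transposition of adjacent letters: examlpe.com
    for i in range(len(name) - 1):
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        out.add(f"{swapped}.{tld}")
    # Substitution: neighbouring keys, lookalike digits, other vowels (exemple.com)
    for i, ch in enumerate(name):
        alts = set(KEYBOARD_NEIGHBOURS.get(ch, "")) | set(LOOKALIKE_DIGITS.get(ch, ""))
        if ch in VOWELS:
            alts |= set(VOWELS) - {ch}
        for alt in alts:
            out.add(f"{name[:i]}{alt}{name[i + 1:]}.{tld}")
    # Extra letter: a doubled character (exampple.com) and the plural (examples.com)
    for i, ch in enumerate(name):
        out.add(f"{name[:i]}{ch}{name[i:]}.{tld}")
    out.add(f"{name}s.{tld}")
    # Different top-level domain, including the ccTLD trick (example.cm, example.om)
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(f"{name}.{alt}")
    out.discard(domain)
    return out


def check_url(url, trusted):
    """Classify a URL's host as 'trusted', 'typosquat of <domain>' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    bare = host[4:] if host.startswith("www.") else host
    for domain in trusted:
        # Exact match or a genuine subdomain (login.example.com). A suffix
        # trick such as example.com.evil.test does not end with ".example.com".
        if bare == domain or bare.endswith("." + domain):
            return "trusted"
    for domain in trusted:
        if bare in typo_variants(domain):
            return f"typosquat of {domain}"
    return "unknown"


# Trusted domains for the illustration (assumption).
TRUSTED = ["example.com", "paypal.com"]

if __name__ == "__main__":
    for u in ("https://www.example.com/login", "http://examlpe.com/", "https://example.cm/",
              "https://exemple.com/", "https://paypa1.com/signin", "https://unrelated.test/"):
        print(f"{u:34} -> {check_url(u, TRUSTED)}")
```

Note that "unknown" is not "safe": the check only knows about the trusted list it was given, so a brand-new phishing domain with no resemblance to a trusted name passes straight through, which is why the address-bar habit above still matters.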
Common Misconceptions:
Misconception: Windows Updates Make Antivirus Software Unnecessary
The argument goes: since Windows updates are crucial to your PC’s security, if you’re diligent about installing patches you can forget about antivirus. This, however, is a serious mistake.
Truth: Windows Updates Come After The Fact. Windows Updates patch known vulnerabilities, but they aren’t meant to catch the everyday threats that don’t need a vulnerability at all, such as a malicious attachment you were tricked into opening. While keeping Windows up-to-date is a necessary part of security, it can’t replace an antivirus, which scans continuously. Also remember that anti-virus software mainly catches malware that is already known; it is much weaker against brand-new malware and does nothing against social engineering scams. Patching and antivirus close different gaps, and you need both.
Misconception: Malware Infections Are Obvious
Truth: A Lot of Malware Is Silent. Plenty of rogue applications spy on you without making a sound. Many of these turn the PC into a "zombie" in a botnet, and botnets are responsible for much of the spam and website attacks that happen constantly. Additionally, if you fall for a phishing scam and a password falls into a thief’s grasp, they could be accessing your accounts quietly, so that you don’t suspect anything.
Don’t assume that just because everything looks normal that it is. Turn on multi-factor authentication where it is offered, review your accounts’ recent sign-in activity, and change a password immediately if you suspect it has been exposed, so that someone isn’t getting in behind your back.
Misconception: I Don’t Do Anything Important On My Computer, So I Don’t Need To Be Careful
This is probably the most common reason people give for not keeping their computer safe. Sadly, it’s a poor excuse and those who give it are wrong.
The Truth: At the bare minimum, a virus or other malware infecting your PC, even if your financial info isn’t at risk, is going to take time to deal with. Your time is valuable, and if you’re recruiting a tech-savvy friend to fix your PC after your neglect, their time is affected too. Wiping your computer and starting fresh because of malware means more time and effort to get your programs re-installed and running just the way you like. In addition, malware isn’t only after the files on your disk. It may be tracking your every keystroke, stealing the passwords you type into other sites, using your machine to attack other people, or even hijacking your webcam to spy on you.
Misconception: I don’t run Windows, so I’m immune to Malware
The Truth: All platforms are vulnerable and this includes iPad, iPhone, Android and other mobile devices. While Windows viruses won’t affect Mac computers, Macs can still get infected with viruses. In addition, you can fall for phishing tricks, perhaps via email or social media, no matter what platform you use. Accidentally handing your password over to a fake site is going to yield the same result no matter if it’s done on Windows, Mac, or Android.
Misconception: My Apple or Android tablet is secure
The Truth: There is a plethora of mobile-based malware and viruses out there today. Never let your guard down and carelessly open a web site, email or attachment on a smart phone or tablet. These devices can be infected and can infect a corporate network if connected as a BYOD device.
Misconception: Windows Is Inherently Insecure
The Truth: Ever since Windows 7 hit the scene, the virus problem has been significantly curtailed. The problem is that many Windows users don’t update their systems with pertinent security patches. Microsoft is good about plugging security holes as they’re found, but if users don’t apply those updates, they leave themselves vulnerable. At that point, Windows itself is no longer at fault.
Moreover, Windows is the world’s most popular desktop operating system. Combine that with the fact that Windows does not require its users to be tech-savvy and you’ve got a recipe for a high number of security incidents.
Misconception: You don’t need security software
The Truth: The ones who create malware and viruses are always looking for new ways to facilitate the spread of malicious software, which means that their methods are always evolving.
But more importantly, we are human. Humans make mistakes. We can’t keep our guards up 24/7 and sometimes we’re lazy, forgetful, or reckless. All it takes is one lapse in judgment for your computer to be infected and that’s the real value of antivirus software: it protects you through your mistakes.
If you aren’t using antivirus software, install one now and keep its definitions updated. Afterwards, if a scan finds an infection, clean it up as soon as possible.
Misconception: All You Need Is Security Software
The Truth: Malware and virus creators are always engineering new ways to spread their code. Antivirus companies are always one step behind (they have to study a virus to understand its signature before they can protect against it), which means that signature-based antivirus is fundamentally reactive. AV software does not stop brand new viruses or social engineering scams.
Laptop:
A minor distraction is all it takes for a laptop to vanish. If it goes
missing, all the valuable information stored on it may fall into the hands of an
identity thief. Keep these tips in mind when you’re out and about with your
laptop:
- Treat your laptop like cash.
- Lock your laptop with a security cable.
- Be on guard in airports and hotels.
- Consider an alarm for your laptop.
- Consider carrying your laptop in something less obvious than a laptop
case.
- Don't leave your laptop unattended — even for just a moment.
- Don't put your laptop on the floor.
- Don't leave your laptop in the car.
- Don't keep passwords with your laptop or in its case.
- Turn on full-disk encryption (BitLocker on Windows, FileVault on macOS) together with a login password, so that a thief who has the laptop still can't read what is stored on it.
Tablet:
Having your tablet stolen is another security threat. Device theft, including
tablets and smartphones, happens so frequently that in most cases, law
enforcement personnel are unable to help recover a stolen device, although there
are a few steps you can take to improve the odds that it will be found.
Here’s a brief security checklist to keep on hand, in case your tablet is
stolen:
- Write down or save your device’s serial number (found in the Settings menu)
in a place other than your tablet to help prove ownership of a stolen tablet.
- Turn on the device's built-in locate feature (Find My on an iPad, Find My Device on Android) and its location services when you start using it, and keep them activated at all times; without them the device cannot be tracked after it is taken.
- Keep your tablet locked with a password, so a thief can’t gain immediate
access to your data.
- Immediately contact the police if your tablet is stolen. The longer you wait,
the harder it will be for law enforcement personnel to track it down.
- Have remote wiping capabilities set up ahead of time, so you can delete all
your personal data from your tablet in the event that you’re unable to recover
it quickly.
Secure Software:
While every tablet has some security features built into the device, you can
strengthen your tablet’s security by using third-party software for additional
protection. There are several types of security software for tablets, including
apps and programs. These include:
- Location software like Find my iPhone for the iPad or Lookout Mobile Security
for Android devices
- Remote locking and wiping software
- Anti-virus and anti-malware scanning programs
- Backup, recovery and data loss prevention solutions
Using mobile devices in public:
- With people increasingly using tablets in public places, users are at risk of sharing more than they might want to with the people around them. Larger screens may make it easier to browse the web, read ebooks and use apps on the go, but it also makes it easier for wandering eyes to catch sight of whatever it is you’re doing with your tablet or smartphone.
- It might be that someone is innocently interested in a good-looking app, or has caught sight of a catchy news headline. Yet if others can clearly see what you're doing with your device, it can put your privacy at risk.
- To prevent onlookers staring at your display, you might move into a corner, cover information with your hand or move the display closer to you. However, these workarounds are inconvenient, and one accessory can lower the risk without moving at all: a privacy screen filter.
- Screen filters are designed to prevent anyone apart from the user (sitting directly in front of a device) from getting a clear view of what’s on a screen. Screen filters could well be a must-have for security conscious business users, and those who regularly use mobile banking, for example, while on the move.
What is cloud computing?
In simple terms, cloud computing is a method of storing files and data in a centralized network that can be reached from anywhere and by any type of device. This includes mobile phones, tablets, laptops and desktops. The notion of the "cloud" comes from the fact that the data sits in a network that someone in NYC and someone in California can reach equally well.
Many people use cloud-based computer services and they don’t even know it. Consumers access and share information using remote server networks whenever they log on to social networks, like LinkedIn or Facebook, edit photos on Flickr, blog with WordPress, or create files using Google Docs. These are examples of cloud computing, which, simply defined, is how we store and share data, applications and computing power on the Internet.
Is it safe?
While there are many advantages to using the cloud to store your data, there is of course the question of safety and security. Large cloud providers typically run security programs (patching, firewalls, monitoring) that are stronger than what most individuals or small companies maintain on their own premises. The issue comes about when computing is outsourced and control over security is no longer in your hands: you depend on the provider's controls, on the account credentials that unlock your data, and on the terms you agreed to.
Here are some tips to protect your data in the cloud:
- Look for a Secure Web Address: Before shopping online or giving any sort of personal information, look at the URL. If the connection is encrypted it will begin with "https" rather than "http" and the browser will show a padlock. That means the site presented a valid TLS certificate for that name and your information is encrypted in transit, so it can't be read on the network between you and the site. It does not mean the site is honest: phishing and typosquatting sites use https too, so check the name in the address bar, not just the padlock.
- Don’t Provide Personal Information: Don’t put anything in the cloud you would not want others to see, especially the government or a private litigant. A credible website will never need sensitive personal information, like your social security, PIN, or bank account numbers. If a site you don’t trust asks you for anything personal, don’t trust it! It could be a phishing scam trying to gain access to your personal information. Pay close attention if the cloud provider reserves rights to use, disclose, or make public your information.
- Create Strong Passwords: Make long passphrases, at least twelve characters and preferably longer. For added security, include punctuation, symbols and a mix of upper and lowercase letters. Never use the same password for more than one account; a password manager makes that practical. Change a password right away if the service reports a breach or you suspect it has been exposed, and turn on multi-factor authentication wherever the provider offers it.
- Be Wary of Downloads: Don’t ever download a file from a website you don’t trust. There’re many malicious websites out there which let you download corrupted files with viruses and trojans that can infect your computer and steal your personal information.
- Check for Site Updates: Credible websites are updated often with security measures. Look around to see when the site was last updated. If it’s been more than a couple of months, you might not trust the site.
- Look for Contact Information: If you’re thinking about purchasing something from a website, look for the company’s contact information, including a physical address and a telephone number. This information is usually in the website’s footer. Don’t assume that a phone number is real—always call and ask questions to make sure the company is legitimate.
- Read the Privacy Policy: Read the privacy policy before placing your information in the cloud. If you don’t understand the policy, consider using a different provider. Also make sure that the cloud provider gives advance notice of any change in the terms of service or privacy policy. Read the Terms of Service before placing any information in the cloud. If you don’t understand the Terms of Service, consider using a different cloud provider.
- Leaving the Cloud: Know exactly what happens when you remove your data from the cloud provider. Does the cloud provider still retain rights to your information? If so, consider whether that makes a difference to you.
- Delete Cookies Often: Cookies are small files a site stores in your browser. When you log in, the site sets a session cookie so it can recognize you on later requests without asking for your password again. That is exactly why a stolen session cookie is valuable: someone who copies it (through malware or a malicious extension, for example) can act as you without ever knowing your password. Log out of sensitive sites when you are done, which invalidates the session, and clear cookies regularly. How to delete cookies differs depending on which browser you use, but it’s usually found in your browser’s privacy settings.
Criminals are actively using e-mail schemes to defraud financial institutions and their customers, with billions of dollars in possible losses.
E-mail Compromise Fraud: Schemes in which criminals compromise the e-mail accounts of victims to send fraudulent wire transfer instructions to financial institutions in order to misappropriate funds. The main types of e-mail compromise fraud include:
Business E-mail Compromise (BEC): Targets a financial institution’s commercial customers.
E-mail Account Compromise (EAC): Targets a victim’s personal accounts.
How BEC and EAC Schemes Work
Unlike account takeover activity, e-mail-compromise schemes involve impersonating victims to submit seemingly legitimate transaction instructions for a financial institution to execute. In account takeover activity, criminals access victims’ accounts and are able to directly execute transactions without submitting transaction instructions.
While BEC and EAC schemes have unique aspects, as noted below, both focus on using compromised e-mail accounts to mislead financial institutions and their customers into conducting unauthorized wire transfers. Both BEC and EAC schemes can be broken down into three stages:
Stage 1 – Compromising Victim Information and E-mail Accounts: Criminals first unlawfully access a victim’s e-mail account through social engineering or computer intrusion techniques. Criminals subsequently exploit the victim’s e-mail account to obtain information on the victim’s financial institutions, account details, contacts, and related information.
Stage 2 – Transmitting Fraudulent Transaction Instructions: Criminals then use the victim’s stolen information to e-mail fraudulent wire transfer instructions to the financial institution in a manner appearing to be from the victim. To this end, criminals will use either the victim’s actual e-mail account they now control or create a fake e-mail account resembling the victim’s e-mail.
Stage 3 – Executing Unauthorized Transactions: Criminals trick the victim’s employee or financial institution into conducting wire transfers that appear legitimate but are, in fact, unauthorized. The fraudulent transaction instructions direct the wire transfers to the criminals’ domestic or foreign bank accounts. Banks in Asia—particularly in China and Hong Kong—are common destinations for these fraudulent transactions.
Business E-Mail Compromise (BEC) Schemes
BEC schemes target financial institutions’ commercial customers. Criminals seek to access unlawfully the e-mail accounts of a company’s executives or employees to:
- Directly submit fraudulent transaction instructions to the company’s financial institution by impersonating company employees through e-mails and documentation related to the requested transfer; or
- Mislead a company employee into submitting fraudulent transaction instructions to the company’s financial institution by impersonating a supplier or a company executive to authorize or order payment through seemingly legitimate internal e-mails.
To illustrate, BEC schemes often take the following forms:
SCENARIO 1 – CRIMINAL IMPERSONATES A FINANCIAL INSTITUTION’S COMMERCIAL CUSTOMER: A criminal hacks into and uses the e-mail account of a Company A employee to send fraudulent wire transfer instructions to Company A’s financial institution. Based on this request, Company A’s financial institution issues a wire transfer and sends funds to an account the criminal controls. In this scenario, the criminal impersonating the financial institution’s customer prompted the financial institution to execute an unauthorized wire transfer.
SCENARIO 2 – CRIMINAL IMPERSONATES AN EXECUTIVE: A criminal hacks into and uses the e-mail account of a Company B executive to send wire transfer instructions to a Company B employee who is responsible for processing and issuing payments. The employee, believing the executive’s e-mailed instructions are legitimate, orders Company B’s financial institution to execute the wire transfer. In this scenario, the criminal impersonating a company executive misled a company employee into unintentionally authorizing a fraudulent wire transfer to a criminal-controlled account.
SCENARIO 3 – CRIMINAL IMPERSONATES A SUPPLIER: A criminal impersonates one of Company C’s suppliers to e-mail and inform Company C that future invoice payments should be sent to a new account number and location. Based on this fraudulent e-mailed information, Company C updates its supplier’s payment information on record and submits the new wire transfer instructions to its financial institution that direct payments to an account controlled by the criminal. In this scenario, the criminal impersonating a supplier provided fraudulent payment information to mislead a company employee into unintentionally directing wire transfers to a criminal-controlled account.
E-Mail Account Compromise (EAC) Schemes
Unlike BEC, EAC schemes target individuals instead of businesses. Individuals who conduct large transactions through financial institutions, lending entities, real estate companies, and law firms are the most likely targets of this type of scheme. EAC schemes often take the following forms:
Scenario 1 – Lending/Brokerage Services: A criminal hacks into and uses the e-mail account of a financial services professional (such as a broker or accountant) to e-mail fraudulent instructions, allegedly on behalf of a client, to the client’s bank or brokerage, to wire-transfer client’s funds to an account controlled by the criminal.
Scenario 2 – Real Estate Services: A criminal compromises the e-mail account of a realtor or of an individual purchasing or selling real estate, for the purposes of altering payment instructions and diverting funds of a real estate transaction (such as sale proceeds, loan disbursements, or fees). Alternately, a criminal hacks into and uses a realtor’s e-mail address to contact an escrow company, instructing it to redirect commission proceeds to an account controlled by the criminal.
Scenario 3 – Legal Services: A criminal compromises an attorney’s e-mail account to access client information and related transactions. The criminal then e-mails fraudulent transaction payment instructions to the attorney’s financial institution. Alternatively, the criminal may compromise a client’s e-mail account to request wire transfers from trust and escrow accounts the client’s attorney manages.
BEC and EAC schemes are similar and, therefore, may exhibit similar suspicious behavior, which can be identified by one or more of the following red flags:
- A customer’s seemingly legitimate e-mailed transaction instructions contain different language, timing, and amounts than previously verified and authentic transaction instructions.
- Transaction instructions originate from an e-mail account closely resembling a known customer’s e-mail account; however, the e-mail address has been slightly altered by adding, changing, or deleting one or more characters.
For example: Legitimate e-mail address - john-doe@abc.com
Fraudulent e-mail addresses - john_doe@abc.com, john-doe@bcd.com
More Red Flags:
- E-mailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
- E-mailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
- E-mailed transaction instructions direct payment to a beneficiary with which the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
- E-mailed transaction instructions include markings, assertions, or language designating the transaction request as "Urgent," "Secret," or "Confidential."
- E-mailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction.
- E-mailed transaction instructions originate from a customer’s employee who is a newly authorized person on the account or is an authorized person who has not previously sent wire transfer instructions.
- A customer’s employee or representative e-mails a financial institution transaction instructions on behalf of the customer that are based exclusively on e-mail communications originating from executives, attorneys, or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys, or designees.
- A customer e-mails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning that a fraudulent payment was successful.
- A wire transfer is received for credit into an account, however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor, while thinking the new account belongs to the known supplier/vendor, as described in the above BEC Scenario 3. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of e-mail-compromise fraud.
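Most of the red flags above can be written as rules and applied to every e-mailed instruction before a wire is released, so that a reviewer knows which ones to hold for out-of-band verification (a phone call to a number already on file, never one taken from the e-mail). The following is an added example, not part of the original advisory: screen() applies the lookalike-sender, changed-account, new-beneficiary, urgency, short-deadline, new-requester, follow-on and beneficiary-name-mismatch rules to a constructed instruction record and returns the flags that fire. The customer address (the advisory's own john-doe@abc.com), the beneficiary history, the account numbers and the message texts are all constructed for the example.

```python
"""Screen e-mailed wire instructions against the BEC/EAC red flags.

Added example, not code from the original advisory. All customer data,
account numbers, amounts and messages are constructed for illustration.
"""
import re

URGENCY = re.compile(r"\b(urgent|secret|confidential|immediately|asap)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance; catches addresses altered by one or two characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(sender, known):
    """True if sender is not the known address but is within two edits of it."""
    sender, known = sender.lower(), known.lower()
    return sender != known and edit_distance(sender, known) <= 2


def screen(instr, customer, history):
    """Return the list of red flags raised by one e-mailed instruction.

    instr    : dict with sender, beneficiary, account, amount, text, deadline_hours,
               requester_is_new, follow_on and optionally account_holder_on_file
    customer : dict with the sender addresses on file ("known_senders")
    history  : dict beneficiary -> {"accounts": set of accounts used, "amounts": past payments}
    """
    flags = []
    known = {a.lower() for a in customer["known_senders"]}
    if instr["sender"].lower() not in known:
        if any(lookalike(instr["sender"], k) for k in known):
            flags.append("sender address is a lookalike of a known address")
        else:
            flags.append("sender address is not on file for this customer")
    past = history.get(instr["beneficiary"])
    if past is None:
        biggest = max((amt for h in history.values() for amt in h["amounts"]), default=0)
        if instr["amount"] >= biggest:
            flags.append("new beneficiary paid an amount at or above the historical maximum")
        else:
            flags.append("beneficiary has no payment history")
    elif instr["account"] not in past["accounts"]:
        flags.append("known beneficiary but account details changed")
    if URGENCY.search(instr["text"]):
        flags.append("instruction marked urgent/secret/confidential")
    if instr["deadline_hours"] < 24:
        flags.append("deadline leaves little time to verify")
    if instr["requester_is_new"]:
        flags.append("requester is newly authorized or has never sent wires")
    if instr["follow_on"]:
        flags.append("additional payment requested right after a first payment to a new account")
    holder = instr.get("account_holder_on_file")
    if holder and holder.lower() != instr["beneficiary"].lower():
        flags.append("named beneficiary is not the holder of the credited account")
    return flags


# Constructed data for the example (not real customers or accounts).
CUSTOMER = {"known_senders": ["john-doe@abc.com"]}
HISTORY = {
    "Acme Supply": {"accounts": {"DE89370400440532013000"}, "amounts": [12000, 15500, 14000]},
    "Office Depot": {"accounts": {"GB29NWBK60161331926819"}, "amounts": [800, 950]},
}

SUSPICIOUS = {
    "sender": "john_doe@abc.com",          # hyphen swapped for underscore
    "beneficiary": "Acme Supply",
    "account": "HK112233445566778899",     # not the account on file
    "amount": 15000,
    "text": "URGENT - please process today and keep confidential until the deal closes",
    "deadline_hours": 4,
    "requester_is_new": False,
    "follow_on": False,
}

NORMAL = {
    "sender": "john-doe@abc.com",
    "beneficiary": "Office Depot",
    "account": "GB29NWBK60161331926819",
    "amount": 900,
    "text": "Monthly supplies invoice 4471 attached",
    "deadline_hours": 72,
    "requester_is_new": False,
    "follow_on": False,
}

if __name__ == "__main__":
    for label, record in (("suspicious", SUSPICIOUS), ("normal", NORMAL)):
        print(label, "->", screen(record, CUSTOMER, HISTORY) or ["no red flags"])
```

The rules are deliberately simple and deterministic so that a reviewer can see exactly why a wire was held; the value is in the sender-on-file and account-on-file comparisons, which a human skimming an inbox is unlikely to make under time pressure.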
Threats are continuously evolving but your firewall protection may not. Now
is the time to look beyond traditional network security and incorporate
protection against malware and exploits that pass through PCs and mobile devices
when users browse the Internet, send or receive email and download
applications.
These schemes include:
Extortion - Locking up or disrupting computers, then charging money to
have the disruption undone. Today this most often takes the form of ransomware, which encrypts the victim's files and demands payment for the key. An older form of the same crime is a worthless computer scan followed by the sale of equally worthless "anti-virus" software ("scare-ware"), a technique also used to harvest credit card information; sometimes the purchased software drives additional purchases or continues to exact "subscription" payments.
Theft - Stealing electronic assets. These can include: personally
identifiable information (identity theft) from employee or customer records;
financial account information and passwords; proprietary trade and business
assets which can be sold to competitors; email accounts, including address
books, to be used for spam mailings (from seemingly trusted sources); and even
computer resources themselves (zombies) which are controlled by the criminals
for everything from spam mailing to hosting pornography.
The software which enables these crimes is categorized as malware. As
worrisome as malware is—and it continues to get worse—there are
straightforward and extremely effective ways to address it. But first, know
your enemy. Typical malware consists of six main types—viruses, worms,
Trojans, spyware, adware and rootkits.
Viruses
Probably the best known type of malware is the virus. Computer viruses have
been around for decades, however the basic premise has remained constant.
Typically designed to inflict damage against the end user, computer viruses can
purge an entire hard disk, rendering data useless in a matter of moments.
Just as biological viruses replicate themselves when infecting a host cell,
computer viruses will often replicate and spread themselves through an infected
system. Other types of viruses are used for ‘seek and destroy’ where specific
files types or portions of the hard disk are targeted. Criminals conducting
cyber-thefts will often unleash a virus on penetrated systems after extracting
the desired information as a means of destroying forensic evidence.
Computer viruses were originally spread through the sharing of infected
floppy disks. As technology evolved so too did the distribution method. Today,
viruses are commonly spread through file sharing, web downloads and email
attachments. In order to infect a system, the virus must be executed on the
target system; dormant computer viruses which have not been executed do not pose
an immediate threat. Viruses typically do not possess any legitimate purposes
and in some countries are illegal to possess.
Worms
Computer worms have existed since the late 1980s, but were not prevalent
until networking infrastructures
within organizations became common. Unlike computer viruses, worms have the
capability of spreading themselves through networks without any human
interaction.
Once infected by a worm, the compromised system will begin scanning the local
network in an attempt to locate additional victims. After locating a target, the
worm will exploit software vulnerabilities in the remote system, injecting it with malicious code in order to complete the compromise.
Due to its means of attack, a worm only succeeds against systems on
the network which are running the specific vulnerable software it exploits, which is why unpatched machines are the ones that fall. Worms were often viewed
more as a nuisance than a real threat. However, they may be used to spread other
malware or inflict damage against target systems, and self-spreading ransomware has shown how destructive a worm can be when it carries a damaging payload.
Trojans
Like viruses, Trojans typically require some type of user interaction in
order to infect a system. However unlike most worms and viruses, Trojans often
try to remain undetected on the compromised host. Trojans are small pieces of
executable code embedded into another application. Typically the infected file
is an application the victim would use regularly (such as Microsoft Word or
Calculator). The goal is for the victim to unknowingly execute the malicious
code when launching an otherwise innocent program. This often results in Trojans
infecting a system without triggering any type of notification. There are
several types of Trojans, each fulfilling a different purpose. Some Trojans are
designed specifically to extract sensitive data from the infected system; these
types of Trojans typically install keyloggers or take screenshots of the
victim’s computer and automatically transmit the information back to the
attacker. Other, more dangerous "remote access Trojans" (RATs), will take
control of the infected system, opening up a back door for an attacker to later
access. Remote access Trojans are typically used in the creation of botnets.
Spyware / Adware
Like some types of Trojans, spyware is used to collect and relay sensitive
information back to its distributor.
Spyware typically is not malicious in nature. However, it is a major nuisance,
typically infecting web browsers, making them nearly inoperable. Spyware is
often used for deceitful marketing purposes, such as monitoring user activity
without their knowledge. At times, spyware may be disguised as a legitimate
application, providing the user with some benefit while secretly recording
behavior and usage patterns.
Like spyware, adware is a major nuisance for users. But it is usually not
malicious in nature. Adware, as the name implies, is typically used to spread
advertisements providing some type of financial benefit to the attacker. After
becoming infected by adware, the victim becomes bombarded by pop-ups, toolbars
and other types of advertisements when attempting to access the Internet. Adware
usually does not cause permanent damage to a computer. However, it can render
the system inoperable if not removed properly.
Rootkits
Arguably the most dangerous type of malware is the rootkit. Like remote
access Trojans, rootkits provide the attacker with control over an infected
system. However, unlike Trojans, rootkits are exceptionally difficult to detect
or remove. Rootkits are typically installed into low-level system resources
(below the operating system). Because of this, rootkits often go undetected by
conventional anti-virus software. Once infected with a rootkit, the target
system may be accessible by an attacker providing unrestricted access to the
rest of the network.
Knowing when you’ve got one
Malware in network traffic or on a computer makes its presence known in one of
three ways:
- A "signature" is a fingerprint or pattern in the file that can be
recognized by a network security system like a firewall even before it gets
to a computer. If such a file actually gets to a computer, the
anti-virus/anti-malware software on the machine should catch it.
- A suspect file type appearing out of context, like an executable (.exe)
or registry value hidden in a compressed file like a .zip.
- Behavior; even a rootkit may reveal itself when it "phones home" to the
operator who controls it. If this behavior is abnormal—for instance, in
volume or time of day—this can be an indicator of a compromised system.
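The three indicators above, as an added example that is not part of the original page: a constructed byte-pattern signature, a scan of a zip archive for executables and registry files hidden inside it, and a beaconing check over constructed connection-log lines that flags regular, off-hours "phone home" traffic. The log format, the IP addresses and the signature bytes are all constructed for this example.

```python
import io
import re
import zipfile
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicator 1: a signature. The byte pattern below is constructed for this
# example; a real product ships thousands of patterns and file hashes.
SIGNATURES = {
    "constructed-test-signature": b"CONSTRUCTED-SAMPLE-SIGNATURE",
}


def match_signatures(data):
    """Return the names of every known signature found in the file bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


# Indicator 2: a suspect file type out of context, such as an executable or
# registry file hidden inside a .zip. A double extension like invoice.pdf.exe
# still ends in .exe and is caught the same way.
SUSPECT_EXTENSIONS = (".exe", ".scr", ".dll", ".bat", ".cmd", ".js", ".vbs", ".reg")


def suspect_archive_members(zip_bytes):
    """List archive members whose extension has no business in a document zip."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        names = archive.namelist()
    return [n for n in names if n.lower().endswith(SUSPECT_EXTENSIONS)]


def build_sample_zip():
    """Constructed archive: one harmless text file plus two suspect members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "release notes")
        archive.writestr("invoice.pdf.exe", "not a real program")
        archive.writestr("fix.reg", "Windows Registry Editor Version 5.00")
    return buf.getvalue()


# Indicator 3: behaviour. A compromised host that "phones home" tends to do so
# on a fixed timer, often at night; legitimate browsing is irregular.
# Constructed log format: "<date> <time> <src> -> <dst>:<port> <bytes>B"
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):\d+ \d+B$")

SAMPLE_LOG = """\
2024-03-02 02:00:00 10.0.0.5 -> 203.0.113.7:443 512B
2024-03-02 02:10:00 10.0.0.5 -> 203.0.113.7:443 512B
2024-03-02 02:20:00 10.0.0.5 -> 203.0.113.7:443 512B
2024-03-02 02:30:00 10.0.0.5 -> 203.0.113.7:443 512B
2024-03-02 02:40:00 10.0.0.5 -> 203.0.113.7:443 512B
2024-03-02 09:00:00 10.0.0.6 -> 198.51.100.20:443 90412B
2024-03-02 09:03:12 10.0.0.6 -> 198.51.100.20:443 18220B
2024-03-02 09:17:45 10.0.0.6 -> 198.51.100.20:443 77301B
2024-03-02 09:18:01 10.0.0.6 -> 198.51.100.20:443 4410B
"""


def find_beacons(lines, min_events=4, max_jitter=0.1, business_hours=(8, 18)):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    jitter = standard deviation of the gaps divided by the mean gap; a timer
    gives a value near 0, human activity a value well above max_jitter.
    """
    events = defaultdict(list)
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines rather than fail
        stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        events[(match.group(2), match.group(3))].append(stamp)

    findings = []
    for (src, dst), stamps in events.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        average = mean(gaps)
        if average == 0 or pstdev(gaps) / average > max_jitter:
            continue
        start, end = business_hours
        off_hours = sum(1 for s in stamps if not start <= s.hour < end)
        findings.append({"src": src, "dst": dst, "count": len(stamps),
                         "interval_s": round(average), "off_hours": off_hours})
    return findings


if __name__ == "__main__":
    print(match_signatures(b"header CONSTRUCTED-SAMPLE-SIGNATURE trailer"))
    print(suspect_archive_members(build_sample_zip()))
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```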
One of the most sophisticated types of phishing attacks is called spear phishing. This is when a hacker will target a specific group or organization and will tailor their attacks to make them look relevant to the recipient. When receiving emails, users should look at the following:
- Do you know the sender, and is the email address one you would expect them to use? An email purporting to be from your CEO, but sent from a Gmail account, should always ring alarm bells.
- Are you expecting a message from the person? Does the email look suspicious? Does the link look genuine?
- The content of the email can be a giveaway. One of the most basic reasons that phishing attacks work is that they prey on a user’s emotional response – fear, curiosity or reward, and emails that evoke strong emotions such as these should be considered triggers.
- Is the email specific? Does it make sense? Although criminals have a lot of information about individuals they will still keep messages generic to pique your interest, and make you take action.
- And of course, while grammar has improved in recent years, mistakes are often an indicator that all is not as it seems.
Phishing is one of the most common attack methods for cyber-criminals; however, an effective training program and user awareness will minimize the risk of employees falling victim. Once employees know what to look for, they will be able to quickly identify any potential phishing emails and report them before any damage is done.
Here are some qualities that identify an attack through an email:
- They duplicate the image of a real company.
- They copy the name of a company or of an actual employee of the company.
- They include links to sites that are visually similar to a real business's site.
- They promote gifts, or threaten the loss of an existing account.
Phishing doesn't only pertain to online banking
Most phishing attacks target banks, but attackers can also impersonate any
popular website, such as eBay, Facebook or PayPal, to steal personal data.
Phishing knows all languages
Phishing knows no boundaries, and can reach you in any language. In general,
they’re poorly written or translated, so this may be another indicator that
something is wrong.
If you have the slightest doubt, don't risk it
The best way to prevent phishing is to consistently reject any email or message
that asks you to provide confidential data. Delete these emails and call your
bank or credit union to clarify any doubts.
Social media sites can have infected links. For example, you receive an Instagram picture from a friend. It's a great picture, so you decide to share it
by clicking the Facebook "like" button underneath the image. This can be
dangerous even if the picture came from a trusted source, the button is a real
Facebook button and you are not downloading anything. If you can see the
picture, you could already have downloaded malware. If the Facebook "like" link
was fake, you also could have inadvertently downloaded malware. Malicious
software (malware) can be disguised as a Facebook "Like" button, picture or
audio clip. When you click a link or open an attachment, malware installs on
your device. Unlike early PC malware, it doesn't ask your permission, and your
device is figuratively in the hands of a criminal.
Free wireless can be dangerous. While at a local coffee shop, airport, or public gathering place, DO NOT
connect to the "free wireless" network if you are asked to create a temporary
login to get access to the free wi-fi. Don't assume a Wi-Fi hotspot is secure.
Most Wi-Fi hotspots do not encrypt the information you send over the internet
and are not secure. When using a Wi-Fi hotspot, only log in or send personal
information to websites that you know are fully encrypted. If you use an
unsecured network to log in to an unencrypted site - or a site that uses
encryption only on the sign-in page - other users on the network can see what
you see and what you send.
Free public wi-fi networks can be dangerous. Whenever you have access to a free public wi-fi network, you should NOT
use that free wi-fi connection; use your mobile wireless connection instead. Be
smart on open Wi-Fi networks. When you access a Wi-Fi network that is open to
the public, your phone can be an easy target for cybercriminals. You should
limit your use of public hotspots and instead use protected Wi-Fi from a
network operator you trust or a mobile wireless connection to reduce your risk
of exposure, especially when accessing personal or sensitive information.
Always be aware when clicking web links and be particularly cautious if you are
asked to enter account or log-in information.
Do not include this information on your social networking profile:
- Your date of birth, including the year
- Your phone number
- Your physical address
- The name of your high school
- Your pet's name
Users of social media sites are at greater risk of physical and identity
theft because of the information they share. If you participate in social
networking, you should safeguard your information. Posting your full birthdate
and place of birth, phone number, physical address, and any information that
could be used to guess your password - such as your mother's maiden name - could
provide fraudsters with information to help them gain access to your financial
accounts. So be sure to keep this information safe and update the privacy
settings for your profile.
Be careful when you click on a Pinterest "pin" to enter any type of
promotion. Pay close attention to the URL these pins lead to before
clicking on them. If the URL doesn't seem like anything official to you, don't
click it and don't re-pin it. Clicking the pin can redirect you to a third-party
website, have you re-pin the pin, or fill in a survey providing personal details.
These tricks can install malware or gain access to information about you in
order to steal your identity.
Be wary of social network invites. If you receive a message from a friend on Facebook inviting you to join a new
social network, you should suspect that the message is fraudulent and contact
your friend to verify. Don't trust that a message is really from who it says
it's from. Hackers can break into accounts and send messages that look like
they're from your friends, but aren't.
Do not allow access to your contacts. If you join a new social network and receive an offer to enter your email
address and password to find out if your contacts are on the network, you should
decline the offer and DO NOT allow the social network site access
to your email address book. To avoid giving away email addresses of your
friends, do not allow social networking services to scan your email address
book. The site might use this information to send email messages to everyone in
your contact list or even everyone you've ever sent an email message to with
that email address. Social networking sites should explain that they're going to
do this, but some do not.
DO NOT accept a social media connection request from a stranger of the
opposite sex just because the person looks honest and knows other people
you know. Be selective about who you accept as a friend on a social network.
Identity thieves might create fake profiles in order to get information from
you. That lack of caution can be extremely costly. Most networking sites contain
personal information. When you friend someone, you give them access to that
information and that can be used by fraudsters.
Deleting pictures or videos from your social networking sites will NOT
permanently remove them from the Internet. You need to contact the support
department at the social networking site to make sure they are removed. Assume
that everything you put on a social networking site is permanent. Even if you
can delete your account, anyone on the Internet can easily print photos or text
or save images and videos to a computer.
You can be at risk even if you download apps on social networking sites that
look official and whose install link is within the social networking site. Be
careful about installing extras on your site. Many social networking sites allow
you to download third-party applications that let you do more with your personal
page. Criminals sometimes use these applications to steal your personal
information. To download and use third-party applications safely, take the same
safety precautions that you take with any other program or file you download
from the web. Modify your settings to limit the amount of information apps can
access.
Do not respond to social media requests. If you receive an e-mail requesting you to update your Facebook, Twitter,
LinkedIn, eBay, or PayPal account, do NOT click on the link in the email and
do NOT log in and update your account as requested. Before entering your
username and password, look at the web address in the browser. The fake ones
look similar to this: http://k2nxw.com/cgi-bin/login/ or www.paypal5281.com.
If you are not sure, log into your real account just like you usually do, by
typing the web address in the browser yourself and not using the links
provided.
More tips
Use multiple passwords everywhere. It is NOT okay to use the same password across social networking
sites just because you use different passwords for home banking type sites.
Using a different password for home banking type sites is correct. However,
social networking sites may not have the security of your online financial
institution, and using the same password on those sites is like trusting the
weakest link in a chain to carry the same weight. Every site has
vulnerabilities; plan for them to be exploited.
If you receive offers of pre-approved credit, shred them before putting them
in the trash. First, purchase a cross-cut shredder and shred all your
pre-approved credit card offers. Next, remove your name and opt out of
receiving these offers by visiting the web site: https://www.optoutprescreen.com
Understand how your financial institution communicates with you. If you receive an e-mail carrying your bank's name and e-mail address that
explains that, for security reasons, you must click on a particular Internet
link and log in to your account to update your settings, delete the email
without taking any action, call or otherwise contact your bank to check its
credibility, and report it to your bank as spam. Financial institutions DO
NOT ask for personal or account information via email.
Always be skeptical of attachments. If you receive a message to view a file or video on a social networking site
from someone within your network (a trusted source), it is still NOT
safe to open the attachment. Criminals are avid fans of social networking sites.
They hijack user accounts to send phishing invites to an account holder’s entire
contact list, post poisoned links to a variety of malicious sites, and send
credible emails with malicious links - abusing the trust that friends normally
share. Some creative criminals have tailored messages to appear to come from the
social networking site itself, designed so that users will divulge their login
credentials or download a Trojan.
Technology-based security measures such as firewalls, encryption, anti-virus,
spam filters, and strong authentication will NOT prevent social
engineering fraud. No matter how much security technology you implement, you can
never get rid of the weakest link - the human factor. A social engineer is
someone who uses deception, persuasion and influence to get information that
would otherwise be unavailable.
If you receive an email from a friend or trusted source, it is NOT
always safe to click on a link or attachment within that email. The email
account of your friend or trusted source could have been compromised, and the
message could have been sent to you by a criminal with the intent of getting
information or of having you click a link or open an attachment.
It is NOT always safe to click a link just because it appears on a popular
search site like Yahoo, Google or Bing. Search engine poisoning makes up 40% of
malware delivery on the Web. In this practice, malware and spam attackers
inundate search results with links to bait pages that take users to malicious
websites that download malware to the computer. People want to be able to trust
that what they search for in Google, Bing or Yahoo is safe to click on.
Type web site addresses yourself. Typing the address of a web site directly into your Web browser will ensure
that you are going to the legitimate Web site and not a phishing site that was
designed to mimic the look of the real thing. Unless the site was hijacked or
your computer has a virus, typing the web address yourself is the best way to
guarantee the authenticity of a web site.
Tech support scams are very popular. If you receive an e-mail from a "Microsoft support person" saying that your
computer is infected by a virus and suggesting that you install a tool available
on their Internet site to eliminate the virus, you should NOT click on the link,
even though the email looks official and carries the legitimate
support@microsoft.com email address. Email spoofing is e-mail activity in which
the sender's address and other parts of the e-mail header are altered to appear
as though the e-mail originated from a different source.
Be skeptical when there are big news events happening. If you hear on the news that your insurance company has recently been
breached, and soon after you receive an email from your insurance company that
explains the breach and provides the necessary steps for you to take, including
clicking on a link to update your personal information and change your user
name and password, you should NOT follow those instructions. Now that the
criminals have information about you, they may try to trick you into giving up
more information through fraudulent emails. Be suspicious of urgent emails
requesting information and never open attachments you aren’t expecting, even if
they come from someone you know.
If you are unsure about a link in your email, do NOT copy and paste the link
into your web browser. You could still end up at the malicious site and
potentially load malware onto your computer or network; pasting the link into
the browser's address bar is no safer than clicking it.
If you are unsure about a link in your email, it is NOT safe to
forward the link to have it tested by someone else. By forwarding an email, all
you've done is forward a potentially dangerous and malicious email that could
infect someone else's computer or network.
Criminals can strike very quickly. For example, within hours of a hurricane,
you receive an email from the Red Cross asking for a donation to help the
victims. This email is most likely a phishing scam riding on a high-profile
event that is receiving media attention and is at the forefront of people's
minds. These scams are effective because they rely on your emotions and
compassion.
Be aware of web site extensions. For example, out of these six web addresses,
the "whitehouse.com" is phony because any official U.S. government web site
will end in .gov and not .com.
- https://www.usa.gov
- https://cio.gov
- http://www.ssa.gov
- https://www.ssa.gov
- http://www.fdic.gov
- https://www.whitehouse.com
Clues that an email is fake can include: poor spelling, grammatical errors,
offer of a reward, typos, information request, threatening tone.
Both ACH (automated clearing house) transactions and wire transfers are forms of electronic fund transfers (EFTs). Wire transfers typically involve larger sums of money and are transferred between banks. ACH transfers are scheduled transactions, like online bill payments, that typically involve smaller amounts of money.
ACH (automated clearing house)
ACH fraud is the theft of funds through the Automated Clearing House financial transaction network. The ACH network acts as the central clearing facility for all Electronic Fund Transfer (EFT) transactions in the United States, representing a crucial link in the national banking system. Payments linger in the ACH network awaiting clearance for their final banking destination.
Here are a few examples of ACH fraud:
- The criminal accesses a commercial customer's credentials, generates an ACH file in the originator's name, and quickly withdraws funds before the victim discovers the fraud.
- The criminal accesses a retail customer's credentials and sets himself up as an automatic bill pay recipient.
- In an insider threat scenario, an employee of the target company or a bank modifies ACH files to steal money.
- In a variation on check kiting -- a scam in which funds are juggled back and forth between bank accounts at separate banks -- a criminal takes advantage of the time lag in transactions.
- In a spear phishing scam, an employee with authorization for ACH transactions receives an email that leads him to an infected site, which installs a keylogger to access authentication information. The thief can then impersonate the company's authorized representative and withdraw funds.
ACH fraud prevention tips:
- Reconcile all banking transactions on a daily basis.
- Initiate ACH and wire transfer payments under dual control, with a transaction originator and a separate transaction authorizer.
- If possible, and in particular for customers that do high value or large numbers of online transactions, carry out all online banking activities from a stand-alone, hardened and completely locked down computer system from which e-mail and Web browsing are not possible.
- Be suspicious of e-mails purporting to be from a financial institution, government department or other agency requesting account information, account verification or banking access credentials such as usernames, passwords, PIN codes and similar information. Opening file attachments or clicking on web links in suspicious emails could expose the system to malicious code that could hijack the computer.
- Install a dedicated, actively managed firewall, especially if there is a broadband or dedicated connection to the Internet, such as DSL or cable. A firewall limits the potential for unauthorized access to a network and computers.
- Create a strong password with at least 10 characters that includes a combination of mixed case letters, numbers and special characters.
- Prohibit the use of "shared" usernames and passwords for online banking systems.
- Use a different password for each website that is accessed.
- Change the password a few times each year.
- Never share username and password information for Online Services with third-party providers.
- Limit administrative rights on users' workstations to help prevent the inadvertent downloading of malware or other viruses.
- Install commercial anti-virus and desktop firewall software on all computer systems. Free software may not provide protection against the latest threats compared with an industry standard product.
- Ensure virus protection and security software are updated regularly.
- Ensure computers are patched regularly, particularly the operating system and key applications, with security patches. It may be possible to sign up for automatic updates for the operating system and many applications.
- Clear the browser cache before starting an Online Banking session in order to eliminate copies of web pages that have been stored on the hard drive. How the cache is cleared will depend on the browser and version. This function is generally found in the browser's preferences menu.
- Verify use of a secure session (https not http) in the browser for all online banking.
- Avoid using automatic login features that save usernames and passwords for online banking.
- Never leave a computer unattended while using any online banking or investing service.
- Never access bank, brokerage or other financial services information at Internet cafes, public libraries, etc. Unauthorized software may have been installed to capture account numbers and sign-on information, leaving the customer vulnerable to possible fraud.
- Stay in touch with other businesses to share information regarding suspected fraud activity.
- Immediately escalate any suspicious transactions, particularly ACH or wire transfers, to the financial institution. There is a limited recovery window for these transactions and immediate escalation may prevent further loss by the customer.
Here is an example of wire fraud:
- The organization’s legitimate email domain is @company.com.
- The attacker registers domain names deceptively similar to the organization’s (for instance, @conpany.com, @cornpany.com, @cmpany.com).
- The attacker learns the names of the Designated Executive and Designated Employee through social engineering or online research.
- The attacker sends an email purporting to be from the Designated Executive, using a deceptively similar email domain.
- The Designated Employee receives this email and sees that it is from "Designated Executive" <Designated.Executive@conpany.com> directing the Designated Employee to have $1 million wired to account number 123456789.
- The Designated Employee, following procedure, checks to see that the email came from "Designated Executive."
- But the Designated Employee fails to notice the misspelling in the email domain @conpany.com, mistaking it for a legitimate company email address.
- The Designated Employee logs into the online banking portal account and requests an outbound wire transfer for $1 million to account number 123456789.
- The bank, following procedure, checks to confirm that the request for the wire transfer did come from the Designated Employee’s account on the online banking portal.
- The bank wires $1 million to account number 123456789.
- Meanwhile, the actual Designated Executive has no knowledge of this wire transfer.
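A defensive check for the look-alike domains in the wire fraud walkthrough above, and for the fake login addresses shown earlier (k2nxw.com, paypal5281.com), as an added example that is not part of the original page. The allow-list, the confusable-character table and the "last two labels" rule for the registrable domain are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the domains this organisation and its payment
# providers really use. "company.com" follows the page's wire fraud example.
LEGITIMATE_DOMAINS = {"company.com", "paypal.com"}

# Character pairs that look alike at a glance; applied before comparing so
# that "cornpany" is read as "company".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("5", "s"))


def normalize_label(label):
    """Collapse visually confusable character sequences into the letter they imitate."""
    text = label.lower()
    for lookalike, real in CONFUSABLES:
        text = text.replace(lookalike, real)
    return text


def levenshtein(a, b):
    """Edit distance: single-character insertions, deletions or substitutions."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(previous[j] + 1,                       # deletion
                               current[j - 1] + 1,                    # insertion
                               previous[j - 1] + (char_a != char_b)))  # substitution
        previous = current
    return previous[-1]


def registrable_domain(host):
    """Assumption: the last two labels are the registrable part (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain, legit=LEGITIMATE_DOMAINS, max_distance=2):
    """Return (verdict, matched legitimate domain or the input domain)."""
    domain = domain.lower()
    if domain in legit:
        return "legitimate", domain
    brand = domain.split(".")[0]
    for real in legit:
        real_brand = real.split(".")[0]
        if (normalize_label(brand) == real_brand                 # cornpany -> company
                or levenshtein(brand, real_brand) <= max_distance  # conpany, cmpany
                or real_brand in brand):                         # paypal5281
            return "lookalike", real
    return "unknown", domain


def classify_sender(address, legit=LEGITIMATE_DOMAINS):
    """Classify the domain of a From: value such as '"Name" <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?$", address.strip())
    if not match:
        return "invalid", ""
    return classify_domain(registrable_domain(match.group(1)), legit)


def classify_url(url, legit=LEGITIMATE_DOMAINS):
    """Classify a link's host, and note a legitimate host reached without https."""
    parsed = urlparse(url)
    if not parsed.hostname:
        return "invalid", ""
    verdict, matched = classify_domain(registrable_domain(parsed.hostname), legit)
    if verdict == "legitimate" and parsed.scheme != "https":
        verdict = "legitimate-but-unencrypted"
    return verdict, matched


if __name__ == "__main__":
    for sender in ("ceo@company.com",
                   '"Designated Executive" <Designated.Executive@conpany.com>',
                   "ceo@cornpany.com", "ceo@cmpany.com"):
        print(sender, "->", classify_sender(sender))
    for link in ("http://k2nxw.com/cgi-bin/login/", "http://www.paypal5281.com",
                 "https://www.paypal.com/signin"):
        print(link, "->", classify_url(link))
```

The substring rule (`real_brand in brand`) is deliberately eager; with very short brand names it would need an exception list.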
Stop large international wire transfers
For international wire transfers over $50,000, call your regional FBI office: https://www.fbi.gov/contact-us/field-offices and local police. The FBI offers a Financial Fraud Kill Chain (FFKC) process to help recover large international wire transfers stolen from the United States. The FFKC is intended to be utilized as another potential avenue for U.S. financial institutions to get victim funds returned.
The FFKC can only be implemented if the fraudulent wire transfer meets the following criteria:
- the wire transfer is $50,000 or above
- the wire transfer is international
- a SWIFT recall notice has been initiated by your financial institution
- the wire transfer has occurred within the last 72 hours.
If these criteria are met, the following information will be needed:
- Summary of the incident
- Name of victim
- Location of victim (City and state)
- Originating bank name
- Originating bank account number
- Beneficiary name
- Beneficiary bank
- Beneficiary account number
- Beneficiary bank location (if known)
- Intermediary bank name (if known)
- SWIFT number
- Date
- Amount of transaction
- Any additional information that may be available, such as "for further credit," or "in favor of"
Any wire transfers that occur outside of these thresholds should still be reported to law enforcement: http://www.ic3.gov/ but the FFKC cannot be utilized to return the fraudulent funds.
- Keep Only What You Need. Reduce the volume of information you collect and retain to only what is necessary. Minimize the places you store personal data. Know what you keep and where you keep it.
- Destroy Before Disposal. Cross-cut shred paper files before disposing of private information. Also destroy CDs, DVDs and other portable media. Deleting files or reformatting hard drives does not erase data. Instead, use software designed to permanently wipe the drive, or physically destroy it.
- Safeguard Data. Lock physical records in a secure location. Restrict access to employees who need to retrieve private data. Conduct employee background checks and never give access to temporary employees or vendors.
- Safeguard Data Privacy. Employees must understand that your privacy policy is a pledge to your customers that you will protect their information. Data should only be used in ways that will keep customer identity and the confidentiality of information secure. Of course, your employees and organizations must conform to all applicable laws and regulations.
- Update Procedures. Do not use Social Security numbers as employee ID or client account numbers. If you do so, develop another ID system now.
- Establish Password Management. A password policy should be established for all employees or temporary workers who will access corporate resources. In general, password complexity should be established according to the job functions and data security requirements. Passwords should never be shared.
- Secure All Computers. Implement password protection and require re-logon after a period of inactivity. Train employees to never leave laptops or PDAs unattended. Restrict tele-working to company-owned computers and require use of robust passwords that are changed regularly.
- Control Use of Computers. Restrict employee use of computers to business. Don't permit use of file sharing peer-to-peer websites. Block access to inappropriate websites and prohibit use of unapproved software.
- Keep Security Software Up-To-Date. Keep security patches for your computers up to date. Use firewalls, anti-virus and anti-spyware software; update virus and spyware definitions daily.
- Encrypt Data Transmission. Mandate encryption of all data transmissions. Avoid using Wi-Fi networks; they may permit interception of data.
- Manage Use of Portable Media. Portable media, such as DVDs, CDs and USB "flash drives," are more susceptible to loss or theft. Allow only encrypted data to be downloaded to portable storage devices.
- Establish an Approval Process for Employee-Owned Mobile Devices. With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to interconnect these devices to company applications and infrastructure. Use of these devices to interconnect to company email, calendaring and other services can blur the lines between company controls and consumer controls. Employees who request and are approved to have access to company information via their personal devices should understand and accept the limitations and controls imposed.
- Govern Internet Usage. Most people use the internet without a thought to the harm that can ensue. Employee misuse of the internet can place your company in an awkward, or even illegal, position. Establishing limits on employee internet usage in the workplace may help avoid these situations. Every organization should decide how employees can and should access the web. You want employees to be productive, and this may be the main concern for limiting internet usage, but security concerns should also dictate how internet guidelines are formulated.
- Manage Email Usage. Many data breaches are a result of employee misuse of email that can result in the loss or theft of data and the accidental downloading of viruses or other malware. Clear standards should be established regarding use of emails, message content, encryption and file retention.
- Govern Social Media. All users of social media need to be aware of the risks associated with social media networking. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. Active governance can help ensure employees speak within the parameters set by their company and follow data privacy best practices.
- Oversee Software Copyright and Licensing. There are many good reasons for employees to comply with software copyright and licensing agreements. Organizations are obliged to adhere to the terms of software usage agreements and employees should be made aware of any usage restrictions. Also, employees should not download and use software that has not been reviewed and approved by the company.
- Report Security Incidents. A procedure should be in place for employees or contractors to report malware in the event it is inadvertently imported. All employees should know how to report incidents of malware and what steps to take to help mitigate damage.
How Data Breaches Occur
- Lost or stolen laptops, computers or other computer storage devices
- Backup tapes lost in transit because they were sent neither
electronically nor with a qualified human escort
- Hackers breaking into systems
- Employees stealing information or allowing access to information
- Information bought by a fake business
- Poor business practices - for example sending postcards with Social Security numbers on them
- Internal security failures
- Viruses, Trojan Horses and computer security loopholes
- Information tossed into dumpsters - improper disposition of information
Vendor fraud can be committed by employees acting alone or in collusion with vendors. This type of fraud can also be committed by vendors on their own.
Examples of vendor fraud are:
Billing schemes - In a billing scheme, an employee generates false payments to himself/herself using the company’s vendor payment system either by creating a fictitious vendor (shell company) or by manipulating the account of an existing vendor.
Bribery and kickbacks - An employee participates in a bribery scheme when he or she accepts (or asks for) payments from a vendor in exchange for an advantage.
Check tampering - A check tampering scheme involves forging, altering or creating unauthorized checks. An employee steals checks for payment to a vendor and alters the payee or forges the vendor’s signature to deposit them in his or her personal account.
Over billing - A vendor pads invoices to charge the company for more goods than it ships or to charge a higher price than agreed. This can be done in collusion with an employee, who receives a kickback or by the vendor alone to defraud the company.
Price fixing - This type of fraud occurs when competing vendors collude among themselves to set a minimum price or price range. This makes both vendors’ prices appear competitive and ensures the company pays an inflated price no matter which vendor is chosen. While employees of the company are not usually involved, they sometimes provide information to the vendors about pricing and budgets to facilitate this fraud.
To prevent and detect vendor fraud:
- Conduct thorough background checks on new employees.
- Implement checks and balances on payments to vendors.
- Separate the functions of check preparer and check signer.
- Rotate duties of employees in procurement.
- Conduct random audits of vendor files.
- Conduct due diligence when setting up vendors by verifying:
  - Vendor’s business name
  - Tax Identification Number (TIN)
  - Phone number
  - PO box and street address
  - Bank account
  - Vendor contact person
- Use data mining to uncover anomalies and patterns.
- Compare vendor addresses with employee addresses.
- Implement a dual review process for master vendor file management.
- Review the vendor master file to check that volume of billing is reasonable and consistent.
16 Ways to Identify Fictitious Vendors
- Look for vendors whose mailing addresses are PO boxes.
- Identify companies that are not on a list of approved vendors.
- Look for invoices with even dollar amounts or no taxes added.
- Flag invoices for vague services or services that don’t seem necessary.
- Look for payments without supporting documentation.
- Compare names, addresses, bank account numbers and telephone numbers of vendors and employees.
- Look for vendors who are also health or life beneficiaries of an employee.
- Look for invoices created using Microsoft Excel or Word invoice templates.
- Identify vendors with above-average revenues for investigation.
- Look for invoices from the same vendor with consecutive invoice numbers.
- Compare names of vendors with other similar vendor names and investigate whether payments have been diverted from one to the other.
- Check names of accounts payable employees against Secretary of State records to determine whether they are principals or registered agents of a company that is a vendor.
- Look for vendors without a taxpayer identification number or with an invalid one. A valid Employer Identification Number has nine digits written with a hyphen after the first two (XX-XXXXXXX); a sole proprietor may instead supply a Social Security Number, written XXX-XX-XXXX.
- Compare employer identification numbers, taxpayer identification numbers or DUNS numbers to see if more than one vendor has the same number.
- Look for drastic changes in prices, services or products provided by a particular vendor.
- Look for vendor names that consist only of initials and match those against employee initials.
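The rules above lend themselves to an automated screen of the vendor master file against the employee master and recent invoices, which is the kind of "data mining" the prevention list calls for. The following Python script is an added example, not code from the original page: it implements a subset of the sixteen checks (PO box addresses, the approved-vendor list, TIN format and duplicate TINs, vendor-to-employee matches on address, phone, bank account and initials, even-dollar and tax-free invoices, consecutive invoice numbers) over a small constructed data set. The record layouts, the `ACCT-` account identifiers, the phone numbers and every vendor and employee name are assumptions made for the example; a real run would read these fields from the accounts-payable system.

```python
"""Fictitious-vendor screen: rule-based checks over constructed vendor, employee and invoice records."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

EIN_RE = re.compile(r"^\d{2}-\d{7}$")          # Employer Identification Number, XX-XXXXXXX
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")    # SSN used as a TIN by a sole proprietor, XXX-XX-XXXX
PO_BOX_RE = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.I)
INITIALS_RE = re.compile(r"^(?:[A-Z]\.?\s?){2,4}$")   # vendor names such as "J.R.M." or "JRM"


@dataclass(frozen=True)
class Vendor:               # assumed layout of a vendor master record
    vendor_id: str
    name: str
    address: str
    tin: str
    phone: str
    bank_account: str


@dataclass(frozen=True)
class Employee:             # assumed layout of an employee master record
    name: str
    address: str
    phone: str
    bank_account: str


@dataclass(frozen=True)
class Invoice:              # assumed layout of an accounts-payable invoice line
    vendor_id: str
    number: int
    amount: float
    tax: float


def _norm(text):
    """Lower-case and drop punctuation/whitespace so '12 Elm St.' and '12 elm st' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _initials(name):
    return "".join(word[0] for word in name.split()).upper()


def screen_vendors(vendors, employees, invoices, approved_ids):
    """Return {vendor_id: [reason, ...]} for every vendor that trips at least one rule."""
    flags = defaultdict(list)
    tin_count = Counter(v.tin for v in vendors if v.tin)
    emp_by_addr = {_norm(e.address): e.name for e in employees}
    emp_by_phone = {_norm(e.phone): e.name for e in employees}
    emp_by_bank = {e.bank_account: e.name for e in employees}
    emp_by_initials = {_initials(e.name): e.name for e in employees}

    for v in vendors:
        f = flags[v.vendor_id]
        if v.vendor_id not in approved_ids:
            f.append("not on approved vendor list")
        if PO_BOX_RE.search(v.address):
            f.append("PO box mailing address")
        if not v.tin:
            f.append("missing TIN")
        elif not (EIN_RE.match(v.tin) or SSN_RE.match(v.tin)):
            f.append("invalid TIN format")
        elif tin_count[v.tin] > 1:
            f.append("TIN shared with another vendor")
        if _norm(v.address) in emp_by_addr:
            f.append("address matches employee " + emp_by_addr[_norm(v.address)])
        if _norm(v.phone) in emp_by_phone:
            f.append("phone matches employee " + emp_by_phone[_norm(v.phone)])
        if v.bank_account in emp_by_bank:
            f.append("bank account matches employee " + emp_by_bank[v.bank_account])
        if INITIALS_RE.match(v.name):
            letters = re.sub(r"[^A-Z]", "", v.name)
            if letters in emp_by_initials:
                f.append("name is initials of employee " + emp_by_initials[letters])

    by_vendor = defaultdict(list)
    for inv in invoices:
        by_vendor[inv.vendor_id].append(inv)
    for vid, invs in by_vendor.items():
        f = flags[vid]
        if all(inv.amount == int(inv.amount) for inv in invs):
            f.append("all invoices are even dollar amounts")
        if all(inv.tax == 0 for inv in invs):
            f.append("no tax on any invoice")
        numbers = sorted(inv.number for inv in invs)
        if len(numbers) >= 2 and numbers[-1] - numbers[0] == len(numbers) - 1:
            f.append("consecutive invoice numbers")   # suggests we are the vendor's only customer
    return {vid: reasons for vid, reasons in flags.items() if reasons}


# Constructed sample data: no real companies, people, phone numbers or accounts.
EMPLOYEES = [
    Employee("Jane R. Miller", "12 Elm St, Springfield", "555-0101", "ACCT-7781"),
    Employee("Tom Okafor", "88 Oak Ave, Springfield", "555-0199", "ACCT-1122"),
]
VENDORS = [
    Vendor("V100", "Acme Industrial Supply", "400 Commerce Pkwy, Springfield", "12-3456789", "555-0300", "ACCT-9001"),
    Vendor("V200", "J.R.M.", "P.O. Box 4471, Springfield", "12-34567", "555-0101", "ACCT-7781"),
    Vendor("V300", "Northside Cleaning", "12 Elm St., Springfield", "12-3456789", "555-0420", "ACCT-3300"),
]
APPROVED = {"V100", "V300"}
INVOICES = [
    Invoice("V100", 20481, 1234.56, 98.76), Invoice("V100", 20733, 874.10, 69.93),
    Invoice("V200", 1001, 2500.00, 0.0), Invoice("V200", 1002, 1800.00, 0.0), Invoice("V200", 1003, 3000.00, 0.0),
    Invoice("V300", 5510, 640.75, 51.26),
]


def run_screening():
    return screen_vendors(VENDORS, EMPLOYEES, INVOICES, APPROVED)


if __name__ == "__main__":
    for vid, reasons in run_screening().items():
        print(vid, "->", "; ".join(reasons))
```

On the sample data the shell vendor V200 trips nine rules, while V100 and V300 are each flagged only for sharing one EIN and V300 additionally for an address that matches an employee. That is the intended behaviour: a duplicate TIN cannot tell you which of the two vendors is the problem, so both go to review. Treat every flag as a lead for the due-diligence steps above, not as proof of fraud; the even-dollar rule in particular is noisy when a vendor has only one or two invoices on file.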
Insider fraud or Asset Misappropriation schemes include:
Check Forgery - An employee forges a signature on a check made out to himself/herself or to someone else.
Check Kiting - An employee writes checks on an account that doesn’t have sufficient funds with the expectation that the funds will be in the account before the check clears.
Check Tampering - An employee alters the payee, amount or other details on a check or creates an unauthorized check.
Inventory Theft - An employee steals product from a company, either by physically taking it or diverting it in some other way.
Theft of Cash - Most common in retail environments where cash transactions are frequent, this type of fraud covers:
- Stealing cash
- Not registering a sale and pocketing the cash
- Return fraud (an employee colludes with someone else to return goods fraudulently for a refund)
Theft of Services - An employee misuses company services or company-funded services.
Expense Reimbursement Fraud - Also called expense fraud, this type of fraud includes:
- Forging receipts
- Double claiming for expenses
- Submitting false reimbursement claims
- Inflated expense claims
Procurement Fraud - This type of fraud includes schemes such as over-ordering product, then returning some and pocketing the refund; purchase order fraud, where the employee sets up a phantom vendor account into which fraudulent invoices are paid; or initiating the purchase of goods for personal use.
Payment Fraud - This can include vendor fraud schemes as well as creating false customer accounts to generate false payments.
It also includes:
- Altering payee details on checks and payables
- Self-authorizing payments
- Colluding with others to process false claims for benefits or payments
Workers’ Compensation Fraud - In these types of fraud, an employee exaggerates injuries or a disability, invents injuries that did not occur or attributes injuries that occurred outside of the work environment to work to receive compensation pay. Employees also commit workers’ compensation fraud when they lie about their health or work status while receiving compensation.
Health Insurance Fraud - An employee conspires or colludes with health care providers to defraud an insurance company by submitting false or inflated receipts. An employee claims a reimbursement for medical or health services not received.
Commission Fraud - An employee inflates sales numbers to receive higher commissions, falsifies sales that did not occur or colludes with customers to record and collect commissions on falsified sales.
Personal Use of Company Vehicle - This is similar to theft of services, but involves the employee using a company vehicle (and often the company-issued credit card for fuel) for unauthorized personal activities.
To prevent and detect asset misappropriation:
- Conduct thorough background checks on new employees.
- Implement checks and balances.
- Separate the functions of check preparer and check signer.
- Rotate duties of employees in accounts.
- Conduct random audits of company accounts.
- Don’t pay commission until goods or services have been delivered.
- Keep checks in a locked cabinet and destroy voided checks.
- Implement an anonymous ethics hotline to encourage employees to report wrongdoing.