Cybersecurity Awareness: A Tradition Worth Keeping Year-Round

By Steve Levinson on October 16, 2025

Steve Levinson

Steve Levinson, Vice President & Chief Security Officer (CISO) of OBS Global’s Cybersecurity practice, leads a vibrant, pragmatic, risk-based, business-minded security consulting practice that focuses on right-sized security. This includes a wide variety of services including advisory services, governance/program management and risk assessments (PCI, HIPAA, ISO, NIST, FedRAMP and preparation for SOC2), technical security services (vulnerability scanning, penetration testing, red teaming, and secure code development), data protection and privacy, cloud security, and specialized security services for the healthcare and financial industries. Steve is considered a thought leader in the cybersecurity community, delivering captivating presentations and webinars, and having penned dozens of insights for many publications. Steve is an active CISSP, CISA, and QSA with an MBA from Emory Business School and has over twenty years of IT security experience, and over 25 years of IT experience. Steve’s strong technical and client management skills combined with his holistic approach to risk management resonate with clients and employees alike. He has performed or participated in hundreds of risk assessments and compliance assessments, starting his consulting career with Verisign and AT&T Consulting, where he provided cybersecurity consulting leadership. Since then, Steve has served as a key strategic advisor for hundreds of clients and has gained the trust of many industry partners and affiliates, earning him a seat as a respected voice around the PCI SSC’s Global Assessors Round Table.
In addition to serving as virtual CISO for several clients, Steve has also performed security architecture reviews, network and systems reviews, security policy development, vulnerability assessments, and served as cybersecurity subject matter expert to client and partner stakeholders globally. Wherever Steve’s travels take him – and he travels a lot – he makes friends and finds time in his busy calendar to gather as many local like-minded security professionals, colleagues old and new, to share ideas, foster connections, and build on ideas. His true professionalism and his earnest nature, together, make up the ‘magic’ that fuels the passion of those he leads. It was exactly this combination of Steve’s vision, passion, and his connections around the world that recently helped form OBS’s EMEA division, expanding the organization’s security and digital transformation footprint internationally. Keeping up with the latest security trends and threats is easier than keeping up with Steve; when he’s not connecting with clients or fighting cybercrime, Steve is making meaningful memories with his family, keeping pace with his beloved pups, catching the early surf just after sunrise, or charging down a mountain slope. “Where’s Steve?” is a common phrase jested amongst colleagues around the virtual OBS office. But not to worry, if you miss him, he will circle back again soon.


October is Cybersecurity Awareness month, so one of my annual October rituals, similar to Charlie Brown and the Great Pumpkin, is to share my team’s wisdom pertaining to the latest cybersecurity hacks and scams. I’ve spent the better part of the past quarter century helping organizations of all sizes, and humankind in general, protect their digital, intellectual, and reputational assets from the ever-changing threat landscape. Anyone could fall prey to scams and ransomware attacks, and with the increasing power of AI, we are being bombarded with potentially malicious emails, texts, and phone calls.

One common theme? These hacks and cyber-attacks commonly play on human emotions or gullibility, including, but not limited to fear, urgency, love, laziness, humiliation, and things that are, well, just too good to be true.

While we share plenty of cybersecurity wisdom with our hundreds of clients, this is the one blog post every year that we share with everyone – clients, friends, and family alike.

 

 

Don’t Trust UNTIL You Verify

We used to say “Trust BUT verify,” but in the increasingly digital world, it is easy to make assumptions because it’s “easier.” If there is one key thematic takeaway from this post, it’s this: ANY time you are asked for unprompted account information such as account number, password, or passcode, you should NOT provide it. If you have any doubt pertaining to a message whatsoever, reach out directly to the institution/bank/company that is requesting it (using the phone number/website that you usually use and not the one in the message, as you should NEVER use the info from the unprompted message).

Oftentimes bad actors will pose as a bank or financial institution representative to tell you about “fraudulent activity” or “account compromises,” so remember to stick to the mantra: Do NOT respond to the text, email, or phone call, even if the message appears legitimate, as the bad actors are REALLLLLY good at making these things look real (e.g., the caller ID may look like your bank or the email address may be close to that of your financial institution), and AI is just helping them up their game. Don’t fall for an “urgent” tone of things. It can wait until you’ve had time to think it through. The same holds true for “famous” people who want to connect with you – highly unlikely it’s really them.

Oh, and those texts that come from unfamiliar sources… there is a high likelihood that they are from imposters – anything from messages purportedly from your bank or from a random person who asks how you’re doing. I rarely respond to an unsolicited or unexpected text from a number that isn’t in my contacts, especially if it came unexpectedly.

 

Is It Really That Important?

Any message that claims to be urgent probably isn’t. The scammers are just trying to get you to react. Take a breath. It’s OK if you take the extra few minutes to sort things out. Tones that may give it away:

  • “Secure your accounts with this guaranteed system right now.”
  • “This opportunity is available for the next 20 minutes only.”
  • “Respond immediately, or your account (or storage, or phone, or insurance…) will be suspended.”
  • “Your wages will be garnished if you don’t contact us right away.”
  • “There is a warrant out for you and you must call (or email or DM) us right now!”

All truly important messages, especially from your bank or the government, never ask for personal information or payment by email, text, or social media. Legitimate communications are typically sent through official postal mail or posted to your secure online account (such as your banking portal, IRS/CRA account, or other verified government platform). Oh, and they’ll never ask you to pay for anything with gift cards or at a cryptocurrency machine.

 

One-time Passwords

We’ve been recommending that everyone use one-time passwords (OTPs) for any accounts that are worth protecting (e.g., banking/finance, investments, healthcare, etc.) as they provide an important layer of protection. (What are OTPs? Usually something like a code, usually from an Authenticator app, the company’s own app, or sent via text or email that you need to enter to prove you’re actually you.) (Note: If you are NOT using OTP for important accounts, you should make it a priority to make that so.) This technology has become quite ubiquitous over the years and easy to use (e.g., your credit card company may send you a six-digit code to allow you to log in). That said, bad actors have devised creative schemes to trick users into providing OTPs. While you should continue to use OTPs, if you receive an OTP that you did not request, contact the issuing institution directly to confirm the validity of the message (as mentioned above). And if someone claiming to represent your financial institution asks for your OTP, NEVER share it. Again, if you have doubt, reach out directly to the issuing entity.

 

Imposter Scams

In addition to the scams pertaining to financial institutions, some of the recent scam genres include:

  • Social Security Administration (SSA) Scams: Scammers impersonating SSA employees contact victims by email, phone, or text. They may claim the victim’s identity was stolen or attempt to trick them into giving up their Social Security number through other means. Take the time to contact the SSA directly – don’t mind the long hold times as it’s better than being scammed.
  • Internal Revenue Service (IRS)/Canada Revenue Agency (CRA) Scams: Fraudsters posing as IRS/CRA officials may threaten victims with legal action over unpaid tax bills. They may also bait victims with false claims of a tax refund, a tax rebate, or of the tax return being rejected to trick them into providing personal information. Keep in mind – the only way the IRS/CRA communicates with taxpayers is by good old fashioned snail-mail or by posting to your secure online account.
  • Package Delivery Scams: The victim of this scam may receive an unsolicited text message about a fictitious USPS, UPS, or FedEx delivery. Ultimately, the sender of the text wants the victim to click on a malicious link (under the guise of package tracking) to gain access to personal information. Again – if you ARE expecting to receive a shipment, go directly to the shipper’s website to get status. DON’T be lazy and just blindly click the link.
  • Toll Road Trolls: The scammers spoof phone numbers not just from the US but all over the world.
  • Cryptocurrency Scams: We’ve seen a plethora of “Coinbase Support” scams. These are more sophisticated vishing (voice phishing) scams that follow the basic social engineering playbook. They’re helpful and non-confrontational but instill a sense of urgency. If confronted or questioned, they may double down on the urgency and may also become confrontational.

 

Artificial Intelligence (AI) Fueled Fraud

Let’s face it – we are all riding the AI wave, whether we know it or not. While there are many good news stories about how AI has made the world a better place, there are certainly many areas where we should be concerned. AI is helping scammers make fraud appear more legitimate than ever before. As AI continues to grow more sophisticated, scammers are finding creative ways to exploit this technology to their advantage, not only with how they are making messages appear “more real,” but also from a technology use perspective:

  • AI-enabled Voice Cloning: Scammers use AI to mimic the voice of someone the victim knows, like a family member, to request funds for a fake emergency.
  • Deepfake Impersonations: Fraudsters create realistic AI-generated videos or audio of a person the victim knows and trusts to trick them into transferring funds.
Here are a few (trusted!) links to some of the many related stories pertaining to nefarious AI activities as the future is now – this stuff is real!
1. https://edition.cnn.com/2023/04/29/us/ai-scam-calls-kidnapping-cec
2. https://www.ft.com/content/b977e8d4-664c-4ae4-8a8e-eb93bdf785ea
3. https://www.latimes.com/california/story/2025-09-24/she-thought-a-general-hospital-star-was-in-love-with-her-then-she-lost-everything

 

Improve Your Vigilance

Many financial institutions (banks, credit cards, investments) allow you to set up alerts (text or email) whenever there is activity in your account (and oftentimes, you can select thresholds). On top of that, there are many free or inexpensive credit monitoring/locking services that allow you to lock down any activities associated with your identity/accounts or that provide monitoring of any suspicious activities. Or, you could also “freeze” your credit report through a bureau without paying someone like LifeLock.

To check your credit report for free you can visit www.annualcreditreport.com or https://www.transunion.ca/credit-report. While this won’t prevent fraud, it can help you react promptly to nefarious activity. 

 


Cybersecurity is a year-round habit, not a seasonal special. By the time Charlie Brown and the Great Pumpkin return each October, make sure your defenses are already in place. Together, we can build a safer digital community. Check out our previous Cybersecurity Awareness posts for tips to stay safe year-round or message us directly to learn how we can help.


 

About the Author


Steve Levinson is the VP & CISO of OBS Cybersecurity and leads a pragmatic, business-focused security consulting practice centered on right-sized protection. An active CISSP, CISA, and QSA with an MBA from Emory, he brings over 20 years of cybersecurity expertise and extensive experience in risk and compliance assessments. Formerly with Verisign and AT&T Consulting, Steve now advises hundreds of clients and serves as a respected member of the PCI SSC’s Global Assessors Round Table (GEAR).

 

 

