October is Cybersecurity Awareness month, so one of my annual October rituals, similar to Charlie Brown and the Great Pumpkin, is to share my team’s wisdom pertaining to the latest cybersecurity hacks and scams. I’ve spent the better part of the past quarter century helping organizations of all sizes, and humankind in general, protect their digital, intellectual, and reputational assets from the ever-changing threat landscape. Anyone could fall prey to scams and ransomware attacks, and with the increasing power of AI, we are being bombarded with potentially malicious emails, texts, and phone calls.
One common theme? These hacks and cyber-attacks play on human emotions or gullibility, including, but not limited to, fear, urgency, love, laziness, humiliation, and things that are, well, just too good to be true.
While we share plenty of cybersecurity wisdom with our hundreds of clients, this is the one blog post every year that we share with everyone – clients, friends, and family alike.
We used to say “Trust BUT verify,” but in an increasingly digital world it is tempting to skip the verifying because assuming is “easier.” If there is one key takeaway from this post, it’s this: ANY time an unprompted message asks for account information such as an account number, password, or passcode, do NOT provide it. If you have any doubt whatsoever about a message, reach out directly to the institution/bank/company that is supposedly requesting it, using the phone number or website you normally use. NEVER use the phone number, link, or email address in the unprompted message itself, because those are controlled by whoever sent it.
Oftentimes bad actors will pose as a bank or financial institution representative and tell you about “fraudulent activity” or an “account compromise,” so stick to the mantra: do NOT respond to the text, email, or phone call, even if the message appears legitimate. Bad actors are REALLLLLY good at making these things look real (e.g., the caller ID may look like your bank, or the sender’s email address may be one character off from your financial institution’s), and AI is helping them up their game. Don’t fall for an “urgent” tone. It can wait until you’ve had time to think it through. The same holds true for “famous” people who want to connect with you – it is highly unlikely it’s really them.
Oh, and those texts from unfamiliar sources… there is a high likelihood that they are from imposters – anything from messages purportedly from your bank to a random person asking how you’re doing. I rarely respond to an unexpected text from a number that isn’t in my contacts.
Any message that claims to be urgent probably isn’t. The scammers are just trying to get you to react. Take a breath. It’s OK to take an extra few minutes to sort things out. Tones that may give it away:
Legitimate organizations, especially your bank and the government, do not ask for personal information or payment by email, text, or social media. Important communications are typically sent through official postal mail or posted to your secure online account (such as your banking portal, IRS/CRA account, or other verified government platform). Oh, and they’ll never ask you to pay for anything with gift cards or at a cryptocurrency ATM.
We’ve been recommending that everyone use one-time passwords (OTPs) for any accounts worth protecting (e.g., banking/finance, investments, healthcare, etc.) as they provide an important layer of protection. (What are OTPs? Usually a short code, generated by an authenticator app or the company’s own app, or sent via text or email, that you must enter in addition to your password to prove you’re actually you.) If you are NOT using OTPs for your important accounts, make setting them up a priority. This technology has become quite ubiquitous over the years and is easy to use (e.g., your credit card company may send you a six-digit code to allow you to log in). Codes from an authenticator app are stronger than codes sent by text, since text messages can be intercepted or redirected to a scammer’s phone, but any OTP is far better than none. That said, bad actors have devised creative schemes to trick users into reading their OTPs out loud or typing them into a fake site. While you should continue to use OTPs, if you receive an OTP that you did not request, treat it as a sign that someone has your password, change that password, and contact the issuing institution directly (as mentioned above). And if someone claiming to represent your financial institution asks for your OTP, NEVER share it – the real institution already generated the code and does not need you to repeat it. Again, if you have any doubt, reach out directly to the issuing entity.
In addition to the scams pertaining to financial institutions, some of the recent scam genres include:
Let’s face it – we are all riding the AI wave, whether we know it or not. While there are many good news stories about how AI has made the world a better place, there are certainly areas where we should be concerned. AI is helping scammers make fraud appear more legitimate than ever before. As AI grows more sophisticated, scammers are finding creative ways to exploit it, not only by making messages appear “more real,” but also in how they use the technology itself:
Many financial institutions (banks, credit cards, investments) let you set up alerts (text or email) whenever there is activity in your account, and oftentimes you can set thresholds so you are only notified above a certain amount. On top of that, there are many free or inexpensive credit monitoring/locking services that let you lock down activities associated with your identity/accounts or that monitor for suspicious activity. Or, you can “freeze” your credit report directly with each credit bureau, without paying a third-party service like LifeLock.
To check your credit report for free, visit www.annualcreditreport.com or https://www.transunion.ca/credit-report. While this won’t prevent fraud, it can help you spot suspicious activity and react promptly.
Cybersecurity is a year-round habit, not a seasonal special. By the time Charlie Brown and the Great Pumpkin return each October, make sure your defenses are already in place. Together, we can build a safer digital community. Check out our previous Cybersecurity Awareness posts for tips to stay safe year-round or message us directly to learn how we can help.
About the Author
Steve Levinson is the VP & CISO of OBS Cybersecurity and leads a pragmatic, business-focused security consulting practice centered on right-sized protection. An active CISSP, CISA, and QSA with an MBA from Emory, he brings over 20 years of cybersecurity expertise and extensive experience in risk and compliance assessments. Formerly with Verisign and AT&T Consulting, Steve now advises hundreds of clients and serves as a respected member of the PCI SSC’s Global Executive Assessor Roundtable (GEAR).