Cybersecurity Awareness: A Tradition Worth Keeping Year-Round

Written by Steve Levinson | Oct 16, 2025 4:32:09 PM

October is Cybersecurity Awareness month, so one of my annual October rituals, similar to Charlie Brown and the Great Pumpkin, is to share my team’s wisdom pertaining to the latest cybersecurity hacks and scams. I’ve spent the better part of the past quarter century helping organizations of all sizes, and humankind in general, protect their digital, intellectual, and reputational assets from the ever-changing threat landscape. Anyone could fall prey to scams and ransomware attacks, and with the increasing power of AI, we are being bombarded with potentially malicious emails, texts, and phone calls.

One common theme? These hacks and cyber-attacks commonly play on human emotions or gullibility, including, but not limited to, fear, urgency, love, laziness, humiliation, and things that are, well, just too good to be true.

While we share plenty of cybersecurity wisdom with our hundreds of clients, this is the one blog post every year that we share with everyone – clients, friends, and family alike.

 

 

Don’t Trust UNTIL You Verify

We used to say “Trust BUT verify,” but in the increasingly digital world, it is easy to make assumptions because it’s “easier.” If there is one key thematic takeaway from this post, it’s this: ANY time you are asked for unprompted account information such as account number, password, or passcode, you should NOT provide it. If you have any doubt pertaining to a message whatsoever, reach out directly to the institution/bank/company that is requesting it (using the phone number/website that you usually use and not the one in the message, as you should NEVER use the info from the unprompted message).

Oftentimes bad actors will pose as a bank or financial institution representative to tell you about “fraudulent activity” or “account compromises,” so remember to stick to the mantra: Do NOT respond to the text, email, or phone call, even if the message appears legitimate, as the bad actors are REALLLLLY good at making these things look real (e.g., the caller ID may look like your bank or the email address may be close to that of your financial institution), and AI is just helping them up their game. Don’t fall for an “urgent” tone. It can wait until you’ve had time to think it through. The same holds true for “famous” people who want to connect with you – it’s highly unlikely it’s really them.

Oh, and those texts that come from unfamiliar sources… there is a high likelihood that they are from imposters – anything from messages purportedly from your bank or from a random person who asks how you’re doing. I rarely respond to an unsolicited or unexpected text from a number that isn’t in my contacts, especially if it came unexpectedly.

 

Is It Really That Important?

Any message that claims to be urgent probably isn’t. The scammers are just trying to get you to react. Take a breath. It’s OK if you take the extra few minutes to sort things out. Tones that may give it away:

  • “Secure your accounts with this guaranteed system right now.”
  • “This opportunity is available for the next 20 minutes only.”
  • “Respond immediately, or your account (or storage, or phone, or insurance…) will be suspended.”
  • “Your wages will be garnished if you don’t contact us right away.”
  • “There is a warrant out for you and you must call (or email or DM) us right now!”

All truly important messages, especially from your bank or the government, never ask for personal information or payment by email, text, or social media. Legitimate communications are typically sent through official postal mail or posted to your secure online account (such as your banking portal, IRS/CRA account, or other verified government platform). Oh, and they’ll never ask you to pay for anything with gift cards or at a cryptocurrency machine.

 

One-time Passwords

We’ve been recommending that everyone use one-time passwords (OTPs) for any accounts that are worth protecting (e.g., banking/finance, investments, healthcare, etc.) as they provide an important layer of protection. (What are OTPs? Usually a code, from an Authenticator app, the company’s own app, or sent via text or email, that you need to enter to prove you’re actually you.) (Note: If you are NOT using OTP for important accounts, you should make it a priority to do so.) This technology has become quite ubiquitous over the years and is easy to use (e.g., your credit card company may send you a six-digit code to allow you to log in). That said, bad actors have devised creative schemes to trick users into providing OTPs. While you should continue to use OTPs, if you receive an OTP that you did not request, contact the issuing institution directly to confirm the validity of the message (as mentioned above). And if someone claiming to represent your financial institution asks for your OTP, NEVER share it. Again, if you have any doubt, reach out directly to the issuing entity.

 

Imposter Scams

In addition to the scams pertaining to financial institutions, some of the recent scam genres include:

  • Social Security Administration (SSA) Scams: Scammers impersonating SSA employees contact victims by email, phone, or text. They may claim the victim’s identity was stolen or attempt to trick them into giving up their Social Security number through other means. Take the time to contact the SSA directly – don’t mind the long hold times, as it’s better than being scammed.
  • Internal Revenue Service (IRS)/Canada Revenue Agency (CRA) Scams: Fraudsters posing as IRS/CRA officials may threaten victims with legal action over unpaid tax bills. They may also bait victims with false claims of a tax refund, a tax rebate, or of the tax return being rejected to trick them into providing personal information. Keep in mind – the only way the IRS/CRA communicates with taxpayers is by good old-fashioned snail mail or by posting to your secure online account.
  • Package Delivery Scams: The victim of this scam may receive an unsolicited text message about a fictitious USPS, UPS, or FedEx delivery. Ultimately, the sender of the text wants the victim to click on a malicious link (under the guise of package tracking) to gain access to personal information. Again – if you ARE expecting to receive a shipment, go directly to the shipper’s website to check its status. DON’T be lazy and just blindly click the link.
  • Toll Road Trolls: The scammers spoof phone numbers not just from the US but all over the world.
  • Cryptocurrency Scams: We’ve seen a plethora of “Coinbase Support” scams. These are more sophisticated vishing (voice phishing) scams that follow the basic social engineering playbook. They’re helpful and non-confrontational but instill a sense of urgency. If confronted or questioned, they may double down on the urgency and may also become confrontational.

 

Artificial Intelligence (AI) Fueled Fraud

Let’s face it – we are all riding the AI wave, whether we know it or not. While there are many good news stories about how AI has made the world a better place, there are certainly many areas where we should be concerned. AI is helping scammers make fraud appear more legitimate than ever before. As AI continues to grow more sophisticated, scammers are finding creative ways to exploit this technology to their advantage, not only in how they make messages appear “more real,” but also from a technology use perspective:

  • AI-enabled Voice Cloning: Scammers use AI to mimic the voice of someone the victim knows, like a family member, to request funds for a fake emergency.
  • Deepfake Impersonations: Fraudsters create realistic AI-generated videos or audio of a person the victim knows and trusts to trick them into transferring funds.

Here are a few (trusted!) links to some of the many related stories pertaining to nefarious AI activities as the future is now – this stuff is real!

  1. https://edition.cnn.com/2023/04/29/us/ai-scam-calls-kidnapping-cec
  2. https://www.ft.com/content/b977e8d4-664c-4ae4-8a8e-eb93bdf785ea
  3. https://www.latimes.com/california/story/2025-09-24/she-thought-a-general-hospital-star-was-in-love-with-her-then-she-lost-everything

 

Improve Your Vigilance

Many financial institutions (banks, credit cards, investments) allow you to set up alerts (text or email) whenever there is activity in your account (and oftentimes, you can select thresholds). On top of that, there are many free or inexpensive credit monitoring/locking services that allow you to lock down any activities associated with your identity/accounts or that provide monitoring of any suspicious activities. Or, you could “freeze” your credit report through a bureau without paying someone like LifeLock.

To check your credit report for free you can visit www.annualcreditreport.com or https://www.transunion.ca/credit-report. While this won’t prevent fraud, it can help you react promptly to nefarious activity. 

 

Cybersecurity is a year-round habit, not a seasonal special. By the time Charlie Brown and the Great Pumpkin return each October, make sure your defenses are already in place. Together, we can build a safer digital community. Check out our previous Cybersecurity Awareness posts for tips to stay safe year-round or message us directly to learn how we can help.

 

About the Author

Steve Levinson is the VP & CISO of OBS Cybersecurity and leads a pragmatic, business-focused security consulting practice centered on right-sized protection. An active CISSP, CISA, and QSA with an MBA from Emory, he brings over 20 years of cybersecurity expertise and extensive experience in risk and compliance assessments. Formerly with Verisign and AT&T Consulting, Steve now advises hundreds of clients and serves as a respected member of the PCI SSC’s Global Assessors Round Table (GEAR).