identitytheftsolutionstx.com

Leave Survivors Passwords to Resurrect Your Digital Life

Wed, 12 Jan 2022 18:12:18 GMT

Survivors generally desperately want to honor the last wishes of loved ones who have died. That's problematic when final wishes haven't been shared. An absence of guidance can double the pain of losing a dear friend or relative.

The same is true if you agree to manage their estate. You can't imagine some of the questions that will hit you if you're appointed executor. You won't even realize you lack the answers until it's too late.

Survivors struggling with grief don't need the added burden of an informational scavenger hunt, but in today's world, they run into one significant obstacle— accessing the digital records left behind . Increasingly, digital devices contain the primary history of the life someone lived, and those files probably need a guardian as much as any minor child would.

Misconceptions Abound

When someone dies, it can be difficult to gain access to password-protected phones and laptops. A death certificate is rarely enough. Further, a simple photo won't unlock that device via facial recognition.

Don't believe friends who tell you a funeral home can help access someone's smartphone after death. Many biometric evaluations run on infrared sensors or radio frequencies. These days, facial recognition programs can evaluate heat signatures or signs that the owner is paying attention to the screen. Biometrics that measure electrical conductivity may be hindered; the body's currents are no longer present.

Fingerprints won't be easy to utilize after death, either. Today, one major smartphone company disables Touch ID if it's not used in 48 hours also.

If you're close to a person in failing health and know you're designated to manage their final accounts, discuss how to gain access to all digital records. Being well-prepared will deliver peace of mind to both of you.

Discuss adding a second individual's fingerprints to devices before the need arises. In addition, some smartphones will allow you to add one additional face to your Face ID unlock formula to cover issues such as unexpected death.

The No. 1 Reason You Can't Find a Will

You'd think that more individuals would write Wills or establish estate plans. Unfortunately, the numbers tell a different story. A tally of Americans who've executed a Will decreased significantly over the last four years, and the numbers were surprisingly low before that decline.

Only 1 in 3 Americans has prepared a Will to guide survivors, according to a 2021 industry survey. Check this list of well-known folks who died without a Will—many worth millions: Jimi Hendrix, Pablo Picasso, Michael Jackson, Prince, Abraham Lincoln, Martin Luther King Jr. and Amy Winehouse. They all died without executing legal papers—a situation known as dying intestate. In these instances, estate wrangling and litigation have been costly.

Documents Survivors Need

Here's a shortlist of documents a single company might require from the executor or personal representative before they'll even disclose the balance of a deceased person’s 401(k) account:

Social Security card or an official document including the complete number
A bill with the deceased's current address to confirm their last residence
Birth certificate(s) for the dead and any children
Death certificate
Marriage papers, if applicable
Divorce documents, if applicable
A driver's license or photo ID for the deceased
Letters of Appointment for the executor or personal representative

Collecting these documents to determine assets requires real detective work. The same is true for debts. If you inherit stacks of disorganized papers and need help locating vital pieces, this task becomes daunting. For example, most of us can't find our own Social Security cards , so what are the odds an executor can successfully locate one for the departed?

Each institution establishes its own rules. Some credit card issuers require a death certificate to cough up data, for example. Others don't. One gatekeeper may want to see photo IDs while another will disclose details immediately for someone identified as a close relative. Even the decedent's cat's health insurance provider might require official records to access the kitty's policy.

What To Know About Device Lock Out

Hopefully, some written instructions can guide you. When your father, daughter, brother or cousin dies without a Will, there is no road map. If estimates are correct, the average person holds 100 or more online accounts. That's a lot of data to comb through, even when you've located the needed credentials for access.

Cell phone and email providers aren’t likely to hand over passwords . They're serious about privacy even if the departed probably isn't entitled to protection.

What is Risk-Based Vulnerability Management?

office@egs-solutions.com (Stephani McGirr) — Wed, 17 Nov 2021 18:13:00 GMT

Risk-based vulnerability management (RBVM) is a cybersecurity strategy in which organizations prioritize remediation of software vulnerabilities according to the risk they pose to the organization. A risk-based vulnerability management strategy has several components.

The need for risk-based vulnerability management The need for risk-based vulnerability management is driven by the fact that large enterprise networks contain more vulnerabilities than their cybersecurity teams can fix . Simply put, the scale of vulnerability management at large organizations makes the practice challenging. Cybersecurity executives at large organizations can manage, on average, 80,000 IT assets including laptops, servers, routers, and internet-connected printers. Combined, these assets may hold 40 million vulnerabilities. However, research by Kenna Security shows that companies have, on average, the capacity to remediate just one out of every ten vulnerabilities on their systems. Traditionally, organizations prioritized the vulnerabilities they needed to patch according to a mix of gut feeling, regulatory and compliance needs, and the theoretical damage a successful attack could do. For example, one common metric, the Common Vulnerability Scoring System (CVSS), scores vulnerabilities according to the damage it would do if exploited. But many vulnerabilities with high CVSS scores pose little or no risk of exploitation. Patching a vulnerability that is not likely to be exploited represents a waste of scarce resources. Sounds pretty hopeless right? It certainly has been for many companies, but that’s where risk-based vulnerability management comes in. If you look at the behavior of real-world hackers, they attack only a small subset of security flaws. Our research indicates that only 5 percent of enterprise vulnerabilities have known exploitation events . Therefore, organizations can drastically improve their security and minimize their risk by identifying and remediating the small subset of vulnerabilities prone to exploitation. How to succeed with a risk-based vulnerability management program The success of risk-based vulnerability management depends on the quality of the data used to predict exploitability. Since 2009, data scientists at Kenna Security have worked to identify the factors threat actors use when choosing which vulnerabilities to exploit and weaponize. Some examples of the factors that predict weaponization of an exploit include:

With knowledge of which factors make a vulnerability more likely to be exploited, security teams can not only prioritize vulnerabilities that pose an immediate risk but also patch software flaws before an exploit is developed. The risk-based vulnerability management revolution Risk-based vulnerability management is revolutionizing the way large organizations approach vulnerability management. By prioritizing vulnerabilities likely to be exploited, a risk-based system drives tremendous efficiency gains while improving risk posture. To be clear, a risk-based vulnerability strategy will leave some vulnerabilities unpatched but allows companies to do so with confidence that these weaknesses pose an acceptably low level of risk to the overall security of the company. It is this ability to delay work that opens up efficiency gains and reduces the risk of IT outages due to excessive change. At the same time, security risk is reduced. Risk-based vulnerability management really is a win-win for IT and Security. Written and published By Kenna, Jason Rollesten, Chief Product Officer

Which States Have the Highest Rates of ID THEFT!

office@egs-solutions.com (Stephani McGirr) — Wed, 10 Nov 2021 17:21:00 GMT

How does Nevada stack up in terms of identity (ID) theft rates? Or Alaska. Or North Carolina. Logical thinkers might predict that ID theft per capita would be the same across the nation, but they would be wrong. Some states have much higher rates of identity theft than others. Knowing your state's rate helps you understand the risks in your vicinity. That knowledge could prove priceless in protecting your identity from fraud or abuse. First, however, you'll need to grasp what drives the statistics as well as the raw numbers.

How State Rates Are Obtained

The federal government tracks ID theft rates and sorts them by state. Annually, The United States Federal Trade Commission (FTC) releases the Consumer Sentinel Network (CSN) yearly report, which covers identity theft, fraud, imposter scams and an array of other crimes.

Complaints arrive at CSN from 25 states, the Better Business Bureau, local law enforcement groups, the FBI and other entities. In addition, hundreds of crime-tracking agencies feed case data into the CSN report .

In 2020, FTC offices received 2.2 million fraud complaints directly. CSN added another 2.5 million to the year's total. Over 1.4 million complaints concerned identity theft, with some individuals reporting their second or third ID theft experience. These thefts topped CSN lists.

"In 2020, people filed more reports about Identity Theft (29.4% of all reports), in all its various forms, than any other type of complaint. Imposter Scams, a subset of Fraud reports, followed with 498,278 reports from consumers in 2020 (10.6% of all reports)," according to Sentinel reporting.

Are Identity Thieves Moving North?

A decade ago, Florida often topped the list of states where ID theft occurred. Today, Florida has been dethroned as the nation's ID theft queen. Since 2019, Georgia, Washington and Louisiana have surpassed the Sunshine State. During the first half of 2021, Florida ranks #9 on the list.

Kansas, Rhode Island, Illinois, Nevada and Washington occupied the top five state slots on the list in 2020. Massachusetts ranked #6, followed by Georgia, Arkansas, Maine and Louisiana.

Top 10 States Where ID Theft Occurred in 2020

1. Kansas 2. Rhode Island 3. Illinois 4. Nevada 5. Washington 6. Massachusetts 7. Georgia 8. Arkansas 9. Maine 10. Louisiana

Source: U.S. Federal Trade Commission Consumer Sentinel Network Data Book 2020

Ranking is one way to spot emerging hot spots for identity thieves. But it's too early to predict a northward migration by identity thieves because the pandemic skewed some of the statistics. Government benefits fraud, for example, soared due to widespread unemployment compensation theft.

Unemployment fraud recently hit Kansas very hard, which might explain some of its meteoric rise to the top of the heap. Kansans experienced 1,438 identity theft problems per 100,000 state residents in 2020. Neighboring Nebraska reported only 113 per 100,000 inhabitants.

For the first half of 2021, Rhode Island claimed the top spot. Still, that rise may prove fleeting if Hurricane Ida spread lots of personally identifiable information (PII) documents around that coastal state. In just six months, Rhode Island reports 1,705 identity theft claims per 100,000 residents.

Check out the FTC's interactive state map on identity theft; this tool lets you select different years and states. Individual states will rise or fall in the rankings each year, but the device illustrates state progress in thwarting ID theft. What you want to see is a downward trend for your location.

Reasons Why Some States Struggle

You might think Florida became a perennial problem because of its aging population. That's one potential factor, but natural disasters also pump up the opportunity for crooks, and Florida endures more than its share of those. All those years in the spotlight made the Sunshine State a target not only for thieves. The U.S. Attorney's Office, Postal Inspector and other government agencies made the state a major focus and probably triggered its decline in the ratings.

Coronavirus has likely impacted recent ID theft rates significantly. Jumps in areas where unemployment hit an all-time high may soon start to reverse. While advanced age may factor into scammer target selection, millennials get targeted more and often fall harder for identity theft ploys.

Weather and population density can also influence rankings. For example, more temperate states could see more dumpster diving for discarded PII. There's more activity in the Southern and Southwestern states in the winter months, which may also feed stolen ID statistics. And, naturally, urban areas are hot spots because they offer more targets to exploit.

Written and Published By IDShield,

Scam of the Month: Phony Free Gift Texts. Don’t Click That Message

office@egs-solutions.com (Stephani McGirr) — Wed, 10 Nov 2021 17:05:00 GMT

Loaded' Text Messages on the Rise

"Here's a gift for you." Those words have a nice ring to them, don't they? The message sounds terrific, but data security specialists urge caution. You're now the proud owner of what's sometimes referred to as a loaded text. This type of SMS message has increased rapidly in the past two months, earning this tactic a turn in the spotlight as our Scam of the Month.

Fraudulent text tactics aren't new. In 2014, the Federal Trade Commission (FTC) settled a complaint against a group of shady text senders who promised free gift cards to anyone that replied. The agency also reclaimed $2.5 million consumers had lost. Unfortunately, this ploy has aged well over time—for the scammers at least.

Smish This!

This technique to invade digital devices is known as smishing—a mash-up of SMS or short message service and phishing. What's worthy with our Scam of the Month honoree is a wave of imposters claiming to be your cell phone provider. The ploy has hit AT&T, T-Mobile and Verizon users hard.

Texts read "Here's a gift for you" or "Here's something for you." One text approach claims to be a "thank you" gesture for your recent bill payment. Another discusses "service concerns" or "recent disruptions" in service. It would be swell if cell carriers provided compensation for system downtime, but they generally don't make such offers.

Texts offering free stuff often prove difficult to resist. Messages will boost their credibility by addressing you by name. Your cell number and name paired together were most likely compromised in a recent data breach like T-Mobile's August attack that lost these exact details for 850,000 customers. Information from older data breaches can also work.

Do not click this bait! If you do, you're likely to land on a spoofed website that perfectly impersonates the real deal. The page requires you to log in at AT&T or Verizon, for example, and presto! The hacker now has your account credentials and can roam through your usage, spend your money or even switch passwords to lock you out of the device. You may also receive a download of malware while visiting the imitation web page.

Patterns Persist

The root cause of a data leak often proves challenging to trace back to the initial breach or source. However, that wasn't the problem when a lower-priced service started to see actual device takeovers in early October of this year. Instead, the company blamed the breaches on credential stuffing —a practice of using breached login details on hundreds of different websites to determine what additional accounts they might unlock. An essential element in such hacks is the terrible practice of password recycling. Using the same password for numerous access points is a terrible idea.

Worst of all, these intruders can authorize large purchases that flood your credit card on file with the carrier. Some customers reported $1,000 purchases, for example, that could max out cards. While the company addressed through social media , it quickly took its strategy private responding on a case-by-case level via direct messages (DMs).

Detection Tools

The old standby of hovering your mouse cursor over an embedded link won't work here. Senders employ a link-shortening site like bitly.com to cloak their accurate web address. You could end up anywhere if you clicked that link.

It doesn't always take a rocket scientist to spot the scam. For example, a text on your work device could address you personally. Likewise, one from a cell carrier you don't use is a dead giveaway. Perhaps, a past provider shouldn't be texting you at your current number regarding bill payments. Con artists are persistent, however, and sooner or later, you'll get a loaded text you won't be able to evaluate easily.

Written and Published By, IDShield

Ransomware Hits Businesses & Consumers in the Wallet

office@egs-solutions.com (Stephani McGirr) — Wed, 10 Nov 2021 16:56:00 GMT

The headlines sure grab your attention:

Worrisome headlines, for sure. So, what is ransomware? Isn’t this primarily a business problem? Consumers don’t need to be concerned, right?

Constantly Evolving Threat

Ransomware continues to evolve rapidly, and answers to these questions change with each emerging version. Nevertheless, this tactic impacts everyone and everyone should be concerned.

When the concept first appeared in 1989, 20,000 individuals attending a World Health Organization AIDS conference in Stockholm became targets. The distributer was a biologist and AIDS researcher who sent floppy discs to the list of attendees. Once recipients loaded the floppy data into a computer, a message popped up demanding the device owner send $189 to an address in Panama. It was just a hint of the power this concept would eventually possess.

Over the past decade, ransomware has spread like wildfire, and its use has altered. First, the lure of financial gain switched the focus from attacks on individuals who might cough up $200 toward big-time targets with much deeper pockets. As a result, higher-value targets are now the norm.

Today’s ransom demands can squeeze a single business for $10 million or more. While a company may pay the bill or hire a forensic cybersecurity firm to search for alternatives, you’ll feel the pain, too, if you’re a customer of that company. Damages can be swift and severe.

Defining Ransomware

Ransomware is a software tool that infects digital devices like laptops and desk computers to prevent the owners from accessing their stored data. Crooks have always offered something in return for their hefty fee—a decrypt key is standard—but these keys don’t always work. Increasingly, hackers also include threats of exposing the stolen data online. In some cases, blackmail delivers big payoffs.

Damages tend to trickle down to all sorts of folks. That’s why you should learn all you can about the problem, solutions that work, those that don’t, and which proactive steps might help if hackers zeroed in on your business.

Deep Damages

Ransomware senders initially used a shotgun approach to hit targets. Thousands of individuals were peppered with emails that carried malware, and names like WannaCry or CryptoLocker dominated the news cycle. Today, detailed research can lead to aiming at a single entity.

Phishing emails still deliver malicious code. For example, if a worker clicks a link in a targeted email while using a company machine, hackers often access several company data systems. In other instances, malware arrives when a device user visits a harmful website.

Once the target’s data system is locked down, hackers then download files to misuse later. Business operating systems like digital checkout registers won’t work, making it impossible to buy goods. Gas pumps may run dry. So yes, ransomware impacts us all.

“Ransomware is a long-standing problem and a growing national security threat,” a spokesman for the United States Department of Justice said this summer when unveiling a new collaborative way to report and share information about recent attacks.

Roughly $350 million in ransom was paid to malicious cyber actors in 2020—more than a 300% increase from the previous year. Unfortunately, 2021 has already featured jaw-dropping ransomware attacks, and the trend continues to worsen.

Top Targets

Hackers are generally one (or more) steps ahead of the hard-working people who work to block intrusion attempts. So cyber investigators play catch up as they study the hacker’s moves and search for data exfiltration.

Top targets include:

Massive attacks make headlines, yet government experts say they don’t tell the whole story. According to U.S Department of Justice (DoJ) calculations, roughly 75% of all ransomware attacks zero in on small businesses .

“Like most cyber-attacks, ransomware exploits the weakest link. Many small businesses have yet to adequately protect their networks,” the agency stated.

Small businesses face direct attacks but also suffer from attacks on their service providers. For example, in 2021, hackers aimed at a Florida-based IT firm called Kaseya. The company delivers IT assistance for businesses too small to have their own info tech departments. Perpetrators seized massive amounts of data, and schools, grocery stores and an estimated 2,000 additional firms felt the impact. Hackers demanded $70 million to reverse the damage.

Making Headway

Government investigators work around the clock to track down perpetrators after an attack like Colonial’s. The FBI and other law enforcement groups strongly recommend against paying a ransom, but media reports indicate that Colonial and JBS both paid millions for a decryption key.

In Colonial’s case, the price tag reached around $4.4 million, but the software received was so slow, the company couldn’t use it. As a result, the pipeline shutdown caused panic in southeastern states and empty gas tanks up and down the coast.

In late October, a group of U.S. agencies including the Secret Service, U.S. Cyber Command and the FBI collaborated with foreign governments to hack back at a ransomware gang responsible for numerous attacks. Their takedown plan knocked REvil, a group with apparent ties to Russia, offline after the crew claimed responsibility for the JBS attack and several other major incidents.

Reporting Figures Accurate?

The attacks we hear about are alarming, but there’s an additional dimension—businesses that don’t report ransomware or other data breaches. Anonymous surveys of business IT teams indicate that those rates could be 35% or higher.

In June, the DoJ launched a dedicated website to address the ransomware issue and hopefully prompt more reporting. StopRansomware.gov is a collaborative effort between government agencies and the private sector. It’s hoped that a single collection point for filing reports and sharing information about new attacks will finally put a dent in hacker success rates.

The FBI’s Internet Crime Complaint Center (IC3) recently confirmed that 2021 ransomware attacks are on pace to smash the record set in 2020. Today’s thieves have doubled up on extortion efforts, too. In the current climate, some damages cannot be reversed even after the ransom is paid.

“Cybercriminals have also increasingly coupled initial encryption of data with a secondary form of extortion, in which they threaten to publicly name affected victims and release sensitive or proprietary data exfiltrated before encryption,” a recent FBI alert warned.

Written and Published By IDShield

Shocking Stories of Identity Theft and the Unbelievable Damages They Trigger

office@egs-solutions.com (Stephani McGirr) — Wed, 27 Oct 2021 19:23:00 GMT

Candida Gutierrez. Stephen Echols. Marcus Calvillo. They aren't household names, but their experiences with identity theft were epic. Their "total" identity theft stories provide lessons we should study and heed. These abuses continued for decades. These three examples have been resolved but should not be forgotten. Unfortunately, similar thefts continue to impact other consumers today.

Government agencies may take up an individual case of ID theft, and their experts know a single identity theft issue may take years to resolve. Plus, that clock doesn't start until the victim discovers the crime .

Houston Teacher's Total Theft Case

After a 12-year struggle, elementary school teacher Candida Gutierrez finally faced her identity thief in federal court. Benita Cardona-Gonzalez, was an undocumented immigrant from Mexico who'd exploited that identity to find work, buy a house, obtain medical care, and provide for a growing family. Cardona-Gonzales was in court to receive an 18-month sentence for her crimes to be followed by automatic deportation.

During the years when both women used Gutierrez's identity, the Houstonian had a wide range of crimes linked to her name. She eventually told her story to the Associated Press, and the tale of her "total" ID theft spread around the globe.

"(Gutierrez) recounted how she learned that her identity had been used to take out a mortgage loan and even to get medical care for the birth of two children," read the statement from the U.S. Attorney's Office for Kansas which prosecuted the case.

The victim first learned of her identity theft when the bank rejected her own mortgage application. Twelve years of what officials view as complete or total identity theft required lots of government documents. Cardona-Gonzalez obtained a Social Security card and a Texas birth certificate in the name of another woman. Her thief even had a driver's license in Gutierrez's name and used that moniker on her own kids' birth certificates.

One woman's quest to live the American dream had become the other's nightmare. In its wake, a mess of tangled records required correction to give Gutierrez a shot at restoring her good name.

My Neighbor, My ID Thief

Stephen Echols had no idea he was an ID theft victim back in 1999, but he was about to receive his first clue.

"It began one day in 1999 when he found several police officers with guns drawn standing on his front lawn. He was taken into custody and spent 5 and ½ months in jail before being released," a Military.com article on his experiences with identity theft said.

When the arrest occurred, Echols was a college student. Charges included stalking and making terrorist threats, so bail was set at $250,000—an amount he couldn't raise. Finally, after five months in jail, Echols was released and given court documents that indicated he wasn't the man wanted for this crime.

At the time, Echols thought a case of mistaken identity triggered his arrest. The concept of identity theft never entered his mind.

In 2000, a detective requested he stop by the station to look at some photos. One image jumped out at Echols; it was a photo of a bully from Echols' childhood. His neighborhood menace had misused Echols' name, even obtaining a new driver's license using it.

The military veteran went on to secure a job at Los Angeles International Airport which required a security clearance. His high-tech job calibrating security equipment at LAX paid well. Clearance holders must complete extensive background checks frequently, but Echols had a letter from a judge indicating his innocence in two police cases involving his bully's crimes.

Unfortunately, he couldn't know that one discussion had been incorrectly recorded as an arrest, or he would have reported it to his employer. Accused of lying about an arrest, Echols lost the security clearance he needed to work. As a result, he and his new bride ended up homeless and living in their car after exhausting all their savings.

It took over three years to clear up the government's mistake. Meanwhile, Echols applied for an estimated 3,500 jobs, and his wife lost two pregnancies. Finally, unimaginable stress prompted the couple to move to a new state and begin their lives again.

26 Years of Headaches

Someone stole Marcus Calvillo's identity when he was around 15. Over the years, that thief used his ID to write bad checks and rack up dozens of parking tickets that were never paid. The con artist was also convicted of child sex abuse—under Calvillo's name.

Those actions cost Calvillo his driver's license, countless work opportunities and several jobs. His ID thief also secured jobs using the stolen identity, and Calvillo received IRS bills for back taxes on jobs he'd never held.

He despaired of ever mending his damaged identity—until he read the story of Candida Gutierrez. He called the U.S. Attorney's Office for Kansas that had sent her ID thief to jail. Calvillo finally had an audience for his story.

After two decades, the damage was extensive. He’d lost his home, ended up in divorce court and had no way to pay child support for his six kids. Thankfully, the U.S. Attorney's Office assisted in correcting court records and convictions improperly linked to his name.

A Glimmer of Hope

These cases are just a few of the extreme identity theft cases reported to government agencies or the media. Each yields a vital lesson in self-protection.

These three victims understand the value of guarding their personally identifiable information (PII) the right way. But the time to do throw up walls around your data is before a major theft, not after. IDShield is in the business of monitoring member PII around the clock so our members can sleep well and worry less. If their data leaks, our firm can alert them rapidly and advise them.

We think you'll love the peace of mind that comes with the knowledge that someone's watching your data 24/7.

Electronic Medical Records and Their Risks

office@egs-solutions.com (Stephani McGirr) — Wed, 27 Oct 2021 18:37:00 GMT

Hackers Love to Steal Medical Records. Reduce your Risk.

Electronic medical records (EMRs) were once heralded as the ideal way to store patient files. Paper files were inches thick. Pages could fall out. The filing was a nightmare, and all those inches of files added up to massive stacks taking up lots of office space. So, the concept of digitizing a patient’s records had instant appeal. But since its debut in 1972, EMRs have proved to be both a boon and a bust for the medical field.

EMRs also offered a fantastic way for medical professionals to share patient records with emergency rooms, specialists and other providers and share them fast. Facilities would store patient data, and EMRs would be accessible on a network. Doctors could find critical data with a simple search instead of paging through a stack of paper. Data accuracy would improve.

Ransom Demands

Reality has fallen short of such lofty predictions, some professionals argue. One reason is the genuine risk to electronic information storage. That risk comes from data breaches, or a system infected with ransomware —computer malware that can lock up the system making files inaccessible.

As ransomware continues to soar—some experts estimate it has increased 1,000% in the past year over the preceding 12-month period—EMRs have become a double-edged sword. Electronic records take up less space and might be more accurate. It’s easier to keep prying eyes out of EMR files if login credentials are not widely available. However, hackers can crack open a computer, and recent studies have detailed an alarming rate of password sharing amongst medical workers. Such a mix of good and evil isn’t reassuring when your personal health information, or PHI, is at stake.

The Current Reality

Hospitals, doctor’s offices, laboratories and clinics are clear targets. Last fall, CISA, the federal government’s cybersecurity and infrastructure security agency, and the FBI issued an advisory to the medical field.

The agencies stated they possessed “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” While the joint effort included offering facilities advice on how to prepare, it’s not known how many provider organizations followed that advice.

Shortly after that October 2020 warning, a Maryland medical center experienced a ransomware attack that locked patient files. The intruders demanded a ransom paid in bitcoin within three days, or they’d destroy patient records. In May 2021, a San Diego hospital was the target. The medical center had to divert patients suspected of stroke or heart attack to other facilities, and these were just two of the hundreds of medical attacks in the past year.

Ransomware tactics occur weekly, if not more frequently, around the United States. The damage is significant. Government cyber groups reported, “activities include credential harvesting, mail exfiltration, crypto-mining, point-of-sale data exfiltration, and the deployment of ransomware.”

Medical identity theft and insurance fraud can result. Medical identities sell for hefty prices—much higher than stolen credit card data. The hacker’s goal is economic, but these crimes also create life or death consequences for the sick and the injured.

The Challenge

Television series like Chicago Med and Grey’s Anatomy create scripts around the chaos that would ensue when a hospital cannot access its records system. Doctors cannot read lab test results or patient histories. Specialists cannot share patient records with others who treat the same patient. It seems fictional, but these scenarios are facts.

As hospital and clinic attacks rise, institutions don’t know whether records were transferred or accessed before the lockdown and ransom demand. As a result, some institutions treat these attacks like a data breach notifying the federal government and patients; others do not.

Responses to a ransom demand vary. Some facilities are desperate to get back up and running. Others discover their files were corrupted during an intrusion. For some organizations, the cost of recovering from an intrusion without paying the ransom and hacker help could equal or exceed the ransom requested, so they pay up.

The FBI is clear in its opposition to paying a ransom for data. The bureau warned that there are no guarantees that hackers will restore data access and paying encourages more hacks.

The U.S. Department of Health and Human Services (HHS) tracks medical data loss whenever it impacts more than 500 individuals. These days, most entries cite “Hacking/IT incident” as the cause. While some cases involve a small number of patients, others like August’s hack of a New Mexico university hospital involve over half a million individuals or more.

Developing Solutions

Solutions for the health providers and their patient groups will differ. There is no one-size-fits-all fix.

For providers, a backup not connected to the network is a strong option. Dividing or segmenting central computer systems to limit hackers’ access if they breach the system slashes risk. Patient records can be robustly encrypted. And a regular review of cyber response plan helps, too.

Shield Yourself

For patients, the risks are very personal. In an emergency, no paper record exists to fall back on. If the EMR is locked down, you may not receive needed treatment.

Be proactive. Scan your personal medical files to digital form and save them on a computer. Password protect the drive , too A thumb drive loaded with the entire batch could be helpful at the emergency room during a medical event.

In addition to emergencies, your medical data gets protected against corruption or unrecoverable files. That’s worth a great deal. While no one can offer a 100% guarantee that you’ll be immune to a hospital ransomware attack, this logical step reduces the impact.

We see many cases of data theft at IDShield, and medical identity theft is one of the worst manifestations. A clever individual can use your identity to receive but not pay for medical care. You get the bills.

Even worse is the co-mingling of your accurate health records with those of an imposter. That’s the key reason why our members request monitoring for health policy numbers. If your insurance data is discovered somewhere on the Dark Web, we’ll alert you and work with you to find a solution. Try our identity services free for the first 30 days. We're confident you will recognize the value and peace of mind that IDShield delivers every day.

My Identity’s Been Stolen. Can Identity Monitoring Still Help?

office@egs-solutions.com (Stephani McGirr) — Wed, 27 Oct 2021 18:30:00 GMT

No one wants to deal with identity theft—ever. It’s time-consuming, often costly and leaves a trail of emotional damage and stress in its wake. First-time victims often experience total panic initially, but that reaction accomplishes little, as 1.4 million individuals who experienced identity theft discovered in 2020 .

That’s an average of 3,836 identities stolen each day of the year. Yikes! If you’ve been victimized don’t lament the fact that you didn’t purchase identity monitoring a month ago. There are still ways that IDShield can assist now.

We offer invaluable guidance after theft detection. The initial damage has already occurred, so your ID theft is viewed as a pre-existing condition, but new members receive instant access to other services. You can still tap into consultation with trained experts. We’ll help reduce the harm and restore your good name .

Identity Restoration Is Complex

Whether someone else stole your identity to buy goods, rent an apartment , get free medical care or land a job, the devastation spreads like wildfire. So, the first goal of any recovery plan is: Stop the bleeding.

You need to uncover all the details you can about how and where that breach of your personally identifiable information (PII) occurred. Where should you begin? You may find it challenging to interpret if you receive a breach notification letter from a business you’ve patronized.

Access to professional identity experts is priceless now. They’re familiar with the steps to implement first and fast. You won’t spend hours locating the proper authorities to notify, either.

Restoration assistance should include these key elements:

Should you file a police report ? Absolutely, but your local authorities might reject a request to submit one. They’re understandably swamped. If an online filing option with law enforcement isn’t available, try Plan B. Report the identity theft to the Federal Trade Commission (FTC). If large sums are involved, ask your homeowner's or business insurance company what they require first.

Money losses hit a significant slice of identity theft victims. Unfortunately, you won’t be eligible for IDShield’s full restoration policy that can cover funds you lost for a pre-existing theft. Still, you may find your renter’s or homeowner’s policy includes a small amount of coverage for losses. It could provide several hundred dollars up to a few thousand in protection. IDShield members who sign up before identity theft occurs are covered up to $1 million.

There’s no reason to wait if you fear your identity has been compromised. With the IDShield mobile app , you can summon help with the touch of a finger. So, you won’t have to wait a minute to launch the recovery and reclamation process.

Abandoned Online AccountsJune 04, 2021 | Social Media

office@egs-solutions.com (Stephani McGirr) — Mon, 11 Oct 2021 17:45:00 GMT

How many social media accounts do you participate in?

How many sites are there where you have an account that you no longer use to socialize with others? Now consider two more questions, “What personal information of yours is stored within that account, even if it’s just the account profile?” and “What could happen if those abandoned accounts were breached by a hacker who then stole the data?”

Old online accounts have at least two vulnerabilities: They could be viewable by others and the database of the website could suffer a data breach. When social networking first began, users were less aware than they are today of the need to restrict who could see their posted information. Someone viewing an old account of yours could potentially pick up data that would help them find information they could use elsewhere such as with answering security questions such as “Where were you born?,” “Where did you attend school?,” etc.

Data breaches suffered by social networking sites are becoming commonplace. Within just a six-month span of time in 2016, nearly one billion records from only four social networking or online dating sites were potentially accessed by hackers. A thief could take the user ID and password collected in a breach and then try it on other websites to see if the person who created the account used those same credentials on other accounts. Then they can collect personal information from that account as well or takeover the account and make use of it.

What can be done about old accounts?

If you are no longer using an account, delete it if possible. If not possible, replace your personal information with random data so that the account is not useful to a potential identity thief. The website www.accountkiller.com is a valuable resource of directions for closing online accounts of all kinds. Also, by reviewing it’s extensive list of websites, you may be reminded of an old account you forgot that you created.

What to do going forward: If you’ve been in the habit of using the same login credentials on all of your websites, change the passwords (or user ID and password, if possible) so that you use different credentials for each account. Keep a list of the accounts you create online so you know where you information is online. Be particular about what personal information you add to your accounts. Every question doesn’t need to be answered in your account profile. Set privacy and security settings to have some control over who can see your data. Use backup email addresses on every account so that if you lose access to the primary email because of a job change or switch in email service provider, you can still access the account.

SIM Swapping Lets a Scammer Take Over Your Smartphone. Learn the Risks to Avoid This Scam

office@egs-solutions.com (Stephani McGirr) — Mon, 11 Oct 2021 16:57:00 GMT

SIM. It stands for Subscriber Identity Module—a small object that’s an essential part of your smartphone. While SIMs do not contain a complete record of your phone’s usage, they contain important data regarding your account and carrier account details. Some also store contacts. Without this card, the device won’t make or accept any calls.

Your SIM key looks like the golden chip that’s on the front of most credit cards in circulation today, but bigger. Think of this microdevice as an on/off switch for your phone.

SIMs offer flexibility in several situations. International travelers use SIMs to handle multiple phone numbers, for example. It’s handy to have a local number for the country you’re in so callers won’t have to pay international rates to reach you.

SIM cards can pop in and out quickly, but a tiny, pointed object might help trigger the release. A thief who gets hands on your phone can also remove that SIM. However, that’s not the looming risk. The biggie is hackers who trick your cell carrier into moving your account and phone number to a SIM card they possess.

How SIM Swapping Works

Porting your phone number to a different SIM card is common if your device is lost or damaged beyond repair. Switch the SIM, and your smartphone disconnects from the cellular network. From there, the possibilities for damage or account takeover are massive.

Unauthorized SIM card diversions are so common they’ve earned their own name—SIM swapping. It starts when a thief calls your carrier and attempts to persuade or convince a service rep into believing that they are you. A spoofed caller ID using your name adds an element of credibility to this pitch. A naïve, hasty, or unseasoned customer support agent then authorizes the requested swap.

“If your provider believes the bogus story and activates the new SIM card, the scammer—not you—will get all your text messages, calls, and data on the new phone,” the Federal Trade Commission (FTC) warns consumers.

After the substitution occurs, the scammer receives any communications meant for you, including one-time login codes. For example, if you’ve enabled multi-factor (MFA) or two-factor authentication (2FA) for sensitive websites, a crook must enter these digits for access. Then, with code in hand, the thief completes the second step to log in. As a result, your accounts become wide open to criminals. Their first step will probably be to change your passcode to shut you out.

Data breaches like the recent massive T-Mobile breach leaked buckets of personal information for 53 million applicants and users. All these details boost a scammer’s odds of success—even when faced with security questions they must answer. Would-be con artists already possess the last four numbers on your Social Security card and payment card or know where to buy those details.

Risky Business

What could possibly go wrong? A year ago, a group of Princeton University researchers released study results on the authentication process of five wireless carriers that offered prepaid plans. T-Mobile, Verizon, and AT&T were on that list. The researchers’ conclusion? Quite a lot can and does go wrong.

“We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers,” the authors wrote.

The group also examined 140 popular websites identifying 17 websites that had questionable security. Princeton’s team then notified those 17 companies last spring. After 60 days passed, the team found that just over half of the businesses had failed to fix their vulnerabilities. That 2020 list included PayPal, Venmo, AOL and Amazon. It’s unknown whether those sites were later updated or not.

If 2FA is easily defeated, what about other options like one-time tokens or keys? While some experts may advocate for alternatives like one-time tokens or keys, not all websites offer an alternative to 2FA.

A Time-Consuming Headache

Here’s how one FTC.gov reader explained her SIM swap experience: “The only clue that something was wrong was the text from ATT stating my account password had been changed. SCARY. Needless to say, I have since changed all my social media and email passwords again.”

Another victim described the experience this way, “It ruined my life for at least 3 weeks while I went around plugging holes. They got into everything using my sim: email, bank account, credit card even the credit card processing for my business.”

The mess that a SIM swap creates can take weeks to clean up. The surge in recent data losses worldwide keeps feeding the market for new attacks on unsuspecting customers. So, a rise in SIM swaps may be just around the corner.

Time loss is not the worse impact, either. If you’re the victim of a SIM swap, the intruder proceeds to crack accounts like Amazon or Costco along with bank holdings. Hackers hunt for credit accounts where card data has been stored. They can run up huge bills before detection. Gift cards are a popular purchase as they’re readily monetized.

That said, financial losses could be temporary thanks to federal consumer protection laws. Credit issuers generally don’t hold cardholders liable for unauthorized purchases. Even banks routinely restore stolen funds, but these actions can take days or weeks. However, gift cards probably aren’t covered if you voluntarily surrender access details.

Shield Yourself

Take some proactive steps to prevent a swap. These include:

IDShield monitors member phone numbers 24/7 along with bank account and credit card details. We can detect stolen Social Security numbers for sale on the Dark Web , too. If your data turns up anywhere it shouldn’t be, we alert you and work with you to solve the problem. Check out IDShield's individual and family monitoring plans .

Cybercrime Risk: Small Business

office@egs-solutions.com (Stephani McGirr) — Tue, 28 Sep 2021 19:49:00 GMT

Running a small business is no small task. While handling all of the moving parts involved in a successful small business, it’s easy for cybersecurity to slip through the cracks. According to Symantec *, 43 percent of cyber attacks target small businesses . From phishing to ransomware to data breaches, there are several ways that cybercriminals target small businesses. Let’s discuss the risks and the recovery process involved in these cyber-attacks:

1. Phishing

We’ve all seen phishing attempts come to our inbox. An email with urgent language like “click now” or “action required” pops-up. The purpose of phishing emails is to use social engineering to get you to click the malicious link in the message. At first glance, the email may even appear to come from a sender that you recognize. It’s important to pay attention to detail; are there misspellings? Does the email address match the contact name?

If you or someone within your small business clicks on a phishing email, your entire network could be at risk. These attacks should be taken seriously, we highly recommend that you consider security awareness training for your staff. Our sponsor, KnowBe4 , has phishing simulation software to prepare your employees for phishing attempts. Once a phishing email is clicked, you should immediately remove the infected device from your small business’s network and change all passwords. Run a virus scan on all devices to determine the extent of the damage. For detailed information on how and where to report the phishing incident, visit us here .

2. Ransomware

Ransomware is malicious software that holds your organization’s information or systems hostage. Ransomware typically enters your network via a phishing email or a malicious website. If the ransom is not paid, the cybercriminal threatens to delete the data. It’s important to note that even if you pay the ransom, the data may not be returned.

If your organization is exposed to ransomware, the first thing you need to focus on is damage control. Immediately remove infected computers or devices from your business network and change all of your account and network passwords. Report the incident to the FBI Internet Crime Complaint Center (IC3) and visit us here for recovery help.

3. Data Breach

A data breach is an incident where confidential data stored within your organization is leaked. This data may include banking information, Social Security numbers, passwords, emails, and other private employee or customer information. In 2018, Verizon * found that 58 percent of data breach victims are small businesses. As a small business owner, the risk of a data breach is considerable.

If a data breach occurs, start by changing any compromised passwords or credentials. Our affiliate partners, WhiteHawk and TechStak , can help you begin the recovery process. Review your state’s data breach notification laws on the NCSL’s website . Properly reporting, recovering and reinforcing your organization’s cybersecurity after a data breach is crucial. Visit FraudSupport.org’s data breach incident recovery page.

There are several cybercrime risks facing small businesses every day. We aim to provide relief in the wake of cyber-attacks. For recovery help and next steps to get your small business back on track, utilize our online resource database FraudSupport.org .

Sources* Verizon: https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf Symantec: https://www.symantec.com/security-center/threat-report

2021 Cyber Attack Statistics, Data, and Trends

office@egs-solutions.com (Stephani McGirr) — Tue, 28 Sep 2021 19:46:00 GMT

A cyber attack is an attempt to invade a computer system, multiple computers, or a network infrastructure with the intent to cause some sort of harm. Cybercriminals launch cyberattacks to disrupt, disable or gain unauthorized access to someone else’s computer or network. A successful cyberattack can enable cybercriminals or hackers to steal, manipulate or destroy critical data on the victim’s computer. Alternatively, cybercriminals can also leverage a compromised system to further launch attacks against other computers or environments.

From financial gains to swaying public opinion to cyber warfare, there’s a multitude of objectives driving cyber attacks. And over the years, the bad actors have evolved from the script kiddies of the 90s to the sophisticated, advanced cybercriminals, and groups that have access to nation-state technology, and resources. They are forcing IT and cybersecurity teams, already grappling with the stringent budgets and the widening skills gap, to prioritize their resources to combat the new wave of advanced cyber threats.

Forewarned is forearmed. So, here we have compiled relevant data and statistics for cyber attacks in 2021 to give you a better idea of the evolving threat landscape and enable you to strengthen your defenses and strategically invest in cybersecurity.

General Cyber Attack Stats

Let’s take a look at the cost, facts, and implications of cybercrime incidents as they unfolded over the past year.

Although the average cost of a data breach has gone down from $3.92 million in 2019, the trend wasn’t consistent across all organizations and industries — those that were prepared with the best cybersecurity practices and processes and trained incident response(IR) teams were clearly at an advantage.

And yet, the staggering number of organizations still lacking an effective incident response and prevention strategies is alarming.

Let’s also take a look at some of the most common vulnerabilities and security loopholes that have exposed companies and their data over the past year (and beyond).

Despite the abysmal stats regarding security vulnerabilities, cyberattack preparedness — or the lack thereof — and the questionable effectiveness of implemented strategies, there are some positive trends on the horizon.

Biggest Cyber Attacks and Data Breaches

A ransomware attack on the Dusseldorf Hospital in Germany allegedly claimed the life of a patient in need of urgent care. It could very well have been the first human death directly related to a cyber attack. However, a detailed investigation later revealed that the outcome would’ve been the same regardless of the cyber attack. But the incident was a huge wake-up call for public and government organizations to see the writing on the wall — it’s just a matter of time before the ramifications of cyber attacks start extending beyond monetary and reputational loss.

Here are some of the most notorious cyber attacks and data breaches from the past years:

1. Malware Statistics

Malware is a blanket term for all kinds of malicious software that are designed to damage computer systems. Different types of malware include viruses, trojans, worms, ransomware, adware, spyware, botnets, and rootkit. Existing since the early 1970s, malware has been used for causing disruptions, making money, implementing cyber warfare strategies, and much more.

2. Ransomware Statistics

Ransomware is a type of malware that encrypts the files in the infected system, often displaying a message that specifies an amount that must be paid to retrieve the encrypted files. Depending on the type of ransomware, it may either be downloaded on opening a malicious file or email attachment, or it can be self-propagating like a worm — making it even more difficult to contain.

3. Phishing Statistics

One of the most prevalent forms of cyber attacks, phishing involves a malicious actor impersonating a trustworthy entity to obtain private data. Such attacks can be carried out via emails, websites, or other means. Attackers can either trick victims into providing sensitive information — such as credit card information or passwords — or downloading malicious attachments.

4. DDoS and IoT Statistics

A DDoS is a cyber attack that disrupts the availability of online services or systems by overwhelming the server with huge traffic/request volume. To launch a DDoS attack, attackers must first assume control of multiple computer systems, including IoT devices.

5. Cryptocurrency Statistics

Cybercriminals can utilize the victim’s computing resources to mine cryptocurrency. This type of cyber attack is also known as cryptojacking. Cybercriminals can either infect a website with cryptomining code or convince a user to click on or download a malicious link.

Cyber Attack Stats by Industry

The statistics and impact of cyber attacks can vary greatly from industry to industry. For instance, while the average cost of a data breach in heavily regulated industries like healthcare and financial services is $7.13 and $5.86 million respectively; it is less than $2 million for others — such as media and hospitality. Similarly, the average lifecycle of a data breach in the healthcare sector is 329 days, whereas the overall average is 280 days.

So, here are some industry-specific cyber attack statistics to give you an idea about the current state of cybercrimes in each sector.

1. Energy Statistics

2. Healthcare Statistics

3. Financial Statistics

4. Education Statistics

5. Government Statistics

6. Gaming Statistics

Small Business Statistics

Cybersecurity Statistics

Managed Service Provider Cyber Attack Statistics

COVID-19 Statistics

Cyber Attack FAQs What are the most common types of cyber attacks? The most common types of cyber attacks are: – Malware like ransomware, spyware, and viruses. – Phishing and spear-phishing – DDoS – SQL injection – Zero-day exploit – DNS tunneling – Man-in-the-middle How many cyber attacks happened in 2020? About 445 million cyber attacks occurred just in the first half of 2020. What percentage of cyber attacks are successful? In a recent survey, 45.5% of survey respondents claimed that their organization faced between one and five successful attacks during the past year. What is the most dangerous cyber attack? Malware and DDoS attacks can be the most dangerous attacks depending on the scale of the attack and the targeted industry. For instance, a DDoS attack launched against a hospital can prevent patients from accessing critical care and put several lives at risk. Where do cyber attacks come from? Cyber attacks are launched by threat actors — a person or a group behind malicious activities and incidents.

Category: Cybersecurity By Ashley Lukehart February 23, 2021

Protect Your Kids’ School Data Without Locking Yourself Out

office@egs-solutions.com (Stephani McGirr) — Tue, 24 Aug 2021 19:43:00 GMT

This might be your child’s first year of Kindergarten or their final college year. It doesn’t matter. Student admissions, registrations, and activities demand a lot of each child’s private data, and hackers know that very well. Schools and universities are high-value targets, so you should know how they guard your child’s data. Often the answer can surprise you since educators are in the business of sharing data, not locking it up.

Each education milestone in your child’s life brings risks and pitfalls. Learn all you can about ID theft involving kids, school data breaches, ransomware, and other hacks that can siphon off your child’s private data in an instant. It will be time well spent.

Earlier Education

First-time parents with a preschooler or 1st grade student may be stunned by the scope of data schools collect. Some details are needed, but others are not. Be selective with what you share. Ask yourself if private data is required before filling in the blanks or leaving those lines blank.

Social Security Numbers (SSN) are a top request. It’s best to decline these demands whenever possible. Years ago, doctors, dentists, school principals and other care providers required your child’s SSN on forms. That was before the Age of Identity Theft, which we all live in today. If the data’s really needed, someone can track you down after registration to make a case for getting your child’s sensitive, 9-digit number.

An SSN is probably the most critical data point each of us needs to guard throughout life so protect your child’s well. Younger kids can experience massive child identity theft without your knowledge. Their particulars are valued for synthetic identity theft too.

When college applications come around, remember that some institutions won’t consider your student for scholarships without that SSN.

You won’t need a FERPA release or a PoA for your elementary or high school kids unless they are already18. The federal law also gives parents and students an opt-out if they don’t want their contact information shared in a school directory or other documents like event programs.

Most schools provide an online student portal or website for everything from absences to trips to the zoo. Field trip and other activity forms often reside here. Such electronic advancements may help with permission forms lost on the way home, but electronic files do carry more risk of data loss.

The College Years

It’s often a shock for parents who’re paying college fees and tuition to learn they have no legal access to their child’s college files. The Family Educational Rights and Privacy Act (FERPA) considers your kid an adult at age 18, and that could leave parents who bankroll higher education with no access to grades or other vital data.

Planning for college is the right time to discuss having that young man or woman sign a FERPA release. Higher ed institutions often provide an online form to complete if you desire or expect access. Still, most operate on the belief that students should handle their affairs with no parental involvement. None.

Some parents view FERPA releases as an invasion of their offspring’s privacy, but others believe that they’re the banker, so they deserve access to records. Think of it as the “Trust but Verify” approach.

Note: the U.S. Dept. of Education states that parents retain access rights if the student’s still a dependent on your tax return, but colleges and universities may not know that. It’s just easier to have a FERPA release in their student file.

Even the most reliable college student could take an unexpected detour. If you want to know whether your kid is attending classes or turning in assignments, you’ll need a release.

Financial and health matters are parents’ top two concerns. You’ll need a Health Information Privacy & Portability Act (HIPAA) release to get data from the campus health clinic. Again, most centers catering to students should provide the forms.

Legal and banking matters are quite a different story. For example, if your child runs into a police problem or experiences a hack of their checking account, a Power of Attorney (PoA) signed by your student is needed to gain access.

Power documents are a service members receive from IDShield's sister agency, LegalShield.com . Medical PoAs let you determine care if your 19-year-old is incapacitated and can’t make medical decisions. These are also available through LegalShield.com.

Self-Protection and Data Selectivity

The trick is sharing only a few details you need to divulge. Ask why other information is required. Then ask a second official if that answer doesn’t make sense. Intake forms have contained a spot for SSNs for decades, and everyone may be familiar with the request, but that doesn’t make it wise. Share only what you must when you must.

Beyond Graduation

Recent graduates are also top hacker targets, given their limited experience in finance matters, renting, and other adult transactions. Be sure to warn them of bogus scams like the federal student tax, which doesn’t exist.

Student loan scams are also prevalent. (DJ link to July scam of the month when you post that) Recent federal records show those fraud involving government student loans jumped 188% in 2019. Non-government loan fraud reported was up 74%. Statistics on loan fraud trended even higher in 2020. A popular theme is loan consolidation to lower monthly payments, but that savings break could also wipe out federal benefits of loan forgiveness for those who qualify. Costs could end up being more than the current loans, in the long run, so urge caution here and do the math.

Shield Yourself and Yours

The best time for action is today. Or tomorrow. Don’t wait until a significant data loss occurs. Ask any school your child attends for its data privacy policy. You might be surprised by some of the details or omissions. A policy should delineate how the institution shares the data, too.

Learn all you can about why hackers love student data . Hackers are always seeking a new angle to compromise that personally identifiable information or PII.

Identity theft and oversharing data should be family concerns. They can inflict financial damages or impact your child’s personal safety. That’s one reason why IDShield provides a family policy that will cover your kids until age 26—even if you have 10 of them.

IDShield is a product of Pre-Paid Legal Services, Inc. d/b/a LegalShield (“LegalShield”). LegalShield provides access to identity theft protection and restoration services. For complete terms, coverage, and conditions, please see an identity theft plan. All Licensed Private Investigators are licensed in the state of Oklahoma. This is meant to provide general information and is not intended to provide legal advice, render an opinion, or provide any specific recommendations.

The T-Mobile Data Breach Is One You Can’t Ignore

office@egs-solutions.com (Stephani McGirr) — Fri, 20 Aug 2021 18:14:00 GMT

Hackers claim to have obtained the data of 100 million people—including sensitive personal information.

NOT ALL DATA breaches are created equal. None of them are good, but they do come in varying degrees of bad. And given how regularly they happen, it’s understandable that you may have become inured to the news. Still, a T-Mobile breach that hackers claim involved the data of 100 million people deserves your attention, especially if you’re a customer of the “un-carrier.”

As first reported by Motherboard on Sunday, someone on the dark web claims to have obtained the data of 100 million from T-Mobile’s servers and is selling a portion of it on an underground forum for 6 bitcoin, about $280,000. The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers , driver's license information, and IMEI numbers , unique identifiers tied to each mobile device. Motherboard confirmed that samples of the data “contained accurate information on T-Mobile customers.”

A lot of that information is already widely available, even the social security numbers, which can be found on any number of public records sites. There’s also the reality that most people’s data has been leaked at some point or another. But the apparent T-Mobile breach offers potential buyers a blend of data that could be used to great effect, and not in ways you might automatically assume.

“This is ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable,” says Crane Hassold, director of threat intelligence at email security company Abnormal Security. “That’s the first thing that I thought of, looking at this.”

Yes, names and phone numbers are relatively easy to find. But a database that ties those two together, along with identifying someone’s carrier and fixed address, makes it much easier to convince someone to click on a link that advertises, say, a special offer or upgrade for T-Mobile customers. And to do so en masse.

The same is true for identity theft. Again, a lot of the T-Mobile data is out there already in various forms across various breaches. But having it centralized streamlines the process for criminals—or for someone with a grudge, or a specific high-value victim in mind, says Abigail Showman, team lead at risk intelligence firm Flashpoint.

Brian Barnett, The Wired report, 08/16/2021

What is Risk-Based Vulnerability Management?

office@egs-solutions.com (Stephani McGirr) — Tue, 10 Aug 2021 19:02:00 GMT

Conventional vulnerability management has been in the market for nearly two decades, with an initial emphasis on identifying vulnerabilities. Discovery and scanning drove innovation, and the only deliverables were reports that detailed the vulnerabilities identified by scanners. The teams responsible for fixing or remediating those vulnerabilities worked largely on their own to decide which ones should be remediated. Moreover, there were fewer vulnerabilities to worry about in the early days of vulnerability management: 4,932 vulnerabilities were published in the National Vulnerability Database (NVD) in 2005, compared with 17,306 in 2019. Those figures account for just new vulnerabilities published, and don’t include the cumulative totals of the years prior, a much larger number in 2019 than 2005, when the CVSS vulnerability scoring system was introduced.

During this time, there were no tools to assess the risk of individual vulnerabilities on networks beyond the CVSS score: a good first step, but a flawed metric when relied solely upon. Only in the past few years have we seen an emergence of technologies and solutions that work to classify the risk of individual vulnerabilities on individual networks.

What are the Basics of Risk-Based Vulnerability Management?

Risk-based vulnerability management is a strategy for handling the myriad vulnerabilities on a typical enterprise network, according to the risk each individual vulnerability poses to an organization. At first blush, the concept of risk-based vulnerability management sounds relatively simple. But when most organizations are confronted with tens of thousands (or hundreds of thousands, or millions) of vulnerabilities, determining which pose the most risk to the organization is a significant undertaking. The key to risk-based vulnerability management – and the primary departure from the static, one-size-fits-all CVSS score – is a comprehensive analysis of each vulnerability in its context on the network and in the current external threat environment.

Five basic vulnerability management categories are used to construct a context-based risk score. Each category contains multiple subfactors, totaling more than 40. The categories are:

By considering these factors when assessing the risk of an individual vulnerability, security operations teams can receive a 360-degree view of potential threats to the organization. Doing so for each vulnerability means the organization can risk rank all its vulnerabilities, no matter how numerous, and make intelligent decisions on where to deploy precious remediation resources. This is the essence of risk-based vulnerability management.

What is the Strategy Behind Risk-Based Vulnerability Management?

Risk-based vulnerability management is designed to address two key objectives:

Confronted by an existing vulnerability count that can number in the millions on some enterprise networks, security and IT teams are often overwhelmed by the sheer volume of vulnerabilities. Couple that with seemingly endless pronouncements about the latest “critical” vulnerability that must be patched “ASAP,” and it’s difficult to overstate the confusion and challenge confronting organizations pursuing legitimate vulnerability risk reduction.

Risk-based vulnerability management helps to confront the vulnerability overload challenge that just about every organization encounters. With the means to identify the vulnerabilities that truly pose a risk to the organization out of the hundreds of thousands on the network, risk-based vulnerability management suggests a remediation roadmap for IT teams to follow. If followed, that roadmap ultimately leads to a legitimate reduction in enterprise vulnerability risk.

Is Risk-Based Vulnerability Management Easy?

With the advent of modern vulnerability management solutions, including advanced tools like contextual vulnerability prioritization, risk-based vulnerability management is certainly easier than ever. There is an argument that practically accomplishing a risk-based vulnerability management program has only been possible with the introduction of such technical capabilities. For example, if an organization had to manually determine which vulnerabilities out of 200,000 pose the highest risk to the organization, that simply isn’t feasible.

A solution like Secureworks® Taegis™ VDR can evaluate each vulnerability on a given network. VDR is driven by machine learning and features a software-driven contextual prioritization engine that uses more than 40 factors to determine the relative risk of each vulnerability, all without any human intervention. Such technology makes implementing a risk-based vulnerability management program infinitely easier than it would have been just a few years ago.

Is Prioritization Important in Risk-Based Vulnerability Management?

Meaningful vulnerability and remediation prioritization is not only important, it is the essence of risk-based vulnerability management. It’s simply impossible to have one without the other. The operative word is “meaningful.” There are many superficial ways to prioritize vulnerabilities, but only a comprehensive, contextualized view of the risk of each vulnerability provides the confidence remediation teams need to trust the result. Risk-based vulnerability management assumes that not all vulnerabilities are going to be remediated, so it’s very important those identified as high risk and earmarked for timely remediation be the right ones.

Key Takeaways from President Biden’s Cybersecurity Executive Order

office@egs-solutions.com (Stephani McGirr) — Tue, 10 Aug 2021 18:33:00 GMT

Over the last week, Americans have been riveted by scenes of panic buying at the pump after a ransomware attack shut down the Colonial Pipeline, a critical source of fuel for the entire East Coast. For the first time, many are reflecting on the national security implications of cybersecurity attacks on everyday life – and the US government is responding. On May 12, 2021, President Joe Biden signed an Executive Order (EO) on “Improving the Nation’s Cybersecurity,” signaling potentially increased regulatory oversight of cybersecurity laws and regulations.

The EO responds to recent high-profile cybersecurity attacks, including the most recent Colonial Pipeline incident. On May 7, Colonial Pipeline announced that a cyberattack forced the company to proactively close down operations and freeze IT systems. The Georgia-based company provides roughly 45% of the East Coast’s fuel, transporting more than 100 million gallons of fuel daily from Texas to New York – and the shutdown soon resulted in shortages and panic buying across the Southeast in particular.

During a May 13 press conference, President Biden assured the American public that fuel lines would soon be restored. However, the President noted that “it is clear to everyone that we need to do more than what we are doing now and the federal government can be a significant value added in making that happen.”

The President announced that the new EO “calls for federal agencies to work more closely with the private sector – to share information, strengthen cybersecurity practices, and deploy technologies that increase resiliency against cyberattacks.” Accordingly, the EO aims to make significant contributions to modernizing the federal government’s cybersecurity practices, particularly its software security, and under an aggressive timeline.

Broadly, the EO:

While announcing the EO, the President argued that the US is competing with the world economically, adding, “we’re not going to win it competing with an infrastructure that is out of the 20th century. We need a modern infrastructure.” Likewise, the former US Secretary of Transportation, Rodney E. Slater, noted that “this administration is taking the timely lead to make significant investments in our digital infrastructure and make the bold changes necessary to secure America’s national security interest.”

Biden officials will continue prioritizing cybersecurity and its respective enforcement of cybersecurity laws and regulations, as means to continue to protect the everyday American and the country’s economic recovery more broadly. For companies of all sizes, industries and locations, this means ensuring that your organization has conducted due diligence to mitigate the risk of, and be prepared to respond to, cyberattacks as they arise.

Business Identity Theft is a Big Threat to Small Business

office@egs-solutions.com (Stephani McGirr) — Tue, 20 Jul 2021 15:36:00 GMT

Identity theft is a serious problem—not just for individuals, but for businesses as well. Last year almost 16.7 million individuals were victims of identity theft. There was also a 46 percent increase in the number of reported cases of business identity theft, according to the National Cybersecurity Society (NCSS).

“Small business identity theft—stealing a business’ identity to commit fraud—is big business for identity thieves,” says Mary Ellen Seale, CEO of NCSS.

Unlike larger corporations, small businesses don’t always have the required security controls in place to detect and deter fraudulent activity, which can make them easier targets. There is also a general unawareness, among large and small businesses alike, of the magnitude of the threat and the devastating effects that business identity theft can have.

What information are business identity thieves after?

Business identity thieves focus on stealing key business identifiers and credentials—such as officers’ names or your federal tax employer identification number—in order to manipulate or falsify state business filings and impersonate the business in other ways. Armed with this information, criminals can open a line of credit, obtain better terms with vendors, or apply for a loan. And, business credit cards, with credit limits of up to $100,000, provide another avenue for thieves to make purchases at the expense of small businesses .

Stealing a business identity or creating a new one is easy

Criminals can capitalize on the abundance of information made available to the public online. Businesses are required by law publish sensitive details which may include financial statements, stakeholder information, and key identifiers such as employee identification numbers, and sales tax and business numbers.

This information and more can also be purchased legally through the internet. Often times, an application for a line of credit is approved based on public and re-cycled information found on the web.

How identity thieves operate

Today, criminals are finding more sophisticated ways to impersonate and defraud businesses. While emulating a company’s letterhead, or sending fake correspondence are commonly used methods, other more advanced tactics are continuing to emerge. Some of these include

Stopping business identify theft

Most states have criminal statutes that only recognize identity crimes against individuals. In 2006, California became the first state to establish identity theft laws that officially recognized crimes targeting business entities. Effective October 2015, Florida implement new law that provides businesses the same protection as individuals when it comes to identity theft.

So, what does this mean in terms of managing the investigation and prosecution of inter-state and business identity crimes that fall under federal jurisdiction? As is the case with state laws, the statutory language contained in federal identity theft laws does not include business entities, making it extremely difficult to prosecute inter-state crimes.

As it appears the threat of business identity theft is not going away anytime soon, it is important that businesses, both small and large, recognize the real risk that identity theft poses, and take the necessary precautionary measures to prevent serious financial loss and other damages.

Could business ID theft put you out of business?

office@egs-solutions.com (Stephani McGirr) — Tue, 20 Jul 2021 15:22:00 GMT

Identity theft hits millions of Americans each year. What many business executives don’t know is that ID thieves are using a variation on the crime to prey on legitimate companies.

What’s the crooks’ modus operandi ? They typically alter business records filed with a state government so they can impersonate companies in good financial standing. For example, thieves might change official documentation that lists a business’ address, corporate officers, or its registered agents. Using altered documents, they’ll get lines of credit in the company’s name and siphon off money. Once they’ve drained a business dry, they move on to the next victim, leaving the company with its credit — and reputation — in shambles. Banks and retailers take a hit, too, with a stack of worthless receivables rung up by the con artists.

The National Association of Secretaries of State (NASS) is taking the lead on getting out the word about business identity theft, steps to prevent it, and what your business can do to fight back. What’s NASS’ advice for businesses?

Identity Theft Doubled in 2020: What Steps Are You Taking to Protect Yourself?

office@egs-solutions.com (Stephani McGirr) — Thu, 15 Jul 2021 14:43:00 GMT

Hackers, scammers, thieves, criminals – whatever you want to call them – thrive in times of confusion. That’s not a throwaway comment, either. As soon as the full force of the coronavirus pandemic hit last year, it became clear that scammers would look to capitalize. They knew, for instance, that there would be confusion over stimulus checks; you would be getting more packages delivered than usual; that you might be filing for unemployment for the first time. All of these things help scammers with successful phishing campaigns, which were increased during the pandemic.

But perhaps the most notable criminal byproduct of the pandemic has been the rise in identity theft. The FTC reported that the number of reported cases doubled in 2020, with around 1.4 million people said to have been impacted. As mentioned, the criminals involved see an opportunity in the pandemic and the seismic changes in work-life and society. One of the notable rises was in the identity theft used to apply for government benefits, with a rise of almost 3,000% recorded by the FTC.

So, with so many scammers looking to profit from folks right now – what are the best ways to protect yourself from identity theft? Below we have highlighted some of the key advice from USAGov:

Protection available from insurers

The above is just a small selection of the advice given by the government, but it clearly might not be enough. Nobody expects to be a victim of identity fraud – but it happened to 1.4 million Americans last year. Many insurance companies do have protection plans in place that both prevent identity theft through sophisticated monitoring software and get you back on your feet should the worst happen. Zander Identity Theft is one of the industry leaders in this area and worth checking out if you are worried.

One area where the USAGov official advice does not fully cover is social media. Ask yourself this question – how much could a fraudster learn about you by scrolling through your Facebook , Twitter or Instagram accounts? Your date of birth? The names of your kids? Your address? Your place of work? The dates you are on vacation? We live our lives virtually now – more so during the pandemic – and we leave so much of a print on our feeds. Nobody is saying you shouldn’t celebrate a birthday with your friends on Facebook, but it is certainly worth making sure you have the right privacy settings.

Indeed, some of the things we might see as innocuous can be scams. Consider those (silly in most people’s views) games you find on social media, which claim they can tell something about you by inputting information. They might ask you the name of your pet or the first street that you lived on or your mother’s maiden name – all common security questions for banks and other sensitive accounts. Most of these games are harmless, but some most definitely are not.

You can take the advice of the government and, perhaps, add some identity theft protection from an insurer. But above all, you should have a mindset that you, too, can fall afoul of identity theft scams. There is sometimes a sense that scams of this sort happen to other people because they are foolish. Sure, some may have been lax and made a mistake, but the majority do not – the only thing they have is the hindsight after the identity theft happens. Live your life as normal, online and offline. But take precautions and be aware that it could happen to anyone.

FBI warns pandemic created a pathway for identity theft

office@egs-solutions.com (Stephani McGirr) — Fri, 09 Jul 2021 14:51:00 GMT

What You Need To Know

According to FBI data, in the first four months of 2021, the FBI received about 30,000 cases of identity theft nationwide. Compare that to the 40,000 cases the FBI received all last year. “I got a strange email from someone I never dealt with, asking me why I sent them a bill for photography services for almost $1,000,” said Michael Pagano, who had his identity first stolen in February. Pagano says he immediately called law enforcement and filed a report, which is exactly what the FBI recommends. “You absolutely want to file a police report, because that will be part of your proof when you contact the companies to try and dispute the charges or anything that has happened to your identity,” said FBI Special Agent in Charge Ronald Hopper. But in the following four months, Pagano says someone opened up a credit card in his name, changed his mailing address, and even signed up for informed delivery — a service which allows you to track your mail before it’s delivered. “They were then able to see all our mail coming in, and it wasn’t just me at that point, it was also my daughter and wife,” said Pagano. According to FBI reports, in 2019 — there were 2,953 reports of identity theft in Florida. In 2020, there were 6,334 reports. And for 2021? "It's on track to grow three times what it is already currently and the pandemic is a large part,” said Hopper. Hopper says with more people working from home and networking online, criminals from anywhere in the world have easier access to your personal information. “Personally, I was a victim of it. I actually have a set up on my credit card anytime more than $1 is charged, I get an email or text and I verify it,” said Hopper. “I was a little shocked at first, but it makes you realize that no one is immune to it.” Pagano describes the online world as the wild, wild west — one with few security measures. “To file a change of address, there’s almost no background check,” said Pagano. The United State Postal Service is investigating Pagano’s case, but declined to share details. An agency spokesman says it processes 37 million address changes a year and says most are legitimate. The spokesman issued a statement reading in part, “… As these situations arise, the USPS reevaluates their internal controls to address security concerns.” For Pagano, while he’s taking all the precautions he can, he still doesn’t feel totally protected. Hopper says unfortunately, it is difficult to find those criminals, which is why he is urging everyone to take the safety steps before you’re a victim. He says the most important step is creating strong passwords, and changing them every few months. Protect Yourself

Report Fraud If you're a victim of identity theft or have information about these types of crimes, you can:

Cyber Crime Vulnerability Tips The following tips can help protect individuals and businesses from being victimized by cyber actors: DO:

DON'T:

If private sector partners have additional questions, you can reach out to local FBI Field Office Private Sector Coordinators. If you have evidence your child's data may have been compromised, if you are the victim of an internet scam or cybercrime, or if you want to report suspicious activity, please visit the FBI's Internet Crime Complaint Center at www.ic3.gov .

Widespread ransomware attack likely hit ‘thousands’ of companies on eve of long weekend

office@egs-solutions.com (Stephani McGirr) — Tue, 06 Jul 2021 15:09:00 GMT

Hackers hit a major IT software provider, which allowed their attack to spread downstream into many small businesses that now face ransom demands to unlock their computer networks.

Listen to article 5 min

July 3, 2021 at 11:17 a.m. CDT

A sprawling ransomware attack that hit hours before the beginning of the July Fourth holiday weekend has already affected hundreds of businesses and is likely to hit many more, researchers said. On Saturday morning, the information technology company Kaseya confirmed that it had suffered a “sophisticated cyberattack” on its VSA software — a set of tools used by IT departments to manage and monitor computers remotely. The company said that only about 40 customers had been affected. But because Kaseya’s software is used by large IT companies that offer contract services to hundreds of smaller businesses, the hack could have spread to thousands of victims. Kaseya told all of its nearly 40,000 customers to disconnect their Kaseya software immediately. The cybersecurity firm Huntress Labs said it had tracked 20 IT companies, known as managed-service providers, that had been hit. More than 1,000 of those companies’ clients, mostly small businesses, also had been affected by the hack, Huntress Labs said on Reddit . Advertisement “I wouldn’t be surprised if it was thousands of companies,” said Fabian Wosar, the chief technology officer of Emsisoft, a company that provides software and advice to help organizations defend against ransomware attacks. “We just don’t know yet because of the long weekend in the U.S.” A major grocery chain in Sweden said Saturday that its IT provider had been hit by an attack and that its cash registers were locked up. It had to shut down hundreds of stores, the company, Coop Sweden, said on its Facebook page . Because of the vast number of companies potentially affected, the attack could prove to be one of the biggest in history. Researchers said REvil, the hacker group that attacked the meat processor JBS this spring, was behind this attack. The Biden administration seeks to rally allies and the private sector against the ransomware threat The assault could increase tensions between the United States and Russia, as it comes just weeks after President Biden met with Russian President Vladimir Putin in Geneva, warning him that the United States would hold Moscow accountable for cyberattacks that originate in Russia. Many cybersecurity threat analysts think that REvil operates largely from Russia. The recent spate underscores the challenge the Biden administration faces in deterring ransomware attacks conducted by criminals given safe harbor in countries like Russia. Advertisement Instead of a careful, targeted attack on a single large company, this hack seems to have used managed-service providers to spread its harm indiscriminately through a huge network of smaller companies. Unlike most ransomware attacks, it doesn’t appear that REvil tried to steal sensitive data before locking its victims out of their systems, Wosar said. “At this point, at least it seems it was more a spray-and-pray attack. They didn’t try to exfiltrate data from all the victims,” he said. “It was more like carpet bombing.” “We believe that we have identified the source of the vulnerability and are preparing a patch to mitigate it,” Kaseya CEO Fred Voccola wrote in a statement Friday night. JBS paid $11 million in ransom after hackers shut down meat plants Researchers said cybercriminals were sending two different ransom notes on Friday — demanding $50,000 from smaller companies and $5 million from larger ones. Advertisement The U.S. Cybersecurity and Infrastructure Security Agency urged companies in a statement to follow Kaseya’s advice and said it is “taking action to understand and address the recent supply-chain ransomware attack.” “It is absolutely the biggest non-nation-state supply-chain cyberattack that we’ve ever seen,” Allan Liska, a researcher with the cybersecurity firm Recorded Future, said Friday. “And it’s probably the biggest ransomware attack we’ve seen, at least the biggest since WannaCry.” He noted that it could be the largest number of companies hit in one ransomware attack. The companies affected could include a wide range of small to large firms, and many are likely to be small to midsize businesses that use managed IT services. Kaseya also counts a number of state and local governments as customers, Liska said. Advertisement The WannaCry computer worm affected hundreds of thousands of people in 2017. The National Security Agency eventually linked the North Korean government to the creation of the worm. Ransomware is a national security threat and a big business — and it’s wreaking havoc Ransomware attacks increased significantly in frequency and severity during 2020. A report from a task force of more than 60 experts said nearly 2,400 governments, health-care systems and schools in the country were hit by ransomware in 2020. Organizations paid attackers more than $412 million in ransoms last year, according to the analysis firm Chainalysis. After a May attack on Colonial Pipeline — which led to panicked lines at gas pumps and empty fuel stations — the U.S. government increased its emphasis on addressing cybersecurity issues and urged corporate America to strengthen its computer security. Ransomware attacks have been on the rise as hackers band together and form cybercriminal gangs to extort companies for payment. The attacks are often carried out by attackers in Russia and Eastern Europe. Advertisement Hackers gain access to a company’s computer system using tactics such as sending “phishing” emails, which are designed to trick employees into inadvertently installing malware on their computers. Ransomware claims are roiling an entire segment of the insurance industry Once inside, cybercriminals will lock down parts of a company’s networks and demand payment to release them back to the owner. Additionally, hackers often steal private company information and threaten to leak it online if they are not paid. It is still unclear how attackers gained access to Kaseya’s system. The company has been a popular target of REvil, Liska said, probably because it serves so many other organizations as customers. The attackers included a ransom note directing victims to a website to make a payment, although Liska said the site had been down all of Friday afternoon and evening. Ransomware attacks could reach ‘pandemic’ proportions. What to know after the pipeline hack.

0 Comments

Synthetic Identity Theft Rises in Southeast Asia

office@egs-solutions.com (Stephani McGirr) — Tue, 29 Jun 2021 15:43:00 GMT

imply stated, synthetic identity theft is when a fraudster combines the personal information of different real-life people to create an authentic-looking digital identity.

These identities can include Personally Identifiable Information (PII) such as name, identity card number, birth date and home address (including the use of children’s IDs since they have no credit records).

This data often comes from the global breaches we hear about on a near-daily basis.

When these data points are combined in the right way, new identities are crafted to use the real-world parts to create a convincing online consumer.

Yet, synthetic identity theft isn’t a quick crime of opportunity but a complex and large scale fraud scheme that designs user accounts to mimic a real-world person in order to trick a bank or company into providing goods or lines of credit to a user who doesn’t exist.

And while this fraud scheme can take months to years to develop, it’s growing in Asia.

How Big of a Threat is Synthetic Identity in Asia?

FICO, during its Asia Pacific Fraud Forum in 2018 , reported that 6 of the 10 banks in Asia Pacific were experiencing a rise in application fraud with synthetic identities.

And as the Aite Group predicts in a recent BankInfoSecurity article, synthetic identity fraud may grow to $2.42 billion in 2023 .

These accounts not only seem real, fraudsters use these accounts to acquire items or credit and pay the bills for these accounts, just like good customers.

Over time, with the increased credit, the fraudsters apply for additional accounts with bigger lines of credit from lenders.

They may take months or years to nurture an identity to preserve the integrity of these profiles and establish credibility.

A talented fraudster might create synthetic identities to maintain strong credit scores. A Singapore fraudster may take time to build a solid CBS Credit Score.

Their American counterpart, meanwhile, has spent months or even years building a high FICO score.

Then, all of a sudden, the credit cards get maxed out and the money, and the user, disappear. Attempts to recuperate money fail because the user was never a real person, making it harder to find those responsible.

Spotting Fraud

With growing demand for lenders and goods, it is often difficult for any business to ensure that their customer base is free of these criminals.

In Ekata’s eBook, Synthetic Identity Theft , readers can learn more about the common techniques fraudsters employ to commit fraud, why synthetic identity is difficult to find and how Ekata can help reduce the threat.

Data breaches: Most victims unaware when shown evidence of multiple compromised accounts

office@egs-solutions.com (Stephani McGirr) — Tue, 22 Jun 2021 14:39:00 GMT

t’s been nine years since the LinkedIn data breach, eight years since Adobe customers were victims of cyber attackers and four years since Equifax made headlines for the exposure of private information of millions of people.

The number of data breaches and victims has multiplied rapidly over the past decade or so, but aside from these well-publicized cases, most participants in a recent University of Michigan study remained unaware that their email addresses and other personal information had been compromised in five data breaches on average.

In the first known study to ask participants about actual data breaches that impacted them, researchers from the U-M School of Information showed 413 people facts from up to three breaches that involved their own personal information. The international team from U-M, George Washington University and Karlsruhe Institute of Technology found people were not aware of 74% of the breaches.

“This is concerning. If people don’t know that their information was exposed in a breach, they cannot protect themselves properly against a breach’s implications, e.g., an increased risk of identity theft,” said Yixin Zou , U-M doctoral candidate.

The researchers also found that most of those breached blamed their own personal behaviors for the events—using the same password across multiple accounts, keeping the same email for a long time and signing up for “sketchy” accounts—with only 14% attributing the problem to external factors.

“While there’s some responsibility on consumers to be careful about who they share their personal information with, the fault for breaches almost always lies with insufficient security practices by the affected company, not by the victims of the breach,” said Adam Aviv , associate professor of computer science at George Washington University.

The Have I Been Pwned database used in this study lists nearly 500 online breaches and 10 million compromised accounts over the last decade. According to the Identity Theft Resource Center, the overall number of data breaches affecting U.S. consumers is even higher, reporting more than 1,108 breaches in the United States in 2019 alone.

Prior research asked about concerns and reactions to data breaches in general, or it relied on self-reported data to determine how a particular incident impacted people. This study used public records in the Have I Been Pwned dataset of who was affected by breaches. The research team gathered 792 responses involving 189 unique breaches and 66 different exposed data types. Of the 431 participant email addresses queried, 73% of participants were exposed in one or more breaches, with the highest number of 20.

Of all information that was breached, email addresses were compromised the most, followed by passwords, usernames, IP addresses and dates of birth.

Most participants expressed moderate concern and were most worried about the leak of physical addresses, passwords and phone numbers. In response to their compromised accounts, they reported taking action or an intention to change passwords for 50% of the breaches.

“It could be that some of the breached services were considered ‘not important’ because the breached account did not contain sensitive information. However, low concern about a breach may also be explained by people not fully considering or being aware of how leaked personal information could potentially be misused and harm them,” said Peter Mayer , postdoctoral researcher at Karlsruhe Institute of Technology.

Risks range from credential stuffing—or using a leaked email address and password to gain access to other accounts of the victim—to identity theft and fraud.

Most of the breaches never made the news, and often they involved little or no notification to those impacted.

“Today’s data breach notification requirements are insufficient,” Zou said. “Either people are not being notified by breached companies, or the notifications are crafted so poorly that people might get an email notification or letter but disregard it. In prior work , we analyzed data breach notification letters sent to consumers and found that they often require advanced reading skills and obscure risks.”

At the end of the study, researchers showed participants the full list of breaches affecting them and provided information for taking protective steps against potential risks from data breaches.

GUIDE TO AVOID DATA BREACHES FOR DATA BREACH VICTIMS:

REDUCE CHANCE OF BREACHES

“The findings from this study further underline the failure and shortcomings of current data and security breach notification laws,” said Florian Schaub , U-M assistant professor of information. “What we find again and again in our work is that important legislation and regulation, which is meant to protect consumers, is rendered ineffective in practice by poor communication efforts by the affected companies that need to be held more accountable for securing customer data.”

The researchers point to Europe’s General Data Protection Regulation that legislates hefty fines for companies that don’t protect consumers as a means toward solving the issue. The law led companies worldwide to retool their privacy programs and safeguards.

Free Genetic Test is Really Medicare Fraud

office@egs-solutions.com (Stephani McGirr) — Tue, 15 Jun 2021 14:26:00 GMT

This Medicare scam is back! Con artists are claiming to offer “free” genetic testing kits that allegedly screen for heart conditions or cancer. It’s really a ruse to steal your Medicare information for fraudulent billing and/or identity theft.

How the Scam Works

You get a call from someone claiming to be from Medicare or an official-sounding organization. (One victim reported to BBB Scam Tracker receiving a call from “the Cardiac Test Center.”) The caller claims to be providing free genetic testing kits. All you need to do is agree to receive a kit in the mail, swab your cheek, and return the vial. The test will tell you if you have a genetic predisposition to heart disease, cancer, or another common condition. The caller insists that the test will be totally covered by Medicare.

This sounds like a useful (and free) test, so you agree. Of course, there’s a catch! Before the company can mail your kit, they need your Medicare ID number and a lot of personal information. Targets of this scam report being asked extensive questions about their health, such as their family medical history and previous diagnoses.

As always, there are several variations of this con. Previous versions involved scammers going door-to-door or setting up tables at health fairs. Con artists may even provide gift cards or other giveaways in exchange for your participation.

While genetic testing is a legitimate service—some victims do actually receive a genetic testing kit—the scammers are trying to commit fraud by billing Medicare for the unnecessary tests. For the victims, these cons can lead to medical identity theft and, in some instances, a bill for thousands of dollars. Consumers should always consult with their primary care doctor before agreeing to tests.

Protect yourself from this scam:

Be wary of any lab tests at senior centers, health fairs, or in your home. Be suspicious of anyone claiming that genetic tests and cancer screenings are “free” or “covered by Medicare.”If a product or test is truly “free,” you will not have to provide your Medicare number.

Don’t share your Medicare number. If anyone other than your physician's office requests your Medicare information, do not provide it. Also, protect your Medicare card by keeping it in a safe place (not your wallet).

Do not trust a name or phone number. Con artists often use official-sounding names or appear to be calling from a government agency or related area code. Medicare will never call you to confirm your personal information, your Medicare number, or ask questions about your personal health.

Report Medicare fraud. If you think you are a victim of Medicare fraud, be sure to report it. Go here on Medicare.gov to get started.

High Court Clarifies When Employee’s Data Misuse Violates Federal Fraud Act

office@egs-solutions.com (Stephani McGirr) — Tue, 08 Jun 2021 17:14:00 GMT

employees who are authorized to access information on a work computer violate the Computer Fraud and Abuse Act (CFAA) if they use such information for unauthorized purposes?

In a 6-3 decision , the U.S. Supreme Court found that a person violates the CFAA when he or she accesses a computer with authorization but obtains information—such as files, folders or databases—located in areas of the computer that are off-limits to him or her.

However, the court said, the act does not cover people who misuse information that is otherwise available to them.

"This is a common concern in business settings, where employees have daily access to work computers and proprietary data," noted Scott Wenner, an attorney with Schnader in New York City and San Francisco.

Here's what employers need to know about the ruling.

When Is Authorized Access Exceeded?

The dispute in Van Buren v. United States focuses on how to interpret the CFAA, which generally targets computer hackers and makes it a crime to intentionally access a computer without authorization or to exceed authorized access.

In this case, a police officer allegedly accepted money from a criminal to log into a law-enforcement database and search for a license plate number. He used valid credentials to access information he was authorized to obtain, but he did so for non-law-enforcement purposes, which violated a department policy.

The question in the case was whether the officer's conduct "exceeds authorized access" under the CFAA. The term "exceeds authorized access" means "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter," according to the statute.

The officer and the government agreed that the officer accessed the computer with authorization, but they disagreed on whether he was "entitled so to obtain" the information.

The Supreme Court found that, while the officer's conduct "plainly flouted his department's policy," it did not violate the CFAA. The act "does not cover those who … have improper motives for obtaining information that is otherwise available to them," the court said.

So what does the ruling mean for employers? Employers can't sue criminally under the CFAA but can refer matters to federal authorities for criminal prosecution, noted Mark Srere, an attorney with Bryan Cave Leighton Paisner in Washington, D.C. Or, employers can sue civilly where damages are $5,000 or more.

"Ultimately, employers will not be able to use the CFAA to gain a 'hook' into federal court where an employee or former employee misappropriates confidential information, if the employee had access to such information for proper business purposes," explained Dawn Mertineit, an attorney with Seyfarth Shaw in Boston. However, she said, "the impact of this decision is lessened by the fact that the Defend Trade Secrets Act (DTSA) of 2016 confers federal jurisdiction on trade-secret misappropriation claims."

For employers, the main concern is when an employee absconds with confidential information that does not meet the DTSA's definition of a "trade secret." In that case, she said, the employer will need to rely on any contractual provisions prohibiting disclosure or misuse of confidential information.

Workplace Implications

The Supreme Court cautioned that if the CFAA's "exceeds authorized access" clause criminalized every violation of an employer's computer-use policy, "then millions of otherwise law-abiding citizens" would be criminals, perhaps by checking sports scores or paying bills on a work computer.

"Employers commonly state that computers and electronic devices can be used only for business purposes," Justice Amy Coney Barrett wrote for the court. So "an employee who sends a personal e-mail or reads the news using her work computer" would violate the CFAA under the government's reading of the statute.

The court said that the only question in the case was whether the officer could use the department's system to retrieve license-plate data. "Both sides agree that he could," the court noted. Accordingly, the officer did not exceed authorized access to the database, even though he obtained the data for an improper purpose.

"This case is a good reminder that employers should make sure that they strictly limit their employees' computer access solely to the information that they need for business purposes," Mertineit said. Employers can still bring CFAA claims against employees who access information that they aren't authorized to access (which is known as internal hacking), but it will no longer be sufficient under the CFAA to say that employees lawfully accessed information and used it for an improper purpose, she explained.

Identity Theft: Impact on Victims Is Getting Worse

office@egs-solutions.com (Stephani McGirr) — Tue, 08 Jun 2021 14:06:00 GMT

The Identity Theft Resource Center, a nationally recognized nonprofit organization established to support victims of identity crime, has published research that shows nearly 30% of people who contact the ITRC are victims of more than one identity crime.

The ITRC 2021 Consumer Aftermath Report includes a special focus on victims of pandemic-related identity fraud, including 33% who did not have enough money to buy food or pay for utilities, 40% who were unable to pay their routine bills and 14% who were evicted for nonpayment of rent or mortgage.

Both fraud rates and the trauma that victims experience continue to increase, says Eva Velasquez, the president and CEO of the ITRC. “The one thing that isn't increasing are the resources that we're providing to victims,” she adds.

To tackle the problem, Velasquez would like “to see industry step up efforts with multifactor authentication.” She also recommends the creation of more uniform processes, similar to the credit freeze, “where people can create an account, lock it down and freeze it so that even if someone does have access to your identity credentials, they still will not be able to use them.”

In a video interview with Information Security Media Group, Velasquez discusses:

Velasquez is the president and CEO at the Identity Theft Resource Center. She previously served as the vice president of operations for the San Diego Better Business Bureau and spent 21 years at the San Diego District Attorney’s Office. She is a recipient of the National Crime Victim Service Award from the Department of Justice and the Office for Victims of Crime and the Florence Kelley Consumer Leadership Award from the National Consumers League.

ITRC's Eva Velasquez on Reducing ID Fraud and Increasing Victim Resources

Forbes Advisors, voted IDShield best restoration service 2021

office@egs-solutions.com (Stephani McGirr) — Fri, 21 May 2021 18:05:00 GMT

Our Verdict

IDShield offers comprehensive identity monitoring and credit monitoring services for individuals and families. Pricing is higher than some of the competing identity theft companies offering services today, but the value you get in return is exceptional. We like the fact that you get a 30-day free trial, and that all of their plans come with up to $1 million in identity theft protection coverage.

Our Verdict

IDShield Plans are unique because they all come with comprehensive identity theft monitoring and protection, the only difference being that you can pay for monitoring of one of your credit reports (TransUnion) or all three. You can also choose a plan for an individual or a family plan that covers up to 10 children. IDShield plans start at $11.95 per month for individuals, or $15.95 per month for monitoring of all three credit reports. If you’re considering a family plan, you’ll pay $24.95 per month or $29.95 per month depending on whether you want one bureau or all three credit bureau reports overseen. All IDShield plans come with incredibly comprehensive benefits that help them stand out against the competition. You may pay more for identity theft monitoring from IDShield, but you’ll get more coverage and monitoring than some competitors offer for a slightly lower monthly rate. Here are the main protective benefits you can expect from your plan from IDShield:

The biggest benefit of signing up for identity theft protection is the peace of mind you gain. However, there are some ways to make the most use of your plan, and these include:

Other Benefits All IDShield plans come with an array of benefits that can help protect you if you’re a victim of fraud. However, IDShield does include some unique perks worth noting. These include:

Fine Print IDShield plans are free of hidden or fine print for the most part, but there is one important detail you should know about their plans. IDShield says that pre-existing identity theft issues are not covered under the full restoration benefit, so you cannot expect to get this coverage with your plan if you wait to buy it until after you’re a victim of identity theft.

For the highest level of protection, we recommend paying more for monitoring of all three of your credit reports. Before you pull the trigger, however, we suggest spending some time comparing all the top identity monitoring providers on the market today. You may find that one company offers a plan with exactly what you want for an amount you’re willing to pay, but you’ll never know how providers stack up unless you

Vulnerabilty Management, The Front Line Protection For Small Businesses

office@egs-solutions.com (Stephani McGirr) — Wed, 19 May 2021 14:43:00 GMT

Today’s business environment constitutes highly connected devices, security products, applications, and users, significantly increasing the complexity and the attack surfaces. To take advantage of this scenario and use this advantage when exploiting their victims, attackers continuously develop and reinvent sophisticated and intrusive attack techniques. Consequently, cyberattacks have become highly targeted and pervasive.

It is just a matter of “when” an organization comes under cyberattacks in such a situation.

Cybercriminals often go for low-hanging fruit and exploit publicly disclosed vulnerabilities that are less complicated and require fewer resources, in general. Therefore, it is critical for an organization to manage risk by timely detecting and to mitigate various vulnerabilities in their infrastructure, essentially vulnerability management.

Vulnerability management is a proactive process of finding, classifying/prioritizing, and fixing security vulnerabilities to create a less attack-susceptible environment. It is a continuous process that involves:

• Identification and classification of assets

• Vulnerability assessment

• Risk classification and prioritization

• Patch evaluation

• Pre-test the patch

• Approve of the patch

• Deploy the patch

• Re-scan and verify that patches are deployed and functioning correctly

Looking at the recent trends in cyberattacks, cybercriminals actively target small businesses as those organizations are more prone to cyberattacks. Because the small businesses have the lesser ability (could be due to the budget and/or lack of skilled cybersecurity resources) to keep up with the current security threats and trends. Thus, such businesses need to develop vulnerability management strategies to remediate risk proactively.

Some of the strategic considerations in vulnerability management for small businesses are as follows.

• Reduce product clutter

As the network grows, organizations tend to add more products to their security stack in the hope of creating a cyber-resilient environment. However, these added devices are the seed to creating a complex business environment, which is the source of vulnerability. With complexity, the number of vulnerabilities increases.

Thus, the first step to manage vulnerabilities is to identify all the devices in your infrastructure, identify their capabilities, and retire those products that are no longer required. You will be amazed to see that there could be multiple devices with similar features, and removing the redundant will surely enhance the security posture.

• Deploy advanced vulnerability management tools

Employ vulnerability management tools with automation capability to minimize manual management, maximize accuracy, and dynamically remediate vulnerabilities faster.

Various vulnerability management tools scan assets for vulnerabilities and prioritize vulnerabilities based on the severity of the risk and the threat to the business. Then, it automates the mitigation process to fix the vulnerabilities timely. Overall, small businesses should deploy vulnerability management tools that fix the vulnerabilities from start to finish.

Security for Everyone (S4E) is one of the most trusted and affordable security solutions for vulnerability management. S4E provides a repository of more than 500 free cybersecurity assessment tools to meet different needs. These tools can effectively help to prioritize vulnerabilities and the application of patches. Moreover, S4E understands the technology and automatically prioritizes and performs security assessments without needing technical expertise.

• Red team and blue team exercise

The red team and blue team together can measure the performance of security controls. While the red team focuses on penetration testing and vulnerability assessment, the blue team assesses the capability of controls to counter attacks.

S4E consists of certified professionals who deliver excellent penetration testing services to help both red and blue teams achieve their targets.

Moreover, S4E also provides services to test IoT and mobile applications. IoT and mobile devices are the prime reason for an increase in vulnerabilities in an organization that raises severe security concerns such as data privacy, identity theft, and security breaches. So, assessment of such devices is an essential component of vulnerability management by both the team.

• Continuous monitoring

Continuous monitoring is a proactive approach to manage vulnerabilities and risk. As vulnerabilities can be introduced at any time, organizations should be vigilant and stay ahead of attackers to secure assets. In this effort, organizations should

• visualize critical assets and all path that lead to the assets,

• conduct threat hunting and identify threats,

• conduct a vulnerability assessment to identify and mitigate business-critical vulnerabilities

Organizations can utilize a wide range of assessment tools readily available from S4E to hunt for vulnerabilities and fix them before attackers can do any harm.

• Create a security attitude and security culture

Security is everyone’s responsibility.

If an organization is built up in a culture where employees think security is the IT department’s issue, then there is a problem. The organization cannot thrive and create sustainable security in such an environment. Because humans are the weakest link to security, and an organization can only be as secure as its weakest link. Thus, it is vital to change the attitude towards cybersecurity, and when it comes to security, everyone should be held accountable.

For this, cybersecurity awareness training is critical. S4E is equally committed to providing training and education needed towards building organization-wide security. With quizzes and social engineering attack scenarios, employees will be able to understand real-world issues and apply such learning in everyday duty.

Finally, all businesses need to enforce vulnerability management policy to avoid the possible repercussion of cyberattacks and reduce potential financial, reputational, and compliance damage. We are aware that managing all these risks is difficult, and that's why we are here. Days in secure.

What Is The Cost Of A Data Breach?

office@egs-solutions.com (Stephani McGirr) — Mon, 10 May 2021 18:06:00 GMT

Data breaches are big news in the modern digital workplace; the impact and detriment upon the targeted victim are of growing concern. Privacy breaches are a consequence of a cyberattack directed against a specific organization or government entity. Globally, data breaches adversely affect millions of people every single year.

The Department of Homeland Security defines a data breach as "the unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information."

Our researchers have investigated what the real-world cost of a data breach is in terms of fiscal implications, business impact and the ongoing harm faced by a company as a consequence of a data breach.

Is the cost of data breaches on the rise?

Information collected by the Privacy Rights Clearinghouse suggests that, surprisingly, the number of records breached in cyberattacks is actually declining. PRC reported over 4.8 billion in 2016, 2 billion in 2017 and nearly 1.4 billion in 2018.

These results are debatable, as we may never fully understand the true figures. It is still unknown how many data breaches go unreported or undetected. However, high-profile cyberattacks are on the increase , and the associated financial costs are skyrocketing.

PROMOTED

According to research conducted by the Ponemon Institute, for the past 14 years, the U.S. has endured the most expensive data breaches on record. The average total cost per breach has increased from $3.54 million in 2006 to $8.19 million in 2019.

Healthcare organizations are reported as a major contributing factor. The PRC has identified 58 reported data breaches thus far in 2019 and nearly 1.4 million records breached. This resulted in 60% higher costs to healthcare than the global average of all other industries, according to the Ponemon Institute.

The type of costs.

A recent study conducted by IACIS titled "Economic Costs and Impacts of Business Data Breaches" shows great insight into the financial burden threatening targeted institutions. The research identified three types of costs associated with a data breach: direct costs, indirect costs, and hidden costs.

• Direct costs. These relate to the detection and notification processes of a data breach. The immediate monetary impact is usually on sales revenue, resulting in a significant reduction of income. This will affect operational activities and business productivity.

The company share price will likely drop. Large payments to legal services may be required to control the fallout of litigation, and costs may surge if investigative consultancy firms are needed to find the root cause of the data breach.

Costs are incurred when implementing a post-breach response, such as setting up an emergency call center for affected customers. Public relations activities, which may include the financial reimbursement or settlement costs to impacted customers, will also surge.

• Indirect costs. Indirect loss is attributed to a damaged reputation, a loss of consumer trust and missed business opportunities. Profits typically decline as customers abandon ship in favor of direct competitors.

Investors may be less likely to buy the company stock, resulting in a reduced market share and restricted growth. Talented employees may also choose to leave the organization as the business reputation declines.

Third-party costs will likely increase, as business insurance hikes and associated cost charges from cloud service providers may increase to bolster cybersecurity.

• Hidden costs. The hidden cost of losing business is very difficult to measure, the impact may be felt for years after the data breach. Extensive costs are incurred from lost business hours as employees divert efforts to resolve the breach.

Future technology investments will likely increase substantially as the future technology strategy of the business is likely to change to counteract the impact of the breach.

How can you minimize costs?

The key is to invest in robustly secure information technology that focuses on cloud computing, with digital transformation initiatives and the establishment of DevSecOps work practices. Implementing encryption safeguards on sensitive or valuable data is a necessity to minimize costs.

The Ponemon Institute discovered that implementing an incident response team and having an incident response plan reduced costs up to $360,000 per breach. Security testing and a DevSecOps security model saved up to $10.55 per compromised record.

Enforcing a data encryption policy at a technical and administrator level is a great way to minimize the risk of a data breach that, in turn, minimizes costs. Your policy should enforce encryption at every applicable layer of the IT system, including notably email services, cellphones, mobile devices, storage platforms and cloud services.

This should include a strict policy on portable storage, such as USB sticks, pen drives, mobile phones and digital media. You can enforce this is by denying access to all portable storage devices. Using endpoint security software on all company assets should help you achieve this.

Having a tried and tested business continuity plan (BCP) is another necessity for organizations that heavily rely on information systems. A BCP includes every step that must be followed if a disaster such as a total system outage or ransomware breakout strikes your business.

The ability to stand up business services and information systems in a geographically disparate location will create disaster recovery capabilities that enable business-as-usual agility. Having minimal downtime will naturally minimize expenditure.

Investing in automation technology that provides failover disaster recovery technology, AI-powered automated threat detection software or enhanced auditing can also provide security operations capabilities that could ultimately minimize expenditure.

Coupled with regular training initiatives, this approach to technical data encryption safeguards will automatically apply to all employees, reducing the burden on individual staff to achieve compliance.