Login
Over the past year and a half, workers everywhere have gotten used to working from home. They have adopted an entirely new work from home mindset and diverted their weekly commuting hours to other productive and more enjoyable pursuits. As parts of the world return to a “new normal,” another change is on the way: a gradual return to the office.
The hybrid working model is met with mixed reviews from employees and business security teams alike. For some employees, a clearer separation between work and home is a welcome change. CTV News reports 66% of Canadian respondents to an International Workplace Group poll say they are looking forward to splitting their working hours between the office and home.
For business security teams who are just catching their breath after the monumental shift to a remote workforce, they are now gearing up for the new online safety challenges posed by the hybrid work model. According to a VMware Canada Threat Report, 86% of security professionals agree that cyberattacks aimed at their organizations have become more sophisticated since the onset of the pandemic. Additionally, 91% of global respondents cite employees working from home as the cause of cyberattacks. Challenges of the hybrid workforce include the constant back-and-forth of company-issued devices, the lack of control over home office setups, and mixing personal and company devices with company and personal business respectively. For example, if you pay your bills or shop online using your work device, it opens several new avenues for a hacker to walk right onto the corporate network. When your guard is down even a little bit when you are off the clock, you could fall victim to e-skimmers, fake login pages, or phishing scams.
No matter how advanced your company’s threat detection system, hackers know where vulnerabilities lie and are on the hunt to exploit them. Check out these tips to ensure you are not the weak link in your organization.
A virtual private network (VPN) is a service that scrambles online browsing data, making it impossible for nefarious characters to decipher your activity. This is an excellent way to deter hackers from tracking your movements and picking up sensitive pieces of information.
VPNs are essential if you are working in a public area, sharing a wireless network with strangers, or using a Wi-Fi connection that is not password protected. Public Wi-Fi networks are notoriously easy pickings for hackers seeking entry into unsuspecting users’ devices. On the days where you are not in the office, make sure your wireless connection is secure.
While a VPN is an excellent tool, security measures and your accounts are vulnerable without a strong and private password or passphrase to protect them. The gigantic Colonial Pipeline hack is being blamed on a hacker gaining entry through an unused VPN that was not secured with multifactor authentication. Multifactor authentication is an online safety measure where more than one method of identity verification is needed to access the valuable information that lies within password-protected accounts.
Consider using a password manager to organize all your passwords and logins. Password managers remember each pairing so you don’t have to, plus most managers are secured with multifactor authentication. A password manager makes it easier to add variety to your passwords and prevents you from ever having to write them down.
Professionals who travel between their home and an office are likely transporting their devices back and forth, increasing the number of opportunities for devices to be forgotten at either location or in transit. As convenient as it may be, never use your personal device for official business. Even if you pride yourself on sound online safety habits, your company device likely has more defenses ingrained in its hardware than your personal devices.
With your personal devices, you should carefully vet everything you download. With your work-issued devices, this vetting process is even more important as company information is at stake. The Information and Privacy Commissioner of Ontario states that employees should never download applications to their work devices without permission from the IT team. Apps and programs often have security vulnerabilities that could open a gateway for hackers.
Zero Trust is a security philosophy that is exactly what it sounds like: trust no one. Businesses are employing Zero Trust models to greatly limit who has access to sensitive data sources. Adopt your own personal Zero Trust philosophy concerning your passwords, logins, and device access. This means never sharing passwords or log in details, especially over email, instant messenger, or over a video conference. Hackers commonly eavesdrop on all three mediums. Also, even your most trusted coworker could mishandle your passwords and login details, such as writing them down and leaving them in a public place.
A key aspect of the Zero Trust model is only granting employees access to platforms that are vital to their job. Sharing your logins with coworkers who may not be authorized for using that platform undermines all the hard work the IT team does to keep tabs on data access.
Every time you turn on the nightly news, another ransomware attack has hit another organization, each one bigger than the last. This heightened prevalence is a reflection on the wiliness of hackers, but also the number of security holes every company must plug.
There are several vulnerable points of entry in every company, and some of those vulnerabilities are heightened by the hybrid work model. Always heed the advice of your company’s IT team, and make sure to do your part to keep your devices and work information secure.
The post Hybrid Workplace Vulnerabilities: 4 Ways to Promote Online Safety appeared first on McAfee Blog.
Happy National App Day! No, we don’t mean apps of the mozzarella stick and potato skin variety, but your mobile apps that let you order dinner, hail a taxi, stay connected to your friends, and entertain you for hours with silly videos. While they’re undoubtedly useful, mobile apps are also a weak spot in some people’s digital safety. Cybercriminals take every chance they get to trick people through all kinds of technology, and mobile apps are no exception.
To celebrate National App Day, here are a few tips to keep your mobile and your personally identifiable information (PII) safe.
Did you know that there are hundreds of apps on the Android and Apple app stores whose only aim is to steal your passwords? In 2022, Meta identified more than 400 fake apps disguised as various utilities that targeted users to weasel Facebook login and password combinations.1 Malicious apps also regularly masquerade as photo editors and wallpapers but their real purpose is to run malware in the background of the mobile device, such as this Squid Game app from 2021.
Little-known apps aren’t the only ones you have to be wary of either. The biggest companies are also falling to cybercrime. For instance, more details recently came to light about a breach at Uber that leaked the PII of 57 million users. Plus, the popular mobile payment service, Cash App had the personal details of 8.3 million current and former users leaked.2
To keep your cellphone free of malicious software and your PII and password secure, take these five mobile security tips with you into the new year.
The new year is as good a time as any to unload any unnecessary baggage, emotional, literal, or in this case, digital. Go through your phone and delete the apps you haven’t used in the last six months. Make sure to completely delete your account with that app and not just hide it from your homepage. The smaller your digital footprint, the less at risk your PII is of being compromised in a breach.
Before you download any new app, it’s a good idea to conduct some background research on it. How many detailed reviews does it have? Who is the app developer? A phony app usually reveals itself through its lack of reviews. Consider apps with less than 50 reviews fishy. Skim the reviews for specific details and typos. If it’s lacking in detail but brimming with typos and grammatical mistakes, it could signal a fake. This research should take about five minutes, so don’t worry; it shouldn’t be too much of an inconvenience, and that time will be well spent.
Just like it’s a good idea to keep on top of global news, set up news alerts for cybersecurity breaches. If a company falls to a cybercriminal, the alert will give you the valuable time you need to act quickly to either delete your account or change your password.
For every online account, it is essential to create a unique password or passphrase. That way, if you do get hacked through an app or get tricked by a fake one, you don’t have to worry about cybercriminals using that password to walk into your other accounts. Password managers are an excellent way to keep all your passwords secure and free up your brain space for things other than dozens of passwords.
When you sign up for a new app, you can expect to give it a username, a password, and maybe your first name; however, if it has optional fields for your full birthday or your address, consider leaving those blank. The less information the company has about you, the less that can end up in cybercriminals’ hands if the app is breached.
The first step to better cyber habits is arming yourself with the knowledge of the threats that are out there. The best advice here is to slow down, observe and think about your next move every time you download a new app. The signs of a fake are usually not difficult to spot. Then, once you’re confident in its legitimacy, limit the amount of PII you share with it. In this digital world we live in, consider everyone susceptible to a breach.
To give you peace of mind, supplement your great habits with a tool, like McAfee+ Ultimate, that will cover all your bases and be your partner to live your best private life online.
1Tech.co, “Data Breaches That Have Happened in 2022 So Far.”
2Termly, “98 Biggest Data Breaches, Hacks, and Exposures.”
The post 2023’s Top 5 App Security Tips appeared first on McAfee Blog.
Your phone buzzes. You hope it’s a reply from last night’s date, but instead you get an entirely different swooping feeling: It’s an alarming SMS text alerting you about suspicious activity on your bank account and that immediate action is necessary.
Take a deep breath and make sure to read the message carefully. Luckily, your assets could be completely safe. It could just be a smisher.
Smishing, or phishing over SMS, is a tactic where cybercriminals impersonate reputable organizations or people and trick people into handing over their personally identifiable information (PII) or financial details. Sometimes they can seem very credible with the information they have, and you may have even been expecting a correspondence of a similar nature.
So how can you tell when an SMS text is real and requires your attention? And how should you deal with a smisher to keep your identity safe?
Like email phishing and social media phishing, SMS text phishing often tries to use a strong emotion – like fear, anger, guilt, or excitement – to get you to respond immediately and without thinking through the request completely. Vishing is another phishing tactic over the phone, though instead of a text, the scammer leaves voicemails.
In the case of one coordinated smishing attack, cybercriminals not only impersonated financial institutions but collected PII on their targets ahead of time. The criminals then used these personal details – like old addresses and Social Security Numbers – to convince people that they were legitimate bank employees.1 But since when does a bank try to prove itself to the customer? Usually, it’s the other way around, where they’ll ask you to confirm your identity. Be wary of anyone who texts or calls you and has your PII. If you’re ever suspicious of a caller or texter claiming they’re a financial official, contact your bank through verified channels (chat, email, or phone) you find on the bank’s website to make sure.
Scammers also keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. This adds false legitimacy to their message. For example, in the summer of 2022, Rogers Communications, a Canadian telecommunications provider, experienced an extended loss of service and told customers they could expect a reimbursement. Smishers jumped on the opportunity and sent a barrage of fake texts requesting banking details in order to carry out the reimbursement.2 However, Rogers credited customers directly to their Rogers accounts.
If you receive a suspicious text, go through these three steps to determine if you should follow up with the organization in question or simply delete and report the text.
Do you have text alerts enabled for your bank and utility accounts? If not, disregard any text claiming to be from those organizations. Companies will only contact you through the channels you have approved. Also, in the case of the Rogers smishing scheme, be aware of how a company plans to follow up with customers regarding reimbursements. You can find information like this on their official website and verified social channels.
ChatGPT might make it more difficult than spot smishing attempts because AI content generation tools usually use correct grammar and spelling. However, the tone is a good indicator of a scammer. If the tone of the text urges you to act quickly or proposes a dire consequence of ignoring the message, be on alert. While suspicious activity on your credit card is serious, your bank will likely reimburse you for charges you didn’t make, so you have time to check your bank account and see recent activities. Official correspondence from financial institutions will always be professional and will try to put you at ease, not make you panic.
Whenever you get a text from someone you don’t know, it’s a good practice to do an internet search for the number to see with whom it’s associated. If it’s a legitimate number, it should appear on the first page of the search results and direct to an official bank webpage.
Once you’ve identified a fake SMS alert, do not engage with it. Never click on any links in the message, as they can redirect you to risky sites or download malware to your device. Also, don’t reply to the text. A reply lets the criminal on the other end know that they reached a valid phone number, which may cause them to redouble their efforts. Finally, block the number and report it as spam.
A great absolute rule to always follow is to never give out your Social Security Number, banking information, usernames, or passwords over text.
To give you peace of mind in cases where you think a malicious actor has access to your PII, you can count on McAfee+. McAfee+ offers a comprehensive suite of identity and privacy protection services to help you feel more confident in your digital life.
1PC Mag, “Scammers Are Using Fake SMS Bank Fraud Alerts to Phish Victims, FBI Says”
2Daily Hive, “Rogers scam alert: Texts offering credit after outage are fake”
The post What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe appeared first on McAfee Blog.
In the fall of 2021, cryptocurrency value skyrocketed. Ethereum and Bitcoin had their highest values ever, causing a huge stir in interest in online currencies from experts, hobbyists and newbies alike … and in cybercriminals seeking huge paydays. Since then, cryptocurrency value has cooled, as has the public’s opinion about whether it’s worth the risk. Huge cryptohacking events dominate the headlines, leaving us to wonder: Is cryptocurrency losing its credibility?
In this article, you’ll learn about recent unfortunate crypto hacks and a few cryptocurrency security tips to help you avoid a similar misfortune.
A crypto wallet is the software or the physical device that stores the public and private keys to your cryptocurrency. A public key is the string of letters and numbers that people swap with each other in crypto transactions. It’s ok to share a public key with someone you trust. Your private key, however, must remain private — think of it like the password that secures your online bank account. Just like your actual wallet, if it falls into the wrong hands, you can lose a lot of money.
A malware called Mars Stealer infiltrated several crypto wallet browser extensions, including the popular MetaMask. The malware stole private keys and then erased its tracks to mask that it had ever gained entry to the wallet.1
One way to completely avoid a breach to your software crypto wallet is to opt for a hardware wallet. A hardware wallet is a physical device that can only be opened with a PIN. But there is some risk involved with a hardware wallet: if you drop it down the drain, all your crypto is gone. If you forget your wallet PIN, there is no customer service chatbot that can help you remember it. You are solely responsible for keeping track of it. For those who are confident in their hardware’s hiding spot and their personal organizational skills, they can benefit from its added security.
For anyone less sure of their ability to keep track of a hardware wallet, a software wallet is a fine alternative, though always been on alert of software wallet hacks. Keep an eye on crypto news and be ready to secure your software at a moment’s notice. Measures include un-downloading browser extensions, changing passwords, or transferring your crypto assets to another software wallet.
In the case of the Mars Stealer malware that affected MetaMask, being careful about visiting secure sites and only clicking on trustworthy links could’ve helped prevent it. Mars Stealer made its way onto people’s devices after they clicked on an infected link or visited a risky website. Stick to websites you know you can trust and consider springing for well-known streaming services and paying for software instead of torrenting from free sources.
Cryptocurrency enthusiasts often spread their crypto investments across various currency types and blockchain environments. Software known as a bridge can link numerous accounts and types, making it easier to send currency.
The cross-chain bridge Horizon experienced was on its Harmony blockchain, where a hacker stole about $100 million in Ethereum and tokens. The hacker stole two private keys, with which they could then validate this huge transaction into their own wallet. To hopefully prevent this from happening in the future, Horizon now requires more than just two validators.2
According to one report, in 2022, 69% of all cryptocurrency losses have occurred in bridge attacks.3 If you exchange cryptocurrencies with other users and have various accounts, it’s almost inevitable that you’ll use bridge software. To keep your assets safe, make sure to extensively research any bridge before trusting it. Take a look at their security protocols and how they’ve responded to past breaches, if applicable.
In the case of Horizon, the stolen private keys were encrypted with a passphrase and with a key management service, which follows best practices. Make sure that you always defend your private keys and all your cryptocurrency-related accounts with multi-factor authentication. Even though it may not 100% protect your assets, it’ll foil a less persistent cybercriminal.
Phishing attacks on bridge companies in conjunction with software hacks are also common. In this scenario, there’s unfortunately not much you can control. What you can control is how quickly and completely you respond to the cybercrime event. Remove the bridge software from your devices, transfer all your assets to a hardware wallet, and await further instructions from the bridge company on how to proceed.
Decentralized finance, or DeFi, is now one of the riskiest aspects of cryptocurrency. DeFi is a system without governing bodies. Some crypto traders like the anonymity and autonomy of being able to make transactions without a bank or institution tracking their assets. The drawback is that the code used in smart contracts isn’t bulletproof and has been at the center of several costly cybercrimes. Smart contracts are agreed upon by crypto buyers and sellers, and they contain code that programs crypto to perform certain financial transactions.
Three multi-million-dollar heists – Wormhole, Beanstalk Farms and Ronin bridge – occurred in quick succession, and smart contracts were at the center of each.4 In the case of Wormhole, a cybercriminal minted 120,000 in one currency and then traded them for Ethereum without putting up the necessary collateral. In the end, the hacker cashed out with $320 million. Beanstalk Farms lost $182 million when a hacker discovered a loophole in the stablecoin’s flash loan smart contract. Axie Infinity’s Ronin bridge was hit for $625 million when a hacker took control over and signed five of the nine validator nodes through a smart contract hole.4
To be safe, conduct all crypto transactions on well-known and trustworthy software, applications, bridges, and wallets that are backed by a governing body. What you lose in anonymity you gain in security by way of regulated protocols. Hackers are targeting smart contracts because they do not have to depend on large-scale phishing schemes to get the information they need. Instead, they can infiltrate the code themselves and steal assets from the smartest and most careful crypto users. Because there’s almost no way you can predict the next smart contract hack, the best path forward is to always remain on your toes and be ready to react should one occur.
Don’t let these costly hacks be what stops you from exploring crypto! Crypto is great as a side hustle if you’re committed to security and are strategic in your investments. Make sure you follow the best practices outlined and arm all your devices (mobile included!) with top-notch security, such as antivirus software, a VPN, and a password manager, all of which are included in McAfee +.
Privacy, excellent security habits, and an eagle eye can help you enjoy the most out of cryptocurrency and sidestep its costly pitfalls. Now, go forth confidently and prosper in the crypto realm!
1Cointelegraph, “Hodlers, beware! New malware targets MetaMask and 40 other crypto wallets”
2Halborn, “Explained: The Harmony Horizon Bridge Hack”
3Chainalysis, “Vulnerabilities in Cross-chain Bridge Protocols Emerge as Top Security Risk”
4Protocol, “Crypto is crumbling, and DeFi hacks are getting worse”
5Cointelegraph, “Beanstalk Farms loses $182M in DeFi governance exploit”
The post Cryptohacking: Is Cryptocurrency Losing Its Credibility? appeared first on McAfee Blog.
The Internet, while a useful tool for the exchange of ideas and information, can equally be a dangerous place. This is largely due to nefarious practices that compromise the safety and privacy of individuals, and one such practice is doxing. Here’s all you need to know about this alarming phenomenon.
Doxing, a shorthand term for ‘dropping documents,’ is a form of online harassment where individuals share personal, identifying information about others without their consent. This information often includes sensitive data such as home addresses, phone numbers, email addresses, and even Social Security numbers. The practice, which is illegal in many jurisdictions, is often used to intimidate, harass, harm, or exert control over the targeted individual.
But why should you worry about doing it? Well, the answer is quite straightforward. In the current digital age, privacy is increasingly becoming an elusive concept. Your personal information can be leveraged against you in various ways, from identity theft to stalking cases. By understanding the ins and outs of doing so, you can better protect yourself and your loved ones. So, without further ado, let’s delve into everything you need to know about doxing.
Doxing isn’t a modern concept, contrary to what many people believe. While the digital age has facilitated its widespread adoption, doxing has a long and storied history dating back decades.
In the early days, doxing was a tactic primarily used by hackers, who would leverage private information to intimidate or harm their rivals. For instance, they would publish a rival’s real name, address, and other sensitive data on bulletin board systems and early Internet forums. The purpose was to inject an element of fear, as anonymity was often critical in the hacking community.
Over the years, doxing has dramatically evolved, becoming increasingly pervasive and more harmful. With the advent of social media and other online platforms, individuals now have a wider audience and a variety of channels to disseminate personal information. This increased visibility has seen doxing become a go-to tactic for cyberbullies, internet trolls, and even organized hate groups.
In recent years, we’ve seen several high-profile doxing cases, underscored by a toxic combination of personal vendettas, political disagreements, and cyber warfare. These instances have brought issues of online privacy, internet regulation, and cyberbullying to the forefront, prompting calls for more comprehensive legislation to curb the practice.
At its core, doxing is about information gathering and dissemination. It revolves around collecting personal and identifying information about an individual and publicly sharing it – typically over the internet. But how is it done?
Typically, the doxing process begins with identifying the target – this could be anyone from a public figure to an ordinary internet user. The perpetrator then embarks on collecting information about their target. This is often done by combing through the individual’s digital footprint. For instance, they can scrutinize social media profiles, forum posts, online directories, websites, and databases to gather information.
In some cases, doxers employ more sophisticated tactics, such as hacking, phishing, or even social engineering. These techniques can be incredibly invasive, allowing doxers to access even more sensitive information than what’s publicly available. Once the information is collected, it’s then published online, typically on social media platforms or public forums. In extreme cases, the information can be sent directly to the victim’s family, friends, or employer, causing severe emotional distress and potential reputational damage.
While the process may seem straightforward, the implications are anything but. The fallout from doxing can be long-lasting and incredibly damaging, leading to a myriad of personal and professional problems for the victim. This underscores the significance of understanding and combating doxing.
The dangers of doxing cannot be overstated. Depending on the extent of the information released, doxing can lead to a wide array of harmful scenarios, ranging from online harassment and cyberstalking to identity theft and physical attacks.
Primarily, doxing strips individuals of their privacy – a fundamental human right – leaving them feeling vulnerable and exposed. This can lead to psychological fallout, driving victims into anxiety and depression. The invasion of privacy can also lead to social implications, damaging relationships as friends, families, and even employers are drawn into the ordeal.
Social media platforms have unintentionally played a significant role in facilitating doxing. These platforms, designed to foster connections and share information, have instead become tools for malicious activities, including doxing.
On social media, users often unknowingly provide an abundance of information that can be exploited by doxers. Moreover, the platforms provide an easy way for doxers to disseminate the collected personal information to a wide audience. Some social media platforms have taken steps to curb doxing; however, these efforts are often insufficient, as doxers continue to exploit loopholes and other tools to carry out their malicious activities.
Due to the severe implications of doing so, it’s critical to implement measures to protect yourself from becoming a victim. However, this can be challenging due to the sheer amount of personal information individuals share online, often without realizing it. Consequently, prevention strategies often revolve around being cautious about the information you share online and taking steps to enhance your digital security.
Firstly, it’s crucial to limit the amount of personal information you disclose online. This includes being mindful of the information you share on social media platforms, forums, and other online spaces. Be cautious about what you post, who can view it, and how it can be interpreted. Moreover, when signing up for online services, ensure you only provide the minimum required information.
Secondly, regularly review and update your privacy settings on various online platforms. Most platforms have settings that allow you to limit who can view your information. However, these settings often change with platform updates, so it’s essential to regularly review them. Similarly, when downloading apps, review the permissions before installation and disable any that seem unnecessary.
Thirdly, Exercise caution when downloading apps, particularly third-party apps. Some applications may harbor malware or viruses that can compromise the security of your device. To delve deeper into this topic, explore our informative blog for valuable insights and tips on ensuring the safety of your digital experience.
Finally, consider investing in tools and services that enhance your digital security. This includes antivirus software, firewalls, and services such as VPNs that encrypt your internet connection, masking your IP address and other identifying information. Using a password manager can also help protect your accounts from hacking attempts.
As mentioned earlier, doxing is considered illegal in many jurisdictions due to its invasion of privacy and potential for harm. However, the law hasn’t fully caught up with the digital age, and legal measures against doxing vary widely across different countries and regions. That being said, it’s essential to know your legal options should you fall victim to doxing.
When it comes to civil law, victims of doxing may have multiple potential claims, including invasion of privacy, infliction of emotional distress, defamation, harassment, or even stalking. In some cases, these claims can result in monetary damages, cease and desist orders, or other forms of relief.
Under criminal law, doxing may fall under various categories, including identity theft, cyberstalking, or harassment. Depending on the severity of the case, perpetrators can face significant fines or even jail time. Nevertheless, successful legal action often depends on the specific circumstances of the case and the availability of evidence. Therefore, it’s advisable to consult with legal professionals if you’ve been a victim of doxing.
Despite the challenges, many jurisdictions are making efforts to strengthen laws against doxing. For instance, some are proposing laws that explicitly outlaw doxing and provide stronger protections for victims. While these measures are encouraging, legal remedies often come after the fact, underscoring the importance of prevention and preparedness in combating doxing.
Doxing is a pervasive and serious issue in the digital age. The practice not only violates one’s right to privacy but also opens up a Pandora’s Box of potential harm, including harassment, intimidation, and even physical attacks. However, by understanding what doxing is, how it works, and its potential implications, you can better protect yourself and your loved ones from this harmful practice.
Furthermore, it’s critical to be vigilant about your digital footprint and take proactive measures to enhance your online security. This includes being mindful of the information shared online, regularly reviewing privacy settings, and investing in tools that enhance digital security. Additionally, while legal measures against doxing vary, knowing your legal options can be empowering should you fall victim to doxing.
Ultimately, as with many facets of the digital age, navigating the issue of doxing requires a balance between leveraging the benefits of online spaces and protecting against potential pitfalls. With vigilance, preparedness, and an understanding of the risks, you can enjoy the online world while safeguarding your personal information and privacy.
The post 5 Things About Doxing You Should Know appeared first on McAfee Blog.
FreshRSS 