Why are you getting this?

You signed up to receive the Tips, initiated contact with Rebecca and/or Privacy and Security Brainiacs (PSB), and asked to stay in touch, or you consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Like tinsel and twinkling lights, holiday scams are everywhere! They can wreak havoc on an otherwise joyous holiday season.

Thank you to the many readers who sent us messages about the November Tips. We read them all!

Do you have stories, examples, or concerns about the topics covered in this issue that you would like for us to provide feedback on? Send them over! We may discuss it in an upcoming Tips.


Rebecca


We would love to hear from you!

We hope you are finding all this information valuable. Let us know! We always welcome your feedback. 


November Tips of the Month

  • Monthly Awareness Activity
  • Privacy & Security Questions and Tips
  • Data Security & Privacy Beacons*
  • Privacy and Security News
  • Where to Find the Privacy Professor


Monthly Awareness Activity

December 21 is Crossword Puzzle Day. About 50 million people do these challenges daily! How about a crossword puzzle filled with security and/or privacy terms? It can be a fun activity for employees, friends, or family to do together.


Here are several possible puzzles from the cool Word Mint site. They can even be customized!


Or, make a unique crossword puzzle, using specific terms to fit your organization, using your own internal privacy and/or security terms and priorities. Simply use one of many crossword puzzle generator sites, like this.


What other activities do you suggest for Crossword Puzzle Day? Are you planning to do my suggested activity or your own? Or are you doing an awareness event for a different recognized day or week in December? Let us know!

Rebecca includes a list of 250 security and privacy awareness activities and resources within her book, "Managing an Information Security and Privacy Awareness and Training Program." If you’d like more ideas, check it out.

Privacy & Security Questions and Tips

Rebecca answers hot-topic questions from Tips readers

December 2022

Here are a few of the questions we’ve received over the past several months about common scams, and we’ve received many! Plus, we received a great question about gifts.


Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!

Q: Can I control spam emails? I've had my email address for a LONG time. I get A LOT of spam. Fortunately, AOL does a good job of identifying spam and moving it into my spam box. I spent time and effort moving spammers’ addresses into the AOL “block” list, expecting that to reduce spam even further. But the next day, I received even more spam, most of which came from similar addresses with a few changed characters. Is there a way to try using the "root" address and an “anything” character that might work? Which character? Thanks for all you do. Marty


A: Thank you for your kind words and great question, Marty. First, longevity contributes to an increase in spam. As time passes and you use your account for more purposes, more breaches occur. Over time, email addresses are also sold and/or shared with many other entities that use them for cybercrimes, fraud, and spamming. 


You’re correct. When a specific email is put on a blocked list, the spammer will know. They typically get some type of notification that their email didn’t reach the intended target. Many spammers will then create many emails with just one character changed in the hopes that the spam blockers will let at least one of them through. Here are some actions that might help:


  1. Scammers will often try to trick you by showing a viewable email address that differs from the actual sending address. Check the message headers to see if they did this. For example, if you use Outlook, go to File => Properties and look at the Internet Headers for the "From:" entry near the bottom of the list. If the address in the headers is different from the sender address displayed in the message, add the sender’s real address (the one in the headers) to the block list.
  2. Many people believe that unsubscribing from email newsletters is the way to stop receiving spam. That works for legitimate newsletters. However, pay close attention to newsletters from senders you never asked to be in contact with or specifically subscribed to. Malicious spam newsletters are sometimes used to determine whether your email address is valid. If the message is malicious, clicking the link confirms your address, which then ends up in thousands of databases that data brokers sell, typically to advertisers and marketers. Do not click the unsubscribe link at the bottom of malicious spam messages.
  3. Set up alternative email addresses for websites, social media forums, and other locations where a wide range of third parties might see and take your address. Here is a good list of places to get free email accounts.
  4. Many email services and local clients allow you to create rules for handling incoming emails, to identify the common words within spam emails, and then send them directly to your Deleted email folder. If you do this, review your Deleted folder frequently and scan messages to make sure legitimate emails containing those words were not moved to spam. Use only words that would not be expected within your email messages, based on your business, clubs, friends, family, etc. Here is an article that lists 394 terms that could be useful.
  5. Think carefully before blocking emails by filtering IP addresses. An IP address consists of two parts: the network ID and the host ID. ISPs often use the network ID to filter spam. However, many different ISP customers may share that network ID. So, filtering spam in this way will likely inadvertently prevent emails from legitimate customers (along with spammers) from getting into inboxes. Use caution when utilizing IP address spam filtering.
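One way to automate the header check in step 1, as an added example that is not code from the Tips or from any mail client: it parses a raw message, compares the address a reader sees in the display name with the real sender address, and flags reply or bounce addresses that leave the sender's domain. The sample message, its header values and the domains are constructed for the demonstration.

```python
# Added example, not code from the Tips or any mail client. The message
# below is constructed; the checks are heuristics, not a full spam filter.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name shows one address, the real sender
# (inside the angle brackets) is a different domain, and replies go elsewhere.
SAMPLE_MESSAGE = """\
Return-Path: <bounce-8831@mail.example.net>
From: "billing@bank.example.com" <promo4412@mail.example.net>
Reply-To: <collect@example.org>
To: marty@example.com
Subject: Action required on your account

Please confirm your account details.
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def spoof_indicators(raw: str) -> list[str]:
    """Warnings for a raw message, mirroring the manual header check above:
    compare the address a reader *sees* with the address it really came from."""
    msg = message_from_string(raw)
    display_name, real_from = parseaddr(msg.get("From", ""))
    warnings = []

    # 1. Display name looks like an email address but is not the real sender:
    #    the "viewable address" trick described in the Tips.
    shown = EMAIL_RE.search(display_name)
    if shown and shown.group(0).lower() != real_from.lower():
        warnings.append(f"display name shows {shown.group(0)} "
                        f"but the real From address is {real_from}")

    # 2. Bounces (Return-Path) and replies (Reply-To) leave the From domain.
    for header in ("Return-Path", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and domain_of(addr) != domain_of(real_from):
            warnings.append(f"{header} {addr} is outside the From domain "
                            f"{domain_of(real_from)}")
    return warnings


def address_to_block(raw: str) -> str:
    """The address worth adding to a block list: the real sender, not the name shown."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))[1].lower()


if __name__ == "__main__":
    for warning in spoof_indicators(SAMPLE_MESSAGE):
        print("WARNING:", warning)
    print("Block list entry:", address_to_block(SAMPLE_MESSAGE))
```

Paste the full raw source of a suspicious message into SAMPLE_MESSAGE to run the same checks on it.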


Always remember: No matter what you do, no solution is 100% effective. A few sneaky spam messages slip through the spam blockades. That’s why you must always be aware of the signs of spam.


I hope that helps, Marty. Please let us know in a few months if your spam email situation has improved.

Q: Some people on our neighborhood social media page asked for people on the site to give them their old computer equipment, electronics, and smartphones that they no longer need because they were going to make sure they work and then donate them to underserved groups. Should I be aware of any security or privacy risks?


A: That sounds like a noble cause! But we’re glad you’re thinking about security. If you still have personal information or other sensitive information on your devices, remove it before donating the device. IDs, passwords, business systems, and files can all be used by new owners to gain access to your accounts, perform malicious activities (that could be attributed to you), and even drain your bank accounts or go on shopping sprees. One good deed could result in ongoing mayhem!


Once you’ve gathered your computing and storage devices: 


  1. Back up the data you do not want to lose. Identify files like photos, videos, financial information, and other important documents. Back them up to an offline storage device. A USB stick or external drive can be secure if you encrypt all the files on the device, and physically secure the device. Or, if you have a cloud storage area that is encrypted end-to-end (accessible by ONLY you), back up your files to that location.
  2. Irreversibly erase data in all the storage areas, including SIM cards and any of the external storage drives or USB drives you’re donating. Most operating systems have a program to erase all your files from the computing device. We recommend you use a degausser to remove any data remnants and/or overwrite the storage to make any data remnants effectively unrecoverable. Then reset your device to factory settings. More details can be found in U.S. Department of the Army Pamphlet 25-2-8, Information Management: Army Cybersecurity: Sanitization of Media. If you cannot remove all the sensitive files, consider physically destroying computing and storage devices. Yes! Take out a hammer, put on gloves and safety goggles, and whack away!
  3. Donate your device(s). If, for some reason, your equipment isn’t wanted, dispose of it securely and in an environmentally sound way. The U.S. Environmental Protection Agency (EPA) has information about that here.


Even if you fully trust the neighbor who is collecting equipment, be aware of who might ultimately receive it. Personal and sensitive information, proprietary or licensed software, and online accounts could all be used by your devices’ new owners. Even if your neighbor assures you that they’ll scrub your data, you’d be wise to do it yourself. Be sure to share these tips with your neighbor too! They may not be aware of the risks.


Do you have more suggestions? Drop us a line.

Q: What are the best and worst tech gifts to give from a security and privacy perspective?


A: This is a timely, intriguing, and very broad question. To help you, we looked at holiday lists and picked a few of the most popular ones. Keep in mind that any gadget that is called “smart” means that it connects to a network, the internet, an app, or any other type of wireless device, which can create privacy and security issues.


  • Mobile hotspots, like the Verizon Jetpack, or T-Mobile MiFi. They have strong encryption, multi-factor authentication, and other security capabilities. Use these instead of public networks for the best security while traveling or when your own secure wi-fi ISP is unavailable.
  • Home cybersecurity systems, such as Microsoft Defender
  • Smart lighting. Smart lightbulbs are especially popular right now. Most have few or no security and privacy protections. For example, Philips Hue systems have known security flaws. Ensure you update your bulb firmware to prevent malware and hackers from going through your bridge to your network.
  • Smart video doorbells. Most of these are privacy-unfriendly, sending all your data to clouds that have often been found to have security vulnerabilities. Data may also be shared with many types of third parties, including law enforcement agencies. The most secure type is one that stores that video locally, such as on a microSD card, and does not send any information to the cloud. More of these are going on the market, such as the NetAtMo video doorbell.
  • Smartwatches. Although they are widespread and popular, all smartwatches have significant privacy and security vulnerabilities. A ThreadCurve article ranks them from the least privacy-invasive to the most invasive. Garmin Fenix and Epix are currently ranked the most secure and privacy-friendly.
  • Digital assistants. Meta’s Portal has the least security and is the most invasive to privacy, but all digital assistants have both cybersecurity and privacy vulnerabilities. If you get or give a digital assistant this holiday, set all the available settings to the strongest levels. Then physically unplug them when you do not need to use them.
  • Smart TVs. These popular entertainment options can track what you’re watching and for how long and the data is often sold to marketing and advertising firms. Some devices have privacy settings (like Google TV) but we couldn’t find any that had privacy and security settings as the default. 
  • Xpression Camera. This is one of the first technologies to incorporate your words into the likeness and sound of another person. It is touted as “The only real-time AI-generated face filtering app for live streaming and chatting.” It’s being widely marketed. We consider this among the least secure tech gifts to give or receive. It’s especially dangerous because even people who don’t have the app are being exposed to identification and data collection (without their permission).
  • A wide range of home and athletic gifts, like smart bikes, vacuums, appliances, cameras, and hundreds of others.


Remember that:


  1. Few smart tech devices have security or privacy protections.  
  2. Most smart tech devices with security and privacy capabilities are rarely configured to be secure or privacy-preserving by default. Never use technology until you first have enabled security and privacy settings. 


Carefully review the product specifications, site privacy notice, security policies, and security capabilities. They should at least have strong encryption for data collected, while transmitted, and when in storage, and multi-factor authentication (MFA). 



Look for privacy protections, such as:

  • The ability to consent (or decline) to share your data with third parties
  • Giving you access to view, correct, and/or download your personal data
  • Providing you with ways to irreversibly delete all your data from their systems completely. 

Q: I have received multiple phone calls from an entity claiming to be my bank. They ask for my routing number and account number. Two of my friends have been victims of this type of phone fraud. One was about to close on a house and had $100K stolen from his account, preventing him from closing. What are some tips I can give to my friends and family to keep them from becoming victims?


A: Text and phone scams from “banks” are on the upswing. Some claim to be bank investigators trying to prevent a currently suspected crook from stealing money from their bank customers. Another common tactic involves telling the victim that the “investigator” is trying to catch a bank employee committing crimes through privileged account access. One woman lost $25,000 from this tactic.



To keep from being a victim:

  • Never give your own or anyone else’s personal information over the phone, through email, texts, or over the internet unless you initiated the contact or you know the person you are dealing with, and use strong encryption for all types of digital transmissions.
  • Don’t give out personal information in response to unsolicited phone requests. Over the holidays, crooks often pretend to represent charities. Treat all such unsolicited calls as potential phone scams. Be careful about divulging your Social Security number, financial account information, and driver’s license number.
  • Use an updated security program to protect your computer.



In short, NEVER give any of your personal information to any unsolicited callers.


Listen to my show, described below. Ben Rothke describes a wide range of phone scams.

Q: Have you heard of a scam called “pig butchering?”


A: The “pig butchering” scam is fairly new and has been used to scam victims out of millions of dollars, usually after making initial contact through social media. The scammer builds a relationship with the targeted victim and then convinces them to invest their money in cryptocurrency.


It starts with the scammer sending a note to the victim and then claiming that it’s an accidental text. Then, they start an ongoing conversation and build trust.


The crime is called “pig butchering” because the scammer is “fattening the hog” over time before the slaughter.  


Pig butchering scams cost U.S. victims more than $429 million in losses last year, according to the FBI Internet Crime Complaint Center. ProPublica provides a good description of this here.


One California man lost more than $1 million as a victim of this crime. A woman in Delaware was drained of $1.6 million.


The best way to avoid being a victim of the pig butchering scam, and all other types of text scams, is to simply ignore them. If someone promises you a way to get easy money that sounds too good to be true, it probably is. Watch this great video from Forbes about pig butchering scams here.

Q: What is check washing? My mother told me to be aware of this because she saw a warning about it on TikTok, but couldn’t tell me what it was. Should I be concerned?


A: This is an old type of scam that has recently increased, as reported by police throughout the U.S., and it is a simple type of crime to commit, which crooks love.



In 2021 it cost U.S. consumers $815 million. Criminals steal envelopes containing check payments to various organizations from unsecured mailboxes. The checks are put into a liquid chemical mix that dissolves the writing, effectively "washing" them. Once washed, stolen checks can be rewritten and deposited at a bank for any amount. The same tactic would likely work in other countries too. Here’s a recent news report about a New York man who lost all the money in his bank account to a criminal using this tactic, who changed his $42 check payment for his phone bill into a $7,000 check made out to a crook. Here is a good video from the U.S. Postal Inspection Service explaining how to avoid being a victim of check washing. Be aware, and stay secure out there!

Data Security & Privacy Beacons*

People and places making a difference




*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Privacy & Security News

Visit the PSB News Page often!

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts. 



We now have a new page dedicated to HIPAA and healthcare news, here. This is in addition to our other three news pages for specific news topics! We also have a separate news page for IoT security and privacy news. You can see it here. And, we have a huge amount of news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here. You can also get to them all from our Privacy & Security Brainiacs News Page.

Check It Out!

COMING IN EARLY DECEMBER!

NEW and EXPANDED “HIPAA Basics for Covered Entities 2022-2023 Edition.” Those previewing the class have told us they loved the advice and the quiz questions, which support critical thinking. That results in longer-term retention of the concepts. Real-world examples help professionals identify where they need to beef up their own HIPAA compliance practices. They also learn about HIPAA rights in the U.S. that they’ve never heard of before.


We also are releasing to production our first new Master Experts education classes, with the brilliant Dr. Mich Kabay, the former director of the NSA-accredited Norwich University Master of Information Security and Assurance Program. Dr. Kabay is our first Master Expert in residence. 


His first class being offered is Secure Coding, and his second class is Software Quality Assurance. 


Students of each class will receive certificates showing 2 continuing professional education (CPE) credits for the class. The certificates will also reflect how well students did in the class and much, much more. Ask us about our deeply discounted beta testing user pricing.

Where to Find the Privacy Professor

Rebecca's Radio Show

If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of real-world topics within the data security and privacy realm.


Latest Episode

First aired November 5, 2022

Ben Rothke


Let’s Stop the Robocall Scammers!

Security expert Ben Rothke is fed up with all these robocall scammers! He discusses the problem, the security and privacy risks that they can bring, and what needs to be done to get rid of this scourge!


Next Episode

First airs December 3, 2022

Cheryl Jackson and Todd Fitzgerald


Security and Privacy Awareness During the Holidays

These security experts, each with decades of experience, share their real-world perspectives and advice about what to consider when giving tech gifts, what to do before using the tech gifts you receive, and more!

The Privacy Professor | Website

Privacy & Security Brainiacs | Website

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:


Source: Rebecca Herold. December 2022 Privacy Professor Tips. www.privacysecuritybrainiacs.com.


NOTE: Permission for excerpts does not extend to images.


Privacy Notice & Communication Information


You are receiving this Privacy Professor Tips message as a result of:


1) subscribing through PrivacyGuidance.com;

2) making a request directly to Rebecca Herold; or

3) connecting with Rebecca Herold on LinkedIn.


When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the encouraging communications by LinkedIn, she will send those asking for LinkedIn connections her Tips message monthly. If they do not want to receive the Tips message, LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com. 


If you wish to unsubscribe, just click the SafeUnsubscribe link below.