'Tis the Season
The happy holiday spirit puts many people in optimistic, giving and trusting moods. Cybercriminals, identity thieves and other scammers know this all too well. Read on to avoid some of their craftier tricks so you can spend the season celebrating. 


More Than What's Bargained For

Digital shopping opens doors for data thieves
With more consumers turning to mobile and online sites for holiday purchases, crooks have greater opportunity to seize personal and financial information through vulnerable systems connected to the Internet. At the same time, chip cards are making a once simple and inexpensive crime, counterfeit credit and debit card fraud, much harder to pull off.

With the above in mind, the California Attorney General prepared a list of holiday shopping tips for consumers looking to protect themselves. Of course, her list is applicable to people beyond her state. Here are just a few:
  • If you receive a call from your credit card company that requests you to verify your account information for security reasons, ask to call the company back. Then call the telephone number listed on your card.
  • Say "no" to strange apps. Scammers can use mobile apps and games to hide malware that steals your personal information. Do not download apps unless they are from a known source and have third-party reviews that verify their legitimacy.
  • Use strong passwords. No repeats. Weak and reused passwords are a hacker's holiday treat. Always use more than ten characters, with numbers, special characters and a combination of upper and lower case letters. Use a different password for each site.

A few more tips to share with friends, family and colleagues
In a recent visit to CWIowa Live morning show, I shared some precautions people can take to mitigate their privacy and data security risks during the busy holiday season (as well as throughout the year). You can watch the segment on YouTube, but in the meantime, here's a quick sample of what we discussed:
  • Beware of offers that appear too good to be true; they probably are. With email offers, hover your mouse over the sender's address and look at the bottom of your browser. If the address in the To field doesn't match what is displayed at the bottom of your browser, consider that a red flag.
  • Remove all the data from devices you are selling to make money for the holidays. Sixty-seven percent of used digital devices sold on eBay and Craigslist hold personally identifiable information (PII)! Check out this Rossen Report from NBC's Today Show to see just how much data can become available to the buyers of these used devices.
  • If a smart gadget or device (e.g. Samsung TV or Amazon Echo) is voice-activated, consider that it is always listening. Even if the device is designed only to respond to specific words or phrases, it has to be "tuned in" to hear those. Which of your conversations is it hearing? All of them. Turn it completely off when you don't need to use it.
Cyber Monday isn't the only day staff is tempted
Depending on your organization's policies, it may be okay to get some holiday shopping done at work. Maybe it's over the lunch hour or after the office officially closes. (Maybe not.) Either way, your organization's network and devices could be compromised by malware, viruses or covert data kidnappers should you or a fellow employee fall for a holiday-themed scam while at work. (It could even happen if you fall for it on a company-issued device you're working on from home!)
Consider sharing these best practices with staff, vendors and anyone who may be using your network to browse or buy:
  • Never click on pop-ups; they are often fake and infested with malware.
  • A growing number of scam deals, coupons and discounts are circulating via social media. Your colleagues may see such a post and consider it okay because it was shared by a friend. That added air of legitimacy is exactly why these scams are so effective. On social media, even friends can't be trusted!
  • A warning especially for high-ranking executives - you are prime targets for "whaling," a type of targeted phishing attack that aims to trick C-level associates into clicking malware-laden links or sharing confidential data. We might like to think these individuals are too busy to shop at work, but those jam-packed schedules may be precisely why they are cramming holiday gift buying in between conference calls.
Below is an example of a realistic-looking phishing email sent to me on Nov. 15, seemingly from ToysForce. The dead giveaways? When hovering over the "Cancel De-Activation" button, I saw the actual domain it went to, and it was not ToysForce. Plus, I've never done business with a company called ToysForce!

Are You Phish Bait?

Four sites to help you find out without clicking

Aside from the "hover over the link" tip above, there are other ways to check the legitimacy of an email. The four sites below catalog harmful URLs. Next time you hover, type in what you see at three or more such sites to safely "test" the URL.
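The "hover over the link" check can be automated for a whole HTML message. The script below is an added example, not the newsletter's own code: it compares the domain each link visibly shows with the domain its href actually goes to, and with the domain the email claims to come from. The sample email is constructed to mirror the ToysForce message described above, and every domain in it (gift-verify.test, toysforce.example) is a placeholder.

```python
# Added example, not the newsletter's code: automate the "hover over the link" check by
# comparing the domain a link SHOWS with where its href GOES and with the claimed sender.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a URL or bare domain, with an optional path.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:/\S*)?$")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude 'example.com' from 'www.shop.example.com' (no public-suffix list used)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html, sender_domain):
    """Return (href, text, reason) for links whose destination differs from the shown or sender domain."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue                      # mailto:, tel: etc. are out of scope here
        dest = registrable(url.hostname or "")
        shown = DOMAIN_LIKE.match(text)   # does the visible text itself look like a domain?
        reasons = []
        if shown and registrable(shown.group(1)) != dest:
            reasons.append(f"text shows {registrable(shown.group(1))} but goes to {dest}")
        if dest != registrable(sender_domain):
            reasons.append(f"goes to {dest}, not the claimed sender {sender_domain}")
        if reasons:
            flagged.append((href, text, "; ".join(reasons)))
    return flagged

# Constructed sample modelled on the ToysForce e-mail above; every domain is a placeholder.
SAMPLE_EMAIL = """<p>Your ToysForce account will be deactivated.</p>
<a href="http://login.gift-verify.test/t?id=1">Cancel De-Activation</a>
<a href="http://account.gift-verify.test/x">www.toysforce.example/account</a>
<a href="https://www.toysforce.example/help">Help center</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL, "toysforce.example")` flags the first two links and leaves the genuine help link alone; the registrable-domain helper is deliberately crude, so country-code second-level domains such as .co.uk would need a public-suffix list.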
Keep Your Eyes Peeled When Accessing Cash

ATMs are a thief's paradise
Across the world, in both high traffic and desolate areas, cash machines have become a mecca of opportunity for even the most resource-tapped criminals. That's because skimming devices are easy to get and generally cost just a few hundred dollars. They're sold on the dark web and generally grab plenty of data before they are detected.
We recently experienced a city-wide ATM hacking in my neck of the woods here in Des Moines, Iowa. Evidence that it can happen anywhere.

Before you visit your next ATM, be aware of three simple steps you can take to protect yourself and your card account:
  • Pull on the card reader to see if it jiggles.
  • Cover keys while putting in PIN (even when no one is around... a video camera could be monitoring your key entry). 
  • If something looks suspicious, move on. There's likely to be another ATM nearby.
These tips are also good for self-pay scanners, such as those found at gas stations and self-serve checkouts in stores. Crooks are big fans of planting skimmers there.
Check out these two videos compiled by investigative reporter Brian Krebs. They detail an especially stealthy version of criminal hardware - insert skimmers. 

Religion, politics and... fake news?
You've likely seen the explosion of news coverage investigating the proliferation of fake news - false, misleading and/or satirical news stories often capable of going viral online. When they do, their authors are rewarded with high revenues, valuable data and new targets for malware. Online manipulation of audiences is a topic we're going to see explored even more frequently in the future.
So, how do you know if a story is legit or even safe to click on? Below is a collection of warning signs you can look for to get a sense of what's real and what isn't. (Review the full list here.)
  • Avoid websites that end in "lo" (e.g. Newslo) or ".com.co" as they often take pieces of accurate information and package it with false or misleading "facts."
  • Check to see if more than one news source is reporting the story.  
  • Be suspicious if the story makes you really sad, angry or annoyed. Fake news is designed to provoke these emotions so as to generate more shares and ad revenue.


New feature for 2017
Per the request of quite a few Tips readers, I'm adding a focus on healthcare security to each of my monthly emails. 

I'm happy to do so, as my company currently serves more than 400 healthcare clients, including covered entities and their business associates and subcontractors. The healthcare space is one of the many industries using my SIMBUS solution to prevent privacy and security problems within organizations large and small.
Each month, I'll share a small collection of must-read articles for healthcare leaders, including those working in and outside of privacy and security departments.

Privacy Professor On The Road & In the News

On the road again 

One of my favorite things to do is visit with leaders in different industries - healthcare to associations to energy and beyond. 

In November, I was delighted to do a session called Privacy Challenges for IT Leaders and teach a full-day privacy management class at the Privacy Asia Conference in Singapore. What's more, I was honored to also join a panel session on cybersecurity funding, Paying Down the Cybersecurity Debt.

That's me below with my fellow panelists. Under that is another image of me chatting it up with a couple of the brilliant attendees I was lucky to meet while at the event. 

Taking to the air waves

CWIowa Live, a morning TV broadcast, regularly covers privacy and security tips with their guest, the Privacy Professor! Each segment is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

Here is my most recent visit to the studio, on Cyber Monday, during which we discussed various types of security and privacy threats to watch for over the holidays.

In the news

Questions? Topics?

Have a topic I should discuss on the CWIowa Live morning show? Or a question I can answer in my next monthly Tips? Let me know!

Happy World Computer Security Day!

Celebrate today... and into the future
Did you know November 30 was established in 1988 as World Computer Security Day?

Celebrate by forwarding this message to family, friends and colleagues to help raise awareness of cybersecurity threats, and importantly, how to spot and avoid them. 

Also, check out the tweets using #computersecurityday
While I do love the opportunities designated days bring to help provide a focused awareness effort, I also hope we think about data security and privacy beyond those special days. 

Every day is a perfect day to keep awareness high for protecting your personal information!

Singapore was a fantastic host. What an amazing city!
There's absolutely nothing wrong with checking off your list online, on your phone or with the help of a digital assistant. I do it myself! In fact, I'm almost done with my shopping for the season, and much of it has been done online. 

Just be aware of the risks, and take a few extra precautions this year to be on the safe side. The more you know, the better you'll be at spotting those red flags.   
Have a wonderful, safe holiday season,
Rebecca Herold
The Privacy Professor
Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®, privacyprofessor.org, privacyguidance.com, SIMBUS360.com, rebeccaherold@rebeccaherold.com

NOTE: Permission for excerpts does not extend to images, some of which are my own personal photos. If you want to use them, contact me.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
