In The News

July 2019 OUCH! Newsletter

posted Jul 3, 2019, 1:00 PM by Craig Cox   [ updated Jul 3, 2019, 1:00 PM ]

This month's OUCH! Newsletter focuses on VPNs.  What are they? Do you need one? How do you pick one?  VPNs get explained in plain English.

Below are two services to consider if you decide that consumer VPN is a good fit for your use case:

O365 Phishing email ducks detection

posted Sep 26, 2018, 1:00 PM by Craig Cox   [ updated Sep 26, 2018, 1:03 PM ]

Security vendor Avanan has a blog post with details about a phishing scam that (at least as of mid-August) wasn't being caught by Microsoft's native filtering.  The gist of it is that there was no malicious payload, and the link went to an O365 document, which didn't trigger any warnings.  The fact that the document pretended to be an O365 login page and was collecting user names and passwords wasn't considered.

This is a great example of the constant arms race between attackers and defenders.  Microsoft will no doubt find ways to shut down this kind of scam, if they haven't already.  But every once in a while, the bad guys find a way around the automatic protections and manage to get the bait into our inboxes.

When this happens, we fall back to the same solid advice:
  • Be skeptical about unexpected links in email
  • Don't be rushed by alarmist language, artificially short deadlines, or threats
  • Never type your password into a prompt that was brought up by an email link.  Only offer your password when you came to the page from your own bookmarks or favorites.

Many thanks to all who share with us their phishing emails.  Sometimes those samples help us improve filtering or report violations.  They always keep us posted on what new things the bad guys are trying.

Phishing scam: Scammer knows your password, wants hush money

posted Jul 20, 2018, 6:39 AM by Craig Cox   [ updated Jul 20, 2018, 6:39 AM ]

Brian Krebs reports that a new twist on an extortion scam is going around.  The email accuses you of surfing bad sites and claims that you've been recorded side-by-side with whatever you were watching, and if you don't pay up then the video will be shared with your contact list. To make it seem more believable, the scammer knows your password!

In fact, the scammer downloaded or bought a list of compromised passwords and email addresses, and put them into a form letter.  The scammer figures that with a big enough list of emails and passwords, somebody's got to have a guilty conscience and will pay up.

If you get an email with this or any other story that is made more compelling because they have a password you recognize, the bad news is you have to immediately change that password wherever it's used, and never use it again.  The good news is that there may be no more damage than that - but you need to follow up and check the account on which you used the password.
  • If it was your banking password, check your balance, make sure you recognize all the debits, and so on.
  • If it was a social media password, check that the posts and messages you've sent recently are really yours, and that the scammer hasn't been spamming people in your name
  • If it was your doctor's portal, make sure nobody else has been getting your prescriptions
In general, make sure no mischief has been done with the password, and again, change the password and don't re-use it.

December 2017 OUCH! Newsletter: Lock Down Your Login

posted Dec 6, 2017, 7:23 AM by Craig Cox   [ updated Dec 6, 2017, 7:23 AM ]

This month's newsletter explores why you should ask banks and other websites to send a code to your phone, even after you've entered a password.  Good information, and a quick read.

November 2017 OUCH! Newsletter: Online Shopping

posted Nov 29, 2017, 8:42 AM by Craig Cox   [ updated Nov 29, 2017, 8:44 AM ]

This month's OUCH! newsletter provides tips and reminders about safe online shopping.  Please be safe during the Holiday shopping season!

Cyber Security Do's and Don'ts

posted Sep 15, 2017, 8:23 AM by Craig Cox   [ updated Sep 15, 2017, 8:25 AM ]

  • Create strong passwords that are at least eight characters long, and including at least a numerical value and a symbol, such as #, to foil password‐cracking software. Avoid common words, and never disclose a password online.
  • Use secure password management software such as Dashlane or KeePass.
  • Change your passwords every ninety days.
  • Perform regular backups of important data.
  • If possible, create a password for your files in order to protect file sharing activities.
  • Physically secure your laptop
  • Delete any message that refers to groups or organizations that you are not a part of.
  • Download and install software only from online sources you know and trust.
  • Never click on a link from an untrusted source.
  • Close windows containing pop‐up ads or unexpected warnings by clicking on the “X” button in the upper right hand corner of that window, not by clicking within the window.
  • Use antivirus software, and update it on a regular basis to recognize the latest threats. Heed ITR security alerts to download antidotes for newly circulating viruses and worms.
  • Regularly update your operating system, Web browser, and other major software, using the manufacturers' update features, preferably using the auto update functionality.
  • Set Windows or Mac updates to auto‐download.
  • Save attachments to disk before opening them. Our Sophos Antivirus will automatically scan your attachments if you save them to disk.

  • Never write down your password. Especially on a Post‐It note stuck to your computer!
  • Never give out your password to anyone, whether you know them or not.
  • Never select the "Remember My Password" option, especially in web browsers. Many applications do not store them securely.
  • Never purchase anything promoted in a spam message. Even if the offer isn’t a scam, you are only helping to finance and encourage spam.
  • Please use caution when opening an e‐mail attachment, even from someone you know well, unless you were expecting it.
  • Avoid creating common passwords such as your name, social security, birth dates, etc.
  • Do not leave your laptop unattended, even for a few minutes
  • Never reply to e-mail(s) requesting financial or personal information.
  • Please refrain from clicking on any buttons within pop-up ads.
  • Under no circumstances should you install or use pirated copies of software.
  • Do not install P2P file sharing programs which can illegally download copyrighted material.
  • Never set your e-mail program to "auto-open" attachments.
These tips can be downloaded as a PDF file.

Equifax Security Breach

posted Sep 15, 2017, 8:01 AM by Craig Cox   [ updated Sep 15, 2017, 8:01 AM ]

Equifax Announces Cybersecurity Incident Involving Consumer Information.  Please visit: in order to determine if your personal information was compromised, and if so, how to receive free premium credit monitoring.

-Stephen Shirey

Phone Scams

posted Sep 2, 2015, 7:49 AM by Craig Cox   [ updated Sep 2, 2015, 7:49 AM ]

Most of the posts on this site cover scams that come in through email, text or social media.  It's important to remember that scammers use old-fashioned telephones as well.
  • One of the scams in the tax scams post was perpetrated over the phone.
  • We had a telemarketer call one or more people at the George campus, thinking he was contacting homeowners.
  • The "tech support" scam is often tried over the phone.
  • The so-called Grandparent scam has been attempted on our staff in years past, and still crops up from time to time.
This is just a sampling of things we've actually seen.  Scammers won't operate within any set limits -- that's why they're the bad guys -- so the bait can be just about anything.  Your defense is to think critically about what people tell you on the phone, and don't let them rush you into giving up information or money.  The bad guys know that emotion kicks in before common sense, which is why the scammer wants you to be in a hurry.  Don't play the game!

In October, I'll be visiting each campus with workshops that go into detail on how scammers work and think.  If you'd like to spend 40 minutes learning how to recognize these scams, please watch for dates and times!

Tax scams

posted Aug 25, 2015, 8:19 AM by Craig Cox

Last week I learned of two different tax scams.  In the first, the scammers contacted the victim via telephone to extort money.  They claimed the victim had filed bad information and needed to pay additional taxes (or maybe a fine).  The victim was under such a psychological hold that she actually purchased a prepaid card and read the number over the phone to the scammers, fearing arrest.  The IRS itself warns against these kinds of scams, particularly stating that they will never ask a taxpayer to buy a prepaid cash card.

NPR has published a detailed analysis of how scammers use robocalls to set up this kind of scam.  They could pretend to be the IRS, or your bank, or a credit card company.  The common thread is the unbelievable level of psychological pressure applied to the victims.  I have stated in workshops that you should always pause to think, and let your common sense kick in.  The NPR analysis includes this quote from a scammer:  'OK, if you want a moment to process this, we're going to send the law enforcement in front of your doorstep.' They know the defense is to stop and think, and they threaten punishment if the victim tries!

The best defense is to hang up the phone.  You can also report the scammer to federal investigators.  From the IRS link above:
  • Contact the Treasury Inspector General for Tax Administration (TIGTA) at 1.800.366.4484 or
  • File a complaint using the FTC Complaint Assistant; choose “Other” and then “Imposter Scams.”
In the second tax scam, an individual was approached via email with a request to provide banking information; there was a statement that there was an error in the return and she should write back with her filing details, including date of birth, bank account and bank routing number.  Fortunately, she did not react to this, and didn't lose any money.  The defense here is to look at the email for red flags, and double-check with the IRS if you're not sure.  The message did not come from an account (a big red flag), so double-checking would have involved calling the local IRS office.

Brian Krebs writes that tax refund scams are being taken up by street gangs.  The article clearly lays out how gangs carry out the scam.  Be advised that he passes along some strong language, unfiltered.

Lastly, I can't stress this enough:
  • Don't put up with being bullied over the phone.  Hang up and seek help and advice!
  • If someone is trying to provoke panic, they're afraid of your common sense.  Don't be taken in!

Phony dropbox emails

posted Aug 24, 2015, 1:37 PM by Craig Cox   [ updated Aug 24, 2015, 1:38 PM ]

Two people reported receiving the following email today:

scam email

I have blanked out the name of the innocent bystander whose identity was borrowed to send the message.  The link went to a site that prompted the victim to log in to DropBox via email, but actually collected the email login ID and password so the scammer could use it later.

If you see an email coming from someone you know, but still doesn't seem quite right, contact the sender at an address or phone number that you already have (not by replying to the email) and ask if the email is legitimate.  That little suspicion is often right!  Trust your gut!

Notice that in the last line of the picture, DSPAM (one of our spam filtering devices) has inspected the message but was unable to identify it as spam because the text too closely resembled legitimate traffic.  We have very sophisticated spam interception running, but it can't catch everything.  This is why it's so great to have alert email users who can spot and report malicious email!

1-10 of 111