Defenses Against Smishing

This week’s blog is adapted from a recent blog posted by The Identity Theft Resource Center (ITRC). The ITRC is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft, data breaches, cyber security, scams/fraud and privacy issues.

Hackers and scammers are top innovators. They are finding new ways to attack data every day. With every new platform, software, or app that comes out, someone invariably finds a way to use it to their advantage. The end result can be a breach in your personal security and a loss of your identity.

But with every new form of attack—spoofing, phishing, hacking, and more—the public has to learn about the threat and learn how to protect themselves from it. That’s why staying on top of a new form of security threat is critical to protecting yourself.

There’s a new form of security danger out there, and this one specifically targets your smartphone. Smishing, as the attack is called, uses the hackers’ old favorite—phishing, or sending out emails that entice you to click a link that actually downloads malicious software—to install a Trojan or virus on your phone. As its name implies, smishing comes from “SMS phishing,” as SMS is the acronym that applies to text messages.

Obviously, a smishing attack goes after your device via text message, and it happens when you get a message from an unknown number that offers you some sort of incentive. It might be telling you about a free offer, a coupon, something wrong with your account, or even more likely, it might claim that “your friend” has sent you a game request or message. Unfortunately, the weblink in the text will install malicious software on your phone once you press it.

Unlike viruses of the “olden days” that sought to lock up your computer or disable your files, smishing attacks generally don’t even want you to know they’re there. They want to exist inside your device and continue to feed information back to the hacker, information like your contacts list, your email address book, and any passwords you enter for apps or accounts you use.

While there are antivirus apps available for smartphones, it can be difficult to completely remove malicious software from a smartphone once it’s infected. Depending on the virus, the only available option may be to reset the phone to its factory settings, which will remove all of your content from the phone. By far, the better option is to avoid installing this type of threat in the first place. Just remember the rule that goes for emails and social media messages, and apply the same smart practice to your mobile device: never click a link that you weren’t expecting.

For more on best practices for identity theft protection, please visit www.hvshred.com

Financial Readiness in the Face of a Natural Disaster

A recent blog on the FTC’s Consumer Advocacy website reminds us to be mindful of protecting our confidential information not just from hackers, but also from being lost in the midst of a natural disaster. While home is where most people feel safe and comfortable, when a hurricane, flood, tornado, wildfire, or other disaster strikes, it’s safest to pack up and go to another location.

When it comes to preparing for situations like weather emergencies, financial readiness is as important as a flashlight with fully charged batteries. Leaving your home can be stressful, but knowing that your financial documents are up-to-date, in one place, and portable can make a big difference at a tense time.

Steps to take to ensure financial readiness in case of an emergency include:

Conduct a Household Inventory

Make a list of emergency contacts, including family members who live outside your area; copies of current prescriptions; health insurance cards; policy #s for insurance companies as well as contact information; and copies of important documents including the deed to the house, birth certificates, social security cards, passports and the like. Make a list of phone numbers or email addresses of your creditors, financial institutions, landlords, and utility companies (sewer, water, gas, electric, telephone, cable); a list of bank, loan, credit card, mortgage, lease, debit and ATM, and investment account numbers; SS cards; and backups of financial data you keep on your computer. It is also a good idea to have an extra set of keys for your house, your car, and your safe deposit box, and a small amount of cash.

Consider renting a safe deposit box for originals of deeds, titles, and other ownership records for your home, cars, RVs, or boats; credit, lease, and other financial and payment agreements; birth certificates, naturalization papers, and Social Security cards; marriage license/divorce papers and child custody papers; and passports and military papers (if you need these regularly, you could place the originals in your fireproof box and a copy in your safe deposit box). Also include investment papers and your living will and health proxy.

Choose an Out-of-Town Contact

Ask an out-of-town friend or relative to be the point of contact for your family, and make sure everyone in your family has the information. After some emergencies, it can be easier to make a long distance call than a local one.

Update Your Information

Review the contents of your household inventory, your fireproof box, safe deposit box, and the information for your out-of-town contact at least once a year.

For more on best practices for maintaining and protecting confidential information, please visit www.hvshred.com

Be Wary of Inside Hackers as much as Outside Hackers

This week’s blog is adapted from an article posted by Maggie Overfelt as a special to CNBC.com. It reminds us that the small things matter. When it comes to identity theft protection, we must be vigilant at the individual and institutional level.

While systems are vulnerable and measures should be taken to secure systems from outside hackers, businesses must be wary of the inside hacker. Smart entities perform enterprise-wide risk assessments to find where their systems are most vulnerable and to spot aberrations in user behavior.

But sophisticated analytics do little in situations where employees are using low-tech methods to capture information. Most systems will not catch the single bank employee who simply writes down on paper all the bank numbers they see that day. That’s difficult to track, and it is happening.

Communication with employees in a position to turn rogue is key, and it is a big deterrent in identity theft cases: if an employee feels like the company cares for them, they’re less likely to take advantage of the situation.

Experts recommend preventing the display of sensitive data in plain sight. Companies should institute a clean desk policy ensuring workers file away papers containing data before they leave their desks, implement inactivity timeouts for any tech devices, and switch to an e-faxing system, which eliminates exposure of sensitive patient data on paper that piles up around traditional fax machines.

Experts also say that tougher penalties for and more prosecution of inside hackers would be a disincentive for such crimes. On a general level, there can be practical barriers to pursuit of a criminal case, such as the victim company’s fear of embarrassment, reputational damage, or the perceived risk (real or not) that their trade secrets will be exposed in a court proceeding.

The Department of Justice and local authorities prosecute these cases all the time, despite what are seen as common barriers. The barriers are low when the actions are clearly wrong, such as a hospital employee stealing electronic medical records and selling them on the black market.

While the price tag for stolen information on the black market can translate to a lucrative sales career for some crooked employees, it’s a costly phenomenon for organizations once they have realized it has occurred, which is often during forensic examination of user devices after individuals left a company.

That’s usually too late to enact damage control. According to the Ponemon Institute, the average cost of a breach is $217 per record.

That’s just the hard costs, what you have to pay for notifying customers or any type of remediation services.  The bigger picture is the reputational damage that shows itself not just to the entity that suffers the damage, but to the industry.

Our efforts must be local and global, individual and system-wide. It’s a lot of work, but it is an invaluable investment.

For more on identity theft best practices, please visit www.legalshred.com

Falling Prey to the Scammer Claiming to Help Recover from the Scam

The FTC’s Blog focusing on best practices for consumers to protect themselves from identity theft is a great resource. This week’s blog is adapted from a recent post by Consumer Education Specialist Lisa Lake.

Even worse than losing money to a scammer is losing more money to another scammer claiming to help you recover from the first one.

Sadly, this really happens. It works like this: Con artists contact you because you’re on their lists of people who lost money to scams. For a “small fee” or “donation” upfront, they promise to recover the money you lost from a prize scheme, bogus product offer, or some other scam.

Sometimes, they try to get you to contact them by putting their offers of “help” in the comments section of blog posts or online articles about scams. Some crooks claim to be from a government agency to appear trustworthy. Others pretend to be actual victims who got (supposed) help from some (fake) agency or company.

But it’s all just a scam, too — another way for a scammer to profit from your loss. They’re after your money, and if you share your payment information, they’ve got it.

Here’s how you can avoid these recovery scams:

(1) Don’t pay upfront for a promise. Someone might ask you to pay in advance for things – like help with recovering from a scam. Consider it a no-go if they ask you for money before they provide any “help”.
(2) Make it a practice NOT to send money or give out personal information in response to an unexpected text, phone call, or email.
(3) Check references and credentials. Do online searches. Type the name or contact information into your favorite search engine with the term “complaint” or “scam.” Ask for a reference.

If you do find you have been scammed, please file a complaint with the FTC. It will help get the word out and quash it sooner rather than later.

For more on identity theft best practices, please visit www.hvshred.com

MidYear Review of the basics for Identity Theft best practices

Repetition is key to education. With that in mind, as we embark on the second half of 2016, we’d like to use this week’s blog to review the basics on identity theft protection best practices:

  1. Mobile device security – In our connected world, mobile devices account for a lot of our daily activities. Unfortunately, our smartphones and tablets are also wide-open gateways for a hacker to steal our identities. Make sure the apps you use are coming from trusted sources, not unregistered content publishers from third-party or aftermarket app vendors. When you’re out in public, protect your identity and conserve your battery by turning off the Wi-Fi on your device; it will keep you from accidentally connecting to a network without intending to. If you do need to get online while away from home, remember to save the sensitive activity, like online banking, for a time when you’re connected to a trusted network.
  2. Privacy at home – Your home technology is every bit as vulnerable as it’s always been, which is why it’s important to install software that will protect you from malware and viruses. It’s also crucial that you password protect your home internet connection to keep outsiders from accessing it. If someone accesses your network without authorization, (s)he could do damage within your connected computers as well as use your internet address to break the law.
  3. Be scam-savvy – One of the easiest ways to steal someone’s identity with very little technological know-how is to get them to fall for a scam. That’s why it’s important to make sure you, your family members, and your coworkers are up-to-date on the latest scams.
  4. Be on the lookout – One of the most important steps you can take to prevent identity theft damage is to monitor your credit reports regularly. You are entitled to one free report each year from each of the top three credit reporting agencies. If you stagger those requests (receive one in January, one in May, and one in September, for example), you’ll get an ongoing look at the state of your credit. Be sure to report any suspicious activity as soon as you discover it, and place fraud alerts and freezes on any accounts that may have been compromised.
  5. Safeguard yourself old school – Remember, high-tech hacking and data breaches are only part of the problem. The old methods that don’t require anything more than a willingness to steal are still viable. That means dumpster diving is still a threat, as is mailing bills from your home address. Be sure to shred all of your important, identifying documents before you discard them, and mail your bills from the nearest post office drop box instead of leaving them at the curb with the flag up.

It’s not fail-safe, but taking these steps will help. To stay up on identity theft best practices, please keep checking for our updates on www.hvshred.com

Understand and Protect Yourself from Online Tracking

What follows is the lowdown on how you are being targeted online.

How do websites remember you? For years, the answer has been by using “cookies” – pieces of information saved by your web browser, then used to remember you and customize your browsing experience.

Now, it’s about more than cookies. Without using cookies, companies can use “device fingerprinting” to track you, based on your browser’s unique configurations and settings. Plus, mobile app developers can use “device identifiers” to monitor different applications used on your device. Tracking can also occur on smart devices, like smart TVs.

How can you control online tracking? Here are some ways to get started:

  • Delete or limit cookies. Check your browser’s settings for tools under Help, Tools, Options or Privacy.
  • Reset identifiers on your mobile devices. That makes it harder to associate your device with your past activity. iOS users can do this by following Settings > Privacy > Advertising > Reset Advertising Identifier. For Android, the path is Google settings > Ads > Reset advertising ID. Remember that this will only prevent tracking based on past activity – it won’t prevent tracking going forward.
  • Learn about tracker blockers. There are tools called tracker blockers that allow you to block ads. They prevent companies from using cookies or fingerprinting to track your internet behavior. To find tracker blocking plug-ins, type “tracker blocker” in your search engine. Then, compare features to decide which tracker blocker is best for you.

For more resources for best practices in Identity theft protection, please visit www.legalshred.com

Fending off Text Message Scams

Unfortunately, even our smart phones are now vulnerable to scammers.  We all knew it was just a matter of time.  This week’s blog focuses on how to deter, detect, and defend against the text scammers.

As usual, the scammers often use the promise of free gifts, like computers or gift cards, or product offers, like cheap mortgages, credit cards, or debt relief services to get you to reveal your private information. If you want to claim your gift or pursue an offer, you may need to share personal information, like how much money you make, how much you owe, or your bank account information, credit card number, or Social Security number. Clicking on a link in the message can install malware that collects information from your phone. Once the spammer has your information, it is sold to marketers or, worse, identity thieves.

The results include unwanted charges on your cell phone bill as well as slowing down your cell phone performance by taking up space on your phone’s memory.

For the most part, it’s illegal to send unsolicited commercial email messages to wireless devices, including cell phones and pagers, unless the sender gets your permission first. It’s also illegal to send unsolicited text messages from an auto-dialer — equipment that stores and dials phone numbers using a random or sequential number generator.

Exceptions include transactional or relationship types of messages; when a company has a relationship with you, it can send you things like statements or warranty information. Political surveys and fundraising messages are also not illegal.

To protect yourself:

  • Delete text messages that ask you to confirm or provide personal information: Legitimate companies don’t ask for information like your account numbers or passwords by email or text.
  • Don’t reply, and don’t click on links provided in the message: Links can install malware on your computer and take you to spoof sites that look real but whose purpose is to steal your information.
  • Treat your personal information like cash: Your Social Security number, credit card numbers, and bank and utility account numbers can be used to steal your money or open new accounts in your name. Don’t give them out in response to a text.
  • Place your cell phone number on the National Do Not Call Registry.
  • If you are an AT&T, T-Mobile, Verizon, Sprint or Bell subscriber, you can report spam texts to your carrier by copying the original message and forwarding it to the number 7726 (SPAM), free of charge.
  • Review your cell phone bill for unauthorized charges, and report them to your carrier.

For more information on identity theft protection, please visit www.hvshred.com

On-Site is Most Secure-Be Wary of Changes in the Market Place

Like other industries, the shredding industry is one that is always in transition. The most recent big news is that Stericycle acquired Shred-it. The news we would like to bring to our communities’ attention is that Stericycle has specifically made public its intended push to convert clients from on-site to off-site.

Along with our industry advocacy group, the Mobile Shredding Association, we strongly oppose any effort to diminish the value of on-site, witnessed secure document destruction. The move to convert clients to off-site shredding increases the complexity in managing document chain of custody, effectively removes the client’s option to witness destruction, and creates a delay between receiving of client materials and the destruction of those materials, which will certainly not take place immediately and may not take place within an appropriate amount of time. Legal Shred is primarily an on-site shredding service and is keen on providing clients the convenience and security of on-site secure destruction services.

At Legal Shred, we customize service to best accommodate each client’s needs.  Please contact us to make sure you are getting the service that works best and provides the highest level of security.  www.legalshred.com judith@legalshred.com (845) 705-7279

Legal Shred is a Certified Document Destruction Service

Security is the top priority for Legal Shred. While we recycle the shredded paper, do our best to create environmentally friendly routes to reduce our carbon footprint, and support our clients’ compliance with federal and local regulations, the most important service we provide is securely disposing of confidential records.

One of the ways we assure our clients that we are the most secure means of document security is by being Mobile Shredding Association Certified.

In more detail, that means we are accountable by submitting to annual random audits.

We have already been subject to and passed a random audit earlier this year.  Here’s how the process works:

We were notified via email of our audit and given 30 days to submit the required verification materials:

  • Proof of $1 Million Insurance liability policy
  • Proof of meeting background testing requirements (our employees are randomly checked each year on an ongoing basis)
  • Proof of meeting drug testing requirements (our team members are randomly drug screened on an ongoing basis)
  • Signed confidentiality statement between company and their employees and contractors who have access to clients’ confidential information
  • Insurance records listing the VIN of each shred truck in operation

For more information on our top notch secured document destruction, please visit www.legalshred.com

Caller ID as a Scam

A new favorite resource for our weekly blog is the blog posted by the Division of Consumer and Business Education of the Federal Trade Commission (FTC). Earlier this month, Andrew Johnson wrote a blog to raise awareness of a scam in which the scammers have managed to create a familiar caller ID number. As he described it: “Your phone rings. You recognize the number, but when you pick up, it’s someone else. What’s the deal?”

Scammers are using fake caller ID information to trick you into thinking they are someone local, someone you trust – like a government agency or police department, or a company you do business with – like your bank or cable provider. The practice is called caller ID spoofing, and scammers don’t care whose phone number they use. One scammer recently used the phone number of an FTC employee.

The bottom line: Don’t rely on caller ID to verify who’s calling. It can be nearly impossible to tell whether the caller ID information is real. Here are a few tips for handling these calls:

  • If you get a strange call from the government, hang up. If you want to check it out, visit the official (.gov) website for contact information. Government employees won’t call out of the blue to demand money or account information.
  • Do not give out — or confirm — your personal or financial information to someone who calls.
  • Do not wire money or send money using a reloadable card. In fact, never pay someone who calls out of the blue, even if the name or number on the caller ID looks legit.
  • Feeling pressured to act immediately? Hang up. That’s a sure sign of a scam.

If you’ve received a call from a scammer, with or without fake caller ID information, report it to the FTC at FTC.gov

For more on best practices to protect your identity please visit www.legalshred.com