
How a Fake CIA Agent Duped Someone out of $50,000
In a recent incident reported by The Cut, freelance finance writer Charlotte Cowles fell victim to an elaborate scam that highlights the dangers of social engineering. The scam began with a call from a number that displayed as "Amazon," leading Cowles to believe she was a victim of identity theft. The caller, posing as a Federal Trade Commission official, connected her with a fake CIA agent named Michael. Over hours on the phone, "Michael" convinced Cowles that she faced serious charges related to the identity theft and persuaded her to withdraw $50,000 in cash. The twist? She was instructed to hand the money over to the CIA, which would inexplicably issue her a check for her own funds.

Despite suspicions during the ordeal, the scammers manipulated Cowles into isolation, urging her not to involve her family or the police, claiming it could jeopardise their safety. This tactic of isolating the victim is a common element in scams, aiming to heighten emotions and push individuals into making decisions they might not otherwise make. The scammers played on Cowles' fears for herself and her family, using personal details like the last four digits of her Social Security number to further erode her judgement.

Experts emphasise that falling victim to professional scammers is not a matter of lacking savvy. Selena Larson, a senior threat intelligence analyst, stresses that fraud perpetrators excel at social engineering and employ tactics like instilling fear, excitement, or urgency to manipulate their targets. To protect against such scams, Larson advises people to be wary of anyone trying to isolate them from friends and family, cautioning against trusting individuals posing as government officials or celebrities. Immediate requests for money and a sense of urgency are red flags that should prompt individuals to break off contact and report the activity.

This cautionary tale serves as a reminder that anyone can be targeted by scams. Larson suggests a vigilant approach, emphasising the importance of staying connected with loved ones and not succumbing to isolation. Additionally, adopting a strategy similar to Cowles' newfound tactic—never answering calls from unknown numbers—can be an effective way to avoid falling prey to scams.

As online threats continue to multiply, it is crucial for individuals to remain informed and alert. The incident also touches on the broader issue of cyber threats, including state-backed hacking efforts, ransomware attacks on hospitals, and the impact of cyberattacks on vulnerable communities. Stay safe and informed as we venture through the complexities of online security.

Blackbaud Faces Criticism for Cybersecurity Lapses After 2020 Data Breach
The cloud software company Blackbaud has come under fire from authorities for major cybersecurity failings, stemming from a devastating ransomware attack in 2020. The attack exposed data from numerous educational institutions and non-profits that were clients of Blackbaud, including prominent UK universities and organisations like the National Trust, as well as Labour Party donors.

The ransomware attack, which began in February 2020 and was detected in May, had severe implications for the affected entities. Blackbaud, however, delayed notifying victims for almost two months and openly admitted to paying a ransom of 24 bitcoin to the attackers, without verifying the deletion of the compromised data.

The US Federal Trade Commission (FTC) has issued a complaint against Blackbaud, accusing the company of failing to implement adequate safeguards to protect customer data. The FTC highlighted Blackbaud's deceptive practices, alleging the company failed to follow recommended security best practices, including monitoring unauthorised access attempts, segmenting data, implementing multi-factor authentication, and regularly assessing security controls.

The FTC specifically criticised Blackbaud for retaining customer data beyond the necessary period and allowing its employees to use weak or default passwords. These lapses enabled the threat actor to move freely within Blackbaud's systems, exploit vulnerabilities, and access unencrypted customer data.

In response to these security breaches, the FTC is proposing an order requiring Blackbaud to delete unnecessary data, refrain from misrepresenting its security practices, and establish a comprehensive cybersecurity program. The order would also mandate Blackbaud to notify the FTC promptly in case of future breaches.

This isn't the first time Blackbaud has faced consequences for its actions. The company has previously been penalised by the Securities and Exchange Commission and reached a settlement of $49.5 million with all 50 US states. Last year, it faced reprimands from the UK's Information Commissioner’s Office.

The FTC's complaint emphasises that companies like Blackbaud have a responsibility to secure and manage the data they hold. Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, stated, “Companies have a responsibility to secure data they maintain and to delete data they no longer need.”

As we absorb another incident of this magnitude, it underlines the importance of robust cybersecurity measures and prompt incident response in safeguarding sensitive data. The proposed FTC order aims to ensure accountability and adherence to best practices, urging Blackbaud to take decisive steps in enhancing its cybersecurity protocols.

This incident serves as a stark reminder to organisations and individuals alike about the critical need to strengthen their security practices in the face of growing cyber threats. As Blackbaud faces regulatory scrutiny, the broader implications underscore the ongoing challenges and responsibilities associated with protecting sensitive information in the digital age.

Watch Out for Phone Scams
Preying on people's trust, an increasing cybersecurity threat known as "vishing" has become a cause for concern, impacting unsuspecting individuals and even businesses. Vishing, short for voice phishing, involves scammers attempting to trick people into revealing sensitive information over the phone. These calls often impersonate authorities like the IRS or banks, creating urgency to manipulate victims. In 2022 alone, victims reported median losses of $1,400, per the Federal Trade Commission (FTC).

What Is Vishing?

Vishing operates on social engineering tactics, relying on psychological manipulation rather than malware. The scammers may pose as government officials or company representatives to extract financial details, Social Security numbers, or other sensitive data. Notably, technological advancements, such as caller ID spoofing and AI-driven voice mimicking, contribute to the rising prevalence of vishing attacks.

Detecting a Vishing Attempt

Identifying vishing calls involves recognizing key signs. Automated pre-recorded messages claiming urgent matters or unsolicited requests for sensitive information are red flags. Scammers may pose as government officials, exploiting the authoritative tone to create a sense of urgency. The use of aggressive tactics during the call is another indicator.

What To Do?

To safeguard against vishing scams, individuals can adopt practical strategies. Screening calls carefully and letting unknown numbers go to voicemail helps avoid falling prey to scammers who may attempt to spoof caller IDs. Remaining suspicious of unsolicited calls and refraining from sharing personal data over the phone, especially Social Security numbers or passwords, is crucial. Joining the National Do Not Call Registry can also reduce exposure to illegitimate calls.

Preventive Measures

Taking preventive measures can further fortify against vishing attacks. Signing up for the National Do Not Call Registry informs marketers about your preference to avoid unsolicited calls. Additionally, services like AT&T's TruContact Branded Call Display provide an extra layer of security, displaying the name and logo of the business calling AT&T customers.

In case one suspects falling victim to a vishing scheme, prompt action is essential. Contacting financial institutions, placing a security freeze on credit reports, and changing passwords, especially for sensitive accounts, are immediate steps. Reporting any attempted scams to the FTC and FBI adds an extra layer of protection.

As vishing scammers continually refine their tactics, individuals must stay vigilant. Being sceptical of unsolicited calls and refraining from sharing personal information over the phone is paramount in protecting against these evolving threats.

To look at the bigger picture, vishing poses a significant risk in the digital age, and awareness is key to prevention. Individuals can strengthen themselves against these deceptive attacks by staying informed and adopting precautionary measures. Remember, scepticism is a powerful tool in the fight against vishing scams, and every individual can play a role in ensuring their cybersecurity. Stay informed, stay cautious.


Blackbaud Enhances Security Measures Following FTC Settlement
Blackbaud, a major player in U.S. donor data management, recently settled with the Federal Trade Commission (FTC) after facing scrutiny for a ransomware attack in May 2020. This attack led to a substantial data breach affecting millions of individuals. The FTC's concerns revolved around security lapses, including weak passwords and insufficient monitoring of hacking attempts. The settlement marks a crucial step for Blackbaud, emphasising the need for enhanced security measures and data protection.

The FTC's complaint highlighted various security lapses by Blackbaud, including a failure to monitor hacking attempts, inadequate data segmentation, weak password practices, and a lack of multifactor authentication. As part of the settlement, Blackbaud is now mandated to enhance its security measures and delete unnecessary customer data from its systems.

One crucial aspect of the settlement requires Blackbaud to establish a data retention schedule, outlining the rationale behind retaining personal data and specifying a timeline for its deletion. The company is also obligated to promptly notify the FTC in the event of a data breach requiring reporting to relevant authorities.

The FTC alleges that Blackbaud paid a ransom of 24 Bitcoin (worth around $250,000 at the time) to the ransomware gang that stole sensitive personal data. However, the complaint reveals that the company did not verify whether the hacker actually deleted the stolen data. The breach, disclosed in July 2020, impacted over 13,000 Blackbaud business customers and their clients across the U.S., Canada, the U.K., and the Netherlands, exposing banking information, Social Security numbers, and plaintext credentials.

The aftermath of the breach saw Blackbaud facing 23 proposed class-action lawsuits in the U.S. and Canada by November 2020. In March 2023, the company agreed to pay $3 million to settle SEC charges for failing to disclose the full impact of the ransomware attack. Additionally, in October, Blackbaud agreed to a $49.5 million settlement to resolve a multi-state investigation supported by attorneys general from 49 U.S. states.

FTC Chair Lina M. Khan emphasised the severity of Blackbaud's failure to accurately convey the breach's scope, stating that it kept victims in the dark and delayed necessary protective actions. The settlement not only addresses security measures but also requires Blackbaud to avoid misrepresenting its data security and retention protocols in the future.

This settlement serves as a reminder of the responsibility companies bear in securing and managing the data they handle. It underscores the importance of robust cybersecurity practices, regular monitoring, and prompt disclosure in the event of a breach. As we move through our online experiences, these incidents show how important it is for companies to protect data and be clear with their clients and stakeholders.



Pleading TikTok to "Think of the Children" Misses the Point
In nearly every congressional hearing on big tech, be it on privacy, monopoly, or, in the case of last week's TikTok hearing, national security, at least one lawmaker raises a concern along the lines of "But think of the kids!"

In a recent hearing, a number of officials, including New Jersey Democrat Frank Pallone, cited studies demonstrating that TikTok disseminates harmful material to children and teenagers. According to a new study from the Center for Countering Digital Hate, the site serves content about self-harm and eating disorders to children and young people as often as every 2.6 minutes and every eight minutes respectively. The concern is heightened by the fact that TikTok is a popular platform among young users. According to a 2022 Pew Research survey, the app was used by 67 percent of the teens polled, second only to YouTube.

Callum Hood, research director at the Center for Countering Digital Hate, said in a press statement “Without legally mandated security through design, transparency, and accountability, the algorithm will continue to put vulnerable users at risk.” 

However, Shou Zi Chew, TikTok's CEO, noted that these are issues almost all major social media platforms have faced in recent years. These concerns echo complaints Meta has faced in the past, particularly in connection with Instagram.

Commentary on how harmful a platform could be to children often seems more of an attention-seeking tactic, highlighting some of the most common worries that American parents have. What kind of monster would not want to ensure that children are protected from exploitation and hazardous content? The attention paid to young users also presents one of the few open doors for bipartisan collaboration.

But only a day before Chew was scheduled to testify before Congress, another shooting forced students at Denver East High School to flee their classrooms. A pandemic-era program that provided free school meals to all children was phased out earlier this year in favor of a system based on income, which will put more obstacles in the way of the kids who need it the most. Due in large part to entrenched problems with economic inequality and a deteriorating social safety net, about one-third of children in the US live in poverty.

Children are impacted by things like a lack of gun safety regulations and a lack of funding for social or educational initiatives, but these concerns frequently end in impasses in the legislative and policymaking process. Moreover, pleading with lawmakers to "think about the children" rarely has an impact. When it comes to Big Tech, the focus on "the kids" frequently oversimplifies and diverts attention from the more delicate issues of privacy, widespread data collection, the outsized power of certain companies to dominate smaller competitors, and the transnational nature of extremist content and misinformation. Instead, we need to ask deeper questions: How long should companies be able to keep data? What should it be used for? Can private companies that want to educate the next generation of consumers ever be incentivized to set time limits or restrict access to content for young users? Overall, how do our systems allow this damage?

There are ways to bring concerns about children's well-being to light and translate them into practical protections, though they rarely find favor in Congress. While officials may express concerns about how TikTok in the US differs from its Chinese counterpart, Douyin, in terms of the experience for young users, little has changed in legislation to address the online harms experienced by US children in the five years since the Tide Pod challenge, or even in the 18 months since Frances Haugen first testified before Congress, despite her frequent appearances at televised hearings.

In response to these concerns, Senators Edward J. Markey and Bill Cassidy proposed a bipartisan bill in 2021 that would prohibit internet companies from gathering data from users between the ages of 13 and 15 and establish a youth marketing and privacy division at the Federal Trade Commission. However, the bill has yet to be voted on in the Senate.

The Medical Review Institute of America Alerts Patients of a Privacy Breach

On November 9, 2021, MRIoA discovered that it had been the victim of a sophisticated cyber-attack that affected over 134,000 people, according to a data breach notification filed with the Maine Attorney General's Office. Upon discovering the security incident, the institution set out to protect and restore the organization's systems and operations. MRIoA also promptly enlisted third-party forensic and incident response experts to conduct a thorough investigation into the nature and scope of the problem and to assist with remediation efforts. The incident was also reported to the FBI.

According to MRIoA, which discovered the incident on November 12, 2021, the security incident primarily involved the unauthorized gathering of information; MRIoA retrieved and validated the deletion of the received information to the best of its abilities and knowledge on November 16, 2021. 

According to the company's statement, MRIoA's privacy and security program incorporates the HITRUST Common Security Framework (CSF) and associated standards and regulations, such as HIPAA, HITECH, and state data and privacy legislation. MRIoA enforces tight access controls, including privileged access management, file integrity monitoring, input validation, and complete audit logging, and protects data confidentiality by encrypting data at rest with AES-256 and data in transit with TLS 1.2.

"We place a high importance on the security and privacy of the information stored on our systems, and we were astonished and disheartened to learn that we were one of the thousands of victims of this type of cyberattack," MRIoA's CEO, Ron Sullivan said. 

Meanwhile, as listed below, additional cybersecurity precautions have been installed and are being deployed across MRIoA's existing infrastructure to better limit the possibility of this type of event occurring again.

  • Continuous threat hunting and detection software monitoring their systems.
  • Additional multifactor authentication protections when accessing the systems.
  • New servers built from the ground up to ensure all remnants of the threat were eradicated.
  • Working with outside cybersecurity specialists to support their security initiatives.
  • Creating a new, hardened backup environment.
  • Enhancing cybersecurity training for employees.

As MRIoA reviews, rewrites, and amends their existing cybersecurity rules in the wake of the attack, they suggest individuals report any fraudulent conduct to the appropriate law enforcement agencies, such as their state attorney general and the Federal Trade Commission (FTC).
 
Affected individuals are being offered free credit monitoring and identity protection services by MRIoA. Individuals who want to sign up for the free credit monitoring service must do so within 90 days of receiving their MRIoA notice letter.

FTC slaps Facebook with record $5 billion fine
The Federal Trade Commission has finally approved a hefty fine of $5 billion on Facebook over the company’s privacy policies.

The settlement has left Mark Zuckerberg in a very rocky position within the company and has immensely damaged it.

The agreement says that the company should establish an internal privacy oversight committee, "removing unfettered control by Facebook's CEO Mark Zuckerberg over decisions affecting user privacy."

“The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC," said FTC Chairman Joe Simons when announcing the settlement. "The relief is designed not only to punish future violations but, more importantly, to change Facebook’s entire privacy culture to decrease the likelihood of continued violations."

However, the settlement did not hold Facebook executives, including CEO Mark Zuckerberg, personally responsible for the privacy violations.

Zuckerberg welcomed the settlement in a blog post, saying that the structural change will help the company grow further.


"These changes go beyond anything required under US law today," he said. "The reason I support them is that I believe they will reduce the number of mistakes we make and help us deliver stronger privacy protections for everyone."