Criminals aren’t always bank robbers, purse snatchers, murderers and car thieves, there is a new kind of criminal introduced by the digital age – the cyber criminals. Below is a list of how these cyber criminals gain access to your personal and financial information, and information on how to prevent this from happening. If you are a victim of a cyber crime, please contact your local police department.
Social Engineering
Attempts a cyber criminal uses to lure unaware users to act out a specific task. Usually by acting as a trusted user or source that the targeted user has ties with. In most cases the cyber criminal does not know of the targeted user and has to craft ways to gain the user’s trust to grant them information or click/download and install malicious material.
社交工程為一種網絡罪行,利用人與人之間的互動去讓受害人上當,透過操控心理去誘騙受害人作出指定行為和洩露機密資訊,它可透過電話、互聯網或接觸人的方式進行。當騙徒取得想要的資料後,會用它進行身分盜用、商業間諜和其他犯罪活動,或者只是影響一般正常商業運作。
社交工程攻擊可區分不同類型。網路詐騙網站會誘騙使用者提供個人資訊 (例如密碼、電話號碼或信用卡資訊),詐欺內容 (例如謊稱裝置軟體過舊的廣告) 則會誘騙使用者安裝垃圾軟體。
社交工程攻擊可區分不同類型。網路詐騙網站會誘騙使用者提供個人資訊 (例如密碼、電話號碼或信用卡資訊),詐欺內容 (例如謊稱裝置軟體過舊的廣告) 則會誘騙使用者安裝垃圾軟體。
出現以下情況就表示發生了社交工程攻擊:
- 相關內容仿效可信實體 (例如瀏覽器、作業系統、銀行或政府) 的行為和外觀。
- 相關內容試圖誘騙您從事一些您只會對可信實體做出的行為,例如分享密碼、撥打電話給技術支援小組或下載軟體。
社交工程也可能出現在良性本質網站的廣告中。在其他情況下,這類網站不會顯示任何廣告,但會透過彈出式視窗、隱藏式視窗或其他類型的重新導向方式將使用者導向社交工程網頁。
更多信息:
Things you can do to avoid identity theft:
- Review monthly statements from your bank(s), credit card(s), and other financial institutions to learn of any incorrect charges.
- Investing in an inexpensive shredder cuts down on your personal information escaping from you in the trash. This can be found on credit card applications, statements, utility bills, etc.
- Have a credit monitor in place for quick access on your credit report and/or credit score. This can help you stay alert on data breach news or someone using your identity. You can request a free credit report from each of the three credit reporting agencies (Equifax, Experian, and TransUnion) once every 12 months.
- Ask your financial institutions to change your issued card number.
- If you are a part of an identity theft case, seriously consider placing your credit on a freeze by calling one of the major credit bureaus.
- You should set your privacy settings on all websites and understand what each of them mean in terms of your identity.
More information:
什麼是身份盜竊?
身份盜竊是美國和國外增加最快的犯罪。它通常涉及偷竊可用來實施欺詐的個人資訊,例如個人的全名、出生日期、社會安全號碼或銀行資訊。
身份竊賊如何得到我的資訊?
- 進入您的郵件
- 翻找您的垃圾
- 偷竊您的錢包、信用卡和身份證
- 非法侵入您的設備
- 透過欺詐騙術收集您的資訊
我如何降低成為身份盜竊受害者的風險?
- 將您的個人資訊存放在安全的地方
- 粉碎包含個人資訊的文件
- 保護您的郵件
- 取消不用的信用卡
- 每年審查您的信用報告
- 絕不回覆陌生人的電子郵件
- 不下載可疑文件或是點選不熟悉網站的連結
- 不在網路發送敏感的個人資訊
- 不在電腦上儲存金融資訊
我是嚴重資料侵害的受害者。我該如何防止別人以我的名義開設假帳戶?
聯繫您的信用局,在您的帳戶上設定欺詐提醒,並請求安全凍結。欺詐提醒要求信用局在放款人嘗試以您的名義開設帳戶前與您聯繫,安全凍結防止在您不知情時與索取您的資訊者分享這些資訊。
更多信息:
身份盜竊 (Identity Theft) | Manhattan District Attorney’s Office
Phishing emails are sent to the public in the mass. They look similar to an organization or user to retrieve private data from an unsuspecting user. Links found in the phishing email do not direct the user to the intended website, instead the user is sent to an alternate address meant to cleverly steal information or make you download malicious software onto your computer.
Top Ten Most Phished Companies (Sep 2017)
Source: Webroot Quarterly Threat Trends Sept 2017
Example of phishing email for Amazon customers
- Never click on a link from a suspected financial institution found in an email, instead open a new browser window or tab and type the URL of the financial institution to go to its website.
- Use security software like anti-virus and anti-malware software that can filter out known phishing attempts.
- Update your browser to the most current version.
- Update your PDF reader to the most current version.
- Update your operating system to the most current version.
More information:
可疑電子郵件
網路詐騙者會試圖透過網路釣魚郵件及簡訊來騙取或「釣取」你的資料,藉此竊取你的金錢或盜用你的身份。這些電子郵件看起來與你熟悉的公司所發出之真實電子郵件極為相似,信件內容通常會要求你點擊連結或附件以更新個人資料、財務資料或確認密碼等。
釣魚郵件例子-亞馬遜顧客
如何辨識網路釣魚郵件?
詐騙電子郵件的特徵如下:
- 使用一般通用的電子郵件問候語,不以全名稱呼你
- 內含附件或軟體更新程式
- 提供虛假網址或假冒的連結
- 企業標誌、版面設計及格式錯誤、過時或擺放位置錯誤
- 包含令人不安或緊急的聲明要求你立即採取動作
- 出現拼字和文法錯誤
- 要求你提供財務或個人資料
- 提供你不合常理的優惠
如何識別假冒的電子郵件?
詐騙電子郵件有許多跡象可循:
- 製造事態緊急的假象 — 許多詐騙電子郵件都會告知如果不立即更新重要資料,帳戶就會有危機。
- 假冒連結 — 點擊任何連結前,先將游標停留在電子郵件中顯示的網址上,比對與瀏覽器左下角所出現的實際連結網址是否一致。如果看似可疑,請勿按下連結。
- 附件 — 附件可能包含惡意軟體,所以除非你絕對肯定電子郵件真實可信,否則絕對不要開啟附件。
如何辨識詐騙網站?
請謹記以下須知:
- 登入銀行、購物或電子郵件網站時,請務必檢查網址開頭是否為「https」,其中字母「s」代表網站受到安全保護。
- 檢查瀏覽器網址列中有無鎖頭圖示。
- 小心確認網站網址的真實性。詐騙網站的網址通常會與銀行或知名企業的網址相類似。
- 請勿依賴電子郵件或搜尋引擎提供的連結,因為它們可能是假冒的連結。請直接在瀏覽器網址列中輸入網站網址。
更多信息:
Spear phishing attacks are highly customized and targets specific individuals or companies or their employees. These attacks gather and use personal information about their target to increase their probability of success. They may pose as your bank, credit card company, or social network website. You may be prompted to click on a link to enter your login information to proceed further to view a web page or read an article. (Source: Wikipedia)
Video explaining inline page object for Facebook login
- Never click a link in an email that appears to originate from a bank, government agency, commercial institution, or any legitimate company. Always manually open a new browser page and enter the site’s URL.
- Enable Two-factor authentication as much as possible.
魚叉式網絡釣魚攻擊是高度定制的,針對特定的個人或公司或其員工。 這些攻擊收集並使用有關其目標的個人信息,以提高其成功的可能性。 它們可能假充成您的銀行,信用卡公司或社交網絡網站。 系統可能會提示您單擊鏈接以輸入登錄信息,以繼續瀏覽網頁或閱讀文章。
- 切勿單擊看似來自銀行,政府機構,商業機構或任何合法公司的電子郵件中的鏈接。 必須手動打開新的瀏覽器頁面並輸入站點的URL。
- 盡可能啟用兩步身份驗證。
IRS (Internal Revenue Service) warns against fraud that originates from emails, phone calls, text messages or regular mail. Click on the links below to see how to watch out for these types of scams.
More information:
國稅局持續警告公眾要小心電話詐騙,並且提供五種讓詐騙現形的警訊,讓您在接到這種電話時能辨認出來。這些來電者自稱是從國稅局打來的。詐騙者通常要求您支付稅金。有些人可能透過宣稱您有退稅來企圖騙您。所謂的退稅是虛假的引誘,讓您提供您的銀行或其他私人金融資訊。
這些詐騙者在電話上聽起來煞有介事。他們可能甚至知道您的很多資訊。他們可能會改變來電顯示,讓它看起來像是國稅局的來電。他們使用假名和虛假的國稅局員工證號碼。如果您沒有接聽,他們通常會留下「緊急」的回電請求。
國稅局與您討論繳稅安排時會尊重納稅人權利。因此,很容易辨別虛假的國稅局來電者。以下是詐騙者會做而國稅局不會做的五種事,其中任何一種都是詐騙的徵兆。
這些詐騙者在電話上聽起來煞有介事。他們可能甚至知道您的很多資訊。他們可能會改變來電顯示,讓它看起來像是國稅局的來電。他們使用假名和虛假的國稅局員工證號碼。如果您沒有接聽,他們通常會留下「緊急」的回電請求。
國稅局與您討論繳稅安排時會尊重納稅人權利。因此,很容易辨別虛假的國稅局來電者。以下是詐騙者會做而國稅局不會做的五種事,其中任何一種都是詐騙的徵兆。
國稅局絕對不會:
- 不先寄給您正式通知就打電話告訴您欠繳稅金。
- 要求您支付稅金而不讓您有機會對他們指稱您欠繳的金額提出質疑或是上訴。
- 要求您使用某一種付款方法來繳稅,例如預付借記卡。
- 在電話上要求信用卡或借記卡號碼。
- 威脅要當地警察或其他執法機構因為您不付款而逮捕您。
如果您接到某人自稱是國稅局打電話來並且要求您付錢,您應該採取以下行動:
- 如果您知道您欠繳稅金或是認為您可能欠繳,請撥(800) 829-1040與國稅局討論付款選項。您也可以在 IRS.gov設立分期付款協議。
- 如果您知道您沒有欠繳稅金或是沒有理由認為自己欠繳,請致電(800) 366-4484或上網 Treasury Inspector General for Tax Administration (TIGTA) 向TIGTA報告此事件。
- 如果電話詐騙者以您為目標,也請在 Federal Trade Commission Complaint Assistant聯絡聯邦貿易委員會。使用他們的「FTC投訴協助」 (FTC Complaint Assistant) 來報告詐騙。請在您的投訴意見欄註明「國稅局電話詐騙」(IRS Telephone Scam)。
請記住,國稅局目前不使用不請自來的電子郵件、簡訊或其他社交媒體來討論您的個人稅務問題。如果您需要有關舉報稅務詐騙的更多資訊,請至國稅局網站 IRS.gov,在搜尋欄輸入關鍵字“scam”即可。
更多信息:
Healthcare is a necessity to all people, it is for this reason that criminals usually target the older generation because their need increases overtime.
The Consumer Reports reported that on average 65% of victims with medical identity theft paid $13,500 to resolve the issue. Don’t be caught unaware!
The Consumer Reports reported that on average 65% of victims with medical identity theft paid $13,500 to resolve the issue. Don’t be caught unaware!
Here are ways to protect yourself and family from healthcare fraud.
- Secure your Medicare, Medicaid and social security card.
- Medicare never calls to sell you products.
- Never carry your Medicare/Medicaid card with you on a regular basis, only on appointment or pharmacy visits.
- Make a journal of services at your doctors visit.
- Always review your Medicare Summary Notice or Part D Explanation of Benefits for any services or charges you did not get at your doctors visit.
- Shred documents such as statements that are no longer useful.
Guard Your Card video by medicare.gov
More information:
身分竊賊會使用各種詭計想盡辦法來騙取老年人的身分和財務信息。官員們提醒老年人要特別當心。
身分竊賊通常會假稱醫保銷售代理上門拜訪或打電話,他們會鼓動老年人加入一個處方計畫,否則他們可能會失去醫保福利。竊賊還會許諾返款或打折的醫保產品。
其預期目的是盜取身分信息申請信貸,或詐騙受害人讓其購買永遠用不到的醫保項目。
身分竊賊通常會假稱醫保銷售代理上門拜訪或打電話,他們會鼓動老年人加入一個處方計畫,否則他們可能會失去醫保福利。竊賊還會許諾返款或打折的醫保產品。
其預期目的是盜取身分信息申請信貸,或詐騙受害人讓其購買永遠用不到的醫保項目。
如何預防醫保詐騙:
- 了解您的 Medicare 包含了那些醫療措施。聲稱免費的醫療措施和器材極有可能是騙局。
- 您的 Medicare 卡片至關重要。不要將帳戶號碼告訴陌生人,尤其是電話推銷員。
- 如果醫療機構突然聯繫您,要多加小心。正規的醫療機構是不會作推銷的。
- 在您做出任何與醫療有關的決定時,最好請您的私人醫生參與其中,千萬不要讓不認識的醫生給您開任何藥方、醫療器材或居家醫療服務項目。
- 在收到Medicare月結單時要仔細查閱,有何不尋常的項目出現。
- 想舉報醫療詐騙的話,請至 How to report Medicare fraud | Medicare.gov ,或撥打 800-MEDICARE (633-4227) 或 877-486-2048。另外,衛生與人類資源部門的反詐騙熱線為 800-HHS-TIPS (447-8477) 或 TTY 800-377-4950。
- 如果您想加入反詐騙的行動當中,可以加入 Medicare 治安小隊 (Senior Medicare Patrol(SMP))。這是一個致力於宣傳如何防止詐騙的組織。更多資訊,請至 Senior Medicare Patrol。
更多信息:
A spoofing email is an email from an attacker who makes a forged email address that looks like it is sent from a known party or organization to a targeted user, so that the user thinks that he/she knows the email sender and clicks on the malicious links/attachments, which can extort information from the targeted user. Crafty criminals make this seem like a normal process and do not intend it to raise any concern. Cyber criminals most often use this technique along with phishing to form a trust with the targeted user.
More information:
Cyber criminals also forge financial institution communication as well. Below you will find some links on how this occurs and how to prevent them.
More information:
According to a study conducted by Symantec, vendor of well known security products, on the ISTR 2017, over 7.1 Billion identities have been exposed in the last 8 years. This is why being aware of company data breaches are important.
Data Breaches 2014-2016
Source: Internet Security Threat Report – Symantec, April 2017
- Pay attention to the news in case of reports of data breaches which are common in the digital age.
- Make it a practice to change your passwords every 3-6 months. Change your passwords directly after a data breach.
- Make use of free services that monitor your credit. Usually available at your credit card companies. This can assist you in responding to a credit problem before it grows out of control. AAA members also have a credit monitor service included in their package depending on which membership you have.
- Consider taking advantage of free credit alert services offered by companies or government after a huge data breach. The company will in some cases offer a lookup on their website.
- If it is with a specific credit or bank issued card, please call your credit or bank and explain to them what happened and tell them to send you another card.
Anything you can do to block hackers from attempting to access your equipment is progress and will benefit you in the long run. So these recommendations are for your home wireless router.
- Home Wireless Router
- Public WiFi
- Secure Website Transactions
- Use Strong Passwords
- Enable 2-Step/Multi-Factor Authentication
- Safeguard Social Media Accounts
- Manually Confirm Unexpected Emails
- Apply All Security and Required Software Updates
- Use Security Software and Hardware
- Setup a secure password on your WiFi router at home with criteria from the following:
- Uppercase letter (A-Z)
- Lowercase letter (a-z)
- Digit (0-9)
- Special character (~`!@#$%^&*()+=_-{}[]\|:;”’?/<>,.)
- Change you router’s default admin password with one that is secure in the settings page. Keeping default passwords makes it easier for intruders to take control of your router and all transmission of data across it.
- Use the most secure setting found on your wireless router, currently being WPA2-PSK.
- To keep your wireless router invisible. You can choose to “Hide your SSID” through your router’s wireless settings page. This makes your WiFi invisible to devices that are looking to connect to a WiFi connection. Keep in mind, you will have to manually connect to your WiFi on every device to first register the device.
If you ever use public WiFi, for example at a coffee shop, guest access in hotels, libraries, local community provided WiFi spots, to connect to the internet, stop to think if your connection is secure or not. If the public WiFi is insecure, virtually everything you type in online forms is left unencrypted, i.e., password, login information, credit card data, and other personal identifiers, can be seen as plain text to a hacker with the right tools. Even if the website uses, “https://” to transmit data. Remember not to use websites that require payment, login, or other personal information at these locations is key to keeping your personal information secure.
- Before you use a website to login or enter your personal information, always make sure that the website address starts with an “https://”. This secures every transaction that occurs between you and the website.
Paypal using HTTPS to transport data over the internet
- Make sure that you recognize the website address before you complete any transaction.
- You should always make sure that the website is reputable before performing any transaction on it.
- It should be a practice to use a strong and unique password (8 or more characters in length) for each online account you have open with various websites.
- There are password manager software that can associate each account with a password. Some tools even help you create a unique and secure password for you. There are even tools found on your browser that remember the passwords.
- To setup a secure password follow the criteria below:
- Uppercase letter (A-Z)
- Lowercase letter (a-z)
- Digit (0-9)
- Special character (~`!@#$%^&*()+=_-{}[]\|:;”’?/<>,.)
You can set up an online account to use 2-Step/multi-factor authentication. This is a step in-between the login process that sends a code to your phone. The online form then awaits that matching code to be entered correctly online. If no correct code is entered, the account will not be authenticated and no login is granted.
This is usually found in most banking, financial institution websites and in some social media websites as well. You can set this up usually in the Account Information, Security, or Login Credentials section of the online account although it does vary depending on their layout.
This is usually found in most banking, financial institution websites and in some social media websites as well. You can set this up usually in the Account Information, Security, or Login Credentials section of the online account although it does vary depending on their layout.
Nowadays, it is rare to find a person without at least one social media account. As social media has become in the spotlight on privacy issues these days, the awareness on how to secure your identity is a growing concern. Even employment sites are a form of social media which can encourage identity thieves to put together profiles of their next victim.
- To keep your identity secure on social media sites, there are usually a preference or settings page for privacy settings. These privacy settings can lower the chances on people looking to gain knowledge of you. Same should apply to any online account you have.
- Take off your birth date all social media or at least the year.
- Identity thieves hone in on personal details about you and the access is already public. Next time you enter a security question, think twice if it is one that someone can answer from information on your social media accounts.
- Make your friends private for others not to see. This discourages that email message from “so and so” (attacker) who knows you from an acquaintance.
Always confirm an email with a phone call if your are not expecting the email from the other party and the email asks of some personal information or money transfer, which should set off a red flag .
- Apply recommended security updates to keep your systems up to date with security patches. This may seem like a waste of time to most people but hackers attack using vulnerabilities found in unpatched systems.
- Stay current and up to date with web browsers and software applications.
- Firewall – Firewall is a hardware or software found usually on routers that monitors internet traffic. It protects you from hackers gaining access to your devices.
- Anti-virus/Anti-Malware Suite – Keep your anti-virus and anti-malware up to date with the latest virus and malware definitions. This will protect you against future outbreaks of known computer infections and outbreaks.
- Web filters – Found in security software suites, a web filter blocks known content that has malicious links/content associated and blocks it from view.
- Pop-up blockers – Pop-up blockers block ads and popups that can leak your privacy.
- Web browsers – Make use of modern, most up to date web browsers. They have a blocking mechanism of flagged known sites that have had malware/phishing attempts in the past.
- Scripting blockers (for advanced users) – Scripting blockers are software that run on your browser that blocks scripts that can cause virus or malware infections.
English
繁體中文
简体中文
Español
Tiếng Việt
Hmong