Cybercriminals Are Using Covid-19 to Trick Businesses
Dan: On the phone with me I have Vince and Sam from Bit-Wizards, the Tip of the Wand show beginning right now. Hi guys.
Sam: Good morning.
Vince: Morning Dan.
Dan: Vince is there. We've already talked to Vince for just a few minutes, but now he's changing hats. I can hear him physically changing his hats. Now wear the Bit-Wizards hat now, Vince.
Sam: Yeah, that's a big tall wizard hat that Vince is wearing right now.
Sam: [ inaudible 00:00:26].
Dan: He's going to smack you with his wand. We'll just let that one go. How have you guys been? Sam, we've already talked to Vince for a minute, you're doing okay, Sam?
Sam: Yes sir. Just holed up here in quarantine in [ Destin 00:00:43 ], but still working.
Dan: Oh good. So they feed you sandwiches and keep you going?
Sam: Yeah, that's exactly what my kids do. That's definitely 100% what my kids do for me is just kind of help me work and bring me food and sandwiches.
Dan: There you go. Give you a goer there. So you guys, I'm sure that you have been hit up with all kinds of weird things because of what's going on, people working from home and everything. Is business booming for you or just about even keel?
Vince: I mean, there's been a little uptake but I mean it's pretty much par for the course right now. We've been very fortunate in terms of being prepared. We've had a couple of customers that have come back and had some issues or things like that because they were having to take a reduction in force or a temporary layoff or something like that or a furlough, and so we've had to accommodate them. But in general things have been going pretty strong and we haven't had any major issues. Just a few things that are a little atypical, like we've got a bigger firm that was ... they had people that were sharing messages from internal and so they wanted some internal disclaimers put on the inside of their email, so for legal reasons we help them out with that, and some other little nit-noid problems. But in general, things have been going pretty good.
Dan: I'm glad to hear that. Well guys, let's just get right into it.
Speaker 4: Bit-Wizards, bits and bytes.
Dan: So today we thought we might talk to you a little bit about how to avoid some of the Coronavirus scams. We're going to start at the top. There's a lot of scammers right now that are taking advantage of fears surrounding the Coronavirus. This comes from the federal trade commission. They had a list of some pretty interesting things that start at the top level that aren't necessarily part of your IT, but they can lead towards getting into your IT if they can gain inside information. Some tips that they've given is the first one has to do with robocalls and they said, hang up on robocalls and for heaven's sake, don't press any numbers. They'll tell you if you want to be removed from the list, press nine. Just hang up.
Sam: Yes. If you press nine you just told everybody over there, there's a human being who answers robocalls and then your number gets pushed all the way to the top of everybody else's list, so they're going to start calling you because they know, you just confirmed. They're not going to take you off of any list at all. In fact, if you press any numbers and you don't just hang up immediately, then they're just going to know you're an easy target.
Dan: Yep. I'm also heard some people will say, well when they call, I like to mess with them. They said, don't do that because if you do that, again, it's a live body on the other end and you'll be getting called all the time.
Sam: That's correct. As long as they know ... in fact, I have the same policy even in my own email. I make sure that in my email I have images turned off and that's until after I click a button that says, yes, show me the images. But the reasons for that is if you have the images turned on, they can see if you even opened the email or didn't open the email.
Sam: With the scam emails and all that stuff, I just let it go straight to my junk folder and I delete it without even looking at it.
Dan: Perfect. Yep. I think everybody should do that.
Sam: Yeah. It's just healthy, especially with these robocalls because they are getting worse and worse, in spite of them passing rules and FTC and all that stuff trying to cut down on the robocalls, it seems like they're getting worse now. It's a computer on the other end, dialing every single number it can think of and then if it thinks it gets through to a human being, they put another human on the other end to try to talk you out of your money and try to con you. Right now they're doing it by scamming about this Coronavirus and some special treatments that the government doesn't want you to know about that can actually cure you.
Dan: Oh, so is that what a lot of it is, like cures and things of that nature?
Vince: Yeah, it's online offers for vaccinations and home kits. If they're trying to get you to buy, they're not proven to treat or prevent Coronavirus disease. The FDA, there's no FDA authorized home kits for the Coronavirus at this particular time. What we tell people is to make sure they fact check information before they sign up. Scammers and sometimes well meaning people, they'll share information that hasn't been verified. Before you pass on any messages, contact trusted sources, visit what the US government's doing. People like John Hopkins and stuff like that that you know, or the CDC, they can get you that information. If you're going to buy something, for heaven sake, know who the hell you're buying from. Because online sellers, they claim to have these in demand products like cleaning and household and health and medical supplies, when in fact they don't have them. What they're do is they collect your orders and then once they've got enough orders, they'll go out and they'll have it manufactured quickly in Chin on demand and then they ship it over. A lot of these products aren't verified by the FDA. They're not checked in. We tell people just to kind of stay away from that stuff, know who you're buying from. The thing is, anytime you're going to get, and this comes up all the time, people at this time start to get texts and emails that says that stuff is coming from the federal government or the IRS or the CDC or whatever and that details are being worked out. What they're trying to do is to get you to click on that on your phone or click on that in your email. They're trying to bait you in to what's called phishing. Then once they know that you're there, that might go to a virus file that gets downloaded onto your computer, because you click the link, and we've talked before about how there are security folks that are out there looking at this stuff all the time, but you never know when somebody's going to cover something up before something becomes mainstream and they're able to catch it and get the heuristics that are necessary to start blocking it through the link scanners.
Sam: Exactly right, and what you can do is instead of getting these texts that are from the government or the IRS, telling you about the money you just got, instead you can go directly to the IRS's website. The same goes for the CDC, for the World Health Organization. There is a lot of misinformation being passed around, and so one of the best ways to make sure that you're not falling prey to that, to something you saw on Facebook or nextdoor. com or any of these social media sites, that you can go directly to the source. So if you want to go see the statistics, you can go to Johns Hopkins University, it's jhu. edu. Or you can go to the World Health Organization or to the CDC's website, the White House has a special website set up to give you actual information about the virus and about the pay outs and about the progress they're making from a medical perspective and their recommendations for wearing masks and those kinds of things. Go there directly. Don't click on a link that you get in a text message and don't click on a link and you get in an email or that you see some obscure article that somebody reposted, which was a repost, which is a repost on Facebook and just assume that it's true because the misinformation is spreading almost as quickly as the COVID-19 itself and the widespread panic that ensues.
Vince: Another thing too is ... go ahead Dan, I'm sorry.
Dan: No, I was just going to say, when they do that, when they have you click on something like that and we've talked about that before, that's when all the viruses go down into your computer. What's the one where they hold you hostage? That one could appear as well, right?
Vince: That's a ransomware.
Vince: And that is correct.
Dan: To avoid all of that you just don't click on anything that you're not familiar with. You guys, so what happens? Because you guys prepare all of your clients with all this knowledge and information and I know you guys monitor a lot of this. What do you guys do to help prevent all of this?
Sam: Well firstly, we take advantage of Microsoft's learning system, so it's using some machine learning and some artificial intelligence and some crowdsourcing on the back end that is identifying patterns that look like scammy behaviors, that looked like spam, that look like shysters trying to con you out of your money. They'll identify, they have a very good success rate of identifying these because it has machine learning and large AI on the back end learning these things. But the thing that you can do, in your Outlook, there's a button that says, this is junk. When you get an email that looks like it is trying to phish for your information, you press that button and that reports it and that helps everybody else out in the community because now that's been flagged and identified as junk mail. If enough of those get flagged as junk mail just by hitting a single button, that single button will mark it as junk, it will send that information off to the system so that everybody else knows and then it will remove it right from your inbox as well. That's something that everybody can do to help cut back on the spamming that's going on and these phishing attacks.
Dan: Oh that's good to know. So if everybody participates with that, these won't go too far, hopefully.
Sam: Absolutely right. About 80% of all the email out there right now out is not generated by a human being. It's generated by a computer algorithm just trying to find an email address and find the next sucker to click on the link.
Dan: The next sucker. I like that because that's about what it is.
Vince: That's a good transition for us to transition to the next segment because we're going to specifically talk about phishing in the next segment. We've got a few items that people can look for and help them out to identify phishing types of emails.
Dan: Yeah, and we're not talking about red fish here.
Speaker 4: Bit-Wizards. What's up our sleeve?
Dan: All right guys.
Sam: Up our sleeve this week is how to avoid Coronavirus phishing scams. It's unfortunate, I know in our community, the local businesses I've been interacting with, we are doing the right thing. I haven't seen people doing salesy pitches trying to take advantage of the Coronavirus to get you to buy their product. I haven't seen it in our local community. What I've seen is the local community banding together, coming together to keep the economy rolling, keep things moving, keep people with jobs, keep people working and try to keep the society moving as long as the best it can. However, just because we know that we're doing the right thing, so we're trying to step up, that doesn't mean that the cyber criminals taking advantage of this Coronavirus. The way they're doing it right now is that they're sending out emails, pitching COVID-19 health information and fake cures. This comes from reputable sources like consumer reports that are monitoring this scourge that's happening on the internet right now of these phishing attacks, where they're targeting people who are afraid, understandably, who are a little scared about what's happening and confused about all the conflicting news they get from what they see on TV and what they see on Facebook. These fishes are targeting those people and trying to hit their email addresses. Then once they can get into your email, their whole purpose there is to reset some important passwords for you and then they can get into your banking and your financial accounts. So for them, they're capturing logins and passwords. The reason they're doing that because that is valuable to them because then they can impersonate you or a legitimate user getting into their banks or into their corporate networks.
Dan: These people are criminals, out and out criminals. I can't believe, well, I can believe. It's just people taking advantage of other people during a crisis like this is just out and out horrible.
Sam: It's really low. I hate to hear, they're specifically targeting the people who are more likely to be confused by all of this. Specifically targeting the people who are sitting there worried and afraid because they haven't been outside in a couple of weeks and all they see is the doom and gloom on the news. Then they get an email telling them about a potential cure they could have, some colloidal silver, something, something that they could take and they'll be fine, and this is what the doctors don't want you to know. Really all they're trying to do is trick you into clicking on a link and getting your credentials, but not all of the emails are trying to get your credentials, some of them really just exist to try to spread their viruses and their malware. In one version that we've discovered by a **inaudible** researcher, it also was asking for people to help find a cure for Coronavirus and urging people to download this little program they would that would use their computer power to collectively help try to discover the cure for Coronavirus. People good naturedly are downloading this program on their computer thinking, well mine just sits asleep there all night long, if it could be helping the government, if it could be helping the medical, I would do that. So then they install this program, but the program was never going to do anything at all to help sequence the genome of Coronavirus, it was instead just malware designed to get on their computer, sweep out their network and then spread from computer to computer, stealing as much information as they can.
Dan: My gosh. So if that does happen, then you guys can help us take that back off of their computer I'm sure.
Vince: Well, we can. In some cases certain viruses have signatures and there's software that we can use to clean things up, but the biggest thing that you can do is prevention. So how do you avoid getting scammed? That's really the question here. The first thing and most important thing that we try to tell people is think before you click. Looking and examining that URL and that link and if it looks suspicious or it's not right just delete it or as Sam mentioned, send it over to the junk mail and report it. Some good signs of fraud are things like where they've misspelled the URL or the name of a website, or they've gotten the URL where it's like one off. Instead of CDC, it's CDCC or something of that nature. Some way to trick you into thinking it's really that company. Then the other thing is looking at the last part of the email address on there, if it's not a . com or . gov, and I'm not saying that those are 100% safe, but if you see . ru, which means Russia or . br which means Brazil, those aren't typical places this would come from, and it's the CDC. Obviously the CDC isn't in Russia, and obviously it's not in Brazil. So that would give you a hint, on examining the URL. You can do that by simply going up at the top of the header of your email and clicking on that and taking a look at examining the email address that it came from and then also looking at the URLs without clicking on them first.
Dan: That makes sense.
Sam: Then ... sorry, go ahead. I was going to say, to go along with that, a big part of keeping your email safe is just don't open attachments, especially if you have no idea where that email came from. Or a website that says, hey, we're just going to download this little thing for you. In fact, some websites will automatically start downloading just by visiting the site, so don't double click on those downloads and don't open up any attachments because there is a really good chance that it contains malware. You may think, well I would never be dumb enough to punch in my password. If it looks sketchy, I wouldn't do it, which is fantastic. That's the starting place. However, if you install this on your computer, you've got to think about all the passwords you have saved in your browser so that when you go to a website you don't have to punch in the password every single time, and all the different places that the passwords are saved. Well, if they can get their software in your computer and they can get a copy of that password vault that's sitting on your computer and they can get it to themselves, then they can take all the time in the world they want to try to reverse the encryption on that vault and figure out your credentials and figure out your passwords that you have saved and to see if you're sharing or reusing the same password in multiple places because that gives them an opportunity to jump even into your financial information. So you've always got to be very of emails that are asking for things like your account numbers or your credit card numbers or a wire transfer or failed transaction. I got an email just yesterday from my church saying, if you get an email from the pastor who's asking you to go out and buy him some iTunes gift cards, he is not looking for iTunes gift cards at this point. It seems so laughable that this would even happen, that people would fall for this. I can tell you of two people just in our area just in the last year that I know legitimately were trying to do the right thing, help their boss out. They got an email from their boss that said, hey, I need you to run and grab some iTunes gift cards, and they went out and they went ahead and bought those gift cards.
Vince: Just piggybacking on that, one thing there I want to mention is do your homework when it comes to online donations and emails and stuff like that. There's a lot of, with crowdsourcing and GoFundMe and stuff like that, there's a lot of people spinning stuff up. You don't know necessarily that that money is going to the function that it's going to unless you've done your homework. So don't let anybody rush you into making donations. Know who it is, and especially, some of the flags are things like if they want donations in cash or by gift card or by wiring money, simply don't do it. Delete the email, get rid of it. One of the things, back on the attachments, I don't want everybody to be afraid to click on any attachment. You should just have your guard up when attachments come through. Make sure that the source of the email is the right source. Make sure that the URL makes sense before you open up attachments. Only open up things that you know the source. Even if you know the source, like if I'm sending an email to Sam, even if we have stuff that comes internal to Bit-Wizards and I've got all this scanning and all these other things that are happening, I always take an extra second or two to look a the header of the email to see who it came from and is it legit because they will literally try to spoof and say, hey Sam, Vince wants you to go and transfer money, to the blah blah blah, blah, blah account or whatever for IT. Sam doesn't necessarily have that power, but if it was your finance director or your HR, if they're asking you to send me the list of all the people in the company and their social security numbers, I mean, you want to take an extra step there. We get kind of on a cruise control on things and the whole thing is you need to be vigilant when you're working online and when you're working in your email.
Dan: Yeah. Do you think sometimes, Vince, people are really, really busy, they look at that and say, for example, you look, it's from Sam, like okay, it's from Sam, so I'm just going to go ahead and do this. Or Sam sees it from you and like, okay, I'm busy, I just need to get this done. But that extra step, would you recommend that if it looks suspicious to you that in a separate email contact that individual directly and say, did you send this?
Vince: I do, or I pick up the phone.
Sam: Pick up the phone, yep.
Vince: I either do that or I pick up the phone if I'm not sure, or I'll initiate a chat with Sam or somebody in the company and say, hey, did you send me this or that? I find I don't have as many problems with it internal as I do external organizations that I'm a member of, like people know that I'm part of the Chamber or people know that I'm part of Vistige or part of my church, St Mary's or something like that and they will send me something trying to get me to click on it. I take that extra step, but always being vigilant.
Dan: Yeah. I would say that if they really wanted to contact you over it, they will contact you over it over personal, maybe a phone call or a text or something.
Sam: That's absolutely right. Yep. I often tell people just pick up the phone. It's really very hard for a scammer to try to ... they can impersonate someone's email address. It's very hard for them to impersonate the actual person and to steal their actual phone number. So I've seen this quite a few times where there are like real estate transactions happening and there's a lot of money sitting in escrow. Once the title is finally signed and everything starts moving around, all of a sudden a lot of money gets released and that's when those scammers try to get in and send a notice to say, here, send a wire transfer for the X amount of thousands of dollars for this, and just click here and click here. Some of our clients are just fantastic and they say, I don't do that. I don't click to do wire transfers. I pick up the phone and then talk to the person on the other end to make sure it really is them.
Dan: It sounds to me like if a company is a client of yours, you continually try to get them educated so they don't do this. You have a little contact with your clients and you guys are a wealth of information about this, no doubt about it. But let's move on guys. That's awesome. That's a very interesting subject though.
Speaker 4: Bit-Wizards, from the spell book.
Vince: Well, today, this is where we demystify some technological geek speak or sort of discuss some little technological factoid, but we thought we'd do something fun today. I heard somebody call a scammer the other day a cyber punk. So I thought that was pretty funny and thought it was sort of apropos, but I thought we might tell everybody what that means. Cyberpunk is sort of a division of science fiction, sort of this dystopian futuristic setting, and it's sci-fi and it relates to computing and hackers, and often sort of features large, corrupt corporations as the antagonist. But it also is what we call our scammers and hackers and things like that.
Sam: There's a difference, right? There's a difference between a punk who operates in the cyberspace, which is someone trying to take advantage of you and then cyberpunk, the genre. So if you've seen the movie, what was the Harrison Ford movie?
Vince: Blade Runner.
Sam: Blade Runner.
Sam: One of my all time favorite movies. That would be considered steampunk. It's a dystopian future with big technology of big corporations and we're all driving around in flying cars and for some reason everything's dark all the time. The sun never shines. That's what cyberpunk is considered, I'm a big fan of sci-fi, I love it. I nerd out on ... I love old sci-fi, like the old Battlestar Galactica. I like all of those genres as well. I'm a big fan of Philip K. Dick and of some of these authors that like, man, I can't ... William H. Gibson who wrote Neuromancer, maybe the biggest cyberpunk story of all time. But that's the genre of this dystopian future, which we may or may not be living in right now. I'm not sure. You look at the news, you're like, wait, is this the sci-fi channel or is this the news right now? I'm having a hard time keeping up. But I like Vince's definition of cyber punk too and that's a punk who's just operating in a cyberspace cupboard, trying to get your stuff.
Dan: That's the easiest one I can think of. Just punk
Vince: What I would say is your Bit-Wizard's friendly professionals are the antithesis of cyberpunks or a cyber punk.
Vince: Not put the two words together, Sam. Our engineers are highly trained. Most of them are college educated. They've got many years of experience and we make them hold industry certifications to stay current. They're not your programmer in the corner drinking **inaudible** Cola and eating pizza or some pimply faced geek that's sitting out there. We're talking about real professionals. We're talking about people that are on top and in the know. Yeah, they love Harry Potter and Star Wars and Star Trek, most of them, although we have hired a few, which I don't know how they got hired that didn't like Star Trek. I found that kind of amazing that they got by.
Dan: That's a prerequisite. You've got to like Star Trek, man. **inaudible** Trekkie.
Vince: How could you not be a Trekkie?
Dan: Oh man. You know, my wife is the biggest Trekkie ever, of the old ones too. All the oldest ones. Man, she thinks they're awesome. I like them too. I'll sit and watch those, they're interesting.
Vince: Well, it's funny that you say this because that's what I was watching last night with my 10 year old daughter. I've totally geeked her out on Star Trek, so we were watching Star Trek, the original series last night.
Dan: I like it.
Vince: The episode Who Mourns for Adonais? Where it was Apollo. Cool stuff.
Dan: Who doesn't like William Shatner anyway? Okay guys, it's time for you guys to give a plug to one of your customers. How about that?
Vince: Yeah, so we thought today that we would give out an appreciation plug to the Greater Fort Walton Beach Chamber of Commerce, AKA the chamber in Fort Walton Beach on 34 Miracle Strip Parkway. The Chamber, obviously I'm the chair but the Chamber even before that embraced technology to sort of help promote people's businesses and just streamlined operations and to provide services to the members and the community. Right now they've gone totally virtual as we talked about and as I mentioned, a little bird told me that Ted is in there manning the emergency information center and the staff is working hard remotely. For all the small businesses out there, again the Chamber is providing COVID-19 community resources to your business members and our community and we want to thank them for being a loyal customer of Bit-Wizard. Sam, you want to add anything to that?
Sam: I've just been so impressed with the response from the Chamber over these last few weeks. A lot of people worrying about their businesses, worrying about what's going to happen in this economy and the Chamber has really stepped up and said, we're in this together, folks. We're fighting this together. We're going to keep our economy moving. People think of the economy as a single thing and it's either up or it's down. The economy is the flow of money within our community, the flow of funds, and so as long as I'm buying and as long as I'm selling and you're buying and you're selling, everybody else is doing so, the economy keeps going strong because then we can keep hiring people and giving people jobs and it keeps coming around full circle. I'm so impressed and so proud of our Chamber, really stepping up and doing everything that they can to keep the local companies working with each other, communicating with each other, helping each other out in this time of crisis.
Dan: Yep. I fully agree with you. It's pretty amazing, everything they put on their website to help the small business man out. Guys, were completely out of time. Always enjoy the show and look forward to next Tuesday. It's Bit-Wizards, Tip of the Wand. Have a great week, you guys.