The following alerts are found on external websites. Please click through the links to view updated alert information

 

Consumer Alerts

FDIC Consumer News and Information

FDIC Consumer Protection

Health Insurance Marketplace Fraud

IRS Tax Scams/Consumer Alerts

Federal Trade Commission Scam Alerts
 

Security Tips:

  • Change your password on a regular basis (a combination of letters, numbers and special characters creates a stronger password)

  • Never share your Online Banking User ID or password

  • Never leave your User ID or password anywhere that someone else can obtain and use it

  • Always logout of your internet banking session or any other website you’ve logged onto

  • Be suspicious of any e-mail with urgent requests for personal financial information

  • Never open ANY attachments from an unknown source

  • If you notice anything suspicious on your account(s) please call us at 620-397-5324

Security Tips

10/17/2022

Healthcare Reimbursement Phishing Scams

When you request a reimbursement from your healthcare provider, it may be completed through a third-party payment processor. These payment processors often offer direct deposit payments so you can get reimbursed as soon as possible. Unfortunately, cybercriminals can use social engineering to try to steal your reimbursement.

In a recent scam, cybercriminals are sending phishing emails that appear to be related to an active reimbursement request. The emails ask you to verify your request number and other identifying information to finish processing your request. If you provide this information, cybercriminals can use it to gain access to your account by verifying your identity. Then, they can update your direct deposit information to redirect payments to their own bank accounts.

Follow these tips to stay safe from healthcare claim scams:

  • Never click a link in an email that you aren’t expecting. Contact the payment processor directly by using a known phone number or email address.
  • Watch out for notifications that your account information, such as direct deposit information, was changed.

Always enable multi-factor authentication (MFA) on your accounts when available. MFA adds a layer of security by requiring that you provide additional verification to log in to your account.

 

9/15/2022

Malicious Monkeypox Scams

As health-related anxiety continues to be high from the COVID-19 pandemic, cybercriminals are creating scams to target a different health concern. Cybercriminals are using fear about monkeypox outbreaks to scare you into sharing sensitive information.

In one scam, cybercriminals send you an email about the latest monkeypox outbreaks and provide a link to mandatory safety awareness training. When you click this link, you’ll be taken to a fake Microsoft login page. If you enter your login credentials, you won’t get access to monkeypox safety awareness training. Instead, cybercriminals will get access to your credentials and account.

To stay safe from similar scams, remember the following tips:

  • Cybercriminals often use alarming topics to trick you into clicking impulsively. Always think before you click!
  • If you receive an unexpected training notification, reach out to your manager to confirm that the training is legitimate.
  • Before you click a link, hover your mouse over it. Watch out for links that are suspiciously long or show a different domain than the official website.

 

8/18/2022

Zero-Day Chrome Vulnerability No. 5 for 2022

The fifth Google Chrome zero-day vulnerability of 2022 has been disclosed.  Automatic update patches are being pushed out in stages, but anyone can manually update now.  The vulnerability, CVE-2022-2856 has a ‘high severity’ rating, and follows, CVE-2022-0609 in February, CVE-2022-1096 in March, CVE-2022-1364 in April, and CVE-2022-2294 in July.

Google Chrome is the most popular browser in the world, owning almost 65% of the market.  For more details about this zero-day vulnerability go to, https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html.

Authored by: Brad Goetsch

 

8/15/2022

Scam of the month – Using QuickBooks to make a quick buck

QuickBooks is a popular accounting software that offers free accounts to its users. While many individuals and organizations use QuickBooks to track their finances, cybercriminals have been using it to run a “business” of their own. In a new scam, cybercriminals create a free QuickBooks account and use the associated email address to send you malicious emails.

To start, cybercriminals send you a phishing email that appears to be an invoice from a reputable organization, such as Norton or Microsoft. The email includes a phone number and directs you to call if the invoice seems suspicious. If you call the phone number, you’ll be asked to confirm your credit card information to cancel the fake transaction. Unfortunately, if you share this information, the cybercriminals can use it to make their own purchases.

To protect yourself from this malicious scam, follow the tips below:

  • Never call a phone number provided in a suspicious email. Instead, visit the organization’s official website to find their contact information.
  • If you’re asked to verify payment information over the phone, ask the caller to tell you what they have on file. If they decline, only provide the last four digits of your payment card number.

Cybercriminals can use fake invoices to alarm you and trick you into clicking impulsively. Always think before you click!

Authored by: CalTech

 

8/4/2022

Don’t Post That Pic!

A little advice on oversharing sensitive personal information this week.  Ah, summertime.  It’s a time for relaxation and fun, but for some, it is that time of year their teenage driver FINALLY gets their learner’s permit or restricted driver’s license.  There were likely many stressful hours in the car earning this coveted piece of freedom, not to mention the countless brake checks, the thumping of a parent’s foot on the imaginary brake pedal in the passenger floorboard, or maybe just the sheer number of times that little handle above the passenger’s seat was grabbed.

But now the young driver has their license!  Not only does this open a new world of possibilities to them, but the parent also unlocked a parenting achievement, someone to run errands for them!  This achievement can make a parent (or kid!) want to boast proudly with a a picture of a young driver with their newly acquired driver’s license on social media.

There is some risk here!  Phone cameras are pretty good today, and it’s not hard at all to zoom in and clearly see the driver’s license number, legal name, date of birth, and signature!  If you want to post that picture, do the responsible thing, and blur or obfuscate that info before you post it.  It is obvious what they are holding (with the DMV in the background), don’t give the bad actors of the world that personal information so easily.

Authored by: Dave Kelly, PenTest+, CEH

 

6/30/2022

Top 8 ways to have a safe and happy Independence Day!

While you are out enjoying your 4th of July holiday, here are a few tips to keep in mind:

  • Avoid storing fireworks in server rooms . . . or in the cloud;
  • Make sure your family turns on the Find my phone feature before you go to the fireworks show.  Somebody always puts their phone down and they can’t find it in the dark.
  • When grilling, keep tablets and smartphones away from the grill.  Your melted device may limit your MFA capability;
  • Stay off public Wi-Fi networks, or your ‘Independence’ might be hampered for a while;
  • Think twice before using any fireworks that have a USB connection and require the installation of “drivers;”
  • When using an old server as a boat anchor remember to remove and destroy the hard drives first; and
  • If the fireworks are being sold out of a back room and they ask if you’re an ATF Agent, you may want to find a new store to shop!

 

6/23/2022

ELDER FINANCIAL EXPLOITATION – ENOUGH IS ENOUGH

Sadly, we’ve all seen, heard, or read articles regarding the proliferation of scams during the past two years.  I would venture to guess that most of you are like me … nothing gets my blood boiling more than hearing about those schmucks out there who have scammed and defrauded an elderly person.  I remember my own parents and grandparents and how hard they worked for every dime they earned, and I can’t understand how anyone would think it’s acceptable to exploit the elderly population.

On June 15, 2022, FinCEN issued an advisory which highlights behavioral and financial red flags to help financial institutions identify, prevent, and report suspected elder financial exploitation (EFE).  EFE is defined as the illegal or improper use of an older adult’s funds, property, or assets.  The advisory points out that elder abuse, including EFE, affects at least 10% of older Americans each year and that the estimated dollar value of suspicious transactions linked to EFE exceeded $3.4 billion in 2020.  What’s even more upsetting is that many of the perpetrators are known and trusted persons of the older adults, but there is a rising trend of scams that originate outside of the U.S. by individuals that have no relationship with the victim.

Many years ago, FinCEN added a specific category for EFE to the suspicious activity report (SAR).  But in addition to filing a SAR, financial institutions should refer their older customers who may be a victim of EFE to the Department of Justice’s National Elder Fraud Hotline (833-FRAUD-11).  Many states also have requirements that financial institutions contact local law enforcement or the applicable state’s Department of Aging or similar agency to report such activity. If you aren’t filing EFE SARs, you may need to beef up your controls – keep in mind that according to FinCEN the MAJORITY of EFE incidents go unidentified and unreported.

The newest advisory is linked here for your convenience.  Even if you think, “Oh, that’s a Compliance or BSA matter” – think again.  We all have elderly loved ones who can fall victim to a scam, so educate yourself and help protect them!  https://www.fincen.gov/sites/default/files/advisory/2022-06-15/FinCEN Advisory Elder Financial Exploitation FINAL 508.pdf

Authored by:  Joann Lang, CAMS, CIA, CCBP

 

6/16/2022

Memory Lane

As 10-D is approaching our 18th year and it has fallen to me to write the WST this week, it got me wondering what some of our first weekly security tips were about.  So, I dug around in the archives and found some classic topics from our first year of tips; Java, Vishing & Smishing, Remote Access & Multi-Factor Authentication, ATM skimming, and password management, just to name a few.

One in particular caught my eye regarding password length.  Remember when the password length recommendation was 8 or more characters?  That was the message of this early WST.  It even included a chart noting it would take a hacker 115 days to crack an 8-character password.  Today, the bad guys will crack your 8-character password in 8 hours.  Yes, the bad guys are getting better, too.

Currently, 10-D recommends 10 or more characters using numbers, symbols, and upper- and lower-case letters.  Make it a passphrase so it is easier to remember and save yourself some reset headaches.  These changes will bump up hack time to about 5 years, so you should be well on to a new password by the time they crack this one!

Authored by: Brad Goetsch

 

6/2/2022

New Zero-Day Vulnerability Affecting Microsoft Products

On May 30, Microsoft reported a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT).  Dubbed “Follina,” this vulnerability could be exploited by a malicious attacker to execute arbitrary code on a Windows system using the MSDT URL protocol via Microsoft Office applications (such as Microsoft Word).  Microsoft is reporting that an attacker that successfully exploits this vulnerability could install unauthorized programs, impact data, or conduct other unauthorized activity on an impacted system, including running arbitrary code.

At this time, no patch is available for this vulnerability.  Microsoft has provided workarounds for this issue, listed in the link below.  Basically, the workaround uses the Windows registry to disable the MSDT URL protocol.  For people and organizations using Microsoft Defender products for antivirus, Microsoft also provides additional guidance in the same article: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

As always, testing is important!  Consider working with your technical resources to test system changes before rolling them out to your whole organization.

We are also seeing that many antivirus vendors are pushing antivirus definition updates that can detect and block this vulnerability.  Organizations may want to check with their antivirus vendors to understand any recommended actions specific to their product. 

Authored by David Bentley, CISSP

 

5/19/2022

Do your backups match your expectations?

A previous WST (https://10dsecurity.com/wst/building-blocks-of-a-business-impact-analysis.html) described what a business impact analysis (BIA) is and how it’s a key component of your business continuity program and disaster recovery success.  If you’ve done the work to define recovery point objectives, have you also made sure that your backups actually match your needs?  For instance, if a server has a recovery point objective of eight hours but you are only backing it up every twenty-four hours, your backups are misaligned!  Should system recovery be necessary, data loss beyond eight hours may be experienced.  When updating and reviewing the BIA, we recommend that you include a review of your backup retention schedule to ensure that all backups meet the institution’s BIA requirements for recovery point objectives.  You may find systems that you need to expand backup frequency.  Or, you may find BIA requirements that are unrealistic or unattainable.  In those instances, it may be wise for the institution to adjust expectations or develop other processes to resolve the planning gaps.

Authored by: David Matt, CISSP, CEH

 

5/12/2022

Are You Sure That Laptop is Secured?

One of the many areas we look at when conducting an IT audit is the security of portable devices, including laptops.  With the proliferation of laptops that are now enabling so many remote workers, it seems obvious to inquire about the security of the information that might be found on devices that are sometimes outside the institution’s normal physical controls.  Laptops are at a higher risk of being lost, stolen, or accessed by unauthorized persons.

When discussing laptop security, we sometimes hear, “Our policy is not to let employees store any customer information on the laptop, so we don’t feel there is any value in encrypting the laptop’s storage.”  While this is probably a well-intentioned belief, this overlooks several ways sensitive information may be stored locally.

Application data – Many applications will keep working copies of files, at least in temporary storage.  For example, when you open a Word or Excel file, the application may open temporary storage locally on the laptop or workstation while you are editing files.  Think of it as a scratch pad the application uses, which could include almost any content from the file being edited.  If the application ends abnormally, that temporary data may accumulate instead of being deleted normally.  Other application data may be more permanent, such as personal archive files that Outlook may be saving locally (i.e., .pst files) that may contain massive amounts of personal or sensitive information.

Windows temporary data – Much like the application-specific temporary storage discussed above, Windows creates temporary files as well.  These files are usually hidden from the end user seeing them, but they also can contain some sensitive information.  Not as likely to include customer data, but these temporary files could provide useful information for a potential attacker as there may be user IDs, network topology data, configurations, recovery files, and other infrastructure information that shouldn’t be disclosed.

Deleted files – Wait, how are deleted files a risk?  Often, when files or folders are deleted, Windows won’t truly delete all the data from storage and will instead only erase the listing (or index) of that information.  An analogy would be a library where the index listing for a book is deleted but the book is left on the shelf.  Deleting the index listing will make it harder to locate the book, but it will still be there.  That is essentially how Windows works when a file is deleted, only the index is deleted, and the actual file contents will often stay on the local drive until the space is needed for a new file object.  There are special applications made for discovering the data from “deleted” files, available to any motivated person.

Cloud storage – If an institution is using a cloud storage solution, such as Google Drive or Microsoft OneDrive, and it is configured to synchronize data locally, then it will retain copies of files on the laptop or workstation.  As an example, OneDrive will usually keep local copies in C:\Users\[username]\OneDrive.

Intentional – Even when the institution is operating with the best of intentions, it is not uncommon for a rogue individual to intentionally circumvent the rules or inadvertently save files to their desktop.  They may only be taking home a file to work on over the weekend, but it is a potential risk, nonetheless.

There is a simple solution, and that is whole disk encryption. Most versions of Microsoft Windows have the functionality built in (BitLocker) and only need it to be configured (by a qualified IT administrator).  Whether built-in encryption or another readily available commercial solution is used, implementation will result in well-protected storage on the laptop (this functionality also exists for desktops).  If a laptop with encrypted storage is lost or stolen, the institution will be out the value of the device but will have a substantially lower risk of information disclosure.

Authored by: Jim Baird, CBCP, TCNA

 

 

 

 

 

 

default photo

NOTICE OF EXPIRATION OF THE TEMPORARY FULL FDIC INSURANCE COVERAGE FOR NON-INTEREST-BEARING TRANSACTION ACCOUNTS: By operation of federal law, beginning January 1, 2013 funds deposited in a noninterest-bearing transaction account (including an Interest on Lawyer Trust Account) no longer will receive unlimited deposit insurance coverage by the Federal Deposit Insurance Corporation (FDIC). Beginning January 1, 2013, all of a depositor’s accounts at an insured depository institution, including all noninterest-bearing transaction accounts, will be insured by the FDIC up to the standard maximum deposit insurance amount ($250,000), for each deposit insurance ownership category. For more information, visit www.fdic.gov.