August 2019 Savvy Cybersecurity Alerts
Welcome to your August Savvy Cybersecurity newsletter. It is hard to believe that summer is coming to an end.
But for now, let’s cover the cybersecurity happenings this month, including:
- A ranking of the wireless routers on the market
- Why your office printer could be putting your cybersecurity at risk
- Why iPhone users need to update their devices immediately
- And more
How to be cyber-secure when buying real estate
Imagine going through the long, stressful process of selling your home and finally celebrating when the house is sold and your mortgage has been paid off–only to find out that the money is missing. That is what happened to the Masucci family of Glen Ridge, NJ as reported by The Wall Street Journal.
After owning their home for 30 years, the couple sold it for $840,000. On the day of the closing, the title company wired $180,000 to pay off the mortgage per the lawyer’s instructions. A few weeks later, however, the Masuccis were told that their mortgage payment had not been received. They soon learned that a hacker had gotten into their lawyer’s email and sent fake payout instructions to the title company. The $180,000 had been wired to the hacker’s bank account.
After seven months of negotiations, the title company agreed to pay off the mortgage. They were not able to catch the hacker or call the money back. This type of fraud is not uncommon. According to the FBI, over 11,000 people suffered from real-estate wire fraud last year totaling $149 million in losses.
Various groups are working to raise awareness of this type of fraud. Real-estate industry groups have joined together to launch the Coalition to Stop Real Estate Wire Fraud. In addition to educating home buyers, they’d like to see changes to the law. For instance, banks could require that the name of the person or organization on the wire request matches the name on the bank account.
Until laws are passed, however, here are some ways you can protect yourself from this scheme:
- Talk to your lawyer and title company about this scam and be sure they are aware of the dangers.
- Ask to see all wire-related documents before any money is moved.
- Double-check all bank account information in person or over the phone with your lawyer before any money is moved.
- Confirm with the mortgage company right away that the money has been received.
If you or someone you know is in the process of selling a home, be sure you refer back to these tips. Experts warn that it is very difficult to recover these funds, especially as time goes on.
Cybersecurity shorts
Nearly half of high-net-worth investors are concerned about the security of their financial information online, according to a survey by Morgan Stanley. The survey found that 82% of investors expect their financial services firm to offer online account access, but half are still worried about their levels of security. Millennials are twice as likely as older investors to feel confident in their ability to keep their information secure. Advisors can remind investors of important cybersecurity practices like implementing two-factor authentication and logging on to their accounts from secure Wi-Fi.
The Bluetooth feature on your iPhone may make it easier for hackers to spy on you. According to experts, simply leaving the function on can allow others to see the device’s name, the OS version, and battery information. Even more concerning, using AirDrop or Wi-Fi password sharing can expose your complete phone number. To be safe, turn these features off when not in use.
School districts around the country are being hit with ransomware attacks. Last month, districts in Alabama, Connecticut, Louisiana, Nevada, New Mexico, New York, and Oklahoma all suffered a form of ransomware. Many experts believe schools are being targeted because most school districts have a fairly limited IT team, leaving networks vulnerable. School districts should be proactive in backing up their data and training staff on cybersecurity leading into the new school year.
Another reason to make sure your online banking is protected with a strong password: Hackers have found a way to drain accounts that use weak passwords even if two-factor authentication is turned on. Security expert Brian Krebs exposed a new tactic this month in which hackers take stolen credentials from hacked sites and use them on third-party financial sites such as Mint, Plaid, and Yodlee. If the credentials work, the hackers can view balances and recent transactions even if multi-factor authentication is enabled with the bank. From there, they send spear-phishing attacks to try to gain access. If you use a third-party financial site, be sure to use a unique username and password.
Consumer Reports has released security results after testing 29 different routers. The consumer resource created a test screening for 60 different indicators of good security and scored routers on a 100-point scale. They found issues such as 11 different routers accepting weak passwords. The ratings are a part of Consumer Reports’ new initiative called Digital Lab that will allow the company to test more devices for security and privacy.
Beware of fake Equifax settlement sites. The Federal Trade Commission has warned that fake Equifax settlement websites have popped up following the settlement announcement. To be sure you are sharing your information with the legitimate website, only use ftc.gov/Equifax.
State Farm customers may want to change their password. The insurance company announced a breach this month, confirming that some accounts were accessed after a hacker attempted to log in with a stolen list of usernames and passwords from other data breaches. State Farm says it reset passwords for those affected.
Your printer may be putting your cybersecurity at risk. Security experts at the DEF CON convention warned that popular printer devices contain some serious cybersecurity vulnerabilities. Printers made by Xerox, HP, Brother, and others can be hacked and allow unauthorized users an entry into the network—making it especially dangerous for offices. The researchers who discovered the flaws worked with the companies affected and most have patched the hole.
Fingerprints, facial recognition information, usernames, and passwords of over 1 million people were discovered on an accessible online database. The company responsible for the leak is Suprema—a security company used by the UK Metropolitan police, defense contractors, and banks. Experts are especially concerned due to the leak of fingerprints—while a password can be changed, a fingerprint cannot. As we move more into the biometric password world, leaks like this are a concern.
Capital One hacker may have stolen data from 30 other companies. This information was shared in federal court filings against Paige Thompson. While the filing does not name the other companies, reports say that the Ohio Department of Transportation, Ford, and Michigan State University may be victims. Thompson says the information was not sold or shared.
New scam promotes fake customer service phone numbers on Google Maps. The Better Business Bureau reports that scammers are creating these fake numbers and getting them to the top of Google search results through paid ads. Many of these phone numbers are wrongly called when consumers ask their voice assistant to search for and call a company. When you are connected, you are speaking to a scammer instead of the company. Instead, look up the phone number yourself to ensure you are calling the legitimate company.
Software updates
Adobe: Adobe released updates this month for Acrobat and other free PDF reader products. You can read about the updates here.
Apple: iPhone users should update their operating system as soon as possible to address CVE-2019-8661. Google Project Zero posted this month about Apple flaws that could allow hackers to take over your devices. Unfortunately, the latest update does not fully protect against this flaw, so be sure to install the next update when it becomes available.
Microsoft: Microsoft released patches fixing over 90 security issues in its products this month. Seventy of the flaws are in the Windows 10 operating system and while none are considered zero-day exploits, there are some critical fixes. Your devices should prompt you to update automatically but you can learn more about the updates here.