Business Security Information

Well, we have had a good Thanksgiving meal, and most everyone has headed off to bed so it is now time for me to get down to writing this article.  Yesterday I received an e-mail from a friend stating she was out of the country visiting a friend that was ill.  Her friend was in need of surgery, and they were trying to recruit a surgeon from Israel and were in need of $2800 to pay for this necessary surgery.  First, I was suspicious that this was a fraudulent e-mail because I had just seen the person and knew that she had no plans of heading out of the country.  Secondly, the e-mail requested $2800 dollars which is a very small amount for a surgery, especially since the e-mail had an urgency about it leading the reader to believe that it may be a matter of life and death.  The return e-mail was also suspicious because the return address was a generic Yahoo e-mail address.

Crimeware is a form of of malware (malicious software) that is  used to attack your computer and/or network.  Crimeware is designed for one purpose which is to facilitate illegal or criminal activity.

This type of software is often used to commit identity theft.  Also, crimeware allows attackers to capture and export sensitive information which they can sell or use to exploit for some other type of financial gain.  Another common type of crimeware includes phishing kits that allow an attacker with little or no technical skill to launch a phishing attack.  This type of crimeware may include website development software, content for the site, and spamming software that will allow the attacker to send out mass e-mails to their phishing targets.

If you have not heard yet, the FTC (Federal Trade Commission) is changing the date they will start enforcing the Red Flags Rule.  The enforcement for this rule was to start last week on November 1, 2009, but has been delayed by the FTC until June 1, 2010.  This was announced by the FTC on Friday, October 30, 2009.

The Red Flags Rule is part of the Fair and Accurate Credit Transaction Act of 2003.  As discussed in my last article, “Complying with the Red Flags Rule”, businesses that are financial institutions or creditors must comply with the rule.  So, how do you know if this applies to you?  The definition of a financial institution is pretty straight forward and includes state or national banks, savings and loan associations, credit unions and any other institution that directly or indirectly holds a transaction account belonging to a consumer.  This transaction account is a deposit account or an account from which a consumer can make payments or transfers to third parties.  The definition of a creditor is a little more obscure.

When I was at my dentist’s the other day for my scheduled appointment, the receptionist asked me for my driver’s license and then made a copy of it.  Curious about why they did that and concerned about protecting my personal information, I asked them why they needed a copy of my driver’s license.  The lady explained that they were getting copies of all patient’s drivers’ licenses to comply with the FTC (Federal Trade Commission) Red Flags rule.  Now I knew some about the Red Flags rule, and it just did not seem necessary to make and store a copy of all your patients drivers’ licenses.  I discussed this issue with the dentist, who is also the owner of the practice, during my appointment, and I found out they were just going by information they had received as a member of the ADA (American Dental Association).  The dentist really did not know much about the Red Flags rule but was just following what he had received from the ADA because he was worried about getting in trouble from the FTC if they ever investigated his business.

Kaspersky Lab, an anti-virus/malware company, recently published a “Stop Cybercrime Guide” which I have read, and I think is an excellent overview of many of the computer security threats a business, home office or individual users may face.  Information covered in this short, 10-page document includes:

• Types of malicious programs and how to protect yourself against them.  Some of these protections you may have heard of before, such as installing security software, updating your software, backing up your data, and not using the administrator account except when needed, which I discussed in a previous article.

Websites and Phishers

I had just got done writing about recent website attacks on a variety of small business websites when I came across updated statistics from the Anti-Phishing Working Group that show even more of a need to protect your website.  The statistics indicate that the majority of criminals are actually using legitimate business websites when carrying out phishing scams.  The information shows that the fake or forged websites are only used by these con artists in 13 percent of the phishing attacks.  With a total of 30,454 domain names used by phishers in the last half of 2008, only 5591 of these domains were ones the phisher had set up themselves.  The remaining phishing attacks were using legitimate business domains.  This contradicts some of the information in my phishing article and is all the more reason to protect your business website and brand.

Scams abound in today’s society, but the scams of today are not that different from those of the past. The only difference is the method of delivery and the number of people that can be reached at one time.  Today’s technology now allows large numbers of people to be reached all at once through “phishing,” one of the most popular scams.  Phishing is a form of e-mail fraud in which the scam artist tries to obtain personal and financial information from someone.  It generates millions of dollars even when only a low percentage of people respond to the phishing e-mails.