A Real-World Example from the Workplace: Recently, a new employee at a company received a fraudulent text message on her personal phone, supposedly from the company’s president. The president had not sent any text, and the company had not stored her personal phone number. How did the threat actor know? It’s possible that a data broker linked the new employee’s private phone number with the president’s name at the new company by eavesdropping on a conversation, such as her telling a friend about her new job. Upon investigation, the employee found that some unexpected apps had access to her microphone.

A Real-Word Family Example: Last week, a husband and wife discussed dental options for their child at the breakfast table with their phones nearby. They hadn’t typed anything into a computer or searched online, yet less than an hour later, one received a text message from a company offering dental aligners. How could this happen? An app on their phone might have accessed the microphone, listened to the conversation, and shared the information with a data broker. The data broker then provided this information to a company selling dental aligners, prompting them to send a targeted text message. Have you or someone you know had similar experiences?

How It Happens: Some apps collect data, including audio data from a microphone, and sell it to data brokers, also known as Marketing Data Aggregation Warehouses. These brokers aggregate and sell data to various businesses, including marketing and advertising firms. These businesses then use the information to send targeted advertisements or, in the case of threat actors, perform sophisticated phishing attacks designed to extract sensitive information or commit fraud.

Apps are supposed to request your permission to access your microphone. However, this “user’s consent” often comes from clicking “Do you agree to the privacy policy” during installation. Most users do not read these policies and agree just to use the app. Privacy policies can be vague, stating that the user allows the app to collect information and share data with third parties.

Several types of apps can gather information for sale to data brokers and request microphone access in their privacy policies. These include:

• Social Media and Communication Apps: Use microphone access for features like voice messaging and video recording, sharing collected data for advertising.
• Virtual Assistants: Require microphone access for functionality, collecting voice queries and background noise for service improvement and advertising.
• Gaming Apps: Mobile games with voice chat request microphone access for communication, sharing user data for advertising.
• Productivity Apps: Note-taking and voice recorder apps request access for audio notes and transcriptions, collecting valuable user data.
• Health and Fitness Apps: Fitness trackers and health apps request microphone access for voice input, collecting sensitive health data.
• Utility Apps: Simple apps like flashlights and calculators sometimes request unnecessary permissions, including microphone access, to gather user data covertly.
• Marketing and Rewards Apps: Request location and microphone access to collect user data, which is then sold to data brokers.

These apps often include clauses in their privacy policies that allow microphone data collection, which users might unknowingly grant, leading to targeted advertising and other uses by data brokers.

For further reading, refer to articles like “FTC Cracks Down on Mass Data Collectors” by the Federal Trade Commission.

Protecting Your Privacy: To protect against such risks, Apple, Google, and Microsoft have all implemented ways to help ensure your microphone’s privacy even if users agree to the privacy policy. Instructions for disabling access to your mic are listed below. It’s crucial to regularly review and update app permissions on your devices, ensuring that only essential apps have access to sensitive data like the microphone.

Beyond Annoying Ads: Threat actors can use similar tactics to perform targeted attacks and commit fraud against individuals and their companies. For instance, the fraudulent text message received by the new employee could lead to more sophisticated phishing attacks intended for extracting sensitive information, transferring money, or other financial fraud.

Follow the instructions in the following draft memo you can send your workers and tell your family:

Memo to All Employees: Securing Your Microphone Privacy Settings

Dear Team,

We are committed to ensuring the privacy and security of our employees’ personal and professional information. Recent reports have highlighted the risks associated with apps accessing device microphones without explicit consent, potentially leading to targeted fraud and privacy breaches.

To protect your privacy and our organization’s security, we ask all employees to take a few moments to review and update the microphone privacy settings on their devices. Below are step-by-step instructions for various platforms:

For Apple Devices:

1. Go to Settings > Privacy > Microphone.
2. Turn off the microphone for all applications that do not need access to your mic.

For Android Devices:

1. Go to Settings > Type Microphone, Privacy, or Permission Manager in the search box. If you do not see the privacy settings, you might need to use a search engine or chatbot to find specific instructions for your device model and version of Android.
2. Turn off the microphone for all apps that do not need access to your mic.

For Windows:

1. Go to Settings > Privacy & Security > Microphone.
2. Turn off the microphone for all apps that do not need access to your mic.

For Macs:

1. Click on the Apple symbol > System Settings > Privacy & Security > Microphone.
2. Turn off the microphone for all apps that do not need access to your mic.

Practical Steps:

• Revoke Unnecessary Access: Disable microphone access for all apps that do not need it. Allow exceptions for essential apps such as video conferencing tools and browsers if you use them for meetings. If you are uncertain, restrict access; the app will request permission if it needs access in the future.
• Test Essential Apps: Before your next meeting, verify that the apps you frequently use for video conferencing and other essential functions work correctly with the microphone settings you have configured.
• Restrict Other Permissions: While adjusting your microphone settings, you’ll see other settings. To further protect your privacy, consider restricting access to your camera, location, contacts, and other sensitive data.

We live in a world where protecting our privacy is increasingly our responsibility. Threat actors are becoming more sophisticated, so it’s crucial to stay vigilant and proactive in securing our devices.

Thank you for your attention to this important matter. If you have any questions or need assistance, please ask.

(In the last sentence, you can give them more specific guidance on what to do if they have a question)

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Are Threat Actors Listening to Your Phone? Secure Your Mic to Reduce Security Risks and Protect Your Privacy appeared first on Foster Institute.

Credit Freeze

If you haven’t already, consider freezing your credit to prevent new credit accounts from being opened in your name without your permission. Here are in-depth instructions and details: Help Protect Your Financial Future: Freeze Your Credit – Foster Institute

Monitor Financial Accounts

Keep a close watch on your financial accounts for any unauthorized activity or transactions. Consider subscribing to an identity theft protection service, which can help monitor your information and alert you to potential misuse of your personal data. If you didn’t place the credit freeze mentioned above, doing so is essential.

Beware of Fraud and Scams

Beware of email, text, phone calls, or messages popping up on your computer that claim you are hacked and offer tech support help. Familiarize yourself and your family with the latest fraud techniques. Be skeptical of emails, phone calls, or messages that request personal information or direct you to websites asking for personal or financial data.

Be Cautious with Search Engine Results that are Ads

Threat actors can purchase ads so that, if you search for keywords such as ‘My phone provider database was hacked,’ the ad, disguised as a helpful search result, will appear at the top. This can lead you to a page designed to defraud you or compromise your computer

To help protect yourself, when you search, scroll down and click on the organic search results rather than the ads. You are more likely to access safer websites.

Malicious advertising is not limited to search engines. Advertisements on websites can be just as dangerous. These attacks are called malvertising and trick millions of users each year.

Change Passwords Immediately

If you haven’t recently, change passwords for all your accounts including phone provider, social media, banking, and other sensitive accounts, especially if you’ve used the same password for multiple accounts.

Use a Password Manager

Consider using a password manager to manage your unique passwords on every website. Detailed information about using password managers: Password Managers Speed Your Workflow – Foster Institute

Set Up Unique Security Questions

When setting up security questions, avoid real answers that are easy for a bad actor to research. Instead, use fictional answers like, “The fourth crater on the moon.” Save your secret answers in a randomly named file such as “socks.docx,” and consider encrypting this file for added safety.

Enable Two-Step Verification

Enable two-step verification for accounts. Prioritize setting this up on sensitive websites and services where it’s available.

Update Operating Systems and Software

Ensure that all your devices have the latest security software, web browsers, and operating systems updates and patches. This is one of the best defenses against viruses, malware, and other online threats.

Secure Your Tax Identity with an ID.me Account

Given that social security numbers were compromised, there’s an elevated risk of someone attempting to file a fraudulent federal tax return in your name. To combat this, consider registering for an ID.me account which provides access to IRS services. With this account, you can also apply for an IRS Identity Protection PIN (IP PIN) that adds an extra layer of security to your tax filings by requiring this unique six-digit number on your tax return.

Protect Your Property Records

With personal details like your SSN in the wrong hands, even your home ownership documents could be targeted. It’s advisable to monitor and possibly register your property deeds with services that alert you to any unauthorized filings or changes. While a universal solution for this isn’t available yet, taking initial steps such as contacting your local county clerk’s office to inquire about protective measures can be beneficial.

Awareness for Business Impact

Businesses, particularly those utilizing services from the breached provider, should be acutely aware of the implications this breach can have on their operations. It’s crucial for business owners to assess their exposure and strengthen their internal security measures, including employee training on data privacy and regular security audits to prevent further damage.

Register for Online Tax Accounts in All States

To prevent the misuse of your personal information for fraudulent state tax filings, consider registering for an online tax account in each of the 50 states. This pre-emptive registration can block identity thieves from creating accounts in your name, a tactic increasingly used to commit tax fraud across state lines.

Digital Footprint and Data Sharing

Be vigilant about the information you share online and through mobile applications. It’s crucial to minimize data sharing and scrutinize the permissions you grant to apps, especially those that request access to sensitive personal information. Educate yourself and limit exposures to safeguard against unauthorized data usage. The less information threat actors can gather about you, the more difficult it will be for them to misuse your identity.

Review and Update Privacy Settings

Regularly review and update your privacy settings on social media and other online platforms to ensure minimal public exposure of personal information. This proactive measure can significantly deter fraudsters from using accessible data to facilitate identity theft or scams.

Legal and Financial Consultation

Consult with legal and financial advisors to explore additional protective measures tailored to your personal or business circumstances. Discuss setting up legal structures such as trusts to shield assets, or other strategies that may offer enhanced security against identity theft and financial fraud.

Emergency Contacts and Protocols

Prepare an emergency contact list and establish protocols for immediate action if you suspect identity theft or if a data breach occurs. Include the contact information for essential services such as credit bureaus, your bank, and legal advisers, to ensure a swift and organized response to security threats.

Forward this message to your friends so they can follow these steps can help mitigate the damage from the breach and protect their personal information.

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.

The post Protecting Your Financial Interests in the Wake of a Major Data Breach appeared first on Foster Institute.

Credit monitoring is important too, and it catches problems after the fact. Credit freezes help prevent fraud from happening. When you place a credit freeze, lenders can’t access your credit report without your permission.

For example, if you want to finance a car purchase, you’ll contact the credit bureau to lift the freeze temporarily for an hour so the dealership can check your credit. The lender might congratulate you on being savvy enough to know to freeze your credit.

If an identity thief tries to get a loan or buy a car in your name, if the lender refuses to make the loan in your name if they cannot run your credit reports, then your proactivity blocked the thief! Congratulations!

Be sure to place credit freezes for the rest of your family, including your youngsters, to help stop fraudsters from taking out loans in their names too.

Read more from the Federal Trade Commission (FTC) at https://consumer.ftc.gov/consumer-alerts/2018/09/free-credit-freezes-are-here.

To make things easier for you, below are the contact details for the major credit reporting agencies to contact and ask them to place freezes on your credit. They may offer services for fees that might be different than freezing your credit, and you might decide that a free freeze is all you need:

Equifax: https://www.equifax.com/personal/credit-report-services/ or call 888-298-0045.
Experian: https://www.experian.com/freeze/center.html or call 888-397-3742.
TransUnion: https://www.transunion.com/credit-freeze or call 888-909-8872.

The information shared here is not financial or legal advice, only a suggestion to protect your security. Consult with legal and financial professionals who can guide you appropriately.

Please forward this to your friends so they can protect their financial well-being by freezing their credit too!

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Help Protect Your Financial Future: Freeze Your Credit appeared first on Foster Institute.

Data stolen may include contact information, dates of birth, driver’s license information, and Social Security numbers. Attackers can make money selling the information to people who could steal your identity and take out loans in your name.

Place a credit freeze on your credit report. To do so, contact all four: Experian, Innovis, Trans Union, and, you guessed it, Equifax. In total, you’ll spend less than $75 to place the freeze.

A credit freeze stops people for gaining access to your credit report. It is difficult for an imposter to borrow money if a lender cannot check a credit report first.

Remember, credit monitoring, though good, sometimes only catches bad things when it is too late.

A security freeze is more effective, and lasts longer, than a fraud alert.

Additionally, watch out for anything odd or abnormal on your bank statements. Download your credit reports every quarter to see what is on them. One way to see your credit reports is to use a service such as annualcreditreport dot com

The FTC gives suggestions about avoiding and handling identity theft at consumer.ftc dot gov/features/feature-0014-identity-theft

Equifax has set up a website equifaxsecurity2017 dot com for people to see if their information was part of the breach. However, many people have been experiencing problems with that website.

Executives – FYI: Reports say that the attack did not result from social engineering. In other words, nobody clicked a bad link in an email. The attackers got in because an Equifax website was insecure. Have you had someone check the security of your website lately? If your site simply displays static information, you are at a much lower risk than if your site has a place for someone to login and/or look up information via your site.

Reports say that the breach may have happened as early as May, and Equifax discovered the breach on July 29. The time between when attackers compromise a system, and when it is discovered, is called dwell time. The best thing to do is to stop hackers from getting in to begin with. Keep security a top priority at your organization! The attackers are counting on you to overlook important steps.

Please forward this to anyone you care about…

The post What You Need to Do to Protect Yourself after the Equifax Breach appeared first on Foster Institute.

Immediately change your password on Facebook.

If you haven’t done so, and every Facebook user should do this, turn on login approvals.

Go to Facebook dot com slash help and find the box at the top of the page named: Ask a question. Enter these words: How do I turn on login approvals.
Then follow the instructions.

Next, again at Facebook dot com slash help and, in the search box, enter: report an imposter account. The guide literally walks you through the process of what to do.

Please forward this to anyone you know who uses Facebook.

The post If Someone Impersonates You on Facebook appeared first on Foster Institute.

What if someone is angry at you, and they create your “death” and you wind up, so far as the government and business world knows, dead. Just try to apply for a loan or insurance after that! Am not sure if you will still have to pay taxes though… even after you are officially, but not really, dead.

Not only would this devastate you personally, the ability to forge someone’s death will create a whole new world of nightmares for businesses and governments alike. Imagine HR implications in your own organization. Insurance, accounts receivable, the list goes on…

But, all is not lost. He will also demonstrate how to create a new birth certificate. He shows how hackers can create a whole new identity.

And, related to identity theft, the hacker asks the question: If someone steals the identity of a person who isn’t a person, is that a crime since there is no victim?

How will it affect your organization if you don’t know who is really alive or dead, and if you can’t tell if people exist or never existed in the first place?

The post Hackers Can Kill You appeared first on Foster Institute.