Why Are You Getting This?
You signed up to receive the Tips, initiated contact to stay in touch with Rebecca and/or Privacy & Security Brainiacs (PSB), or consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.
Financial institutions…"because that’s where the money is"
In addition to scamming the general public, cybercrooks love targeting the full range of financial organizations (and their business partners) because, as famous 1930s bank robber Willie Sutton would say, “That’s where the money is.”
This month we are highlighting some of the many ways in which online and offline crooks try to obtain financial information and digital funds.
Do you have stories, examples, or concerns about the topics covered in this issue that you would like us to provide feedback on? Send them over! We may discuss them in an upcoming Tips.
We hope you are finding all this information valuable. Let us know! We always welcome your feedback.
Stay aware, and keep more of your hard-earned money in your pockets and online accounts!
Thank you for reading!
Rebecca
We would love to hear from you!
May Tips of the Month
- Monthly Awareness Activity
- Privacy & Security Questions and Tips
- Data Security & Privacy Beacons*
- Privacy and Security News
- Where to Find the Privacy Professor
Monthly Awareness Activity
May is designated as “Small Business Month.” The goal is to help “small business and startup owners begin and succeed in their businesses.”
Establishing data and cybersecurity, privacy, and compliance programs is critically important for such business success. With this in mind, to support Small Business Month, here are a few activities small (including sole proprietors and those who are self-employed), medium, and even large businesses, can do to strengthen their security and privacy protections while also supporting compliance with a wide range of legal requirements.
Pass them along to your business partners and contracted entities to remind them of the need for security and privacy protections.
- Read your website's privacy notice (often called the privacy policy).
- Do your internal activities support the promises you are making within it? If not, you are putting your business at risk. Your business actions must comply with your privacy promises, or you could be fined, face lawsuits, and more.
- When did you last update it? If it has been longer than 12 months, we strongly recommend that you review your privacy notice and ensure it correctly represents and describes your business practices. If it doesn’t, update the notice or change your practices accordingly (and be sure to update the last review date on the privacy notice on your site).
- Read your website's security notice (also often called the security policy). As with the privacy notice, ensure your security notice is accurate and that you’ve reviewed and updated it within the past 12 months.
- Ensure you have the basic security and privacy components within your programs that are generally required by most data protection and privacy laws, regulations, and contractual requirements. These include security and privacy:
  - Documentation (such as within an inventory) for the personal data you collect, derive, store, process, and share with others, and where that data is located throughout the full data lifecycle
  - Documented policies and procedures
  - Regular training and ongoing awareness messages and activities
  - Risk management activities, including risk assessments
  - Management processes for contracted entities
- One area that organizations often overlook is the disposal of computing devices and storage media. Completely remove data from computing and storage devices before you sell, donate, or dispose of them. If you don’t know how, contact us, or simply completely smash them to pieces. (Put on some eye protection first, for your safety!)
What other activities do you suggest for making your own Small Business Month: Privacy and Security Protections? Are you planning to do one of these suggested activities or your own? Or are you doing an awareness event for a different recognized day or week in May?
Privacy & Security Questions and Tips
Rebecca answers hot-topic questions from Tips readers
May 2023
Here are a few questions we’ve received over the past few months about privacy, security, and compliance. We’ve received many! Those we did not get to here may be included in an upcoming issue.
Are the answers interesting and/or useful to you? Please let us know! Keep your questions coming!
Q: What does "pretexting" mean? A reporter kept using that term when reporting about financial crimes but never explained what that meant. Is it a new type of texting?
A: Pretexting generally means pretending to be someone else to gain a targeted victim’s trust and then manipulate them. Pretexting is a tactic used by social engineering crooks to trick people into handing over data or access to computers, and into doing activities that benefit the crooks’ criminal intentions. Pretexting is often used in phishing emails, such as when cyber crooks send emails to their targeted victims pretending to be from the IRS and threatening to imprison the recipient unless they agree to wire money or pay in bitcoin immediately for “back taxes.” Pretexting is also used in scam phone calls, text messages, social media sites, and anywhere else communications occur. Pretexting is a very effective tool in financial crimes.
Fun facts: The term “pretexting” originated in the 1510s from a French phrase that means “that which is assumed as a cloak or means of concealment,” while the word “texting,” as in sending phone messages, originated in 2005, as a shortened form of the longer phrase, “text messaging.”
Q: What are the most common financial crimes?
A: Earlier this year (2023), the US Federal Trade Commission (FTC) published its “Consumer Sentinel Network 2022” 91-page report about this topic. The top 29 financial crime categories from that report are shown in Table 1. Notice the #2 financial crime, “Imposter Scams,” is about pretexting, mentioned in the previous answer.
Table 1: Top Financial Crimes in 2022. Source: FTC.
Q: Do you think AI and ML will help to reduce financial cybercrime or make it worse?
A: Yes. Artificial intelligence (AI) and machine learning (ML) tools cover an endlessly wide range, some of which will be beneficial for preventing and reducing financial cybercrime and others that will be used to commit cybercrime. Here are a few examples:
- How AI/ML can help reduce financial cybercrime: There are many ways! A few include:
  - AI/ML tools are being used to analyze huge databases to identify anomalies and patterns that suggest cybercrime and fraudulent activities are occurring.
  - AI-powered fraud management systems are also being used to identify and prevent various types of payment fraud, identity theft, phishing attacks, and other criminal activities.
  - Since AI/ML tools continuously self-adapt through use, well-engineered AI/ML tools can “learn” from new types of fraud patterns and trends, ultimately improving the detection of more types of fraud as time passes.
  - AI/ML tools are also being integrated within security systems to perform identity verification and biometric authentication more accurately, also supporting cybercrime prevention.
- How AI/ML tools are being used in many ways to support committing financial cybercrime: There are also many ways! A few include:
  - Using chatbots (those interactive communication boxes with customer service) to commit phishing scams, identity theft, and a wide range of social engineering attacks. A common crime currently being committed involves cybercrooks using chatbots to impersonate customer service representatives for banks or other financial institutions. The fake financial organization chatbot then engages the targeted victim in a conversation, asking for personal information such as bank account number, account password, Social Security number, and more. The chatbot explains quite convincingly that this is needed to resolve a problem or to first verify the target’s identity. Many cybercrooks have obtained financial information in this way to perform a wide range of crimes, such as taking all the money out of the victims’ accounts, committing identity fraud, and more.
  - AI scammers are cloning people’s voices, including kids' voices, to lure folks into sending money. All the crooks need is a short audio clip of a person’s voice to create a believable clone of that voice. Such scams are so effective and common that the US FTC recently issued a consumer alert warning about voice cloning.
  - Cybercrooks are using AI to create deep fakes (manipulated images or videos that look like real people, usually those known to the public). One tactic is using AI to create deep fakes for sextortion and revenge porn, the results of which look very real, even though the victim did not actually perform the activities shown in the deep fake videos or photos. These examples of AI-generated deep fakes are quite convincing.
Many more examples could be provided, but this should demonstrate the variety of real-life examples that are increasing in occurrence.
Q: Have ChatGPT, Bard AI, or other AI been used in financial crimes?
A: Yes. In addition to having beneficial impacts, ChatGPT, Bard AI, and all the others like them are making it easier for scammers and cybercriminals to steal money and valuable data from their victims. They can be so convincing that consumers can’t distinguish between legitimate and fake information. For example, emails with a subject line touting the power and increasing use of ChatGPT are being sent to potential scam victims in Denmark, Germany, Australia, Ireland, and the Netherlands. ChatGPT is also used to create malicious code, such as ransomware, to launch against organizations and reap large financial paydays from the victims. ChatGPT is also used to create chatbots impersonating women to fool targeted victims into sending money.
Q: Regarding your information about check washing a few issues back, thank you! Check washing happened to my family member. I showed him your article/answer, and he is now changing how he pays with paper checks. Are there any more tips you have related to this while we are "changing our ways"?
A: You are welcome! We are happy you found the information from our December Tips helpful; thank you for letting us know!
Police reports worldwide indicate that check-washing crimes are increasing in frequency. The Better Business Bureau reports that check washing in the US results in $815 million in annual losses to individuals, businesses, and financial institutions. This demonstrates that while new cybercrimes emerge, long-existing crimes continue to be committed. As people become less familiar with using old-fashioned paper checks, criminals see an opportunity to use check washing even more.
As a reminder, check washing erases payee names and dollar amounts from checks. It is accomplished using a chemical solution such as acetone (the active ingredient in nail polish remover and paint thinner). The crooks then rewrite the check to steal money from the victim.
In addition to the information we provided in December, here are some additional actions you and your family, friends, and co-workers can take to help prevent becoming victims of check washing:
- Use a blue or black gel pen. Gel pens often use ink that is harder to wash off. Some gel pens, such as Uni-Ball pens with Super Ink, even claim their ink protects against fraud.
- Take envelopes containing checks to the post office to mail. You will minimize the likelihood a thief will steal your check by putting it into the mail at the post office rather than from your home. In some geographic locations, drop off such mail before the last daily pick-up or at your post office. And in some geographic areas, it is best to even avoid using the publicly available government-issued mailboxes (blue ones in the US) found throughout most urban areas. When mailing a check from your home, if you know your mail delivery person will check inside, don't raise the flag on your mailbox or clip your mail to the outside of the mailbox. Thieves keep an eye out for these.
- Collect the mail from your mailbox daily. Never leave your mail in your mailbox for an extended period. You never know when a thief will try to steal your mail, so it's best to check your mailbox frequently. You can also sign up for Informed Delivery from the USPS to get an email with images of the letter-sized mail you should receive each day; it also indicates if you will be getting packages. We use this, and it has been very helpful. Is this offered in other countries? International readers, please let us know!
- Ask for a USPS mail hold when away from your home. You can request a USPS mail hold, and the USPS will hold your mail for up to 30 days. Is this offered in other countries? International readers, please let us know! Or, get a trusted friend or neighbor to pick up your mail while you are away.
- Frequently review your checking account. Look at the documentation and amount for every check. Notice unusual or unexpected withdrawals or an amount for a check number that does not match the check you wrote and recorded. Monitor the online images of checks you wrote that were cashed; look for signs that they have been altered. Also, look for checks that haven’t cleared and check for past-due notices.
- Consider going paperless. One of the best ways to avoid check-washing fraud is to stop using paper checks. Transition to paying bills using online sites that demonstrate strong security controls. Send money transfers and ACH payments through your bank. Use electronic bill pay and transfers. Many banks and credit unions offer free online bill-pay services. More and more folks are using peer-to-peer payment apps, which could be a good option when sending money to friends or family, but only if you first check to ensure the app is legitimate, uses strong security safeguards, and protects your privacy. Check their website privacy and security notices.
- Shred any old checks still in your possession. If thieves get their hands on blank check stock, you are handing your money over to them. Even if the accounts are no longer open, forged checks will create a hassle for you to resolve.
- Share your new check-washing knowledge! Warn family members and friends who regularly send checks about the dangers of mail theft and the steps they can take to help avoid check-washing fraud.
Q: The FBI and FCC recently warned that those free USB charging stations in public spaces, such as airports, hotels, etc., can have devices hidden within them to steal data, spread malware, etc. I recall you wrote about this in past Tips issues, didn’t you?
A: You have a great memory! Yes, I covered this in a couple of Tips issues throughout the years. And, in 2018, I covered this in episode 39 of my radio/podcast show, and at on-site security and privacy corporate training courses in 2010, when I first became aware of what was then an emerging new threat from a business friend, who may have invented what was the first juice jack blocker.
Tiny skimmers can be put within the USB charging ports; these then copy data and software from the devices charging there, and can also be used to plant ransomware, keystroke loggers, and other types of malware. These skimmers are very hard to see inside the USB ports and in most cases impossible to see, unlike the credit card skimmers on gas pumps and credit card payment processors, which you can usually spot if you look closely and jiggle the swipe device. Also, the cords so commonly found at charging stations may have been replaced by a crook with a data-capable cable instead of the charge-only cables typically located at those stations. Some of the cords aren’t used to take data or plant malware but instead to ruin your device by applying a destructive voltage level.
We’re glad the FBI and FCC warn about these risks with public charging stations and USB ports. And yes, carrying your own charger and USB cord and using an electrical outlet instead is one option. A portable charging device is another, but it may not have enough charge left on it to begin with, and may itself need charging. There is a less bulky way to mitigate this risk: we also recommend using a juice jack blocker, a small, inexpensive device that is very effective in stopping data from being stolen and malware from being loaded.
At the very least, make sure you use charging ports that are non-data USB-A power-only ports or cords that are power-only non-data cords.
Q: What is the difference between a "voice note" and "voice mail"? Is one more secure and/or provides more privacy than the other?
A: Generally, the primary difference is that “voice notes,” also called “voice texts,” “voice memos,” “audio messages,” and “voice messages,” are sent via apps such as iMessage, Telegram, WhatsApp and many others. Voice notes are not going through or being delivered by a telephone service like Verizon, Vodafone, AT&T, and many others. Voice notes are typically much shorter than traditional voice mail delivered through phone service providers. And a huge number of voice notes are being sent daily! WhatsApp reported in March 2022 that more than 7 billion voice notes were being sent daily through their app.
Fans of voice notes like that they are asynchronous (they can be listened to and answered whenever each person in the conversation has time to do so, which is also true of voice mail messages). Many others like hearing the nuances of a person’s voice instead of reading a text, which is often open to misinterpretation. And many voice note users say they like that voice notes are more secure and privacy-protecting… but are they?
Nope! Since voice notes are sent through apps, which are generally unregulated and usually lack sufficient security controls, if they have them at all, they are subject to many more types of cybersecurity risks and privacy threats. Even messages that automatically “disappear” after a short time, such as in iMessage, can still be saved as an audio file before they disappear. And, when using public Wi-Fi networks, voice notes are subject to being intercepted and possibly listened to if the transmission is not encrypted. Also, voice note files can contain malware, and the associated data can be used to commit identity fraud.
Bottom line: Currently, the protections required for voice mails delivered through phone telecommunications companies make them much more secure and privacy protected, in addition to providing more legal recourses following breaches, than voice notes.
Data Security & Privacy Beacons*
People and Places Making a Difference
- MHCS CPA services for providing a special day when the public can bring their tax and other types of financial records and finely shred and dispose of them right there on the spot… while enjoying delicious homemade ice cream! NOTE: April and May are popular months for CPA firms and other types of tax-related services to do these types of events. We aren’t sure if all of them also provide homemade ice cream, though.
- ENISA for their newly published study, “Foresight Cybersecurity Threats for 2030.” This study “aims to identify and collect information on future cybersecurity threats that could affect the Union’s infrastructure and services, and its ability to keep European society and citizens digitally secure.”
- FTC for the Disposal of Consumer Report Information and Records rule, updated and effective on November 15, 2017. Why are we pointing out a six-year-old rule? Because more organizations need to read and follow the requirements described within it; there are increasingly more disposal breaches of personal and financial information. Consumers should read it, too, so they know how most organizations in the US are obligated to secure their information throughout the disposal process.
- Tara Taubman-Bassirian for her GDPR Non-Material Damage Compensation report. Scroll down for a nice table listing GDPR cases, brief overviews, and associated penalties.
- Katie Teague at CNET for her informative report, The 4 Worst Spots You Could Put Your Alexa Speaker. It's best to avoid putting your Amazon Echo device in certain spots.
- HHS for transparency in posting all their privacy impact assessments (PIAs) to be publicly accessible. NOTE: All Federal agencies are required to do this.
- The Data Privacy Working Group, a new initiative by the organization behind Matter, the Connectivity Standards Alliance (CSA), to develop a privacy certification for smart home devices. Matter is a smart home interoperability standard developed by companies such as Samsung, Google, Apple, and Amazon.
- The Iowa Safe at Home program for expanding to provide mailing address confidentiality to survivors of assaults.
- Identity Theft Resource Center for their report, “Q1 2023 Data Breach Analysis: The Lack of Actionable Information in Data Breach Notices Continues to Grow.”
- Future of Humanity Institute, University of Oxford; Centre for the Study of Existential Risk, University of Cambridge; Center for a New American Security; and Electronic Frontier Foundation for their report, “Open AI: The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation,” published in February 2018. Those warnings from five years ago are more relevant than ever today and worth revisiting.
- EFF for their “Measuring the Progress of AI Research” project. “This pilot project collects problems and metrics/datasets from the AI research literature and tracks progress on them.” Informative and interesting!
- BDO for warning of fake websites pretending to be their company, along with six associated tips.
- The Cloud Security Alliance (CSA) for their Security Implications of ChatGPT, a whitepaper providing guidance across four dimensions of concern. CSA also calls for collaboration in developing an Artificial Intelligence (AI) roadmap for AI cybersecurity and cloud computing.
*Privacy Beacons do not necessarily indicate that an organization or person is addressing every privacy protection perfectly. They simply highlight noteworthy examples of privacy-aware practices.
Privacy & Security News
Visit the PSB News Page often!
Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts.
We now have a new page dedicated to HIPAA and healthcare news, here. This is in addition to our other three news pages for specific news topics! We also have a separate news page for IoT security and privacy news. You can see it here. And, we have news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here. You can also get to them all from our Privacy & Security Brainiacs News Page.
We just released our latest course, “HIPAA Basics for Business Associates 2023 Edition.” Our course includes more direct experience insights, examples, guidance, supporting supplemental materials, and more meaningful course quizzes and associated certificates of completion than other vendors. Please check it out!
We have updated and reorganized our Privacy & Security Brainiacs home page. We have also updated our “Online Learning” landing page. The courses provide real-world examples and advice, and the quiz questions support critical thinking, which results in longer-term retention of the concepts. Real-world examples help professionals identify where they need to beef up their own compliance practices. They also learn about HIPAA rights in the U.S. that they’ve never heard of before.
We have also created a landing page for our new Master Experts “Online Education” services.
Students of each class receive certificates of completion, showing the course name, length of the class to use for their continuing professional education (CPE) credits for the class, date completed, and any applicable information about the associated exam score. The certificates will also reflect how well students did in the class, and much, much more. Have questions about our education offerings? Contact us!
Where to Find the Privacy Professor
If you haven't checked out Rebecca's radio show, Data Security & Privacy with the Privacy Professor, please do. Guests discuss a wide range of real-world topics within the data security and privacy realm.
Latest Episode
First aired April 1, 2023
Pamela Gupta
AI Challenges & Risks: Security, Privacy, Bias & Ethics
Pamela discusses the importance of understanding the security and privacy risks that AI can bring if the associated algorithms are not constructed to produce accurate results, and explains the need to reduce bias and support ethics.
Next Episode
First airs May 6, 2023
Rebecca Herold
Online Tracking, Rise of Old Data Crimes & More Listener Questions
Back by popular demand, Rebecca continues answering reader/listener questions about IoT security and privacy, Meta Pixels and other tracking tech, and more.
Permission to Share
If you would like to share, please forward the Tips message in its entirety. You can share excerpts as well, with the following attribution:
Source: Rebecca Herold. May 2023 Privacy Professor Tips
www.privacysecuritybrainiacs.com.
NOTE: Permission for excerpts does not extend to images.
Privacy Notice & Communication Information
You are receiving this Privacy Professor Tips message as a result of:
1) subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com or
2) making a request directly to Rebecca Herold or
3) connecting with Rebecca Herold on LinkedIn.
When LinkedIn users invite Rebecca Herold to connect with them, she sends a direct message when accepting their invitation. That message states that in the spirit of networking and in support of the communications that are encouraged by LinkedIn, she will send those asking her to link with them her monthly Tips messages. If they do not want to receive the Tips messages, the new LinkedIn connections are invited to let Rebecca know by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.
If you wish to unsubscribe, just click the SafeUnsubscribe link below.