Why are you getting this?

You signed up to receive the Tips, initiated contact with Rebecca and/or PSB, and asked to stay in touch, or you consented to receive the Tips. Please read our Privacy Notice & Communication Info at the bottom of this message for more information. You may unsubscribe from there as well.

Rebecca

We would love to hear from you!

Did you find the tips we provided useful? Did you like this issue? Do you have questions for us to answer? Please let us know at info@privacysecuritybrainiacs.com.

November Tips of the Month

• Monthly Awareness Activity
• Privacy & Security Questions and Tips
• Data Security & Privacy Beacons*
• Privacy and Security News
• Where to Find the Privacy Professor

November is special for many reasons, and is the gateway to gratitude, gatherings, and gifting. Holiday spending will be about $1,800 per person this year and online shopping is way up.

Talk Money Week 2022, which is November 7–11, is a great time to plan activities that incorporate security and privacy education and awareness raising!

Most people do not realize how much money is lost through cybercrime, and through losing data because of weak (or no) security and privacy practices.

Here are some startling stats:

• Cybercrime will cost companies worldwide an estimated $10.5 trillion annually by 2025, up from $3 trillion in 2015. 
• 43% of cyberattacks are aimed at small businesses.
• The most common types of attacks on small businesses include:
• Phishing/Social Engineering: 57%
• Compromised/Stolen Devices: 33%
• Credential Theft: 30%
• A cybersecurity incident can impact business weeks, months, and even years later. Below are five areas where businesses suffer:
• Financial losses
• Loss of productivity
• Reputation damage
• Legal liability
• Business continuity problems
• In addition to these business losses, individual victims of identity fraud lose anywhere from $500 up to more than $20,000. A whopping 21% of victims report losing that larger amount. Those over 60 tend to lose more money to identity theft and fraud. 
• Cybercrime caused $6 trillion of damage in the US in 2022.

What can you do? 

Give a short talk, live or in a video, at your organization about these facts and stats, and then challenge others to determine the amounts of money that have been lost within your organization, city, state, immediate and/or extended family, or other types of grouping. Pinpoint why each incident happened, using the above categories.

What other activities do you suggest? Are you planning the above activities, or a different one related to Talk Money Week, in November? Let us know!

Rebecca includes a list of 250 security and privacy awareness activities and resources within her book, "Managing an Information Security and Privacy Awareness and Training Program." If you’d like more ideas, check it out.

Here are a few of the questions we’ve received over the past several months that cover situations that could occur at various points in everyone’s lives. We’ve received many! Was this information interesting and/or useful to you? Please let us know! Also, please keep your questions coming!

Q: Medicare scam. My Texas neighborhood’s social media is blowing up with reports of Medicare fraud. Apparently, many locals are seeing charges for glucose monitoring and delivery equipment, all from the same “provider,” but none of them ordered or received it. They have reported it to Medicare, but Medicare is apparently just paying the charges and not doing anything about it. Have you heard of this happening in your area? 360 DME Supplies, LLC is the provider that is billing and getting paid for these charges. I am concerned that Medicare is unwilling to act on it.

A: Medicare and Medicaid fraud have been pursued by criminals ever since those services were introduced. We found many reports of a similar, and perhaps the same, Medicare scam. Looking further, we found several fraud cases that have been tried in court. 

One criminal in Florida was sentenced to 55 months in prison followed by 3 years of supervised release for submitting more than $2.2 million in fraudulent billings to Medicare. In another scam in New York, the criminal stole over $700,000 in bogus durable medical equipment (DME) orders, at about $500 per order. 

These types of frauds may seem like they are not being addressed by the Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (“CMS”). We surmise that while the investigations are going on, a different part of the agency is still making the payments, until all the evidence is collected.

Be sure to continue to report these situations to the phone number listed on this Medicare site. When reporting, be sure to:

• Write down the name of the person you are speaking to
• Note the date and time
• Get any case number they may assign.
• Plus, ask them if you can call back to see how the investigation is going.

Q: I love your Q&As! I’ve learned a lot, including how to help make my older parents and overly-confident 20s-something children more security and privacy aware. Any suggestions for some good privacy- and security-improving gifts?



A: Thank you! That’s a timely and fabulous question. We’ve updated our 2020 gift list just for you! Here are some 2022 gift suggestions:

1. The book, Cybersecurity for Grandparents: Credit Reports, Device Updates, Social Media.
2. Privacy screens/filters: for smartphones, laptops, tablets, large monitors, IoT device screens, etc.
3. A UPS (uninterruptible power supply) and surge protector.
4. Backup drives: USB or actual hard drives that connect to your computer.
5. Cable locks: To use while traveling, when working in a shared type of business space (e.g., rented work areas), when leaving the hotel room, in home offices where there are others in the house that do not live there, or when you don’t want to move your computing device.
6. Remote locator, data wipe, and activity logging/recording tools.
7. Portable battery chargers. Many available are small and can do a full charge on smartphones, tablets, and laptops.
8. Subscription to anti-malware software.
9. Backup service subscription. Make sure the service is one that has strong security and privacy practices.
10. Encrypted USB drives. To store copies of photos, videos, important financial papers, wills, etc.
11. Covers for webcams (e.g., a cute sticky note cube, etc.
12. Physical privacy screen, to use in online meetings, to keep the surroundings from being seen.
13. Related to the previous suggestion, a green screen with a background generator tool, for those who do a lot of online meetings, schooling, etc. This will keep the inside of their work areas (often in their homes) from being seen.
14. Faraday/security sleeves/wallets/billfolds to protect credit cards, passports, etc. from having data stolen from the RFID chips within them from nearby RFID proximity readers.
15. USB data charging port blockers, for protecting those who recharge in public USB ports. 
16. Portable VPNs for work-from-home (WFH) folks, students, etc.
17. Privacy clothing. Particularly to keep travelers from being a victim of pickpockets. 
18. Two-factor authentication hardware tools. 
19. Offline (your password is not stored in the cloud) password manager. 
20. Microphone/audio device input blocker. 
21. Device USB port blocker. 
22. For friends and family still using landlines, a call blocker. 

Do you have more suggestions? Drop us a line!

Q: What new (and not well-known) scams are out there?

A: New ones emerge every day! These two seem to be increasing in frequency.

Domain Extortion Scams 

They’ve been around for years but were not being widely sent to targets. They happen more now because more people have their own domains -- particularly domains that are the name of individuals. Parents are buying their children's names as domains before or shortly after they’re born. 

Requests look like they come from a business owner or manager (often overseas). What looks like a legitimate inquiry about purchasing domains then evolves to a mention of extensions you don’t currently own. You are then told that you need to pay to get those domains in addition to the extensions you currently own. Below are some screenshots of my own experience with this, showing the order in which I received the main scam email messages.

Although I haven’t seen a complete “price list,” I was asked for tens of thousands of U.S. dollars for each domain.

• If you get similar e-mails, don’t click on links or attachments.
• If the email appears to come from a sender you know, your acquaintance may have had their email address hacked. Call them and tell them about the email. 

I always report these types of emails to the FBI. If you don’t feel comfortable doing that, then delete the message, and for extra security (especially if there was an attachment) delete the message from your trash bin.

Cryptocurrency Scams

Because crypto is a relatively new type of investment and payment method for the majority of the population, cybercriminals try to dupe people who are new to the field.

Organized criminals are using fake cryptocurrency sites and applications, and many victims are losing a lot of money. 

Here are a few red flags for cryptocurrency scams:

• Promises of guaranteed returns on sites claiming to provide cryptocurrency. No such promises can be made with cryptocurrency. This is a scam!
• Requirements to provide cryptocurrency in advance on sites that are taking cryptocurrency for payments. This is a scam!
• New online “friends” who offer to show you how to invest in cryptocurrency, or ask you to send them cryptocurrency. This is a scam!
• 
  

We provided a couple of beacons in this issue that also provide some good advice about cryptocurrency scams. Check them out, below.

Q: I’m going to a family reunion in early November, with many generations. While we’re eating, I’d love to discuss current scams with them so they will be on the lookout over the holidays. I’ve made a shortlist, but I know you can provide me with one that is more current. What scams would you discuss with a wide range of generations?

A: Oh, we love this question! That's a great non-controversial topic to bring up over the holidays. (But remember to talk about happy things too!)

• Grandparent scam. The crook calls claiming to be a grandchild who is in need of money for an emergency (like theft or an accident). Many different variants exist. See more here, along with the sad story of a couple who lost $100,000. A couple was recently sentenced to several years in prison in Florida for this type of fraud.
• Holiday scams. They abound and the FBI even publishes a “naughty” list.
• The Google Voice scam. If you post an item for sale online or post some other type of ad (e.g., lost pet), criminals will call the phone number you provide, and tell you that you'll get a verification code from Google Voice (their virtual phone and text service). They’ll then ask you to read it back. What they are actually doing is setting up a Google Voice account in your name that they will then use to commit crimes, pretending to be you, to cover their tracks from law enforcement. Never share your verification codes with anyone!
• Fake job frauds. During the holidays, many people take side jobs to bring in extra money. They are highly susceptible to fake job offers. Scammers take personal data (like resumes) from online job posting sites and then contact job seekers, pretending to be a recruiter or a business looking to fill openings. They will then collect more personal data from you, such as SSN, bank account number, etc. Some will even ask you to pay a job application fee. Here’s some good information about bogus job offer scams.
• Typosquatting scams. Typosquatting is when people are tricked into visiting a fake website by registering a domain name similar to that used by genuine brands. This is nothing new. However, what is increasingly common is for these sites to be used to spread ransomware and other types of malicious code. We've tracked 200+ typosquatting domains impersonating at least twenty-seven brands, tricking site visitors into downloading various Windows and Android malware. Look closely at the domain name before visiting a site. Some of these typosquatting malicious sites are using misspellings pretending to be Google Wallet, PayPal, Snapchat, TikTok, and many other popular sites and apps. For example, the TlkTok-apq link has been used to trick people into thinking it is the TikTok app.
• Deepfakes of celebrities are increasingly being used by unethical marketing firms to sell products. The viewer believes celebrities are promoting the products. Cybercriminals are also using deepfakes, trying to make their sites look legitimate. If a celebrity promotion seems surprising or out of character for the associated person, it could very well be a deepfake.

We could go on and on! But we don’t want to steal your joy. We’re simply providing the gift of raised security and privacy awareness!

Enjoy your family time!

Q: Several years ago my friend lost his elderly father, who was a pillar of the community. After he died, some people came forward and made claims about how he had a secret family and had committed crimes. They demanded a large amount of money to not release the “evidence” they had about these claims. Ultimately, my friend did not pay and the criminals published the claims. After years of investigative work, the son was able to prove the truth. How can I make sure that after I die my identity will not be stolen, and that my own life facts are not altered? I not only want to protect my own legacy, but I also want to keep my family from going through such a horrible situation.

A: You have no guarantee that criminals won’t try to steal the identities or tarnish the reputation of the deceased. But you can take these simple steps to reduce the likelihood.



• Perform a regular (once a year) self-audit of all online personal data and remove as much as possible. That includes:
• Social media accounts
• Association and other membership sites
• Subscription sites
• Retail sites
• Also delete all data on computing and storage devices, and then completely destroy the devices you no longer need.
• Create a secure digital life box with all the information you want one or more of your survivors to have. These life boxes often include an inventory of your digital assets (network and online account IDs and passwords, digital documents, records, photos, phones, tablets, IoT devices, any other type of digital device, etc.), hard copy documents, photos, videos, jewelry, heirlooms, a list of people (and their addresses) that you want to be notified of your death, etc.
• Include within your will explicit instructions for named individual(s) to take the actions you direct with all your digital -- as well as hard copy -- information. During this time, you might consider crafting a life story to show at your memorial service and/or put in a secured monument at a cemetery or similar location. Photos, videos, accomplishments, newspaper clippings, books, and more can all be added to your memory box.
• Be aware that the U.S. has a revised Uniform Fiduciary Access to Digital Assets Act. All states, except for Massachusetts (which has bills pending) have adopted a version of this to address access to digital assets after a person’s death (related to the first question above).

Q: This isn’t so much of a question as a warning to your readers. I almost entered my personal information at a student loan debt relief scam site! What else could would-be victims do?

A: Thank you for this warning! We’re happy that you spotted one of the red flags of these increasingly more common student loan debt relief scams. Here are a few more:



• Some scammers pose as organizations that can help individuals “correctly” file their loan forgiveness applications. They ask you for the fee upfront to do so. Asking you to pay upfront before they’ve even provided any help is usually illegal.
• If the organization claims they are a federal agency, such as the US Department of Education, IRS, Treasury Department, or other, don’t believe them! Even if they include the claimed agency’s logo on their site or communications media. Look at the web URL. Legitimate federal agency URLs end in “.gov” while scammers’ sites do not. 
• You may be asked for a fee to expedite student loan forgiveness. The process normally takes time. Legitimate government agencies will not allow your loan to disappear at the press of a button. 
• Do not give your SSN, FSA ID, or other personal information over the phone or in an email or text; only scammers will ask you to do this.  
• If the organization uses pressure tactics on you or tells you that you must make a decision within a very short period of time, don’t believe them. Cybercriminals want to take your money as quickly as possible, and then disappear, so they of course will be pressuring you to hurry up. 
• We’ve sadly heard of a completely crazy tactic that works sometimes…claiming that you must sign over power of attorney to an entity to allow them to speak on your behalf. Holy cow! Don’t even think about it!
• And of course, many of us are asked for a credit card number. Government programs similar to the student loan forgiveness program will not ask for your credit card number.
• Military personnel (and their families) are increasingly targeted with scams. This is especially common with regard to programs providing benefits to military members, such as through the PACT Act. Information is then taken and used for identity fraud. Military families and veterans have been found to be 40% more likely than civilians to become victims of scammers and cyber thieves, with 80% of the attacks specifically taking aim at their military benefits. If you’re in the military and get an unsolicited offer from a non-government entity to help you with a benefits program, it is very likely a scam.  

• Attila Tomaschek at CNET for his article, “Here's How to Protect Your Data From Invasive Android App Permissions.” This is very instructive; nice work, Attila!
• By Rosario Méndez at the Federal Trade Commission (FTC) for her article, “Data security applies to charitable organizations, too.” Thank you, Rosario; we wholeheartedly agree! And during the holidays there is such an uptick in charitable organizations asking for donations of money and material items, but also putting up websites and using third parties to collect donations, this becomes a very important issue for each of those organizations to address. Are they? Ask them before you hand over your personal data!
• St. Louis Public Radio for providing information about scams targeting military members and their family.
• AARP for their article, “Mail Theft, Check Fraud on the Rise, USPS Warns,” and their entire Scams & Fraud page. Great info that is kept updated often.
• The U.S.  Centers for Medicare and Medicaid Services (CMS) for providing a page detailing the types of fraud, scams and abuse to be on the lookout for. They also provide on this page information about how to contact the CMS to report different types of situations.
• The U.S. FBI for their holiday scams information.
• The U.S. FTC for providing advice on how to spot cryptocurrency related scams.
• Kaspersky for also providing advice on spotting cryptocurrency related scams.
• The U.S. IRS for their letter giving notice whenever someone has used an individual’s personal information online at their website. See the image below, with security and privacy statements. Great to see!

• The Iowa Secretary of State for providing tips during October Cybersecurity Awareness Month.

*Privacy Beacons do not necessarily indicate an organization or person is addressing every privacy protection perfectly. It simply highlights a noteworthy example of privacy-aware practices.

Hey! Did you know that we have a Privacy & Security Brainiacs page on LinkedIn? Well, we do! Please “follow” our page. We provide a lot of news, tips, advice, and other useful information on our site. Our goal is to post 3-4 times a week. We’d love to also see your comments and thoughts on our posts.

We have added a large amount of news on our three news pages since the last Tips! We have our all topics Privacy & Security Brainiacs News Page. It contains news grouped by each month, and within each month by specific topic. We also have a separate news page for IoT security and privacy news. You can see it here. And, we have a huge amount of news for Log4j security and privacy vulnerabilities, patches, exploits, and everything else related, here.

HIPAA Basics for Business Associates

is getting great reviews!

Clients who took “HIPAA Basics for Business Associates 2022” have told us they have learned about issues that were not covered in other classes they’ve seen and taken. They also have found the real-world examples particularly helpful in not only identifying where they need to beef up their own HIPAA compliance practices, but also in helping them see where they, and their family member and friends in the U.S., have rights under HIPAA that they didn’t even know about before.

Almost Here!

We also are in the pilot phase of our first new Master Experts education classes, with the brilliant Dr. Mich Kabay, who create and was the former director of the NSA-accredited Norwich University Master of Information Security and Assurance Program, as our first Master Expert in residence. His first class being offered is Secure Coding, and his second class is Software Quality Assurance.

Now would be a perfect time for you and/or your colleagues and cybersecurity and privacy pros to take these classes. Students receive certificates, showing 2 continuing professional education (CPE) credits. class. The certificates will also reflect how well you did in the class, and much, much more. Ask us about our deeply discounted beta testing user pricing. 

See our Privacy & Security Brainiacs page for our business in the news!

Did you miss attending the in-person FutureCon Des Moines event on September 8? You can view Rebecca’s session, leading a discussion with prominent CISOs in different industries here.

Did you miss attending the online September 13th ISACA event presented by Rebecca, “Post-Dobbs Privacy & Compliance”? The controversial Dobbs decision, overturning Roe v Wade, is the topic for this provocative online session, covering implications for HIPAA compliance, employee security and benefits, and privacy of women's health data. You can view the recording for free, but registration is still required. Just click on the link below. 

The Privacy Professor | Website

Privacy & Security Brainiacs| Website

Permission to Share

If you would like to share, please forward the Tips message in its entirety. You can share excerpts, as well, with the following attribution:

Source: Rebecca Herold. November 2022 Privacy Professor Tips.  www.privacysecuritybrainiacs.com

NOTE: Permission for excerpts does not extend to images.

Privacy Notice & Communication Information

You are receiving this Privacy Professor Tips message as a result of:

1. subscribing through PrivacyGuidance.com or PrivacySecurityBrainiacs.com;
2. making a request directly to Rebecca Herold; or
3. asking Rebecca Herold to be a connection on LinkedIn.

When LinkedIn users initiate a connection with Rebecca Herold, she sends a direct message to each of them when accepting their invitations. That message states that each month, to support the LinkedIn networking purpose and goals, and to stay in touch with her links, she sends her LinkedIn connections one security and privacy tips message via email each month. If they do not want to stay in touch with her in this way, LinkedIn connections are invited to let Rebecca know they do not want to get email messages from her by responding to that LinkedIn message or contacting her at rebeccaherold@rebeccaherold.com.

If you wish to unsubscribe, just click the Unsubscribe link below.