E-mails telling you that your data has been compromised are now sometimes fake. Be careful what you click on.
TechRepublic’s Karen Roby spoke with Eva Velasquez, CEO of the Identity Theft Resource Center about new malware threats that look like breach alerts. The following is an edited transcript of their conversation.
Karen Roby: It seems like every time we turn around, there’s a new way that criminals are infecting our lives online, and what we’re going to be talking about today is some fake data breach notifications being sent out through Google alerts. What is it? And what’s happening here that you guys are watching closely?
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
Eva Velasquez: The fraudsters are very clever in that they will often take a situation where there’s a kernel of truth and then they spin it so that they can perpetrate their schemes. Data breach notifications are a real thing. Most of the time, it’s a legitimate consumer tool. Most states require them by law, and they’re to inform consumers when their information, their identity credentials, their data has been compromised. The thieves, of course, realize that this is something that is concerning to people. They want that information. They are expecting them. It’s really become part of our lexicon. So they are using these fake data breach notifications to grab your interest, make you think, “Oh, I need to have this information. I need to know if my data’s been compromised.”
Now, they often will contain links to malicious pages. They can even contain a form or a document, and when you download a document, it can be infected with malware and then you will turn around and you could infect your entire, your computer or even your system if you’re on a network. So, it’s really important when you get any type of notification, including a data breach notification, that you go to the source, don’t click on any links and certainly don’t download any documents from that incoming communication. It’s very different if you go to the website of the entity that’s purporting to be breached than it is if you’re responding to an email or a text or something like that.
Karen Roby: That’s the really troubling thing here, obviously, is that what people sometimes think is a very benign piece of information being sent to them, it may or may not impact them, so they may click on it and then this can happen. When we talk about malware, this can get to be a real problem for an individual or a company.
SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)
Eva Velasquez: Oh, absolutely. I mean, the bottom line is you do not want to have your machines infected with malware. And it runs the gamut from key-loggers that can log every keystroke that you make because you’re logging into your different accounts and they can obtain your password that way. They get into all of the documents and the internal runnings of your computer. They can circumvent information. I mean, there’s just a panoply of schemes that they can perpetrate once they have access to your machine, so you absolutely want to avoid it where possible. And by all means, please make sure that you have antivirus and malware detection software or programs on your computer, and make sure that you do patching when you get these updates.
And it says, “Do you want to do this update?” And everybody clicks, “No, not now. I’m busy.” That is a really important part of protecting yourself, because those are addressing known vulnerabilities. It’s something that the hackers and the cyber criminals know that we don’t look at as very important, and so we don’t do it right away, but those are really simple things that you can do to make sure that your machine stays healthy.
Karen Roby: I think you just said the key thing, that the hackers, they know we get busy and we say, “Oh, I’ll deal with that later,” and just X out of it. But there are tools, there are resources there available to us to make sure we are protected.
Eva Velasquez: Absolutely. This is a confusing space. We want people to realize they don’t have to figure this out all by themselves. You’re not alone out there. There are many organizations like the Identity Theft Resource Center that will give you information and advice for free. You don’t have to do the guesswork. When it comes to these fake data breach notifications, and frankly data breach in general, we want people to know that we have some great tools, and we’ve taken the guesswork out of it. If you get a data breach notification, and you’re not sure if it’s either legitimate or even what it means, please visit the ITRC website or our partner, Breach Clarity. Now we have been capturing data breach data and information about data breaches since 2005. We are using that data along with a partner to generate a risk score.
Eva Velasquez: We’re sort of like earthquakes, the Richter scale, you see that number and you understand intuitively the severity of that event. We are doing the same thing with data breaches. Our data is being used by Breach Clarity. They’ve built this amazing algorithm that gives you a risk score and tells you just how bad this particular breach is. Then, of course, it also tells you what your potential harms could be and what your remediation steps are. Of course, we’re always available with our advisors, our one-to-one advisors. You can give us a call or live chat with us and ask a question, and we will steer you in the right direction. You don’t have to respond to everything that’s coming over the transom, every email, every text, every free offer if you fill out this survey.
Take a breath, think, and do a little research first, see if these things are legitimate, go to the source, and if you’re still stuck, by all means, reach out to us or any of the other organizations that provide free services and get that advice before you click.