Security

Cyber Security Awareness

Awareness! We all need to keep informed on existing Cyber Fraud as well as how to protect ourselves. This page provides helpful information and resources to keep your information safe.

Real Estate Transaction Fraud PSA

Tech Tip - Updating Your Passwords!

FAQ/Resources

Yes - there is a set of scams that are associated with taxes and the IRS. Here are some of the basics to know about IRS scams.

What the IRS will NOT do - the IRS does

  • NOT call you unless you have reached out to the agency first
  • NOT initiate contact with taxpayers via email, texting/SMS or social media
  • NOT threaten to bring in local police or other law enforcement to arrest you for nonpayment
  • NOT ask for credit or debit card numbers over the phone

What do you do when

  • You receive an unsolicited text message or Short Message Service (SMS) message claiming to be from the IRS
  • You receive an email claiming to be from the IRS that contains a request for personal information, taxes associated with a large investment, inheritance or lottery…
  1. Don't reply
  2. Don't open any attachments - it could contain malicious code that may infect your computer or mobile phone
  3. Don't click on any links
  4. To report the text or email, visit https://www.irs.gov/uac/report-phishing for details
  5. Delete the original text or email

Resources:

When in doubt:  Verify how to get assistance by visiting www.irs.gov
For the latest in IRS Tax Scams and Consumer Alerts visit: https://www.irs.gov/uac/tax-scams-consumer-alerts
Examples of IRS phishing emails
https://www.irs.gov/pub/irs-utl/phishing_email.pdf  (you have a tax refund!)
https://www.irs.gov/pub/irs-utl/phishing_email2.pdf (we will “help” you unblock your funds…)

To create and remember cryptographically secure passwords, we recommend you use a password service. The following are the top 3 currently available.

Great question – and a lot of answers here.    

Kw.com emails may be singled out the same as any financial and service sector email accounts are targeted.  Contact information is meaningful to the “bad guys” and Real Estate professionals (along with other industries) work with this kind of information as part of their business.

Remember – receiving spam/phishing emails is one thing, having any of these emails get your credentials can be much more damaging.  Be aware! 

Phishers are in the business of tricking users to give up personal, account, or user login information.  They are smart, creative and will always be evolving their methods.

WE are the best defense! While systems can limit the number of spam and fraudulent emails received, some will always find their way into your inbox. Don't expect to have a spam-free account.

Make the small investment in time and look at the 6 steps "How to Spot a Phishing Attempt" below.

Setting up 2 Step Verification will protect your account with both your password and your phone -  And it is easy to do!  

Use the link below for more on what it is, and click the "Get Started" button at the bottom of that page to enable Google's 2 Step Verification for your G Suite account.

https://www.google.com/landing/2step/index.html

To reduce receiving spam from known spam emailers

  1. Select the email to be marked as spam
  2. The selection above the selected email will change to this
  3. Then click the SPAM icon at the top of the page. This will add this email to Google's Spam filtering intelligence and reduce your (and others') receipt of Spam email.

Note:  To date no KWRI related websites were compromised – the KWRI Security team will continue to validate and monitor this issue.

 Summary – what we know as of 02/24/2017:

  • Sensitive data was leaked from Cloudflare, including:  passwords, private messages, cookies, encryption keys 
  • The scope/number of compromised sites is still in flux – current estimates are that  over 4.2 Million websites could have been impacted
  • While, to date, this does not impact KWRI it could impact agents that use Cloudflare for hosting business related websites, or use sites hosted by Cloudflare

What it means to each of us personally:  

  • While the list of possibly impacted domains is long, here are a few notable sites that could be impacted: yelp.com, uber.com, betterment.com, glassdoor.com, bitdefender.com, fitbit.com, authy.com, to name a few

CALL TO ACTION:  While there are no direct impacts to KWRI, the following steps are recommended…

  • Check your password managers and change all of your passwords, especially those on affected sites.  
  • Use 2 Step Verification (or 2 Factor Authentication) when possible.

Resource:  

Link to list of potentially impacted sites https://github.com/pirate/sites-using-cloudflare

Meltdown/Spectre Processor Vulnerabilities Update (11-Jan-2018)

 

Background: While computer processor manufacturers will need long term fixes to chip architectures, there are operating system and web browser updates that will address the Meltdown and Spectre vulnerabilities that went public last week.

The best line of defense is to install these updates to your operating systems (see the Microsoft AMD exception below) and browsers. Included below is basic information on common operating system and web browser updates to address these vulnerabilities.

Note, expect additional updates - specifically updates for Microsoft Operating System using AMD processors, and the Google Chrome browser.

Operating System updates - below is updated information on Microsoft and Apple operating systems:

Microsoft (Windows):

  • Windows Operating System updates are available (for computers using Intel processors):
    • Updating Windows 10 - Windows 10 periodically checks for updates so you don’t have to. When an update is available, it’s automatically downloaded and installed, keeping your device up to date with the latest features.
    • To check for updates now, select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates. If Windows Update says your device is up to date, you have all the updates that are currently available.
  • Windows OS patches for AMD processors
    • Microsoft has temporarily suspended updates for AMD processors. If you are running Windows on a computer powered by an AMD processor, you will not be offered fixes.
    • To find out what processor your computer uses press the Windows and pause keys to see basic information about your computer (including the processor brand)

Apple (iOS/macOS)

Browser Updates – below are the current browser versions that have been distributed to address these vulnerabilities:

The message contains a mismatched URL

When a message claims to be from Bank of America but the URL is http://qwerty.qwerty.com, that is almost certainly a phishing attempt.

The message contains poor spelling and grammar

Reputable companies have entire teams of people making sure their messaging is proofread and error-free. Phishers do not have that luxury. Note: As phishers become more advanced, so do their abilities to send an error-free and grammatically correct message.

You're asked to send money

If you get an email asking for money, look the company up on the internet or call them. Check your records to see if you've done business with them. 99% of the time this is a scam!

URLs contain a misleading domain name

For example, http://facebook.com and http://faceb0ok.com may look alike at a glance, but they go to very different servers.

The message asks for personal information

Be wary of any message asking for any personal or account related information

Something just doesn't look right

The old adage "Better safe than sorry" applies doubly online. If it looks odd or just doesn't feel right, then it is most likely a phishing attempt.

Phishing Attack Prevention Best Practices Guidelines

Never respond to emails that request personal or financial information

Banks or e-commerce companies generally personalize emails, while phishers do not. 

Phishers often include false but sensational messages (e.g. "Urgent - your account details may have been stolen") in order to get an immediate reaction.

Reputable companies don't ask their customers for passwords or account details in an email. Even if you think the email may be legitimate, don't respond. Contact the company by phone or by visiting their website. Pick up the phone and speak to a real person, or type the URL in yourself by hand rather than clicking a link in a suspicious email.

Do not click on links, download files or open attachments in emails from unknown senders.

Always be cautious about opening attachments and downloading files from emails, no matter who they are from.

Do not trust the "From" email name

A favorite phishing tactic among cybercriminals is to spoof the From/display name of an email.  More than half of 760,000 email threats targeting 40 of the world’s largest brands! 

Here’s how it works: If a fraudster wanted to spoof the hypothetical brand “Acme Bank,” the email may look something like:

To: You <your.name@kw.com>

From: Acme Bank <customerservice@secure.com>

Subject: Suspicious Login Attempt

While Acme Bank doesn’t own “secure.com” this email still appears legitimate because most user inboxes only present the display name (Acme Bank). Don’t trust the display name. Check the full email address — if it looks suspicious, don’t open the email.
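The display-name check described above, together with the lookalike-domain check from the faceb0ok.com example, can be automated for a mail filter or triage script. This is an added example, not part of the original page; the brand allow-list, the domain acmebank.example and the function names are constructed assumptions.

```python
from email.utils import parseaddr

# Assumed allow-list (constructed): brand name -> domains that brand really sends from.
BRAND_DOMAINS = {
    "acme bank": {"acmebank.example"},
    "facebook": {"facebook.com"},
}

# Digit-for-letter swaps seen in lookalike domains such as faceb0ok.com.
LOOKALIKE_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def owned(domain, brand_domains):
    """True if domain is one of the brand's domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in brand_domains)


def check_from_header(from_header):
    """Return a list of findings for one From: header value."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if "@" not in address or not domain:
        return ["no parseable sender address"]
    findings = []
    unswapped = domain.translate(LOOKALIKE_SWAPS)
    for brand, domains in BRAND_DOMAINS.items():
        if owned(domain, domains):
            continue  # genuinely sent from this brand's domain
        # Display name claims a brand that does not own the sending domain.
        if brand in display.lower():
            findings.append(f"display name claims '{brand}' but sender domain is {domain}")
        # Domain only matches the brand after undoing digit swaps.
        if owned(unswapped, domains):
            findings.append(f"{domain} imitates a '{brand}' domain")
    return findings


if __name__ == "__main__":
    # Constructed sample headers based on the examples on this page.
    for header in (
        "Acme Bank <customerservice@secure.com>",
        "Facebook <security@faceb0ok.com>",
        "Acme Bank <alerts@mail.acmebank.example>",
    ):
        print(header, "->", check_from_header(header) or "no findings")
```

An empty result only means neither check fired; the other warning signs on this page still apply.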

Check to ensure the website you are visiting is secure

Before submitting your personal or other sensitive information, there are a couple of checks you can do to help ensure the site uses encryption to protect your personal data.

  • Check the web address in the address bar. If the website you are visiting is on a secure server it should start with "https://" ("s" for security) rather than the usual "http://."
  • Also look for a lock icon on the browser's status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with your cursor.
  • Note that the fact that the website is using encryption doesn't necessarily mean that the website is legitimate. It only tells you that data is being sent in encrypted form.
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

Be extremely cautious with emails and personal data.

Most banks have a security page on their website with information on carrying out safe transactions, as well as the usual advice relating to personal data. 

  • Never share your PIN numbers or passwords with anyone
  • Do not write them down 
  • Do not use the same password for all your online accounts 
  • Avoid opening or replying to spam emails, as this will give the sender confirmation they have reached a live address. 
  • Use common sense when reading emails. If something seems implausible or too good to be true, then it probably is.

Keep your computer secure.

Some phishing emails or other spam may contain software that can record information on your internet activities (spyware) or open a 'backdoor' to allow hackers access to your computer (Trojans). 

Installing antivirus software and keeping it up to date will help detect and disable malicious software, while using anti-spam software will stop phishing emails from reaching you.

Always beware of urgent or threatening language in the subject line.

Invoking a sense of urgency or fear is a common phishing tactic. Beware of subject lines that claim your “account has been suspended” or your account had an “unauthorized login attempt.”

Always review the signature block of an email.

Lack of details about the signer or how you can contact a company strongly suggests a phish. Legitimate, reputable businesses always provide contact details.

Always check for spelling mistakes

Reputable, legitimate brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar. Read your emails carefully and report anything that seems suspicious.

Always analyze email salutations

Is the email addressed to a vague “Valued Customer”?  If so, watch out—legitimate businesses will often use a personal salutation with your first and last name.

ALWAYS report suspicious activity.

If you receive an email that appears in any way to be a phishing attack, report it immediately to your local IT person/department and to any other chain of command for security incident escalation.