Security – SmallBusiness.com https://smallbusiness.com Small business information, insight and resources | SmallBusiness.com Mon, 09 Dec 2019 17:10:16 +0000 en-US
Americans Reported 1.4 Million Cases of Fraud in 2019 https://smallbusiness.com/security/fraud-reports-in-2019/ Thu, 05 Dec 2019 19:31:19 +0000 https://smallbusiness.com/?p=40321

According to the most recent data from the Federal Trade Commission-led Consumer Sentinel Network (“Sentinel”), Americans, including small businesses, filed 1.4 million fraud reports in 2018. The data were collected during 2018 and published in 2019, and the reports came from over 50 federal, state and non-governmental agencies. Below are some of the findings from those 1.4 million filings. (See also the SmallBusiness.com Guide to Business Computer and Tech Security.)


$1.5 billion | The amount people reported losing to fraud last year (yes, that is with a ‘b’), an increase of 38% over the prior year.

3 most common types of fraud report filings | Imposter scams, fake debt collection, and identity theft.

Younger people reported losing money to fraud more often than older people. | Let that sink in. It’s what the data has been revealing for a while, but it’s hard for some people to grasp as it goes against conventional wisdom.

43% | The percentage of reports that were filed by individuals in their 20s.
5% | The percentage of reports that were filed by individuals in their 70s.

However, when the fraud victims were in their 70s, the amounts stolen were higher.

$751 | Average amount of money lost by victims in their 70s
$400 | Average amount of money lost by victims in their 20s.

Scammers prefer wire transfers

$423 million | Losses reported through wire transfer, the most frequently reported payment method.

Florida, Georgia and Nevada | The three states with the highest rate of fraud reports (per 100,000 population).

Check out what happened in your state.

Capital One Hit By a Massive Security Breach: What Should You Do? https://smallbusiness.com/security/capital-one-hit-by-a-massive-security-breach/ Tue, 30 Jul 2019 21:05:07 +0000 https://smallbusiness.com/?p=40297

According to Capital One and the FBI, a hacker gained access to more than 100 million Capital One customer accounts and credit card applications earlier this year. It is one of the biggest data breaches ever. Paige A. Thompson, 33, of Seattle, a former software engineer at Amazon, is accused of breaking into a Capital One server and gaining access to the following:

140,000 | Social Security numbers
1 million | Canadian Social Insurance numbers
80,000 | Bank account numbers
??? | An undisclosed number of names, addresses, credit scores, credit limits, balances, and other information.

According to a court filing, the Justice Department said Thompson was able to gain access by exploiting a misconfigured web application firewall.


“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened, I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Richard D. Fairbank, Chairman and CEO
Capital One


Thompson, a former Amazon systems engineer, was arrested Monday on charges that she breached the network of Capital One, the tenth-largest U.S. bank, the Justice Department said.

$100 million to $150 million | The costs the company expects to incur as a result of the hack, including customer notifications, credit monitoring, technology costs and legal support.

Much of the evidence tying her to the breach came directly from things she posted online or in direct messages. An unnamed recipient of one of those messages sent them to Capital One officials. “Let me know if you want help tracking them down,” the person wrote.

The company says it fixed the vulnerability and that it is “unlikely that the information was used for fraud or disseminated by this individual.”


What to do if your bank account gets hacked?

(Advice from CNN and the SmallBusiness.com Guide to Business Computer and Tech Security)

Don’t panic

The bank says it will notify everyone who was affected by the breach and offer them free credit monitoring and identity protection services.

Check your accounts now

Look over your credit card and banking statements and report any suspicious activity to the bank as soon as possible. Change your passwords on all accounts.

Freeze your credit

Taking this step means that no one will be able to access your credit reports without your permission. A lender or business won’t be able to gain entry to your credit file until you unfreeze it. (Note: It can be a hassle.)

Stay vigilant

Consider signing up for a credit monitoring service. The bank will likely offer to supply one. Even if you accept its offer, you should also check your credit reports yourself to make sure fraudulent accounts haven’t been opened in your name. (A good habit: Do this at least once every quarter.)

Watch out for scams

Don’t act on unsolicited phone calls or emails claiming to come from creditors. Instead, call the creditor using the phone number you find on its legitimate website.



There are over 30 articles in the SmallBusiness.com Guide to Business Computer and Tech Security.


IBM Study: Data Breaches a Growing Risk for Small Business | 2019 https://smallbusiness.com/tech/ibm-study-data-breaches-a-growing-risk-for-small-business-2019/ Tue, 23 Jul 2019 17:45:28 +0000 https://smallbusiness.com/?p=40260

An annual IBM security breach study released today (July 23, 2019) reveals that the average cost of a data breach has risen 12% over the past five years and now stands at $3.92 million. The rising expense reflects the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.


The financial consequences of a data breach can be particularly acute for small businesses. The study revealed significant variation in total data breach costs by organizational size.


$204 | The per-employee breach-related costs for organizations with more than 25,000 employees
$3,533 | The per-employee breach-related costs for organizations with between 500 and 1,000 employees

Thus, smaller organizations have higher costs relative to their size than larger organizations, which can hamper their ability to recover financially from the incident.


“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said Whitmore. “Companies need to be aware of the full financial impact that a data breach can have on their bottom line –and focus on how they can reduce these costs.”


Some of the top findings from this year’s report include:

  • Malicious Breaches | Over 50% of data breaches in the study resulted from malicious cyber attacks and cost companies $1 million more on average than those originating from accidental causes.
  • U.S. Breaches Cost Double | The average cost of a breach in the U.S. is $8.19 million, more than double the worldwide average.
  • Healthcare Breaches Cost the Most | For the 9th year in a row, healthcare organizations had the highest cost of a breach – nearly $6.5 million on average (over 60% more than other industries in the study).

Lifecycle of a Breach

279 days | The average lifecycle of a breach
206 days | Average time from the breach to its first identification by the company
73 days | Average time to contain the breach once it has been identified

Healthcare organizations in the study had the highest costs associated with data breaches.

$6.5 million | The average per-organization cost of a breach in the healthcare industry was over 60% higher than the cross-industry average.


Five Things A Small Business Can do to Reduce Employee Theft https://smallbusiness.com/employees/five-things-a-small-business-can-do-to-reduce-employee-theft/ Fri, 22 Mar 2019 16:47:18 +0000 https://smallbusiness.com/?p=34706

AP’s Joyce M. Rosenberg recently shared five things a small business owner can do to reduce the chances of employee theft. Here are the quick tips.


1 | Make sure that responsibility for finances doesn’t rest with only one person. Business owners should have their bank statements sent to their home rather than to the business, and should have their accountant review them.

2 | When a staffer quits or is fired, their access to the company’s computer system and email should be cut off immediately. Change passwords on any account the employee may have used.

3 | Watch out for suspicious behavior that could be a tipoff about stealing.

4 | Surveillance cameras can discourage staffers from stealing property. Even if a camera is not a deterrent, the owner can see who the thief was.

5 | If you suspect theft is taking place, consult with an attorney or HR provider to decide the best action to take.


Worst Password Blunders of the Year | 2018 https://smallbusiness.com/tech/worst-password-blunders-of-the-year-2018/ Thu, 03 Jan 2019 21:27:13 +0000 https://smallbusiness.com/?p=33988

“Weak passwords, reused passwords, and poor organizational password management can easily put sensitive information at risk. A good password is the first line of defense against cyberattacks.”
Emmanuel Schalit, CEO of Dashlane. 


The password management platform, Dashlane, recently released statistics related to 2018 password usage (and outrageous blunders) of the year.

200 | The average number of password-protected accounts maintained by an internet user.

Worst passwords of 2018? These "password offenders" lead the pack

Dashlane’s “2018 Worst Password Offenders” list, from worst to best:     

  1. Kanye West: He was captured unlocking his iPhone with the passcode “000000” during his meeting at the White House. 
  2. The Pentagon: The Government Accountability Office (GAO) found numerous cybersecurity vulnerabilities in several of the Pentagon’s systems. Among the disturbing issues was that a GAO audit team was able to guess admin passwords in just nine seconds.
  3. Cryptocurrency owners: There were several news reports of desperate cryptocurrency owners who went to extreme measures (including hiring hypnotists) in their attempts (and mostly failures) to recover/remember the forgotten passwords to their digital wallets.
  4. Nutella: Nutella encouraged its Twitter followers to use “Nutella” as their password to celebrate World Password Day.
  5. U.K. Law Firms: Over one million corporate email and password combinations from 500 of the country’s top law firms were found available on the dark web.
  6. Texas: Over 14 million voter records were exposed on a server that wasn’t password protected. Information from 77% of the state’s registered voters was left vulnerable.
  7. White House Staff: A White House staffer wrote his email login and password on official White House stationery — and then accidentally left the document at a Washington, D.C. bus stop.
  8. Google: An engineering student from India hacked one of Google’s pages and got access to a TV broadcast satellite. He didn’t need much skill, just the ability to log into a Google admin page from his mobile device using a blank username and password.
  9. United Nations: U.N. staff were using Trello, Jira, and Google Docs to collaborate on projects, but forgot to password protect many of their documents. 
  10. University of Cambridge: A plaintext password left on GitHub allowed anyone to access the data of millions of people being studied by the university’s researchers. 

Here are the lessons you should learn, says Dashlane CEO Emmanuel Schalit.

  1. Password protect all accounts: Whether it’s a server, email account, or an app, you should always secure your data with passwords as they’re the first, and often only, line of defense between hackers and your personal information.
  2. Use strong passwords: Never use passwords that are easy to guess or that contain names, proper nouns, or things people can easily research about you.
  3. Never reuse passwords: Every one of your accounts needs a unique password. 

Facebook’s Network Attack | Here’s What You Should Know | 10.28.2018 https://smallbusiness.com/security/facebooks-network-attack-heres-what-you-should-know/ Fri, 28 Sep 2018 19:05:40 +0000 https://smallbusiness.com/?p=33005

Facebook today (Friday, 9.28.2018) said an attack on its network led to the exposure of information from nearly 50 million of its users. Company engineers first discovered the security issue on Tuesday. “We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security,” Guy Rosen, vice president of product management, said in a Facebook statement.


What the attackers did

The attackers exploited a feature in Facebook’s code. The exploit allowed them to steal Facebook “access tokens,” which are like digital “keys” that enable people to stay logged in to Facebook without needing to re-enter a password every time they use the application. The company said it did not know the origin or identity of the attackers, nor had it fully assessed the scope of the attack.

What Facebook has done in response to the attack

According to Facebook, these are the steps the company has taken since discovering the attack.

1 | Fixed the vulnerability and informed law enforcement.

2 | Reset the access tokens of the almost 50 million accounts Facebook knows were affected to protect their security.

3 | Reset access tokens for another 40 million accounts as a precaution (meaning that 90 million accounts must log back in).
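The mechanism behind steps 2 and 3 is worth seeing in code. The block below is an added illustration of how a service can revoke stay-logged-in tokens in bulk; it is not Facebook’s implementation and the token format, key and user identifiers are assumptions. Each token is an HMAC-signed set of claims that records a per-user “generation” number; a reset bumps that number, so every token issued before the reset fails verification and the user has to log in again.

```python
"""Stay-logged-in access tokens that a server can revoke in bulk.
Added illustration, not Facebook's code: tokens are HMAC-signed claims carrying
a per-user 'generation' number; bumping the number invalidates every token
issued before the reset, which forces a fresh login."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Iterable, Optional


class TokenService:
    def __init__(self, signing_key: bytes, ttl_seconds: int = 30 * 24 * 3600):
        self._key = signing_key
        self._ttl = ttl_seconds
        self._generation: Dict[str, int] = {}  # user_id -> current generation

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Mint a token bound to the user's current generation."""
        now = time.time() if now is None else now
        claims = {"sub": user_id,
                  "gen": self._generation.setdefault(user_id, 0),
                  "exp": int(now) + self._ttl}
        body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        enc = base64.urlsafe_b64encode
        return (enc(body) + b"." + enc(self._sign(body))).decode()

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a valid token, else None."""
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.encode().split(b".", 1)
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, binascii.Error):
            return None
        if not hmac.compare_digest(sig, self._sign(body)):  # verify before parsing
            return None
        claims = json.loads(body)
        if claims["exp"] < now:
            return None
        if claims["gen"] != self._generation.get(claims["sub"], 0):
            return None  # issued before the user's last reset
        return claims["sub"]

    def reset_tokens(self, user_id: str) -> None:
        """Invalidate every outstanding token for one user."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1

    def reset_many(self, user_ids: Iterable[str]) -> int:
        """Bulk reset, the shape of 'reset tokens for 50 million plus 40 million accounts'."""
        count = 0
        for uid in user_ids:
            self.reset_tokens(uid)
            count += 1
        return count


if __name__ == "__main__":
    svc = TokenService(b"constructed-demo-key", ttl_seconds=3600)  # assumed key
    tok = svc.issue("alice", now=1_000_000)
    print("before reset:", svc.verify(tok, now=1_000_100))
    svc.reset_many(["alice", "bob"])
    print("after reset: ", svc.verify(tok, now=1_000_100))
```

The generation counter is the only server-side state, so a reset is one increment per account rather than a search through every token ever issued. A real deployment would persist the counter and the signing key and would rotate the key on a schedule.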

What Facebook says you should do

Log back into Facebook | Around 90 million people will now have to log back in to Facebook, or to any of their apps that use Facebook Login.

Look for the notification | After you log back in, you will get a notification at the top of your News Feed explaining what happened.

If necessary, visit the Facebook Help Center | If you are having trouble logging back into Facebook — for example, because you’ve forgotten your password — visit the Facebook Help Center.


If you don’t see the notification and want to take the precautionary action of logging out of Facebook, visit the “Security and Login” section in settings. It lists the places you are logged into Facebook with a one-click option to log out of them all.


Stop Using These Easy to Hack Password Practices & What to Do Instead | 2018 https://smallbusiness.com/security/bad-passwords/ Thu, 21 Jun 2018 07:00:23 +0000 https://smallbusiness.com/?p=32003

Using a database of 61.5 million anonymized passwords, researchers at the password management service Dashlane uncovered some troubling password patterns. The researchers examined the data for the simple mistakes that people continue to make with the passwords they use in daily life.


“It is difficult for humans to memorize unique passwords for the 150+ accounts the average person has,“ said Dr. Gang Wang, Virginia Tech computer scientist who used the list for academic research. “Inevitably, people reuse or slightly modify them, which is a dangerous practice.”

Troubling passwords found by the researchers

1 | Pervasive “password walking”

A high frequency of passwords contained combinations of letters, numbers, and symbols that sit next to one another on the keyboard. With this practice, known as “password walking,” the user simply drags one finger (typically the pinky or ring finger of the left hand) across adjacent keys to type the entire password. In addition to well-known walks like “qwerty” and “123456,” Dashlane’s researchers uncovered several other combinations that are frequently used:

  • 1q2w3e4r
  • 1qaz2wsx
  • 1qazxsw2
  • zaq12wsx
  • !qaz2wsx
  • 1qaz@wsx

Problematic Passwords: Password Walking

2 | Love and hate

The researchers uncovered passwords related to love, as well as aggressive and vulgar language. The ten most frequent love/hate-related passwords:

  1. iloveyou
  2. f*ckyou
  3. a**hole
  4. f*ckoff
  5. iloveme
  6. trustno1
  7. beautiful
  8. ihateyou
  9. bullsh*t
  10. lovelove

3 | Branded passwords

The ten most frequent brand-related passwords:

  1. myspace (a holdover from a previous era)
  2. mustang
  3. linkedin
  4. ferrari
  5. playboy
  6. mercedes
  7. cocacola
  8. snickers
  9. corvette
  10. skittles

4 | Music and movies

Pop culture references are prevalent. The ten most frequent pop culture passwords:

  1. superman
  2. pokemon
  3. slipknot
  4. starwars
  5. metallica
  6. nirvana
  7. blink182
  8. spiderman
  9. greenday
  10. rockstar

Dashlane’s suggestions for improving your passwords

  • Use a unique password for every online account
  • Generate passwords that exceed the minimum of 8 characters
  • Create passwords with a mix of case-sensitive letters, numbers, and special symbols
  • Avoid using passwords that contain common phrases, slang, places, or names
  • Use a password manager to help generate, store, and manage your passwords
  • Never use an unsecured Wi-Fi connection
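The patterns above (and Schalit’s three lessons in the 2018 blunders article) can be checked mechanically. The block below is an added example, not Dashlane’s code: it flags keyboard walks by mapping characters to physical key positions, unmasks common leetspeak before matching the love/hate, brand and pop-culture words from the lists above, checks length and character mix, and groups accounts whose passwords share a stem, which is how “slightly modified” reuse shows up. The keyboard offsets, the 12-character minimum and the 50% walk threshold are assumptions.

```python
"""Password audit for the patterns in the article: keyboard walking, common
words (with leetspeak unmasked), weak composition, and near-reuse across accounts.
Added example, not Dashlane's code; layout offsets and thresholds are assumptions."""
import re
from typing import Dict, List, Tuple

# QWERTY rows as (unshifted, shifted, x-offset of the first key). The offsets
# approximate the physical stagger so that "1qaz" and "2wsx" count as walks.
_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+", 0.0),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|", 1.5),
    ("asdfghjkl;'", 'ASDFGHJKL:"', 1.75),
    ("zxcvbnm,./", "ZXCVBNM<>?", 2.25),
]
_KEY_POS: Dict[str, Tuple[float, int]] = {}
for _y, (_plain, _shift, _x0) in enumerate(_ROWS):
    for _x, (_p, _s) in enumerate(zip(_plain, _shift)):
        _KEY_POS[_p] = _KEY_POS[_s] = (_x0 + _x, _y)  # shifted chars share the key


def _adjacent(a: str, b: str) -> bool:
    """True when a and b are different keys that touch on the keyboard."""
    pa, pb = _KEY_POS.get(a), _KEY_POS.get(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1.0 and abs(pa[1] - pb[1]) <= 1


def keyboard_walk_coverage(pw: str, min_run: int = 4) -> float:
    """Fraction of characters that lie inside a run of at least min_run adjacent keys."""
    if not pw:
        return 0.0
    covered, run = 0, 1
    for i in range(1, len(pw) + 1):
        if i < len(pw) and _adjacent(pw[i - 1], pw[i]):
            run += 1
            continue
        if run >= min_run:
            covered += run
        run = 1
    return covered / len(pw)


# Substitutions cracking tools try anyway; undone before dictionary matching.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i", "|": "l"})


def _letters(pw: str) -> str:
    return re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))


# Words from the article's love/hate, brand and pop-culture lists (digits dropped),
# plus "password" itself.
COMMON_WORDS = (
    "iloveyou", "iloveme", "trustno", "beautiful", "ihateyou", "lovelove",
    "myspace", "mustang", "linkedin", "ferrari", "playboy", "mercedes",
    "cocacola", "snickers", "corvette", "skittles", "superman", "pokemon",
    "slipknot", "starwars", "metallica", "nirvana", "blink", "spiderman",
    "greenday", "rockstar", "password",
)
MIN_LENGTH = 12  # assumption: stricter than the article's "exceed 8 characters"


def audit_password(pw: str) -> List[str]:
    """Return the weaknesses found; an empty list means no finding."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short ({len(pw)} < {MIN_LENGTH})")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        findings.append("fewer than 3 character classes")
    cov = keyboard_walk_coverage(pw)
    if cov >= 0.5:
        findings.append(f"keyboard walk ({cov:.0%} of characters)")
    letters = _letters(pw)
    hit = next((w for w in COMMON_WORDS if w in letters), None)
    if hit:
        findings.append(f"contains common word '{hit}'")
    return findings


def password_stem(pw: str) -> str:
    """Strip the digits and symbols people bolt onto a reused base word."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    letters = _letters(core)
    return letters if len(letters) >= 4 else pw.lower()


def find_reuse(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts whose passwords share a stem (exact or 'slightly modified' reuse)."""
    groups: Dict[str, List[str]] = {}
    for account, pw in vault.items():
        groups.setdefault(password_stem(pw), []).append(account)
    return {stem: accts for stem, accts in groups.items() if len(accts) > 1}


if __name__ == "__main__":
    for candidate in ("1qaz2wsx", "Sup3rman!2019", "Vx9#qLm2!tRw7$pZ"):
        print(candidate, "->", audit_password(candidate) or "ok")
    # Constructed sample vault, not real credentials.
    print(find_reuse({"email": "Mustang2017!", "bank": "mustang2018",
                      "shop": "Mu5tang!", "vpn": "Vx9#qLm2!tRw7$pZ"}))
```

The walk detector is layout-specific (QWERTY); running the same check for a user on AZERTY or a phone keyboard needs its own position table. Matching on the leet-normalised letters rather than the raw string is what makes “Sup3rman!2019” fail, which a naive blacklist would pass.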
Russian Cyber Teams Are Infiltrating Small Business Computer Networks. What You Should Do! | May 2018 https://smallbusiness.com/computers/us-computer-emergency-small-business/ Tue, 24 Apr 2018 18:24:22 +0000 https://smallbusiness.com/?p=31526  


The U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) has recently warned that Russian cyber teams have been infiltrating home and small business networks, compromising routers, switches and firewalls through vulnerable device software and protocols like:

In its warning, US-CERT says the FBI has “high confidence” that Russian state-sponsored cyber actors are using compromised routers “to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.”


What methods are the Russian cyber teams using?

In an interview with NPR, Jeanette Manfra, the Department of Homeland Security’s cybersecurity chief, warned that one technique they are using to compromise security is spoofing. “It allows an actor to pretend that they’re the computer or the device that you think you’re talking to, so they get into the middle of a connection between two different devices, and they can spy on the traffic that is going back and forth, they can manipulate the traffic,” she says.

Targets of the attacks were described as “primarily government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors.”


What actions should a small business take?

Look for the brand name of your network devices | Write down the make and model of each device (your router, for instance).

Contact your support service | If you have an individual or company that provides network support or maintains your network, check with them first.

Seek instructions on the website of your network device’s vendor | Vendors of routers and switches are putting out guidance specific to the make and model of their products. Download the instructions or updates they provide.


Nearly Half of Businesses Have Been Victims of Cyberattacks (But Didn’t Know It) | 2017 https://smallbusiness.com/security/small-business-cyberattack-resarch/ Thu, 12 Oct 2017 16:11:35 +0000 https://smallbusiness.com/?p=29523

According to a recently released survey from Nationwide Insurance on cybersecurity and small business, being the victim of a cyberattack can be costly to your company both in time and money.

20% | Percentage of cyberattack victims who spent $50,000+ recovering from the cyberattack
7% | Victims who spent more than $100,000 recovering from the cyberattack


“Cyberattacks are some of the greatest threats to the modern company,” said Mark Berven, president of Property & Casualty for Nationwide. “Business owners are telling us that cybercriminals aren’t just attacking large corporations on Wall Street. They’re also targeting smaller companies on Main Street that often have fewer defense mechanisms in place, less available capital to re-invest in new systems and less name recognition to rebuild a damaged reputation.”


Part of the problem facing a business’ ability to recover from an attack is that a majority of owners are not prepared.

76% | The percentage of businesses that don’t have a cyber attack response plan
57% | Don’t have a plan to protect employee data
54% | Don’t have a plan to protect customer data


Good intentions, bad execution

The vast majority of business owners say it’s important to establish recommended cybersecurity best practices. Unfortunately, far fewer actually establish such practices.

85% | Percentage of small businesses who say it’s important to protect their company’s computers against viruses, spyware and other malicious code
65% | Percentage of small businesses who actually protect their company’s computers

85% | Say it’s important to secure their company’s computer
58% | Actually secure their company’s computers

85% | Say it’s important to make regular backups of business data and information
59% | Actually make regular backups of business data and information

83% | Say it’s important to establish security practices and policies to protect sensitive information
50% | Actually establish security practices and policies

81% | Say it’s important to control physical access to computers and network components
60% | Actually control physical access to computers and network components

80% | Say it’s important to require employees to use strong passwords and to change them often
52% |  Actually require employees to do so


Perception vs. Reality

The survey respondents were given the chance to say in two different ways if their companies had been the victim of a cyberattack: First, in an “unaided” way in which they were not given examples of specific types of cyberattacks and second when they were aided with examples.

13% | Percentage of business owners who said they had been a victim of a cyber-attack when asked without being given examples of such attacks.
58% | Percentage of owner-victims when provided a list of the following types of attacks (the list below).

When given specific examples of what cyber-attacks encompass, here are the percentage of participants in the survey who had experienced each attack.

36% | Computer virus
29% | Phishing
13% | Trojan horse
12% | Hacking
7% | Data breach
7% | Ransomware
7% | Issues due to unpatched software
6% | Unauthorized access to customer info


How Does Your Small Business’ Cybersecurity Measure Up to This Checklist From the FCC? | 2017 https://smallbusiness.com/security/security-small-business/ Wed, 20 Sep 2017 19:38:54 +0000 https://smallbusiness.com/?p=29228

Broadband and information technology are powerful factors in small businesses reaching new markets and increasing productivity. However, as the breach of Equifax clearly shows, small businesses need a cybersecurity strategy to protect their own business, their customers, and their data from growing cybersecurity threats. Here are ten cybersecurity tips for small businesses from the U.S. Federal Communications Commission. If you are not comfortable with technology or find some of these tips hard to understand, schedule some time with your tech-support advisor to review how your company stacks up to these recommendations.


1. Train employees in security principles

Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.

2. Keep your machines clean

Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available. (Equifax not updating their software is what enabled cybercriminals to breach their data.)

3. Provide firewall security for your Internet connection

A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.

4. Create a mobile device action plan

Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.

5. Make backup copies of important business data and information

Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.

6. Control physical access to your computers and create user accounts for each employee

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

7. Secure your Wi-Fi networks

If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router, so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.

8. Employ best practices on payment cards

Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.

9. Limit employee access to data and information, limit authority to install software

Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.

10. Passwords and authentication

Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.
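Item 10’s “additional information beyond a password” is, in most vendor offerings, a six-digit code from an authenticator app. The block below is an added example, not FCC code, of how that second factor works and how a login checks both factors: HOTP (RFC 4226) and TOTP (RFC 6238) computed with HMAC-SHA1, a server-side enrolment and verification class that tolerates one step of clock drift and rejects a replayed code, and a password check using PBKDF2. The user store, the PBKDF2 settings and the sample user are assumptions; the test values are the RFC test vectors.

```python
"""Second factor for logins: HOTP (RFC 4226) and TOTP (RFC 6238) as used by
authenticator apps, plus a password+code login check. Added example for the
checklist's item 10, not FCC code; user store and PBKDF2 settings are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step, digits)


class SecondFactor:
    """Server side of TOTP: one secret per user, +/-window steps of drift, no code replay."""

    def __init__(self, step: int = 30, window: int = 1):
        self._step, self._window = step, window
        self._secret: Dict[str, bytes] = {}
        self._last_counter: Dict[str, int] = {}

    def enroll(self, user: str, secret: Optional[bytes] = None) -> str:
        secret = secret or secrets.token_bytes(20)
        self._secret[user] = secret
        self._last_counter[user] = -1
        return base64.b32encode(secret).decode()  # what the authenticator app imports

    def verify(self, user: str, code: str, at: Optional[float] = None) -> bool:
        if user not in self._secret:
            return False
        at = time.time() if at is None else at
        counter = int(at) // self._step
        for drift in range(-self._window, self._window + 1):
            c = counter + drift
            if c <= self._last_counter[user]:
                continue  # that time step was already used: reject replays
            if hmac.compare_digest(hotp(self._secret[user], c), code):
                self._last_counter[user] = c
                return True
        return False


def register(users: Dict[str, dict], user: str, password: str) -> None:
    """Store a salted PBKDF2-SHA256 hash; the iteration count is an assumed setting."""
    salt = secrets.token_bytes(16)
    users[user] = {"salt": salt,
                   "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)}


def login(users: Dict[str, dict], mfa: SecondFactor, user: str,
          password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass; the code is only consumed if the password was right."""
    rec = users.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    if not hmac.compare_digest(digest, rec["hash"]):
        return False
    return mfa.verify(user, code, at)


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    mfa = SecondFactor()
    register(users, "alice", "correct horse battery staple")  # constructed sample user
    secret = secrets.token_bytes(20)
    print("provisioning secret:", mfa.enroll("alice", secret))
    now = time.time()
    code = totp(secret, now)  # what the phone would display right now
    print("login:", login(users, mfa, "alice", "correct horse battery staple", code, now))
    print("replay:", login(users, mfa, "alice", "correct horse battery staple", code, now))
```

The secret returned by enroll is what the QR code in a vendor’s MFA setup encodes; the server keeps the raw bytes and never the codes. One caveat on the same item: the quarterly forced password change it recommends is something NIST’s current guidance (SP 800-63B) no longer advises; unique passwords plus a second factor, as above, do more than rotation.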

VIA | U.S. Federal Communications Commission
