TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Fake Software Ads Used To Distribute Malware

Google is most people’s first port of call for help or information online – something cyber criminals are using to their advantage.

Specifically, they are targeting Google ads, impersonating campaigns for popular software such as Grammarly, Slack, Ring, and many others. This is nothing to do with those companies, but to the untrained eye they look like the real deal… which is how they’re tricking people into clicking the ads.

If you’re not using an ad blocker, you’ll see promoted pages at the top of your Google search results. These look almost identical to the non-promoted, down page organic search results, so you or your people could easily be tempted to click.

It’s a complicated scam. Criminals clone the official software websites, but instead of distributing the genuine product, when you click download they install ‘trojanized’ versions. That’s geek speak for malware that disguises itself as real software.

Google is working to protect us by blocking campaigns it’s able to identify as malicious. But criminals have tricky ways around that too.

Ads first take you to a benign-looking website – which the crooks have created. This then redirects you to a malicious site that convincingly impersonates a genuine page. That’s where the malware lurks waiting for a click, beyond Google’s reach.

Worse, in many cases, you’ll still get the software you’re trying to download, along with a hidden payload of malware. That makes it harder to tell that your device or network has been infected and may give the malware longer to do its job.

To stay protected, train your team about the dangers and make sure everyone is on the lookout for anything that doesn’t seem quite right.

Encourage people to scroll down the Google results until they find the official domain of the company they’re looking for, and make it a policy that people seek permission before downloading any software – no matter how innocent it may seem.

You could also consider using an ad blocker in your browser. That will filter out any promoted results from your Google search for some extra peace of mind.

For help and advice with training, software policies and network security give us a call.

Six Immediate Steps You Should Take If Your Netflix Account Is Hacked

Netflix is one of the most popular and well-known streaming services. The platform has become an essential part of many people’s daily entertainment routines. Unfortunately, like any online service, Netflix accounts can be vulnerable to hacking.

You might not think something as benign as Netflix could represent a security risk to your business. In most cases, your company laptop (as well as any devices your spouse or children might use) are connected to the same home network as your streaming services. This gives cyber-criminals an easy way to gain a foothold into your equipment.

Hackers take advantage of “phishing overload.” Once they breach your account, they’re usually quiet for a bit, hoping you’ll mistake the Netflix suspicious login warning for a fake.

Here are some things to do right away if you fear your account is hacked:
1. Go to the Netflix site & try to log in.
2. If you can log in, change your password immediately.
3. If you can log in, remove any strange payment methods
4. Contact Netflix support and let them know that you think you’ve been compromised (don’t skip this step).
5. Watch your bank statements.
6. Change the password for other accounts that used the same one as your Netflix account.

Is Your Online Shopping App Invading Your Privacy?

Online shopping has become a common activity for many people. It’s convenient, easy, and allows us to buy items from the comfort of our homes. But with the rise of online shopping, there are concerns about privacy and security.

Not all shopping apps are created equally. Often people get excited and install an app without checking privacy practices. Apps can collect more data from your smartphone than you realize. Whether you use your phone for personal use, business use, or both, your data can be at risk. So can your privacy.

Recently, security experts found a popular shopping app spying on users’ copy-and-paste activity. This app was tracking users’ keystrokes, screenshots, and even their GPS location. This raises the question: Is your online shopping app invading your privacy?

SHEIN is the app in question, and it’s a popular shopping app with millions of users. According to reports, researchers found the app collecting data from users’ clipboards. This included any text that users copied and pasted. This means that if the user copied and pasted sensitive information, the app would have access to it.

Including things like passwords or credit card numbers.

Not only that but the app was also found to be tracking users’ GPS location. SHEIN was also collecting data from device sensors, including the accelerometer and gyroscope. This means that the app was able to track users’ movements. As well as collecting information about how they were using their device.

The app’s developers claimed that the data collection was for “optimizing user experience.” A very vague explanation that’s used by other app developers as well.

The developers stated that the collected data was only used for internal purposes. But this explanation wasn’t enough to please privacy experts. Those experts raised concerns about the app’s data collection practices.

This isn’t the first time people caught an app grabbing data without users’ knowledge. Many popular apps collect data from their users, often for targeted advertising purposes.

The popularity of the shopping app Temu has been exploding recently. Since the app appeared in a Superbowl Ad in 2023, people have been flocking to it.

But Temu is another shopping app with questionable data collection practices. Some of the data that Temu collects includes:

  • Your name, address, phone number
  • Details you enter, like birthday, photo, and social profiles
  • Your phone’s operating system and version
  • Your IPS address and GPS location (if enabled)
  • Your browsing data

Here are some tips to protect your privacy when using shopping apps.

Know what you’re getting into (read the privacy policy)

Yes, it’s hard to stop and read a long privacy policy. But, if you don’t, you could end up sharing a lot more than you realize.

Turn off sharing features

Turn off any data-sharing features you don’t need in your phone’s settings, such as location services. Most smartphones allow you to choose which apps you want to use it with.

Remove apps you don’t use

If you’re not using the app regularly, remove it from your phone. Having unused apps on your phone is a big risk.

Research apps before you download

It’s easy to get caught up in a fad. You hear your friend talk about an app, and you want to check it out. But it pays to research before you download.

Shop on a website instead

You can limit the dangerous data collection of shopping apps by using a website instead. Most legitimate companies have an official website.

Learn How To Fight Business Email Compromise

A significant cyber threat facing businesses today is Business Email Compromise (BEC). BEC attacks jumped 81% in 2022, and as many as 98% of employees fail to report the threat.

What is business email compromise (BEC)?

BEC is a type of scam in which criminals use email fraud to target victims. These victims include both businesses and individuals. They especially target those who perform wire transfer payments.

BEC attacks are usually well-crafted and sophisticated, making it difficult to identify them. The attacker first researches the target organization and its employees online. They gain knowledge about the company’s operations, suppliers, customers, and business partners.

The scammer pretends to be a high-level executive or business partner. Scammers send emails to employees, customers, or vendors.

These emails request them to make payments or transfer funds in some form.

The email will often contain a sense of urgency, compelling the recipient to act quickly. The attacker may also use social engineering tactics. Such as posing as a trusted contact or creating a fake website that mimics the company’s site. These tactics make the email seem more legitimate.

According to the FBI, BEC scams cost businesses about $2.4 billion in 2021.

These scams can cause severe financial damage to businesses and individuals. They can also harm their reputations.

How to fight business email compromise

BEC scams can be challenging to prevent. But there are measures businesses and individuals can take to cut the risk of falling victim to them.

  • Educate employees
  • Enable email authentication
  • Deploy a payment verification processes
  • Check financial transactions
  • Establish a response plan
  • Use anti-phishing software

Get ready for the unexpected

If your business suffers an email compromise or a ransomware attack tomorrow, do you have a contingency plan in case of any disasters? The unexpected can happen anytime, and small businesses can get hit particularly hard.

Here are ten helpful tips to get ready for anything:

  1. Create a contingency plan
  2. Maintain adequate insurance coverage
  3. Diversify your revenue streams
  4. Build strong relationships with suppliers
  5. Keep cash reserves
  6. Build strong outsourcing relationships
  7. Check your financials regularly
  8. Invest in technology
  9. Train employees for emergencies
  10. Stay up to date on regulatory requirements

Thinking Of Moving Offices Or Going 100% Remote?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Has hybrid and remote working left you and your team rattling around an office that’s too big?

If you’re now in the position of overspending on rent, utilities and cleaning, you might be thinking about downsizing to another location – or even abandoning the office completely.

That’s something that will take some planning if you want a smooth transition with minimal, expensive downtime.

Moves are always stressful, and relocating your IT systems takes a bit more thought than manhandling a desk up the stairs.

So here are our top three suggestions to make it easier to shift your IT setup to a new location.

[Read more…] about Thinking Of Moving Offices Or Going 100% Remote?

Is It Time To Ditch The Passwords For More Secure Passkeys?

Passwords are the most used method of authentication, but they are also one of the weakest.

Passwords are often easy to guess or steal. Also, many people use the same password across several accounts. This makes them vulnerable to cyber-attacks.

The sheer volume of passwords that people need to remember is large. This leads to habits that make it easier for criminals to breach passwords. Such as creating weak passwords and storing passwords in a non-secure way.

61% of all data breaches involve stolen or hacked login credentials.

In recent years a better solution has emerged – passkeys. Passkeys are more secure than passwords. They also provide a more convenient way of logging into your accounts.

Passkeys work by generating a unique code for each login attempt. This code is then validated by the server. This code is created using a combination of information about the user and the device they are using to log in.

You can think of passkeys as a digital credential. A passkey allows someone to authenticate in a web service or a cloud-based account. There is no need to enter a username and password.

This authentication technology leverages Web Authentication (WebAuthn). This is a core component of FIDO2, an authentication protocol. Instead of using a unique password, it uses public-key cryptography for user verification.

The user’s device stores the authentication key. This can be a computer, mobile device, or security key device. It is then used by sites that have passkeys enabled to log the user in.

More secure

One advantage of passkeys is that they are more secure than passwords.

Passkeys are more difficult to hack. This is true especially if the key generates from a combination of biometric and device data.

Biometric data can include things like facial recognition or fingerprint scans. Device information can include things like the device’s MAC address or location.

This makes it much harder for hackers to gain access to your accounts.

More convenient

Another advantage of passkeys over passwords is that they are more convenient. With password authentication, users often must remember many complex passwords. This can be difficult and time-consuming.

Forgetting passwords is common and doing a reset can slow an employee down. Each time a person has to reset their password, it takes an average of three minutes and 46 seconds.

Passkeys erase this problem by providing a single code. You can use that same code across all your accounts. This makes it much easier to log in to your accounts. It also reduces the likelihood of forgetting or misplacing your password, or worse, writing it down.

Phishing resistant

Credential phishing scams are prevalent. Scammers send emails that tell a user something is wrong with their account.

They click on a link that takes them to a disguised login page created to steal their username and password.

When a user is authenticating with a passkey instead, this won’t work on them. Even if a hacker had a user’s password, it wouldn’t matter. They would need the device passkey authentication to breach the account.

What Is Push Bombing And How Can You Prevent It?

In the fast-paced digital landscape, businesses both big and small face a multitude of challenges. One such emerging threat that has garnered significant attention is “push bombing.”

This practice involves bombarding a company’s push notification system with fraudulent or malicious requests, causing disruptions, overwhelming server capacities, and undermining user experiences.

Small companies, in particular, are vulnerable to the detrimental effects of push bombing as they often lack the resources and expertise to swiftly counteract such attacks.

Understanding push bombing

Push bombing refers to the deliberate act of flooding a company’s push notification system with an excessive number of requests, typically generated by automated scripts or bots.

These requests are intended to exhaust server resources, disrupt normal operations, and degrade the performance of legitimate notifications.

Push bombing can lead to a series of detrimental consequences for targeted businesses, including increased server costs, diminished user experience, loss of customer trust, and even reputational damage.

Small companies often face a unique set of challenges when dealing with push bombing attacks.

Limited budgets, scarce technological resources, and a lack of dedicated security personnel make it difficult for these businesses to respond effectively. Unlike larger enterprises, small companies may not have the financial means to invest in robust security systems or hire specialized personnel to address such threats.

Consequently, they become attractive targets for push bombing perpetrators seeking vulnerabilities to exploit.

Preventive measures for small businesses

While it may be challenging for small companies to completely eradicate the risk of push bombing, there are several key, low-cost preventive measures they can take to minimize the impact of such attacks:

Implement rate limiting: By setting thresholds for the number of push notifications allowed per second, small companies can regulate the flow of requests and prevent overwhelming their systems.

Rate limiting helps distinguish legitimate user requests from automated ones and ensures a more balanced distribution of server resources.

CAPTCHA implementation: Employing CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) in push notification sign-up forms can effectively deter automated bots from inundating the system with fake requests.

CAPTCHAs require users to complete a challenge, thus confirming their human presence and preventing malicious activities.

Monitor traffic patterns: Vigilant monitoring of network traffic can help small companies identify abnormal patterns indicative of a push bombing attack.
Employing security tools that provide real-time alerts and anomaly detection capabilities can enable proactive response and mitigation.

Two-factor authentication (2FA): Implementing 2FA for push notification subscriptions can add an extra layer of security. By requiring users to verify their identities through a secondary authentication method, such as SMS codes or email confirmations, small companies can significantly reduce the risk of unauthorized subscriptions by bots.

Collaborate with security experts: Small companies can benefit from partnering with reputable cybersecurity firms or consultants.

These experts can assist in conducting security assessments, implementing protective measures, and providing guidance on responding to push bombing attacks, thus augmenting the company’s overall security posture.

As digital threats continue to evolve, it is crucial for small companies to remain proactive in safeguarding their push notification systems against push bombing attacks.

By implementing preventative measures such as rate limiting, CAPTCHAs, traffic monitoring, 2FA, and seeking professional guidance, small businesses can fortify their defenses and mitigate the risks associated with push bombing.

As technology advances, it is essential for companies of all sizes to prioritize cybersecurity to maintain the trust and confidence of their customers, ensuring smooth operations and sustained growth in an increasingly digital world.

The Transformative Power Of Cloud Computing For Small Businesses

Small companies face numerous challenges, including limited resources, budget constraints, and the need to stay technologically relevant. Thankfully, advancements in technology have leveled the playing field, empowering small businesses with tools and solutions that were once only accessible to larger enterprises.

One such technology that has revolutionized the way businesses operate is cloud computing.

Cost savings

Traditional on-premises IT infrastructure can be expensive for small businesses, requiring significant upfront investments in hardware, software licenses, and maintenance.

Cloud computing offers a more cost-effective alternative. With cloud services, small businesses can leverage scalable resources and pay only for what they use, eliminating the need for infrastructure investments.

Collaboration and remote work

The ability to collaborate effectively is essential for small businesses to thrive.

Cloud computing facilitates seamless collaboration by providing a centralized platform accessible to employees from anywhere with an internet connection.

Cloud-based tools such as project management systems, document sharing platforms, and real-time communication apps enable teams to work together efficiently, regardless of their physical location.

This capability is especially valuable for small businesses with remote workers or distributed teams, fostering productivity and efficiency.

Data security

Protecting sensitive business data is a critical priority. Cloud computing offers robust security measures, including data encryption, regular backups, and advanced authentication protocols.

Storing data in the cloud reduces the risk of data loss due to hardware failures, theft, or natural disasters.

Cloud service providers typically have dedicated security teams and advanced threat detection systems, ensuring a higher level of data security than many small businesses can achieve on their own.

Flexibility and accessibility

Cloud computing provides small businesses with unparalleled flexibility and accessibility. Employees can access critical business applications and data from any device with an internet connection, enabling remote work and enhancing productivity. This flexibility also extends to the ability to quickly scale resources up or down based on business needs.

Cloud-based services also ensure that software and applications are regularly updated, eliminating the burden of manual updates and ensuring access to the latest features and security enhancements.

Competitive advantage

Adopting cloud technology can provide small businesses with a significant competitive advantage.

It allows smaller companies to access enterprise-level tools, applications, and infrastructure that were once exclusive to larger organizations.

This leveling of the playing field enables small businesses to innovate, streamline operations, and deliver enhanced customer experiences.

Cloud computing has emerged as a transformative technology for small businesses, offering a wide array of benefits, including scalability, cost efficiency, enhanced collaboration, data security, and improved flexibility.

By embracing cloud services, small businesses can leverage the power of advanced IT infrastructure without the burdensome costs and complexities associated with traditional on-premises solutions.

The cloud empowers small businesses to compete effectively, drive innovation, and achieve growth in an increasingly digital and interconnected world.

A Four-Day Week Doesn’t Mean Four-Day Security

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Are you one of the many companies around the world that’s looking at a four-day working week? Perhaps you’ve already made the leap.

Or, do you find that your team takes more time off during the summer months?

For lots of businesses, it’s never going to work. But those that have tried it have generally found it to be hugely positive. It improves your employees’ experience, making them more loyal, engaged, and productive.

It can help to attract and retain better talent, while improving your brand reputation. And let’s not ignore the cost savings of shutting down the office for an extra day.

But it has to be done right. Forcing people to cram the same amount of work into fewer hours could be a recipe for burnout and exhaustion.

That can lead to corners being cut, which in turn could lead to a cyber security disaster. Even if processes aren’t being intentionally skipped, human error due to a lapse in concentration becomes inevitable. [Read more…] about A Four-Day Week Doesn’t Mean Four-Day Security

What Is App Fatigue And Why Is It A Security Issue?

The number of apps and web tools that employees use on a regular basis continues to increase. Most departments have about 40-60 different digital tools that they use. 71% of employees feel they use so many apps that it makes work more complex.

Many of the apps that we use every day have various alerts. We get a “ping” when someone mentions our name on a Teams channel. We get a notification popup that an update is available. We get an alert of errors or security issues.

App fatigue is a very real thing and it’s becoming a cybersecurity problem. The more people get overwhelmed by notifications, the more likely they are to ignore them.
Just think about the various digital alerts that you get.

They come in:

  • Software apps on your computer
  • Web-based SaaS tools
  • Websites where you’ve allowed alerts
  • Mobile apps and tools
  • Email banners
  • Text messages
  • Team communication tools such as Slack or Teams

Some employees are getting the same notification on two different devices. This just adds to the problem.

This leads to many issues that impact productivity and cybersecurity. Besides alert bombardment, every time the boss introduces a new app, that means a new password.

Estimates are that the average employees is already juggling about 191 passwords. They use at least 154 of them sometime during the month.

How Does App Fatigue Put Companies at Risk?

Employees Begin Ignoring Updates

When digital alerts interrupt your work, you can feel like you’re always behind. This leads to ignoring small tasks seen as not time-sensitive. Tasks like clicking to install an app update.

Employees overwhelmed with too many app alerts tend to ignore them. When updates come up, they may quickly click them away. They feel they can’t spare the time right now and aren’t sure how long it will take.

Ignoring app updates on a device is dangerous. Many of those updates include important security patches for found vulnerabilities.

When they’re not installed, the device and its network are at a higher risk. It becomes easier to suffer a successful cyberattack.

Employees Reuse Passwords (and They’re Often Weak)

Another security casualty of app fatigue is password security.

The more SaaS accounts someone must create, the more likely they are to reuse passwords. It’s estimated that passwords are typically reused 64% of the time.

Credential breach is a key driver of cloud data breaches. Hackers can easily crack weak passwords. The same password used several times leaves many accounts at risk.

Employees May Turn Off Alerts

Some alerts are okay to turn off. For example, do you really need to know every time someone responds to a group thread?

But, turning off important security alerts is not good.

There comes a breaking point when one more push notification can push someone over the edge.

What’s the Answer to App Fatigue?

It’s not realistic to just go backward in time before all these apps were around.

But you can put a strategy in place that puts people in charge of their tech, and not the other way around.

  • Streamline your business applications
  • Have your IT team set up notifications
  • Automate application updates
  • Open a two-way communication about alerts