Old Haunts, New Terrors! An Expert’s Tricks and Treats for Avoiding Cyber Scams

By Jason Adams, T-Mobile Stories

October 28, 2022

October is known for ghoulish fun. But in the wrong hands, the month can conjure up some real scares, with scammers the ones knocking at your door. Thankfully, Halloween falls within Cybersecurity Month, and here our expert offers some tips for keeping yourself — and your mobile device — free of any horrors.

Carrie Kerskie doesn’t scare easily. The identity theft protection expert has dedicated her life to staying one step ahead of fraudsters, scammers and other evil-doers who lurk behind the mask of technology, and has spent the last 15 years as president of the Kerskie Group, a leading identity theft restoration and consulting company. As a published author and host of the podcast and YouTube series Privacy Mentor, Kerskie has also given tons of advice to us mobile-first creatures, such as how to avoid those using slick scams to take advantage of people left vulnerable during the pandemic and how to prepare yourself for high-volume phone fraud periods like tax season.

And it turns out October isn’t just spooky season because of all the pumpkin spice either (we kid!). Scammers begin their traditional uptick at the start of the holiday season, and Carrie says being aware of what new cyber and phone fraud trends to look out for is your biggest defense against unwanted tricksters.

“That’s why I appreciate opportunities like this,” she says of the interview we’re just sitting down for, “because the more that we can get this information out there the better … and unfortunately when it comes to technology and privacy and identity theft, the same old advice that was given 10, 15 years ago is still the gospel of what you’re supposed to do. And that is outdated. None of it works. It’s not true, it’s not relevant anymore.”

Carrie shares her latest expert intel to help us all avoid being ghosted by scary scammers looking to take more than all your Halloween candy, and upend the rest of your holiday season too.

October is Cybersecurity Awareness Month, and more or less the unofficial beginning to the holiday scam season. To start off, I was just wondering if there are a few simple things that come to mind that people can do right now to bolster their protection against cybersecurity attacks?

Three major things to remember: Educate, Evaluate and Eliminate.

  • Educate. That’s easy: Awareness. Realize what you don’t know. Figure out ways that you can improve that. And then share what you know with others. When you have an incident or if you learn something new, a new threat or skill, share that. It’s a cycle that just keeps revolving because now you know these things and can share it with everyone else and the more you know, the better chances you are going to have to recognize when you're faced with one of these threats.
  • Evaluate. That’s where we weigh privacy versus convenience. If it’s easy for you, it’s easy for a criminal. Privacy means you’re going to have strong and unique passwords, minimum of 12 characters, and for PINs use random numbers and take advantage of extra security. I also suggest using multi-factor authentication when it’s available. If it takes you one step to log into your online account, that’s how many steps it’s going to take the bad guys to break in too. But if they have to jump through five hoops, they’re going to say, “Forget this, I’m going over to this other guy. He only has one hoop.”
  • Eliminate. It means validate or eliminate whatever you come across, whether it’s email, text message, phone call or even a letter in the mail. If you can’t confirm that information to be true or confirm the senders, then get rid of it, throw it away.

Now that we’ve laid the groundwork here, what’s been keeping you up nights lately?

In the past, you used to have identity theft, frauds and scams, and cyber threats. Now, they all merged. It’s all pretty much one and the same because they use one to commit the other. Some of the big things that we continue to see are account takeovers where the criminals are getting access to bank accounts, mobile phone accounts, credit card accounts, Amazon accounts, you name it. And with the bank accounts, a huge trend has come because the banks now use a P2P or person-to-person payment platform. Even if you don’t use a P2P and never activate it, if someone does an account takeover, they get access to your bank account and will activate the P2P and use it to transfer money.

Another one that continues to be a risk is remote-access software. The software itself is not the risk, as many remote workers use it with their company’s IT departments, but it’s the fact that the criminals are using this software in their scams.

You’ll get a link or you’ll have a pop-up on your computer and it’ll say, “There’s a problem with your computer.” Or you’ll get a call from someone pretending to be your bank saying, “Did you initiate this wire transfer?” You say, “No, that wasn’t me.” Then they say, “Okay, great. What we need to do, because we think it came from your IP address, is we need to check your computer. I’m going to send you to our tech department and they’re going to check your computer for you.” And at no point in time during these phone scams are they asking for credit card information, bank account information, your social security number. That’s a new tactic because in the past we used to say, if they asked for anything sensitive, hang up. They’re not asking for that anymore. They’re turning these more into trust campaigns where they’re building up your trust because they’re not having those red flags.

They get you to install this remote access software and what it does is it gives the criminal access to your computer and everything on it. So when you go to bed, they fire up your computer and they just open up your browser, look at the history, look at your bookmarks. And for most people it’s their bank accounts or brokerage accounts, mobile phone accounts and whatnot. And if you store your passwords in your browser, now they’re into all of your accounts.

To remove remote access software you actually have to go and look at your installed programs or apps, depending on what type of device you’re using, and look for remote access software programs. I recommend when you’re looking through the installed programs, if you see a name that you don’t recognize, do an internet search. If it says it has anything to do with remote access software, you need to delete the app or uninstall the program.

Apps are nothing more than the software programs you would install on a computer except it’s on a phone. People think they’re two different things and they think the computer software downloads are more vulnerable than an app. They’re not. They’re the same. So what you need to do is before you download any apps, first ask yourself, do you really need it?

Another example is public Wi-Fi. I know a lot of times people will go to coffee shops or libraries and they will use the Wi-Fi. The exact same things that can happen with a laptop on Wi-Fi can happen with the smartphone that is using Wi-Fi instead of the phone’s wireless data. So you’re better off getting an unlimited or larger data plan because it’s much safer than using the public Wi-Fi.

TIP! Use your mobile hotspot on your phone or buy a separate hotspot device and use that because that is more of a secured connection. I highly recommend that you use the data on your mobile phone plan and turn your phone into your own wireless network instead of using anything out in public.

One more thing to consider is operating system updates. When there is an update for your phone, your computer, your tablet, whatever it might be, install them. If you don’t do it, you’re leaving yourself vulnerable because most often these software updates also patch security vulnerabilities. And criminals will use software tools on the internet that will go out and sniff for devices that have not updated their operating systems just so they can exploit them.

Could you explain a little bit what a SIM swap is? They're becoming increasingly common, but people may not know what it means exactly.

So a SIM card can be an actual tiny little physical card that looks like a chip that gets installed into the smartphone and that’s what enables you to have cellular service. It’s what makes the calls, sends the text messages, accesses the internet. All that is tied to your account. And that phone number is tied to that SIM card. Now many new devices have what’s called an eSIM, which is an electronic SIM card instead of a physical one. SIM swapping is when service for your mobile phone is transferred to the SIM card and device in possession of someone other than you.

What that means is that incoming and outgoing calls using your number are on the criminal’s phone. Text messages are the same thing. This is why criminals like SIM swapping because of the two-factor authentication process where most people get a code by text. So they SIM swap, they’ll go to your bank account, they’ll try to initiate a password reset and that will trigger a text message to be sent to the mobile phone, which is to the SIM card, that’s now in the bad guy’s phone.

Also often when someone gets SIM-swapped or if their mobile phone account gets compromised, sometimes the first thing they do is change their number. It’s the worst thing you could do because your phone number is the equivalent of your social. When you change that phone number, those institutions like your bank are going to text to the old phone number. When you change that phone number it could lock you out of your account. Many financial institutions now use code by text to validate you as the owner of that account. If they are texting it to your old number, you can’t get the code and they can’t verify you as the account holder.

With the midterm elections coming up early in November, is there anything in particular people should have heightened awareness around there?

Absolutely. Again, any time there are any heated discussions, very polarizing discussions, this is when the criminals swoop in. Because again, that fear and confusion, it’s a perfect environment. So with the elections, what we start seeing is you’re going to get more phishing e-mails and smishing texts. And the way they’re going to be designed, it’s going to be like, “Oh, did you see what the other party did? Make sure all your friends are aware of this. Share this with everybody.” So when you’re forwarding that to all of your contacts, they’re harvesting connections. Now they know who you know and who knows you, so that they can send spear phishing emails that look like they come from a trusted source. Same thing with text messages. We’re seeing, since the pandemic, a huge increase in smishing text messages. Most of the time, the ones we’ve seen that caused major issues are the ones that appear to be from a financial institution asking you to confirm or deny a suspicious transaction or to confirm or deny the request to reset your password.

Well, people panic and click the link in the message, but they’re not going to the login page for their bank. They’re going to a fake login page that’s used to harvest their online credentials that the criminals then use to log in. Political scam texts also include links that would cause harm to your device or trigger a fake login page for your email account.

You need to be very careful any time there’s a heated environment, and it seems like everything is divisive nowadays. Just use caution when you see these things come through, before you respond, before you click, validate or eliminate, take time, sleep on it, think about it before you make a rash decision.