Security & Privacy

Introduction

Internet is one of the tools we are using every day. There is no doubt that it has changed the way that people communicate across the globe. It has given us possibilities we never had before - with its great popularity (over 2.5 billion users), we can send photos, watch videos, buy stuff or… get our identity stolen. Internet is no exception to the rule: “If it seems too good to be true, it probably is!” In this article, we would like to show you how to protect your identity and other sensitive data from the bad guys, and how to feel comfortable online, no matter if you are browsing our website, buying a book in one of the online bookstores, or reading your email.

As a Sunshine Profits client, you are protected from a wide spectrum of cyber threats. We make sure that the technology we use to provide you with our services is up-to-date and our staff is trained and aware that your privacy is extremely valuable to you, Sunshine Profits and, unfortunately, to cyber criminals. Year after year more businesses join the fight for improved security of your data, which of course is good, but is it enough for you to carelessly trust everything you see on your computer screen, tablet or smartphone? Certainly not. With security measures being more and more advanced it is becoming more apparent that the weakest point of the defense line is human.

Below, we will outline a couple of ways in which you might be approached by identity thieves, actively or passively.

How to spot a fraudulent email?

For many of us checking email is part of the daily routine. We use it for business and privately, therefore our inbox is a true gold mine for swindlers. First of all – avoid suspect email. Easier said than done. Avoiding email from unknown people is not always possible, but opening files or clicking on links from strangers is asking yourself for trouble. What about people we trust? In the example shown below, someone obtained the password to your friends email account. He did his homework by crunching through your friends messages and now he knows that you know each other, moreover, he knows your buddy’s family members and possibly more. Here is what you might receive from your friend's address:

From: Thomas Ballwin [email protected]
Reply-to: Thomas Ballwin [email protected]

I hope this email finds you and yours well. I made a trip to Makati, Philippines with Jane, Nadine and Robert, unfortunately we were mugged at the park of the hotel we are staying, all cash,credit card and cell were stolen off us but luckily we still have our passports with us.

I have been to the Embassy and the Police here but their response was too casual, I have also made contact with my bank but it would take me 3-5 working days to access funds in my account, the bad news is our flight will be leaving very soon but i am having problems settling the hotel bills and the hotel manager won't let me leave until i settle the bills, I need your help/LOAN financially, you are my last resort and hope, all I need right now is $1,950.00, I'll appreciate what you can give if not all and I promise to make the refund once I get back home, you can wire money to my name from a western union outlet around www.westernunion.com/locator to find any agent location nearby or visit www.westernunion.com to send money online :-

Here are the details you need to get it to me;

Full Name - Thomas Ballwin

Location: Evangelista Street 1640 Rudex Building, Makati, 1234, Philippines.

Please let me know if I can count on you and I need you to keep checking your email because it's the only way I can reach you. ..

Thanks,

Thomas Ballwin

As you can see the bad guys have deployed various techniques to sneak into your wallet. They use the trust you have in your friend by sending the above message from his account and support it with the information about his family members. After that, they play on your emotions by suggesting that your friend is in deep trouble and you are the “last resort and hope”. Once you are “softened” a little bit, they simply ask you for money.

In most cases there are two different email addresses in the message. First is your friend's address (or someone who had you on their contact list) – “from”. But there’s usually a “reply-to” address, which looks almost the same. Almost is a key word here. It’s the first alarm bell that should ring when you open this email. In the abovementioned example the dot is purposely misplaced ([email protected] vs [email protected]), so when you hit the reply button, your friend won’t get it. It is important to warn him about the situation, and that he should change not only his email password, but also set new passwords everywhere he used the same password, including places where this email was used to register for an account.

Another popular email scam is called “Nigerian”, or advance-fee. Usually the story revolves around a government , testament, bank or Nigerian National Petroleum Corporation employee who claims that they have access to a large amount of money (millions or tens of millions of dollars). Naturally, this little fortune has to be transferred out of the country for a fee (usually 10-30%). Everything looks good until someone needs to be bribed off to let the transfer go under the radar, so… the scammer asks you for money. Back to the rule number one. It was too good to be true.

Other known types of scam include a combination of a phishing email and a forged web page. The role of email is to encourage you to click on a link which will take you to a similar page to the one you have been manipulated into believing you are visiting. Forged web pages are extremely dangerous because they usually target your financial information (e.g. bank account, credit cards, PayPal, eBay) or email accounts (which can be used to access your accounts elsewhere).

Pay attention to odd-looking URLs:

1. http://[email protected]/
2. http://854.17.153.21/sunshineprofits/update.htm?=
3. http://login.sushineprofit.com/
4. http://www.sunshineprofits.com/login/
5. http://www.kitco.com/

At first they look as they should take you to legit destinations, but when you examine them closely, you will see that they are designed to look similar to legitimate URLs. Most email programs will display the true destination URL (usually in the bottom-left corner of the screen) when you place your cursor on the link without clicking on it. Hover your cursor above any of the abovementioned links to see it for yourself (don’t worry, this time they are safe). As you can see, if you click the abovementioned link, you will not be taken to Kitco’s website though you were led to believe so. What if the visited page only looks similar to the one you think you are visiting? You guessed right – your privacy is at stake.

Email attachments are yet another way of attacking your computer. Although fraudulent attachments are usually computer programs designed to bypass your security measures and specific knowledge is required to create them, they are also easily redistributable and in some cases are specifically written to multiply themselves. This means that they can be found in fraudulent emails every day. See below:

Date: Mon, 30 Dec 2013 12:00:16 -0500 (EST)
From: [email protected]
Subject: Your transaction is completed

Transaction is completed. $2,346.95 has been successfully transferred.
If the transaction was made by mistake please contact our customer service.
Payment receipt is attached.

*** This is an automatically generated email, please do not reply ***
Bank of America, N.A. Member FDIC.
© 2013 Bank of America Corporation. All rights reserved

The attached file “payment_receipt.zip” is waiting to be opened, but this email , which purports to be from Bank of America, is fake. The sender obviously doesn’t even know your name, and you shouldn't open e-mail attachments from strangers. If you receive an attachment - especially a .zip, .exe, .vbs, . htm or .html - and you aren't sure what it is, you should run your updated antivirus software before opening it.

How to spot a fraudulent web page?

A phishing web site (or a spoofed web site) tries to trick you into believing that you are on a legitimate website. The attacker will aim to make the URL address and overall design as similar to the original, as possible. Look for similar or misspelled addresses, broken images, outdated layout, no “https” on login or payment pages.

1. Legitimate website - “https”, green padlock, correct address and layout

2. Phishing website – no “https”, incorrect address, poor graphics quality, threatening message

We recommend you to take a couple of minutes and take the phishing quiz. It is fun and highly educative.

Using your credit card online

Shopping online became popular and credit cards are widely accepted. Before providing your credit card details online, make sure that you are on a legitimate website by looking for https:// in the web address or for a padlock icon. For more information visit your credit card provider:

• VISA
• MasterCard
• Maestro
• Discover
• American Express
• JCB

How to create passwords. Tip.

We live in an environment that requires you to remember multiple passwords, PINs and logins. We help ourselves by writing them down on paper, in web browsers, smartphones, sometimes in places so secure, that we can’t remember where they were. Easy to remember passwords like “bob1” to your “[email protected]” email account or names and birthdates like“mike1956” are definite no-nos.

Here’s a tip - create your passwords so that they mean something to you: This is my first laptop = Tim1l@pt0p or about to use Sunshine Profits website at home = a2uSunSh1nePr0f1tswww@h

Summary

Most of the abovementioned attacks are not aimed at your computer’s software, connection or stored passwords. They don’t require sophisticated hardware, software or programming skills, so they can be deployed by an anonymous person from an internet café in the middle of Africa, Asia or two blocks away from you. The attacker doesn’t even have to know math. This makes social engineering really dangerous and easily applicable.

Unfortunately, there are no 100%-sure methods of recognizing phishing/fake websites, emails or phone calls, therefore we believe that using common sense, educating yourself and combining the above with security software is the way to go.

The Sunshine Profits Support team will never ask you for your account password, Social Security Number, tax identification number, or mother's maiden name. If we require sensitive information from you, we will notify you in an email and request that you enter the information only after you have safely and securely logged in to your Sunshine Profits account. If you think you have been a victim of a phishing email purporting to be from Sunshine Profits, please send us a copy of the offending email so we can investigate.

Additional Resources

• Internet scams are constantly evolving, therefore it is highly recommended to keep yourself updated. Here are the additional resources that we have personally reviewed and found helpful:Take this quiz to find out if you can tell the difference between a legitimate website and a phishing attempt. We highly recommend it! - http://www.opendns.com/phishing-quiz/
• What is the actual link? - http://www.bustspammers.com/phishing_links.html
• On guard online - http://www.onguardonline.gov/
• U.S. Federal Bureau of Investigation phishing prevention tips — http://www.fbi.gov/scams-safety/e-scams
• Internet Crime Complaint Center — http://www.ic3.gov/crimeschemes.aspx
• Anti-Phishing Working Group (APWG) — http://www.antiphishing.org
• The Phishing Guide — http://www.technicalinfo.net/papers/Phishing.html
• Microsoft Safety & Security Center: How to recognize phishing — https://www.microsoft.com/en-us/safety/online-privacy/phishing-scams.aspx
• PayPal guide to phishing — https://www.paypal.com/my/webapps/mpp/security/general-understandphishing
• Protecting Against Credit Card Fraud — http://www.consumer.ftc.gov/articles/0216-protecting-against-credit-card-fraud
• OnGuard Online | Internet Safety Resources — http://www.onguardonline.gov/