SpamBox ReLoaded, PayPal Hacks & 5 Steps for Security.

   Holiday Cheers; Thieves Are Here (not that they ever left)

       We thank Al Gore for inventing the internet just as much as the next folks do. It makes everything free and easy.  Gone are the days when we have to get up, get out of our jammies, shave, and actually leave the house to do.. ugh.. work. Now we can tele-commute and read Reddit all day from the comforts of our home office, instead of having to slog in to bogart the company's resources.  Kinda miss that K-cup coffee though....
       Of course these internet luxuries are also available to the thieves and hucksters of the world, so they can telecommute too. Unfortunately for hard working, busy business folks, the thieves are not spending all day on Reddit. Rather, the crooks are working diligently to develop ways to separate us from our hard won earnings, data, and reputations. 
      With Christmas and the holiday season right around the corner, if not here already, the crooks are working overtime, just like we are.  Here's a pretty clever little sample of a crook who somehow preempted  our PayPal administrative actions, luckily by a day. But I wonder what would have happened, if this time, the thief was right on time.

We needed to add an email to our paypal stuff, which we did.  However, the day before, someone sent us this little phishing lure.  Our email provider labelled it accurately as SPAM and sent it to the spam box.  But let's say, the guy's timing was better, and he sent it the following day. The day we would have been looking for an email confirmation note from PayPal? 
  Here's how we know the email is bogus.  Hover over the "From" address, and the actual address pops up.

---

This email looks like it comes from paypal, but is actually from a crook.
    The bait on this phishing attempt is to get us to go to a site that will look identical to PayPal AND enter our Log-in credentials.  The thieves steal our log in creds, change the password, add a bank account, and steal real money.  Or maybe they just access our customer data. Or whatever. Bottom line is, we don't want that hassle, and neither do you or your customers :)

---

   The phishing attempt came on October 29th.  Here's the legit confirmation email from PayPal, we got on the 30th, when we added John's email to the account.
   Sometimes, it's good to be LUCKY and good, but we'll also settle for just luck.  We know how it is, even from the jammie comfort of the home office.  When we are looking for something that "should" be there, we always check the spam box..
   Now we did not open the phishing email, because, you know, with html 5, opening a message can be all it takes.  As much as we'd love to show you what's inside it, sometimes discretion is the better part of valor.  just trust us, it is a scam.

    Take away: Right now and for the next 3 - 4 months, it's all out smash and grab season for on line thievery.
1) Train your hard working team on the basics.  They want to do things right, and a security breach fouls up everything, along with bringing down team moral.
2) Enforce simple disciplines and protocols for security (hardest to do for OURSELVES).
3) Keep work and play separate, as far as online stuff goes.  If one MUST go to check out the latest Vegas odds for football, then do it from a non-critical computer, not the one your quickbooks are on :)
4) Hover first. Even when something looks 100% legit, hover over it before you click.
5) Say no to juicy stories, cute kittens, and emotional tugs that friends send you links to.  If you must check it out, look it up on google or some other search engine yourself (Links shared on social sites are the MOST MALWARE infested of any, anywhere).

---