Author: Greg MacSweeney

Excerpt: “Why it’s important: Data security has always been an important topic for financial services. Protecting a client’s data, or information used to make investment or trading decisions, is the highest priority. If a client can’t trust a financial firm with its information, the company will be out of business. Today, however, the threat from cyber attacks is increasing, and the hackers are more organized, well funded, and sometimes sponsored by other nations. Where the industry is now: In fact, data security has been one of Wall Street & Technology’s top Outlook topics for five of the past seven years. No other topic — low latency/HFT, cloud, big data, social networking, risk management, or analytics — has appeared in WS&T’s annual Capital Markets Outlook feature so many times. That said, the cyberthreat facing financial institutions is greater today than it has been at any time in the past. Banks report being probed for weaknesses continuously. “Continuously” may sound ominous, and it is. Banks are fending off attacks or detecting probes looking for weaknesses almost every minute of every day.”

Link: http://www.wallstreetandtech.com/security/increasing-cyberthreats-pose-massive-challenge-for-financial-firms/d/d-id/1318144

No matter how many times I see the same story I am still shocked by the audacity of some people.  Whether it’s a devastating Typhoon in the Philippines, a mass shooting at a US elementary school, or a horrible hurricane in New York City, criminals find a way to take advantage of the disaster.

Take for example the Sandy Hook Elementary Mass Shooting last year.  Within hours of the horrific event there were newly registered domains set up for the purposes of either monetizing on the domain names or for fraudsters to create fake donation sites.  Facebook groups and pages popped up attempting to play on people’s emotions and solicit donations.

Even this month when wacky weather hit the Illinois region FEMA had to warn the public of fraud related to the storms.

These are three red flags that consumers might be donating to an illegitimate organization:

• The domain/site you’re on is not the legitimate domain/site for the charity
• You’ve received an unsolicited email or phone call asking for donations
• The charity is new or has little name recognition

*Note, these red flags do not mean that the charity is illegitimate, only that you should be suspicious of it and do further investigation prior to making a donation.

These are three things big brands should be doing to protect their brand and customers from scams:

1. Protect your Reputation

Use a reputation and risk management company, like BrandProtect, to monitor the internet, emails and social media sites for your brand.  Protecting your revenue, rights and reputation is of utmost importance.  Look for things like:

• imposter groups or pages on social networks
• phishing attacks through email spam
• infringing domain registrations.

 2. Ability to take Action

Your online brand protection solution should have the ability to get these imposter site  taken down quickly and easily.

 3. Keep monitoring

Even if a disaster is in the past, scammers will find new ways to abuse your brand and tarnish your reputation.  If brands aren’t proactive in protecting their rights and reputation customers will start to lose trust in the brands recognition.

If you do want to donate to a disaster relief effort be sure not to provide too much personal detail – legitimate charities are not asking for your SSN, banking security questions like “Mother’s Maiden Name”, or extensive credit info.

When deciding to donate to a charity online or offline, do your research first – many charities, even those with long-standing brand recognition, do not send as much of your donation to the cause as you’d think.

If you do receive an email from a charity that you believe to be suspicious, send it to them.  Most organizations have a reporting address on their website where customers or the public can send suspicious emails to for investigation.

These types of scams can be shutdown very quickly using a takedown provider.  Even if you stumble upon what you think is a Facebook group that is a scam, send it to us, we can report it to Facebook quickly and hopefully stop the scammer dead in his tracks!

Just remember, unfortunately scammers are everywhere and try to pull at your heartstrings during a disaster.  So just be informed and exercise vigilance when making a donation.

The CRDP works especially well with organizations who wish to take control of domain names that contain their trademarks.

The CDRP can be filed through two organizations:

1. British Columbia International Commercial Arbitration Centre (BCICAC)
#348 – 1275 West 6th Avenue
Vancouver, BC, V6H 1A6
Phone: (604) 684-2821
Fax: (604) 736-9233
Web site: www.bcicac.com
E-Mail: admin@bcicac.com

2. Resolution Canada Inc.
85 Curlew Drive
Suite #107
Don Mills, Ontario, M3A 2P8
Phone: (416) 447-0035
Fax: (416) 447-6447
Web site: www.resolutioncanada.ca
Email: info@resolutioncanada.ca

In order to begin this process the complainant must assert 3 things:

1. The Registrant’s dot-ca domain name is confusingly similar to a mark in which the complainant had rights prior to the date of registration of the domain name and continues to have such rights.
2. The Registrant has no legitimate interest in the domain name.
3. The Registrant has registered the domain name in bad faith.

If all 3 of these elements are present then you can begin to file your claim.

Costs associated with the CDRP (Prices are in Canadian dollars):

When you file your claim you must select 3 Adjudicator panelists[1] provided by either organization. In the event that the registrant does not reply to the complaint or 3 panelists cannot be agreed upon by both parties, a single panelist will be selected by the organization you filed through.

Once all of the information on the registrant, trademark, domain and other pertinent information have been gathered you may submit the complainant to the provider (Resolution Canada or BCICAC)  in five hardcopies or an electronic copy (in pdf format no more than 10 mb’s each) of the Complaint.

The panel will normally render a decision within 3 weeks, and after a few days for CIRA and others to review the decision, they will advise the Complainant and Registrant of the decision, and post the same information on their website.

Best Practices and side notes:

1. Hiring an organization such as BrandProtect to monitor your trademarks and domains can provide early detection and removal of possible trademark infringements and infringing domain names while saving your organization time, money and stress.
2. Try to contact the domain owner first to attempt resolution before the CDRP. Offer to pay for the domain filing and transfer fee to gain control.
3. Avoid paying the registrant anything beyond the above fees for the domain. This will establish that your organization is willing to pay “ransom” for its trademarks and may encourage other domain squatters.
4. Make sure that your trademark was registered before the domain name.
5. Review the rules thoroughly to make sure you have met all prerequisites and comply with all requirements.
6. Try to show precedent from previous domain acquisitions your organization may have completed or use previous CDRP case decisions to strengthen your position.
7. If the registrant is able to prove that this case was filled in bad faith, a fee against the complainant of up to $5,000 could be applied.

Controlling the various gTLDs and ccTLDs such as .ca, .org, .net, .info and .com etc. which contain your trademarks means controlling your Brand. Do not “wait and see”, be proactive in monitoring, protecting and gaining control of your brand online.

My goal with these 7 steps is to give you and your team the basic knowledge to not to become another cyber-victim. Put on your kevlar and let us begin phishing bootcamp!

1. Verify with the bank/institution

Do not respond to e-mails or phone calls asking for your personal information. Especially ones that have a scene of urgency. In the unlikely situation that you may believe your bank or another financial institution requires your information, get the official phone number from the back of your card, from their official website or your company’s records (never the one in the suspicious email) and give them a call to confirm.

2. Straight to the source

Everything can be masked. The caller ID on your phone, the senders name in an email or a private message via a social network. Scammers will use correct spelling and logos of institutions get your credentials.

Don’t click any links. URLs can easily be masked in an email and send you somewhere else. Often a spoof page that looks completely identical to source. Type out the URL yourself, the same URL you always use for online banking. This includes delivery companies, which is a more common technique phishers use to go after businesses.

3. It’s not always financial institutions

To get your credentials the scammers will often mimic common e-commerce, subscription services and telecommunication companies. Once you’re asked for personal information, think twice and verify the source.

A friend on your social network or an e-mail contact alerting that they’re traveling abroad, have been robbed and require funds urgently is a known scam. Even if it’s a contact you know, accounts can be hacked. Contact them back via the information on your rolodex and confirm if the message is really from them.

Someone from a reputable company has contacted you for a job offer as a debt collector is often another form of money laundering, scamming multiple victims to cover-up illicit funds.

Email’s pretending to be telecommunication services or television subscription services.

When it comes to phishing, it’s not always banks. If your business collects financial data there’s a good chance someone else is pretending to be you and trying to get your clients data under your name. Protect your brand with anti-phishing and brand abuse monitoring.

4. It’s too good to be true

Did you really win the latest gadget from a sweepstakes that you’ve never entered?

A relative you never heard of has left you a large inheritance?

Get rich right away?

If it sounds too good to be true, then it is. No matter how tempting the reward is, never send your credentials. If you think it’s the real deal, pick up the phone and get to the bottom of it. Use the organizations number and never the one listed in the email.

5. Check your banking records

Check often for irregular transactions. Keep an eye out for unaccounted purchases or incorrect decimal points. If you notice any irregularities notify your bank immediately.

6. Mobile Safety

Despite the process apps take to get verified the bad guys can still get their product listed. Often their malware collects data on your phone and can make phantom phone calls to premium phone numbers. Prior to downloading a financial app make sure it’s listed on the bank’s website. These apps usually mimic financial services and banks. If your business has ever dealt with phishing or trademark infringement, we highly recommend Mobile App Monitoring. App monitoring can keep your clients protected by eliminating the presence of criminal activity against your brand.

A SMS requesting personal information is always a scam, even if they direct you to a link with correct logos.

7. Security

Web Browsers are your friends. Update them regularly and make sure the settings are enabled to warn you of malicious content. They won’t catch everything but will still prevent you from accessing most fraudulent webpages and malware.

Ensure that your computer and computers on your network have updated security patches and antivirus.

While on financial and e-commerce sites check for the secure https (not http) within the URL. Also lookout for the padlock logo alongside the address bar. You can click on it to see the security certificate for the site.

As people and businesses become more attentive of their online security, the phishing professionals adapt. Inform yourself and stay ahead of the latest online threats. You can never be too safe with your online presence.

What other steps does your company take to prevent phishing? Let us know!

Follow @bp_phishing for the latest phishing updates.

One of the areas my clients are focusing attention on recently is the presence of their brands on Twitter.   At the session, Twitter’s Christine Kao indicated that Twitter receives more than 50 intellectual property complaints per day, so it seems this concern is widespread.  Christine stated that her team responds as quickly as possible, and on a first come first served basis to the notifications they receive.  Her recommendation to brand owners, wanting to see violations removed as quickly as possible is:

• Take time to understand Twitter’s criteria for violations.  Twitter has a trademark policy, a counterfeit policy, a DMCA policy and an impersonation policy, and it is important for brand owners to figure out where to file under

• Provide as much information to Twitter as possible

• Set client expectations, as each social media platform has their own policies

• and brand owners need to play by their rules

• Don’t file duplicate complaints – give it time – as new complaints go to the bottom of the list

• Being respectful helps!

Christine had this additional advice for brand owners:

• Think strategically.  Users in social media are often fans, and users see notifications as bullying.  Is this the proper medium for a takedown?

• Be mindful of the language you use

• Pick a Plan B user name.  User name are issued on a first come first served basis

Philippe Vandeuren, Anheuser-Busch InBev S.A.indicated his belief that it was vital these days for organizations to have a social media crisis management team in place.  His recommendations were to:

• Create a team with the right people in the right place, and ensure they know who is responsible for what.  The team needs to be cross-functional, so that the expertise of many within the organization can be drawn upon

• Understand, categorize and summarize the facts of the issue at hand (brand, product, reputation, geography)

• Assign issues with a severity level.   For high level severity issues it is important to act immediately and try to have the facts rectified.  For medium level severity issues, actions should be taken to deflect the issue, and for low level severity issues  it is recommended that posts be monitored to ensure the situation doesn’t escalate

• Lots of discussion should be taking place amongst the crisis team members when an issue arises

• In cases where the issue is highly negative escalate the issue internally so that upper management is aware

• Move issues offline.  Contact the posters via email to have a closed off conversation

I am glad to say that a lot of this advice is second nature to many of my clients who have put these cross-functional teams in place a long time ago (many soon after they began their engagement with BrandProtect!).

Don’t get me wrong, Craigslist has some very appealing attributes.  It’s free and there are lots of opportunities to buy “cheap stuff” and hey, you might even be that lucky person that finds $98,000 in a desk purchased for under $200, however, brands and organizations that use Craigslist need to be aware of some of the risks especially if it is used for advertising or job postings.

Ads can be posted anonymously and the unsuspecting visitor could respond to an ad that underneath, does not have good intentions.  I have blogged about the trademark being an organization’s most valuable asset, which is why offenders will attempt to exploit a brand’s reputation and goodwill by adding logos and other deceiving elements to attract unsuspecting users to their ads.

We live in a time where having a job is extremely important and not always easy to come by.  Criminals know this and are more than happy to exploit a person’s vulnerability, especially if they are desperate for a job.  They may represent themselves as a well-known company and even include a logo in their ad to give it an extra feeling of authenticity.  The poster may provide a number to call them or instruct the user to contact them via their Craigslist anonymous email address.  The job seeker may be asked to provide them with their personal information or ask them to wire transfer money into the criminal’s account.  The poster may be more brazen and include a link that directs the job seeker to a spoofed site or phishing page where their personal information can be stolen.  For additional information on job ad scams on Craigslist, check out Mashable’s article that provides a more detailed list of warning signs for job hopefuls that use Craigslist.

Another scam that I am aware of is one that claims to assist customers of well-known companies with their suspended accounts and offer to pay their outstanding bills.  We all know the saying “if something is too good to be true, it probably is,” but I can only imagine that if you are a person who hasn’t been able to pay your bill for a service that you and your family desperately need, the offer may seem like an answer to your prayers.

If your company currently uses Craigslist or plans to use it in the future, here are a few tips to help keep your customers and future job applicants safer:

1. Monitor Craigslist for misuses of your trademark/brand name on a regular basis.  New ads are constantly added.
2. Have any unauthorized or fraudulent posts removed ASAP.
3. For job postings, add the display URL that will direct the job seeker to the application page of your organization’s secure website and refrain from hyperlinking it.
4. Do not ask job applicants or customers to provide their personal information to you via Craigslist.
5. Establish companywide policies and procedures on how and what to post on Craigslist and ensure compliance.

These tips will not stop all fraudulent activity from occurring, but it will help to mitigate the potential harm to your company’s bottom line and reputation.

For more information on how to protect job applicants and employees from identity theft, click the link below.

“You have been chosen by my family to help us send $5 million dollars to our bank in America. We need your help with this as our family here cannot use the country’s banks. The money is going to a charity that our government forbids our foundation to donate too. We know you are a good man and will help us do this. My family’s gift to you will be $500,000 for doing this great task for us. We know you will agree to this otherwise you would not have been contacted. Please reply to this email and include your full name and address and government identification number so we can get the funds transferred. We have put all of our trust and faith into you. Thank you loved one – Mrs. Smith, Heiress ABC Company – DEF Family.”

Now how many of you have received some version of this aforementioned e-mail scam sent by a Nigerian Princesses/Heiresses who is usually in some of type of destitute circumstance. These types of scams are sent because they fortunately work. Hard to believe but they do. Maybe the recipient has been out of work for a while or in some other vulnerable financial state which prompts them to respond. They get coaxed to provide personal information and before you know it, their identification is stolen and bank accounts wiped.

Another popular e-mail scam is one that warns you that your password needs to be reset. These are sent by fraudsters under the guise of one of the Social Media sites/Professional networking groups the recipient is a user/member of (e.g. Facebook or LinkedIn). In many instances, the recipient is not even a member of that group (personal experience) and therefore it is easy to not think twice and just delete the email. However, if the recipient is a member of the site in question, these emails look legitimate and unsuspecting recipients may click on the fraudulent link in the email which takes them to a replica of the actual site to see which asks them to provide personal information such as passwords, birth dates or more.

Amongst email scams, phishing unfortunately continues to grow and wreak havoc on many organizations. Senior leadership has to be especially carefully given the vital data they possess. A breach there could have major implications for an organization. However, this is not say that phishers only target large organizations or the executive team. They target ALL organizations. As Dylan Sachs – Incident Respond Director at BrandProtect stated: “No company is exempt from being the target of phishing attacks – customer base, industry, or number of employees all factor into the likelihood of being targeted, but we have seen many municipal credit unions, universities, manufacturing companies, small retailers, or local service providers being targeted.  The perpetrators are only interested in acquiring data – not just bank account information, but name, address, social insurance or security numbers, email addresses, or even social media account information – all of which is extremely valuable to them, and they will not hesitate to pick on unsuspecting targets where response will likely be disorganized scrambling, if any response at all.”  Food for thought no doubt.

Given this backdrop, listed below are some basic steps that go a long way to help protect yourself against fraud:

1. Do not open any attachment if you do not know the sender
2. If it sounds too good to be true, it probably is
3. Do not engage in transactions from unsolicited emails
4. You did not win 20 million dollars by not entering a lottery
5. No bank or social media site is going to ask you to re-set your password; this is a prototypical phishing attack
6. Report any suspicious email immediately to your IT Team and supervisor.
7. After signing up for any group,  it is highly recommended  to read and understand (the sites) communication protocols to mitigate any fraud.

All of this seems very elementary but as everything now seems to have the prefix “smart” attached to it; we should follow suit to become smarter.

Why?  Well the DNS system serves both the public Internet and private Intranets.  So if your company hosts confidential information only accessible by employees on their Intranet with an extension like .corp, once the gTLD goes live, that information could be visible to the rest of the registry system.  This could create enormous potential for malicious interception of the data causing security breaches.  Businesses of any sizes can be effected and therefore should work towards fixing the problem internally.

ICANN commissioned a study on the potential security risks of name collision and the likelihood of occurrence. From this study they identified that .home and .corp will have the highest probability of concerns.  This study also allowed ICANN to develop a plan for name collision that they approved for implementation on Oct 7^th called the New gTLD Collision Occurrence Management Plan (“The Plan”)[2].

The basic outcome is that before a registry can transition to delegate it will have to undergo an extensive assessment of probability and severity and then be required to implement all recommendations or choose to block all relevant Second-Level Domains (SLDs) as designated by ICANN.

On Oct 29, 2013 the Online Trust Alliance (OTA) will be hosting a workshop in Washington DC (also available online) with experts from around the globe discussing the current state of play and the implications for corporations.  BrandProtect will attend this event and update our blog with all relevant information.

Organizations need to be aware of their internal domain names and be diligent in updating any likely concerns.

How is your organization preparing itself for the new domains? Are you concerned about possible domain name collisions?

The recent DNS attacks, executed by the Syrian Electronic Army, were achieved through social engineering – making someone official voluntarily give up the information needed.  This is also how phishing attacks work, in that the victims are shown a seemingly legitimate webpage, told their account is locked, and in order to unlock it they have to enter their banking login information.  APTs are often started by socially engineering employees to install malware on their computers, and can lead to complete network compromise, if the proper security protocols aren’t followed.   Social engineering is not something new to come about with the rise of the Internet, either – it’s been around for centuries, maybe even millennia.

Offline, social engineering attacks are often used against tourists to bilk them of their money – these are commonly referred to as “con games”, like 3-card monte and the pea-under-the-shell game.  The difference now, is that victims can lose more than just the contents of their wallets.  Online, fraudsters find employees who work at a target organization via LinkedIn, then look them up on Facebook, all the while gathering information on the employee’s co-workers and friends.  “Hacking” someone’s social media account is fairly trivial, especially when people are still using simple passwords.  Reaching out to the employee, while pretending to be a co-worker or friend is extremely easy, as spoofing email headers has become a minor inconvenience, or simply using a friend’s compromised account. Convincing the employee – much like convincing the phishing victim – to give up information like usernames, passwords, or other sensitive data is the hard part, but is obviously possible.

So how do we end up paying for the security breaches of today?  As these social engineering attacks continue, we’re going to be seeing an increased focus on keeping information secure – this means locking down social media profiles, which is a bad thing for companies who have just finished getting over the whole “you need social media to survive” concept that has been so pervasive over the past decade.  This means we’re going to see an increase in corporate policies around employees using social media, including what they can and cannot post.  As the corporations begin to implement these changes to defend against the possibility of cyber-attack, the trickle-down to less-likely-targets will become apparent (“well, if Company X is doing it, and we want to be as big as them, we need to act like it and implement our own policies!” at best, and companies being forced to implement policies in order to get insurance at worst).  All of these changes will start to have greater and greater impact on our daily lives, and, if left unchecked, will result in social media simply becoming an online diary, to be read by no one.  Except the social media companies – rest assured, they’re reading all about you.  But that’s nothing new.

The paper, titled Intellectual Property Rights intensive industries: contribution to economic performance and employment in Europe, said that 35 percent of all employment in the EU, some 77 million jobs, comes from industries that have a “higher than average use of IP rights”.  Also, the study finds that “about 40 percent of the EU’s total economic activity (€4.7 trillion annually) is generated by IPR-intensive industries, which include engineering, computers and pharmaceuticals.”

The article was of particular interest to me, after having recently read that a study was just conducted by Price Waterhouse Coopers in the U.K., concluding that fake goods ‘have gone mainstream leaving manufacturers of the genuine articles out of pocket”, with the U.K. government estimating that counterfeiting costs the economy £1.3 billion a year[2].

Mark James, head of anti-counterfeiting at PwC spoke about his findings that “British public seemed to be unaware that buying the occasional fake could do any harm. He said: ‘Consumers are just not thinking of it in those terms. Even when they are asked about deterrents, being caught and the morality of it come behind safety, the fear of losing bank details and the product not being delivered. ‘But there is a cost. Companies are having their reputations, their brands and their revenues stolen and that has a knock-on effect on jobs.”
Although these studies took place in Europe, you can be sure the same thing is happening in North America.  When people purchase counterfeit products they often don’t realize that their jobs, or the jobs of their neighbours may be in peril.

Now that you know, do you really need that knockoff Chanel?

[1] http://www.worldipreview.com/news/ohim-and-epo-one-in-three-european-jobs-created-by-ipr?utm_source=World+IP+Review&utm_campaign=e4c1576e91-WIPR_Digital_Newsletter_03_10_2013&utm_medium=email&utm_term=0_d76dcadc01-e4c1576e91-27043189

[2] http://www.dailymail.co.uk/news/article-2440930/Fake-goods-mainstream-Middle-classes-snap-fake-designer-handbags-watches-DVDs.html#ixzz2gh3RN1dm