Recognizing and Avoiding Phishing Scams

What is phishing?

“Phishing” is what we call an online scam that attempts to extract information, credentials, or money from you, usually by impersonating someone you trust or a trusted organization like a bank or vendor.

Phishing emails and text messages attempt to trick you into clicking on a link, opening an attachment, or sending proprietary information. Often the return address is the name of a person or company you recognize, leading you to believe the message is legitimate. But there are many ways for you to recognize phishing and to avoid falling for scams.

If you have any question at all that an email might not be legitimate, forward it to support@macktez.com. If you do this, please send a second email referencing the first one, because sometimes the original forward can be caught in our spam filter. If you accidentally click on an email that you think was not legitimate, please let us know, even if you didn’t enter any information.

Tips for security

– Exercise your Spidey sense. If the request from someone you know is unexpected or unusual, or if the language used in the email is not typical for the person you think the email is from, be alert and extra careful. Verify the message with the sender some other way (call, text, or chat).
– Remember that return addresses are easily spoofed. It’s as easy to put someone else’s return address on an email as it is to write someone else’s return address in the top left corner of an envelope sent through the regular mail.
– Be aware at all times of links you click in an email message. You can hover your mouse over a link to reveal the actual target of that link — if the target is not what you think it should be, don’t click.
– Be particularly wary of any email that links to a website that asks you to enter credentials.
– You are most vulnerable when you are engaged in something new — starting a new job, using a new communication tool, working on a new project with new vendors. Slow down in these situations and maintain extra vigilance until you have established a routine.
– If you receive an email asking to change a method of payment (for example, a new wire transfer number) verify this change either in person or by phone. Never authorize any electronic payments until you have confirmed the authenticity of the request with the vendor directly.
– Protect your computer by installing security software and keeping it up to date. That way even if you download malware accidentally, your computer will be protected.
– Set your phones and computers to do automatic updates to ensure you are taking advantage of the most recent security updates at all times.
– Do not reuse passwords. If one of your passwords is compromised through a phishing scheme, the hacker will most certainly try to use that password to log into any number of other services. (Use a password manager like 1Password to help you keep track of your passwords.)
– Use strong passwords, at least 12 characters long. Length is more important than complexity, so use phrases if you have trouble remembering passwords. “Ilikemexicanfood4lunch” is a much more secure password than “buRR1t0”. (Again, use a password manager so that you don’t even need to remember your long passwords.)
– Enable multi-factor authentication (MFA) on every critical service, starting with your email account. MFA makes it so that even if someone knows your password, they won’t be able to log into your account.
– If you suspect a password has been compromised, change it immediately.

Have I been hacked?

Receiving a phishing email does not mean you have been hacked. Even when the suspicious email seems to reveal information you think is private (a message from your direct supervisor, or a link to a service you actually use), it’s usually because that information is not in fact private — your company’s org chart, for example, can be easily gleaned from your public website or LinkedIn.

If someone else reports that they received a phishing email from you, that also may not actually indicate a true vulnerability. Adding a fake “from” address to an email is easy to do, and does not necessarily mean the email actually came from your email account.

That said, hacks do occur (especially if you use the same password for multiple services and have not enabled MFA). If you suspect your email account has been compromised, go ahead and change your password right away and let Macktez know. There are clues we can look for within your email account to assess the extent of the hack and take remedial action.

What’s really going on?

Phishing is not a particularly sophisticated form of hacking. It doesn’t take a lot of computing power or a special knowledge of code. It’s a modern form of social engineering, where a con artist takes advantage of your trust or inattention.

Phishing can be very broad — someone sends a thousand generic requests from “Dropbox” via email and hopes to get a small return. Or it can be targeted (sometimes called “spear phishing”) — someone looks up information about your organization, spoofs specific email addresses, and makes specific requests that they think will sound more legitimate. In all cases, hackers are just hoping to trip you up, and then will use the information they get to expand their attempts.

What can you do?

There’s no way to stop phishing entirely. But there are ways to reduce the practice, minimize the risks, and assist those who are also trying to block phishing on your behalf.
– Enroll in Macktez Domain Management. By configuring, enabling, and monitoring industry standard tools for email security (SPF, DKIM, and DMARC) Macktez can help ensure that outgoing email using your organization’s domain is not spoofed, providing email recipients greater confidence that messages from you are authentic.
– Sign up for simulated phishing campaigns from Macktez. We can purposely send (harmless) email to your staff every quarter to train them to recognize phishing.
– Click the “spam” button in your inbox to train your email service to recognize illegitimate emails. Large email providers like Google and Microsoft aggregate user feedback to improve their own filters so that these kinds of emails never reach your inbox.

08-28-2023 | Tech Notes

Business Phone Services Now Require Registration For Text Messaging

If you are using a mobile app for your business phone service (like RingCentral, Zoom, or Dialpad), you might be used to using SMS text messaging to connect with your contacts. But now, due to new regulations, SMS through business phone services will be restricted until your organization is approved to send business-related SMS.

What’s really going on?

As you are probably aware just from looking at your personal cell phone, mobile service carriers are being inundated with more and more SMS messages from businesses. In order to gain some measure of accountability over the use of SMS by businesses, mobile carriers are now requiring all business SMS users to register with The Campaign Registry (TCR) to ensure compliance. These requirements apply to all businesses sending and/or receiving SMS from or to standard 10-digit phone numbers.

Zoom has already begun to disable SMS for non-compliant senders. RingCentral has started sending notices that they will be tripling the cost for unregistered SMS delivery.

For all of our clients who use SMS with their business phones, registration is a requirement. If you’re using Zoom, RingCentral, or any other Voice over IP (VoIP) phone system with SMS capabilities, your organization needs to register as a “brand” with TCR, and register at least one “campaign” associated with your organization’s individual phone numbers.

What should you do?

If this change affects you, reach out to Macktez today to discuss next steps and minimize the impact this will have on your workflow.

If your business uses VoIP service with physical desk phones rather than mobile apps, you won’t notice any changes to your service because you weren’t taking advantage of SMS service to begin with. We still recommend that you go through the registration process in case you switch to mobile phones in the future and want to take advantage of SMS.

08-11-2023 | Bulletin, Uncategorized

Is a to-do list really the best to-do list?

Do you ever reach the end of your day and feel like you haven’t accomplished what you wanted to? You can fix that.

Your inbox has a well-known drawback for getting things done: it’s ordered by other people’s priorities, not your own. So each new email can interrupt what you think is important to do today.

Moving your action items to a to-do list lets you set your own priorities and, with some discipline, stick to them. Whether it’s a full-featured multi-device app or a post-it note, a good to-do list can help you shut out distractions and stay focused.

But a to-do list can be endless, while a single day is not. Our sense of productivity comes from how much we get done within the boundaries of our working hours.

That’s why at Macktez, our favorite to-do list is not a list at all — it’s a calendar.

A calendar’s visual blocks of time show you exactly what you can and cannot get done in one day — it’s a to-do list with limits. You may want to get ten things done today. But can you? Is it possible? If you don’t shape your to-do list to fit your day, you are setting yourself up for failure. You’ll go to sleep feeling like you didn’t get anything done no matter how much you did and how hard you worked.

Your calendar should be comprehensive. Block out time for checking your email and for calling your mother. Your full life — meetings, lunch, classes, dinner dates, commute — should be represented here so you can clearly see how many hours there really are in your day, and how many hours your tasks will take. With better tools to help you prioritize, you’ll set better deadlines, accurately schedule your day, and feel much more productive.

07-20-2023 | Working Yellow

Electronics Recycling

E-waste can be dangerous if mishandled, releasing toxins and hazardous chemicals (e.g. mercury, lead, and cadmium) that contaminate its surroundings. That’s why in New York City and many other localities, putting your old electronics out with the regular trash is illegal.

Additionally, disposing of old computers without first erasing the files stored on them may be a security risk for your organization or for you personally, as storage drives can be harvested and the data on them may be viewed and used by bad actors.

There are now many options for responsibly disposing of electronics, including commercial and residential building pick-ups and community drop-off events. Computer manufacturers each have their own programs for free return of equipment for disposal, and consumer electronics stores like Best Buy will accept small numbers of drop-offs each day. But not all these methods will provide certified data erasure. You should be clear about your security needs before letting go of old equipment.

Macktez has partnered for over a decade with 4th Bin for e-waste recycling and certified data destruction. To help clients avoid the high minimums required to schedule a pick-up, we can hold equipment securely until we have a full load to turn over to 4th Bin. Or 4th Bin can ship an empty box to your office to be filled and shipped back for proper disposal.

Let us know if you need help the next time you refresh your fleet of workstations, upgrade your network equipment, or prepare for an office move.

06-14-2023 | Tech Notes

A Conversation is not a Meeting

What is a meeting, anyway?

A meeting is when two or more people come together to discuss one or more topics, in order to accomplish a goal. But some meetings can actually end with more confusion than when they started — we’ve all been in bad meetings that frustrate our momentum.
If you follow a few simple suggestions, you can have meetings that are productive and worthwhile every time:
– A meeting needs an agenda (or at least a stated purpose) that everyone knows — what are we here to talk about, decide, and accomplish together?
– Someone needs to take notes, and those notes need to be shared afterward. It’s even better if you have a way to share those notes so that others can add details: an email thread is OK, a shared Google document is better.
– Meetings yield decisions and actionable tasks, and those tasks should be assigned so that everyone knows who’s doing what.
– Prioritize action over discussion and turn a discussion into action as soon as possible.
– Instead of asking questions, propose actionable tasks.
– Instead of disagreeing with a proposal, offer a different solution.
– The next deadline — launch date, test, draft, presentation, or just the next meeting — should be identified before the meeting ends (or one person should be tasked with scheduling the next meeting within 24 hours).
– Meetings should be short (30 or 60 minutes).
– Meetings should be held with the fewest number of people possible.
– When you’re done with the agenda, end the meeting … even if it’s early.

The bottom line is: a meeting always moves a project forward with actionable tasks, assignments, deadlines, and a record of what everyone agreed to do.
Good conversations can also be a part of your work — brainstorming, debriefing, decompressing, even goofing around. But don’t mistake a good conversation for a meeting.

05-25-2023 | Working Yellow

Security Bulletin: Update available to patch vulnerability in Ruckus wireless access points

A Ruckus vulnerability quietly announced in February received more attention last week when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) gave U.S. federal agencies a deadline of June 2 to secure their wireless access points (WAPs) against the critical CVE-2023-25717 RCE bug.

If remote web admin access is enabled for Ruckus WAPs, attackers can use malicious code to add these devices to a network designed to launch distributed denial-of-service (DDoS) attacks against other targets.

Ruckus already has patches available for a long list of devices (including devices that are end-of-life but may still be in use).

What’s really going on?

First of all — if you are not using Ruckus WAPs, this security bulletin does not apply to you.

Second, for most office and home networks, WAPs cannot be accessed from the internet, only from within a local network, so the risk here is lower. A hacker would need to be physically present in your office, connected to WiFi or ethernet, to reach your WAPs or wireless controllers. Generally, that’s just not how vulnerabilities like this are exploited. But, to be safe, we still recommend patching these devices to maintain the highest level of security.

In some cases, however, in order for administrators to manage the wireless network remotely, Ruckus has an interface enabled that can be accessed from outside the local network. When this is the case, the vulnerability in question is much more critical because it can be exploited by remote actors, and should be patched right away.

Best Practices

To prevent botnet malware infections on any network device, firmware updates should be applied regularly, admin passwords should be strong and unique, and remote admin panel access should be disabled.

Macktez Network Management reports on device status to help to identify potential vulnerabilities before they cause problems. Ongoing monitoring of network infrastructure better equips us to respond to service outages, hardware failures, and security vulnerabilities when they do occur. Manual tasks are grouped together and performed on a scheduled, recurring basis, efficiently ensuring that automated tools are working properly. If your organization would like this same protection, email Macktez and we can meet to discuss your needs.

05-22-2023 | Bulletin

Reilly Scull Talks JumpCloud on ChannelPro Weekly

Macktez CTO Reilly Scull joined ChannelPro Weekly for a discussion about how to take advantage of JumpCloud’s cloud-based directory platform for user and device management.

JumpCloud is an integral part of Macktez Identity Management, which more and more of our clients are using to manage a hybrid workforce on multiple platforms.

05-09-2023 | Tech Notes

Security Bulletin: Critical Microsoft Outlook exploit requires immediate security update

Microsoft has released security updates for Windows and Outlook that all users should apply immediately, as they address several critical security vulnerabilities that have already been exploited by Russian hackers.

If your organization’s computers are enrolled in Macktez Workstation Management, we were able to ensure that all PCs were up to date. Macktez even remotely rebooted computers that still needed a restart in order to apply the security patches.

If your organization’s computers are not enrolled in Macktez Workstation Management, you should apply updates right away to make sure that Windows and Outlook are current.

– Select Start > Settings > Windows Update.

– Then select Check for updates.

– If updates are available, choose to install them.

Or go to this Microsoft Support page and click the “Check for updates” button.

https://support.microsoft.com/en-us/windows/get-the-latest-windows-update-7d20e88c-0568-483a-37bc-c3885390d212

If you need any help with this or have any questions, please email us to let us know what the issue is.

In addition, if your mail provider is Microsoft 365, Macktez is available to run a script that checks accounts to see if this vulnerability has been exploited at your organization.

What’s really going on?

The vulnerability allows hackers to send you a specially-formatted email or calendar invite that can share an important part of your Windows internal password management tool. This, in turn, can allow hackers to try for more targeted attacks.

The exploit appears to have been used by state-sponsored hackers in Russia against targets in Ukraine for at least the past year. If you are not involved in that conflict, it is highly unlikely that your organization has been targeted. But now that Microsoft has announced the vulnerability, bad actors everywhere are aware of it and have likely already started trying to use it against unpatched systems.

Note: macOS, iOS, and Android versions of Outlook do NOT have the same vulnerability.

Best practices

Microsoft regularly updates Windows and other Microsoft applications on the second Tuesday of every month (“Patch Tuesday”). Not all updates are as critical as this month’s, but they are all important and recommended — you should keep automatic updates on and restart your computer at least weekly to make sure that patches are fully applied and your system is current.

Macktez Workstation Management provides a core set of tools on end-user computers that allow us to manage software patching, antivirus and malware protection, and standard security policies such as screen lock and local encryption. Our clients with workstations enrolled in this subscription are guaranteed to have the latest security updates already installed, and this week we were able to issue a reboot command to any workstations that hadn’t yet completed the latest updates. If you’d like your organization to have the same protection, contact us and we can meet to discuss your options.

03-17-2023 | Bulletin

Google Drive Changes in macOS

Over the past few months, Google Drive, Dropbox, Box, and OneDrive users on Apple computers have experienced small and not-so-small changes to how files saved to these cloud services appear in the Finder. The notes below address the user experience with Google Drive specifically, but some of these particulars are relevant also for other cloud file storage solutions.

User experience changes in Google Drive for Desktop

Where to find “Google Drive”

In Finder, “Google Drive” no longer appears in the “Favorites” section of the sidebar, and instead is listed under “Locations.” You will still be able to see a link to “Google Drive” from your Home directory, right after “Desktop,” “Documents,” and “Downloads.”

If you have connected more than one Google account to Google Drive for Desktop (for example your business and personal accounts), this link will include your email address to distinguish the different accounts.

Shortcuts broken

As a result of this change from “Favorites” to “Locations,” any shortcuts to Google Drive folders that you created and saved to your Desktop or to the sidebar in Finder will be broken and will need to be recreated manually. What’s especially confusing is that you might still see the files you expect inside these folders when you click these old links, but they will not be the files that are syncing to Google Drive. Be sure to recreate all your Google Drive shortcuts.

Move and copy files in Finder

Previously, if you dragged a file from a Google Drive folder to your Desktop or another local storage space, your computer would copy that file. Now, if you just drag a file from Google Drive to Desktop that file will *move* and get deleted from Google Drive. That’s confusing, and can even be a little alarming, but not if you think about it this way: dragging a file from Google Drive to your Desktop now works the same as dragging any file in your Finder — it moves the file. If you want to copy the file while dragging, hold down the option key.

External references may get messed up

The old version of Google Drive created full file paths for everyone that started with /Volumes/GoogleDrive/ and were the same for all users. Under the new architecture mandated by Apple, the full path goes through your Home folder (/Users/[yourname]/Library/CloudStorage/GoogleDrive/), which is different for every user. This can be a big problem for teams sharing files with externally-referenced files (ex-refs).

When you place images or other drawings into a file in InDesign or AutoCAD, the program is saving a file path to this ex-ref. Whenever possible, that file path is a relative file path that indicates where the ex-ref is in relation to the main file. But in certain situations the file path saved is an absolute path, starting from the top level or root level of your entire directory. When that happens, this full file path to an ex-ref won’t be the same for you as it is for your colleagues, because the absolute path includes the name of your Home folder, which is the same as your computer login name. That means that if you place a drawing into AutoCAD, and then your colleague opens that AutoCAD file to make additional edits, they won’t be able to work on the ex-ref you placed.

The solution generally is to make sure that ex-refs live in the same folder as the main file you are working on, or in a folder below that file. That way the file path for an ex-ref can always be a relative path and won’t need to use the name of your Home folder.

Other bugs

Some users have experienced problems that are not intentional security changes and are more easily classified as bugs. If any of these are happening to you, first try a simple restart of your computer. If that doesn’t help, a reinstall of Google Drive for Desktop is usually the best course of action.

– Google Drive seems to be constantly syncing files and limiting the performance of your computer.

– Google Drive starts saving files locally that are meant to be saved only in the cloud. If this happens with a large folder, you can end up running out of storage space on your computer.

– Google Drive is not reporting the sync status of certain files correctly — files you add to Google Drive in your Finder are not showing up at drive.google.com in your web browser and are not accessible for your colleagues.

What’s really going on?

All these changes are related to a new API for cloud storage providers called File Provider that Apple first released in macOS 12.1 to integrate cloud file storage solutions more securely and consistently in the operating system. While Box responded to Apple’s extension change in 2021, only since September 2022 have we seen Google Drive, Dropbox, and OneDrive rewrite their applications for desktop integration to use the new API.

Cloud file storage solutions that show up as external drives in Finder have been available for years, but were always a bit of a hack, and were implemented in different ways on different systems using “kernel” extensions that were allowed to make deep changes to Apple’s OS. These hacks were incredibly helpful for users, especially when cloud file storage solutions figured out how to show you all the files you had in the cloud without actually downloading them. But kernel extensions presented a security problem for Apple in that they implemented changes to core OS functions and opened up security vulnerabilities that Apple couldn’t cover.

Apple has deprecated support for kernel extensions in general. In order to accommodate the popular and useful cloud file storage solutions, Apple published a new API called File Provider that created integration to these cloud services at the user level, not the system level. As a result, the applications that run the interface for interacting with these cloud files needed to be rebuilt.

Certain changes in functionality are expected and even desired by Apple (like how files are moved, not copied, when you drag them). Others are user-interface bugs that will hopefully get cleared out as Google continues to update Google Drive for Desktop.

How do you know if you’re on the new version?

If you are running macOS 12.1 or higher (Monterey or Ventura) then you are probably already using the most recent version of Google Drive for Desktop and have had these changes implemented. The best way to be sure is to check the preferences of Google Drive.

– Click the Google Drive icon in your menu bar.

– Click the gear icon, then Preferences.

– Click the gear icon in the window that appears. Here you’ll see more detailed preferences for each of the Google accounts you have connected to Google Drive for Desktop.

– Under “Google Drive streaming location,” if the “Change” link is grayed out and you see the notice “Folder location is controlled by macOS,” you are working under the new architecture described above.

02-15-2023 | Tech Notes

DMARC and Email Deliverability

A retail client recently approached us with a challenge: can Macktez help them to deliver 3-5 million emails a month to verified subscribers from multiple platforms without getting tagged as spam?

Why is that so hard? Well, a lot has changed in the world of technology in the past four decades, but the current protocols for sending and receiving email, solidified in the 1980s, have not.

That leaves a lot of room for mess, misuse, and misunderstanding for those of us trying to separate the signal from noise in our own inboxes as well as for organizations that rely on large email campaigns to reach their customers and drive business.

Google and Microsoft in particular have been attacking that first problem aggressively, flagging email they recognize as spam or phishing attempts and encouraging users to take cybersecurity seriously.

But what about organizations like our retail client that legitimately need to send a high volume of email, want to make sure that email is delivered, and want to make sure that no one is sabotaging their online identity with spoofs and malicious content?

The answer involves a number of acronyms and backend services as well as continued human attention to manage and monitor configuration changes. The tools involved are useful for any organization concerned with its online reputation, but especially impactful for any with high-volume email requirements.

Tools

First, the acronyms:
– SPF (Sender Policy Framework) is a protocol for letting the world know what outgoing mail servers are allowed to send email from your domain.

– DKIM (DomainKeys Identified Mail) is a protocol that proves an email that says it came from your outgoing mail server really did.

– DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that leverages SPF and DKIM to produce detailed reporting on all email associated with your domain name, and then lets you send specific instructions to recipients’ mail servers about what to do with invalid email.

Configured properly, used together, and then monitored and adjusted over time, these tools can greatly reduce cybersecurity risks and increase deliverability for legitimate email. (We include these tools and services in Macktez Domain Management as a monthly subscription.)

When your company receives all its email through Google, for example, but sends email using Mailchimp, SPF, DKIM, and DMARC all need to be used together to ensure that the Mailchimp email isn’t flagged as spam.

Our big retail client is using several marketing and retail services to send 3-5 million emails per month on the company’s behalf. The sheer number of emails sent requires a careful application of policy to make sure they reach their intended audience, and each of the services used to send email needs to be incorporated into the DMARC policy and monitored.

Macktez spearheaded the Domain Management project with our client. First, we confirmed or established correct SPF and DKIM records for every service our client uses to send email. Then we wrote a DMARC policy that at first collects information on all email alleging to come from our client’s domain.

Once we had enough data, we worked closely with several key members of the client’s staff to make adjustments and additions to the DMARC policy. Then we slowly adjusted the percentage of invalid emails that DMARC would instruct recipient mail servers to quarantine or reject outright. This part of the process needs to be done incrementally and with ongoing attention to make sure that the policy is being applied correctly. It’s important not to rush this, or else you run the risk of legitimate emails getting blocked.
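
The monitoring step described above comes down to reading DMARC aggregate reports and asking which sending sources would be affected at each stage of the rollout. The following is an added example, not the tooling Macktez used; the report, the domain `shop.example`, the IP addresses, the counts, and the staged records are all constructed, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (RUA) report; IPs are documentation ranges, counts are made up.
REPORT = """<feedback>
  <policy_published><domain>shop.example</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>41000</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row><identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>9000</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>2000</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>500</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.200</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row><identifiers><header_from>shop.example</header_from></identifiers></record>
</feedback>"""

# Constructed rollout: collect data first, then tighten in steps.
STAGES = [
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@shop.example",
    "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@shop.example",
    "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@shop.example",
    "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@shop.example",
]


def summarize(xml_text):
    """Per source IP, count messages that passed or failed DMARC.

    A message passes when aligned DKIM or aligned SPF passed, which is what
    the <policy_evaluated> dkim/spf fields record.
    """
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ev = row.find("policy_evaluated")
        ok = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        totals[row.findtext("source_ip")]["pass" if ok else "fail"] += int(row.findtext("count"))
    return dict(totals)


def failing_sources(summary, min_count):
    """Sources with enough failing volume to investigate before tightening.

    High failing volume often means a legitimate sending service that still
    lacks SPF/DKIM setup, not only spoofing.
    """
    hits = [(ip, c["fail"]) for ip, c in summary.items() if c["fail"] >= min_count]
    return sorted(hits, key=lambda h: -h[1])


def parse_policy(txt):
    """Extract the p= and pct= tags from a DMARC TXT record."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC policy record: %r" % txt)
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if not 0 <= pct <= 100:
        raise ValueError("pct out of range")
    return {"p": tags["p"].lower(), "pct": pct}


def rollout_preview(summary, stages):
    """For each staged record, estimate how many of the reported failing
    messages would be subject to the stated policy."""
    failing = sum(c["fail"] for c in summary.values())
    preview = []
    for txt in stages:
        pol = parse_policy(txt)
        affected = 0 if pol["p"] == "none" else failing * pol["pct"] // 100
        preview.append((pol["p"], pol["pct"], affected))
    return preview


if __name__ == "__main__":
    s = summarize(REPORT)
    print(failing_sources(s, 100))
    print(rollout_preview(s, STAGES))
```
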

Results

Within the first two months we could confirm through DMARC reporting that the number and percentage of sent emails that were delivered properly had gone up. Two more months of monitoring and policy adjustments showed that percentage continuing to increase, with authentic messages being delivered as intended while illegitimate messages (spoofing attempts of the domain sent from non-authorized servers) were consistently flagged.

This allowed our client to feel secure and confident that its marketing and sales emails were properly reaching its customers, and that any malicious attempts to subvert its stellar domain reputation were being blocked.

Our client’s marketing, sales, and customer experience teams benefit from the confidence that their emails are being sent with proper authentication and are being received by their customers without issue, while their customers get added security of knowing that spoofing attempts appearing to come from this company won’t even make it to their inbox.

01-30-2023 | Case Study