The Bottom Line
Small business is important to Central Oregon, and to Mid Oregon. Find tips and resources for business, and information about Mid Oregon’s commercial services and business members.
![Understanding the Different Types of Phishing Scams](https://blog.midoregon.com/wp-content/uploads/2021/07/iStock-913326760-1080x675.jpg)
Understanding the Different Types of Phishing Scams
Cybercriminals continue to improve the tools they use for phishing scams. They steal money, identities, credentials, and more every day from individuals and organizations. Even the most cyber-savvy users can be scammed if they don’t pay close attention. To protect yourself, it’s helpful to understand the different types of phishing scams.
Email Phishing Scams
Email is the most popular type of phishing scam. Victims open and act on phishing emails that include fake domain names and redirected URLs. The email’s subject line and content often look legitimate and are designed to get a response. Cybercriminals use many tricks to gain your trust, hoping you won’t notice.
![Phishing Scams - Example of a misspelled URL in an email](https://blog.midoregon.com/wp-content/uploads/2021/07/210722-Phishing-Blog-Image-1a.jpg)
- Closely examine URLs, including spelling. Fraudsters transpose, add, and delete letters to misspell a web address that brings you to a duplicate, fraudulent website. A subtle detail like a missing “s” in the “https” of the URL is another red flag.
- Avoid following links or opening attachments in emails. Instead, type the true URL for the website, because links can easily and quickly redirect you to bogus websites and attachments can be loaded with malware. Be sure not to misspell the domain, to avoid the typosquatting attacks detailed below.
- Don’t trust email senders. Instead, verify them before providing any sensitive information at work and home.
Spear Phishing
Spear phishing is a version of email phishing scams that targets recipients by name, known interests, work relationships, friendships, and other details. With social engineering, scammers scour social media to gather information about targets. Using public information and data from breaches, cybercriminals develop targeted email attacks.
- Limit the information you post on social media, such as Facebook, Instagram, and LinkedIn, and other websites that spear phishers look to exploit.
- Use two-factor authentication (2FA) or multi-factor authentication (MFA) whenever possible. Each layer of verification ensures the right person is accessing accounts and not someone claiming to be you.
- Use artificial intelligence (AI) tools to alert you to compromised accounts.
Whaling
Whaling is a type of spear phishing that targets those at upper levels of management who control funds. Leaders are not spoof-proof and are vulnerable to the same phishing tricks that target staff. Here are some tips to help ward off whaling.
- Verify that client certificates are legitimate.
- Set email filters to a level that flags suspicious senders, even before they make it to an inbox.
- Financial transactions should have the highest levels of verification, including face-to-face verification tools.
![Phishing Scams - Example of whaling email](https://blog.midoregon.com/wp-content/uploads/2021/07/210722-Phishing-Blog-Image-1-1024x496.jpg)
Smishing and Vishing
Smishing uses SMS and text messages for phishing scams. The text message usually has a legitimate-looking link and sometimes includes the first or last few numbers of an account. Victims assume it is legitimate and then take steps that compromise an account and other confidential information.
Vishing attacks are voice calls, many of them robocalls, intended to scare recipients into responding with confidential information.
![Example of smishing](https://blog.midoregon.com/wp-content/uploads/2021/07/210722-Phishing-Blog-Image-2-229x300.jpg)
- Never answer a text or phone call from a sender you can’t verify before supplying any information.
- Hang up and redial the phone number directly. Chances are you’re a vishing target.
- Never respond directly to a text message that’s looking for information or includes links.
- Go directly to the true source to verify the sender. Look up the real phone number or website URL and call or browse there. This approach will help determine if it is a legitimate request and whether your information is needed.
Typosquatting
Also called URL or domain hijacking (do-jacking), typosquatting relies on incorrect spellings of URLs, or typos a user makes without realizing. Minor deviations in spelling can bring you to a look-alike, spoof website. Many of these sites can disappear immediately after stealing your payment card and other information.
![Examples of Typosquatting](https://blog.midoregon.com/wp-content/uploads/2021/07/210722-Phishing-Blog-Image-3-1024x397.png)
- Check and double-check URL spellings before connecting. Make sure every character, hyphen, and apostrophe is in place.
- Use previously bookmarked sites when possible.
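The spelling checks above, and the URL tips in the email phishing section, can be automated. The following Python code is an added example, not part of the original article: it flags a web address whose domain is one transposed, added, deleted, or swapped character away from a site you trust, and notes a missing “s” in “https”. The trusted list, the function names, and the simple “last two labels” domain rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites you really use. "example-bank.com" is a constructed name.
TRUSTED = {"midoregon.com", "example-bank.com"}

def osa_distance(a: str, b: str) -> int:
    """Count the edits (add, delete, substitute, swap two adjacent
    characters) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            cur[j] = min(prev[j] + 1,          # delete a character
                         cur[j - 1] + 1,       # add a character
                         prev[j - 1] + cost)   # substitute (or match)
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposed pair
        prev2, prev = prev, cur
    return prev[len(b)]

def check_url(url: str, trusted=TRUSTED, max_edits: int = 1) -> str:
    """Classify a URL against the trusted list."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")
    # Simplification: treat the last two labels as the site's domain.
    # Production code should consult the Public Suffix List instead.
    domain = ".".join(host.split(".")[-2:])
    if domain in trusted:
        return "ok" if parts.scheme == "https" else "trusted-name-but-not-https"
    for good in sorted(trusted):
        if osa_distance(domain, good) <= max_edits:
            return f"lookalike-of:{good}"
    return "unknown-domain"

if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real message.
    for sample in ("https://blog.midoregon.com/security",
                   "http://www.midoregon.com/login",
                   "https://www.midoreogn.com/login",
                   "https://mid-oregon.com/"):
        print(f"{sample:40} {check_url(sample)}")
```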
Angler Phishing
One of the newest and fastest-growing phishing scams is angler phishing. It uses social media spoof sites to trick users into providing information. These sites often masquerade as social media customer service and ask for sensitive information. They often threaten to close the account or take other action if the data isn’t provided.
![Phishing Scams -Example of angler phishing](https://blog.midoregon.com/wp-content/uploads/2021/07/210722-Phishing-Blog-Image-4.jpg)
- Address account issues only on the official social media website.
- Look for an official blue checkmark verification symbol, like those found on Twitter and Instagram messaging.
For more articles on phishing scams, cybersecurity and related topics, visit Mid Oregon’s Security and Fraud Center.
![Your Mid-Year Tax Check-In: Consider these Tips for Potential Savings](https://blog.midoregon.com/wp-content/uploads/2021/07/iStock-1147332704-1080x675.jpg)
Your Mid-Year Tax Check-In: Consider these Tips for Potential Savings
Get your tax act together now by being more organized in the second half of 2021
Proper tax planning isn’t just for CPAs. The more organized you are now with paperwork and business practices, the better. Here are some tax tips to consider for the second half of the year.
Create a system
Whether you file your own taxes or take them to a professional, it’s always a good idea to keep the paperwork you’ll need organized throughout the year. If you want to work smarter, trade in your throw-everything-in-a-box tax prep method for labeled folders in a desk drawer or a separate file box. You could also consider using a software program. Generally, the IRS suggests you keep records for three years from the date of a filed tax return.
Good news for business meals
As more people get vaccinated and the world opens back up, now is a good time to take advantage of a temporary tax change that allows a 100% deduction for qualifying business meals through December 31, 2022. Typically, business meals are only 50% tax-deductible, but a temporary revision in 2020 allows you to claim the full meal for a limited time. Don’t forget to save your receipts and note your business clients.
Review and update your W-4 form
If you had a big tax bill this year and would prefer not to live through that again, you can change your W-4 form to increase how much is withheld from your taxes. Doing that will likely help you owe less next year. Ask your HR department for a new W-4 and make changes now so you can have more taken out for the remainder of 2021.
On the flip side, if you had a big tax refund, you can also update your W-4 form to reduce how much money is being withheld from your earnings. Getting a refund means you gave the government an interest-free loan. It also means you may be living on less than you have to. The IRS offers a federal tax withholding estimator to help people figure out how much they should be withholding.
Going back to school?
If you are thinking about going back to school or already took the leap and enrolled, you may be able to claim the Lifetime Learning Credit for graduate school or professional certificate programs, which can be worth up to $2,000 in 2021. To qualify, you must take classes at an eligible educational institution and your modified adjusted gross income in 2021 has to be less than $90,000 if you are single or $180,000 if you are married and filing jointly. And remember, tax credits are better than tax deductions, because they lower your tax liability on a dollar-for-dollar basis.
Consider a home office deduction
If your work situation changed in 2020 or 2021, and your side hustle became your full-time gig, don’t shy away from the home office deduction if you qualify. Historically, people have worried this might flag an IRS audit. But if you are an independent contractor or self-employed, and have a room (or area) in your home solely devoted to doing business, stake your claim. You can deduct a portion of rent or mortgage and other expenses that are attributable to the space that is specifically used for doing business, or you can simply deduct $5 a square foot, up to 300 feet.
File your taxes if you haven’t already
If you haven’t yet filed your taxes, get on it, especially if you are owed a refund. The only way to get a refund is to file a tax return. Plus, there is no penalty for filing after the deadline if a refund is due. Visit IRS.gov through Oct. 15 to prepare and file returns electronically.
And if you haven’t filed your taxes yet and you owe money — even if you can’t afford to immediately pay the taxes owed — you should still file a tax return as soon as possible to reduce potential penalties. The IRS offers options for taxpayers who owe the IRS, but cannot afford to pay the full amount at one time.
*This guest article is from the “Your Money Blog” in Mid Oregon’s Digital Banking Credit Savvy resource. It is made possible by SavvyMoney. “Your Mid-Year Tax Check-In: Consider these Tips for Potential Savings” by Jean Chatzky with Casandra Andrews was published in July 2021.
![Not All WiFi Is Good WiFi](https://blog.midoregon.com/wp-content/uploads/2021/07/iStock-1033525840-1080x675.jpg)
Not All WiFi Is Good WiFi
With summer travel back in full swing, our electronic devices are often in tow. WiFi is now included with most mobile phones, tablets, laptops, and desktop computers. Access to WiFi is also standard in most places from corporate offices to public spaces. It’s important to remember that not all WiFi is good WiFi.
With WiFi technology being so pervasive, it provides opportunities for cybercriminals. Luckily, you can significantly reduce your WiFi risk through awareness and security tips.
Malicious WiFi access points
Cybercriminals often use a malicious WiFi access point for an attack. These devices can be set up in hotels, coffee shops, airports, near offices and apartment complexes, etc. The cybercriminal’s goal is to get unsuspecting victims to connect to the malicious device for WiFi. For example, a malicious WiFi access point could be set up near a hotel pool and named “Free Pool WiFi.” If you’re a hotel guest and see this option, you’d likely connect.
Cybercriminals also try to imitate legitimate access points. A cybercriminal could be in a car near an office with a WiFi access point whose name is similar to that of your office’s regular WiFi. If your mobile device or computer attempts to connect, it might connect to the malicious access point instead of the real one. Criminals sometimes will even knock the legitimate access point offline, making their access point the only one available.
What cybercriminals try to access
Assuming you’ve connected to a malicious access point, what can a cybercriminal do? Once connected, a cybercriminal can begin attacking that device directly. If the device has any vulnerabilities, including missing patches, the criminal has a direct connection to the device, allowing easy access. With successful exploitation of the vulnerability, the criminal could control that device without the user’s knowledge. Even if the user disconnects from that WiFi access point, the criminal could regain access every time the user goes back online from anywhere, because of the malware installed.
Privacy risks
Another risk is privacy. While a victim is connected to the malicious access point, the cybercriminal can monitor everything they do online. This risk has been reduced in recent years as more sites have SSL certificates. An SSL certificate allows the website to encrypt its traffic. If you visit a website with a URL that starts with HTTPS://, that indicates that everything you see and type on that website is secure.
Even if you were on a malicious WiFi access point, the criminal could not see what you’re typing. It is important to note that while HTTPS ensures that the data you are sending to the website is secure, HTTPS does not guarantee that the website you are visiting is legitimate. If you have typed in the correct URL and see the HTTPS, then you should be safe. However, if you mistype the URL or are visiting a site that you are not familiar with, it could have HTTPS in the URL, but that does not guarantee the website itself is safe.
Website security issues
Of course, cybercriminals don’t just give up. Sometimes, they will attempt to break the encryption between you and the website. If successful, they can monitor everything you type. Luckily, this type of attack is easy to detect because there will be an on-screen warning about a security issue with the website.
In many cases, it will specifically say that there is an issue with the Security Certificate. If you see one of these warnings, stop! Do not select to ignore the warning or continue to the website. If you do, everything you see and type can be monitored and recorded. These warnings mean something is wrong, and you should contact your company’s tech support or the company that provides the website.
DNS attacks
Another common form of attack with malicious WiFi access points is a DNS attack. When your device connects to any WiFi access point, that access point will assign a DNS server to your device. A DNS server is a system that tells your computer how to get to another computer based on the domain name that you type in.
For example, if you open your browser and type in www.sosdailynews.com, your computer doesn’t understand what that means. Instead, it will send that domain name to a DNS server and ask, “how do I get to this address?” The DNS server will then respond with something like “192.223.10.25,” an IP address for that website. Your computer understands the IP address and then makes the connection.
If a cybercriminal controls the DNS server that your computer is communicating with, that will allow them to control where your computer connects. For example, if you typed in the URL to a bank, a malicious DNS server could give you an IP address that points to a criminal’s web server designed to look like the bank. You think you’ve typed in the correct URL and end up at a website that looks like what you expected. You type in your login, password, or other confidential information, and that data is sent to the malicious website without your knowledge.
How to check for website security
Because detecting phony WiFi access points is difficult, the best time to look for a potential issue is when you browse to a secured site (any site that starts with HTTPS://). Be sure the website address begins with HTTPS://. Most people will type in www.whatever.com and assume it will add the HTTPS:// at the beginning. Always look to make sure it is there.
If it is not, do not proceed. If you attempt to connect to a secured website and receive a message that there is an issue with the security certificate, stop immediately. There is never a situation where a broken security certificate is normal. If you receive a warning, error message, or other notification that there is a problem, stop, pick up the phone, and contact tech support. Remember that it does not matter where you are; a WiFi attack can happen at home, work, or any public location.
For more articles on cybersecurity and related topics, visit Mid Oregon’s Security and Fraud Center.