FitchGroup Masthead
Phish of the Week

What happens when a kid gets phished? It’s wise for parents to be prepared!

Check out Marc Vasquez’s story.

Marc works with CISA, the US government agency that helps organizations handle cyber risk.

Click to watch the video. 

Cybersecurity News You Can Use


During this year’s tax season, hackers accessed confidential data linked to H&R Block Canada, one of the country’s largest tax preparation firms. Using stolen credentials, they infiltrated hundreds of Canada Revenue Agency (CRA) accounts, altering direct deposit information, submitting fraudulent returns, and stealing over $6 million, an investigation by *The Fifth Estate* and Radio-Canada revealed.

Hackers fabricated addresses, including one on a non-existent “Tomato Street,” to facilitate the scam. Despite this, the CRA did not publicly disclose the breach, and Revenue Minister Marie-Claude Bibeau declined interview requests.

The CRA admitted to over 31,000 privacy breaches since 2020, affecting 62,000 taxpayers, yet reporting to Parliament lags. Experts, including Laval University’s André Lareau, criticize CRA’s inability to secure taxpayer data, citing a “pay and chase” culture that prioritizes rapid refunds over fraud prevention.


A hacker, “Nam3L3ss,” exploited a critical vulnerability in MOVEit, a popular file transfer software product, exposing sensitive employee data from over 25 major organizations. The vulnerability, CVE-2023-34362, allowed attackers to bypass authentication and exfiltrate information, leading to one of the largest corporate data leaks in 2023.

The stolen data includes employee directories with names, emails, phone numbers, and cost center codes. This poses risks of phishing, identity theft, and social engineering. Companies impacted include Amazon, HSBC, MetLife, and Cardinal Health.

The breach highlights cybersecurity flaws, emphasizing the need for immediate patching, audits, and employee training. Experts warn such incidents severely impact corporate security, employee privacy, and trust.

These organizations say they have been hacked recently. If you do business with any of these companies, change the password on your account and use two-factor authentication wherever possible.

Nov 1 breach logos

Want to know more?

Visit us at the Technology Risk Team FX site for helpful resources, or contact us at information.securitygroup@thefitchgroup.com to share interesting articles or suggestions for future newsletter topics.

One more thing...

Nov 15 Cartoon

Answers to Your Cybersecurity Questions

Sometimes, I see an orange dot on the top of my iPhone screen. What does that mean? — Martin F.

It means an app is using the microphone. If you’re making a call or having a video chat, seeing an orange or green light on the phone is not a problem. But if the dot shows up when you’re surfing the web, it’s time to act. Go to Settings > Privacy > Microphone to see which apps have access to your microphone. If you see an app you don’t recognize or don’t want to have microphone access, toggle it off.

Fidelity has an authentication process called “Your Voice is Your Password.” Is it safe to use that option? — David H.

Fidelity says it uses state-of-the-art technology to identify your voice, even if you have a cold. If you have a bad connection, the system will ask you to use another way to sign on. But as artificial intelligence improves, criminals can steal someone’s voice by lifting as little as 3 seconds of conversation off a video posted to social media. So, you might consider adding multi-factor authentication to your login, particularly for financial websites.

If my information is on the dark web, what can I do about it? — Elizabeth M.

Elizabeth, data breaches happen so often that chances are good your personal information does, indeed, live on the Dark Web. The most important steps you can take will sound familiar. Make sure you use long passphrases (not passwords) that are unique to each online account, particularly your banking, government, and email accounts. Use multifactor authentication (where you’re sent a text with a password or number every time you log in) with every account that offers it, and set up text alerts on your financial and credit accounts so you receive a text message every time there’s activity.

Send us your cybersecurity question for possible use in a future newsletter.

Cyber cartoon © 2024 Cartoonstock.com | Original content © 2024 Aware Force LLC