Home + Mobile

Carbonite to Acquire Webroot

I’m excited to share that Webroot has entered into an agreement to be acquired by Carbonite, a leader in cloud-based data protection for consumers and businesses. Why do I think this is such good news for customers, partners and our employees?   For customers and...

The Reality of Passphrase Token Attacks

In my blog, Password Constraints and Their Unintended Security Consequences, I advocate for the use of passphrases. Embedded in the comments section, one of our readers Ben makes a very astute observation: What happens when attackers start guessing by the word instead...

Common WordPress Vulnerabilities & How to Protect Against Them

The WordPress website platform is a vital part of the small business economy, dominating the content management system industry with a 60% market share. It gives businesses the ability to run easily-maintained and customizable websites, but that convenience comes at a...

A Miner Decline: The Slowdown of a Once-Surging Threat

This is the first of a three-part report on the state of three malware categories: miners, ransomware and information stealers. In Webroot’s 2018 mid-term threat report, we outlined how cryptomining, and particularly cryptojacking, had become popular criminal tactics...

Smart Wearables: Convenience vs. Security

Fitness trackers and other digital wearables have unlocked a new era of convenience and engagement in consumer health. Beyond general fitness trackers, you can find wearables for a variety of purposes; some help diabetics, some monitor for seizure activity, and some...

MSPs: Your Security Vendor Should Integrate with More Than Just Your RMM and PSA

For many MSPs, integrating their security solution with their remote monitoring and management (RMM) and professional service automation (PSA) platforms is essential for doing business. Together, these platforms help lower the cost of keeping up with each client,...

Top 5 Things SMBs Should Consider When Evaluating a Cybersecurity Strategy

SMBs are overconfident about their cybersecurity posture. A survey of SMBs conducted by 451 Research found that in the preceding 24 months, 71% of respondents experienced a breach or attack that resulted in operational disruption, reputational damage, significant...

What’s Next? Webroot’s 2019 Cybersecurity Predictions

At Webroot, we stay ahead of cybersecurity trends in order to keep our customers up-to-date and secure. As the end of the year approaches, our team of experts has gathered their top cybersecurity predictions for 2019. What threats and changes should you brace for?...

Responding to Risk in an Evolving Threat Landscape

There’s a reason major industry players have been discussing cybersecurity more and more: the stakes are at an all-time high for virtually every business today. Cybersecurity is not a matter businesses can afford to push off or misunderstand—especially small and...

Ransomware: a Modern Threat to Public Safety

Reading Time: ~2 min.

Ransomware authors are pivoting their attacks from individuals to government entities and health care institutions, causing a threat to public safety. Traditionally, crypto ransomware targeted individuals and encrypted their personal data and files as a form of extortion for hundreds of dollars. Ransomware has evolved to target businesses and government agencies for much larger financial gains.

The cost of ransomware

There are countless news stories of hospitals and other institutions being shut down by ransomware. We have been seeing an increase in attacks on government entities, including counties and police departments.

A small Ohio town experienced a ransomware attack earlier this year that shut down county government offices and 911 dispatch. This slowed their emergency response but luckily they were still able to respond to emergency 911 calls.

The financial costs to these organizations are also a concern and they’ve been steadily increasing as crypto ransomware continues to evolve.

The FBI estimated that cybercriminals would collect over $1 billion in ransoms during 2016.

In reality, the actual losses suffered by organizations are much higher due to the disruption of productivity and when government entities and police departments are increasingly being targeted, public safety becomes an issue.

An issue of public safety

Ransomware attacks targeting hospitals are increasing, crippling critical infrastructure and exposing or hindering Electronic Health Records (EHR). When these records are impacted, it causes patient care to be hindered or halted. As more organizations implement connected medical devices and allow employees to bring their own devices to work, access points for unauthorized users are left open.

A 2016 study by Peak 10 found that only 47% of current healthcare organizations have implemented advanced malware protection and only 57% have implemented an encrypted network.

Earlier this year, an attack on police CCTV cameras in Washington D.C. crippled the city’s surveillance system and forced major citywide reinstallation. Although this attack was an extortion effort, it makes you wonder how similar attacks will be used to cripple government emergency response and how cyberattack methods are evolving.

Once ransomware hits a police department’s system, the damage can be catastrophic if mitigation methods aren’t in place. Attacks cripple dispatch systems and patrol car computers, slow police response time, expose records, and create an unsafe environment for officers in inmate holding areas.

What the government is doing about it

Ransomware and other cyberattacks on government operations are a real issue of public safety and steps need to be taken to improve response time to such attacks. The FBI recommends taking prevention and continuity measures to lessen the risk from ransomware attacks.

  • Back up your data locally or in the cloud
  • Secure backups and keep them on scheduled updates
  • Do not open attachments in unsolicited emails
  • Keep your operating system, software, and firmware up-to-date
  • Ensure antivirus and antimalware solutions are set to automatically scan and update
  • Report internet crimes to the Internet Crime Complaint Center (IC3)

Ransomware presents a real, imminent threat to the public and to our government. Share this article to help spread ransomware awareness in your community.

Take your browser security to the next level

Reading Time: ~3 min.

Aren’t you tired of annoying pop-ups that slow your computer way down, or give you viruses that cripple your PC faster than De’Aaron Fox on a fast break? What if we said you could make minor changes to your lineup to drastically speed up browsing sessions, improve browser security, and reduce your risk of downloading malware or potentially unwanted applications (PUAs)?

Well, hold onto your hats, folks. That’s exactly what I’m going to do. (Just think of all the time and hassle you’ll save when you no longer have to remove junk programs from your parents’ computers due to accidental pop-up clicks!)

Recommended Browsers for Privacy & Security

Personally, I’m a fan of Google Chrome and Opera, but I also use the most up-to-date versions of Waterfox and Internet Explorer for testing purposes or when accessing certain content management systems. Each of the below have quality security features, including pop-up blockers, antispyware, antivirus, anti-phishing, and private modes that complement a full antivirus and cybersecurity solution. Here’s a breakdown.

Google Chrome: I’m biased here, but Chrome is extremely stable, has cross-platform functionality, and it’s pretty darn fast if you have enough RAM or a gaming PC like myself. Most importantly, however, it offers a wide range of extensions for improved user experience and navigation, handling pop-ups and ads, etc. If you’re a fellow Chrome user, I can’t recommend Adblock Plus enough. It’s amazing how quickly pages load when they’re not cluttered up with ads you’d never intentionally click on anyway.

Waterfox: Firefox was a longtime favorite of mine for a variety of reasons, but we’ve grown apart in recent years. Let’s face it: back when we first met, Firefox looked good, moved fast, and had better functionality than anything else available. These days, Firefox has gotten sluggish and imposes too many restrictions. (And let’s not forget the incessant update phase from a few years back.) My new side-browser is Waterfox. If privacy is a concern, you’ll be happy to hear that absolutely no data is sent back to Firefox or Waterfox. You can also sleep better at night knowing that Waterfox is partners with Ecosia, a search engine provider that plants trees with earned revenue. Built on the same Firefox code but without the painful restrictions, it reminds me why I ever fell in love with Firefox in the first place.

Opera: Maybe it sounds crazy, but Opera is my favorite mobile browser. I get impatient about slow network speeds and Wi-Fi connections, especially when my ISP throttles my bandwidth. Opera is super-fast and has plenty of features, but what really makes it stand out for mobile is its Turbo Mode. Turbo Mode compresses web traffic through Opera’s servers, reduces the amount of data transferred, AND it dodges annoying ISP restrictions. Opera has built-in fraud and malware protection that’s enabled by default. It uses several databases and blacklists for known phishing and malware websites to help with browser security.

Internet Explorer: If I’m being honest, I wouldn’t say I like IE. But the reason it’s on this list is that it’s still a shockingly popular browser, and a lot of content management systems and other programs I’m required to use professionally run more smoothly with IE. You can adjust security levels, enable the SmartScreen Filter, and enable ActiveX filtering for enhanced browser security on Internet Explorer.

How to Secure your Browser

Having layers of protection is never a bad idea, especially with the evolving threats we’re faced with today. Preventing pop-ups is a quick and easy step to protect yourself and any family members you may have who aren’t as up-to-date on mitigation techniques. Built-in antispyware and anti-phishing components of these browsers typically notify users when they click malicious or risky URLs, thereby stopping attacks before the actual malware or spyware is downloaded onto your machine.

By using secure browsers on all your devices, in addition to cloud-based cybersecurity, you can avoid many of the threats on the web, and seriously up your internet security game.

Keep social engineering attacks from destroying your identity

Reading Time: ~2 min.

Sometimes it takes a close call or bad experience to really hammer it home. The concept of identity theft is nothing new. To put it in perspective, my step-dad had his identity stolen, and didn’t even know it. He was targeted by a social engineering attack and forked over several hundred dollars during the scam and didn’t realize he was a victim until I sat down with him to help speed up his aging computer.

What is social engineering?

Social engineering attacks, like any con, are based on psychological manipulation to incite victims to give up money and sensitive, confidential information. An example given by Wikipedia (yes, we use Wiki too), might be someone who walks into a building and posts an official-looking flyer on the company bulletin that announces a new phone number for the help desk. When employees call for help, the criminal might ask for passwords and other corporate login credentials. This opens access to the company’s private information. Another example of social engineering might involve a hacker contacting their target on a social network, such as Facebook. They start a conversation and gradually gain their target’s trust, then use that trust to get access to sensitive information.

Why? Because $$$.

Motives typically involve some kind of financial gain, though some attackers choose victims for personal reasons, such as revenge. In my step-dad’s case, it all started with that slow computer. He signed up for a sketchy PC cleaner tool to get rid of viruses and speed things up, after which he was targeted through a phishing scam. This attack resulted in him paying the attacker sums of $150 to $300 on various separate occasions.

What are the most common types of social engineering attacks?

Phishing: These attacks can include scenarios like the aforementioned, but may also be more targeted. Spear phishing attacks are more sophisticated and can include customized email sends or targeted ads that require a bit more research on the attacker’s part.

Watering hole: In a watering hole attack, user-groups are specifically being targeted. For example, attackers would research specific employees that visit niche websites and then host malware specifically targeting these employees.

Baiting: Just like the term suggests, baiting attacks involve offering victims something they want. Most often, these appear on peer-to-peer sharing sites where you can download or stream those hot new movies or Beyonce tracks you’ve been hearing about. The risk is that you may be downloading malware instead of, or in addition to, the files you actually want. Baiting can also include too-good-to-be-true online deals or fake emails with answers to questions you never asked on any forums.

Who and what to trust

Social engineering attacks are limited only by the attacker’s imagination. But, that means knowledge is your greatest tool against evolving cyber threats. I’m not suggesting you turn paranoid, but if something online strikes you as a little off or too good to be true, question it. Don’t remember sending a package or signing up for a contest? Then don’t click the “track my package” or the “Congrats, you’re a winner!” links.

Phishing and baiting tactics have been used in recent employment scams targeting recent college graduates. Whether you’re on social media, applying for jobs, or simply surfing the web, always think before you click, do your research, and visit HTTPS sites through a secure search engine, not via email or social media links.

Simple steps to help make you CyberSmart

Reading Time: ~3 min.

The online threat landscape continues to evolve. Not only do we need to continue innovating and refining our protection techniques, but we also need to stay on top of our cybersecurity education in order to protect each other from these attacks. As it happens, a number of people still don’t use any cybersecurity on their personal devices. To better understand these patterns, and to help create a cybersmart community as more aspects of our daily lives become internet-connected, we took it upon ourselves to gather data from home users in the form of a survey.

First, how many people use cybersecurity?

We found that 14% of users surveyed don’t use any cybersecurity protection whatsoever. Sure, we could tell you all you should be using our cloud-based SecureAnywhere® protection, but, in all honesty, it’s more important to us that people protect themselves in the first place, whether they’re our customers or not. You can help your friends become CyberSmart by sharing this blog or by sending a Tweet to your network. Foregoing an antivirus solution and neglecting to layer your cyber defenses exposes you to an ever-evolving barrage of malware and phishing, not to mention SQL injection, cross-site scripting, and man-in-the-middle attacks.


Are You CyberSmart?

Given how many free antivirus solutions are available, the number of survey participants who still don’t use any device protection was much higher than we expected. (Do keep in mind, however, that a large number of the free solutions come with potentially unwanted applications in tow. When it comes to cybersecurity, you tend to get what you pay for.)

No matter which protection you choose to use, we recommend taking a few simple steps to minimize your risk of being targeted by attackers. Enabling automatic updates for your operating system, apps, and programs, and layering your Wi-Fi security are easy but effective ways to close the gap. Also, be sure to use strong, unique passwords for your sensitive accounts. Although you’ve probably heard that one before, you’d be amazed at how many people still reuse passwords between various accounts, including their banking and other financial logins.


Nearly half of users in our survey admitted to reusing their passwords. If you’re one of them, and you find yourself thinking, “but I have so many logins and it’s too hard to remember all my different passwords,” we understand. We’ve all faced this question at one time or another during the internet age. But you can use a secure password manager to ease the burden of having to keep track of so many credentials.

My Webroot, Anywhere

Whether you’re already part of the family, want to take Webroot SecureAnywhere® for a free test drive, or purchase for 25% off,  we provide an online management account where you can centrally control your various connected home and mobile devices (and also manage your passwords.) If you haven’t already, take advantage of our advanced protection features today by setting up your My Webroot Anywhere account.

My friend stole my password!

Reading Time: ~2 min.

News of yet another breach at Target or Yahoo seems pretty commonplace these days. Sometimes, the frequency of big, newsworthy hacks can make us forget about more personal threats we face: the people close to us who have easy access to our financial info, social media accounts, online identity, and even our computer password.

Exponential growth

According to Pew Research Center, the use of social media has seen tenfold growth over the last decade, with nearly 68% of U.S. adults at the end of 2016 reporting they have a Facebook account (let alone any of the other social media outlets, such as Twitter, LinkedIn, Instagram, etc.) This growth represents a turning point in the way we consume news and share information with our friends and family members. But as the world becomes increasingly connected, it’s also becoming increasingly hackable.

In a survey conducted by the University of Phoenix, it was found that 70% of social media scams in 2016 were shared manually, meaning people voluntarily and unwittingly shared posts that linked to malicious or affiliate sites. Moreover, the study found that 9 out of 10 people limit their personal information shared on social media due to fear of being hacked.

9 out of 10 people limit their personal information shared on social media due to fear of being hacked.” – Survey results, University of Phoenix, 2016

Friends don’t let friends get hacked

To increase your personal security when browsing and sharing online, we recommend you take just a few simple steps.

Enable an automatic lock on your computer.
It sounds so simple, right? But seriously, adding a lock to your computer will keep friends and foes alike from accessing your everyday accounts that you may have forgotten to close or sign out of. We recommend rotating your Windows or Apple password and making it unique and very different from others that you may use on financial or data sensitive accounts.

Use a secure password manager.
They’re easy to find and easy to use. So what’s standing in your way? Using a password manager like Google Chrome’s built-in features or the Webroot SecureAnywhere password manager enables another layer of protection that you can sign out of when you’re done browsing or paying your bills. This will also help keep you from using the same password across all of your accounts for ease of access.

Don’t enter passwords on other people’s computers.
Be wary of logging into your social media accounts on your friends’ computers. You might forget to click “no” or “never” when prompted to save your login credentials, and you wouldn’t want an embarrassing Snap or Facebook post to haunt you.

If your password gets hacked

First, don’t panic, but don’t hesitate to take action either. Change all relevant passwords immediately, including any to other accounts where you may have reused the same credentials. Inform your friends and family members immediately of the situation, and to disregard messages or posts that were sent from your account during the period of exposure. Finally, don’t forget to notify the support team for the associated social network so that they can investigate and help prevent others from becoming victims of the same types of attack.

The Internet of Toys

Reading Time: ~4 min.

The convenience of having some kind of internet connection on more and more of the devices we use each day is undeniable. However, without proper security vetting, this convenience may come at a hefty price. In the past year alone, we’ve seen millions of routers, DVRs, IP cameras, cars, and more get hacked and either ransomed or hijacked for illegal purposes. This is mostly because the vendors of these devices only focus on functionality and the “set it and forget it” mentality. The next big IoT device type on the high-risk radar might not be what you expect… It’s toys.

Just last month, almost a million CloudPets.com accounts were compromised which contained 2 million voice recordings of kids and their families. This data—which is currently being ransomed—was taken from an unsecured MongoDB installation. There was no password or authentication required to access the widely available MongoDB on port 2701 at Anyone who tried to connect had access and could access as much data as they wanted. It was only a matter of time before threat actors decided to take the data and delete the original copies from the server. In fact, the MongoDB currently has over ten thousand unsecured servers from which data has been stolen and held for ransom.


The CloudPets breach is yet another in a long list of poorly secured connected devices. Germany has already banned My Friend Cayla dolls, having classified them as espionage devices. Anyone selling the toy may be subject to a fine of up to 25,000 € for anyone who sells the toy. Barbie dolls are also on radar, since the Hello Barbie doll made headlines a couple of years ago. The doll was easily hackable and would reveal users’ system information, Wi-Fi network names, internal MAC addresses, account IDs, and even MP3 files. Aside from the sheer creepiness of hacking a children’s toy, this type of sensitive information can be used by cybercriminals to gain entry into a user’s more high-value accounts. The ease with which an attacker can access users’ details, including passwords, can give them a starting point to infiltrate other accounts, and sensitive family information can be used to guess passwords and secret questions.

Are hackers toying with your data?

We continue to witness a growing number of attacks with extortion as their goal. They begin with a simple but effective brute force assault from RDP to MongoDB and are now on to MySQL, and it won’t stop there. As long as such protocols, tools, and software are installed without adequate security measures, new breach stories will continue to make the news. Vendors of all IoT devices must ensure that they properly secure their devices and the information they collect.

Beyond the vulnerabilities the backend databases that support these IoT devices comprise, we have also been seeing remote exploitation of the actual toy device via Bluetooth Web API. Any user with a computer or a phone can connect to the CloudPets plushie without any authentication, and can then control the toy. Using the built-in microphone, an attacker can send and receive recorded messages to and from the toy, and they don’t even have to be inside the house. Experts in the field are already issuing warnings as to the privacy risks associated with allowing websites to connect to devices via Bluetooth. The CloudPets situation is a prime example of connected device manufacturers being grossly negligent towards the security of their products, and only focused on functionality (and, therefore, saleability.)

There’s a smarter way to play

To mitigate these types of risks, vendors need to conduct regular risk assessments and security vetting. They need to understand what does and does not need to be internet-facing within the organization. The items that do need to connect to the internet should be protected accordingly, starting with checking and improving on default settings. Authentication levels for each product need to be investigated and possibly enhanced to require two-factor, given that default options aren’t always the most secure. Where possible, access should be restricted based on policy, and vendors must investigate whether VPN and tunneling protocols would work for a particular use case. It’s essential to keep installations up to date. Additionally, vendors need to regularly review the setup configurations, look for unexpected or undocumented changes, and review the listed administrator accounts as a standard routine. In addition, consumers must be educated on the potential for these devices to generate and store sensitive data, as well as how to use good security practices to ensure their information stays safe. Although we can never make ourselves 100% secure, we should give ourselves a fighting chance.

Once a vendor or organization has set up what it believes to be the best defense, it cannot simply forget about it. Plans need to be in place for when a breach does occur so data can be recovered as quickly and efficiently as possible. This means creating and executing a well-divided, regularly-tested, air-gapped backup strategy. It could mean the difference between a breach being little more than a learning experience, versus resulting in devastating losses from which the business may not recover. It’s also important to make sure all employees are aware of what to do when things go wrong, as time will be of the essence. Each employee must know who needs to do what, when, where and how, from the incident responders to PR. Because the modern threat landscape continually changes, the only way to achieve remotely effective protection is not to sit back and relax, but to continue examining, refining, and improving upon security practices.

Employment scams target recent college grads

Reading Time: ~2 min.

As if the job market isn’t hard enough to break into, rising seniors and recent college graduates are employment scam targets. In January, the FBI issued a warning that employment scams targeting college students are still alive and well.

Employment Scams – A Public Service Announcement

According to the FBI, scammers advertise phony job opportunities on college employment websites soliciting college students for administrative positions. Then the student employee receives counterfeit checks and is told to deposit them into their personal account. Shortly thereafter, the scammer directs the student to withdraw the funds and send a portion, via wire transfer, to another individual. Often, the transfer of funds is to a “vendor”, allegedly for materials necessary for the job. By the time the bank has confirmed that the original checks were fraudulent, the victim’s own money is long gone

Dashed employment hopes and lost wages aren’t the only concern for victims of recent employment scams. Possible consequences of participating in this scam include:

  • The student’s bank account may be closed due to fraudulent activity and a report could be filed by the bank with a credit bureau or law enforcement agency.
  • The student is responsible for reimbursing the bank the amount of the counterfeit checks.
  • The scamming incident could adversely affect the student’s credit record.
  • The scammers often obtain personal information from the student while posing as their employer, leaving them vulnerable to identity theft.
  • Scammers seeking to acquire funds through fraudulent methods could potentially utilize the money to fund illicit criminal or terrorist activity.
Staying Safe

Remember, if it sounds too good to be true, it probably is.

Guaranteed income with no experience needed. Work from home and control your own schedule. Apply today to start earning thousands!

Phone introductions are a fine way to start the conversation, but be wary of opportunities that don’t lead to a face-to-face interview. Although some companies and government agencies may require it, you should be very cautious when sharing your Social Security Number online or over the phone. Tell the employer you’ll only provide that information once you’ve received a formal offer and are filling out W-2 or 1099 paperwork.

Be sure to do your research as well. Look into the company to find out about their market, what they sell, and look for reviews and evaluations from their employees. (Hint: you should be doing this anyway, not just when you suspect a scam.)

You can also take advantage of the Better Business Bureau and the BBB Scam Tracker℠ to research the types of scams that have been reported in your area.

Have you been scammed?

Help others avoid becoming a victim of employment scams by reporting the incident to the Better Business Bureau, the Internet Crime Complaint Center (IC3), and the Federal Trade Commission.

Top 5 Tax Season Scams

Reading Time: ~4 min.

During tax season most of us are probably still dreading the moment we have to quit procrastinating, buckle down, and file our income taxes. Coincidentally, it’s also a time that cybercriminals are working overtime to scam home users into giving over their financial data, and even their tax returns. The frequency of attacks only increases as the IRS tax deadline (April 18th this year) looms ever closer.

Don’t Let Tax Season Scammers Steal Your Refund!

According to the IRS, thousands of people have lost millions of dollars and their personal information to tax scams and fake IRS communication in the past few years. In fact, a recent phone scam has been aggressively targeting taxpayers, often members of immigrant populations, in which callers claim to be IRS employees. They use false names and credentials and even spoof their caller ID information to appear more legitimate. The scammers tell their victims they owe money to the IRS and demand it be paid right away through a pre-loaded debit card or a wire transfer. If any victims refuse or sound too skeptical, the scammers threaten them with arrest, deportation, or any number of other downright terrifying legal scenarios.

According to data collected in the 2016 tax season, the IRS saw an approximate 400% surge in phishing and malware incidents, and our own data suggests this number won’t be going down any time soon.

A number of alerts have been issued by the IRS about the fraudulent use of their name or logo by scammers who hope to steal taxpayers’ assets and identity. Regular mail, telephone, fax, emails—scammers are using every phishing tool at their disposal to trick unsuspecting victims, and the proof is in the numbers. According to data collected in the 2016 tax season, the IRS saw an approximate 400% surge in phishing and malware incidents, and our own data suggests this number won’t be going down any time soon.

BOLO (Be on the Lookout)

While the IRS provides a list they call their tax season “Dirty Dozen” scams, here are the top 5 we think you should really watch out for.

Phishing: Taxpayers need to be on guard against fake emails or websites looking to steal personal information. The IRS will never initiate contact with taxpayers via email about a bill or refund. Don’t click on one claiming to be from the IRS. Be wary of emails and websites that may be nothing more than scams to steal personal information.

Phone scams: Phone calls from criminals impersonating IRS agents remain an ongoing threat to taxpayers. The IRS has seen a surge of these phone scams in recent years as con artists threaten taxpayers with police arrest, deportation and license revocation, among other things.

Identity theft: Taxpayers need to watch out for identity theft especially around tax time. The IRS continues to aggressively pursue the criminals that file fraudulent returns using someone else’s Social Security number. Though the agency is making progress on this front, taxpayers still need to be extremely cautious and do everything they can to avoid being victimized.

Return preparer fraud: Be on the lookout for unscrupulous return preparers. The vast majority of tax professionals provide honest high-quality service. There are some dishonest preparers who set up shop each filing season to perpetrate refund fraud, identity theft and other scams that hurt taxpayers.

Fake charities: Be on guard against groups masquerading as charitable organizations to attract donations from unsuspecting contributors. Be wary of charities with names similar to familiar or nationally known organizations. Contributors should take a few extra minutes to ensure their hard-earned money goes to legitimate and currently eligible charities. IRS.gov has the tools taxpayers need to check out the status of charitable organizations.

Preventative Measures

To stay safe during tax season, you need to first understand what is and isn’t normal. When faced with officials or people with perceived authority, we tend to get nervous and want to do anything they say to avoid getting in trouble. (Think about how you probably tense up when you see a cop pull up behind you, even though you know you weren’t speeding.)

The IRS will never:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail you a bill if you owe any taxes.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Ask for credit or debit card numbers over the phone.

Additionally, it’s important that you pay close attention to email addresses, and never share financial information through email. It is normal that online tax preparation services, such as TurboTax, will require several steps of authentication via a secure connection, and may ask for personal information. Because many modern phishing scams can look almost exactly like the real deal, be sure to go directly to your tax prep service’s website in your browser, rather than clicking the links in any emails. If you’re a Webroot user, we also highly recommend you enable the Webroot Filtering Extension to ensure you know which sites are safe to visit.

Know Your Rights

You have the right to be informed, and also the right to appeal any IRS decisions in an independent forum. Have other questions about your rights as a taxpayer? Visit www.irs.gov/taxpayer-bill-of-rights.

5 Totally Achievable Resolutions

Reading Time: ~3 min.

If you’re anything like me, you probably make a bunch of lofty resolutions every year that you probably won’t, or even can’t, achieve. (For instance, I’ve been promising to hit the gym a little harder for about 6 years now.)

But enough is enough. Here are 5 completely achievable resolutions to help keep you and your identity safe in the New Year. Best of all, they’re not too hard and don’t take long, so you get the satisfaction of checking things off your list right away!

1.     Layer Your Wi-Fi Security

Remember over the holidays, when you had to read your super long and complicated router password to everyone in your family so they could connect to the Wi-Fi? Wouldn’t it have been great if they’d taken a seat and listened all at once so you wouldn’t have to repeat it 50 times in between trips to the kitchen to baste your bird or check a timer? Wouldn’t it be even better if you could have your own guest network with a friendly password that the whole family can remember?

Well… you can.

These days, continuing technological advances have given most routers dual-band technology. The “dual” part means you have a 5 GHz band for devices that are centrally located and more or less stationary near your router, giving you the best possible speeds, while there’s a 2.4 GHz connection for devices that are more mobile and need a longer range.

If you activate Guest Networking for both your 5GHz and 2.4GHz bands within your router’s settings, you can create separate passwords for residents and guests. That way, you can manage who gets access to your secure network, and then your connection won’t get bogged down the next time you want to stream the football game while your 3-year-old niece is glued to the Disney Holiday Special.

Be sure to enable WPA2 security on both networks to protect your houseguests and to keep holiday opportunists from leeching off of your connection.

2.     Enable Biometric Screening or a PIN on your New Device

Did you get a new toy over the holidays? Make sure to enable two-factor authentication and either a security PIN or biometric access to your devices whenever possible. Although it might add another second or two to the time it takes to unlock your devices, it’ll be worth it when you realize your mom won’t casually stumble across those pictures from so-and-so’s bachelor/ette party.

3.     Avoid Opening Emails On the Go

This one might be the easiest of all, and a lot of recent studies have suggested that ignoring your email a bit more often can have incredible benefits for your stress levels and overall mental health. And, let’s face it, who couldn’t use a little help de-stressing after the holidays?

Unsecured Wi-Fi in coffee shops and the like is a prime spot for cybercriminals to take advantage. If you absolutely have to open your emails while you’re out and about, we recommend staying connected to your mobile data plan. And if you’re worried about data rates, try to wait until you’re connected to a secure Wi-Fi network that you trust, and one that you know has encryption in place. Besides, if you really take stock of it all, those emails can probably wait.

4.     Activate Automatic Updates

You’d be amazed how many breaches could be avoided by keeping software/firmware up to date. Hackers often exploit known vulnerabilities that companies like Adobe and Microsoft have already patched or are close to patching, figuring that the numbers game will still come out in their favor. After all, there are a lot of people out there who ignore updates or may not realize how important they can be. If you don’t have time to stay on top of every update, enabling automatic updates on your devices is an easy way to close the window of opportunity for cyber thieves and other hackers.

5.     Install a Unified Threat Management Appliance (UTM)

Think of a UTM as a souped-up firewall. The average family has at least 4 connected devices in their home, and many have more than double that amount. For larger families, not to mention people who run a business from their home, a Unified Threat Management appliance will add another layer of network protection for your highly connected gateway.

In all seriousness, you could probably complete most—if not all—of these tasks in the span of a Sunday afternoon, and they could save you from spending countless hours on the phone with banks and creditors as you try to retrieve a stolen identity or dispute fraudulent charges. How many of your other resolutions have that going for them?

So what are you waiting for? Take the initiative in 2017 and follow these tips to protect your family, your home, your identity, and your privacy from modern cyberattacks.



What to Expect at CES 2017

Reading Time: ~3 min.

Why wait for news on the next big thing in technology, when you can get a sneak peek at the hottest, up-and-coming consumer tech and innovations at CES 2017? For the last 50 years, the yearly CES event has served as a showcase and springboard for the latest advancements in tech as they enter the marketplace.

But, before your gobble up the newest, smartest gadgets, it’s important to consider their implications for our overall security. Here are some things we’re thinking about in preparation for this year’s event.

Artificial Intelligence and the Internet of Things

Devices of all types keep getting smarter and the number of connections between them grows in size and variety. The “Internet of Things,” isn’t just a sci-fi movie fantasy anymore—it’s here, and it raises some serious concerns.

Hypothetically speaking, if my phone were connected to my fridge and other appliances, my thermostat, my home security system, and even my car, what would happen if a hacker stumbled across a vulnerability in my toaster’s firmware? Could they lift my banking credentials? Or stop my car’s engine while I’m on my commute? Sure, it might sound unlikely or extreme, but you can see how increasing connectedness doesn’t just bring benefits and convenience; it also offers up an assortment of new opportunities for hacks and other cybercrime.

This year’s CES event will address IoT cybersecurity concerns, such as regulations around self-driving cars, what smart thermostats and other advances in the domestic future will bring.

CES Sessions to Consider:

  • The IoT Becomes Personal: Bosch shows how “things” become partners, and covers advanced tech in the areas of connected mobility, industry, smart home, and smart city.
  • Smart Technology for Smarter Cars: Valeo presents its groundbreaking technologies for intuitive, clean, and connected driving.
  • Next Big Thing: Smarter Homes for Everyone: From urban apartments to country mansions to smart cities, this talk discusses the technology at the heart of it all, and how close to this future we really are.
Architecting Smart Cities

Many organizations around the world are working on solutions to help make smart cities even smarter; more energy efficient, more comfortable, and more automated. Unfortunately, a lot of these innovations can suffuse city networks and the devices connected to them with cybersecurity vulnerabilities.

For more information about smart cities and their implications, the CES panel Smart Cities, Smart States, Smart Mobility will discuss the symbiotic relationship cities and mobility have enjoyed for centuries while considering the societal promises that connected technologies offer.

Additionally, to raise awareness and connect organizations working to address these vulnerabilities, CES 2017 will be launching The Smart Cities Hackathon, where developers, makers, and smart cities specialists can collaborate on solutions for sustainability, safety, and efficiency.

Hackathon participants will get to play with:

  • Amazon Alexa Skills Kit
  • IBM Watson Cognitive and Bluemix APIs
  • Intel’s Grove IoT Dev Kit
  • Honeywell’s Connected Home API
  • UL’s Safety Index
  • Open Data from the City of Las Vegas
  • Other leading IoT technologies TBA
Technology Rising Stars

In addition to various security concerns, we can’t forget that CES is a smorgasbord of new technology. Seasoned techies and n00bs alike, be sure to check out the 2017 Tech Trends to Watch session for a guided tour through key trends and emerging technologies, as well as how the Internet of everything, artificial intelligence, virtual reality, autonomous vehicles, wearables, and more are shaking up everything we take for granted.

Other sessions to consider:

  • Last Gadget Standing: Yahoo! Tech’s David Pogue and his team of experts, along with the audience, predict which product on the CES show floor that’s destined for greatness.
  • Mobile Apps Showdown: App producers will have just 4 minutes to demo their app before judges, both on and offline, will identify the winner. Bonus: this year, CES is introducing the 10under20: Young Innovators to Watch!
  • Extreme Tech Challenge: The Extreme Tech Challenge is the world’s largest startup competition, and identifies emerging leaders with the potential to dominate their markets.

There will be a lot to take in at CES 2017, and we look forward to hearing about the newest advances technologies, as well as how we can all collaborate to continue building a smarter, more secure future for everyone.


History of Holiday Tech Toys

Reading Time: ~2 min.

Who remembers the Atari 2600? Yeah, I don’t either. Just kidding. Maybe. It’s hard to think about the words tech and toys together before the 1990s. However, they were a thing. Kids of the late 70s reveled in the Atari 2600. It became a staple of pop culture—defining a generation of gaming young enthusiasts. But tech toys didn’t stop there.

Later was the introduction of Game Boy in 1989. The ability to leave your bedroom and actually play video games on the go? That was life-altering for, I dare to say, every teenage boy and girl. Although, for many, the 2000s were the formative years of tech toys. They saw the 90s as a blip on the radar of tech toys’ rise to the domination of Toyland. This group had a front row seat to watch Xbox Live parade onto the scene in all of its glory. The first successful home online gaming console even left this writer a little jealous. Where were you during my gaming days?

The proliferation of tech toys over the years has only been eclipsed by the dangers surfacing from the bowels of cartridge graveyards around the world. I’m talking cybercriminals. They see the one thing that brings joy to so many sugar plum-dreaming cherubs during the holidays – tech toys – as a means to wreak havoc.

I’m not talking script kiddies in their parents’ basements. These aren’t the kids we grew up with then nor the kids growing up now. Dismiss the prevailing idea of what a hacker is. Don’t be mistaken; these cyber thieves are real and dangerous. They pose a threat to your personal security and the sanctity of all that is Christmas morning.

While you’re contemplating that, our team has put together a fun infographic to take you down memory lane through the History of Holiday Tech and emergence of cyber risks. We hope you enjoy!


All Phishing Scams Want for Christmas…

Reading Time: ~2 min.

Corny title aside, ‘tis officially the season for online shopping, and that means a drastic increase in phishing scams. In order to obtain sensitive information from specific organizations and people, these threats have become increasingly sophisticated and are carefully crafted. According to the latest Webroot Quarterly Threat Update, 84 percent of phishing sites exist for less than 24 hours, with an average life cycle of under 15 hours.

“In years past, these sites could endure for several weeks or months, giving organizations plenty of time to block the method of attack and prevent more victims from falling prey,” said Hal Lonas, chief technology officer at Webroot. “Now, phishing sites can appear and disappear in the span of a coffee break, leaving every organization, no matter its size, at an immediate and serious risk from phishing attacks.”

3 things you NEED to know about phishing

During 2016, Webroot has observed an average of over 400,000 phishing sites each month. To keep up with the incredibly short life cycles and sheer volume of phishing sites and URLs, you have to abandon old techniques that use static or crowdsourced blacklists of bad domains and URLs. There are over 13,000 new malicious sites per day, approximately 11,000 of which last 24 hours or less, rendering static lists obsolete within moments of being published.

Nearly all of today’s phishing URLs are hidden within benign domains. Since phishing attacks no longer use dedicated domains, URLs must be checked each time they are requested. At the speed of today’s attacks, a page that was totally benign just seconds ago may have since been compromised.

Google, PayPal, Yahoo, and Apple are heavily targeted for attacks. Cybercriminals know to impersonate sites that people trust and use regularly. Webroot took a closer look at the companies for which impersonation would likely cause the largest negative impact. Of these “high-risk” organizations, Google was impersonated in 21 percent of all phishing sites between January and September 2016, making it the most heavily targeted.

Emails to avoid

With the holiday season in full swing and the New Year fast approaching, hackers are up to their old tricks. According to Mike Trammell, senior director, office of the CISO, Webroot, we should all be wary of emails containing UPS, USPS, and FedEx shipping alerts; 401k/benefit enrollment notices; and miscellaneous tax documents from now through the end of January.

So far, we have seen the following email subjects related to phishing:

  • FTC subpoena
  • RE: insurance
  • Shipping status changed for your parcel # XXXXXXXXX

Be on the lookout for these types of messages in your inbox, since they’re likely to be phishing attempts that could lead to credential harvesting, ransomware infections, and more.

Our holiday wish for you

With holiday gifting on the horizon, the scammers are out in force, so remember to be extra vigilant. Remind your families, friends, colleagues, and clients to use secure and reputable websites and to only click links from sources they trust. Particularly at this time of year, if a stranger contacts you or anyone you know, whether by phone or by email, remember that they might not be who they claim to be. Before giving them any information or money, try contacting them back through their publicly available contact information.

From everyone at Webroot, we hope you have a secure and joyous season, and a happy new year!

Page 4 of 8« First...23456...Last »