Tech Tip – Create And Share A Form Using Google Forms
For occasions where you need to create surveys, quizzes, or get other quick and easy responses, you may not have tried Google Forms. Here’s how to use them:
– Go to forms.google.com and sign in with your Google login.
– Select the type of form you need from the gallery (Blank, Event Registration, Contact Information, RSVP, and more).
– From the small floating menu, Google gives options to add or import questions. Depending on the use for the form, you can choose your question type e.g., short answer, multiple choice, checkboxes, and more.
– The menu also allows you to add images (from the computer, camera, Google Photos, Google Drive, or from a Google Image Search). Video can also be added.
– Select a theme and settings.
– Share the form by email or social media (Facebook and Twitter).
– Use the Responses tab to access a quick summary of responses.
– Google provides a quick tutorial to help you create forms.
Tech News : 30% Rise In Crypto-Laundering
A report by blockchain data platform ‘Chainalysis’ has shown a 30 per cent increase in cryptocurrency being used for money laundering in 2021 compared to the previous year.
$8.6 Billion
The 2022 Crypto Crime Report noted how cybercriminals laundered a massive $8.6 billion worth of cryptocurrency in 2021. The figure was arrived at by compiling the amount of cryptocurrency being moved from illicit addresses to addresses hosted by services.
Only A Measure Of Online, Not Offline
If $8.6 billion seems like a very large amount, the report also notes that this doesn’t even take into account the amount from offline crime (e.g., traditional drug trafficking) that is converted into cryptocurrency to be laundered.
Most Money Laundering Doesn’t Involve Cryptocurrency
To put the numbers into perspective, it’s worth noting that between $800 billion and $2 trillion of fiat currency (government-issued currency) is laundered each year, which represents as much as 5 per cent of global GDP. By contrast however, only 0.05 per cent of all cryptocurrency transaction volume was laundered in 2021, meaning that cryptocurrency is by no means the preferred method for money laundering yet.
Blockchain More Transparent Says Chainalysis
Chainalysis, the report’s author, says that the reason why there is a big difference between fiat and cryptocurrency-based money laundering is that the transparency of blockchains means that it’s easier to trace how criminals move cryptocurrency between wallets and services to try and convert it into cash.
Thieves Use DeFi Platforms & Scammers Use Centralised Exchanges
The report highlights how those involved in theft tend to use DeFi Platforms (with DeFi protocols) whereas scammers tend to prefer centralised exchanges for their money laundering. The report says that this is because:
– DeFi/open finance platforms have no middleman (no bank or credit card issuer as an intermediary in financial transactions) and, therefore, offer greater anonymity, which may be why they received 17 per cent of all funds sent from illicit wallets in 2021 (up from 2 per cent!). Chainalysis noted in its report that addresses associated with theft sent just under half of their stolen funds to DeFi platforms (around $750 million worth of cryptocurrency in total).
– Scammers tend to lack technical sophistication and, therefore, prefer to send the majority of their funds to addresses at centralized exchanges.
Looking For Patterns & Using Compliance Checks
The report accepts that because some criminals use cryptocurrency to launder funds from crimes that happen offline, it is not easy to track all money laundering activity. However, looking for patterns that suggest users may be trying to avoid compliance screens, and introducing compliance checks can help uncover more illegal activity.
What Does This Mean For Your Business?
As the report points out, using cryptocurrency to launder money is becoming increasingly popular, but is still nowhere near as big a problem as fiat-based money laundering, perhaps due to the transparency risks of blockchain (with increased checks) and the complexities of using cryptocurrencies not being widely understood. In fact, even most genuine investors and traders don’t fully understand cryptocurrencies. For example, a Cardify report (March 2021) showed that only 16.9 per cent of investors who have bought cryptocurrency don’t fully understand its value and potential, and 33.5 per cent of buyers have either little or zero knowledge about cryptocurrencies.
Nevertheless, criminals using cryptocurrency for money laundering is clearly a growing problem. One important measure that could be taken to help tackle the problem is making sure that those tasked with investigating it have a good understanding and are trained in cryptocurrency and blockchain analysis and/or have expert help. Also, more attention needs to be paid to how DeFi transactions can be analysed, and to enlisting the help of the teams behind DeFi protocols to screen wallets for suspicious activity and patterns e.g., prior transactions with known illicit addresses.
Featured Article : Study Shows No-One Is Immune From Phishing
A new report from F-Secure has revealed that the most technically competent staff are just as likely (if not more likely) to fail a phishing test exercise.
Phishing
Phishing attacks typically involve sending emails that appear to come from a legitimate company/organisation (e.g., a bank) in order to gain an individual’s confidence, so that the recipient will follow a link in the email. Clicking on a link in a phishing email, however, means having malicious software loaded onto the recipient’s device that can allow cybercriminals to take control of a computer, log keystrokes, gain access to your personal information and financial data (for theft and identity theft), or simply being directed to a phishing page / payment page where sensitive information and/or money is taken. Compromising one person’s computer and accounts can also provide a way into wider company systems. It should also be noted that phishing links can be inserted into malicious advertisements, and even direct messages on chat apps.
The Study
The results of a recent test by F-Secure, published in the report ‘To Click or Not to Click: What we Learned from Phishing 80,000 People’, highlighted a comparison of how personnel working in IT or Development Operations (DevOps) responded to (test) phishing emails. The results showed that not only do phishing emails mimicking HR announcements or asking for help with invoicing get the most clicks from recipients but, crucially, people working in ‘technical’ roles seem equally susceptible to phishing attempts (or even more so) than the general population.
Why?
Matthew Connor, F-Secure’s Service Delivery Manager explained why people working in ‘technical’ roles seemed equally or more susceptible to phishing attempts than the general population by saying that: “The privileged access that technical personnel have to an organisation’s infrastructure can lead to them being actively targeted by adversaries.”
Clicked Despite Higher Level Of Awareness
One big concern raised by the study is that despite IT personnel being more aware of previous phishing attempts and knowing more about the threat than others (as evidenced by post-study surveys) they still clicked as often (or more often) on the phishing links.
Speed Of Reporting and Ease Of Reporting Crucial For Security
The study also found that both the IT and DevOps groups were no better at reporting phishing attempts than others (coming 3rd and 6th out of 9 departments) and that IT came 15th out of 17 in terms of reporting the phishing emails. Also, the study highlighted how reporting the phishing emails became more common as time went on, and how different processes at different organisations played a key role in the level of reporting e.g., 47 per cent who had a dedicated button to flag suspicious emails used it to instantly report phishing emails during the study compared to much lower levels of reporting where there was no button.
Clearly, rapid reporting of phishing emails could help businesses to tighten security and raise awareness, but the study highlights how important having a simple, fast, easy-to-use reporting process (a button) in place is.
How To Spot Phishing Emails
Many phishing emails have giveaways that you can spot if you know what you’re looking for. Examples of ways in which you can identify a phishing email include:
– Online requests for personal and financial information e.g., from government agencies, are very unlikely to be sent via email from legitimate sources.
– Generic greetings. Scammers are less likely to use your name to personalise the email greeting and title.
– Mistakes in spelling and grammar can be signs of scam emails.
– Checking the email address by hovering your mouse (without clicking!) over the link in the email. This can quickly reveal if the email is genuine.
– Beware of heavy emotional appeals that urge you to act immediately. These are signs of scam emails that hope to bypass your critical-thinking and tap into an emotional response.
What Does This Mean For Your Business?
As the study’s report pointed out, advanced or even average susceptibility to phishing is a concern and, on the surface, it is a worry that IT staff, who should have a higher awareness of phishing, click more often than other staff on phishing links. However, as highlighted by F-Secure, one explanation may be that IT staff with privileged access to systems may be more actively targeted by adversaries. One really valuable insight uncovered by the study is that providing a fast, easy reporting process for phishing emails can provide a way for security personnel and other teams to work together and improve an organisation’s resilience against phishing, which could mean earlier detection in future, thereby really helping strengthen company security going forward. Cyber security training and awareness efforts are also important in keeping all staff up to date with the nature of threats and how to respond to them in a way that protects the organisation and enables vital feedback.
Tech Insight : How to Avoid Being “Doxxed”
In this article, we look at what doxxing is, some examples of doxxing, and what can be done to protect ourselves and our businesses from being ‘Doxxed’.
What Is Doxxing?
Doxxing is a 90s hacker term for dropping (personal) dox, where ‘dox’ is a slang term for documents. Doxxing is a malicious act where a person/persons use a variety of methods to find previously private personal information about an individual or organisation, and then publicly reveal/expose that information to all, usually over the Internet. The type of information released could be anything from simple personal details (real name, home address, workplace), to much more personal, embarrassing, and damaging information.
Why?
Doxxing is used as a method of attack, primarily for punishment or revenge and can lead to acts of extortion.
What Details?
The kind of personal details and information that doxxers may collect about a person, business, or organisation may include name, telephone number, address, personal photographs, videos, comments and quotes, email content, account numbers, and more.
Where From?
Doxxers can collect different snippets of information about their targets from a number of sources including hacks, social engineering, social media accounts, getting access to a target’s email account, WHOIS lookups, using an IP logger to trace online activities, reverse mobile phone lookup, tracking usernames, using GDPR subject access requests, collecting information that has been sold across the Web by data brokers, accessing details from hacks/sold hacked details, and more.
Is It Illegal?
Although doxxing is malicious and can be very harmful, it is generally not illegal because much of the information is gathered from what is considered as the public domain. However, the legality also depends upon whether details were obtained using legal methods, and doxxing treads a fine line between what is legal and not, sometimes entering into the illegal worlds of stalking, harassment, and more. If the threat of doxxing is used to extort money then this is, of course, blackmail. In many cases, at the very least, doxxing often violates many websites’ terms of service.
Some Examples of Doxing
Just some of the many examples of doxing that have made the news include:
– December 2011 – the hacking group Anonymous exposed detailed information online about 7,000 law enforcement agents as revenge for investigations into hacking activities.
– In 2013, hackers posted Kim Kardashian’s Social Security number, credit report, address (+ six previous addresses) online.
– In 2016, while Donald Trump was campaigning for the US presidency, Anonymous posted his Social Security number and phone number, as well as the contact information for his agent and lawyer online.
– In 2017, the Russian (Moscow) hacker group Turla hacked the Instagram account of Britney Spears, and used it to post secret, cryptic comments.
How To Protect Yourself and Your Business From Being Doxxed
Some of the measures you can take to help protect yourself/your business from falling victim to doxxing include:
– Using a VPN to protect your IP address.
– Using strong passwords, avoiding password sharing, and using 2FA or multi-factor authentication where possible.
– Keeping anti-virus software and patches up to date and installing antimalware to combat doxware.
– Removing personal data from apps, and from gadget/device settings.
– Setting up different email addresses for different uses e.g., professional, personal, and spam.
– Maximising your social media privacy settings and being careful what is shared i.e., bearing in mind GDPR, consent, personal details and privacy matters when sharing anything relating to staff.
– Hiding domain registration information from WHOIS.
– Avoiding logging into a website through Facebook or Google.
– Asking Google to remove any personal information that you are concerned about.
– Keeping up with good general online security practices and being careful what information you share via social media.
– Deleting old online accounts.
– Using the legislation available to tackle doxxers. For example, Hong Kong introduced a new anti-doxing law in October 2021 (The Personal Data (Privacy) (Amendment) Ordinance 2021), mainly to prevent details of members of the authorities from being posted online and, perhaps, to crack down on criticism. The law could, however, be used by citizens and businesses to combat malicious doxxing acts. The law amendment gives Hong Kong’s Privacy Commissioner for Personal Data the right to conduct criminal investigations and institute prosecution related to doxxing. Also, under UK GDPR, persons have the ‘right to be forgotten’ i.e., requesting that a business/organisation removes/deletes all data collected about them.
– For businesses – keeping an up-to-date record of processing activities, showing what data is being collected, where it’s stored, for how long, and who it is being/has been shared with.
– Keeping levels of awareness and training about data protection, privacy, and threats like doxxing up to date among staff.
– Checking/monitoring compliance relating to contracts with third parties processing personal data on your/the company’s behalf.
– Using websites to help erase data about you stored around the Web / opting out of people searches. Examples (including U.S.), include https://www.beenverified.com/app/optout/search, https://www.instantcheckmate.com/opt-out/, https://www.gov.uk/government/publications/register-to-vote-anonymously, opting out of the top 10 data brokers – https://databrokerswatch.org/top-ten, https://joindeleteme.com/.
What Does This Mean For Your Business?
The main motives for doxxing appear to be revenge, control, or even as a way to blackmail someone. Following good general online security practices and policies is the best way to avoid giving people (e.g., disgruntled former employees/customers, hackers and others) the fuel and the openings they need to build their campaigns. Sadly, much of our data ends up being shared around the Web, perhaps to places we wouldn’t expect it to go, and determined doxxers may be able to find some things, despite our best efforts to maintain our privacy. That said, as highlighted in the list above, there are still many proactive measures that can be taken to reduce the risk of being doxxed.
Tech News : Google Changes Stance Over Legacy G Suite Account
Google has offered new alternative options to free Legacy G Suite account holders who it had previously said would have to upgrade to a paid subscription by 1 July.
What Is A Legacy G Suite Account?
Google’s free edition of G Suite, known as Workspace, was first made available to businesses, organisations, and schools from 2006 to December 6, 2012, with Google Apps. Users of this free edition of G Suite, also known as the legacy free edition, could host Google accounts on custom domains for multiple users. However, this free version gave users a much-reduced set of business features.
Move To Paid Subscription
Recently however, Google informed users, who had been allowed to keep their free accounts for 10 years, that they needed to either upgrade to a paid Google Workspace subscription service to keep their services by July 1, 2022, or export their data using Google’s Takeout tool.
Backtrack – New Option
Last week, however, Google emailed users with details of a new option (also now shown on Google’s Support pages). The main new alternative is that users who don’t want to upgrade to a paid subscription will be offered a better data transfer option “in the coming months.” This new option will enable users to move their non-Google Workspace paid content and most of their data to a no-cost option. The new option won’t include premium features like custom email or multi-account management, and users will be able to evaluate the option prior to July 1, 2022, and prior to account suspension.
Another Lifeline
Google also appears to be offering another lifeline to those who have a G Suite legacy free edition account that’s purely for personal use and who don’t want to upgrade to a Google Workspace subscription. Google has invited these account holders (with ten users or less) to use a feedback form to provide more information. Google says that if they don’t want to upgrade to Google Workspace, they will still be allowed to keep their access to additional Google services (YouTube, Photos, Maps, Pay, Books etc) and any paid content purchased through non-Google Workspace services made with their legacy account e.g., any movies purchased on Google Play.
What Does This Mean For Your Business?
It appears Google’s first announcement of a deadline to either start paying by July or export your data out may have ruffled a few feathers and highlighted some of the different needs of Legacy G Suite account holders who may require a bit more help, including the fact that some people have content they’ve purchased through Google that they don’t want to lose. Although Legacy G Suite account holders are likely to appreciate that they enjoyed 10 years for free, they may also have assumed that Google would continue to take the same generous approach when the time for change approached rather than essentially being emailed with a deadline. For Google, it’s at least been a way to get the attention of account holders and help funnel users towards Google’s aim of ramping up its ‘Workspace’ to create something that Google hopes will seriously challenge Microsoft’s Office/365 dominance.
Tech Tip – An Easy Way To Transcribe Your YouTube Videos
If you’d like an easy way to get a text transcript of your YouTube videos, try using YouTube’s built-in transcript tool. Here’s how:
– Log in to YouTube and go to YouTube Studio.
– Select Subtitles from the sidebar (left).
– Select a video, choose the language, and click on ‘Confirm’.
– To edit the text transcript that appears on the screen, select ‘DUPLICATE AND EDIT’ (right-hand side).
– Edit the transcription in the dialog box and click on the ‘PUBLISH’ button.
– The transcript will be lowercase and lacking punctuation, so this will need to be edited and amended manually.