Cybersecurity Awareness & Education for the Community

Elder fraud involves the financial exploitation of older adults through intentional or deceptive acts, including scams, coercion, or abuse by strangers or people they know. In 2024, individuals aged 60+ reported more than $4.9 billion in losses to the FBI’s Internet Crime Complaint Center, a 43 percent increase from the previous year.

Common Schemes:

• Family or caregiver scams where relatives or acquaintances exploit trust to obtain money or assets.
• Romance scams where criminals pose as affectionate partners online to gain financial access.
• Tech support scams where fraudsters pretend to fix fake computer issues to steal money or data.
• Government impersonation, grandparent, and sweepstakes scams where criminals threaten arrest, pretend a loved one is in trouble, or claim a prize or inheritance that requires upfront payment.

Download Brochure: Elder_Fraud_Tri-fold.pdf(PDF, 511KB)

• Keep all devices (phones, tablets, laptops, game consoles) updated with the latest software and security patches.
• Use antivirus software and enable automatic updates.
• Set up screen locks or passcodes on every device.

• Use strong, unique passwords for every account. Avoid reusing passwords across platforms.
• Enable multi-factor authentication (also called 2-step verification) for email, social media, and important apps.
• Don’t allow browsers to remember payment information on shared devices.

• Download games and updates only from official sources (like PlayStation Store, Xbox, or the App Store).
• Set time limits for gaming and monitor in-game purchases.
• Turn on privacy settings and block unknown users.
• Remind children never to share account credentials or click on unknown links sent by other players.

• Help children set up social media profiles with strict privacy settings.
• Encourage them to think before they post: is the content personal, embarrassing, or revealing?
• Review friends and followers regularly to ensure they are people your family actually knows.
• Report suspicious accounts or behavior directly through the platform's built-in reporting tools.

Smart security cameras and baby monitors can add peace of mind for families, but they must be set up securely to protect your privacy.

• Disable remote viewing features if you do not need them, which reduces the chance of unauthorized access. 
• Keep your camera updated by installing firmware or software updates, and enable automatic updates when possible.
• Change any default passwords to a strong, unique password created from three memorable words.
• Review your router settings and consider turning off UPnP or port forwarding to limit outside access to devices on your network.
• Check your router’s list of connected devices regularly and remove anything unfamiliar.

• Shop only from trusted retailers. When in doubt, go directly to the official website instead of clicking on ads or links in emails.
• Use credit cards instead of debit cards when possible. They often offer stronger consumer protections.
• Look for "https" in the URL and a padlock symbol when entering payment information.

• Use privacy settings on social media platforms to limit who can see your posts.
• Consider parental control tools to restrict access to age-inappropriate websites or content.
• Teach children not to share private information (like their full name, address, school, or phone number) on websites, social media, or in games.

• Be cautious of messages claiming you've won something, need to reset a password, or must act immediately.
• Don’t click on links or open attachments from unfamiliar emails or texts.
• Teach kids to go to a parent or trusted adult if something online makes them feel uncomfortable or unsafe.

• Business owners set the tone. Make cybersecurity part of regular staff meetings and leadership discussions.
• Appoint a Security Program Manager, even if they’re not in IT, to coordinate your security efforts.
• Create and regularly review an Incident Response Plan (IRP) so your team is ready to act if something goes wrong.

1. Train Employees to Avoid Phishing

• Use free training tools to help staff recognize suspicious emails and websites.

• Create a culture where employees feel safe reporting suspicious activity.

• Share regular threat updates to keep everyone alert.

2. Require Strong Passwords

• Use passwords that are at least 16 characters long and unique for each account.

• Provide a password manager for staff to generate and store secure passwords.

• Change all default passwords before using new systems.

3. Enable Multifactor Authentication (MFA)

• Turn on MFA for all business systems, especially email and administrator accounts.

• Use phishing-resistant MFA methods, such as security keys or authenticator apps.

• Encourage employees to use MFA for their personal accounts as well.

4. Update Business Software Regularly

• Enable automatic updates on all devices and systems.

• Replace outdated software and legacy systems.

• Use antivirus and anti-malware tools, and keep them up to date.

• Follow the 3-2-1 Backup Rule: Keep 3 copies of important data, on 2 different media types, with 1 copy offsite.
• Test backup systems regularly to ensure you can recover quickly.
• Encrypt data at rest and in transit to protect sensitive information.

• Use strong passwords and fingerprint/face recognition.
• Turn on remote tracking and wiping capabilities.
• Don’t allow connections to unknown public Wi-Fi hotspots.

• Enable logging on key systems and review logs regularly for suspicious activity.
• Set alerts for failed login attempts or unusual access.
• Protect logs from tampering or unauthorized access.

• Remove unnecessary admin privileges from user accounts.
• Enable full-disk encryption on all laptops and portable devices.
• Don’t allow users to install their own software without approval.

• Move email and file storage from office-based servers to secure cloud services (e.g., Microsoft 365, Google Workspace).
• Cloud services often provide more reliable security, updates, and support than small businesses can maintain on their own.

• Run tabletop exercises to simulate ransomware, phishing, or other attack scenarios.
• Review what went well and what needs improvement.
• Update your IRP accordingly.

• Report suspected cyberattacks to CISA via their Cyber Incident Reporting System.
• Sharing information about threats helps protect other businesses and strengthens local resilience.

   

"Passwords are like toothbrushes... "Choose a good one, change them regularly, don’t share them, and keep them safe.

Effective Password Management

Passwords are key to accessing your personal information or using your credentials to enter a network. Creating a strong, complex password is an important step in protecting your data and securing any information you may have access to.

What To Do

1. Use Longer Passwords: Should be at least 14 characters long.
2. Use a Mix of Uppercase and Lowercase Letters, Symbols, and Numbers
3. Make It Unique: Use unique passwords for each account to prevent a breach of one account from affecting others.
4. Use a Phrase: Use passwords that are hard to guess and easy to remember.
5. Reset It Periodically: Make sure to reset your password regularly, at least every 90 days.

Phishing Prevention

Phishing and smishing are techniques used by attackers to trick you into giving away information by disguising themselves as a trusted source.

Phishing typically involves scam emails, while smishing refers to fraudulent SMS messages. Both methods aim to persuade you to click on links, download files, or provide sensitive information. These messages often resemble legitimate communications from trusted individuals and may include the following warning signs:

• Unfamiliar tone or greeting 
• Unrecognized sender or sender address
• Sense of urgency to act immediately or within a defined timeline
• Spelling or grammar errors
• Too good to be true messages
• Attachments or embedded URLs

Cyber attackers are increasingly using artificial intelligence to create phishing emails that closely mimic legitimate ones.

Browse Securely

Scammers use websites to steal your credentials, trick you into downloading malicious software, and present you with false information that looks legitimate.

What To Do

1. Updated Browsers: Keep your browsers updated to take advantage of the latest built-in features.
2. Use Browser Security Features: Control how third-party cookies are handled in your browser by modifying your settings. It is recommended to turn on the "Do Not Track" feature in your browser.
3. Ensure URL Starts With HTTPS: Make sure to visit sites that have a padlock icon, indicating that they are encrypted.

Data Backups

Taking steps to prevent data loss in the event of a system crash, cyberattack, or loss of access to your machine is essential.

What To Do

• Adopt Cloud Offering for Storage: It is a best practice to save your work files on OneDrive and back up critical data to SharePoint. This ensures that your data remains secure and accessible, even if your local machine is compromised.
• Organize Your Files: Storage space is limited, and keeping files you no longer need or past their retention period poses a security risk that can lead to accidental exposure.
• Cultivate a Backup Routine: Make it a habit to back up your data at least once a week. Regular backups ensure that you always have a recent copy of your data in case of an unforeseen situation.

Data Classification and Retention

Adopting data classification, retention, and disposition standards is essential to ensure that each type of data receives the appropriate level of security and is retained or disposed of in accordance with its classification and legal requirements.

What To Do

• Secure Paper Records: Store paper records in locked file cabinets or storage rooms with controlled access.
• Use Secure Sharing Platforms: Utilize OneDrive or SharePoint’s “Share” function to securely share documents, as these platforms offer better control over who can access and edit your files.
• Set Appropriate Permissions: Configure permissions when sharing documents to ensure that only authorized individuals can view or edit the content, preventing unauthorized access and data leaks.
• Monitor Document Access: Use the tracking features available in OneDrive and SharePoint to monitor who accesses your documents and what changes are made. When projects end or employees leave, it’s a good time to review access to folders and ensure that only the appropriate individuals still have access. Conducting periodic access reviews, such as quarterly, is also a best practice to maintain data security and compliance.

   

  ---

File Sharing

Data mobility refers to the process of sharing documents either within an organization or with external parties. When transferring sensitive files externally, such as through email or other online platforms, several risks may arise.

What To Do

• Use SharePoint: Change your practice from sending attachments via email to using the “Share” function of OneDrive or SharePoint.
• Use Built-in Restrictions: When using SharePoint to share documents, ensure proper settings are applied to restrict downloads and control view, review, and edit permissions. Use these settings thoughtfully, ensuring they align with the specific needs of the document to secure data and prevent unauthorized access.
• Set Expiration: Be sure to set an expiration date on the document you share.
• Enable Versioning: Use versioning and log changes in a document to keep track of modifications and maintain document integrity.
• Monitor Folder and Document Access: Use the tracking features available in OneDrive and SharePoint to monitor who accesses your documents and what changes are made.

   

   

   

Secure Home Wi-Fi

With the increase in hybrid work, securing your home Wi-Fi network has become more critical. If your home network is unsecured, the chances of it being compromised increase, which can lead to your computer and data being at risk.

What To Do

• Change Default Settings: Configure your home router by changing the default login credentials. Use a strong, unique password to prevent unauthorized access to your router's settings.
• Hide Your Wi-Fi SSID: Configure your router to hide the Wi-Fi SSID (network name) from public view. This makes it more difficult for unauthorized individuals to detect and attempt to connect to your network.
• Limit Coverage: Adjust your router settings to limit the coverage area of your Wi-Fi signal. This reduces the chance of unauthorized users connecting to your network from outside your home.
• Regularly Update Firmware: Keep your router's firmware up to date to ensure you have the latest security patches and features.

Security on Public Wi-Fi

Attackers can compromise public Wi-Fi networks and can listen in on conversations or compromise devices.

What To Do

• Browse Safely: Avoid connecting to public Wi-Fi whenever possible. If you must use public Wi-Fi, refrain from performing sensitive transactions or accessing confidential information. Always ensure that you are using secure “HTTPS” websites.

   

Prevent Malware:

Malware is one of the most common methods attackers use to launch cyber-attacks. It can infiltrate your system without your knowledge, often disguising itself as a legitimate file or background process. Once your machine is infected with malware, it can be used to monitor your activities, log keystrokes, exfiltrate data, and even turn your computer into a bot for cryptocurrency mining. The implications can be severe, but there are steps you can take to protect yourself from malware infections.

What To Do

1. Antivirus Software: Ensure you have antivirus software installed on your machine and that it is up to date. Antivirus programs help detect and remove malware at the initial stages, protecting your device. Without an antivirus solution, your device is at significant risk of being compromised by malware. In 90% of cases involving malware, you may not even be aware that your device is infected.
2.  Beware of Downloads: Most malware originates from downloads. When you download software from the internet, it often includes backdoors that can compromise your device.
3.  Educate Yourself: Stay informed about common malware tactics, and learn how to recognize phishing attempts and other deceptive practices.

Screen Locks

Leaving your computer unlocked can lead to unauthorized access, especially in shared or remote workspaces. Ensuring that your device has its screen locked when not in use helps protect your confidential information and maintain security.

What To Do

1. Lock Your Screen: Always lock your computer screen when stepping away from your desk, even if it’s just for a short period. Use the keyboard shortcut (e.g., Windows + L for Windows or Control + Command + Q for Mac) to quickly lock your screen. Make sure family and friends understand they cannot use your work devices.
2. Enable Automatic Lock: Configure your computer's settings to automatically lock after a period of inactivity. This reduces the risk of leaving your device exposed if you forget to manually lock it.

USB Flash Drive Security

USB flash drives are a convenient tool for transferring, sharing, and backing up data, but they also pose significant risks, such as data leaks and malware infections.

What To Do

1. Adopt Alternate Ways: Using USB flash drives poses a significant risk, as data is a critical asset in today’s digital landscape. Instead, use authorized alternatives for data sharing, such as SharePoint or OneDrive.
2. Physical Protection: USB drives are easily lost. If they contain sensitive information, ensure to lock them in a secure cabinet when not in use to prevent unauthorized access.

    

Do Not Use USB Drives Found in Public. 

USB drives found in public places or received from unfamiliar sources are a common method for threat actors to distribute malware.

A way of ensuring that only authorized users (or automated systems) can access data or services.

Temporarily suspending an account in response to the detection of unusual or suspicious activity.

A person who manages a computer system, usually with highly privileged access to data and services.

Artificial intelligence (AI) describes computer systems which can perform tasks usually requiring human intelligence. This could include visual perception, speech recognition, or translation between languages.

A security strategy organizations can use that approves a list of email addresses, IP addresses, domain names, or applications while denying all others to protect computers and networks from threats. Whitelisting and blacklisting are still used across the industry.

 Software that is designed to detect, stop, and remove malicious software (malware).

See also: anti-virus

Software designed to detect, stop, and remove viruses and other kinds of malicious software.

See also: anti-malware

A software program running on a computer. Usually referred to as an 'app' when running on a smartphone or tablet.

Also known as: app

A systematic method for analyzing and depicting the different ways a computer system might be attacked.

See also: hacker

The method an attacker uses to gain unauthorized access to a computer system or device.

Also see: hacker

Individual or group that conducts cyber attacks.

Also see: Threat actor

The process of determining if someone (or something) is who (or what) it claims to be.

A copy of computer data usually stored in the cloud or on removable media, that can be used to recover from data loss or theft.

A type of authentication based on biological data that is unique and specific to a person (such as a fingerprint or face ID).

A distributed network of infected devices on the internet used to commit coordinated cyber attacks without their owner's knowledge.

An attack that uses computing power to automatically enter a large number of guesses for security credentials in an attempt to gain unauthorized access.

Bring Your Own Device. When employees use their own device(s) for work purposes, but the employer owns corporate data and resources that may be accessed or stored on it.

A form of digital identity for a computer, user, or organization to allow the authentication and secure exchange of data.

An artificial intelligence language model developed by OpenAI designed to mimic human conversation, based on the input it receives.

An on-demand, massively scalable service hosted on shared infrastructure accessible via the internet. Typical services include providing data storage, data processing, and pre-built functionality such as logging.

Content Management System. Software used to create, manage, and publish digital content to the web.

Information used to verify someone's identity, such as a password, token, or certificate that authenticates use of a service.

A method where attackers use passwords stolen from one web service to try and access accounts on another service, taking advantage of any reuse of username and password combinations.

An attempt to damage, disrupt, or gain unauthorized access to computer systems, networks, or devices.

The protection of devices, services, and networks and the information they contain from unauthorized access, theft, or damage.

A long-term plan of action with the aim of implementing cybersecurity.

The threat of a cyber attack to a user or organization, and the unauthorized access, theft, or damage that could result.

A managed facility that houses computer systems and data storage infrastructure.

Distributed Denial of Service. A type of cyber attack where a computer service is overloaded by requests from multiple computers or locations, so that genuine users can no longer access the service.

Making information that has been encrypted readable again.

A security control that organizations can put in place which blocks their users from connecting to or accessing named entities (such as IP addresses or domains) that may be suspicious. Whitelisting and blacklisting is still used across the industry.

Computer-based hardware that physically exists, such as a desktop computer, smartphone, or tablet.

A type of brute force attack where words in a dictionary, phrases, or common passwords are used to guess credentials.

The traces of digital information about a person that is publicly available online.

The provision of services (such as banking or online shopping) via the internet or an electronic network.

A cryptographic technology used to validate the provenance of messages, documents, or software.

Direct Memory Access. Allows devices to access main memory outside of the control of the CPU, allowing faster data rates.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication and reporting protocol that helps organizations monitor, prevent, and improve protection against fraudulent and spoofed email.

A set of network addresses on the internet, managed by an organization or person.

Denial of Service. A type of cyber attackwhere a computer service is overloaded, so that real users can no longer access the service.

Protection of information by making it unreadable by everyone except those with the key to decrypt it.

Any large business or organization that uses computer systems, networks, and devices.

A networking protocol based on wired (rather than wifi) connections that enables devices to communicate with each other.

Development of tools to take advantage of a vulnerability in a system to gain unauthorized access or produce unwanted effects.

Hardware or software used to prevent unauthorized access to or from a network.

The software embedded into a device that allows it to function.

Someone who uses their technology skills to gain unauthorized access to computers, systems, and networks.

A network endpoint. For example, a PC, laptop, smartphone, or tablet.

Activities to identify, analyze, and determine the response to cybersecurity incidents, to minimize the immediate and long-term business impact.

Deliberate or accidental threat to an organization's security from someone who has authorized access (such as an employee).

Technology describing everyday objects (rather than computers and smartphones) that can connect to the internet. Examples include speakers, televisions, and security cameras.

Internet Protocol. A communications protocol that relays data over network boundaries and establishes routing across the internet.

Internet Protocol address. A number assigned to each device that is sending or receiving data across the internet or a LAN.

Internet Protocol Security. A suite of protocols that secures data sent over an IP network, often used to establish VPNs.

Internet Service Provider. A company that provides individuals and organizations access to the internet, and other related services.

Hardware or software used to covertly record each keystroke entered into a computer or device.

A single press of a key on a computer.

Local Area Network. A collection of computers and devices in the same location (usually a building), connected by ethernet or wifi.

Large language models (LLMs) use algorithms trained on a huge amount of data, turning relationships between pieces of data into probabilities to predict sequences of text (or increasingly other content) in response to user prompts.

Generating, capturing, retaining, and storing information on security-relevant events or behavior from computer systems.

Machine learning (ML) is a type of AI by which computers find patterns in data or solve problems automatically without having to be explicitly programmed. Most AI in current use is built using ML techniques.

Derived from 'malicious software', malware is any kind of software that can damage computer systems, networks, or devices. Includes viruses, ransom ware, and trojans.

Metadata describes the properties of data and communications. Examples include file date and packet size.

Multiple computers and/or devices connected to shared resources and information.

Original Equipment Manufacturer. An organization that makes hardware or software used in other products.

Software that makes its source code freely available for anyone to access, use, modify, and distribute. Open source encourages transparency, collaboration, and community-driven development, and is governed by licenses that support shared innovation and continuous improvement.

The basic software running on computers, tablets, and smartphones, required to run additional applications and hardware.

A sequence of words or other characters longer than a normal password, used to verify the identity of a user, usually to gain access to an account, website, or system.

A sequence of characters used to verify the identity of a user, usually to gain access to an account, website, or system.

A method where attackers use a small number of commonly used passwords to try and access a large number of accounts.

Installing updates to devices or software to improve security and/or enhance functionality.

A cyber attackwhere a user is misdirected to a fraudulent website, despite entering the correct address.

Scam emails or text messages that contain links to websites which may contain malware, or may trick users into revealing sensitive information (such as passwords) or transferring money.

Hardware or software environments on which applications can run. Software examples include Windows, Android, and iOS. Hardware examples include PCs and Mac computers.

A set of rules that determine how data is handled, protected, and transmitted between devices on a network.

A type of malware which prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group will then demand a ransom in exchange for decryption.

A business model where consumers purchase ransomware services 'off the shelf', without requiring the technical skills to develop the malware.

Devices such as USB flash drives, DVDs, and memory cards, that can be easily removed from a computer to increase storage capacity (or to transfer data).

Radio Frequency Identification. Technology that uses electromagnetic fields to identify, track, and share data between tags within objects or worn by people.

A person who is accountable for risk within an organization.

A device which sends data from one network to another based on the destination IP address.

Techniques that ensure data stored on devices is removed so that it can no longer be recovered by unauthorized parties.

Protecting digitally stored information using physical and electronic techniques.

A software or hardware-based device that accepts and responds to requests made over a network.

Technology, apps, or services used for work without approval or oversight from the IT department. These tools are often adopted to solve business problems but can create security, compliance, and data risks.

Single Sign-On (SSO) is an authentication method letting users access multiple apps with one login, reducing password fatigue and boosting security by consolidating credentials into one strong password, often secured with multi-factor authentication (MFA).

Combination of 'SMS' and 'phishing'. Untargeted text messages sent to large numbers of people, asking for sensitive information, or encouraging them to visit a fake website.

A technique an attacker uses to manipulate people into carrying out specific actions or divulging information.

Websites and apps, such as Facebook, X (Twitter), and Instagram, that allow people to share and respond to user-generated content (text posts, photos, and video).

Unsolicited email sent in bulk, also referred to as junk email.

A form of phishing targeting particular individuals, where the email is designed to look like it's from a trusted or known person.

A technique attackers use to appear to make their communications appear from a legitimate source. Email addresses, display names, and domains can all be spoofed.

A type of malware that installs on a device without the user's consent, collecting data, and then sending it to a third party.

Forcing a time delay between successive login attempts in order to defend against brute force attacks.

A physical device or digital data, typically used with a password, to provide a user with access to a computer or network.

A type of malware disguised as legitimate software that is used to gain unauthorized access to a victim's computer.

A technique used by threat actors where they set up a website or software with a misspelling of something legitimate. This can trick a user who accidentally misspells a service into entering information into the malicious website or downloading malware.

A virtual environment within a physical computer that behaves like a separate computer. It allows the user to run programs and test apps in isolation.

The process of creating and running a virtual version of a computer system, such as a virtual machine.

A type of malware that is designed to infect legitimate software programs and replicates across networks when those programs are activated

Virtual Private Network. A set of cryptographic technologies used to encrypt data as it travels over a network between two fixed endpoints.

Wide Area Network. A network spread over a large area, typically a collection of Local Area Networks (LANs) and other networks connected together.

Wireless Access Point. A device which provides wireless access to a network.

A type of cyber attack where an attacker identifies a website frequented by a particular group of users and then compromises that website with malware to infect the computers of its visitors.

Highly targeted phishing attacks (that look like legitimate emails) aimed at senior executives.

Wireless network technology used to connect devices to the internet (or LAN).

A destructive type of malware that destroys the data on the computers and networks it infects.

A type of malware, similar to a virus, which self-replicates across networks without the need for a user to open an infected program.