Tips for Staying #CyberSecure While Shopping Online for #CyberMonday

Cybercriminals need shopping money for the Holidays and one of their favorite times to get yours is when you are shopping on #CyberMonday.

Use these tips to help stay #cybersecure while shopping online for #CyberMonday and at any other time:

  1. Credit or debit? Use credit cards, not debit cards, for your online shopping. Debit cards are tied directly to your bank account so if there is a problem, your money is gone. With credit cards, it is borrowed money, plus, if you have a problem with the merchant or order, the credit card company can act as your intermediary in the dispute. If possible, have one credit card that is used solely for online shopping in case you need to cancel it.
  2. Secure Internet connection. When shopping online, it is best to avoid free WiFi or other forms of open WiFi in public locations. When you are out, it is best to use your own data plan or, if you must use public WiFi, use a VPN to help minimize the risk of having your information stolen.
  3. Credible merchants. Only shop at online merchants that are credible and well-established. Anyone can put up a website in a short amount of time, so make sure you know you’re dealing with a trusted merchant with a history of doing business.
  4. Scams – too good to be true (merchants). Be wary of deals that seem too good to be true and do not get too greedy, because if a “deal” seems too good to be true, it almost certainly is, and the person behind the scam is either outright stealing your money or trying to steal your information.
  5. Saving information with merchant. While it is more convenient to save your personal information and payment information with the merchant, doing so also means that information is now stored in their database and can be compromised. It is best to not save your information with merchants.
  6. Scams – too good to be true (click here). Be wary of emails or social media posts that advertise deals that seem too good to be true and then tell you to “click here” on a link to see more information. Those are usually phishing emails that are designed for the sole purpose of getting you to click the link so they can either steal your information or deposit malware on your device. Cybercriminals can perfectly clone emails from legitimate merchants such as FedEx, PayPal, Amazon, and others so just because the email looks legit doesn’t mean it is — don’t click on the links!
  7. Scams — the sad story. While not limited to online shopping, close relatives of the “too good to be true” scam are the scams that play on your sympathy and generosity during the Holidays. An example is chain emails that tell of a tragedy that has befallen people and ask for donations. Criminals know how to play on our sympathies and use our emotions to manipulate us into doing things we would never do otherwise, such as sending money because someone asked for it in an email or social media post. Unless you know the people first hand, do not let your emotions overtake your judgment, and stick with reputable charitable organizations with an established history.
  8. Good Cyber Hygiene. Whether for shopping on #CyberMonday or otherwise, it is best to always use good #CyberHygiene to protect yourself online. Here is a free Checklist for Good Cyber Hygiene.

For more discussion of these tips for staying safe while shopping online see 5 tips for Avoiding the Cyber Grinch this Cyber Monday! and Cyber Monday: Online safety tips from a cybersecurity expert.



Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

What do holiday charities, school weather closings, social media and ransomware have in common?

Question: What do holiday charities, school closings, social media and ransomware have in common?

Answer: They are all tools that cybercriminals use to steal money from you!

Social engineering is a fancy way to describe old-fashioned lying. It is what happens when bad guys use deception to get people to do something really dumb that they would not ordinarily do. Most hacking, cybercrime, and data breaches are not caused by sophisticated attacks but are accomplished by social engineering.

The bad guys play on your emotions so that your desires overpower your judgment and “BAM!” they got you. This is the Nigerian Prince. This is the chain letter. This is countless other examples just like that. Remember the old lesson, “if it seems too good to be true …”

There is another variant floating around, especially during the Holidays: sad stories about people suffering tragedies during the Holidays, news events of tragedies during the Holidays, etc. They all play on your emotions to get you to either give them something (money or data), propagate the scam by sharing it, or download something such as ransomware that will then force you to give them something!

Yesterday, I saw a different twist on this emotional game. With freezing weather moving in, Facebook was littered with people sharing a “story” with an image that read “SCHOOL CLOSINGS” that led you to something that was not a legitimate story on school closings (I don’t know what it was, I didn’t click on it). This “fake news” item may have been good fun or it may have been something worse, I don’t know because I didn’t click on it. But what I do know is this: researchers have recently discovered that cybercriminals are now using Facebook and LinkedIn to distribute Locky ransomware through people clicking on images. If the bad guys see that people love clicking on “SCHOOL CLOSING” links, you can bet they will start using them.

This Holiday Season and always, click with caution!



Kim Kardashian’s Lesson on the Relationship Between Physical and Cybersecurity

While the story of Kim Kardashian being robbed at gun-point while in Paris, France has created quite a stir in pop culture, it has lessons to learn about cybersecurity as well.

First and foremost, it demonstrates the integral interplay between cybersecurity and physical security and how people need to always maintain situational awareness of how their cyber activities may be giving away critical information about them. This kind of information, gathered bit by bit to paint a full picture, is very valuable to those carefully studying their targets, such as social engineers.

Tips for Parents to Help Keep Kids Safe Online


Alicia Kozakiewicz standing in front of the wall of missing children at the National Center for Missing and Exploited Children headquarters. Read Alicia’s heartbreaking story below.

I was recently asked to talk about online safety tips that parents should understand to help keep their children safe in the online world. Here are some of my talking points:

Computer Use Policies – Are Your Company’s Illegal According to the NLRB?

The National Labor Relations Board (NLRB) has continued its assault on businesses and their ability to legitimately protect their computer systems and information against unauthorized non-business use by employees.

A few weeks ago, I wrote 3 Important Points on Computer Policies in which I stressed (1) why your company must have them but (2) that such policy must comply with the NLRB’s Purple Communications case. The NLRB has struck again.

On May 3, 2016, an NLRB Administrative Law Judge struck down as overbroad a Computer Use Policy in Caesars Entertainment Corporation d/b/a Rio All-Suites Hotel and Casino (NLRB Docket Sheet). The policy, titled Use of Company Systems, Equipment, and Resources, was part of the company handbook and listed several things that computer resources may not be used to do, as is standard in many similar policies. The NLRB decision (Decision) found that prohibitions against the following were illegal:

  • Share confidential information with the general public, including discussing the company, its financial results or prospects, or the performance or value of company stock by using an internet message board to post any message, in whole or in part, or by engaging in an internet or online chatroom
  • Convey or display anything fraudulent, pornographic, abusive, profane, offensive, libelous or slanderous
  • Send chain letters or other forms of non-business information
  • Solicit for personal gain or advancement of personal views
  • Violate rules or policies of the Company

The NLRB found that prohibiting the conduct mentioned above made the policy overbroad and could effectively limit employees’ use of their employer’s email system to engage in Section 7 communications during nonworking time. Because of that, it found the employer had engaged in an unfair labor practice prohibited by the National Labor Relations Act.

Welcome to Wonderland.



Social Media Malware: What Is It and How do You Avoid It?

Guest Post by Cassie Phillips

You can’t have spent more than a week on the internet without hearing about malware and its adverse effects on your computer or even your smartphone (smartphone malware is on the rise as well). Perhaps you’ve even had to spend half a day cleaning it off your computer yourself. It is a menace, and it is dangerous considering the data it could potentially steal from your computer.

Malware has been around as long as the internet, but now that we have social media surrounding us wherever we go, some enterprising cybercriminals took it upon themselves to develop malware that directly targets social media and those related accounts. This leads to stolen data from social media accounts, much of which is personal in nature and can be used against you if not used to steal your identity. It also leads to takeover of your social media accounts, which is usually embarrassing and hard to recover from.


Here’s what you need to know about the threat:

What Makes It So Special?

Technically, not very much. Malware is often so diverse that it is hard to categorize it other than by the effects it causes or its main targets. Social media malware isn’t magic or a special program only developed by the best hackers in the world; it is just a piece of software that intends to make your life miserable through your social media pages. Sometimes the term is used to describe malware spread through social media and at other times it is used to primarily categorize the target. Either way, the malware itself is not too different from the malware that attacked accounts or through websites before it.

Yet this does make it a very special kind of threat. If a piece of malware attacks your browser, you can often simply delete it from your computer before it spies on too much or causes too much damage to your computer. Social media malware is different. It takes on a public edge. Whether it is malware you click on thinking it is a friend’s link or something you find somewhere else online that later posts on your wall, it is a much more personal assault. Malware spam is usually not very polite about what it shares with family and friends, and can often disturb them.

Increasing Prevalence

The first thing you need to know is that it is becoming more common. More sophisticated cybercrime usually goes for breadth instead of depth when it comes to average consumer targets. Malware does take time for development, and the first wave had to tailor their product for social media. Now that all of the framework for malware has been developed, cybercriminals can now also spend more time tweaking instead of starting anew. This means more frequent attacks of different kinds.

Hackers probably could simply try to get into people’s accounts one at a time, but that isn’t cost effective, and the automated, plague-like nature of malware means that a single cybercriminal can target a theoretically unlimited number of victims. They can not only make a living and cause someone a bad day, but get rich and cause chaos doing so.

All of this coincides with increased rewards for those who successfully take over someone’s social media account. With the monetization of social media, people are linking credit card or even bank information to their accounts. This means that identity theft is easy for someone with the access to your account that social media malware can provide. Combining that with increased connectivity between people allowing for a quicker spread of the malware means that your Facebook account has a glowing red target on it.

Defenses and Preventative Measures

When trying to prevent social media malware from getting into your life you are by no means alone or hopeless. You should consider following the tips below to make yourself safer:

  • Use a Virtual Private Network (VPN) whenever you are going to use social media in public (this includes checking Twitter on your smartphone). Hackers love to intercept data over public networks and use it against you, and this can include getting to your accounts and computer and installing malware. This can lead to either the direct takeover of your accounts or easier targeting of them.

    A VPN is a service that connects your computer to an offsite server using an encrypted connection, keeping hackers out and your data in. It also hides your location from anyone tracking you. You will want to make sure that you are getting the very best available, so read up on ones that will work best with your devices while using social media.

  • Make sure that you are updating your online security suite (and if you don’t have one, please get one now) frequently. Malware comes out quickly, and you need to be up to date in your defense as much of the time as possible.
  • No offense is meant, but some of your social media friends have no idea what they are doing. Do not accept their app invitations or engage in their chain posts. Many of them are traps. If they have a copy and paste message with a link, don’t pay any attention to it.
  • Try to maintain at least some degree of privacy on social media. The opinions of strangers rarely matter, and you certainly have better things to do with your time. What cannot be seen cannot be so easily targeted, and if you partition off the pointless parts of social media those parts can’t get to you so quickly.


Social media malware isn’t going anywhere, and you need to be able to defend yourself. Fortunately, with the above knowledge and the right tools to aid you, you will not have any problems with this common menace.

Do you have any other ideas on what to do about social media malware? Have you encountered any problems yourself? Any stories to share? We would love to hear about them. Please leave a comment below and let us know what you think.


Cassie Phillips is a frequent author and blogger. You can find more of her work at SecureThoughts.

A special thanks to Shawn Tuma for sharing this article. His website is one of those websites that simply impressed me when I first stumbled across it. The content gives loads of new information that inform my technology decisions. Readers will want to check out this recent video blog on cybersecurity and data breaches.


Kevin O’Keefe Interviews Shawn Tuma About Blogging at State Bar of Texas 2015 Annual Meeting

I had the wonderful opportunity to visit with and get to know Kevin O’Keefe (@kevinokeefe) at the State Bar of Texas 2015 Annual Meeting in San Antonio. Kevin is the Founder and CEO of LexBlog, the preeminent source for legal blogging (where I plan to head, one day).

Kevin and I both did presentations during the Ignite Session; Ignite presentations are 20 slides in 5 minutes, with the slides advancing automatically, whether you are ready or not! It was quite a challenge. Following my presentation, Kevin did a brief interview of me using just his iPhone — and it was really cool (and is inspiring me to start doing video blogs – so stay tuned!).

Post Webinar Thoughts: Simple Ways to Effectively Use Social Media to Help Build Your Law Practice

Here is a great post by Cordell on a few takeaways from our webinar on social media marketing for lawyers. Check it out and let us know what you think: Simple Ways to Effectively Use Social Media to Help Build Your Law Practice | Cordell Parvin Blog.

Part 3 of Series: Simple Ways to Use Social Media to Build Your Practice in One Hour

Here is the third and final post in my 3 part series on Cordell Parvin’s blog: Lawyers: Simple Ways to Use Social Media Marketing in One Hour: Part 3 | Cordell Parvin Blog.

If you missed them, here are the first two posts:

I also have several other posts where I discuss my coaching experience with Cordell — check them out and give him a call, he doesn’t bite! Here is his website and his blog.