If the guidelines are followed correctly, Google Business Profile (GBP) suspensions should not happen right? But if it does happen, getting your profile reinstated certainly shouldn’t take months, either.
But for a few weeks in October, Google caused nightmares for tens of thousands of businesses around the world. It seemed that all it took to get suspended was simply looking at your GBP the wrong way, and the response time for GBP support to reinstate suspended profiles was 1 month or longer. So what has been going on?
What happened?
It seems Google released sloppy code that contained a bug, which caused Google Business Profile suspensions to skyrocket.
Ben Fisher, Google Diamond Product Expert, and owner of Steady Demand, explained that there were a number of causes for suspension at the time:
“Causes for suspension right now:
Hitting the verify button (instant suspension)
Adding website parameters (33% suspended)
Editing hours
Editing a description
Editing name
Editing categories
Editing address (This is normal, kinda)
Marking yourself ‘temporarily closed’
Breathing too hard on a GBP (OK kidding!)
“Normally when editing GBP, you will either have to wait for a review, it will be accepted, it will cause a re-verification or it will suspend the profile. As of a few weeks ago, the number of false positives has grown exponentially.”
What did the local SEO community experience?
Harmony Huskinson, Local SEO Specialist at Portent said:
“I was on a screenshare with my client when their listing got suspended at the end of September, an agency’s worst nightmare. I was showing them how they can update their profile to a primary category that is more accurate and this triggered a suspension. I have another client who’s needed me to add UTM parameters to their URLs for weeks, but that project is on hold until Google fixes this bug.
“At this point, we’ve been waiting for reinstatement for three and a half weeks, so we’re only halfway through the backlog, probably. I’ve read that folks are waiting up to six weeks to hear back from Google. The location that was suspended has lost quite a lot of business for this, they were ranking fairly well in their local community and all that progress is negated by this unprecedented suspension. As a marketer whose first priority is helping local businesses see results, I’m feeling pretty stuck.
“They’ve lost quite a bit of business to this, from what I hear.”
Ashley Romer of PaperStreet, who works with a number of clients in the law industry, was equally frustrated by what has happened:
“So right now I am dealing with one client who has multiple locations. She went to add a new location and it was immediately suspended right away. I have submitted a reinstatement and keep following up. I believe we are on the 4th week without a resolution.
“Most law firms, especially smaller ones, rely on their Google listing for business. So waiting weeks to get it back online can really cause a strain.”
Bug Fixed, but Reinstatement Times Still Affected
As of the afternoon of Friday, October 21, 2022, the suspension bug has been fixed.
“Google has just confirmed that the bug causing small edits to trigger suspensions should be resolved now.”
But the reinstatements are still taking a long, long time. So we’ve been talking to the experts about the problem to see what you need to know, and what you can do.
Tim Capper, Google Platinum Product Expert, and owner of Online Ownership, says:
“You need to identify the reason for suspension, fix the issue and submit a reinstatement request. A long delay in hearing back from your reinstatement request is not the bug. The current response time to a reinstatement request is around 25-30 business days.”
Tim explained that the bug kicked in when you got a response to your reinstatement request.
A normal response is:
We require additional information about the business.
I’m happy to confirm that we are able to reinstate the business profile and no further action is required.
A nonstandard (bug) response is:
This case is being sent to a specialist.
Your profile is live and verified (but it won’t be when you check)
While the bug was active, when you replied to either of the above responses, you got the exact same response a few days later. So perhaps this may be described as more of a reinstatement loop. If this ever happens, your profile’s reinstatement has landed in the bug cycle!
You may have noticed that GBP displays your case ID and progress status on all business support pages, support requests, and also on the help forums home page.
The progress status also refreshes every time you get a non-standard response, so you think a human is viewing your request, but unfortunately not.
Google Business Product Expert Stefan Somborac (of Marketing Metrology), shared the experience he’s had with helping reinstatements on the forum:
“The support team is taking 3-4 weeks to respond to US reinstatement submissions. I suspect there is a regional factor here. I had a Canadian case resolved in 2 weeks and an Australian case resolved in less than one week … Recommendation: patience.”
What can you do to avoid any reinstatement issues?
If you are aiming to get reinstated, all the advice strongly recommends you double, maybe even triple, check your GBP and the reasons it was suspended. Create a strong case and make sure you provide Google with a thorough explanation, with documentation, that proves why your GBP should be reinstated.
As Amy Toman, Local SEO at Digital Law Marketing and Google Gold Product Expert, explains:
“Because responses are running slowly, it’s best to prepare your case thoroughly before submitting your reinstatement request. Make sure you update your listing to comply with Google’s guidelines and be sure your supporting paperwork is consistent and correct. By providing proof of your listing’s accuracy and compliance with the guidelines, you help Google to get your listing back online quickly.
“My point is that if you send Google all the info they need at the beginning of the process, the timeline should be shorter.
“Most [reinstatements] are seeing four weeks, but that’s my experience, nothing formal from Google. It’s not consistent, though; I’ve seen some take less time as well, but that’s rare.”
Elizabeth Rule, Local SEO Analyst at Sterling Sky and Google Gold Product Expert, echoes Amy’s advice:
“Though there is still an average 22-day (or longer) wait to hear back on reinstatement cases, anecdotally I am seeing quicker action taken for businesses who have tons of proof their business is legit and located where they say they are, versus businesses who don’t have much proof and say things like ‘my business has been verified for 5 years with no issues’. That may be true, but if you do not have definitive proof, Google is less likely to reinstate you despite how long you’ve been verified.”
Joy Hawkins, owner of Sterling Sky, told us that her business hadn’t been affected by the suspensions bug, but gave some excellent advice on ensuring GBP quality so your profiles do not get suspended in the future:
“At Sterling Sky, we haven’t experienced any suspensions due to edits and are proceeding as normal with our clients. We never suggest doing tons of major changes to things like the business name, phone number, website, etc. at the same time.
“If you are working in spammy industries like locksmiths, drug rehabs or personal injury attorneys, be very careful not to submit too many edits to the listing in Google My Business at once or it could trigger a suspension. For example, I wouldn’t suggest adding attributes, a business description, and changing categories all at the same time. Instead, spread this work out over time and only do one or 2 edits at a time.”
In summary
Our key takeaways from the current issues with GBP suspensions and reinstatements:
Before the suspension fix, experts advised you not to update your Google Business Profile unless absolutely critical.
Suspensions were happening for all kinds of basic reasons, sometimes for simply clicking ‘verify’ or performing basic edits.
Reinstatements are still taking at least 22 days, and in many cases even longer.
When submitting a reinstatement request, prepare a thorough case for reinstatement and make doubly sure your listing adheres to Google’s guidelines.
Now that the suspension bug has been fixed, things shouldn’t be quite as bad for local businesses and marketers. It’s worth stating that while many suspensions happened for seemingly superficial reasons, sticking within Google’s guidelines for GBP is essential. This is particularly the case with the slow reinstatement issue.
Multifactor authentication (MFA) is the gold standard in offices around the world and 2FA is the standard for end users. We all know the drill: you use your username (often your email address) and, perhaps, as the password, the name of your first dog and your kids' DOB.
Not very foolproof, and not recommended, but often the end user isn’t too worried. In their mind, they know that if the hacker does figure out their crappy password using various tools or techniques, they still must find their way past the 2FA/MFA layer of security.
Beware of “push bombing”
However, what you may not realize is that hackers have developed many tried-and-true methods for circumventing your 2FA/MFA security, including social engineering attacks, spear-phishing, and DDoS attacks. And there is another favorite tool hackers have at their disposal, one that relies on users being tired, frazzled, or annoyed enough to “cave in”, which is especially prevalent in the lead-up to the holiday season.
Users and organizations frequently implement multi-factor authentication (or 2FA) that uses push notifications to protect their employees and customers. The process is simple: you type in your password, receive a notification that is “pushed” to your smartphone, and approve the access. Many Identity Providers (IdPs) and MFA products work in this way. The problem with push notification MFA is that, like most things, it can be exploited.
The 2022 Passwordless Security Report found that push attacks grew 33% year over year
Push attacks are a favorite tactic of Nobelium, the Russian hacking group behind the massive Solar Winds supply chain attack
The recent attacks by the Lapsus$ hacking group underscore the level of risk push notification MFA creates for organizations.
Push attacks (also called push bombing attacks, push fatigue attacks and MFA-prompt bombing) are used by malicious actors to get past push notification MFA. The attacker is usually already in possession of a valid username and password. With 15 billion stolen passwords available on the dark web, this is trivial. The attacker spams the victim with notifications to authenticate until they are fatigued and finally accept it. When deployed on a mass scale using automated attack tools, even a 3% success rate is significant.
How Does a Push Attack Work?
Consider this: what happens when you’re busy, immersed in your work, and you receive a notification on your phone to approve?
Do you always read the notification? How likely are you to casually approve a message or prompt out of habit, just to get on with your day? Would a less tech-savvy user in your organization tap “Approve” on their mobile app, even if it was a fake push notification?
The reality is that they are very likely to do so. Push notifications have become so numerous that people often hastily approve them — not knowing or understanding the repercussions this can have on their work environment. In 2018, malicious actors exploited this tendency toward “push fatigue” multiple times in concert with phishing tools to target politicians involved in the economic and military sanctions against Iran. More recently, large swaths of Microsoft 365 users were targeted in a push attack campaign.
Push notification attacks take advantage of a few key factors:
Awareness
The attackers prey on a particular lack of awareness on the user’s part. Many people outside the Security Operations Center (SOC) don’t even know this is happening. Companies invest heavily in security education to protect employees from falling victim to password phishing and more traditional attacks. It’s going to be a while before the push attack problem is part of users’ daily vocabulary.
Familiarity
Push-based approvals are often introduced to the enterprise along with an MFA app such as SalesForce Authenticator. The user associates the action of approving a request with a security feature. Given this, it’s understandable that people aren’t quick to be suspicious of this functionality.
Cognitive Overload
Between texts, emails, Spotify alerts, etc., our smartphones are overloaded with notifications. There is simply too much information to process — and hackers take advantage of this overload. Users who receive dozens or even hundreds of notifications a day are not likely to think too hard about them. The likelihood of a single rogue login approval being overlooked or approved by accident is low, but at scale, it becomes a very promising attack vector.
Compromisable Push Notification MFA
Of course, the elephant in the room is that standard push notification MFA is inherently flawed and increasingly being used as an attack vector.
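As an added example (not code from the article or from any vendor it names), the following Python scans a constructed authentication log for the burst-then-approve pattern described above: many prompts for one user in a short window, several rejections, then an approval. The log format and event names are assumptions, so map your own IdP's export onto the parser.

```python
"""Detect MFA push-bombing in authentication logs.

Added example for this article, not code from any vendor named in it. The
log line format is constructed for illustration; map your IdP's own export
(event names, timestamps) onto the parser before use.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: alice shows a normal single prompt; bob receives a
# burst of prompts from one source, rejects several, then approves one.
SAMPLE_LOG = """\
2022-11-02T08:00:01Z user=alice event=push_sent src=10.0.0.5
2022-11-02T08:00:09Z user=alice event=push_approved src=10.0.0.5
2022-11-02T23:14:02Z user=bob event=push_sent src=198.51.100.7
2022-11-02T23:14:05Z user=bob event=push_denied src=198.51.100.7
2022-11-02T23:14:20Z user=bob event=push_sent src=198.51.100.7
2022-11-02T23:14:40Z user=bob event=push_timeout src=198.51.100.7
2022-11-02T23:15:01Z user=bob event=push_sent src=198.51.100.7
2022-11-02T23:15:03Z user=bob event=push_denied src=198.51.100.7
2022-11-02T23:15:30Z user=bob event=push_sent src=198.51.100.7
2022-11-02T23:16:10Z user=bob event=push_sent src=198.51.100.7
2022-11-02T23:16:12Z user=bob event=push_approved src=198.51.100.7
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    src: str


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, fields["user"], fields["event"], fields.get("src", "?")))
    return sorted(events, key=lambda e: e.ts)


def max_prompts_in_window(prompts, window):
    """Largest number of push_sent events (time-ordered) inside any `window`."""
    best, start = 0, 0
    for end in range(len(prompts)):
        while prompts[end].ts - prompts[start].ts > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received >= `threshold` prompts inside `window`.

    A burst that ends in an approval after earlier denials or timeouts is the
    classic fatigue pattern and is rated 'high'; a burst with no approval is
    still worth a look ('medium').
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e.kind == "push_sent"]
        burst = max_prompts_in_window(prompts, window)
        if burst < threshold:
            continue
        rejections = 0
        approved_after_rejection = False
        for e in evs:  # evs is already in time order
            if e.kind in ("push_denied", "push_timeout"):
                rejections += 1
            elif e.kind == "push_approved" and rejections > 0:
                approved_after_rejection = True
        findings.append({
            "user": user,
            "prompts_in_window": burst,
            "rejections": rejections,
            "approved_after_rejection": approved_after_rejection,
            "sources": sorted({e.src for e in prompts}),
            "severity": "high" if approved_after_rejection else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(finding)
```

Tune `window` and `threshold` to your own baseline; a user who legitimately retries a few times should stay below the threshold, while the approve-after-rejections flag is the signal worth paging on.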
Can You Prevent Push Attacks?
The good news is that you can use alternative authentication flows that better secure you or your users, increase your login speed and provide a smoother user experience.
These attacks are generally targeted at employees of organizations the attackers want to gain access to, rather than at individuals.
If you are just an end user looking to protect access to your online services and accounts, the easy solution is to not use an MFA/2FA solution that simply requires you to tap “approve” on your mobile device (such as Windows Hello or Android authentication), which gives access to anyone who is asking.
Instead, use a solution that actually requires you to interact with the service or website you are logging into, such as entering a One-Time Password (OTP) from your authenticator app or confirming an on-screen code that you will only know if you are the one logging in.
This will stop you from simply approving a malicious actor’s requests, either accidentally or through fatigue.
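To show why the on-screen code matters, here is an added example (not HYPR's or any vendor's code; class and method names are hypothetical) that contrasts a bare tap-to-approve push with a number-matching push, where the phone app must send back the number shown on the login screen:

```python
"""Bare "tap to approve" push versus number-matching push.

Added example illustrating the on-screen code idea; class names and the
flow are hypothetical, not any vendor's implementation.
"""
import hmac
import secrets


class BarePushServer:
    """Legacy flow: any tap on a pending prompt approves the login.

    This is what push bombing exploits: the attacker only needs the victim to
    tap once, so repeated prompts eventually succeed.
    """

    def __init__(self):
        self.pending = set()

    def start_login(self, user, now):
        cid = secrets.token_hex(8)
        self.pending.add(cid)
        return cid, None  # nothing for the user to verify

    def approve(self, cid, entered, now):
        if cid in self.pending:
            self.pending.remove(cid)
            return True
        return False


class NumberMatchingServer:
    """Number-matching flow: the browser shows a two-digit number, the push
    carries only the challenge id, and the phone app must send the number
    back. A tap without the number on the login screen is rejected.
    """

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self.pending = {}  # challenge id -> (user, number, expires_at)

    def start_login(self, user, now):
        cid = secrets.token_hex(8)
        number = f"{secrets.randbelow(100):02d}"  # shown only on the login screen
        self.pending[cid] = (user, number, now + self.ttl)
        return cid, number

    def approve(self, cid, entered, now):
        # Single use: any outcome (right, wrong, expired) consumes the challenge.
        record = self.pending.pop(cid, None)
        if record is None or entered is None:
            return False
        _user, number, expires_at = record
        if now > expires_at:
            return False
        return hmac.compare_digest(number, str(entered).zfill(2))


def legitimate_login(server, now=0):
    """alice is at the login screen and sees the number (if any) herself."""
    cid, number = server.start_login("alice", now)
    return server.approve(cid, number, now + 5)


def run_push_bomb(server, prompts=20, now=0):
    """Attacker holding bob's password fires `prompts` logins. The number (if
    any) is displayed on the attacker's screen, not bob's. Worn down, bob
    taps approve on the last prompt with nothing to enter; the result is
    whether the attacker's session got approved."""
    cid = None
    for i in range(prompts):
        cid, _shown_to_attacker = server.start_login("bob", now + i)
    return server.approve(cid, None, now + prompts)


if __name__ == "__main__":
    print("bare push, bombed:      ", run_push_bomb(BarePushServer()))
    print("number matching, bombed:", run_push_bomb(NumberMatchingServer()))
```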
When you combine user-first login with desktop SSO, you can achieve a very high level of assurance for desktop login, web applications and single sign-on. It’s more secure than a push-based login and it gives you instant access across SSO-protected apps and corporate resources.
For example, with HYPR True Passwordless™ MFA, your smartphone acts as a remote control for your computer. You tap on the HYPR mobile app to select your computer, provide your preferred biometric or decentralized PIN and gain access to your desktop.
User-initiated authentication for desktop SSO addresses multiple threats:
Clarifying Intent: The login action is initiated by the user. This requirement signals a clear intent to login. Moving the first step from the desktop to the smartphone keeps a malicious actor from spamming the user with requests to access their workstation, and subsequently, all of their corporate resources.
Stops phishing: Login of this kind is phishing resistant, preventing you from inadvertently approving any access request because it’s an active process that begins on your smartphone. Access is granted only when you make the conscious decision to unlock your smartphone.
Elimination of passwords: HYPR’s mobile-first login does not utilize passwords. Going passwordless also means you’ll worry less about credential stuffing, brute force, and SIM-swapping attacks that are common among legacy, password-based MFA solutions.
MFA By Design
The mobile-initiated login method is multi-factor by design. It provides factors for:
Something you are: your fingerprint, face scan, or other biometric recognition.
Something you have: your smartphone, which acts as a physical FIDO token, similar to a smart card.
Something you know: a decentralized PIN that’s also stored safely on your device.
Now that the user has strong authentication into their computer, your SSO provider can extend that strong binding to provide seamless access into other resources across the enterprise without additional friction.
Log into SSO With QR Code
Passwordless MFA that supports QR code scanning provides the strongest protection against push attacks. This eliminates push notifications entirely, even for direct SSO login. A QR login feature lets users log into their SSO-managed web apps by scanning a QR code with the app or camera on their smartphone.
This prevents push fatigue and its potential for push attacks. It gives more control to the end user, who initiates their authentication by scanning the code rather than waiting for a push notification to arrive on their smartphone. QR code login is also inherently multi-factor, as it uses something you have (your phone) and something you are (biometric validation).
Preventing Push Attacks: Key Takeaways
With push notification MFA, organizations are relying on the weakest link known to security — people. It’s human nature to take the path of least resistance, including recklessly accepting push notification authentication requests so we can continue on with our day.
As cyber threats evolve, so must our security solutions. Here are key takeaways to help your organization steer clear of push attacks:
Push-based MFA is subject to bypass by commonly used tools such as Modlishka and by phishing.
Initiating login on the user’s smartphone creates a phishing-resistant flow so your employees cannot be tricked into logging into the enterprise.
Mobile-initiated login at the desktop is inherently multi-factor, which means you can leverage your SSO provider for instant access to cloud and web applications.
QR Code login to SSO eliminates push notifications entirely from the authentication process.
Cybersecurity is a complex topic, and if you are the average layperson, you have likely found yourself asking “What is the difference between 2FA and MFA?”
In simple terms, Two-Factor Authentication (2FA) requires users to demonstrate exactly two distinct methods of authentication, whereas Multi-Factor Authentication (MFA) requires users to demonstrate a MINIMUM of two distinct methods of authentication but can be more. So, all 2FA is MFA, but not all MFA is 2FA.
If you are new to the world of cybersecurity, terms such as MFA and 2FA may appear rather cryptic to you. Sometimes MFA and 2FA are used interchangeably, but although similar, they are not the same thing. Both acronyms have been in wide use for years and happen to be an inseparable part of online security, so let’s once and for all clear up the confusion around MFA and 2FA.
Preliminary Definitions
In order to fully comprehend what MFA and 2FA are, you have to understand two concepts: that of authentication and that of a factor of authentication.
Authentication is a process during which a security system decides if the person who tries to log in is exactly who they claim to be.
The preceding definition entails that a security system has to find a way to ensure that the person who tries to log in as Bob is indeed Bob and not someone pretending to be Bob. The security system should not grant access to some other person using Bob’s credentials. So how can a security system know that the person is Bob?
Well, Bob has to successfully present adequate evidence of his identity and then and only then will he be granted access.
A factor of authentication is a piece of evidence that a user has to present to prove they are who they claim to be.
The three basic Factors of Authentication are:
Knowledge Factor – represents what you know, e.g. a password
Possession Factor – represents what you have, e.g. a phone, a security token
Inherence Factor – represents who you are, e.g. your fingerprint or eye retinal pattern
MFA vs. 2FA
Multi-Factor Authentication (MFA) is a type of authentication that requires two or more factors of authentication.
Two-Factor Authentication (2FA) is a type of authentication that requires exactly two factors of authentication.
Two-Factor Authentication is, therefore, a subset of Multi-Factor Authentication, and the following two sentences are true:
Every Two-Factor Authentication is Multi-Factor Authentication
Not every Multi-Factor Authentication is Two-Factor Authentication
Why Is One Factor Not Enough?
The Knowledge Factor is the most commonly used factor of authentication. A password you enter every time you log in to an application is an example of the Knowledge Factor. Unfortunately, passwords have long proved insufficient in the contemporary world. Simply put, passwords are not secure enough.
Cybercriminals have invented a wide range of methods to intercept and crack somebody’s password, from phishing to keylogging to rainbow table attacks. If passwords are your sole line of defense against unauthorized access, then you had better enable Multi-Factor Authentication, along with a password manager, across your workforce before it’s too late.
How Introducing More Factors Improves Security
MFA adds more factors of authentication and therefore eliminates security threats associated with low security of passwords. You can think of every factor as an additional lock, with varying levels of difficulty of breaking them. If you introduce Two-Factor Authentication (2FA) to your users’ login experience, then even if a malicious third party manages to break the weak lock (password), they will not be able to open the door because the strong lock (e.g. the Mobile Push authentication request method) will stop them.
The Mobile Push authentication method is an example of the Possession Factor. Mobile Push is one of the methods your users can use if they install a mobile authentication app. Assuming the attacker already broke your password, now they have to steal or gain remote access to your phone, which isn’t impossible but much harder than cracking a password. Stealing or gaining access to your phone requires additional steps on the attacker’s side, which in turn means more time for you to react. Simply tapping DENY on your phone will stop any malicious attempt at breaking into your account.
Nobody’s perfect. It’s human to err. Sometimes you work under stress or pressure and it’s so easy to get distracted. Attackers know this and they will try to attack you when you are the weakest. You can make a mistake that will cost you your data and money. Two-Factor Authentication significantly mitigates the probability of human error but does not eliminate it. Introducing yet another factor of authentication will make your authentication even stronger and the chances of human error are negligible.
One way to further reinforce your MFA is turning on fingerprinting in your Authenticator.
With fingerprinting turned on, your Mobile Push Multi-Factor Authentication may look as follows:
Again, adding more factors of authentication is like adding more locks to your door, each lock harder to crack than the last. In the login example above, three factors of authentication were used: Knowledge Factor (password), Possession Factor (phone), and Inherence Factor (fingerprint). Since three factors were used, the preceding is an example of Multi-Factor Authentication but not Two-Factor Authentication.
Enable MFA/2FA Now
To reiterate, MFA involves introducing more factors of authentication to the process of authentication. 2FA is a subset of MFA that involves using exactly two factors of authentication. Using just one factor in the form of a password is not secure enough, and that’s why you have to enable Multi-Factor Authentication in your company.
Time is of the essence. Now that you understand what MFA/2FA is and know how insecure using only passwords in your company is, enable MFA before it’s too late! Improving security should be your number one concern now.
Digital marketing metrics are crucial to your campaigns’ success.
After all, your key metrics give you insights into your digital marketing campaigns’ performance and help you understand the strategies that work (or don’t work) well.
Tracking your metrics also helps you make better marketing decisions to meet your objectives. Tracking and analyzing your metrics is essential to optimizing your website and campaigns.
If you don’t track your performance, you will suffer uncertainty and increase your risks. Here are 8 of the most crucial metrics you should be tracking.
1. Traffic Data
Traffic data is one of the most basic yet crucial metrics for measuring your website or marketing campaign’s effectiveness.
The data can answer questions such as: How many people visit my website? What pages are they viewing? Which keywords do they search for?
Source: Researchgate.net
Traffic data gives you an idea of how much traffic your website gets from search engines, social media, and other sources.
If you’re not getting enough traffic, check crucial aspects such as your website’s design, ad copy, and other marketing content and initiatives.
It’s essential to remember that traffic data doesn’t solely determine the success of your marketing campaigns.
It is best to pair this metric with the other crucial metrics to determine how well your campaign performs.
2. Conversion Rate
Conversion rate is the percentage of visitors who complete an action you want them to take on your website. It’s usually expressed as a percentage of the total number of people who visit the page.
For example, suppose you sell test case management software; if 100 people visited your website and five subscribed to your service, your conversion rate would be 5%.
The conversion rate is significant because it tells you how well your website or campaign helps turn your passive visitors into paying customers.
It helps you determine where to improve, including which pages are performing well and which ones need attention.
3. Customer Lifetime Value (CLTV)
Customer Lifetime Value (CLTV) is the total amount of money you expect to make off a customer throughout their relationship with your business.
The CLTV formula is simple: CLTV = Average Customer Value (how much they spend) x Average Customer Lifespan (how long they stay).
Calculating the CLTV can give you a good sense of the cost to acquire a new customer based on their lifetime value.
Use CLTV and other metrics to help you decide how much and where to spend your marketing efforts to drive significant results.
For example, if you know that each new customer costs $300, but they only make $200 in revenue, it might be time to rethink your marketing strategy or adjust your pricing model.
4. Return on Ad Spend (ROAS)
Return on Ad Spend (ROAS) is the amount of revenue earned per dollar spent on advertising.
Calculate your ROAS by dividing the total revenue generated by the campaign by the total cost of running it. The formula is: Revenue / Total Adspend.
For example, if you spent $1,000 on advertising a worship presentation software for pastors and made $10,000 in revenue, your ROAS would be the ratio of 10:1 or 10.
The higher your ROAS, the more profitable your advertising campaign. The lower it is, the less effective your campaign is at driving sales.
5. Cost Per Acquisition (CPA)
Cost Per Acquisition (CPA) is the cost of acquiring a new customer.
Calculate your CPA by dividing the total amount spent on marketing by the number of customers acquired in a given period (Total Amount Spent / Total Conversions).
Your CPA is an essential metric for measuring your marketing strategy’s effectiveness because it tells you how much you spend on each customer.
If this number is too high compared to each customer’s value, you need to try a different marketing approach, since you lose money for every customer acquired.
6. Average Session Duration
Source: analyticsedge.com
Average Session Duration is a metric that measures how long visitors stay on your website.
Suppose you have a blog about the content tracking process, this metric is able to tell you how engaged your visitors are with your content.
Calculate the average session duration by dividing the total number of visits in a month by the average session length.
For example, if a site has 100 visits in one month and an average session length of 20 minutes, then the website’s average session duration would be 100 divided by 20 = 5 minutes.
Use this metric to ensure that your content is compelling enough to keep visitors reading or that there are no problems with your site’s design.
7. Average Page Load Time
Average Page Load Time is the average time it takes for a webpage to load.
Visitors are going to click away in frustration if your web page takes too long to load, increasing your bounce rate.
Your average page load time should be less than five seconds, according to Google.
Optimize your images and compress code to help speed up your page load times.
Find this metric in Google Analytics under Behavior > Site Speed > Performance.
Alternatively, you can use other online tools such as Google’s PageSpeed Insights or GTMetrix.
8. Engagement Rate
Source: fanpagerobot.com
Engagement Rate measures how often your audience interacts with your content.
It’s also the percentage of impressions that result in a user taking action, such as clicking on an ad or making a purchase.
It is the number of people interacting with your content divided by the total number of people who saw it (Total Engagement / Total Impressions).
For example, if you have 10,000 views on your latest blog post on why you should buy SEO articles and 1,000 people clicked through to read it, your engagement rate would be 10%.
This is a good engagement rate as the higher the engagement rate, the more frequently users interact with your content.
Track your metrics to stay on top of your campaigns
There is no perfect formula to achieving digital marketing success, but you can get closer to your goal by tracking the right metrics and optimizing your campaigns accordingly.
While there is a plethora of marketing metrics you can track, focus on those that matter most to your business and are crucial for any successful digital marketing campaign.
Cybersecurity researchers uncover MaliBot, a powerful new Android malware that steals passwords, bank details and cryptocurrency wallets from users.
Besides being able to siphon passwords and cookies of the victim’s Google account, the malware is designed to swipe your 2-factor authentication codes from the Google Authenticator app as well as exfiltrate sensitive information such as total balances and seed phrases from Binance and Trust Wallet apps.
In addition to remotely stealing passwords, bank details and cryptocurrency wallets, MaliBot can access text messages, steal web browser cookies and can take screen captures from infected Android devices. It can also get around multi-factor authentication (MFA) – one of the key cybersecurity defences people can use to protect themselves against cyber criminals.
Like many Android malware threats, MaliBot is distributed by sending phishing messages to users’ phones via SMS text messages (smishing) or by luring victims to fraudulent websites. In both cases, victims are encouraged to click on a link, which downloads the malware to their phone.
So far, researchers have found two malicious websites used to distribute MaliBot – one is a fake version of a legitimate cryptocurrency-tracker app with more than a million downloads from the Google Play Store.
After being downloaded, MaliBot covertly asks the victim to grant accessibility and launcher permissions it requires to monitor the device and perform malicious operations. This includes stealing sensitive information like passwords and bank details, as well as manipulating the device to coerce the victim into giving up additional information – something it does by stealing multi-factor authentication codes.
Google Android users are encouraged to use two-step verification, designed to protect accounts from being accessed by intruders even if the password is known – but the cyber criminals behind MaliBot know this and have devised a way of getting around it.
Once MaliBot has captured credentials on the device, it can bypass multi-factor authentication by using the accessibility permissions to click the ‘Yes’ button on the prompt asking if the user is trying to sign in. If a user saw this prompt they might find it suspicious, but the access granted to MaliBot also lets it draw an overlay over the prompt so it isn’t seen.
MaliBot uses a similar technique to bypass additional protections around cryptocurrency wallets, allowing the attackers to steal any Bitcoin or other cryptocurrencies from accounts linked to the infected Android smartphone.
In addition to stealing sensitive information and currency from the victim, MaliBot is also equipped with the ability to send SMS messages that can be used to infect others with the malware – a tactic similar to that which allowed FluBot malware to become so successful.
Currently, the MaliBot campaign is solely targeting customers of Spanish and Italian banks, but researchers warn that “we can expect a broader range of targets to be added to the app as time goes on”.
While the malware is focused on stealing bank details and cryptocurrency, it’s warned that MaliBot’s powerful capabilities, which allow control over an infected device, could “be used for a wider range of attacks than stealing credentials and cryptocurrency.”
To avoid falling victim to MaliBot or other Android malware attacks, users should be wary of following links in unexpected text messages and should be cautious about downloading apps from third-party websites.
Users should also be aware of the risks associated with enabling accessibility options – while they do have a legitimate use, they’re also widely abused by cyber criminals.
It is also recommended to install a robust cybersecurity and anti-malware solution on all your devices, such as Bitdefender.
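Because MaliBot depends on the victim enabling its accessibility service, one practical check is to audit which services currently hold that permission. The script below is an added example, not code from the article or the researchers: it parses the value of Android’s `enabled_accessibility_services` secure setting (as printed by `adb shell settings get secure enabled_accessibility_services`) and flags any service whose package is not on an allowlist; the allowlist entries and the sample setting value are constructed placeholders.

```python
"""Audit enabled Android accessibility services against an allowlist.

Added example (not from the article or the MaliBot research). The secure
setting 'enabled_accessibility_services' holds a ':'-separated list of
component names ('package/class'); a class beginning with '.' is relative
to its package, and 'null' or an empty string means nothing is enabled.
"""
import subprocess
from typing import Dict, List, Set

# Constructed allowlist: packages the device owner knowingly granted
# accessibility access. These names are illustrative placeholders.
KNOWN_GOOD_PACKAGES: Set[str] = {
    "com.android.talkback",
}


def parse_enabled_services(raw: str) -> List[Dict[str, str]]:
    """Split the raw setting value into package/service entries."""
    entries: List[Dict[str, str]] = []
    raw = raw.strip()
    if not raw or raw == "null":
        return entries
    for component in raw.split(":"):
        component = component.strip()
        if not component or "/" not in component:
            continue  # malformed fragment: skip it rather than crash
        package, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = package + cls  # expand the shorthand class name
        entries.append({"package": package, "service": cls})
    return entries


def audit(raw: str, allowlist: Set[str] = KNOWN_GOOD_PACKAGES) -> List[Dict[str, str]]:
    """Return the enabled services whose package is not on the allowlist."""
    return [e for e in parse_enabled_services(raw) if e["package"] not in allowlist]


def read_from_device() -> str:
    """Read the live setting over adb (needs adb and a connected device)."""
    return subprocess.check_output(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        text=True,
    )


# Constructed sample: the allowlisted screen reader plus an unexpected
# service belonging to a sideloaded app (a placeholder package name).
SAMPLE = (
    "com.android.talkback/com.android.talkback.TalkBackService:"
    "com.example.sideloaded/.AccessService"
)

if __name__ == "__main__":
    for hit in audit(SAMPLE):
        print(f"unexpected accessibility service: {hit['package']} ({hit['service']})")
```

Replace `SAMPLE` with `read_from_device()` to check a real handset; anything flagged that the owner did not deliberately enable deserves a closer look.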
Lots of people use their browser to save their passwords, but most browsers store your sensitive data, including usernames, passwords and session cookies in plain text (not encrypted).
Most Chromium-based web browsers are affected, including Google Chrome and Microsoft Edge. A quick test on other browsers such as Brave and Mozilla’s Firefox confirms that these browsers also store this data insecurely in plain text.
Physical access to your machine is not required, as remote access, or access to software that is running on the target machine, is sufficient to extract the data. Extraction can be done from any non-elevated process that runs on the same machine, such as any browser extension or other app you have installed.
While it is necessary for the user to enter credential data such as usernames and passwords before they can be extracted, Zeev Ben Porat notes that it is possible to “load into memory all the passwords that are stored in the password manager”; in fact, this is exactly what password managers such as LastPass, 1Password, Dashlane etc. do in order to import all your browser passwords for you.
Two-factor authentication security may not be sufficient to protect user accounts either, if session cookie data is also present in memory; extraction of the data may lead to session hijacking attacks using the data.
A CyberArk security researcher describes several different types of clear-text credential data that can be extracted from the browser’s memory:
Username + password used when signing into a targeted web application
URL + Username + Password automatically loaded into memory during browser’s startup
All URL + username + password records stored in Login Data
All cookies belonging to a specific web application (including session cookies)
The issue was reported to Google and it quickly received “won’t fix” status. The reason given is that Chromium won’t fix any issues that are related to physical local access attacks.
Zeev Ben Porat published a follow-up article on the CyberArk blog, which describes mitigation options and different types of attacks to exploit the issue.
How to test your browsers
Windows users may use the free tool Process Hacker to test their browsers. Just download the portable version of the program, extract its archive and run the Process Hacker executable to get started.
Enter a username, password or other sensitive data in the browser that you want to test.
Double-click on the main browser process in the process listing to display details.
Switch to the Memory tab.
Activate the Strings button on the page.
Select OK on the page.
Activate the Filter button in the window that opens, and select “contains” from the context menu.
Type the password or other sensitive information in the “Enter the filter pattern” field and select OK.
Process Hacker returns the data if it is found in process memory.
I highly recommend using a proper password manager, which encrypts all your data and protects your passwords with 2-factor authentication, rather than storing your passwords in your browser.
I have always taught my kids about scams, online safety and security from an early age, yet despite my efforts, one of my sons still managed to get scammed by one of these scumbag fraudsters recently, emptying his bank account.
Halifax Bank did not care and wouldn’t help, even though they admitted they knew it was a scam right away as soon as they saw the transactions. The ombudsmen also were of no use at all and were completely biased and sided with the bank, despite us providing undeniable proof that this was unusual behaviour on his account and that the bank admitted they are fully aware that this happens all the time, can easily identify bitcoin purchases and identify them as a likely scam due to the unusual activity on a customer’s account, but simply don’t care and take ZERO steps to stop such scams or warn customers.
As any parent will know, kids generally refuse to listen to any advice their parents give them, so I am hoping this is a painful lesson learnt and he will heed my advice in the future. In the meantime, I thought I would share some advice with the rest of my readers, which I hope that you may find useful and that it may stop someone from becoming a victim of this scam in the future.
Please note: any new reports of fraud or cybercrime should be reported to Action Fraud or 101.
Over £230 million has been lost to investment scams over the last two years. According to UK Finance, in the first half of 2021 alone over £107 million was lost to this type of fraud. Investment scammers are changing their tactics regularly, but the frauds they perpetrate usually have a similar theme. You will be persuaded or pressured into investing in something that either did not exist, or was a fraud all along. If you made an investment and didn’t get your money back, it is likely that you were tricked by a scammer.
How does this scam work?
Fraudsters will cold call victims and use social media platforms to advertise ‘get rich quick’ investments in mining and trading in cryptocurrencies such as Bitcoin.
Fraudsters will convince victims to sign up to cryptocurrency investment websites and to part with their personal details such as credit card details and driving licences to open a trading account. The victim will then make an initial minimum deposit, after which the fraudster will call them to persuade them to invest again in order to achieve a greater profit.
In some cases, victims have realised that they have been defrauded, but only after the website has been deactivated or the suspects can no longer be contacted.
The most important thing to remember is that if an investment opportunity sounds too good to be true, it probably is.
Know the warning signs of a possible fraud:
Unexpected contact – either by telephone, email or social media
Time pressure – being offered a bonus or discount if an investment is made before a set date/ the offer is only available for a short period
Unrealistic returns – returns that sound too good to be true
Flattery – being over friendly when discussing investment opportunities
Social proof – they may share fake reviews and claim other clients have invested or want in on the deal. Even your own friends or people you know may have been scammed into making fake reviews, or your friends’ social media accounts may have been hacked and it may not be them making the posts.
How to protect yourself
Reject unsolicited investment offers whether made online, on social media or over the phone. Be wary even if you initiated contact.
Only use the telephone number and email address on the FCA Register, not the contact details the firm gives you and look out for subtle differences.
Stay in control – avoid uninvited investment offers, especially those over cold calls. If you’re thinking about making an investment, get independent advice and thoroughly research the company first!
Be wary when a firm doesn’t allow you to call them back. Never deal with people solely via messenger or social media. Online scammers will usually go out of their way to avoid speaking to you on the phone, as they will not want you to hear their voice or know their phone number. Usually they will be based in another country.
If a friend, family member or someone you know contacts you or makes a recommendation, always check it is actually them you are speaking to and not a scammer who has hacked their account. Call them and actually speak to them on the phone so that you can verify their identity and ask them if they have been paid to make that review or recommendation.
Test if you can spot an investment scam from a smart investment by taking the Scam or Smart quiz, visit www.fca.org.uk/scamsmart to find out more.
What to do if you’ve been a victim of Financial Investment fraud
You could be targeted again: Fraudsters sometimes re-establish contact with previous victims claiming that they can help them recover lost money, this is just a secondary scam. Hang up on any callers that claim they can get your money back for you.
Identity theft: If you suspect your identity may have been stolen, you can check your credit rating quickly and easily online. You should do this every few months anyway, using a reputable service provider and follow up on any unexpected or suspicious results.
Legal advice: In many cases of fraud there is a close correlation between what may be considered fraud and the civil tort of deceit and/or breach of contract, for which there are civil litigation options. We would always advise that you seek professional legal advice or contact Citizens Advice to understand your options.
You can also contact the Financial Conduct Authority’s consumer helpline on 0800 111 6768 or report suspicious businesses or individuals by using the reporting form on their website.
Refundee – could help get your money back from your bank.
Be aware of Recovery Fraud!
What it is
When someone who has been a victim of fraud in the past is contacted again by fraudsters. They pretend to be a government, police or law agency that can help recover the money that was lost, but ask for a fee to get it back.
Protect yourself
Be ready for fraud recovery scams if you’ve been a victim in the past. Challenge any calls, letters or emails from people you don’t know or companies you’ve never contacted.
If you’re asked to pay, or give your bank account details, end all contact.
Ask how they found out that you had been a victim. Any report of fraud is protected by law and can’t be shared with anyone else outside of law enforcement agencies.
Spot the signs
You’re contacted by an agency that knows a lot about the money you lost, but they want a fee first. Genuine agencies never ask for fees to recover money lost to fraudsters.
They’ve contacted you with a web-based email address, such as @Yahoo or @Hotmail. Genuine government or law enforcement agencies and law firms don’t use webmail.
If you’ve been a victim of fraud in the past, whoever took your money may keep your contact information and contact you again.
This time, they’ll pose as an organisation that has been made aware of your loss. They’ll claim they can arrest the fraudster, or even recover the money you lost. In either case, they say you’ll need to pay a fee first. This is a form of advance fee fraud; you’ll never get any money back.
If you pay, they’ll keep coming back to you with another cost that has to be paid, before your money can be returned.
If you ask them to take the fees from the money they claim to have recovered, they will give reasons why this isn’t possible. For example, they might tell you that your money is under the control of a court and can only be paid back to you by them.
The fraudsters may also ask you to provide details of your bank account so they can pay your money into it. They will use this information to empty your account.
Never ASSUME – Never assume a caller is genuine.
Never BELIEVE – Never believe a caller is genuine – Scammers may ‘spoof’ official telephone numbers, so the call display may show your bank’s telephone number, but it does not mean it is a genuine call.
Always CONFIRM – Always confirm if the call is genuine – Ask for identification (name, branch, employee number etc.). Tell the caller you will hang up and call back to confirm. Call the bank on the number shown on their website using a different phone, or wait at least 10 minutes. Ask if it was a genuine call.
I have recently come across this great FREE tool from Microsoft called Clarity, a user behavior and website debugging analytics tool unlike any other.
What Clarity does is provide useful insights into how users interact with and use your site in realtime, making it completely different from other analytics tools, including Google Analytics.
For years Google Analytics has been the leader in the analytics market with its free Google Analytics platform. Its dominant role in providing website operators with analytical visitor data has put it at the forefront of website usage analysis.
Microsoft is now set to change the game with its own completely free UX analytics tool that can record and show you exactly what users are actually doing on your website. Microsoft Clarity, provides engagement metrics, recordings, heatmaps, and website performance data that will help you improve user experience and design across desktop and mobile screens with real evidence and it allows you to do so in a way that helps to respect your users’ privacy and data security.
Google Optimize integration (they have informed me this is coming in the next couple of weeks.)
Microsoft Clarity Basics:
With Microsoft Clarity, website owners no longer have to pay for expensive solutions like Hotjar, CrazyEgg, or Lucky Orange to gather website visitor metrics to enable them to make useful and relevant changes to their website to improve the user experience (UX), while still respecting your users’ privacy and being fully GDPR compliant.
The goal of Clarity is to make user analytics easy. When your users’ experience on your website can be monitored and viewed visually, it can provide a much clearer picture of why your visitors bounce (leave your website immediately), the time they spend on site, the pages they visit and how they navigate around your site.
As a website/business owner, understanding the behavior of your visitors is very important to improving conversion rates and turning your visitors into paying customers. With Clarity, you can get an inside look at how your users behave while they are on your website without having to sort through a lot of data that you might not be interested in or even understand.
Additionally, you will be happy to hear that Clarity is designed to have a very low impact on your website’s performance. This means that your users aren’t going to have to wait longer for your website to load. With no restrictions or limits on traffic, Clarity is a great option for any size of website.
Clarity’s Dashboard
Using the insights dashboard, you can see aggregate metrics that will help you better understand your website’s traffic. On the dashboard, you can easily see how many users tried to click on something that is not a link, tried to click on a link that was too small, how many people scrolled up and down a page looking for information, JavaScript errors, and the average time a user spends on your site.
You can also use session filters (how long a user was on the site) to learn even more about user behavior. For example, you can see data in only a particular country or on a specific operating system. You could also change the timeframe to see performance information for different times of the day.
Session Recordings
Do you want to know how people interact with your website? Session playbacks are an excellent resource for website managers. With session playbacks, you can see if users are clicking on your links, CTAs, and more to better understand what is working for your website and what isn’t.
These playbacks also help you see novel patterns like “rage clicks” and “excessive scrolling” during your users’ sessions. Rage clicks are clicks that a user makes on a portion of your page that they think should link to another page or website. When you see these kinds of clicks, it is a good indicator that you need to provide a link because your website is non-intuitive.
When it comes to pricing these kinds of tools, the number of recordings you get and the length of storage time is a huge driver of cost. This is why Microsoft launching a free tool with seemingly unlimited recordings and 12 months of storage is a game changer. Of course, their OneDrive cloud storage platform will have helped with this.
It’s hard to tell if the data value Microsoft (and ultimately Bing Search) gets from this tool, will truly keep Clarity free forever, but as of right now it seems to have a street value of well over $300/month. For digital agencies managing multiple websites the value could be worth much more.
View Heatmaps of Your User’s Webpage Browsing
Heatmaps can be incredibly important for companies to see what people care about when viewing your website. With Clarity, you can see both clickmaps and scrollmaps.
Clickmaps show you what content is the most important to your users and are better suited to the desktop view of user engagement.
Scrollmaps are better for the mobile view and show you where people stop and what is most important on your pages.
Either way, you can see exactly what your visitors are interacting with to determine if your design is successful or how to modify your website to encourage the user behaviour you want.
Clarity aggregates these two different types of data into their heatmaps so that you can quickly see important behaviors and trends that your users are displaying on your pages.
Filters
Clarity allows you to filter your data by user info, user actions, paths, traffic, sessions, page and custom.
For some folks, analysis on the types of traffic channels is important. For example, your Paid Search ad should be reviewed and monitored differently than referral, email, or organic search traffic.
One previous complaint was the inability to filter traffic by source/campaign, but this feature has since been added, although I have not yet been able to test it out. I will update this article once I have done so.
They have also added the ability to create segments.
To avoid retyping the same filters manually, you can save groups of filters into segments. Segments can be applied to filters and custom tags.
You can create, apply, delete, clear, and upgrade a segment from any of the following features:
Dashboard
Recordings
Heatmaps
What Does Microsoft Clarity Mean for Industry Software?
Clarity certainly makes tracking user data cheap and easy for the digital marketing community. And, since Clarity is similar to other services like those provided by Lucky Orange, Crazy Egg, and Hotjar, we know there is a market for this type of software.
The only cost is the time taken for analysis, or paying someone to do it if you cannot do it yourself. It will be interesting to see what happens with this type of analytics data now that it’s free, and how many companies jump on the bandwagon of actually using it for more than a novelty and let it influence design and UX decisions.
I have already implemented Clarity on my own websites to see how it performs and if I can use it along with Google Analytics to improve the UX on my websites and the services I provide to my customers.
Online businesses and marketers have always searched for reliable strategies to connect with consumers and promote their products.
Fortunately, the Internet offers plenty of channels, including awesome marketing tips that can help them reach thousands of people instantly and conveniently.
So if you’re seeking the right digital marketing channels to boost your online business, check out these six strategies:
This strategy allows you to present regularly your latest products, items on sale, new blog posts, upcoming events, and other activities to your subscribers.
You can insert photos and links that they can click on, directing them to your site or landing pages and exploring your offers.
Follow these tips to help you develop a winning email marketing strategy to turbo-boost your campaigns:
Create eye-catching pop-ups. Invite your visitors to join your email list by attention-grabbing pop-ups. Use beautiful designs, give discounts, and get only the necessary details, such as customers’ names and email addresses.
Jiggy Puzzles has this sample colorful pop-up enticing you with a 10-percent discount when signing up for their email list:
Image Source: Jiggy Puzzles.
Design your email newsletters attractively. Leverage stunning newsletter templates and ready-made layouts. This way, you can simply fill in blank sections with your product photos, links, texts, and other elements.
Build email funnels. Plan your messages according to the stages of the customer journey your subscribers are in. For example, first-time subscribers receive a welcome message, shoppers with abandoned carts receive enticing messages to complete their purchases, etc.
Here’s a sample welcome message by Black Mango, featuring ratings and reviews, the promised discount code, and a CTA button for quick shopping and instant conversions:
Image Source: Black Mango
Finally, automate your email campaigns to personalize your messages and send them instantly according to your set triggers and schedules.
You can even automate your transactional and client support emails using robust customer service email management software.
2. Customer feedback integration with marketing
Feedback from your customers can be a goldmine of information and insights to help improve your products, services, customer experience, and your marketing efforts.
Customer feedback allows you to get an outsider’s perspective on your business and understand your customers and their needs better.
Make providing feedback more engaging and easier for your consumers. Get feedback using emojis to entice customers into providing their two cents about their experience with your brand.
Use tools such as Emoji Response to create custom feedback forms with emoji widgets as rating options.
The tool consolidates and analyzes your collected feedback data. It helps you extract relevant insights to spot gaps in your marketing and the customer experience and address weak points to improve them.
Image source: emailresponse.com.
Incorporating customer feedback into your marketing and business strategy can help you:
Assess your marketing initiatives’ performance
Map out the customer journey
Be more proactive about communicating with your audience
Leverage positive experiences from satisfied customers as social proof in your ads
Develop more customer-focused marketing content and strategies
SEO is a set of practices to optimize your website and online content for higher rankings in the search engine results pages (SERPs).
The higher you appear on the search rankings, the better your chances of customers clicking on your web pages, increasing your site traffic and number of potential buyers.
The likelihood of your web pages appearing on search results usually depends on factors such as keyword relevance, domain authority, mobile responsiveness, page load speed, and others.
For example, when I type in “cheap cupcakes in US,” these results appear, featuring shops such as Magnolia Bakery and Sprinkles Cupcakes:
Get the best possible SEO results for your online business with these tips:
Get your loading speed below three seconds and optimize your pages and the size and resolution of your images and videos. Consider investing in better quality cloud hosting or a cheap dedicated server so you don’t have to share resources with other websites, improving your page load speed.
Target high-volume, low-competitive keywords relevant to your niche.
Add more pages to your website by releasing new products, writing blog posts daily, creating landing pages, and more.
SEO typically relates to other marketing strategies, so you can integrate these with your promotional campaigns.
It’s also crucial to get expert tips and information, such as learning from the commonly overlooked blogging mistakes that can affect your SEO rankings.
If you’re working with a marketing agency, MSP marketing service provider, or any other third-party company, discuss how you can harmonize your SEO strategies with your other campaigns to achieve a unified promotional plan.
It’s also vital to use reliable SEO tools such as SERanking to help improve your content and reputation and website’s code, supporting your efforts to boost your on-page, off-page, and technical SEO strategies.
4. Video marketing
Video marketing is the practice of leveraging videos to promote your products, boost customer engagement on digital platforms, educate consumers, and reach more audiences.
When produced strategically, these videos can grab your customers’ attention, build connections with them, and capture their trust.
Patagonia gives a stellar example of video marketing on their website:
Image Source: Patagonia.
This online shop posts its films with compelling CTA buttons telling visitors to watch them. They also regularly post videos on their YouTube channel:
Execute these best practices when running video marketing campaigns:
Diversify your videos into tutorials, product demos, customer testimonials, etc.
Post or embed them on various platforms, such as your website, email newsletters, and social media.
Get to your point in under five to 10 seconds.
Tell a gripping, interactive story.
Leverage robust digital marketing software such as Content Management System (CMS) to simplify adding and modifying video content on your website and social channels.
You can also couple your video marketing campaigns with reliable business intelligence tools to measure your performance and apply data-based improvements.
If you don’t have the in-house expertise and resources to produce high-quality videos, you can always work with a reliable digital marketing agency and professional video marketing service providers.
5. Brand collaborations
Brand partnerships or collaborations empower you to bolster your business by capitalizing on another company’s clout and audience.
Two brands serving the same consumers can offer distinct product lines and aid each other’s growth. You and your partner company can host giveaways, co-produce content, and roll out your joint merchandise together.
When you harness another brand’s customers, your marketing campaigns can capture a wider audience and skyrocket your success.
Here are a few tips for your brand collaborations:
Leverage social fan pages. Fan pages can contribute significantly to your social media lead generation and marketing efforts. They have established groups of enthusiasts on various subjects (e.g., pets, surfing, fitness, etc.). Since these themes already interest them, promoting your products and engaging the followers becomes easier. Send them a private message to begin your partnership.
Tap the right influencers. If you have a limited audience and want to amplify your exposure, tap influencers — people who are popular online, typically on social media, and often have thousands to millions of followers. Pick influencers who can positively represent your brand, exhibit your goods, and transform their followers into buyers.
6. Content marketing
Content marketing is among the evergreen marketing strategies on the Internet. It is the consistent, strategic act of creating, publishing, and promoting relevant online resources to captivate, engage, and convert your visitors.
This strategy is crucial because it answers your target audience’s queries. Today’s customers also expect their favorite brands to generate excellent content regularly.
Your content can come in several formats: blog posts, photos, videos, images, infographics, ebooks, quizzes, podcasts, webinars, and many more.
bioClarity shows a perfect example:
Image Source: bioClarity.
bioClarity has several narrative guides under various categories that visitors can choose to go to directly. It also has how-to tutorial videos:
Image Source: bioClarity.
And a skincare quiz so shoppers can determine the best product for them:
Image Source: bioClarity.
Do these things when producing your content:
Focus on offering value rather than forcing customers to buy your products. This increases their buy-in and loyalty.
For instance, you can use landing page copy such as “Purchase well-written articles and get free backlinks” so potential customers can quickly see the value your brand can give them, encouraging them to convert.
Vary your content formats, or transform old resources into new materials.
Include calls-to-action (CTAs), such as, “Shop now” and “Explore gallery,” to compel customers to perform conversion-oriented activities.
Sprinkle your target keywords to boost your SEO efforts.
With content marketing, you can supercharge your products’ significance and motivate your customers to keep interacting with your business.
Don’t forget to organize, store, and centralize your content marketing assets and materials by using reliable marketing project management software.
Turbo-boost your online business now.
Leverage these and other digital marketing strategies and monitor and improve your execution to get your best possible online business performance.
Remember to align your campaigns with the current consumer demands, adopting new strategies that may emerge when appropriate, to ensure you keep and expand your target customers.
Did you know that company directors are twice as likely to be victims of ID fraud than anyone else? It’s easy to see why when you consider just how easy it is for someone to commit fraud against your company.
Companies House, the UK’s registrar of companies, will happily accept documents submitted via post ‘on good faith’. This means any person can simply complete a form with a fake signature and make changes to your business without your consent or knowledge. This includes:-
Change your company’s registered office
Resign current directors and appoint new ones
File closure documents
Companies House states:-
We carry out basic checks to make sure that the documents have been fully completed and signed, but we do not have the statutory power or capability to verify the accuracy of the information that corporate entities send to us.
We accept all information that such entities deliver to us in good faith and place it on the public record.
In order to avoid such issues, it is highly recommended to sign up for the protected online filing (PROOF) service, and make sure you use a secure password manager to store your login details.
This free service lets you protect your company from unauthorised changes to your records. It prevents the filing of certain paper forms, including:
changes to your registered office address
changes to your officers (appointments, resignations or personal details)
changes to your company name by special resolution
It’s important that your company’s records are correct because they’re sometimes used to check its legitimacy if you apply for a loan.
Fraudsters are known to hijack a company by changing the details of the company’s directors and registered office. This leaves the company vulnerable to further fraud.
Companies House deals with around 50 to 100 cases of corporate identity theft every month. If you suspect fraudulent activity against a company you should report this to Companies House and the police.
Companies House can only assist with issues that involve forms being filed at Companies House, so you should get in touch with them if you have concerns that:
a registered office has been changed without the company’s knowledge or consent
an individual has been appointed as an officer without their knowledge or consent
a company name has been changed without permission
an unauthorised address is being used for a registered office or officer’s service address
If these situations apply, you’ll need to email [email protected] with as much information as possible – including your own contact details – and they will ensure this is investigated.
What they cannot do
It often surprises people, but Companies House does not have any investigatory powers; what it can and cannot do is largely determined by the Companies Act 2006. It receives quite a few enquiries from people asking it to investigate companies, but that is not something it is able to do.
Any allegations of fraudulent activity should always be reported directly to the police. That said, Companies House says it works closely with various law enforcement authorities, providing them with information on request, and has dedicated staff who are able to assist with this.
Fraud Protection Service
Combat company fraud by receiving an email alert whenever a change is made to your company’s records, whether or not it was made with your consent.
Any changes made to your company (those mentioned above, and more) are monitored, and you are sent an email notification whenever a change is detected. You can then act swiftly to ensure no permanent damage is done.