New York Attorney General Letitia James today provided warnings and tips to consumers and businesses who could potentially experience residual impacts from the ongoing crisis in Ukraine. The Office of the Attorney General (OAG) notes that consumers and businesses should be mindful of any potential price gouging of fuel, other goods and services, and take actions to protect themselves against potential cybersecurity threats that may develop amid the crisis.
“As the devastating conflict in Ukraine continues to escalate, New Yorkers must be prepared for potential impacts of the conflict on their wallets and their cybersecurity,” said Attorney General James. “Both consumers and businesses should take the necessary precautions to address the ongoing risks. I encourage anyone who has experienced issues concerning the price gouging of fuel or threats to cybersecurity to contact my office.”
Price Gouging of Fuel
Due to Russia’s role as the world’s second-largest producer of natural gas and one of the world’s largest oil-producing nations, the crisis may lead to market disruptions and potentially inflated prices at the pump. New York law prohibits sellers of fuel and other vital and necessary goods from charging unconscionably excessive prices during an abnormal market disruption, including disruptions caused by world conflicts. New York consumers are urged to report dramatic gasoline price increases to OAG for investigation.
When reporting price gouging to OAG, consumers should:
- Report the specific increased prices, the dates, and places that they saw the increased prices, and the types of fuel being sold;
- Provide copies of their sales receipts and photos of the advertised prices, if available; and
- Buy only as much fuel as they need and not to stock up out of fear of a potential future shortage.
Cybersecurity Best Practices for Consumers and Businesses
While there is currently no active cybersecurity alert, the U.S. Department of Homeland Security has encouraged consumers and businesses of all sizes to ensure they are taking appropriate measures to protect their systems. The OAG has previously investigated issues relating to cybersecurity and provided guidance to both consumers and businesses about how they can best protect themselves from cybersecurity threats.
For businesses these safeguards include the following:
- Use bot detection systems (software designed to block activity from “bots,” or automated software that may, for example, generate hundreds of thousands of login attempts), multi-factor authentication, and strong password requirements for most accounts;
- Develop processes to manage software updates, limit employee access to systems according to their job functions, maintain the security of remote access to company systems, and identify and manage security vulnerabilities (in particular, critical vulnerabilities or vulnerabilities known to be exploited in the wild);
- Implement antivirus software, endpoint detection and response software;
- Implement technical safeguards to filter emails likely to be phishing attempts, and train employees on phishing and other potential scams; and
- Review and test your incident response and business continuity plans. The response plan should include processes for investigation (e.g., determining what information/systems were accessed), remediation (e.g., blocking attackers’ continued access to impacted systems), and notice (e.g., alerting potentially impacted customers). The business continuity plan should include processes to maintain essential services and restore systems from offline backups.
Additionally, Attorney General James recommends consumers take the following steps to safeguard their online accounts against cybersecurity threats:
- Protect your passwords: Use a password manager to keep track of your passwords, and never reuse passwords. While reusing login information may be convenient, it can also put your information at risk. A password manager on your phone, computer, or browser can help you generate strong passwords and automatically fill them in when you log in to a website or an app. Password managers can also check if your passwords have been stolen in a data breach.
- Enable two-factor authentication (2FA): 2FA can provide an extra layer of security by requiring anyone logging in to an account to provide another credential, such as a one-time code sent by SMS or email. Most attackers that have access to a stolen password will not have access to a secondary credential. If a website or app offers 2FA, make sure to enable it for your account.
- Watch out for online scams: Scammers may email, text message, or even call you to trick you into clicking a link, sharing your personal information, or sending money or gift cards. These scammers might pretend to be familiar companies, the government, or someone you know. Make sure you double check the email address or phone number contacting you to see if it’s legitimate. Instead of responding to an email or text from a company, we encourage you to go to the company’s official website and call the customer service number listed. Also, be careful about publicly sharing your information, such as through social media.
- Check regularly for unauthorized activity: Not all companies will notify users when their online accounts have been compromised. You should regularly check your online accounts for unauthorized transactions and activity, and immediately contact the service (and credit card company, if appropriate) if you see something suspicious.
- Regularly run antivirus software: Computer viruses can run in the background without your knowing, so we encourage you to run antivirus software regularly to identify and address unknown threats.
- Update your software: Software updates often include important security updates, so make sure you are using the most up-to-date software and applications on all your devices.
- Sign up for breach notifications: You should register with a breach notification service, like Have I Been Pwned, that will send a notification if an account associated with your email or phone number has been compromised.
- Take suspicious activity seriously: If an online service notifies you of suspicious activity on your account, change your password immediately. If you use the same password for other accounts, change the passwords for those accounts as well.