New Phishing Scam Alert

We’ve been seeing plenty of phishing scams lately.

What are Phishing Scams?

A phishing scam is when cybercriminals try to get unsuspecting victims to click on a malicious link so they can steal the victims’ private information. It’s usually carried out through an email in which the scammer imitates a legitimate person or business.


Thieves will go to great lengths to create a message that appears to be from someone you trust. The latest attack that you need to know about is a malicious email claiming to be from Microsoft.

Current Active Phishing Scam

The email has a subject line that states, “Your Banking Assets Are Blocked.” The message claims to be from Benedict Brown, who is representing Microsoft Security Office. Warning: This is a fake email and contains a malicious link.

How this phishing attack works

[Image: the fake email]

If you receive this email, delete it immediately. You also need to know how to prevent falling victim to a phishing scam.

As you can see in the image above, the message tells the recipient that suspicious activity has been found with their bank accounts. It goes on to claim that their computer is infected with a virus or an exploit impacting banking operations.

The scammer says they have included a full report containing all relevant information pertaining to the suspicious activity. The recipient is then asked to download the report from an official server by clicking a link at the bottom of the message.

The link will actually take you to a malicious site that could infect your gadget with malware. Once you get to the site, you’ll be asked to open a malicious Office document. Then you will be asked to enable macros to view the document.

If you enable macros, your gadget will be infected with Neutrino bot malware. This malware allows the scammer to do several things:

  • Steal personal data – The cybercriminal can capture keystrokes, do form grabbing, and take screenshots from your gadget.
  • Perform DDoS attacks – DDoS stands for “distributed denial of service,” which is a techy way of saying “crashing a system or the whole internet.” It works when a targeted website or server is flooded by an overwhelming amount of requests from millions of connected machines in order to bring it down.
  • Download more malware
  • Make spoof DNS requests – Domain Name Server (DNS) spoofing is when cybercriminals exploit vulnerabilities found in the domain name server. They do this to redirect traffic from legit servers to fake ones.

Tips for Avoiding Phishing Scams

  • Be cautious with links – If you get an email or notification that you find suspicious, don’t click on its links. It’s better to type the website’s address directly into a browser. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, do not click on it.
  • Do NOT enable macros – You should never download Word or Excel files attached to unsolicited emails to begin with. If you do open one of these documents and it says that you need to turn on macros, close the file and delete it immediately.
  • Do an online search – If you get a notification about something that seems shady, do an online search on the topic. If it’s a scam, there are probably people online complaining about it and you can find more information.
  • Watch for typos – Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos.
  • Know what phishing emails look like – Typically, there are obvious signs that give away the fact that an email is fake.
  • Use multi-level authentication – When available, you should be using multi-level authentication. This is when you have at least two forms of verification, such as a password and a security question, before you log into any sensitive accounts.
  • Have strong security software – Having strong protection on your family’s gadgets is very important. The best defense against digital threats is strong security software.


Beware Holiday Email Scams

It’s the holiday season, which means shopping is buzzing more than usual. Many of us are using online storefronts to purchase our gifts. While this is quite convenient, it can also lead to some problems.


We know that scam emails are nothing new, but recently a fake email claiming to come from Amazon has cycled around. The message reads as follows:

Hello,

There was a problem processing your order. You will not be able to access your account or place orders with us until we confirm your information.click here to confirm your account. We ask that you not open new accounts as any order you place may be delayed.

 

For more details, read our Amazon Prime Terms & Conditions.

Of course, this is garbage. Clicking on the link in this email leads you to a fake “Amazon” login page, where the scammers ask you to kindly enter your credit card information. Once you’ve done so, it redirects you to the real Amazon website, but the damage is already done.

It’s worth reiterating email safety tips so you don’t fall victim to traps like these. Never click through links in emails that ask for personal information. If you receive an email you aren’t sure about, go to amazon.com in your browser and sign into your account from there. Amazon and other reputable companies will never ask you for your password or other sensitive info via email.

Amazon also asks that if you receive a spoofed email like this, forward it to stop-spoofing@amazon.com so they can review it.


Security Tips for Your Traveling Phone

Today there is not much tech news worthy of our time here, which is the norm for a Sunday morning. So as always when the tech news is light and I have a little time (and the energy) I often take the time to review something that I think is important for all of you, my dedicated readers.

I am on a short vacation @ Disney World for my birthday so what you have here is a well timed technology article!

OK I admit it. “People Watching” is actually a part of my Disney experience and one of the first things you notice about people these days, is that even when they are on vacation, most are glued to their smartphones.

Here are some tips for keeping your smartphone secure.

Do Not Have Your Phone Stolen

Sounds obvious, right? And yet it happens all the time. Did you know that 2.1 million cell phones were reported stolen in 2014? If a thief takes your phone, they can learn a lot about you, including where you live, where you work, who your bank is, your credit card information, saved passwords and much more.

Don’t bury your nose in your phone while you’re walking on the street, especially in large cities, or places like Disney World. Stay vigilant in tourist areas, which are usually hotbeds for pick pocketing. Keep your phone out of reach of criminals by keeping it in your bag or front pocket.

Lock Your Phone!

If you don’t already have a screen lock, set it up now. It’s the most basic line of defense to stop thieves from rifling through your phone if it ends up in their hands.

On Android, you can use a password, PIN (pictured right) or swipe lock. PINs and passwords, especially ones longer than four characters, are harder to crack, so they’re a bit safer. Some Android phones also have fingerprint readers to unlock the screen, which is a safe and convenient option.

With iPhones, you can use a PIN. For the iPhone 5S and newer there’s Touch ID which is a simple yet effective fingerprint lock. Pick whichever method works best for you and use it.

Any of these precautions will stop a bad day (losing your phone) from becoming a very scary day, because all of your data will be locked and you will have time to report the phone lost or stolen and have it wiped. More on that in an upcoming article.

Track Your Phone!

Should your phone ever go missing, you can track its location and remotely lock or erase it. Here are a few steps to take to make sure you’re set up to do this.

On Android, go into the Google Settings app (separate from the regular Settings app) and tap Security. Under Android Device Manager, make sure both “Remotely locate this device” and “Allow remote lock and erase” are turned on. With those two settings, you can track your phone on a map from your computer and erase your phone should it be stolen or misplaced.

Disney Magic + Device Finder = A Success Story

A personal story. Two years ago one of my family members forgot his iPhone on a Disney bus when we were traveling to the Magic Kingdom. A short time after getting off the bus we were walking through the park when he realized the phone was missing. Using the Device Finder we could see that it was traveling through Disney property – on the bus. We called Disney customer support and they worked with the travel department and found the phone and returned it (within a couple of hours). Yes, there was some Disney Magic here, but that could not have happened as easily if the Device Finder was not turned on.

For iPhones and other iOS-powered gadgets, Apple has Find My iPhone, a feature that is turned on by default and lets you find your iOS device on a map, lock it, and remotely wipe it. Log into the Find iPhone app with your iCloud account to check that it’s set up correctly.

Always Use Protection (Especially You Android Users)

Antivirus protection, that is. Android phones (and to a lesser extent, iPhones) are susceptible to malware, but an app like Lookout, Avast or TrustGo scans your phone to find these dangerous programs and helps you remove them.

Though iPhones can get malware, there aren’t any antivirus apps you can use. Instead, Apple pushes out security patches when it finds flaws in iOS that would let malware get in.

Beware Free Wi-Fi

Free, unsecured Wi-Fi networks generally leave you vulnerable to other people checking out what you’re doing online. Even worse, an open Wi-Fi network could be a spoof designed explicitly to steal your information.

Free Wi-Fi at a cafe or airport is generally safe, but make sure you don’t access any sensitive information (like your bank’s website) while using them. Definitely steer clear of connecting to random open networks you don’t recognize. They aren’t worth the risk.

Avoid Clicking on Suspicious Links

Phishing is a common tactic criminals use to get you to reveal personal data or infect your phone with malware.

If you get a random text with a link from someone you don’t know, do not click it. It could be someone trying to get information out of you, or worse, malware that can control your phone and send information back to hackers.

Check out my April 20th post about how to avoid email scams.

One final tip would be to simply leave the blasted phone home while on vacation, but we all know that is simply not going to happen.


Avoiding Email Scams with 10 Easy Tips

Recently I have been asked about a couple of suspicious email messages, which were both, of course, not legitimate messages but scams in which the sender, a truly bad guy, was “phishing” in order to steal money from the receiver.

Every day countless phishing emails are sent to unsuspecting victims all over the world. While some of these messages are so outlandish that they are obvious frauds, others can be a bit more convincing. So how do you tell the difference between a phishing message and a legitimate message? Unfortunately, there is no one single technique that works in every situation, but there are a number of things that you can look for.

This article lists 10 of them.

1: The message contains a mismatched URL

One of the first things I recommend checking in a suspicious email message is the integrity of any embedded URLs (or website addresses). Often the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the top of the URL, you should see the actual hyperlinked address (at least in Outlook). If the hyperlinked address is different from the address that is displayed, the message is more than likely fraudulent or malicious.

2: URLs contain a misleading domain name

People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works. The last part of a domain name is the most telling. For example, the domain name info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right-hand side). Conversely, brienposey.com.maliciousdomain.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name.

I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.

I have found that sadly this often works because most people trust companies like “Microsoft” and “Apple” so when long standing names like this are used people often let their guard down. The lesson here is to never let your guard down when it comes to email messages.
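Tips 1 and 2 can be checked mechanically on an HTML message body. The Python code below is an added example, not part of the original post: it compares the address each link displays with the address it really points to, and flags hosts that carry a trusted name on the left without ending in the trusted domain. The sample body and the `TRUSTED` list are constructed for illustration; the host names are the ones used in the text above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; the host names are the ones used in tips 1 and 2.
SAMPLE_HTML = """
<p>Verify your account:
<a href="http://brienposey.com.maliciousdomain.com/login">http://brienposey.com/login</a></p>
<p>Newsletter: <a href="https://info.brienposey.com/news">info.brienposey.com/news</a></p>
<p><a href="http://Microsoft.maliciousdomainname.com/">Click here</a></p>
"""

# Assumption: domains the reader really deals with, given as registrable domains.
TRUSTED = {"brienposey.com", "microsoft.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def url_host(value):
    """Lower-cased host of a URL or bare 'host/path' string, or None."""
    if not value or " " in value or "." not in value:
        return None  # plain wording such as "Click here" names no host
    try:
        return urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None


def belongs_to(host, domain):
    """True only when `domain` is the right-hand end of `host` (tip 2)."""
    return host == domain or host.endswith("." + domain)


def imitated_domain(host, trusted):
    """Trusted domain whose name appears in `host` without owning it, else None."""
    if any(belongs_to(host, d) for d in trusted):
        return None
    labels = host.split(".")
    for domain in sorted(trusted):
        if domain.split(".")[0] in labels:  # brand used as a child-domain label
            return domain
    return None


def check_links(html, trusted=TRUSTED):
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = url_host(href), url_host(text)
        if real is None or not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, relative links etc. are out of scope here
        findings.append({
            "href_host": real, "shown_host": shown,
            "mismatch": shown is not None and shown != real,  # tip 1
            "imitates": imitated_domain(real, trusted),       # tip 2
        })
    return findings

if __name__ == "__main__":
    print(*check_links(SAMPLE_HTML), sep="\n")
```

The suffix test is only as good as the trusted list: it does not consult a public-suffix list, so entries must be full registrable domains, and it does not catch look-alike spellings.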

3: The message contains poor spelling and grammar

Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, and legality, among other things. So if a message is filled with poor grammar or spelling mistakes, it probably did not come from a major corporation’s legal department.

4: The message asks for personal information

No matter how official an email message might look, it’s always a bad sign if the message asks for personal information. Your bank does not need you to send it your account number. It already knows what that is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

5: The offer seems too good to be true

There is an old saying that if something seems too good to be true, it probably is. That holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, the message is probably a scam.

6: You didn’t initiate the action

Just yesterday I received an email message informing me I had won the lottery! The only problem is that I have never-ever bought a lottery ticket. If you get a message informing you that you have won a contest you did not enter, you can bet that the message is a scam.

7: You’re asked to send money to cover expenses

One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message. But sooner or later, phishing artists will likely ask for money to cover expenses, taxes, fees, or something similar. If that happens, you can bet that it’s a scam.

8: The message makes unrealistic threats

Although most of the phishing scams try to trick people into giving up cash or sensitive information by promising instant riches, some phishing artists use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it’s probably a scam. Let me give you an example.

Just recently a workmate received an official looking email that was allegedly from a co-worker. The email went on to ask for our “account number” and “routing number”. Although it appeared to be an email from one staffer to another staffer the email originated from a hidden domain and as I mentioned in Tip #3 the spelling and grammar was poor.

Also, as I mentioned in Tip #4, legitimate companies will not ask for sensitive information by email, and you, of course, should never-ever send this type of information via email.

9: The message appears to be from a government agency

Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes they will send messages claiming to have come from a law enforcement agency like the IRS, the FBI, or just about any other entity that might scare the average law-abiding citizen.

I can’t tell you how government agencies work outside the United States. But here, government agencies do not normally use email as an initial point of contact. That isn’t to say that law enforcement and other government agencies don’t use email. However, law enforcement agencies follow certain protocols. They do not engage in email-based extortion.

10: Something just doesn’t look right

In Las Vegas, casino security teams are taught to look for anything that JDLR (just doesn’t look right), as they call it. The idea is that if something looks off, there’s probably a good reason why. This same principle also applies to email messages. If you receive a message that seems suspicious, it is usually in your best interest to avoid acting on the message.


Snapchat Latest Phishing Attack Victim

Last week I wrote about the dangers of phishing attacks and here only days later we have yet another example of their danger.

A phishing attack this past Friday reportedly tricked a payroll department staffer at Snapchat into revealing private information about some current and former employees, the video messaging service said yesterday in an online apology. No internal systems were breached and no information about users was released, the company added.

Employees whose information was released have been contacted and offered two years of free identity theft insurance and monitoring, according to the Snapchat blog post about the phishing incident. The company also reported the attack to the U.S. Federal Bureau of Investigation.

The phishing attack caused a payroll employee to believe an e-mail request for information came from Snapchat CEO Evan Spiegel. It’s a type of attack known as “spear phishing” that targets individuals or narrow groups of people rather than sending out e-mails to thousands of random users.

Quickly Reported to FBI

Snapchat stated that it responded “swiftly and aggressively” after learning of the suspicious e-mail and subsequent release of employee information.

“Within four hours of this incident, we confirmed that the phishing attack was an isolated incident and reported it to the FBI,” the company said in its statement.

The company added that it will “redouble our already rigorous training programs around privacy and security in the coming weeks. Our hope is that we never have to write a blog post like this again.”

Phishing Is ‘No. 1 Attack Vector’

Scams involving spear phishing and other kinds of business e-mail compromise efforts “became a major problem in 2015,” according to a report on phishing activity trends released in December by the Anti-Phishing Working Group (APWG). Between the first and third quarters of last year, the number of reports of unique e-mail phishing campaigns ranged from just under 50,000 in January to nearly 150,000 in May, the report said.

Founded in 2003, the APWG is an international organization whose members include businesses, government organizations, law enforcement agencies and non-governmental organizations. Among the businesses participating are Cisco, Facebook, Intel’s McAfee, Microsoft, PayPal and Symantec.

“Phishing is the No. 1 attack vector today and with good reason — it often leads to success,” noted PhishMe’s inaugural “Enterprise Phishing Susceptibility Report,” also released in December. “An organization’s employees are the primary target, the means to the attackers’ end of gaining access to company systems. Employees are the easier targets due to their susceptibility to various emotional and contextual triggers.”

A company that provides “human-focused phishing defense solutions,” PhishMe gathered data for the report by sending 8 million phishing simulation e-mails to more than 3.5 million employees of customer companies. The research showed that employees most often responded to phishing e-mails in the morning, especially at 8 a.m., and they were most often tricked by e-mails with subject lines like “File from Scanner” or “Unauthorized Activity/Access.”

Providing behavioral conditioning to employees reduced the chances that they would respond to malicious e-mails by more than 97 percent after four simulations, the report added.

“It is important to train employees to report phishing attempts as soon as they are recognized in order to offset the likelihood that a phishing attempt will be responded to in its first several hours in a network environment,” according to the report.


Tax Season is a Time to Be Aware of Phishing Attacks

It’s tax time, so you should think twice before clicking on that link in your email inbox. What may look like a legitimate communication from your bank, financial institution or email provider may actually be part of a scheme designed to steal the confidential information stored in your computer, or to gain access to the network it’s attached to.

Experts warn that tax season is a prime time for this brand of fraud known as “phishing” where hackers are out to steal your information in hopes of using it to file a false tax return.

Phishing emails remain one of the top causes of data breaches. While people are more aware of their danger than ever before, the lures continue to evolve and increase in sophistication, making it tough for the average person to discern which emails are legitimate and which ones aren’t.

Here are a few answers to common questions about phishing:

Why Is It So Bad This Time of Year?

Phishing peaks during tax season, partially because it’s a time of year that many people are accustomed to entering their most personal information such as their Social Security number or bank account information on websites.

Hackers can use this information to file false tax returns and steal your refund.

This year is no exception. Earlier this month, the IRS said that it stopped an attack on the e-filing portion of its website. Hackers tried to use a combination of malware and 464,000 Social Security numbers that had been stolen elsewhere to generate PIN numbers that could be used to file fraudulent returns.

Thankfully no taxpayer data was stolen from the IRS computer systems as a result of the hack.

Phishing also spikes around Christmas, with attacks in the form of fake delivery notifications. Thieves also often tie phishing emails to major sporting events, or natural disasters like overseas earthquakes.

What’s the Difference Between Phishing and Spear Phishing?

Phishing is like a person casually throwing a rod in a lake and waiting for a bite. Phishing emails don’t contain a lot of specifics, but are quick and easy to send out in mass quantities.

“Spear phishing” is much more targeted and personalized. The people behind those attacks spend time researching their targets in order to create highly customized emails that look much more legitimate and are much more likely to be clicked on.

The rise of social media has made this a lot easier. Thanks to Facebook and Twitter, details including a person’s place of employment, where they bank, like to shop and the names and ages of their children are just a few clicks away.

What Other Red Flags Should I Be on the Lookout For?

In an effort to get more people to click on a link before thinking about the possible consequences, many phishing emails will give an impression of scarcity, or include some kind of time limit.

For example, an email made to appear to be from a person’s bank or email provider may state that if that person doesn’t click on the enclosed link within 24 hours, they will be locked out of their account.

And while poor English and long, complex web links were previously sure signs of phishing, they’re not as prevalent anymore. Many overseas hackers are no longer using clunky translation websites, because there are fluent English speakers who specialize in translating phishing emails.

Meanwhile, it has become easier to shorten the Web links that direct people to fake websites.

You should be wary of emails purported to be from banks, or other companies you do business with, but did not opt into emails from. Be aware that banks generally do not include Web links in emails.

Be aware of this. Links can take you to a fake website where you will be asked to login and those credentials will ultimately be stolen.

In addition phishing attacks do not just come in the form of email. They can come as text messages as well, with those links often containing viruses.

Is There Any Way To Prevent a Phishing-Related Hacking?

Basic cyber hygiene can go a long way toward preventing a data breach, even if a link in a phishing email gets accidentally clicked on.


Using different passwords for different accounts, two-factor authentication and changing passwords frequently all can be a big help. In addition, companies should test their employees by periodically sending out fake phishing emails to see who falls for them.

Also organizations need to make sure their security keys are up to date, along with their anti-spam filters, so past bad senders don’t keep getting through.

In the end – even if you do not remember most of this – one simple rule will do a lot to protect you.

“Use Common Sense Before Responding to Email or Clicking on Links”
