1. Stimulus Scams
Now that a stimulus bill has been passed, keep an extra vigilant eye out for scams about that money.
As I sent last month, something as global as the current virus brings a surge of phishing and social engineering scams. Once you add money into the mix, the scams simply shift from sharing information with malicious links and attachments to requests for ‘verifying’ your information before you can receive your money.
Experts from KnowBe4 put it this way: “Think about it – one of the fundamental components of a good phishing scam is to create a sense of urgency. And, in a lot of cases, people need the financial assistance established in the Stimulus Package in any of its available forms. The urgency is there… and in copious amounts.”
So what should you look out for?
- Be especially careful of any messages claiming to be from your (or a) bank, the IRS, or any other government agency. Whether it’s an urgent need to ‘verify’ your data or a request for your bank account information, hold off. The IRS has previously reported that it communicates primarily through the mail, and as of March 30th it announced that distribution of checks will be automatic in approximately three weeks, with no action required for most people. A message that asks you to do something before you can be paid is therefore out of step with what the agency itself has said.
- If you receive a message that passes the sniff test, navigate to the sender’s website independently: type the address yourself or use a bookmark rather than clicking a link in the message, since a link can point anywhere regardless of what its text says. If it turns out that you did get something legitimate from your bank or the IRS, you’ll be able to log in safely and find the details in your account.
2. Weaponizing the Fear of Infection
Another timely scam has been reported that shows the adaptability of malicious actors. In this one, the sender is typically a spoofed hospital. And the message is a horrifying notification that you “have been exposed to the Coronavirus through personal contact with a ‘colleague/friend/family member’.” You are then directed to download a malicious attachment and proceed immediately to the hospital.
If you do open the attachment and follow the directions, you will be downloading a “sophisticated and dangerous backdoor trojan [that can] evade detection by security applications, worm its way deep into an infested system, and serve as a platform for a variety of criminal activities.”
You can imagine how effective this might be. The email is short and plain enough to be believable, and it plays on one of our biggest fears right now. Scammers are hoping that fear causes you to react without thinking and open the attachment.
Stay safe with these tips:
- Always try to stop yourself when an email makes you feel a strong emotion. Whether it’s fear, anger, or an adorable desire for puppies and kittens, the sender could be trying to push you towards taking an action–opening an attachment, clicking a link to donate, etc. Many times you’ll be fine (that’s what a lot of successful marketing has been built on), but pausing before you do so can save you a lot of trouble in the long run.
- Check the sender carefully. Look at the actual email address behind the display name, not just the name: does the address match the organization the name claims? If it’s a hospital, is it your local hospital or one you’ve never heard of? Is the name spelled exactly right? If you look the hospital up online, does it have the same address, phone number, logo, and style?
- Try to find another way to confirm before acting on a message like this. If it’s really from the hospital, you should be able to find a phone number (not one included in the message) to call and get more information. And if you do decide to act on it and simply go to the hospital, skip opening the attachment. You know there’s going to be plenty of forms and paperwork when you get there, so why risk it? With the overload our healthcare system is currently dealing with, does it even make sense for them to send customized attachments? You don’t have to be paranoid, but you can certainly question things.
3. A New Twist on Sextortion Campaigns
Remember those old Hair Club for Men commercials where the guy says, ‘I’m not just the president; I’m also a client’? Well, I don’t just research these scams; I get them, too.
If you’ve been to one of our sessions on phishing, you may recall seeing an email I received that claimed to have caught me doing unspeakable or embarrassing things on my computer camera which would be shared if I didn’t cough up hundreds or thousands of dollars.
Now there’s a new twist. BleepingComputer reports a sextortion scam that hinges on curiosity rather than threats and is designed to get you to download malware.
It arrives as a message claiming that a friend of yours, not you, had his email hacked and was told to pay five hundred dollars or else the compromising photos of his girlfriend found in his account would be sent to everyone in his address book. Since he didn’t pay, the hackers are now sending those photos to you in an attached file.
If you were curious enough to open the file, you would find blurred images and a prompt to ‘Enable Content’ to view them. That button is what turns on the macros embedded in the document, and once enabled, those macros download and install the malware. The blurred images are just the bait; nothing in the file will ever become visible.
So how can you protect yourself?
- Try not to let your curiosity get the best of you when it comes to unsolicited emails and attachments. We’re human, so we’re naturally curious. But before clicking on something like that, wondering if it could be real, ask yourself what could be the worst-case result from it. The answer is most likely a far higher price than you want to pay just to satisfy your curiosity.
- Similarly, try not to let fear get the best of you. Getting a message like this and being afraid it’s true, and wanting to confirm before letting your friend know they’ve been hacked, is both noble and dangerous for your own network. Let them know without confirming the evidence, and you’ll both be safer.
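Two of the tells described above (a sender whose address does not belong to the organization its display name claims, from the hospital scam, and an Office attachment that carries macros behind an ‘Enable Content’ prompt, from the sextortion scam) can be checked mechanically before anyone opens anything. The script below is an added example, not code from the newsletter or from any of the sources it cites. The trusted organizations and their domains, the spoofed hospital domain, and the sample messages are all constructed for the demonstration; OOXML files (.docx/.docm/.xlsm) are zip containers whose macros live in a `vbaProject.bin` entry, and legacy .doc/.xls binaries can always carry macros, so the script treats them as suspect without inspecting them.

```python
"""Triage an email for two phishing tells: a display name that claims an
organisation the sending address is not from, and an Office attachment
that carries VBA macros. Example code; all sample data is constructed."""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical contact list: the organisations we expect mail from and the
# domain each one really sends from. Replace with your own bank/hospital/agency.
TRUSTED_ORGS = {
    "mercy general": "mercygeneral.org",   # assumed local hospital
    "irs": "irs.gov",
}

LEGACY_OFFICE = {".doc", ".xls", ".ppt"}   # OLE2 formats; macros cannot be ruled out


def domain_belongs_to(domain: str, trusted: str) -> bool:
    """True if domain is the trusted domain or a subdomain of it."""
    return domain == trusted or domain.endswith("." + trusted)


def sender_findings(msg: EmailMessage) -> list[str]:
    """Compare the From display name against the real address domain."""
    findings = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not any(domain_belongs_to(domain, d) for d in TRUSTED_ORGS.values()):
        findings.append(f"sender domain {domain!r} is not one we know")
    for org, trusted in TRUSTED_ORGS.items():
        # Word-boundary match so 'irs' does not fire on 'First Bank'.
        if re.search(r"\b" + re.escape(org) + r"\b", name, re.I) \
                and not domain_belongs_to(domain, trusted):
            findings.append(f"display name {name!r} claims {org!r} but address is @{domain}")
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = email.utils.parseaddr(reply_to)
        if rt_addr.rsplit("@", 1)[-1].lower() != domain:
            findings.append(f"Reply-To {rt_addr!r} goes to a different domain than From")
    return findings


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Flag Office attachments that can run macros when 'Enable Content' is clicked."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if ext in LEGACY_OFFICE:
            findings.append(f"{filename}: legacy Office binary, macros cannot be ruled out")
        elif data[:2] == b"PK":  # OOXML is a zip container; macros sit in vbaProject.bin
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                        findings.append(f"{filename}: contains a VBA project (macros)")
            except zipfile.BadZipFile:
                findings.append(f"{filename}: claims Office format but is not a valid zip")
    return findings


def triage(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return every finding, empty if clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return sender_findings(msg) + attachment_findings(msg)


def build_sample(spoofed: bool = True) -> bytes:
    """Constructed sample: a 'hospital exposure notice' with a Word attachment.
    spoofed=True uses a look-alike domain and a macro-enabled .docm; spoofed=False
    is the legitimate counterpart with no macros."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if spoofed:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake VBA project stream")
    msg = EmailMessage()
    msg["From"] = ("Mercy General Hospital <notice@mercy-general-alerts.com>" if spoofed
                   else "Mercy General Hospital <notice@mercygeneral.org>")
    msg["To"] = "you@example.com"
    msg["Subject"] = "Coronavirus exposure notification"
    msg.set_content("You have been exposed through personal contact. "
                    "Open the attached form and proceed immediately to the hospital.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="ExposureForm.docm" if spoofed else "ExposureForm.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("spoofed", build_sample(True)), ("legitimate", build_sample(False))):
        print(label, "->", triage(raw) or ["no findings"])
```

Run it and the spoofed message produces three findings (unknown domain, display name claiming Mercy General from a different domain, and a VBA project inside the attachment), while the legitimate counterpart produces none. The display-name check deliberately ignores what the name says about itself and trusts only the domain after the @, which is the same habit the tips above ask a human reader to form.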