1. Instagram Scams
According to a BBC article from January 31st, “the average number of Instagram frauds reported each month has increased by more than 50%” since the pandemic outbreak last year. This statistic comes from the national reporting center, Action Fraud, which says the amount of money reported lost per month has more than tripled.
There are romance scams similar to the one I sent you in February, and investment schemes without the romance from “influencers” who post photos of their lavish lifestyles that ‘you, too, can enjoy.’ But a simpler scam to look out for involves giveaways.
Contests work on social media to drive up engagement for businesses and to gather new leads. Many are legitimate. But scammers have taken to impersonating the brands and influencers holding the contests. They will reach out to you saying you were chosen and ask for your information or to pay for ‘shipping fees.’ Neither request is legitimate.
How can you avoid falling for this scam?
- We all like to win things. You can still participate; you just need to be especially vigilant about communication surrounding the contest. Pay attention to the terms, such as when and how the winner will be announced. If you are contacted in any manner other than the one stated, be suspicious.
- Carefully check the sender of any message asking you for your information or money, even if you think it is legitimate. If you weren’t expecting it, find an independent way to confirm, such as reaching out to the brand through their website or customer service.
2. Back to the Office Attacks
Now that everyone in Georgia over 16 is eligible to receive the vaccine, the expectation is a quicker ‘back-to-normal.’ For many businesses, that means a return to the office. Scammers saw this time coming, and reports of attacks built around that theme have already come in.
Examples describe surveys appearing to be from HR to gauge employees’ willingness to get the vaccine or interest levels in returning to the office. As a business owner myself, I can tell you we request feedback from our team on a regular basis. Our survey links do not lead to spoofed sites where scammers hope to harvest login credentials, however.
Other reports warn of a fake ‘letter from the CEO’ link that leads to a malware download, and of supposed policy-change documents that staff must review before returning to the office.
So how can you stay safe from this?
- First, know your company’s policies on communication. Would this type of information come from a generic HR email address or from a particular person? Do they often include links or attachments, or do you have a centralized system for accessing documents that they would refer you to? When in doubt, pick up the phone or send a chat and ask before clicking.
- Always stop before entering credentials on a site you did not independently navigate to or were not expecting to have to log into. That should always be a red flag.
- Any time you have a question or doubt, ask your IT team to check an email for you. You may not be able to point to exactly why you think something is off, but you will more than likely be right. And when it comes to your business’s network, your customers’ security, and your own peace of mind, it is always better to be safe than sorry.
3. Targeted Microsoft Spoofing
A sophisticated campaign designed to harvest credentials has recently been stopped by Area 1 Security. As we’ve seen before, however, if it’s effective once, we can expect it to show up again.
This scam targeted C-suite executives, high-level assistants, and financial departments across numerous industries. Part of what made it trickier is that it was sent only to certain individuals in each company. That means you wouldn’t hear five other coworkers asking whether anyone else had seen a message that didn’t seem quite right.
The scammers also did enough research to go after chiefs during their new-hire transition periods, when they might not yet know exactly how internal emails should look or when a request was coming from an inappropriate sender. Targeting executive-level assistants is often overlooked, but it can be extremely effective, as they tend to have access to a wealth of sensitive information.
Research and analysis showed these attacks to be a complicated combination of techniques designed to bypass Microsoft’s native defenses. The emails were well-written, without the awkward grammar or typos we rely on to easily identify spam. They centered on topics such as ‘Important Service Updates’ and security policy updates or patches that needed to be applied. They used spoofed sites to appear legitimate and sent forged invoices to collect real payments into attacker-owned accounts.
What can you do against this?
- Be suspicious of any links or attachments you were not expecting. Granted, that is harder to do when you’re a new employee without a baseline of normal activity, but being new is also an easy time to ask questions. Ask about everything.
- Stop every time you are sent to a website that requires your login credentials. If you did not navigate to it independently, ask your IT team to see if it’s safe before entering anything.
- Recognize that the old spam messages, so easy to identify by their errors and bad logos, have evolved. Scammers build entire kits and programs to bypass our defenses and get into our inboxes. This is a business to them, and it needs to be just as critical, if not more so, to us. So look at links carefully before clicking, call and ask about unexpected attachments before opening them, and trust your instincts. Ask your IT team to scan anything that seems ‘off’; we are happy to help.
Bonus Scam Alert
This new threat is one to warn your family about. It is typically more effective when received in the home environment rather than at work.
An email comes in claiming that your subscription to some computer protection program has been renewed at an exorbitant price. Examples have referenced Geek Squad, Norton products, MalwareBytes, etc., and the amounts can range anywhere from $400 to $600. The email conveniently includes a phone number for you to call to cancel.
They want you to call.
Getting on the phone with them kicks off an elaborate process that involves well-trained “techs” who understand your confusion and frustration and convince you that the software you know you didn’t download is hidden on your machine and was probably inadvertently installed while browsing the Internet. They promise to locate it, remove it, and then refund your money.
The team at KnowBe4 describes the entire scam process as involving two separate calls, three different remote-control software downloads, and a convincing attempt to get you to log into your online bank account so they can ‘issue an immediate transfer’ as a refund. Gaining direct access to your bank account is their goal.
What can you do against this?
- Remember not to panic when you see unexpected emails like this. A quick check of your bank account or credit card statement would show that no such charge was made. They play on your shock, anger, or fear to get you to act (call them) without thinking.
- Never give out access to your bank account. Any legitimate business should be able to reverse a charge or issue a refund without requiring direct access.