1. SEC Scam
The US Securities and Exchange Commission (SEC) has recently issued a warning of scam calls, voicemails, and emails.
The investor alert describes calls and messages that appear to come from the SEC. The topic is typically an unauthorized transaction or suspicious activity in your checking or other financial account. The scammer may say they need to confirm some information before allowing a trade to go through, or they may threaten you with penalties and fees that you need to pay before more serious action is taken. Their goal is to get you to share account information, PINs, passwords, etc., or to send money.
Some of these calls and emails have been reported to use actual SEC employee names, but the official alert states that the SEC does “not make unsolicited communications – including phone calls, voicemail messages, or emails – asking for payments related to enforcement actions, offering to confirm trades, or seeking detailed personal and financial information.”
How can you protect yourself?
- Be immediately skeptical if you ever receive an out-of-the-blue call or email from a government agency. In this case with the SEC, you can call (800) SEC-0330 or email help@SEC.gov to see if a communication is legitimate before sharing any personal information.
- This type of scam tries to use fear and intimidation to trick you into responding quickly. By spoofing the phone number and email of a real government agency, they appear to be an authority you shouldn’t question. But the point of sharing all these scams is to train you to do exactly that – question. Any real agency will allow you to confirm or verify before blindly taking action. These scams try to make you panic so you act without thinking. So remember, anytime a call or email elicits a strong reaction, especially of fear, stop and take a deep breath. Think through whether it makes sense, and verify independently before following their directions.
2. Don’t Take the Bait
There’s a new kind of email to look out for: the one that’s just bait.
According to Barracuda, an IT security company, “bait attacks, also known as reconnaissance attacks, are usually emails with very short or even empty content. The goal is to either verify the existence of the victim’s email account by not receiving any ‘undeliverable’ emails or to get the victim involved in a conversation that would potentially lead to malicious money transfers or leaked credentials.”
What’s tricky about bait emails is that there is nothing malicious to trigger your security filters. The messages often come from a Gmail address, and there are no suspicious links or attachments. In fact, many bait emails don’t have any text in them at all.
The goal of a bait email is to see if it gets opened, which lets the scammer know that the email address is valid, or even better, gets you to reply to it, so the scammer knows you are willing to respond. They then use your email address in a targeted attack later.
One example of a bait email simply said ‘Hi’ in the subject line. The recipient replied with ‘Hi, how can I help you?’ And within 48 hours, the recipient was part of a targeted attack.
Bait attacks show how scammers continue to evolve. When they send a bunch of malicious emails that get reported, their servers can be shut down. When they send a bunch of emails that bounce, they can get flagged, which means they are less likely to reach inboxes. When they send mysterious emails that people don’t realize are part of a scam, two things happen: the emails don’t get reported, and the scammers end up with a list of email addresses they know won’t bounce, which means many email filters won’t automatically reject them.
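One way to surface messages that fit the bait pattern described above, as an added example that is not code from the original article or from Barracuda, is a heuristic check over parsed mail: a near-empty body, no links, no attachments, and a freemail sender or a one-word subject. The freemail list beyond Gmail, the 20-character body threshold and the sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Freemail domains bait senders favour; the article names Gmail, the other
# entries are an assumption for this example.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)

def bait_features(raw: str) -> dict:
    """Extract the signals that mark a bait (reconnaissance) email."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part else ""
    sender = (msg.get("From") or "").lower()
    domain = sender.rsplit("@", 1)[-1].strip(" >") if "@" in sender else ""
    return {
        "body_chars": len(body),
        "has_link": bool(URL_RE.search(body)),
        "has_attachment": any(True for _ in msg.iter_attachments()),
        "freemail_sender": domain in FREEMAIL_DOMAINS,
        "short_subject": len((msg.get("Subject") or "").strip()) <= 10,
    }

def is_bait_like(raw: str, max_body_chars: int = 20) -> bool:
    """Nothing here for a content filter to block, but the message looks like
    an address probe: near-empty body, no links, no attachments, and a
    freemail sender or a one-word subject. Tune max_body_chars to your mail."""
    f = bait_features(raw)
    return (f["body_chars"] <= max_body_chars and not f["has_link"]
            and not f["has_attachment"]
            and (f["freemail_sender"] or f["short_subject"]))

# Constructed sample messages (not real mail).
EMPTY_BAIT = "From: someone@gmail.com\r\nSubject: Hi\r\n\r\n"
HI_BAIT = "From: Pat <pat.x@gmail.com>\r\nSubject: Hi\r\n\r\nHi\r\n"
NORMAL = ("From: alice@example.org\r\nSubject: Q3 report draft for review\r\n\r\n"
          "Hi team, the draft is at https://intranet.example.org/q3 - comments welcome.\r\n")
_m = EmailMessage()
_m["From"] = "bob@gmail.com"
_m["Subject"] = "Hi"
_m.set_content("")
_m.add_attachment(b"%PDF-1.4 stub", maintype="application", subtype="pdf", filename="x.pdf")
WITH_ATTACHMENT = _m.as_string()

if __name__ == "__main__":
    for name, raw in [("empty", EMPTY_BAIT), ("hi", HI_BAIT), ("normal", NORMAL), ("attachment", WITH_ATTACHMENT)]:
        print(f"{name:10} bait_like={is_bait_like(raw)} {bait_features(raw)}")
```

A hit is a reason to watch the recipient's account more closely and to ask them not to reply, not proof of an attack on its own.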
So how can you stay safe from this?
- The best thing you can do is to not open emails from people you don’t know. I realize that’s not always possible though. So if you do see any kind of message like this, please report it. Even though there is nothing malicious in the message, and even if you feel silly, it could be a bait attack. And if it is, the fact that you got it and opened it means you could receive a targeted attack. If you let us know about it, we may be able to increase security or monitoring for your account. And if you let us know about it before opening it, we can remove it and potentially keep you from being targeted.
- As tiring as it can be to remain alert for all the different email attacks and calls and texts we’re threatened with, paying attention to these scam trends is one of the best ways to stay safe and protect your network. Tactics will continue to change, and it always comes down to how we interact (or not) with these messages.
3. Customer Complaint Scam
Customer service is a fast-paced, critical part of any business. Questions need to be answered, fears calmed, and problems resolved. But what happens if, no matter what you do, a customer remains unhappy?
Experts at Sophos, a security software and hardware company, warn us of a scam that uses fake customer complaints to convince you to click on real malicious links.
The way it works is you get a message that appears to be from a manager or someone high up at your company. It says something along the lines of ‘we need to talk about…’ or ‘why didn’t you tell me about…’ and links to a supposed pdf of a customer complaint. It may also include an order to ‘call me immediately’ or something similar to make you nervous.
Naturally, you would be curious to know what the complaint is before calling. But clicking on the link takes you to a file download that will install malware on your computer.
As Sophos explains, “The goal of these cybercriminals is to make you feel guilty, and to convince you that through inaction on your part, you have caused serious inconvenience not only to the company as a whole, but also to someone more important than you in the organization.”
What can you do against this?
- The good thing about this scam is that it has been reported with a couple of red flags we should all be able to recognize by now. For one thing, the messages often have obvious spelling or grammar errors. For another, if you click on the link, you’ll see it wants you to download a file. Someone within your company would much more likely attach a pdf or simply copy-and-paste the text of the complaint to discuss. Always stop yourself before downloading a file from a link you were not expecting.
- Try to recognize and stop yourself the moment you feel fear or panic as a reaction to an email. No one wants to look bad in front of their boss. But take the time to carefully check the To and From email addresses. Consider who the email appears to be from and ask yourself if it makes sense for them to be emailing you about a customer complaint. If you have any doubts at all, pick up the phone or send a chat message rather than clicking on the link. This scam is also trying to use your curiosity as a trigger, so try to be aware of that, too.