1. Don’t Fall for the Fax Notification
A new scam has been reported that targets businesses and seeks to gain Microsoft 365 credentials.
It arrives as an email notifying you of a fax. The notification appears to come from one of various legitimate electronic fax services, such as eFax, and the email can also be sent from a legitimate, though compromised, email account. This is how it gets past most spam filters.
The message typically includes a thumbnail image of the fax and tries to pique your curiosity enough to click a link to view the document. Once you do, however, you will find yourself on a fake Microsoft login site where the scammer hopes you’ll enter your credentials.
How you can avoid this scam:
- First, know what electronic fax service your business uses, if any. That way, you can immediately rule out any notifications from other programs as scams.
- If the message you receive looks authentic enough that you click to view and you arrive at a Microsoft login page, numerous alarms should go off in your mind. Check with someone in your company about the protocol for receiving digital faxes, or, better yet, send the notification email to your IT support team. Let us test it for you.
- Always be suspicious of login pages you did not directly navigate to. Consider the level of access you could be giving away versus the information you may receive. Did anyone tell you to expect a fax? Do you normally receive information via fax? And if so, is this the standard method you use for retrieving faxes? If anything seems strange, ask first.
2. Take a Moment to Zoom Out
Scammers like to capitalize on what’s popular. Now that using Zoom and other conferencing tools has become the norm, these tools are the topic of numerous phishing attempts.
You may receive an email, text, or social media message, complete with Zoom logo, saying your account has been suspended…but can be reactivated by clicking on an enclosed link. Or you may be alerted to a meeting you missed…and you’ll find a convenient link with details and possibly even a way to reschedule. You may even receive what looks like a welcome message, as if someone else invited you…which of course you can accept by clicking on the enclosed link to activate your new account.
However, if you click on any of those links, you will either find yourself on a login page for stealing your credentials, or you will have automatically begun downloading malware.
These messages work because we often need Zoom for our jobs. Or it’s the only lifeline to faraway family and friends. So the messages play on the fear of missing out, and they disguise it with realistically copied branding.
So how can you stay safe from this?
- Always think before you click. If you receive a warning that your account has been suspended, navigate to the website independently and log in. You’ll be able to see and address any issues. If you get notified of a missed meeting, check your calendar first. A quick glance could confirm that you had nothing scheduled in the first place. And if you receive an invitation to activate your account, you can often sign up without clicking any links. Simply go to the program’s website and create any account you want.
- The main reminder here is to stop yourself before clicking. No matter what the message says, ask yourself why you’re getting it. If it seems legitimate, ignore the link and log in independently. And, as above, you can always send such messages to your IT support team to check for you just in case.
3. DMV (or DDS) Text Scam
The state of New York’s Department of Motor Vehicles recently reported a smishing scam. A text claiming to be from the DMV went out to people. It said they needed to update their driver’s license information because of a new compliance requirement. The text contained a link to a fake NY DMV website where the scammers tried to collect personal information.
Although this has only been reported in NY so far, it could roll out in other states. And with all the ways we interact with businesses online, a text with a link is not as obvious a ploy as it once was.
What can you do against this?
- Look for any telltale signs first: spelling and grammar mistakes, the sender not matching who the message says it’s from, and a URL that is not the official, secure webpage it should be.
- Beyond the basics, train yourself to stop before clicking on any unsolicited links in texts or emails. In this case, navigate to the DMV website independently where you can safely log in and see any official notices. Most government agencies tell us they will never ask you to transmit personal information through email or over the phone. They send letters in the mail in order to protect your security. So if you get a message like this, take a screenshot and report it, and then delete it.
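An added example, not part of the original article: a small Python check an IT support team could run on a reported link to see whether its host really belongs to the service the message claims to come from. The allowlisted hosts and the sample URLs (all under the reserved `.example` domain) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: sign-in hosts for the services named in the article.
# Replace with the hosts your organisation actually uses.
OFFICIAL_HOSTS = {
    "microsoft 365": {"login.microsoftonline.com"},
    "zoom": {"zoom.us"},
    "ny dmv": {"dmv.ny.gov"},
}


def check_link(url, claimed_service):
    """Return the reasons a link should not be trusted (empty list = host matches)."""
    problems = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    official = OFFICIAL_HOSTS.get(claimed_service.lower(), set())

    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        # In https://zoom.us@other.example/ the real host is other.example.
        problems.append("text before '@' hides the real host")
    if host.startswith("xn--") or ".xn--" in host:
        problems.append("punycode host (possible lookalike characters)")
    # Exact match or a true subdomain only; 'zoom.us.other.example' must fail.
    if not any(host == h or host.endswith("." + h) for h in official):
        problems.append(f"host '{host}' is not an official {claimed_service} host")
    return problems


# Constructed sample links, one per scam described in the article.
SAMPLES = [
    ("https://login.microsoftonline.com/common/oauth2/authorize", "Microsoft 365"),
    ("https://login.microsoftonline.com.fax-viewer.example/signin", "Microsoft 365"),
    ("https://zoom.us@reactivate-account.example/login", "Zoom"),
    ("http://dmv.ny.gov.license-update.example/", "NY DMV"),
]

if __name__ == "__main__":
    for url, service in SAMPLES:
        reasons = check_link(url, service)
        print("OK     " if not reasons else "SUSPECT", url, reasons)
```

A matching host only shows the link points at the real service; it says nothing about whether the message itself was expected, so the questions in the lists above still apply.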