A Couple of Stats to Set the Stage:
1. A December report from the FTC shows that people lost more than $148 million in gift card scams in just the first 9 months of 2021.
- Tip: Always be suspicious when payment is requested via gift cards. As the FTC report says, “Scammers can get quick cash, the transaction is largely irreversible, and they can remain anonymous.”
2. Truecaller’s 2021 Global Spam Report shows spam calls on the rise and becoming more sophisticated.
“Americans receive approximately 1.4 billion spam calls per month, based on the number of smartphone users and average number of spam calls Truecaller users receive daily.”
- Tip: Never give out personal information to an unsolicited caller. Get whatever details you can and get off the phone. Find some way to verify the information, and then call back if it’s legitimate.
1. Fake Spam Notifications
This new scam on the rise targets Microsoft users.
You receive an authentic-looking email from ‘quarantine’ with Microsoft in the domain.
The message tells you that one or more messages have been blocked and need to be reviewed.
The message has a convincing look and format, including the Office 365 logo.
If you click the blue Review button, you will be taken to a page that requires you to log in. A tricky detail on this page is that the login box shows ‘Session Expired’, which could trick you into thinking it is legitimate.
If you do type in your credentials, however, you have just given them to the criminals.
How can you protect yourself?
- Always stop before entering your credentials on a page someone else sent you to.
- Even if you think this is a legitimate Microsoft login page and you see a padlock next to the URL.
- Even if the message that contained the link looks completely convincing.
- If you did not actively navigate to a page you expected to have to log into, then do not enter your credentials.
- Backing up to the message itself, knowing how your company communicates quarantined messages will help you identify this as fake.
- Do you get them directly from Microsoft, from a spam filtering service, or from your IT team? Do they look like this message and include all the security measures your company told you to expect? If not, or if you are in any way uncertain, send the message to us to check out.
2. TSA PreCheck Scam
Planning any travel in 2022? Many businesses are, and even more personal trips are expected. This scam targets anyone considering signing up for or renewing their TSA PreCheck.
It begins as an email that includes some version of ‘Visa’ or ‘Immigration’ in the sender.
You may notice a red flag that the sender is not a ‘tsa.gov’ email address, but not everyone would notice that or consider it strange. Many TSA PreCheck Enrollment Centers are not government entities.
What makes this scam scary is how it does “one of the best jobs impersonating a website ever seen,” according to KnowBe4. Instead of a quickly thrown-together landing page, the link in the email takes you to a nearly full-fledged website with an entirely believable application process.
In addition, unlike most scams, it doesn’t ask for payment up front.
You go through the steps to fill out your personal information and select a security interview time from the windows available. Then, when you certify that everything has been entered correctly, you are asked to pay, along with believable disclaimers of processing time.
Researchers at Abnormal Security say that “This is not the first time this scam has appeared, and it’s not likely to be the last… While this scam mostly targets consumers, organizations that pay for or reimburse employees for TSA PreCheck and related services should be wary of these emails reaching employee inboxes. As business travel resumes around the world, organizations should provide this information to employees as an added precaution.”
So how can you stay safe from this?
- As tempting as it is to click on links in unsolicited emails, train yourself not to. This entire scam can be avoided if you see the message about TSA PreCheck but navigate to the website on your own.
- It seems easier to click a link that’s right in front of you, but the risk means it can end up being far more work and not worth it.
- Also remember to check that the URL is secure (https) and spelled exactly right.
- And if you have any hesitation about a sender, a message, or a link or webpage, trust your instincts. You can always ask your IT team to check something out for you.
3. Another Pandemic Warning
The global trend that just keeps giving to criminals still isn’t stopping. With the new omicron variant, scams about testing and getting information about restrictions have been reported.
As researchers at BleepingComputer put it, “Threat actors are quick to adjust to the latest trends and hot topics, and increasing people’s fears is an excellent way to cause people to rush to open an email without first thinking it through.”
Current examples (my Marketing person says we should call them ‘ex-scam-ples’) show offers of free testing.
If you click the links or buttons in the emails, you are directed to a spoofed health services website. There, they want you to enter your contact information and send a minimal fee, supposedly to cover the cost of shipping the results.
What’s interesting is that the fee isn’t important to these criminals. Getting a couple of dollars off a few hundred or thousand people can add up nicely, but what they are really taking is your financial information. And that can add up to a whole lot more.
What can you do against this?
- Continue to be vigilant about any unsolicited emails related to global or national trends.
- Take note of the emotions an email makes you feel, if any. Scammers like to evoke fear and urgency so that you feel compelled to act quickly.
- Be suspicious of any free offers. Some can certainly be real, but remember the saying: “If you’re not paying for it, you’re not the customer; you’re the product being sold.”