1. Survey Says…You just got scammed
Many businesses, including ours from time to time, will send out surveys to learn more about customers, feature requests, how attractive certain offers might be, etc.
In order to encourage participation, it is common to offer some kind of incentive. This can range anywhere from a coupon code or small gift card to entries in a drawing for a larger, more expensive prize.
But Naked Security by Sophos has reported a wave of surveys appearing to be from brand name businesses that are actually scams trying to steal your email login and/or credit card information.
The survey usually comes from a real company the scammers have spoofed. Often, it includes basic business questions you would expect about shopping preferences and store hours. Your suspicion should be raised, however, when they not only ask for your email address, but the password you use to log into it. No one sending you email needs your password to do so.
Aside from that red flag, how can you avoid falling for this?
- Pay attention to the details. In one example they reported, the brand name appeared to be an existing, legitimate hardware store, but the first few questions were about shopping habits at a grocery store.
- Look for indications of urgency. If there is a limited number of ‘prizes’ and they are showing how many (or few) are left as you go through the survey, they are most likely trying to get you to answer quickly and without thinking.
- Trust your gut. If the reward for answering a few survey questions seems too good to be true, it probably is. For example, getting a $1,000 iPhone in return for answering ten questions seems a bit over the top.
- Run if you see any requests for payment information. Well, report the website and then run. Many survey scams ask for a ‘nominal delivery fee’ or shipping cost to make that thousand-dollar smartphone prize seem legitimate. But the form where you enter your credit card information feeds directly to the scammers, who will turn around and use it immediately. If that happens to you, call the number on the back of your card right away.
2. VPN Impersonation Scam
As so many companies switched to remote work setups, VPNs quickly became a lot more common. That makes them ripe for scams.
A virtual private network (VPN) is a secure type of connection that lets you use a laptop or home computer as if you were on your company’s network. This is a lot safer than most people’s home connections or the free Wi-Fi used when traveling.
The recently reported phishing scam takes advantage of the influx of new VPN users by claiming there is a configuration update. The message often appears to come from your IT support team, but the link to the supposed update leads to a page that harvests your O365 credentials.
Stay safe with these tips:
- Double- and triple-check any emails claiming to be from IT support. If it’s from us, the sender address will not have your company’s domain. And if it shows up as a contact in your domain, make sure it’s someone you would expect to send that kind of message.
- Ask first. There is no harm in checking. And there could be a lot of harm done without checking. Did your supervisor or IT team warn you this was coming? Did everyone get the email, even staff who never had VPNs set up for them?
- Always stop before entering your credentials on a site you did not independently navigate to. Did you hover over and carefully check the link before clicking? Does the landing page URL, text, and images pass detailed inspection? Does it make sense to give your O365 email and password for a VPN update? If you have doubts about anything, call or email your IT team.
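The “hover and check the link” step above can be automated for a whole message body. The script below is an added example, not code from the original article or from its author; the email body is constructed, and “example-corp.com” is an assumed company domain standing in for the one IT support really uses.

```python
# Added example (not from the original article): flag suspicious links in a
# "VPN configuration update" email before anyone clicks them. The email body is
# constructed for this example; "example-corp.com" is an assumed company domain.
import re
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"   # assumed: the domain IT support really uses

# Constructed sample: one lookalike link, one legitimate link, one bare-IP link.
SAMPLE_EMAIL = """
<p>Your VPN configuration requires an update. Sign in to apply it:</p>
<a href="https://example-corp.com.vpn-update-portal.net/login">https://vpn.example-corp.com/update</a>
<p>Questions? Contact <a href="https://intranet.example-corp.com/helpdesk">the helpdesk</a>.</p>
<a href="http://198.51.100.23/o365/auth">Sign in with Office 365</a>
"""

# Simple anchor extractor; good enough for mail bodies, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain ('corp.com.evil.net' fails)."""
    return host == domain or host.endswith("." + domain)


def check_link(href, text, company_domain=COMPANY_DOMAIN):
    """Return the reasons a link is suspicious; an empty list means no findings."""
    host = (urlparse(href).hostname or "").lower()
    reasons = []
    if not belongs_to(host, company_domain):
        reasons.append(f"destination {host!r} is outside {company_domain}")
    if host.replace(".", "").isdigit():
        reasons.append("destination is a bare IP address")
    # The text the reader sees may itself look like a URL; compare it to the real target.
    if text.startswith(("http://", "https://")):
        shown = (urlparse(text).hostname or "").lower()
        if shown != host:
            reasons.append(f"shown host {shown!r} differs from real host {host!r}")
    return reasons


def audit_email(html, company_domain=COMPANY_DOMAIN):
    """Map each suspicious href in the email body to its list of reasons."""
    findings = {}
    for href, text in ANCHOR_RE.findall(html):
        reasons = check_link(href, text.strip(), company_domain)
        if reasons:
            findings[href] = reasons
    return findings
```

Running `audit_email(SAMPLE_EMAIL)` flags the lookalike link (outside the company domain, and its displayed URL does not match its real host) and the bare-IP link, while the helpdesk link passes.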
3. BLM Phishing Forecast
Current events, especially global ones like the ongoing pandemic, attract any number of scams. Phishing emails can be quickly crafted and sent out en masse to prey on people’s fears, charitable natures, and other emotions.
One of the indicators cybersecurity experts use to predict what attacks we’ll see next is domain registrations. A surge of registrations around a common theme or topic shows what society is currently interested in, and it is often quickly followed by more registrations with malicious intent.
“For example, over 20,000 domains related to COVID-19 were registered in just three weeks and 17% of them were related to maliciousness,” reports KnowBe4.
It may not sound like much, but that is more than 3,000 domains intended to steal your data.
KnowBe4 goes on to say that “the current blacklivesmatter movement is another moment in history that spammers and phishers are sure to take advantage of. Once you start seeing the domain registrations come, the scammers are not far behind.”
You can see a sampling of the domain names here.
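The indicator described above, as an added example rather than anything from the article or from KnowBe4: a short script that counts themed registrations per day in a feed and flags the day a surge begins. The feed and the theme keywords are constructed; a real feed would come from a zone-file or newly-registered-domain service.

```python
# Added example (not from the article or from KnowBe4): the "watch themed domain
# registrations" indicator described above, as a defender would script it. The
# registration feed and theme keywords are constructed for this example.
from collections import defaultdict

THEME_KEYWORDS = ("covid", "corona", "vaccine")     # theme to track; constructed

# Constructed (date, domain) feed: two ordinary days, then a themed surge.
FEED = [
    ("2020-03-01", "sunny-bakery.com"), ("2020-03-01", "covid-info-hub.org"), ("2020-03-01", "blue-river-kayaks.net"),
    ("2020-03-02", "daily-puzzles.com"), ("2020-03-02", "corona-beer-fans.net"), ("2020-03-02", "garden-tools-direct.com"),
    ("2020-03-03", "covid19-test-kits.com"), ("2020-03-03", "corona-masks-shop.net"), ("2020-03-03", "free-vaccine-signup.org"),
    ("2020-03-03", "covid-stimulus-check.com"), ("2020-03-03", "pet-portraits-online.com"),
]


def is_themed(domain, keywords=THEME_KEYWORDS):
    """Keyword match on the registered label only (not the TLD). A match is a
    lead for review, not proof: 'corona-beer-fans.net' matches too."""
    label = domain.lower().rsplit(".", 1)[0]
    return any(k in label for k in keywords)


def daily_counts(feed, keywords=THEME_KEYWORDS):
    """Return {date: (themed, total)} in date order."""
    counts = defaultdict(lambda: [0, 0])
    for date, domain in feed:
        counts[date][1] += 1
        counts[date][0] += is_themed(domain, keywords)
    return {d: tuple(v) for d, v in sorted(counts.items())}


def surge_days(feed, keywords=THEME_KEYWORDS, factor=2.0):
    """Dates whose themed count is at least `factor` times the average of all
    earlier days. The first day has no baseline and never fires."""
    flagged, seen = [], []
    for date, (themed, _total) in daily_counts(feed, keywords).items():
        if seen and themed > 0 and themed >= factor * (sum(seen) / len(seen)):
            flagged.append(date)
        seen.append(themed)
    return flagged


def themed_share(feed, keywords=THEME_KEYWORDS):
    """Fraction of the whole feed matching the theme (the figure KnowBe4 quoted as 17%)."""
    themed = sum(is_themed(d, keywords) for _, d in feed)
    return themed / len(feed) if feed else 0.0
```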
What does this mean for you?
- Stay aware. Not every message about a current event is malicious. But scammers will always try to take advantage of situations when strong emotions are in play. Stay clear-headed, and do not click on links in an unsolicited message.
- Spread the word. Your awareness helps protect you and your network, but what about all the other people who have you in theirs? When we all know the warning signs and best practices, phishing won’t have any hooks left in it.