1. Document and Parcel Delivery Scams
All those package delivery notification scams we’re used to receiving over the holidays are effective enough to have evolved. Researchers report an ongoing campaign based on DHL and FedEx shipping notifications.
The FedEx angle typically comes as an email telling you a document has been sent. The subject line may include a date it was supposedly sent on, and the message contains a few details about the document to seem legitimate. Then, of course, there is a link to view it. If you click on the link, you reach a spoofed landing page for you to enter your M365 credentials.
The DHL scam is slightly different, claiming that a parcel is waiting for you at the post office because of missing or incorrect delivery details. This message has ‘shipping documents’ attached for you to review. If you click to open them, you’ll see a blurred-out spreadsheet with an Adobe login box in front. The login box will be pre-populated with your email address to make it look official, and will prompt you to enter your email password.
How can you avoid falling for this scam?
- Remember that any unsolicited message asking you to take an action – to click a link or open an attachment – should be treated with suspicion. Look closely at the details of the sender, hover over the link before clicking, and ask yourself if this is a normal way for someone to send you documents or a package.
- Any time you click an unsolicited link and reach a login page, stop. In this case, ask yourself why FedEx needs you to provide M365 credentials. Or why DHL needs you to log into your Adobe account or your email. Send the message to your IT team and have them (us) check it for you.
- We hate missing out on things – invitations, news, packages, and documents. Social engineering exploits that fact over and over again because it’s human nature. You can read more about it from a former team member here. So if you can learn to recognize the attempt, you’ll be able to stop yourself from clicking into trouble.
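For the IT team on the receiving end of those forwarded messages, the two lures described above can be checked mechanically. The following is an added example, not part of the original post: the brand-to-domain map, the function names, and the sample messages (addresses, hosts, file name) are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

BRANDS = {"fedex": "fedex.com", "dhl": "dhl.com"}  # assumed brand -> official domain

def triage(raw):
    """Return a list of findings for one raw message (str)."""
    msg = message_from_string(raw, policy=policy.default)
    to = msg["To"]
    recipient = to.addresses[0].addr_spec.lower() if to and to.addresses else ""
    claimed = [b for b in BRANDS if b in f"{msg['From']} {msg['Subject']}".lower()]
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_content()
        # Lure 1: a brand is named in From/Subject but a link points elsewhere.
        for url in re.findall(r"https?://[^\s\"'<>]+", body):
            host = (urlparse(url).hostname or "").lower()
            for b in claimed:
                if host != BRANDS[b] and not host.endswith("." + BRANDS[b]):
                    findings.append(f"{b} message links to {host}")
        # Lure 2: an HTML attachment that renders a password prompt,
        # pre-filled with the recipient's own address.
        if part.get_filename() and part.get_content_subtype() == "html":
            if re.search(r"type=[\"']?password", body, re.I):
                findings.append(f"{part.get_filename()} asks for a password")
                if recipient and recipient in body.lower():
                    findings.append("login form pre-filled with recipient address")
    return findings

def build(sender, subject, text, attachment_html=None):
    """Construct a sample message; every value passed in below is made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "pat@corp.example", subject
    m.set_content(text)
    if attachment_html:
        m.add_attachment(attachment_html, subtype="html", filename="shipping_documents.html")
    return m.as_string()

FEDEX = build("FedEx Documents <no-reply@docshare.example>", "FedEx: document sent",
              "View your document: https://docshare.example/m365/login")
DHL = build("DHL Express <notify@parcel-update.example>", "Parcel waiting at post office",
            "Please review the attached shipping documents.",
            '<form><input type="email" value="pat@corp.example"><input type="password"></form>')

if __name__ == "__main__":
    for name, raw in (("FedEx", FEDEX), ("DHL", DHL)):
        print(name, triage(raw))
```

An empty result does not mean a message is safe; these checks only cover the two patterns described in this section.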
2. Vaccine Offers
As mentioned in December’s email, the global pandemic is too large a topic to be safe from scammers.
Carl Wearn, head of e-crime at Mimecast, explains, “The majority of online scams rely on some form of human error, as it is far easier to compromise a single user than a whole system. Threat actors know this well and are continuing to exploit the human factor by tailoring scams to target current events and the fears of their victims.”
So now that vaccines are available on the national level, the number of targets is the entire population. And experts have recently reported a surge of 350% in vaccine scam emails impersonating the National Health System in the United Kingdom.
The messages typically say you have been selected for a shot based on family and medical history. You simply need to fill out some information to take advantage of the offer. The information you provide, such as your name, date of birth, and credit card details, however, will be sold on the dark web.
So how can you stay safe from this?
- Always carefully check ‘offer’ emails. Is the logo current and correct? Does the sender email match? Is this message from your particular doctor’s office or a statewide or federal agency that would be easier to spoof? Does the offer make sense? For example, if you have already received a shot, wouldn’t they have a record of that? If you call and confirm the message is fake, you may want to report the email as a scam.
- You probably receive legitimate messages from your healthcare or insurance providers. So ask yourself if they ever ask you to fill out information online that they already have. Usually, they just email appointment confirmations, reminders, and notices. Whenever you receive an unexpected message asking you to take an action, call them first.
- Any time your credit card details are requested, be suspicious. Send the message to your IT team and have them scan the email for you.
3. Utility Company Threats
Fresh off the headlines, Texas utility companies are warning customers about scams that threaten to turn off their power if they don’t pay overdue bills. This is another example of scammers using major events and trends to target their attacks.
The Federal Trade Commission (FTC) also warns of scammers taking advantage of ongoing extreme weather events to steal utility company customers’ money and personal information.
These scams come in the form of emails and phone calls. They are designed to scare you into complying and giving them money via credit cards, gift cards, or even money transfers. They can spoof phone numbers to appear from legitimate companies, and they can copy real company logos into their emails.
What can you do against this?
- Never give out your banking information over the phone, and be suspicious of any “business” accepting gift cards or money transfers as payment. If you take a call like this, get as many details as you can and then get off the phone. Call your utility provider independently.
- If you get an email like this, recognize that it’s trying to scare you and stop yourself. Don’t click on anything. Navigate independently to your account and see if you have any official messages there.
- Tell your friends and family members about these scams. Victims can lose hundreds and thousands of dollars when they’re not aware of these tactics that begin to seem so obvious to those of us who deal with them all the time. Let your IT team help you, report scams whenever you see them, and consider implementing employee awareness training to give your staff practical experience.
Bonus Scam Alert
With tax time and the added questions surrounding stimulus checks this year, experts are warning about W-2 scams and related threats.
As more and more companies allow employees to opt for digital delivery of their tax documents, rather than waiting for them in the mail, scammers are taking advantage. They send messages claiming to be from HR with malicious attachments or links to download your W-2. They may also try to send ‘Need to Know’ facts about your tax filing this year, or even ‘ways to avoid claiming your stimulus money as income.’
What can you do against this?
- Check your address book right now to see what messages should look like coming from HR. If you do get a message from HR and you’re not sure it’s real, pick up the phone (or chat) and ask.
- Be sure to check all your tax filing questions at irs.gov or with your accountant.