1. Caller ID Spoofing Scams
This new trend is horrifying but can have a happy ending. Scammers are using caller ID spoofing (making the number they are calling from appear to be another phone number) to trick banks, credit card companies, and victims.
If you’ve ever called Comcast and had the automated system ask if you are calling from the number on the account so it can immediately pull up the right information, then you can understand how part of this scam works.
A scammer uses caller ID spoofing to appear to be the victim and calls the number on the back of a credit card or the bank’s phone system. Because those systems are automated, the spoofed caller ID is enough for them to give the scammer balance information and, in some cases, the most recent transactions.
The scammer then calls the victim, using caller ID spoofing again to pose as the bank or credit card company, and has so much information that the victim believes the call is legitimate. The purpose of this call is to convince the victim that fraud has occurred and have them confirm and “reset” a security word or passphrase.
Once the victim has given this information to the scammer, the scammer can call the bank or credit card company, spoofing the victim’s caller ID, and have full access to the account using the new security word. Horrifying, right?
Well, here’s the happy ending/silver lining:
- You can easily avoid falling for this scam by not engaging in calls “from” your bank or credit card.
- You don’t have to be rude or tip them off, but you can get off the phone and contact the company using the number on the back of your card or contact information on their secure website. Then when the bank tells you they didn’t call, you can report the scam and let them look into it.
- To further protect yourself, since obviously the scammer has your phone number and the name of your bank or credit card, you can make sure there is no strange activity on any other accounts you may have. You can also change passwords, especially if any accounts share the same passwords (which they should not). And you can consider a Dark Web monitoring service that will alert you if your credentials show up for sale.
2. Impersonating the SBA
Small businesses just can’t catch a break. As if dealing with the pandemic isn’t bad enough, a timely scam targeting small businesses has been reported. Emails appearing to come from the Small Business Administration claim to require the victim’s signature on an attached document. The email typically includes elements of the SBA’s branding and refers to application status or confirmation. The message might specifically mention the Paycheck Protection Program (PPP) or may refer to disaster relief loan paperwork.
If you open the attachment that supposedly needs to be signed and returned, however, you will be installing malware onto your computer. Some decrypted examples showed that the installed malware included surveillance tools such as keyloggers, webcam and microphone access, and browser history and password scraping.
Stay safe with these tips:
- Always use caution with attachments. In this case, as is typical for any government agency, you can find the exact steps that will be used for an application process. Most likely they will spell out the ways they will contact you and what they will and will not ask for.
- Especially when you receive emails with attachments and action requests, check the sender carefully. Does the sender’s email match the sender’s name? Is it spelled exactly right? In this case, is it what the SBA told you to expect?
- Before opening an attachment you weren’t expecting, try to confirm its validity another way. Call if you can, but don’t use a phone number in that message. Perhaps ask someone else who has gone through the process. And if you can’t find a way to check on your own (or you don’t want to), then just ask your IT team. We can help with things like this.
3. Notflix
Is there anyone who still doesn’t have a Netflix account? Scammers are working angles with the masses who do as well as those who don’t.
For those who don’t already subscribe, scammers like to make fake Netflix signup sites. This gains them emails, addresses, and often billing account information. For subscribers, fake login sites can capture emails and passwords, which can then be used on the actual site to gain access to any personal or billing information stored in the account. Cybersecurity firm BrandShield recently reported 639 fraudulent domains using the word “Netflix,” 236 of which were established in March alone.
And yet another scam recently offered ‘free passes’ to help alleviate this extended time at home during the pandemic. This angle worked off a questionnaire, which of course meant filling out personal information, and then needed to be forwarded to ten friends. The free pass didn’t actually exist, but the scammers gained 11 new email addresses for phishing attacks and ‘friends’ they could use for social engineering.
So how can you protect yourself?
- Always check and double check the URL of websites you visit. Look for the padlock that indicates they are secure, and check the spelling carefully. Look for double letters or numbers that appear to be letters.
- Whenever you see a free offer, ask yourself why it’s free. There’s a popular saying that ‘if you aren’t paying for the product, you are not the customer; you are the product being sold.’ Now that’s not to say that offers like free shipping are evil. They are usually just a way of motivating customers to spend more. But an offer to receive Netflix for free, when other people have to pay for it every month, should throw a warning flag.
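
The URL check above and the sender check from the SBA tips can be partly automated. The following is an added example, not code from the original article: it flags a web address or sender address whose host contains a brand name outside the official domain, or imitates it with doubled letters or digits standing in for letters. The official-domain sets are supplied by the caller, the digit mapping is an assumption, and the `.example` hosts are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Digits often used to imitate letters (mapping constructed for this example).
LOOKALIKE_DIGITS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}
)


def normalize(text: str) -> str:
    """Undo digit-for-letter swaps and collapse runs of a repeated character."""
    text = text.lower().translate(LOOKALIKE_DIGITS)
    return re.sub(r"(.)\1+", r"\1", text)


def host_of(value: str) -> str:
    """Return the host of a URL, or the domain part of an email address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].strip("> ").lower()
    if "://" not in value:
        value = "//" + value  # let urlsplit treat a bare host as the network location
    return (urlsplit(value).hostname or "").lower()


def classify(value: str, brand: str, official: set) -> str:
    """Classify a URL or sender address relative to a brand's official domains."""
    host = host_of(value)
    # Only the official domain itself or a true subdomain of it counts as official.
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    # Brand spelled correctly, but inside some other registered domain.
    if brand in host:
        return "brand-in-other-domain"
    # Brand only appears after undoing digit swaps and doubled letters.
    if normalize(brand) in normalize(host):
        return "lookalike-spelling"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("https://www.netflix.com/login", "netflix", {"netflix.com"}),
        ("http://netf1ix-login.example/", "netflix", {"netflix.com"}),
        ("https://netflix.com.account-verify.example/", "netflix", {"netflix.com"}),
        ("loans@sba-gov.example", "sba", {"sba.gov"}),
    ]
    for value, brand, official in samples:
        print(f"{value:45} {classify(value, brand, official)}")
```

A result other than "official" means the address should be verified another way before any login or attachment is trusted; a short brand such as "sba" will also match unrelated hosts that happen to contain those letters.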