1. Fake Forward Phishing
Just in time for Halloween, we have a ‘zombie’ type of phishing attack to avoid. It appears as part of old email conversation, revived and brought back to life.
The message shows up with the genuine subject line and content you previously emailed with someone. The email thread may be full or partial and can date back months or even years. It will now include a link or attachment that the phisher is hoping you’ll click on since the original conversation was real.
Sound scary? You can outsmart it.
How you can avoid falling for this:
- Always look at the sender’s email address. Not just the name that appears, but the actual email address. In this scam, the sender will not be the real person you previously emailed, and you will see a different email address. It works through third-party programs that almost all businesses use, like Mailchimp and ConstantContact. Remember hearing about SendGrid’s spam problem a month ago? This isn’t their fault, but it is an example of how hackers can gain access indirectly. Once in an emailing system, they can harvest what they want and repurpose it into a scam like this.
- Always stop and think before you click or open an attachment. This scam hopes you will see the familiar message and not pay attention to details. Reports have said the link or attachment doesn’t really make sense with the genuine message, so if you slow down and read, you should be able to avoid falling into this trap.
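The first tip above (compare the sender's actual address with the display name, and with the address the real person used earlier in the thread) can be automated on the mail-server or mailbox side. The script below is an added example, not part of the original article; the message, the contact list and the addresses in it are all constructed for illustration, and the `sender_mismatch` helper is a hypothetical name, not a real mail-filter API.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a "revived thread" message. The display name and the
# quoted conversation match a real contact, but the live From: address does not.
SUSPICIOUS_MESSAGE = """\
From: "Dana Reyes" <dana.reyes@marketing-updates.example>
To: you@example.com
Subject: Re: Q3 vendor contract
Date: Wed, 28 Oct 2020 09:15:00 -0400

Hi, following up on our thread below, please review the attached invoice.

> On Tue, 14 Jul 2020, Dana Reyes <dana.reyes@partner.example> wrote:
> Thanks, the contract looks good.
"""

# Constructed sample: the same thread, but genuinely from the known contact.
LEGIT_MESSAGE = """\
From: "Dana Reyes" <dana.reyes@partner.example>
To: you@example.com
Subject: Re: Q3 vendor contract

Quick update on the contract, no attachment this time.

> On Tue, 14 Jul 2020, Dana Reyes <dana.reyes@partner.example> wrote:
> Thanks, the contract looks good.
"""

# Constructed address book: display name -> address you have really used.
KNOWN_CONTACTS = {
    "Dana Reyes": "dana.reyes@partner.example",
}

QUOTED_ADDRESS_RE = re.compile(r"^>.*?<([^>]+)>", re.MULTILINE)


def sender_mismatch(raw_message, known_contacts):
    """Compare the live From: address with (a) the address on file for that
    display name and (b) any addresses quoted in the reply chain.
    Returns a dict describing the checks; `mismatch` is the overall verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    address = address.lower()

    subject = str(msg["Subject"] or "")
    is_reply = subject.lower().startswith(("re:", "fwd:", "fw:"))

    body = msg.get_content() if not msg.is_multipart() else ""
    quoted = {a.lower() for a in QUOTED_ADDRESS_RE.findall(body)}

    expected = known_contacts.get(display_name)
    expected = expected.lower() if expected else None

    name_mismatch = expected is not None and address != expected
    # A reply whose quoted history names a different address for the same
    # person is the signature of the revived-thread scam described above.
    thread_mismatch = bool(quoted) and address not in quoted

    return {
        "display_name": display_name,
        "address": address,
        "expected_address": expected,
        "is_reply": is_reply,
        "quoted_addresses": sorted(quoted),
        "mismatch": name_mismatch or (is_reply and thread_mismatch),
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legit", LEGIT_MESSAGE)):
        result = sender_mismatch(raw, KNOWN_CONTACTS)
        print(label, "->", "FLAG" if result["mismatch"] else "ok", result["address"])
```

The check is deliberately conservative: it only fires when there is something to compare against (a known contact or a quoted thread), so a first-time correspondent is not flagged, and it says nothing about whether the link or attachment itself is malicious. That part still needs the "stop and think" step from the second tip.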
2. Scamming Customer Support
Bad actors are using the contact forms on websites to try to deliver malware.
A typical example would be a message claiming to be from an illustrator whose work is being used without permission on that website. The message would be submitted through a business website form and might include a threat to sue. “Proof” is offered through a link to Google Drive where, supposedly, you could see the original, copyrighted artwork.
It all seems pretty reasonable. But anything downloaded will require that macros be enabled, which then allows the malware payload to be installed.
Stay safe with these tips:
- Repeat to yourself, your staff, and everyone you know to not click on unsolicited links. The fear of being sued is intended to make you less cautious, and it’s natural to be curious about the artwork. But you or your customer service specialist can investigate this in other ways. You may have a webmaster or an internal person who works on the website. You can also do a reverse image search on Google to find more information.
- Never enable macros. Especially in files from strangers. If a message seems legitimate, ask your IT team to find out if it’s safe.
- This particular scam can be so dangerous because the typical filters and flags aren’t being set off. You expect strangers and unknowns to submit through your website forms, and a simple link to Google Drive can be legitimate. So it is critical that the way such messages are handled–the human behavior part–is shaped by education and awareness.
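Because the malicious document in this scam only does damage once macros are enabled, a useful step before anyone opens a file that arrived through a web form is to check whether it carries macros at all. The code below is an added example, not from the original article: it inspects modern Office (OOXML) files, which are zip containers, for the VBA project part and the matching content-type declaration. The sample documents are built in memory and are constructed for illustration; `macro_indicators` and `is_risky_download` are hypothetical helper names.

```python
import io
import zipfile

# Parts and declarations that only appear in macro-enabled OOXML documents.
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions Office itself reserves for macro-enabled files.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")
# Magic bytes of the legacy binary (OLE compound file) formats such as .doc/.xls.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample(with_macros):
    """Construct a minimal docx-like zip, optionally with a VBA project part."""
    overrides = '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    if with_macros:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real vbaProject.bin is an OLE stream; a stub is enough for the check.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


def macro_indicators(data):
    """Return a list of reasons the file appears to carry macros; [] if none."""
    reasons = []
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats need an OLE parser; treat as unknown, not clean.
        return ["legacy OLE document (.doc/.xls style); cannot rule out macros"]
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an OOXML container; this check does not apply
    names = set(z.namelist())
    for part in VBA_PART_NAMES:
        if part in names:
            reasons.append(f"contains macro part {part}")
    if "[Content_Types].xml" in names:
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in content_types:
            reasons.append("content types declare a vbaProject part")
    return reasons


def is_risky_download(filename, data):
    """True if the extension or the container contents point to macros."""
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return True
    return bool(macro_indicators(data))


if __name__ == "__main__":
    print("proof.docx (no macros):", is_risky_download("proof.docx", build_sample(False)))
    print("proof.docx (hidden macros):", is_risky_download("proof.docx", build_sample(True)))
    print("proof.docm (by extension):", is_risky_download("proof.docm", build_sample(False)))
```

A file that trips `is_risky_download` is exactly the kind the second tip says to hand to the IT team rather than open; a clean result only means no macros were found, not that the file is safe, since the same scam can just as easily point at a different payload.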
3. Special Disinformation Delivery
You’ve probably received at least one phishing email from a delivery service, such as UPS or FedEx, with a fake link to tracking or other package information. It’s an especially popular scam around the holidays. Now, you need to look out for them via text–vishing rather than phishing.
Recently, a vishing scheme like this went viral for two reasons. It went out to a massive number of victims, and then it was inaccurately reported to be tied to human sex trafficking.
The text appeared to be from the US Postal Service containing a link to information about a package. Clicking on the link would bring you to a customer satisfaction survey that required your credit card number. Then, someone shared a screenshot of the text and claimed that clicking on the link would allow the sender to track your location, which would be used by sex traffickers.
What can you do against this?
- First things first, do not click on a link about a package you are not expecting. If you’re ordering more lately, as many people are, check your package status in the app or when logged into the website where you purchased it. Secondly, no legitimate customer satisfaction survey would ask for your credit card number. It’s an attempt to steal your credentials.
- With regard to the conspiracy theory aspect, there is a positive and a negative side. The positive is that the viral sharing of it may have kept some victims from falling for the scam. The negative, however, is that it leads to so many false reports of sex trafficking that the national agency handling the hotline is diverted from real cases.
- Disinformation also leads to mental fatigue that can lead to lower cognitive functioning. You get tired of hearing stories that turn out to be untrue, so you start tuning everything out. You pay less attention, and that’s when a scam will trip you up. And things will only get worse as we near the November election. The election may not be a global event like the pandemic, but it is expected by experts to bring a flood of phishing and social engineering scams. So stay alert, and stay safe.