October is Cybersecurity Awareness Month.
The National Cyber Security Alliance & the U.S. Department of Homeland Security launched Cybersecurity Awareness Month in October 2004.
It was created as a collaborative effort between government and industry to ensure that every American has the resources they need to stay safer and more secure online. The initiative is now in its 18th year, and the need for ‘digital hygiene’ and safe online practices is more important than ever.
Infinity is proud to be a Champion of this initiative again, and we’ll be sharing useful tips and practical guides all month long. To get started in your office or at home, please feel free to use and share resources like the following from CISA and the NCSA.
- Own Your Role in Cybersecurity: Start with the Basics (Tipsheet)
- Tech Support Scams and How to Avoid Them (Infographic)
- Security Tips for Remote Workers (Tipsheet)
- Mobile Device Security (Tipsheet)
- Cyber Safety Starts at Home (Infographic)
1. Virtual Kidnapping
This horrific scam actually happened to someone on our team.
You get a call from someone close to you, typically your mom. You answer and hear a woman’s voice crying before the phone is taken away. You think it’s your mother, so naturally you start to panic, wondering what’s wrong. Then a man threatens to kill her if you don’t send money. He threatens to kill her if you call the police or try to call anyone else. He’ll give you an amount and will demand you pay through an app like Venmo or CashApp.
The whole experience is designed to be fast and overwhelming. These criminals use spoofing tools to make the call look like it’s coming from the actual contact in your phone. They won’t let you speak with the caller (your mom) and will threaten to hurt or kill her if you do anything other than comply.
The amount of money demanded typically ranges from one to five thousand dollars. And in one case, the victim was walked through the steps of installing the preferred payment app on her phone by the scammer in order to complete the transaction.
It’s quick money for the criminal, and they have no shame.
How can you avoid this scam?
- This type of extortion scheme has been around for decades, dating back to cold calls from Mexican prisons. It used to target Spanish speakers living in the southwestern US. Now, residents across the country are at risk. The FBI recommends the following:
  - Try to slow down the process. It can help you think more clearly.
  - Avoid sharing information about you or your family during the call. The scammer can repeat names or other things you say to sound more convincing.
  - Ask to speak to your loved one.
  - Ask them a personal question about your loved one, such as birth date or hair or eye color.
  - Have someone else try to text or call your loved one if your requests are refused.
  - Report the incident to your local police and file an FCC complaint (1-888-CALL-FCC).
- This scam has evolved over the years. With many of us blocking or ignoring unknown callers on our cell phones now, the effectiveness comes from the call looking like one of your contacts. Scammers need both phone numbers for a successful spoof, but with all the data breaches, that information isn’t hard to come by. And while we may take it seriously when we know social security numbers are involved, we don’t normally take action when we hear phone numbers get leaked. But we should. So check your email and your phone number at haveibeenpwned.com. The first step is knowing your risk or current exposure.
2. Google Voice Scam
With all the online selling platforms available (eBay, Marketplace, Etsy, even parts of Amazon), it’s possible to find almost anything you could want…or at least think you have. The various programs have differing levels of verification and security, and nearly all of them warn you that you accept liability for your transactions. Naturally, with the rise in popularity of these one-to-one online sales comes an increase in scam opportunities.
The Identity Theft Resource Center (ITRC), a nonprofit organization dedicated to supporting the victims of identity theft, building awareness, and helping resolve cases, reports the following:
“If you are looking to sell anything online, you should be aware of the Google Voice scam. Scammers are posing as interested buyers on online marketplaces and are trying to steal your personal information to create a fake Google Voice account in your name.”
In one such report, a woman described being contacted by a buyer. They agreed on their deal, and the buyer asked the seller for her phone number in order to coordinate pickup. Then, instead of calling to make arrangements, the buyer said they’d like to confirm by sending a verification code, since they had seen so many fake posts. Sounds reasonable. The seller got the code and was about to send it when she saw the warning telling her not to share this code with anyone. She pushed back on the buyer, who insisted the code was necessary to prove the seller was legit. The seller refused, and the buyer vanished, removing the user profile, too.
Of the 1,824 victim cases the ITRC received in August, 49% of them were Google Voice scams.
The scam is that with the verification code, the criminal can create a fraudulent Google Voice account in your name that is used to scam others.
The ITRC is also receiving reports from victims who claim to not have a Google Voice account. In this scenario, scammers set up a Google Voice account and link it to the phone number of the person they call so they can create a fake post selling the same items as a legitimate seller.
So how can you stay safe from this?
- The need for increased protection of our online accounts is why multifactor authentication (MFA) has become so much more popular, if not downright required. It adds verification steps beyond entering your password in order to gain access to your accounts. And these extra steps force criminals to get more creative. They need you to pass along those codes or PINs or other verifying information. That means you need to start treating that info as you do your passwords: no sharing. The seller above said she almost fell for the scam. It was only seeing the warning that comes with the verification code that made her stop and think about it.
- Try to stay alert for red flags whenever you are conducting business with someone you don’t know. Cash apps can be legitimate, but they are generally less secure than credit cards that offer fraud protection. Sellers who don’t have a selling history or buyers who refuse to go along with whatever procedure you put in place for your own safety should set off warning bells. Try to dig around and do your research before diving into any kind of money exchange with an online stranger.
3. Shortened LinkedIn URLs
According to Avanan, an email security company, scammers are using shortened LinkedIn URLs to disguise malicious links.
LinkedIn automatically shortens links that are longer than 26 characters. The URL is shortened to a “lnkd.in” link followed by several characters. Attackers are abusing this feature to avoid detection by users and security filters.
Reported examples include emails about missing information needed to move forward on a project, but the content of the message could be pretty much anything, and the target could be pretty much anyone.
By using a shortened link from a legitimate service, we are less likely to be suspicious. And the multiple redirects through harmless sites help to fool security technologies that check for phishing pages. Ultimately, the link leads you to a page to download a PDF or tries to harvest your credentials.
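For IT teams checking reported messages, the sketch below (an added example, not code from Avanan or LinkedIn) pulls “lnkd.in” links out of a message body and records every hop of the redirect chain and the final host, so the destination is judged instead of the shortener. The message text, the redirect table, and all `.example` hosts are constructed; a real tool would look up each hop with redirects disabled and read the `Location` header.

```python
import re
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"lnkd.in"}  # the shortener named in the article
MAX_HOPS = 10                  # assumption: give up on very long chains
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed redirect table standing in for live lookups: each key
# redirects to its value, mimicking hops through harmless-looking sites.
SAMPLE_REDIRECTS = {
    "https://lnkd.in/eXample1": "https://harmless-blog.example/go?id=7",
    "https://harmless-blog.example/go?id=7": "https://cdn.example.net/r/abc",
    "https://cdn.example.net/r/abc": "https://login-portal.example.org/signin",
}
SAMPLE_BODY = (  # constructed message
    "We are missing information needed to move forward on the project. "
    "Review it here: https://lnkd.in/eXample1. Site: https://www.example.com/about"
)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def expand(url, redirects, max_hops=MAX_HOPS):
    """Follow the chain hop by hop and return every URL visited."""
    chain, seen = [url], {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:  # redirect loop, stop here
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain

def review_message(body, redirects):
    """Return one finding per shortened link found in the message body."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop trailing sentence punctuation
        if host_of(url) not in SHORTENER_HOSTS:
            continue
        chain = expand(url, redirects)
        final = host_of(chain[-1])
        findings.append({
            "link": url,
            "hops": len(chain) - 1,
            "final_host": final,
            "unresolved": final in SHORTENER_HOSTS,
            "leaves_linkedin": not (final == "linkedin.com" or final.endswith(".linkedin.com")),
        })
    return findings
```

A finding with several hops that ends on a sign-in page outside LinkedIn matches the pattern described above and is worth escalating.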
“Check Point Research found that LinkedIn is the sixth-most impersonated brand in attempts globally in Q2 2021. That’s up two spots from Q1 2021.”
What can you do against this?
- Continue to be vigilant with every message, especially those with links or attachments. Scammers will continue to use more sophisticated tactics to hide their true intent and to get past the tools businesses put in place against them. Hovering over this link would likely do you no good, and that information can be manipulated as well. So it comes down to what you do when you are faced with the landing page. Question everything. If the email asked you for information, why would it offer a PDF to download? If you click on a link and end up on a login page, why would your login be the way to answer their question? Always stop before entering your credentials somewhere you did not navigate to independently.
- Keep reporting any scam messages you see, and remember that you can always ask your IT team to check messages you have doubts about. Trust your gut whenever something seems strange, and don’t hesitate to pick up the phone or send a chat to someone when you have a question.