In this line of work, we see so many scams. And while many are evolving and sometimes even creative, there are often 3 factors in common that you can use to identify a suspicious email, text, or phone call.
The first 3 boxes in this diagram from KnowBe4 show these red flags:
- The message is unexpected/unsolicited.
- You’re being asked to do something out of the ordinary from that sender.
- There is urgency to perform the action ‘now.’
If you ask yourself these questions and the answers are ‘yes,’ then ask yourself the last question before taking any action such as clicking a link, opening a PDF, etc.
And if that answer is yes, too, then report the message to us. We’ll check it out.
Healthy suspicion can protect you.
1. ‘Inflation’ Scams
The Federal Trade Commission (FTC) has recently issued consumer alerts about a variety of rising cost issues. As they point out, “Across the country, people are worried about high prices impacting their budgets. And scammers are taking notice.”
- Government grants for home repairs or unpaid bills
- Investment opportunities
- Enticing job offers
- Utility bill shutoff threat
These scams are showing up in emails, calls, and texts.
“They might say they’re from the government and giving away grant money for home repairs or unpaid bills. Or they have an investment that’s guaranteed to deliver quick and high returns. Or they know of a high-paying job that’s yours as soon as you pay a fee or give them your personal information. [Or] you get a call or text from someone pretending to be your utility company. The caller or text says you owe money (which is a lie). The scammers then send you a text—sometimes including your utility company’s logo— with a QR code and tell you to scan it at a Bitcoin ATM to make a payment or your service will be disconnected.”
What can you do to avoid this?
In each of these situations, the scammer is reaching out to you, which should immediately make you suspicious. And in the case of the utility payment scam, no legitimate company will text you that your services are about to be shut off. They are required to notify you in writing and offer some sort of repayment plan. In addition,
- The government won’t get in touch out of the blue about grants. It won’t call, text, reach out through social media, or email you. In fact, real government grants require an application, are completely free to apply for, and are always for a specific purpose.
- All investments have risks. No one can guarantee a specific amount of return on an investment, or that an investment will be successful.
- Honest employers won’t ask you to pay to get a job. If someone claims you can make a lot of money in a short time with little effort — you just need to pay for starter kits, “training,” or certifications — that’s a scam.
- Only scammers demand nonstandard payments. Real utility companies won’t demand payment by Bitcoin, gift cards, or money transfer through a company like MoneyGram or Western Union.
2. PayPal Invoice Scam
A new scam has been reported by numerous security experts, using invoices from PayPal, with an updated spin.
If you would rather listen than read, go to the 23:25 mark of this Secplicity podcast to hear about this scam.
Here’s how it works. A criminal sets up a PayPal account. From there, they use the PayPal platform to send fake invoices that either a) spoof an existing company or b) claim you have a pending charge to your account. In either case, they want you to call to dispute the charge.
That’s the new twist. These criminals take advantage of PayPal’s system to send real emails with real PayPal links, but they put their own wording and phone number in the invoice notes. So when you get this invoice and know you didn’t sign up for anything from Norton or Microsoft, you’d naturally call the number in the notes to dispute the charge.
If you do call, you’ll be greeted by some generic ‘customer service’ rep who listens to you and ultimately suggests you download a remote administration tool so they can ‘resolve’ your issue.
Spoiler alert: Any download will only cause you even more issues.
As Brian Krebs explains, “today’s scammers are less interested in stealing your PayPal login than they are in phishing your entire computer and online life with remote administration software, which seems to be the whole point of so many scams these days. Because why rob just one online account when you can plunder them all?”
How can you protect yourself?
- Accept that criminals are evolving their tactics. Up until now, you may have known to check the logo and sender in an email to make sure it wasn’t a bogus PayPal message. But since this scam is using the real platform, you need to be alert to other dangers.
- Log in to your account independently of that message to see if the invoice is legitimate. If it isn’t, then once you’re in the real system, contact Customer Service through the proper channels. Do not use phone numbers in unexpected emails that are designed to make you anxious or worried. If you don’t want to log in to your account, look up the company’s phone number online instead.
- Never download tools or programs to help resolve an issue with your account. PayPal or your bank or Microsoft, etc. can manage everything they need to within their own system; there is nothing they require on your computer.
3. Rising Robotext Scams
Did you know the Federal Communications Commission (FCC) has a Robocall Response Team? Well, they do. And now they are warning Americans that robotexts may be surpassing robocalls as a tool for criminals.
“Like robocalls, texts can be spoofed to mask the originating number and make it appear that the text is coming from a number you’re more likely to trust. Spoofers may opt for a local number, or impersonate a government agency, such as the IRS, or a company you’re familiar with. Scammers use these methods to get you to respond to a text.”
A recent FCC consumer alert lists some of the approaches you may see:
“Scam text message senders want you to engage with them. Like robocallers, a robotexter may use fear and anxiety to get you to interact. Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems, or law enforcement actions against you. They may provide confusing information (as if they were texting someone else), incomplete information, or utilize other techniques to spur your curiosity and engagement. Some scammers may be after your money, but others may simply be trying to collect personal information or confirm that a number is active for use in future scams.”
One of the members of my team recently shared a text that appeared to be from TeleService. You may have seen it on our LinkedIn page.
TeleService is a legitimate tool BMW uses to notify drivers automatically of upcoming car service needs and to schedule appointments for them. But the person who got the text doesn’t have a BMW.
In another example last week, multiple employees at Axios, the news website, got fake messages appearing to be from the company’s president. Not everyone on staff received the message, but each one who did had it addressed specifically to him or her.
A security researcher from Sophos said it’s a scam tactic he has seen before and that a human takes over after someone responds to the initial robotext. He also said he hadn’t seen several employees at the same company be targeted like that before.
So how can you stay safe from this?
- If you don’t already, start thinking of your text messages just like your emails. Use the questions from the diagram at the top of this message to check for red flags.
- Remember not to click on unexpected links. And don’t provide any information about yourself or your accounts via text.
- Keep your phone’s operating system up to date so you receive bug fixes and security improvements as they are rolled out.
- The FCC says you can forward unwanted texts to SPAM (7726).
- Check with your phone provider on ways to block or report unwanted messages.