Top 3 Scams – April 1, 2019
Robocall Scams
Bad actors are automating robocall scams worldwide, and this type of fraud has risen sharply. The calls come in several variants you should watch out for.
Here are a few examples:
- Bank account and credit card scams where the bad guy claims to be an official from your bank or credit card company
- Extortion scams where they request payment for a kidnapped friend or family member
- Callback scams where you are tricked into calling back a very expensive international number
Always be suspicious when a company calls you and demands action right then, over the phone. Legitimate businesses typically notify you of account problems by email or letter and describe the corrective steps; an unsolicited call insisting that you act on the spot is the hallmark of a scam.
If you receive a call from a company urging you to complete a request, politely end the call and then contact the company yourself using a number you already have (the back of your card or the company's official website), not a number the caller gives you. Caller ID can be spoofed to show any number, so a legitimate-looking number proves nothing.
Never provide personal information over the phone unless you’re the one who initiated the call.
Consider registering your number on the FTC's National Do Not Call Registry. Once your number has been on the list for 31 days, you can report callers that do not comply, and you can report robocalls whether or not you are on the list.
Malware through Messaging Apps
As if email and phone calls weren't enough, bad actors are using popular messaging apps to trick you into downloading malware. These scammers know you're used to looking out for suspicious emails, so they hope to catch you off guard in the messaging apps you use every day.
The attack is simple: the bad guys send a malicious link through apps such as Skype and Facebook Messenger. Clicking the link kicks off an attack chain that leaves you with a ransomware-infected machine.
Don’t fall for this messaging scam!
If you receive a suspicious message from someone you don’t know, don’t even open it.
Never click on a link in a message unless you know the sender is legitimate.
If you think the message is okay, hover over any link to see where it really leads before you click. If you're unsure, don't click!
Child P0rn Phishing Attack
This new blackmail/sextortion scam is pure evil.
You get an email claiming the CIA is about to arrest you for child p*rn unless you pay $5,000 to have the sender delete your records. It includes a case number and a fast-approaching, fictional arrest date.
What makes this especially dangerous, even for people who know they have never looked at anything described, is the link offering "more information": shock, fear, or curiosity may tempt you to click it.
Clicking that link is reported to install the very material they claim you will be arrested for and to add related searches to your browsing history. Then they notify the authorities about you!
Always resist the urge to click when it is strongest. Any message that scares you that much or makes you so angry is most likely an attempt to override your logic and good sense.
Immediately report such a message to your IT team.
Top 3 Scams – March 1, 2019
Tech Support Scams
You're browsing online. The attack usually goes like this: first, a fake Windows alert pops up claiming "Your PC might be infected" and telling you to "click OK to do a quick 10-second scan."
When you click OK, a very realistic-looking, but entirely fake, "system scan" runs inside your browser. It is designed to look almost identical to your antivirus software's real scans.
Once the "scan" ends, you're told that your PC is indeed infected and that you need to download and install an update to the antivirus software. Don't do it! This "update" is actually an unwanted application that installs itself on your computer.
Never trust internet pop-ups. They often use scare tactics to get you to call a number for tech support or download an application to “fix” the problem.
Go to your IT administrator (if at work) or a reputable computer repair company (if at home) if you think something is wrong with your computer.
Dangerous Office Attachments Bypassing Email Security
As always, be suspicious of email attachments, because attackers keep finding new ways around email security filters. The latest attack uses Microsoft Office attachments that contain hyperlinks to dangerous websites. Because the document itself carries no macro or exploit, only a link, it passes many attachment scanners that would have caught a malicious payload.
If you open one of these attachments and click a link inside it, you are taken to a malicious website that steals your sensitive information, typically by presenting a fake login page. This particular attack is usually carried out with Microsoft Word attachments, but dangerous links are certainly not limited to .docx files; almost any file type that can hold a hyperlink (PDF, Excel, PowerPoint) can be used.
Remember the following to prevent this type of attack from happening to you:
- Never open attachments from people you don’t know.
- Don’t open any attachment unless you have asked for it or have verified with the sender (through a channel other than email) that it is legitimate.
- Before clicking on any link in an email or email attachment, hover over it to see where it will take you.
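The "hover before you click" advice above (here and in the messaging-app section) has an offline equivalent for Office attachments: a .docx is a zip of XML parts, and each external hyperlink's real destination lives in word/_rels/document.xml.rels, separate from the text the reader sees in word/document.xml. The following added example (not code from the original newsletter) builds a constructed two-link document in memory, then lists every external link and flags any whose displayed text is itself a URL pointing at a different host. All domains are placeholders.

```python
"""Extract the external hyperlinks from a .docx and compare each link's
displayed text with its real target: the offline equivalent of hovering
over a link before clicking it. Added example; sample document constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx with two hyperlinks. The first shows a
    bank URL but points at an attacker-controlled host; the second is honest.
    Only the two parts our parser reads are included."""
    document_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{NS['w']}" xmlns:r="{NS['r']}">
  <w:body>
    <w:p><w:r><w:t>Your statement is ready:</w:t></w:r></w:p>
    <w:p><w:hyperlink r:id="rId1">
      <w:r><w:t>https://portal.example-bank.com/statement</w:t></w:r>
    </w:hyperlink></w:p>
    <w:p><w:hyperlink r:id="rId2">
      <w:r><w:t>Contact us</w:t></w:r>
    </w:hyperlink></w:p>
  </w:body>
</w:document>"""
    rels_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{NS['rel']}">
  <Relationship Id="rId1" Type="{HYPERLINK_TYPE}"
    Target="http://portal.example-bank.com.attacker.invalid/login" TargetMode="External"/>
  <Relationship Id="rId2" Type="{HYPERLINK_TYPE}"
    Target="https://www.example-bank.com/contact" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def looks_like_url(text: str) -> bool:
    return text.lower().startswith(("http://", "https://", "www."))


def registered_host(url: str) -> str:
    """Lower-cased hostname of a URL; enough to catch 'bank.com' text that
    really goes to 'bank.com.attacker.invalid'."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def extract_hyperlinks(docx_bytes: bytes) -> list:
    """One record per external hyperlink: the text the reader sees, the URL the
    click actually goes to, and whether the two disagree."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels_root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        doc_root = ET.fromstring(z.read("word/document.xml"))

    # Relationship id -> external target, hyperlink relationships only.
    targets = {
        rel.get("Id"): rel.get("Target")
        for rel in rels_root.findall("rel:Relationship", NS)
        if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External"
    }

    records = []
    for link in doc_root.iter(f"{{{NS['w']}}}hyperlink"):
        target = targets.get(link.get(f"{{{NS['r']}}}id"))
        if target is None:
            continue  # bookmark link inside the document, not a web destination
        shown = "".join(t.text or "" for t in link.iter(f"{{{NS['w']}}}t")).strip()
        records.append({
            "shown": shown,
            "target": target,
            "mismatch": looks_like_url(shown) and registered_host(shown) != registered_host(target),
        })
    return records


if __name__ == "__main__":
    for rec in extract_hyperlinks(build_sample_docx()):
        flag = "MISMATCH" if rec["mismatch"] else "ok"
        print(f"[{flag}] shown={rec['shown']!r} -> {rec['target']}")
```

Run it against a real attachment by passing the file's bytes to extract_hyperlinks instead of build_sample_docx(). A link whose visible text is not a URL ("Contact us") cannot be checked this way, so still read the target host before clicking.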
Bogus Job Offers
This one is tricky. According to researchers at Proofpoint, a series of phishing campaigns is targeting companies in various industries with phony job offers sent as direct messages on LinkedIn.
The attacker initially makes contact by sending an invitation to the target on LinkedIn with a short message regarding a job opportunity.
Within a week after the target accepts the invitation, the attacker will send a follow-up email with either a link or a PDF attachment that contains embedded URLs.
These links take the target to a spoofed copy of a real staffing service's site, which pushes a download of either a Word document or a JScript loader. Either one ends with the installation of a JScript backdoor known as "More_eggs", which can install further malware or be used to gather information from the machine.
Strangers do reach out about jobs on LinkedIn, so you have to be incredibly vigilant to avoid this.
- Do some independent research on the supposed offer.
- If you can't find anything about the company or position, search for the person contacting you.
- Look very carefully at the staffing service site you're directed to. Check the address for misspellings and look-alike characters, and the rest of the site for missing or strange information.
- Remember to always be suspicious of downloads: a job offer should never require you to run a file you downloaded.
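Checking a staffing site's address for "tricky spellings" can be turned into a repeatable test, which also covers the advice later on this page to type file-sharing addresses yourself. The following added example (not code from the original newsletter) compares a URL's hostname against a constructed allow-list of sites you actually use and reports the common imitation tricks: a trusted name used as a subdomain of someone else's domain, digits or letter pairs that resemble other letters, one- or two-character typos, and non-ASCII or punycode labels. TRUSTED, CONFUSABLES and all test URLs are placeholders.

```python
"""Flag look-alike hostnames against a short list of trusted domains.
Added example with constructed data; a heuristic, not a full public-suffix
or Unicode-confusables implementation."""
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list: the real sites you use. Keep it short and exact.
TRUSTED = {"example-staffing.com", "dropbox.com", "linkedin.com"}

# Substrings that read as other letters at a glance; a short table, not exhaustive.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Wrong for suffixes like co.uk, fine for .com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name: str) -> str:
    """Reduce a name to what it looks like: strip accents, fold confusables."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Return the hostname, a verdict (trusted / suspicious / unknown) and the
    reasons behind it."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reasons = []

    # Internationalised names: letters from another script can render exactly
    # like Latin ones, and the browser may show them decoded or as xn-- labels.
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("internationalised hostname; letters may only look Latin")

    reg = registrable_domain(host)
    if reg in TRUSTED:
        return {"host": host, "verdict": "suspicious" if reasons else "trusted", "reasons": reasons}

    padded = "." + host + "."
    reg_brand = reg.split(".")[0]
    for t in sorted(TRUSTED):
        brand = skeleton(t.split(".")[0])
        # dropbox.com.attacker.invalid: the trusted name is only a subdomain.
        if "." + t + "." in padded:
            reasons.append(f"'{t}' appears as a subdomain of '{reg}'")
        if skeleton(reg_brand) == brand:
            reasons.append(f"'{reg_brand}' is '{brand}' spelled with look-alike characters")
        elif edit_distance(skeleton(reg_brand), brand) <= 2:
            reasons.append(f"'{reg_brand}' is a near-miss of '{brand}'")

    return {"host": host, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


if __name__ == "__main__":
    for u in ["https://www.example-staffing.com/jobs",
              "https://exarnple-staffing.com/apply",
              "http://example-staffing.com.attacker.invalid/login",
              "https://dropb\u043ex.com/"]:  # Cyrillic o in 'dropbox'
        r = check_url(u)
        print(f"{r['verdict']:<10} {r['host']}  {'; '.join(r['reasons'])}")
```

An "unknown" verdict only means the host is not on your list and does not imitate anything on it; it says nothing about whether the site is safe. The point of the allow-list is the same as the advice to use a bookmark: you decide in advance which addresses you trust, rather than judging each link under pressure.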
Top 3 Scams – February 1, 2019
CEO Fraud Gift Card Scams
The bad guys are getting creative with CEO fraud and gift card scams. In this campaign a bad guy impersonates one of your executives and asks you to buy gift cards for customers. They even allow the employee to keep one for themselves (how generous!). The unsuspecting employee is instructed to go to the store, physically buy the cards, and then email or text the gift card numbers to "the boss."
Treat gift cards like cash, and never blindly comply with a request like this. Call the supposed sender directly, using a number you already have rather than one from the message, to determine whether the request is valid or a scam. Sometimes it's OK to say "no" to the CEO!
False File Hosting
Bad actors have come up with another way to trick you. Now they are using Dropbox, Google Drive, and other file hosting sites for their attacks.
They upload a malicious file to one of these sites and use the site's own sharing feature to send you an invitation to log in and open or click on that file. The invites look legit because they are: they really come from that service and are identical to the normal invites. So what should you look out for?
- Email invites to open a shared file somewhere in the cloud that you did not ask for.
- Emails that require you to log into a site to see something important. Don't enter your credentials on a page you reached from the email.
Always be suspicious of links in emails that you did not expect or did not ask for. If you decide to log into a file sharing site like Dropbox, type the address into your browser yourself or use a bookmark you set earlier.
IRS Tax Scams
The IRS saw nearly double the number of tax-related scam incidents in 2018 compared with 2017. Watch out for scams claiming to be from the IRS or from tax firms. The emails purporting to come from the IRS demand a payment or threaten to seize the recipient's tax refund. Those impersonating tax firms try to solicit personal, tax, or financial information. Similar scams target employers by impersonating employees.
The IRS suggests the following steps to avoid becoming a victim of phishing:
- Be Vigilant – Employers and businesses providing tax services can best protect themselves from phishing attacks by educating employees with security awareness training. Employees trained on phishing tactics have a heightened sense of suspicion, which makes it easier to spot a malicious email and avoid becoming a victim.
- Use Security Software – The use of email, web, and DNS scanning solutions can reduce the number of potentially malicious messages that reach an Inbox.
- Use Strong Passwords – Make unique, complex passwords for each account used.
- Use Multi-Factor Authentication – When available, use MFA to better secure access to online applications, websites, and data.
Emails impersonating the IRS can be forwarded to email@example.com.
Protect yourself and your network.
Think Before You Click.