Top Cybersecurity Scams

Netflix and Steal

A Netflix phishing scam is going after users’ payment information and Netflix credentials, according to Naked Security. The phishing emails inform recipients that they’ve missed a payment and they’ll need to login and fix their billing information to resolve the issue.

The emails themselves contain some glaring typos and grammatical issues, including repeated misspellings of “invoice” and the phrase “you local bank being held a transaction.” The phishing site itself is more convincing, however.

The scammers took the time to obtain a valid HTTPS certificate, and they’ve hosted the site on a subdomain with a very long URL consisting of random characters. As a result, the primary domain is pushed out of sight in the browser bar, so the user doesn’t realize they are not on netflix.com. The login page looks perfectly legitimate, as does the page to enter payment card details.

The scammers made another mistake, however, by including an intermediate page that asks users how they want to pay their bill in order to “resrtart” their membership. This page offers a number of options, including one to purchase gift cards. The option to buy gift cards is inexplicably written in French, unlike the rest of the page.

While these warning signs seem easy to spot when you know it’s a scam, they might not be so apparent if you aren’t looking for them or if you are in a hurry.

A similar scam is circulating about PayPal, with the message that an unknown device has accessed your account. This one also has one or two grammatical red flags, but overall looks convincing enough to have gained a wealth of personal information from victims.

So what can you do? 

• Force yourself to stop and think before clicking on ANY emails warning about account issues or breaches. Our fear of being compromised is what the bad actors count on, but most legitimate businesses will not try to scare you.
• Always confirm issues independently of the links in these types of emails. Open a separate browser window and log into your account; if there is an official problem, you will be able to see and fix it that way.
• Verify account problems by calling. Don’t use any contact numbers included in a message like those above, but reach out and speak with someone if you have questions.

Selfie Scams

Researchers at Kaspersky Lab have observed a spike in fraud surrounding the use of selfies to gain access to sensitive data, Planet Biometrics reports.

Some legitimate online services ask users to upload a photo of themselves holding their ID in order to verify their identity.

If a scammer gets their hands on one of these photos, they can impersonate you online. These photos are valuable on the black market for this reason.

Scammers are collecting these types of selfies via phishing emails that purport to come from payment services and banks. The emails try to convince recipients to go to legitimate-looking phishing sites and upload a selfie with their ID visible.

It’s best to avoid uploading selfies with your ID at all, if possible, because anything you upload to the internet can potentially be stolen at some point. If you do need to do so, make absolutely certain you’re on the correct site and verify that the service is legitimate.

Stay safe with these tips:

• Before confirming your identity in this way, ask the company if there is any other way to verify.
• If you have to do it, look through the site for signs that it is legitimate before uploading. Check that it is secure, showing a locked padlock in the URL. See if there are terms and conditions explaining how they will use your image and how long it will be stored. If you see all this and still have a bad feeling, trust your gut.

Movie Mania

TechRepublic reports that Kaspersky researchers have identified sixty-five malicious files masquerading as online copies of Star Wars: The Rise of Skywalker. 

The files are spread via phishing sites and social media accounts that pose as official movie pages. In addition to distributing malware, the sites also ask users to enter their credit card data before they can watch the film.

Tatiana Sidorina, a security researcher at Kaspersky, said in a statement that attackers frequently take advantage of popular movies and shows to spread malware.

“It is typical for fraudsters and cybercriminals to try to capitalize on popular topics, and Star Wars is a good example of such a theme this month,” Sidorina said. “As attackers manage to push malicious websites and content up in the search results, fans need to remain cautious at all times. We advise users to not fall for such scams and instead enjoy the end of the saga on the big screen.”

So how can you protect yourself?  

• The easiest protection is to avoid pirated material altogether. But the reality is that your network may be shared by others who may not be so careful. So keep in mind (and teach your children) that a company trying to make money from movie ticket sales is highly unlikely to also release a free online version, no matter how authentic their site looks.
• Never enter information, especially payment information, on a site claiming to offer free movies. If it’s free, what could they possibly need payment for? 
• Use the Force: that’s your reason, common sense, and your instincts. If something seems ‘off,’ it most likely is.

Top Ten Most Impersonated Brands by Phishers in Q3

Since this will be the last scams alert of 2019, we thought this blanket warning would be most helpful to start with. There are still two distinct attacks to look out for below. And if you receive our newsletter, you already know about the Disney+ issue (and have hopefully changed your password).

Why does this matter to you? 

• The old advice of looking for typos and weird grammar isn’t cutting it anymore. Phishing scams today are far more sophisticated. So if you use ANY of the companies listed above—and who doesn’t—be vigilant of messages appearing to be from them.
• If you feel an email from any of these companies is wrong for any reason, trust your gut. Log into your account independently, and if you find out the email was a scam, report it.
• Sometimes your brain can recognize minor variations, such as a different shade of color in a logo or the wrong font, without you consciously realizing it. Maybe the greeting isn’t what you’re used to seeing from that company. Everything else might seem fine: that’s how tricky these criminals are getting.
• Hover over links as always, and recognize fear tactics as a reason to pause. Authentic brands typically don’t want you to panic and lose trust in them.

Don’t Get Sway-ed

Malicious actors have apparently decided that the future of phishing lies in exploiting trusted online services. You have undoubtedly seen the upshot of that decision in your inbox: an endless stream of phishing emails pushing links to malicious content hosted on services like Dropbox, Sharepoint/OneDrive, and Evernote, to name a few. Now the bad guys have a new favorite online service to exploit: Microsoft Sway.

If you’re not familiar with it, “Sway is an app that makes it easy to create and share interactive reports, personal stories, presentations, and more,” according to Microsoft. Essentially, you can make mini websites quickly and easily.

So far these criminals have not yet fully exploited Sway’s integration with other online services, such as YouTube and Facebook. (Give them time.) What they are doing, though, is skillfully deploying Sway to leverage the inherent trust that users place in Microsoft in order to trick you into clicking through to slick, convincing web pages that offer an inviting opportunity to cough up your login credentials.

These phishing attempts appear to link to Microsoft Teams, company surveys, file sharing, and voicemail message centers, for example.

Stay safe with these tips:

• Question everything. Is that message really from your coworker? Would HR send a survey link this way? Does that sound like the CEO?
• Pay attention to details, and pick up the phone (or use a separate messaging tool) to confirm with the sender before clicking on any links or files you did not ask for or weren’t expecting.

Fake Browser Updates

Malware delivered via fake browser updates is back and more sophisticated than ever.

Leveraging vulnerable website content management platforms–typically older versions of WordPress, Drupal, etc., that can be exploited by non-updated security code or bugs–these attacks seek to trick users into installing malware under the guise that their web browser is out-of-date.

We all know that software, including your web browser, will eventually need to be updated. So, it’s not so out-of-the-ordinary for users to be notified that a newer version of Chrome or Firefox, for example, is available.

Generally, this kind of notification uses the operating system’s normal update mechanisms. But anyone not familiar with how updates usually work, or someone in a hurry, can easily fall for this attack.

The initial malicious webpage performs a ton of browser validation and then transparently navigates the victim’s browser to a malicious page that, in turn, redirects them to a browser update screen that says something like, “You are using an older version of Chrome.” Other details may be included, and then there is typically a big green or red button saying Update Chrome, or the name of your browser.

So how can you protect yourself?  

• Be skeptical of updates coming through your web browser as a link to click on. In the case of Chrome, for example, authentic updates will appear as an icon in the upper right corner where you typically see 3 vertical dots and the customizing menu. 
• Ask your IT team before clicking. Typically they will handle software updates for you automatically. If you haven’t used a particular browser in a while, manual updates may be necessary and they can make sure it’s done safely.

Performance Appraisal Scam

Recently, experts uncovered a phishing scheme in which cybercriminals try to mimic the performance appraisal process of the target company.

The attack is twofold: Recipients think that the appraisal (a) is mandatory and (b) can lead to a pay raise. It’s worth noting that in some companies such appraisals are a routine part of the salary revision process and that’s why they don’t raise any suspicions.

It all begins, as usual, with an e-mail. The employee receives a message that appears to be from HR, recommending a performance appraisal. The text of the message contains a link to a website with an “appraisal form” to be filled out.

According to the instructions, the user must follow the link, log in, wait for an e-mail with additional details, and select one of three options. For anyone new to the company and its appraisal procedure, the sequence of steps might look convincing. Only the website address (which is unrelated to any corporate resources) could arouse suspicion.

If the employee clicks the link, they will see an “HR portal” login page. Unlike many phishing resources meant to look like login pages for business services, this one looks quite primitive, with a bright monochrome or gradient background and data entry fields covering the page. For the sake of authenticity, the scammers invite the user to accept the privacy policy (without providing a link to any such document).

The victim is asked to enter their username, password, and e-mail address. In some cases, the scammers direct them to enter their work address. By clicking the Sign In or Appraisal button, the employee actually forwards the data to the cybercriminals.

At this point, the “appraisal” is likely to come to an abrupt end. The employee may wait a while — in vain — for the promised e-mail with further details to arrive. In the best-case scenario, they might suspect something is wrong, or send a kindly reminder to the real HR department, which will then notify IT security. Otherwise, the company might not detect the identity theft for months.

How can you avoid this? 

• Use up-to-date spam filters to intercept phishing e-mails before they even get close to anyone’s inbox.
• Issue regular reminders that employees should treat any links in emails with caution, opening them only if their authenticity is certain. Simulated phishing tools have proven most effective with this kind of awareness training.
• Remind staff not to enter work account details on any outside websites, and clearly define the types of communication they can and should not expect to come from HR.
• Sign up for Dark Web monitoring. This service searches for any of your business domain credentials listed for sale or otherwise posted on the dark web. It can also be used on an individual basis for identity theft prevention.

Stripe Credentials

Cofense warns of a phishing campaign going after credentials for the Stripe online payment platform. The attackers are sending emails purporting to be from Stripe Support, telling the recipient that their account details are invalid and their account will be placed on hold unless they fix the issue immediately.

“This is cause for panic among businesses that rely solely on online transactions and payments,” Cofense explains. “Fear and urgency are the most common emotions threat actors play on, spurring otherwise rational people to make irrational decisions.

”A notable aspect of this campaign is the attacker’s use of the HTML tag to hide the destination of the link to the phishing page. The emails contain hyperlinks that say “Review your details.” When the victim hovers over this hyperlink to see what the URL is, they’ll just see “Review your details” where the URL should be.

If they click on the link, the victim will be taken to a spoofed Stripe login page. After entering their credentials, they’ll be asked to enter their bank account number and phone number. Finally, the phishing page will tell them they’ve entered the wrong password and redirect them to the real Stripe login page.

The attackers have taken steps to ensure the victim doesn’t realize they’ve handed over their credentials and bank account details. Many people would simply think they entered the wrong password and then continue to log in to their legitimate Stripe account, where they would see that everything is all right. New-school security awareness training can teach your employees to watch out for these tactics so they can avoid being scammed.

Stay safe with these tips:

• Remain calm in the face of emails about account and password warnings. If you do not use Stripe, then simply delete or report this phishing email as directed.
• Always carefully check links before clicking and web addresses on pages you are directed to. Look for typos, inconsistencies, and anything that raises doubt.
• Navigate to the account in question independently. If there is an actual issue, you will find it on the authentic website. 

Bank Vishing

Bank vishing scams – the telephone equivalent of phishing – are growing more convincing and harder to detect, CNN reports.

A San Francisco man describes “the most credible phishing attempt I’ve experienced to date.”

He said he received two phone calls from the same number, and he answered the phone the second time. A woman on the other end told him she worked for his bank and asked if he had just tried to use his card in Miami. He said no, and the woman began to walk him through the process of securing his account.

She asked him for his member number, and he gave it to her. He then received a text message from the bank’s phone number containing a code, which he read out to the woman. This was actually a password reset code, and it granted her access to his bank account.

Next, the woman told him they needed to block his PIN, and asked what his PIN was. At this point he realized it was a scam, since no real bank should ask you for your PIN, and he hung up immediately.

In hindsight, the man believes he should have been more suspicious of the caller from the outset. “When I read that thread now, that’s one red flag after another,” he told CNN. “But it’s hard to express the social engineering component of it. My guard wasn’t up in the way it should’ve been.”

So how can you protect yourself?  

• Find out what information your bank will and will not ever ask you for over the phone or via email. 
• When you receive calls like this, tell them you can’t talk at that moment. Ask for a way to call them back later. Then hang up and call your bank directly to find out if it’s legitimate. You can also report the scammer’s phone number.

Amazon ‘Update Account’ Scam

Bad guys are targeting Amazon customers, urgently claiming you need to update your information or your account will be permanently disabled. They count on you getting worried and acting quickly without thinking it through.

The phishing emails purport to be notifications from Amazon informing you that you need to update your information within twenty-four hours or your account will be permanently disabled.

When you click the “Update Now” button in the email, you’ll be taken to a convincing imitation of an Amazon login page. After entering your credentials, the phishing page will present a form for you to input your name, address, phone number, and date of birth. Next, you’ll be asked to provide your credit card and bank account information–all information you’ve probably given to Amazon before.

Finally, the phishing site informs you that your account has been recovered and says you’ll be automatically logged out. You are then redirected to the real Amazon website.

The email itself has several red flags like typos and bad grammar, but the worry people have about losing their Amazon accounts makes them click anyway.

How can you avoid this? 

• Even if an email is perfect (no typos or strange grammar), leave the links alone and navigate to your accounts independently.
• Recognize when emails immediately make you feel fear or dread, and use that as a trigger to stop and think before you click.

Watch Out for Fake Video Scams

The bad guys are using social media messaging platforms and emails to send dangerous phishing links that are disguised as a link to a video. The scammers provoke you into clicking by asking, “Is this you in the video???”

Don’t fall for this.

They are counting on an impulsive emotional reaction. It’s important to note that these attacks almost never actually involve a video; they’re only creating a reason for you to click the malicious link.

What makes them especially dangerous is when they come through social media platforms, appearing as if from a friend or someone you know.

Stay safe with these tips:

• Be wary of these types of messages and any unexpected links…even when they appear to be from someone you know. Cybercriminals often hack social media accounts so they can send these messages to everyone connected to the stolen account.
• Remember to never click on a link you’re not expecting. Even when it’s from someone you know, call or find some other way to verify first. In the case of social media accounts, look and see if your connection has posted anything about having gotten hacked. 

Yahoo Settlement Scam

Yahoo is close to reaching a $117.5 million settlement in a class-action lawsuit over a series of data breaches that affected users between 2012 and 2016 — and you could be eligible for a $100 check and/or free credit monitoring if you had an account during that period.

From 2012 through 2016, several hacks penetrated Yahoo systems and stole billions of records. While this settlement is not nearly as big as the $700 million settlement that credit agency Equifax agreed to for its 2017 data breach involving 147 million records, it’s still enough of a phish bait to deceive people into disclosing their personal information.

Yahoo is offering two years of free credit-monitoring services to anyone who had a compromised account, along with various refunds and up to $25,000 in out-of-pocket losses, if applicable. If you can verify that you already have credit-monitoring, then you can ask for a cash payment of $100.

Similar to scams surrounding the Equifax settlement, bad guys are using the “urgency” trick. Yahoo’s settlement is a set amount, meaning there’s only so much cash to go around, so if you’re going to make a claim, you’d better do it fast.

They are sending phishing attacks that look like they come from Yahoo. When you click on the links, you wind up on a fake website that looks like it’s Yahoo, but will try to steal your personal information. Don’t fall for it.

So how can you protect yourself?  

• First, don’t be dazzled by the offer of “free money.” If you never had a Yahoo account, then simply delete and move on. 
• If you were affected by the breach, find the proper settlement links online, independent of unsolicited emails like this.
  
• Always think before you click. Especially when receiving unexpected alerts or offers. Cybercriminals play on your emotions of excitement and fear to push you to act without thinking. 

Unusual Sign-in Activity Scam

This one is tricky. It’s a phishing campaign that pretends to be an “Unusual sign-in activity” alert from Microsoft.

With companies such as Google and Microsoft commonly sending users alerts when unusual activity has been discovered on their account, you may feel it’s normal to receive them and click on the enclosed link without thinking about it. Attackers are capitalizing on this by sending emails that pretend to be “Microsoft account unusual sign-in activity” alerts.

When compared to the legitimate email notifications sent by Microsoft, the scam looks almost identical, with the same information fields and even the same sender address of “account-security-noreply@accountprotection.microsoft.com.” What’s different, though, is that when you click on the “Review recent activity” email link, instead of going to Microsoft to review your account’s sign-in activity, you are brought to a fake landing page on a non-Microsoft site that asks you to login.

When a victim enters their credentials, the information will be saved for the phishers to retrieve later so they can access that account whenever they want.

No matter what credentials are entered in the fake login form, the user will always be redirected to an error page on Microsoft’s live.com site. This is to make it look like there is a problem with your account and that nothing strange is going on.

How can you avoid this? 

• Always check the From/sender address, but don’t always trust it. Email addresses can be easily spoofed.
• Pay close attention to the link when hovering over it before clicking as well as looking at the URL if you do click. Is it spelled correctly? Is it secure? Microsoft will always be an https: link. 
• Try to stop yourself before clicking on the email link automatically. Think back to when and where the “unusual activity” may have been and whether you should have received the warning in the first place.

Fortnite Hacks…or Hackers?

This scam may be more geared toward your children, but with 250+ million Fortnite users worldwide, it’s worth sharing with everyone.

It’s a ransomware scam disguised as a game hack tool. The offer is a ‘cheat’ for better aim or to know the location of other players in the game. It is believed to appear as a link in the forums and that the ransomware gets installed when the tool is downloaded.

Upon activation, a timer appears on the screen, telling the player his or her files will be deleted if the ransom is not paid before time runs out. After the first two hours, everything in the photos folder will go. After another two hours, the desktop folder. After a third timer, the documents folder.

According to Cyren, the ransomware was still active on Fortnite as of August 21st.

Stay safe with these tips:

• Remind your children that cheaters never win. Just kidding. Who didn’t use codes and tricks to beat Atari or Nintendo games?
• Always be suspicious of downloads. Whenever possible, search for info about them online before choosing to install. Scams are often reported quickly to help others avoid falling victim. 

Take it to the Bank

Financial phishing is getting even more popular.

Researchers at NormShield have released their State of Financial Phishing report that shows an increase in website domains that impersonate financial institutions registered so far this year, with thousands more expected.

That’s important because criminals are getting more savvy, setting up these sites and then waiting to use them. Their phishing attacks are more complex and targeted as well. They are copying actual bank promotions that link to their fake sites in order to steal your credentials and other sensitive information.

So how can you protect yourself?  

• Always think before you click. Especially when receiving unexpected alerts or offers from what seems to be your financial institution. Cybercriminals play on your emotions of excitement and fear to push you to act without thinking. 
• Contact your bank independently of the email. Open your own browser window to log in, or give them a call. Legitimate offers will be confirmed, and phishing attacks can be reported.
  

OneNote Audio Note Scam

Phishing scammers are coming up with more innovative methods to convince their targets to provide login credentials. Such is the case with a new OneNote Audio Note phishing campaign that is currently underway.

Bleepingcomputer reports that “this campaign comes in the form of an email with the subject ‘New Audio Note Received’ and claims that you have received a new audio message from a contact in your address book.” In order to listen to the message, of course, you need to click on a link to listen to it.

Of particular interest is that the phishing scammers are now commonly including footer notes stating the email is safe as it was scanned by a security software. Along with the screenshots, it can look convincing. However, when you click on the “Listen to full message here” link, you will be brought to a fake OneNote Online page hosted on Sharepoint.com. This page states that “You have a new audio message” and then prompts you to click on a link to listen to it. And you will have given the scammers your Microsoft login information.

Remember the following to protect yourself from phishing attempts like this: 

• Before clicking, hover over links to see where they are pointing. Never click on a link in a message unless you’re certain the sender is legitimate.
• For that matter, consider who is sending you this audio note. Do you use OneNote? Was this expected? If not, reach out to the supposed sender to check before clicking. 
• Whenever you get an email from an online service you use, log in to your account through your browser, not through links in the email.

More Government Impersonators

The Federal Trade Commission has warned that complaints about scammers impersonating government agencies reached a record high this spring, with more than 46,000 complaints registered in May alone. The majority of these scams purported to come from the Social Security Administration (as I shared in May), but other popular choices for impersonation included the Health Department, the IRS, and various law enforcement agencies.

Most of the scams tried to obtain payment via gift cards, which the FTC says “is a dead giveaway that the consumer is dealing with a scammer.” Six percent of the people who reported the scams said they fell victim, with the median amount of money lost being $960.

The FTC states that the fraudsters use social engineering techniques that are very effective, but that can be easily recognized once someone knows what to look for. “The vast majority of people who report this type of scam say it started with a phone call, and these callers have their mind games down pat,” an FTC blog post said.

“Government impersonators can create a sense of urgent fear, telling you to send money right away or provide your social security number to avoid arrest or some other trouble. Or they can play the good guy, promising to help you get some free benefit like a grant or prize, or even a back brace. Scammers like to make the situation so immediate that you can’t stop to check it out.”

It’s worth keeping in mind that these numbers only reflect the scams that were reported, so the actual number of attempted scams is probably much higher. Providing new-school security awareness training is one of the best ways for organizations to ensure that their employees can resist all types of social engineering.

Stay safe with these tips:

• Pay attention when you get a call out of the blue. If it’s a legitimate government agency, you should be able to get a phone number, possibly a case or account ID, and other ways to verify before sharing your information.
• Remember that payment via gift card should always be a red flag. 
• Check online or contact the official agency yourself before taking any action from a call like this. 

Don’t Be Fooled by the File Type

Be on the lookout for a brand new phishing attachment. The bad guys are using a different type of file to trick you, and it could reach your inbox.

They’re sending phishing emails with SHTML file attachments (.shtml extension). These types of files are typically used on web servers and may not always be caught by spam filters.

If you “open” this attachment, you’ll be brought to a dangerous website that requests sensitive information.

So how can you avoid this?  

• Always check the details, such as file type, on an attachment you weren’t expecting. If you see .shtml, consider whether that makes sense. 
• Never click on an unexpected attachment. Call to confirm with the sender first.
  

Brand Impersonation Attacks are at an All-time High

According to recent reports, phishing attacks that use brand impersonation are at an all-time high. Cyber criminals are posing as familiar companies so they can trick you and get access to your account in order to steal sensitive data or target additional employees.

Here’s how it typically happens:

Attackers send you a standard-looking email appearing to be from a service or company that you use, such as Office 365. In one example, the subject may be a warning about your files getting deleted. Clicking the link in the email will take you to a fake (but very realistic) login page. The most deceiving part of some of these fake pages is that the web address appears to be safe.

The URL may end with a legitimate domain like “windows.net,” because the bad guys are hosting these pages with Microsoft’s Azure cloud services. But if you enter your information here, the bad guys will gain access to one or more of your accounts which they can use to steal data or plan further attacks on your organization.

Remember the following to protect yourself from brand impersonations:

• Look carefully at the domain in sender addresses. Does it say “microsoft.com” or “micronsoft.com”?
• Before clicking, hover over links to see where they are pointing. Never click on a link in a message unless you’re certain the sender is legitimate. 
• Whenever you get an email from an online service you use, log in to your account through your browser, not through links in the email.

Beware of Voicemail Phishing Scams

If your organization uses online voicemail services, you’ve probably used links in notification emails to check your new messages. Lately, scammers are creating look-alike notification messages that trick you into giving up your login credentials.

The fake voicemail notification takes you through a series of steps. First it will prompt you to click a link to listen to your “new message.” Then, you’re directed to a web page containing another link to click on so you can finally hear your new message.

If you click these links, you’ll be brought to a realistic-looking Microsoft sign-in page where you’re prompted for your email and password. If you enter your login details here, the bad guys will have full access to your account, where they can steal sensitive data or perform further attacks on your organization.

Stay safe with these tips:

• If you’re already logged into your email account, you shouldn’t be prompted to log in again. So if you see a new login page, question it.
• Before clicking, hover over links to see where they’re taking you. When asked to log in to an online service, type the web address into your browser rather than using links in the unexpected email. 
• Get familiar with the format of your voicemail notification emails. If you’re ever in doubt, contact the proper department in your organization before clicking on any links or downloading any attachments. 

Google Calendar Meeting Scams

The bad guys are using unsolicited Google Calendar notifications now to trick users into clicking malicious links.

Here’s how it works:

Scammers send a Google user a calendar invite complete with meeting topic and location information. Inside the details of the appointment lies a malicious link that looks like it’s pointing you back to ‘meet.google.com’ for more details. If you click on it, however, typical tactics will be employed to try to infect your machine with malware and so on.

This kind of attack has a massive attack surface, given the number of people utilizing Google’s Calendar service, i.e., millions. It also has contextual appeal by being hidden within a meeting invite and uses a seemingly valid URL for more information.

So how can you avoid this?  

• Stop and think before clicking on any unexpected meeting requests. Do you know the sender? Does the subject make sense?
• Hover over the link before clicking. If it looks legitimate but you still have a bad feeling, trust your gut. Reach out to the sender through a separate email or phone call.
  

Surprise, You’re Getting Sued

A very effective email phishing and malware attack has come out disguised as a nastygram from a law firm. The scam typically notifies you that you’re being sued, and it instructs you to review the attached file and respond within a few days — or else. The kicker? The attached Word documents are booby-trapped with a trojan used to drop malware on your computer.

This scam was discovered as part of a phishing kit. That’s right, there are ready-made kits hackers can purchase, customize, and put in play. It has some spelling mistakes and awkward grammar that might tip off the vigilant reader, but what’s troubling is how the phishing kit included five booby-trapped Microsoft Word docs to choose from, and none of those files were detected as malicious by more than three of the five dozen or so antivirus products that scanned the Word docs on May 22, ten whole days after they were spammed out.

Also of concern? A legitimate law firm was spoofed in this attack. According to reports, someone had recently called them to complain about a phishing scam, but beyond that the firm didn’t have any knowledge of the matter.

So aside from putting your own lawyer on speed dial, what can you do to avoid this scam?

• Anytime an unsolicited email evokes a strong emotion (such as fear), stop and think before you click. Look up the law firm online, and call them. Do not click on any links or use any contact information in the message.
• Try to remember that legal proceedings typically require serving papers in person, through the mail, or even by putting a notice in the newspaper. 
• Never open attachments you aren’t expecting, especially from people you don’t know.

Customer Service, How May I Rob You?

In this new age of social media customer service, scammers are seeing opportunity.

As digital giants like Twitter and Facebook scramble to keep up with fake news and fake accounts, some are bound to slip through. So when you want to make a complaint about goods or services and get some sort of fast and public resolution, use caution.

It works like this: you tweet to the company about being overbilled or missed delivery, etc. A very similarly named account that may include “CS” or some customer service variation responds to you.

They’ll ask for basic information such as name, address, and account number or login. But then there’s ‘trouble locating your account’ so further information is requested. This may be your date of birth and phone number.

Once they have your phone number, they call posing as the company and can request even more personal information in a seemingly reasonable way. This may include the bank account you use to pay that company and possibly some security questions for “verifying.”

You’re happy to do whatever it takes to get resolution to your problem, so you may not realize that you’ve now handed over the keys to your entire bank account and login details that can be sold on the Dark Web.

This very scam was used in England to wipe out a woman’s bank account and take out multiple loans in her name. So what can you do, especially when it seems that a public complaint is the only way to get some attention?

• Check to see if the account is verified on Twitter or Facebook or whatever social platform you’re using. Not all businesses will be verified, but large corporations typically are.
• Visit the company’s website to find out the account(s) they use for customer service. Look at their contact page or hover over their social media icons to see their official handles. 
• Limit your exposure by submitting complaints through the company’s chat or email system, and leave social media for more social pursuits. 

Holiday Hacking

The bad guys are known to use holidays such as Memorial Day to try to get you to click on a dangerous link or download a malicious attachment. They can pose as charities asking for donations, especially for veterans on this holiday, and they often mimic sales from major retailers. These scams will probably crop up again for the Fourth of July.

Whether you’re traveling for the holiday weekend or staying home to take advantage of online shopping deals, be cautious when performing any types of online transactions. Be suspicious of any out-of-the-ordinary emails, and be mindful of what information you’re sharing over your phone when you’re on the road.

• If you’re being asked for donations and it’s not a company you have given to before, navigate to the company’s website independently. Do not click on any of the links in the message. 
• If you receive an incredible deal or offer in your inbox, visit the website independently. Private offers may not be listed publicly, so if you don’t see the deal, call the company before clicking any links in the email.
• If you’re traveling, remember to turn off your mobile device’s Bluetooth when not in use. Cyber criminals can pair with your phone’s open Bluetooth connection and steal personal information.
  

SSN Robocall Scams

Be on the lookout for a popular robocall scam that is tricking people into believing their Social Security number (SSN) has been suspended.

The robocall tells you to call the number provided to speak with a government agent about the issue. Some of the robocalls even threaten to issue an arrest warrant if the victim doesn’t respond.

When you call the number back, you are actually speaking with a fake government agent. This scammer will try to trick you into giving up sensitive personal information like your SSN, birth date, and bank account number.

Always remember the following to stay safe from tricks like this:

• Your Social Security Number can never be suspended.
• The Social Security Administration will never threaten to arrest anyone.
• You should not share any personal information with someone you don’t know over the phone.
• If you get this type of call, hang up immediately and report the call to the appropriate agency.

PDFs as Phishbait

The use of malware-laden PDF email attachments has spiked in recent months, internet security company SonicWall has found. Over the course of 2018, SonicWall detected 47,000 new attack variants using PDFs, while they observed more than 73,000 of these variants last month alone. 67,000 of these PDFs linked to scammers, while 5,500 contained links to malware downloads.

John Oates at the Register writes, “Other attacks have been known to nick login details by tricking the user into opening malicious PDFs that use remote document loading mechanisms to capture and leak your credentials.”

Most of the attacks observed by SonicWall simply used PDFs to smuggle malicious links through email security filters. Many security filters struggle to analyze content inside PDFs, so an attacker stands a better chance of getting through to their victim if they place the link in one of these files.

SonicWall notes that PDFs are generally thought of as a safe file type, so users often don’t hesitate to open them. Given the pervasiveness of PDFs within corporate and government environments, employees need to know how to avoid these attacks.

How to protect yourself:

• If you receive a message with an attachment from someone you don’t know, do not open the attachment. Even if it’s a pdf.
• Never click on a link in a message or in an attachment unless you know the sender is legitimate.
• If you think the message is okay, always hover over links to see where they are taking you. If you’re unsure, don’t click!

Fake Emails from HR

The bad guys know how easy it is to trick you with emails that spoof–or appear to come from–your Human Resources team. These attacks are everywhere right now.

The emails are often centered around topics such as “new” or “updated” policies, employee benefits, employee handbooks, payroll, and W-2 information.

Whenever you receive an email from your HR team, you may feel compelled to open the email and address it right away. The sense of authority that comes with HR emails is how the bad guys trick you. They’re counting on you falling victim to this sense of authority so you end up clicking before you think

If you receive an unexpected email appearing to come from your HR team, or an HR-related service, always remember the following:

• Pick up the phone and speak with someone who can confirm the request is valid BEFORE you click on any links or download any attachments.
• Log in to the HR-related service account through your browser (not through links in the email) to check the validity of the information in the email.
• If it’s a scam, immediately report the message to your IT team and your HR department.
  

Robocall Scams

Bad actors are automating robocall scams worldwide. Recently, there has been a rise in this type of fraud. They have a variety of attacks that you should watch out for.

Here are a few examples:

• Bank account and credit card scams where the bad guy claims to be an official from your bank or credit card company
• Extortion scams where they request payment for a kidnapped friend or family member
• Callback scams where you are tricked into calling back a very expensive international number

Always be suspicious when a company calls you requesting action right then over the phone. Legitimate businesses will typically contact you via email or by letter to notify you of issues with your account and inform you of any corrective steps.

If you receive a call from a company urging you to complete a request, politely get off the phone and then call the company directly to investigate. Scammers can spoof any number they like, so even if it looks legitimate, it can be fake.

Never provide personal information over the phone unless you’re the one who initiated the call.

Consider getting on the national Do Not Call registry. The FTC allows you to report numbers that do not comply after you’ve been on the list for 31 days. You can also report robocalls whether or not you are on the list.

Malware thru Messaging Apps

As if email and phone calls aren’t enough, bad actors are using popular messaging apps to trick you into downloading malware. These scammers know you’re used to looking out for suspicious emails, so they’re hoping to catch you off guard in the messaging apps you may use.

The attack is simple: The bad guys send a malicious link in apps such as Skype and Facebook Messenger. If you click on this link, a complex attack begins and you’re left with a ransomware-infected machine.

Don’t fall for this messaging scam!

If you receive a suspicious message from someone you don’t know, don’t even open it.

Never click on a link in a message unless you know the sender is legitimate.

If you think the message is okay, always hover over links to see where they are taking you. If you’re unsure, don’t click!

Child P0rn Phishing Attack

This new blackmail/sextortion scam is pure evil.

You get an email that claims the CIA is about to bust you for child p*rn unless you pay 5,000 dollars to have the sender delete your records. It includes a case number and (fast-approaching) fictional arrest date.

What makes this especially dangerous, even for those who know they have never looked at anything being described, is that there is a link you might be tempted to click for information, whether out of shock, fear, or curiosity.

That link, once clicked, will install the very materials they claim you’re going to get arrested for and will add related searches to your browsing history. Then they notify the authorities about you!

Always resist the urge to click when it is strongest. Any message that scares you that much or makes you so angry is most likely an attempt to override your logic and good sense.

Immediately report such a message to your IT team.

Tech Support Scans

You’re browsing online. The attack usually goes like this: First, you receive a fake Windows Alert pop-up message claiming “Your PC might be infected” and to “click OK to do a quick 10-second scan.”

When you click OK, a very realistic-looking, but very fake, ”system scan” runs within your browser. The scan looks almost identical to your antivirus software’s real system scans.

Once the “scan” ends, you’re told that your PC is indeed infected and that you need to download and install an update to the antivirus software. Don’t do it! This “update” is actually an unwanted application that will install onto your computer.

Never trust internet pop-ups. They often use scare tactics to get you to call a number for tech support or download an application to “fix” the problem.

Go to your IT administrator (if at work) or a reputable computer repair company (if at home) if you think something is wrong with your computer.

Dangerous Office Attachments Bypassing Email Security

As always, be suspicious of email attachments because attackers are finding new ways to get around email security filters. The latest attack includes Microsoft Office attachments containing hyperlinks to dangerous websites.

If you unknowingly download one of these attachments and click on a link from within the document, you will be brought to a malicious website that steals your sensitive information. This particular attack is usually carried out with Microsoft Word attachments, but dangerous links are certainly not limited to files with .docx file extensions. This attack could occur with almost any file type.

Remember the following to prevent this type of attack from happening to you:

• Never open attachments from people you don’t know.
• Don’t open any attachment unless you have asked for it or have verified with the sender (through a channel other than email) that it is legitimate.
• Before clicking on any link in an email or email attachment, hover over it to see where it will take you.

Bogus Job Offers

This one is tricky. A series of phishing campaigns are targeting companies in various industries with phony job offers using direct messages on LinkedIn, according to researchers at Proofpoint.

The attacker initially makes contact by sending an invitation to the target on LinkedIn with a short message regarding a job opportunity.

Within a week after the target accepts the invitation, the attacker will send a follow-up email with either a link or a PDF attachment that contains embedded URLs.

These links take the target to a spoofed version of a real staffing service, which forces the download of either a Word document or a JScript loader. This document or loader will result in the installation of a JScript backdoor known as “More_eggs” which can then install malware or be used to gather information from the machine.

You expect strangers to reach out to you about jobs on LinkedIn, so you’ve got to be incredibly vigilant to avoid this.

• Do some independent research on the supposed offer.
• If you can’t find out about the company or position, Google the person contacting you.
• Look very carefully at the staffing service site you’re directed to. Make sure there are no tricky spellings in the URL or missing or strange information in the rest of the website.
• Remember to always be suspicious of downloads.