Top Cybersecurity Scams

Evolving Business Email Compromise (BEC) Attacks

BEC attacks, also know as CEO fraud, have been around for quite some time now. They have been proven to be successful, which of course means scammers are going to continue to use and develop them. and we recently featured a blog with video about how to combat them. What’s important to look out for now are the different angles these attacks have begun to take.

Recent BEC attacks rely more on social engineering. The messages are more indirect than simply asking for a wire transfer, which can make anyone suspicious. The 3 latest to look out for are ‘the handoff,’ payroll diversions, and aging report scams.

• The handoff can be an email to someone in Finance seeming to be from the CEO. It will ask you to reach out to an attorney about an acquisition or project. The ‘CEO’ and ‘attorney’ both work for the cybercriminal gang, so they can play off each other with questions and ‘information.’ At some point a sum of money will be required, which the ‘CEO’ will approve you to send.
• Payroll diversions typically go to HR and appear to be from an employee. This ’employee’ will ask to update their bank info used for direct deposit. Even if you don’t reveal existing information and send a blank form, the form they send back to you will have their criminal bank account information so the real employee will no longer be paid. It’s a perfectly normal request, so if your process does not have any other checks or verification built in, this can easily slip by.
• The aging report scam could be directed to a variety of departments. In this, an email appears to be from a vendor, requesting an aging report, which is non-threatening. Once the criminal has it, however, he or she can reach out to others, using the invoice and payment details in the report to seem convincing enough to change the banking information to their illicit account.

As KnowBe4 puts it, “modern BEC attacks leverage some really good social engineering that security defenses aren’t able to detect or prevent because there is nothing technical about it.” Criminals are willing to take a little longer to let their targets put their guard down before going after the wire transfer.

How can you avoid this scam?

• Train your people. Make sure everyone knows how much more sophisticated these scams have become. Then build verification steps into your process that require methods other than email. It may be as simple as a text to a personal cell phone, a work chat, or a call to your vendor, but it can prevent a lot of trouble.
• Ask your IT partner to check any emails you aren’t sure of. A message can come to you looking perfectly normal, but sender names and addresses can be spoofed. And with no attached files or malicious links to trigger a scan or filter alarm, the typical email protections can miss these messages. But your IT partner can look more closely.

Fake Quickbooks Invoices

Quickbooks, known as the #1 accounting software for small businesses, is being used in a new global scam.

Bitdefender reports that the campaign began in April. Scams using Quickbooks angles often increase around tax time in the US anyway, but this one isn’t about taxes. This campaign targets the 3 million businesses worldwide that use the software, sending fake invoices and payment notifications.

The messages are simple, claiming to have your invoice attached for review or your order sent once payment is remitted, and they are not only sent to people in Finance or Accounting. They come from a spoofed address that looks legitimate (‘quickbooks@xxxx.intuit.com’) and contain convincing Quickbooks graphics. There is also an Excel attachment that supposedly shows the invoice details.

The real threat is in the attachment. A hidden macro will install credential-stealing malware in most cases. In some cases, the malware has been updated to deliver ransomware as well.

So how can you stay safe from this?

• Always be suspicious of attachments. Curiosity is so hard to control, and when we see an invoice amount, even if we’re not expecting one, we want to know what it’s about. Stop immediately anytime you see a popup asking you to enable macros. As I’ve mentioned before, macros can be useful, but never enable them unless you are 100% certain they are safe.
• Make sure everyone in the company knows about something as widespread as this. You may have employees who don’t know whether or not you use Quickbooks or who don’t understand the risks of opening that attachment. You may have employees outside the Finance Department who order promotional items or office supplies; they need to be warned as well.
• Once again, ask your IT partner to check anything you are unsure of. Emails with attachments that you weren’t expecting seem suspicious when we talk about them like this, but can easily slip into the normal workday without raising any red flags.

Search Ad Scams

This last scam is not an attack on your business or an email to look out for. But it is serious enough for the FBI to issue a private industry notification about it to financial institutions.

The scam uses ads in search engine results, such as Google or Bing. Cybercrime gangs create fake banking website links that appear as ads or sometimes in organic search results to try to harvest your credentials.

If you run a search, often the first result is an ad pointing to exactly what you want. If you were looking for your bank and it is one of these scam links, once you click on it you are taken to what looks like that bank’s login portal. You enter your login, password, phone number, and security question answers, but you don’t get access to your account as you should. This is because it’s a spoofed site. Instead, the criminals call you, posing as the institution. They involve you in a lengthy conversation supposedly aimed at restoring your access, all while they use your credentials to log into the legitimate site and start making transfers.

What can you do against this?  

• Be careful where you click, especially if you are trying to log into your bank account. You may find using an app to be less risky, and you should almost never use an advertising link. This is not because ads are less secure by nature, but they are being paid to show up there. And as Google explains in its Ads & Commerce Blog, they removed 5,000 bad ads per minute in 2019. That’s just how vast the Internet is. Their tools may detect the reported malicious links and known violators easily, but the more sophisticated ones often have to have resources prioritized to find them based on trends and other available data. It’s a game of catch-up trying to prevent anything malicious from being shown to people.
• Always double- and triple-check the domain of any site you are going to log into. Spoofing banks and major brand websites like Microsoft and Amazon, for example, is what these criminals get paid to do. So it takes careful attention to detail to be able to spot the fakes. 

Ransomware on the Rise

A recent report from Coveware talks about ransomware trends from Q1 of 2021. For one thing, the ransom amounts are higher, on average increasing more than 40%. For another, the attacks are automated and tactical, with law firms and professional services companies being targeted most often. And on top of all that, the average downtime following a ransomware attack grew 10% in the last quarter to 23 days.

The latest information also points to a shift in method – from targeting specific individuals through email to exploiting network vulnerabilities. And disturbing analysis from a threat intelligence group tells us these scammers are creating ransomware cartels, which means gangs or groups of cybercriminals joining together to share resources, tactics, and profits.

As KnowBe4 sums up, “Cartels are also…reinvesting profits made from successful attacks to enhance their tactics. Unfortunately, it is only getting more and more easier [sic] for these ransomware gangs to infiltrate your organization.”

How can you avoid this scam?

• Shore up your network: Run an assessment, do penetration testing. Make sure you have all the latest updates. Go through your user list and current employees and make sure the only people who have access should have it. And don’t forget all the remote access points you may have enabled this past year. It is much harder to protect personal computers and home wifi networks, but you can put policies in place for best practices and educate your team about the real risk this poses to your business.
• Check on your backups. Test them. Make sure their frequency is what you need to recover properly (once a day, once an hour, every five minutes). Many scammers like to infiltrate and sit quietly for a while. They will turn off automatic backups and wait until the last one is irrelevant. Then they block you out of your own system and hit you with the ransom demand. If you’re not regularly testing that your backups truly work and aren’t just a fake log, for example, you will be blindsided.
• Continue to be vigilant about email attacks as well. Just because experts are reporting a trend toward network breaches doesn’t mean scammers will stop sending malicious emails. So if you or a coworker gets a message threatening extortion, or any other panic-inducing topic, remember to stop first. Remind yourself that any message trying to elicit a strong emotion (such as fear), does so with the goal that you will react without thinking.

Smishing – The Next Frontier

SMS texting scams are increasing at alarming rates. Proofpoint reported a 328% increase from Q2 of 2020 to Q3. And while it may seem like a personal problem on the surface, it can easily turn into a real business problem. Consider the company cell phones you issue. Or the business tools employees use on their personal cell phones for email or field work. We may like to think of our phones and apps as separate from work, but how true is that when they’re connected to the office wifi?

If you follow our Facebook page, you may have seen some sample texts posted recently. They are actual screenshots of scam texts received by our team. A few texts even addressed the person by name. They come from a variety of area codes and claim to be from companies such as UPS and Amazon. And while they may seem obviously suspicious sometimes, they work.

Take this example: Two Indonesian men were arrested 2 weeks ago for a malicious texting scam that impacted over 30,000 US citizens. The men sent 200 million text messages with links to fake government websites. They got personal information from the 30,000 who clicked and used it to steal 60 million from a legitimate relief program.

The message targeted people who have been out of work due to the pandemic. And although the money stolen didn’t come out of those individuals’ pockets, the personal information of those 30,000 people is now completely at risk. Where and how was it stored? Was it sold on the dark web?

So how can you stay safe from this?

• There are ways to prevent some of these messages from reaching you in the first place. Certain apps are available to do this, and both iOS and Android offer message blocking options. On an iPhone, you can also set messages from unknown senders to be automatically filtered to a separate list. Making sure you’re on the National Do Not Call Registry may help as well.
• Start thinking of texts the same way you do unsolicited emails. If you weren’t expecting it, and if you can’t confirm the sender, be suspicious.
• Be aware of the things legitimate businesses will and will not ask for via text. For example, Amazon states in their Help information, “We never ask for your password or personal information by text.” If you’re not sure about a business’s policies, check their website or call them first.

Poison PDFs

Almost anyone can open a PDF. Even if you don’t have Adobe Reader or some other program, you can often view the file in a web browser. This cross-platform ability makes PDFs the attachment tool of choice in massively increasing numbers. Researchers at Palo Alto Networks “noticed a dramatic 1,160% increase in malicious PDF files – from 411,800 malicious files to 5,224,056” from 2019-2020.

There are various methods most commonly used to get you to click on a link or linked image in a PDF. Look out for coupons, e-commerce account messages such as needing to update your payment information, and images made to look like they link to videos, particularly on financial topics such as stock charts and digital currency.

Also popular are fake captchas that pop up when you open a PDF and ask you to prove you’re human and fake file sharing through Dropbox or OneDrive, for example, to view a document supposedly being sent to you.

All 5 of these examples can be especially effective by embedding links that point to something called a ‘gating website.’ Gating websites can either redirect to one malicious website or to several of them in a sequential manner, rather than embedding the malicious link itself into the PDF. It makes these scams harder to trace and take down. It also gives the scammers the flexibility to change their objective from a credential stealing site to a credit card fraud site without having to rebuild their whole scam.

Efficient, right? As I’ve mentioned before, this is business to them.

What can you do against this?  

• Always be suspicious of email attachments. PDFs somehow seem safer to many people, but they can have malicious code or links embedded within them, just like any other file type. Always check the sender and the message for any red flags. Confirm with the sender via phone or chat before opening an attachment, or send any questionable messages to your IT team to check for you.
• Don’t be fooled by captchas. We’ve gotten so used to seeing them on website forms that we associate them with a valid security measure. But when used like this, as a popup from an email attachment, clicking that button is the same as clicking an unknown link.
• File sharing is tricky. We use so many cloud-based programs now that sharing a file via link is often more efficient than sending one as an attachment back and forth. But always stop and think before entering any credentials. And keep in mind that the way you share files internally may be different from how you access them from vendors or partners. 

Instagram Scams

According to a BBC article from January 31st, “the average number of Instagram frauds reported each month has increased by more than 50%” since the pandemic outbreak last year. This statistic comes from the national reporting center, Action Fraud, which says the amount of money reported lost per month has more than tripled.

There are romance scams similar to the one I sent you in February, and investment schemes without the romance from “influencers” who post photos of their lavish lifestyles that ‘you, too, can enjoy.’ But a simpler scam to look out for involves giveaways.

Contests work on social media to drive up engagement for businesses and to gather new leads. Many are legitimate. But scammers have taken to impersonating the brands and influencers holding the contests. They will reach out to you saying you were chosen and ask for your information or to pay for ‘shipping fees.’ Neither request is legitimate.

How can you avoid falling for this scam?

• We all like to win things. You can still participate, you just need to be especially vigilant about communication surrounding it. Pay attention to the terms such as when and how they will announce the winner. If you are contacted in any manner other than that, be suspicious.
• Carefully check the sender of any message asking you for your information or money. Even if you think it is legitimate. If you weren’t expecting it, find an independent way to confirm, such as by reaching out to the brand through their website or customer service.

Back to the Office Attacks

Now that everyone in Georgia over 16 is eligible to receive the vaccine, the expectation is a quicker ‘back-to-normal.’ And for many businesses, that means a return to the office. Scammers saw this time coming, and reports have already come in of attacks on that topic.

Examples describe surveys appearing to be from HR to gauge employees’ willingness to get the vaccine or interest levels in returning to the office. As a business owner myself, I can tell you we request feedback from our team on a regular basis. Our survey links do not lead to spoofed sites where scammers hope to harvest login credentials, however.

Other reports warn of a fake letter-from-the-CEO link that leads to malware downloads and policy change documents that staff must review before returning to the office.

So how can you stay safe from this?

• First, know your company’s policies on communication. Would this type of information come from a generic HR email address or a particular person? Do they often includes links or attachments, or do you have a centralized system for accessing documents that they would refer to? When in doubt, pick up the phone or send a chat and ask before clicking.
• Always stop before entering credentials on a site you did not independently navigate to or were not expecting to have to log into. That should always be a red flag.
• Any time you have a question or doubt, ask your IT team to check an email for you. You may not be able to point to exactly why you think something is off, but you will more than likely be right. And when it comes to your business’s network, your customers’ security, and your own peace of mind, it is always better to be safe than sorry.

Targeted Microsoft Spoofing

A sophisticated campaign designed to harvest credentials has recently been stopped by Area 1 Security. As we’ve seen before, however, if it’s effective once, we can expect it to show up again.

This scam targeted C-suite executives, high-level assistants, and financial departments across numerous industries. Part of what made it trickier is that it was sent only to certain individuals in each company. That means you didn’t hear 5 other coworkers asking if everyone else saw that message that didn’t seem quite right.

The scammers also did enough research to go after chiefs during their new-hire transition periods, when they might not know exactly how emails should appear or when a request was coming from an inappropriate sender. Plus, targeting executive level assistants is often overlooked but can be extremely effective as they tend to have access to a wealth of sensitive information.

Research and analysis showed these attacks to be a complicated combination of techniques to try to bypass Microsoft’s native defenses. The emails were well-written, not showing the awkward grammar or typos we use to easily identify spam. They centered on topics such as ‘Important Service Updates’ and Security Policy Updates or Patches that needed to be applied. They used spoofed sites to appear legitimate and sent forged invoices to receive real payments in attacker-owned accounts.

What can you do against this?  

• Be suspicious of any links or attachments you were not expecting. Granted, that is harder to do when you’re a new employee without a baseline of normal activity, but being new is also an easy time to ask questions. Ask about everything.
• Stop every time you are sent to a website that requires your login credentials. If you did not navigate to it independently, ask your IT team to see if it’s safe before entering anything.
• Recognize that the old spammy messages so easy to identify with their errors and bad logos have evolved. Scammers build entire kits and programs to bypass our defenses and get into our inboxes. This is business to them, and it needs to be just as critical, if not more so, to us. So look at links carefully before clicking, call and ask about unexpected attachments before opening, and trust your instincts. Ask your IT team to scan anything that seems ‘off’; we are happy to help.

Bonus Scam Alert

This new threat is one to warn your family about. It is typically more effective when received in the home environment rather than at work.

An email comes in claiming that your subscription to some computer protection program has been renewed at an exorbitant price. Examples have referenced Geek Squad, Norton products, MalwareBytes, etc., and can range anywhere from $400-600. The email conveniently includes a phone number for you to call and cancel.

They want you to call.

Getting on the phone with them kicks off an elaborate process that involves well-trained “techs” who understand your confusion and frustration and convince you that the software you know you didn’t download is hidden on your machine and was probably inadvertently installed while browsing the Internet. They promise to locate it, remove it, and then refund your money.

The team at KnowBe4 describes the entire scam process involving two different calls, three different remote control software downloads, and a convincing attempt to log into your online bank account to ‘issue an immediate transfer’ as a refund. Gaining direct access to your bank account is their goal.

What can you do against this?  

• Remember not to panic when you see unexpected emails like this. A simple check into your bank account or credit card could have shown that no such charge was made. They try to play on your shock, anger, or fear to get you to act (call them) without thinking.
• Never give out access to your bank account. Any legitimate business should be able to reverse a charge or issue a refund without requiring direct access. 

Document and Parcel Delivery Scams

All those package delivery notification scams we’re used to receiving over the holidays are effective enough to have evolved. Researchers report an ongoing campaign based on DHL and FedEx shipping notifications.

The FedEx angle typically comes as an email telling you a document has been sent. The subject line may include a date it was supposedly sent on, and the message contains a few details about the document to seem legitimate. Then, of course, there is a link to view it. If you click on the link, you reach a spoofed landing page for you to enter your M365 credentials.

The DHL scam is slightly different, claiming that a parcel is waiting for you at the post office because of missing or incorrect delivery details. This message has ‘shipping documents’ attached for you to review. If you click to open them, you’ll see a blurred out spreadsheet with an Adobe login box in front. The login box will be pre-populated with your email address, appearing official, and will prompt you to enter your email password.

How can you avoid falling for this scam?

• Remember than any unsolicited message asking you to take an action – to click a link or open an attachment – should be treated with suspicion. Look closely at the details of the sender, hover over the link before clicking, and ask yourself if this is a normal way for someone to send you documents or a package.
• Any time you click an unsolicited link and reach a login page, stop. In this case, ask yourself why FedEx needs you to provide M365 credentials. Or why DHL needs you to log into your Adobe account or your email. Send the message to your IT team and have them (us) check it for you.
• We hate missing out on things – invitations, news, packages, and documents. Social engineering exploits that fact over and over again because it’s human nature. You can read more about it from a former team member here. So if you can learn to recognize the attempt, you’ll be able to stop yourself from clicking into trouble.

Vaccine Offers

As mentioned in December’s email, the global pandemic is too large a topic to be safe from scammers.

Carl Wearn, head of e-crime at Mimecast explains, “The majority of online scams rely on some form of human error, as it is far easier to compromise a single user than a whole system. Threat actors know this well and are continuing to exploit the human factor by tailoring scams to target current events and the fears of their victims.”

So now that vaccines are available on the national level, the number of targets is the entire population. And experts have recently reported a surge of 350% in vaccine scam emails impersonating the National Health System in the United Kingdom.

The messages typically say you have been selected for a shot based on family and medical history. You simply need to fill out some information to take advantage of the offer. The information you provide, such as your name, date of birth, and credit card details, however, will be sold on the dark web.

So how can you stay safe from this?

• Always carefully check ‘offer’ emails. Is the logo current and correct? Does the sender email match? Is this message from your particular doctor’s office or a statewide or federal agency that would be easier to spoof? Does the offer make sense? For example, if you have already received a shot, wouldn’t they have a record of that? If you call and confirm the message is fake, you may want to report the email as a scam.
• You probably receive legitimate messages from your healthcare or insurance providers. So ask yourself if they ever ask you to fill out information online that they already have. Usually, they just email appointment confirmations, reminders, and notices. Whenever you receive an unexpected message asking you to take an action, call them first.
• Any time your credit card details are requested, be suspicious. Send the message to your IT team and have them scan the email for you.

Utility Company Threats

Fresh off the headlines, Texas utility companies are warning customers about scams that threaten to turn off their power if they don’t pay overdue bills. This is another example of scammers using major events and trends to target their attacks.

The Federal Trade Commission (FTC) also warns of scammers taking advantage of ongoing extreme weather events to steal utility company customers’ money and personal information.

These scams come in the form of emails and phone calls. They are designed to scare you into complying and giving them money via credit cards, gift cards, or even money transfers. They can spoof phone numbers to appear from legitimate companies, and they can copy real company logos into their emails.

What can you do against this?  

• Never give out your banking information over the phone, and be suspicious of any “business” accepting gift cards or money transfers as payment. If you take a call like this, get as many details as you can and then get off the phone. Call your utility provider independently.
• If you get an email like this, recognize that it’s trying to scare you and stop yourself. Don’t click on anything. Navigate independently to your account and see if you have any official messages there.
• Tell your friends and family members about these scams. Victims can lose hundreds and thousands of dollars when they’re not aware of these tactics that begin to seem so obvious to those of us who deal with them all the time. Let your IT team help you, report scams whenever you see them, and consider implementing employee awareness training to give your staff practical experience.

Bonus Scam Alert

With tax time and the added questions surrounding stimulus checks this year, experts are warning about W-2 scams and related threats.

As more and more companies allow employees to opt for digital delivery of their tax documents, rather than waiting for them in the mail, scammers are taking advantage. They send messages claiming to be from HR with malicious attachments or links to download your W-2. They may also try to send ‘Need to Know’ facts about your tax filing this year, or even ‘ways to avoid claiming your stimulus money as income.’

What can you do against this?  

• Check your address book right now to see what messages should look like coming from HR. If you do get a message from HR and you’re not sure it’s real, pick up the phone (or chat) and ask.
• Be sure to check all your tax filing questions at irs.gov or with your accountant. 

Medical Providers Targeted for Wire Fraud Scheme

The FBI has reported a scam targeting medical professionals. Individuals pretending to be members of a medical board, FBI agents, or DEA agents contact medical professionals and claim that their licenses have been compromised and are being used in a scheme to traffic drugs.

The scammers then direct the medical professionals to wire money as non-compliance fees and as refundable bonds to “move the investigation forward.” These funds are sometimes promised to be returned within three days. Some medical professionals are even told to transfer funds to additional foreign bank accounts because of “other entities that are linking fictitious accounts” to the target’s personal, business, and investment accounts.

This scam typically presents through texts and phone calls, often at the target’s workplace, and often using spoofed numbers. In some cases, email is used for contacting. Official-looking faxes containing ‘evidence’ are sometimes sent, often including publicly available information such as the target’s license number, business address, or National Provider Identifier.

How can you avoid falling for this scam:

• With spoofed numbers, this scam be a little trickier to identify. A spoofed number is when the information sent to your caller ID is deliberately false and typically made to appear as an official, recognized number. What you can do, however, is gather all the information you can, such as the ‘agent’s’ name, title, and badge number, and then get off the phone. You can then visit the agency website they claim to represent and call one of the numbers listed there. Do not simply re-dial the call you received. You should be able to confirm that the agent is legitimate, or you can then report the scam.
• Remember not to give away any of your own personal information on unsolicited calls. There is a wealth of data available to the public that can make a person seem legitimate, but if you did not initiate the call, be suspicious. Do not confirm anything. Get whatever information you can and then independently try to verify it.
• Always be suspicious of unsolicited requests to wire money, especially over the phone. Regulated agencies typically send letters in the mail and will have secure portals for legitimate fee payments. And they don’t often sound like something out of The Sopranos (needing money to ‘move an investigation forward’).

Beware that New Suitor

With Valentine’s Day just two weeks away, this next scam couldn’t be more timely. Interpol has issued a notice to its 194 member countries of fraud schemes starting on dating apps.

Scammers create accounts on dating sites and build artificial romances. Once the relationship has reached a level of regular communication and trust, the criminals start sharing investment tips with their targets and invite them to join in money-making schemes.

According to Interpol, “Victims download a trading app and open an account, buy various financial products and work their way up a so-called investment chain, all under the watchful eye of their new ‘friend.’ They are made to believe they can reach Gold or VIP status.

“As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.

“One day, however, all contact stops and victims are locked out of the account. They’re left confused, hurt, and worried that they’ll never see their money again.”

So how can you stay safe from this?

• Always be vigilant with strangers, especially when it leads to a request for money. And yes, someone on a dating app who you have not actually met, no matter how many pictures they have or how much you “click” when you chat/email/talk, is still a stranger. Online anyone can say or be anything.
• Be skeptical and do your research. If an investment deal sounds too good to be true, it probably is. Look up reviews for the app or trading website, and Google it to see if it has been reported by others before you.
• If you’re looking for love in all the wrong places, ask people you know to help set you up or join local groups. Dating apps can be great. But they won’t do the kind of screening your friends and family will. And if you do get scammed, report it so someone else won’t be.

Not Actually Government Assistance

It’s a new year with new government officials in place, and the scammers are happy to exploit it. Experts are reporting scams that pose as government assistance programs and target individuals.

This scam typically arrives through email and speaks of “emergency financial aid,” in one example. Compensation can be as high as five thousand dollars, and the message typically includes a link for details.

The emails are short and could seem plausible, given the stimulus conversations, small business programs, and other funding packages mentioned in the news. But if you click on the link for details, you’ll go to an official-seeming “government” site that asks for your personal information. If you submit the data, you’ll be told that someone will contact you soon. They won’t.

What can you do against this?  

• Look for the basic indicators first: spelling or grammar mistakes, the sender name not matching the sender email, and anything else that seems ‘off.’
• If the message passes the ‘sniff test,’ continue to use caution. Hover over the link before clicking on it. See if you can determine any particular program or government agency the message is supposedly from. If you’re still not sure, send it to your IT team to test it. The link may not be malicious, but your technology partners can find out more in a protected environment so you and your data are not at risk.

Bonus Scam Alert

Experts are warning that fake Parler links and downloads may soon hit the masses.

As you may recall from the headlines, Parler was the new social media platform that quickly attracted a large fanbase and was almost as quickly de-hosted by Amazon Web Services and removed from the Apple and Google app stores.

A couple of weeks ago, 70 TB of Parler data was leaked online. That data dump reportedly includes user profile data, user information, admin rights data, videos, and posts (including deleted posts).

So according to KnowBe4, “This massive haul of leaked data could allow malicious actors to individually target Parler users in campaigns as well as all manner of online scams.”

What can you do against this?  

• Former user or not, never click a link to download an app in an unsolicited message. If you were expecting a confirmation, okay (though I still don’t recommend it). But if a message comes to you out of the blue, go to the app store independently to ensure you are downloading the correct app and the most recent version.
• Remember to make yourself pause if any message seems to elicit a strong emotion, whether that’s excitement, fear, anger, etc. For example, if you were a Parler user upset by it going down and thrilled to hear it’s back up, you should still try to verify it some other way before clicking. And if you are disgusted to hear it’s back up, or curious to see what it’s really like, again, try to verify it independently first. 

Don’t Fall for the Fax Notification

A new scam has been reported that targets businesses and seeks to gain Microsoft 365 credentials.

It arrives as an email notifying you of a fax. The notification appears to come from various legitimate electronic fax services, like eFax, for example, and the email can also be sent from a legitimate, though compromised, email account. This is how it gets past most spam filters.

The message typically includes a thumbnail image of the fax and tries to pique your curiosity enough to click a link to view the document. Once you do, however, you will find yourself on a fake Microsoft login site where the scammer hopes you’ll enter your credentials.

How you can avoid this scam:

• First, know what electronic fax service your business uses, if any. That way, you can immediately rule out any notifications from other programs as scams.
• If the message you receive looks authentic enough that you click to view and you arrive at a Microsoft login page, numerous alarms should go off in your mind. Check with someone in your company about the protocol for receiving digital faxes, or, better yet, send the notification email to your IT support team. Let us test it for you.
• Always be suspicious of login pages you did not directly navigate to. Consider the level of access you could be giving away versus the information you may receive. Did anyone tell you to expect a fax? Do you normally receive information via fax? And if so, is this the standard method you use for retrieving them? If anything seems strange, ask first.

Take a Moment to Zoom Out

Scammers like to capitalize on what’s popular. So now that using Zoom and other conferencing tools has become the norm, it is the topic of numerous phishing attempts.

You may receive an email, text, or social media message, complete with Zoom logo, saying your account has been suspended…but can be reactivated by clicking on an enclosed link. Or you may be alerted to a meeting you missed…and you’ll find a convenient link with details and possibly even a way to reschedule. You may even receive what looks like a welcome message, as if someone else invited you…which of course you can accept by clicking on the enclosed link to activate your new account.

However, if you click on any of those links, you will either find yourself on a login page for stealing your credentials, or you will have automatically begun downloading malware.

These messages work because we often need Zoom for our jobs. Or it’s the only lifeline to faraway family and friends. So the messages play on the fear of missing out, and they disguise it with realistically copied branding.

So how can you stay safe from this?

• Always think before you click. If you receive a warning that your account has been suspended, navigate to the website independently and log in. You’ll be able to see and address any issues. If you get notified of a missed meeting, check your calendar first. A quick glance could confirm that you had nothing scheduled in the first place. And if you receive an invitation to activate your account, you can often sign up without clicking any links. Simply go to the program’s website and create any account you want.
• The main reminder here is to stop yourself before clicking. No matter what the message says, ask yourself why you’re getting it. If it seems legitimate, ignore the link and log in independently. And, as above, you can always send such messages to your IT support team to check for you just in case.

DMV (or DDS) Text Scam

The state of New York’s Department of Motor Vehicles recently reported a smishing scam. A text went out to people claiming to be from the DMV. It said they needed to update their driver’s license information because of a new compliance requirement. The text contained a link to a fake NY DMV website where the scammers tried to collect personal information.

Despite this only being reported in NY so far, it could roll out in other states. And with all the ways we interact with businesses online, a text with a link is not as obvious a ploy as it once was.

What can you do against this?  

• Look for any telltale signs first: spelling and grammar mistakes, the sender not matching who the message says it’s from, and a URL that is not the official, secure webpage it should be.
• Beyond the basics, train yourself to stop before clicking on any unsolicited links in texts or emails. In this case, navigate to the DMV website independently where you can safely log in and see any official notices. Most government agencies tell us they will never ask you to transmit personal information through email or over the phone. They send letters in the mail in order to protect your security. So if you get a message like this, take a screenshot and report it, and then delete it.

Unhappy Holidays

Tis the season…for an increase in shopping scams.

From unbelievable deals to undeliverable packages, and even fake charities, the holiday season scams that proved successful last year have returned.

You may have already seen a Black Friday or Cyber Monday email offering a thousand dollar TV marked down 90%.

You may have been sent a text message that your FedEx parcel couldn’t be delivered and you need to click on the tracking link in order to update or confirm the address.

You may even have been called and asked to support a heart-warming charity trying to help those in need this particularly difficult holiday season.

At first blush, any of these could be legitimate. To protect yourself when they aren’t, please keep in mind the points below.

And if you enjoy video, watch this three minute interview at WTOC where Cyreia Sandlin and Chuck discuss some warning signs of these typical holiday scams.

How to stay safe:

• ‘If it’s too good to be true, it probably is.’ It’s an old saying that’s still true. When you see an incredible offer, ask yourself how the company could stay in business if it were real. In the example above, is the TV not worth the original, thousand dollar price? If it is, how could the company last selling it for one hundred dollars? And if it’s not, then what else about this ‘deal’ isn’t true?
• Before clicking on any link, whether in text or email, train yourself to stop for a second. A tracking link or delivery issue is such a plausible topic that these scams continue to work. But check for signs of a generic message that could be sent to multiple people. For example, does it address you by name? A legitimate company will have your account information. Does it have any identifying details of the order? And is it from the right shipping company? You may not always know when a business uses UPS rather than FedEx, but you should have a confirmation email you can refer back to. Rather than clicking on the unsolicited message link, go back to the original, official one.
• If you are approached by a charity, whether by phone or email, do your homework before giving. There are so many legitimate organizations working tirelessly to improves the lives of others and relying on your help to do so. Unfortunately, there are also others that come up with similar names and missions solely to steal your money. So ask questions. Don’t let them rush you. Look them up independently. And feel free to say, “no.”

Fake Teams Update Ad

This scam has been used to target numerous industries, most recently education (K-12). It appears as an ad, trying to lure you into updating your Microsoft Teams software.

What’s particularly dangerous about it is that simply clicking on the ad starts downloading the malicious payload. You won’t be sent to a landing page first where they can try to steal your credentials and where you may see signs of a scam. Instead, your click starts a script that will typically steal your sensitive information and open a backdoor into your computer (and network). You’ll also get an authentic copy of Teams installed to help hide what’s really happening.

So how do you avoid a trap like this?

• Always be careful of ads. If you see one that sounds appealing, navigate to the website independently and see if the offer is real. You can also open a new tab and search using the terms in the ad to see if it has been reported as a scam.
• If you’re not already, consider using a web browser that can filter and block malicious websites. A tool like that should keep such an ad from even appearing to you. You can also have settings to block executable files from downloading unless they come from trusted sources.
• With regard to software you need or want, always ask your IT partner first. We’re constantly testing out something new, and we’ve worked with so many programs already, that we can usually give some well-rounded recommendations. And we typically roll out updates to programs automatically during off-hours so they don’t impact your day.

Vaccine Scams

A global pandemic is the gift that keeps on giving to criminals. Bad actors have already issued scams about current statistics and infection maps, government funding. tracking apps, and employment rights and layoffs. And now, experts expect them to shift to the vaccine.

The logical concerns and questions people have will become the focus of these scams. Issues such as whether the vaccine may be safe, when and where it can be taken, and how much it will cost will be used as bait in emails and online surveys.

Messages seeming to come from HR could have links to insurance coverage information. Emails appearing to be from government agencies or local pharmacies may link to ‘your nearest vaccine location.’ Some may even claim to let you register or reserve your dose in advance.

They will all try to play off your natural curiosity, fear, or concern. They will all cause you nothing but trouble.

What can you do against this?  

• Awareness training is critical. Scams used to be easier to spot. They typically had bad or no graphics, and the grammar was atrocious. Now, they can copy company logos perfectly and use tricks to hide their malicious domains. So it’s up to us to be vigilant. We need to know the warning signs and look out for them. We need to stop and think before every click. And we need to tell those around us to as well. Because a network is only as strong as what its weakest link lets in.
• If my team or I can help in any way more than sending this monthly information, please let me know. It’s been a long, strange year, and I am honored to say we’re still here for you.

Don’t Fall for Fake Windows Defender

As anticipated, phishing attacks and hackers continue to become more sophisticated. A new effort to make authentic-looking Windows Defender graphics, combined with some security-related logos such as McAfee, is convincing users to enable malicious macros.

This phishing attack typically arrives as an email with an invoice or other financial files attached. Once you open the attachment in Excel, you’ll see a yellow bar warning you that “Macros have been disabled” next to a button to “Enable Content.” Then on the screen below, where you would typically see the spreadsheet, you see the Windows Defender and other logos with official-sounding steps to view the enclosed information.

At a glance, it can appear authentic. But if you enable the content, you’ll download the Qbot malware built into the document that can steal everything on your computer and leave the door open for attackers to get back in whenever they want.

How you can avoid falling for this:

• It starts with the phishing email, so look for all the usual signs. Check the sender’s name and email address, look for any strange text in the message, and make sure the attachments are appropriate before opening them.
• If you open an attachment that ever requires you to enable macros, stop. In rare cases, when you are one hundred percent certain of the sender and you were expecting such a file, they can be fine. But if you have any doubt at all, ask your IT professionals to check the file for you first. We have scanning tools and other advanced options to investigate securely without putting you or your network at risk.

Social Media Scams Increase Exponentially

If you don’t have a single account on Facebook, LinkedIn, Twitter, YouTube, Instagram, Pinterest, TikTok, or any other social media platform, kudos to you. According to Omnicore’s Social Media Benchmark Report 2020, eight out of ten Americans have at least one account, and the average Internet user has eight accounts.

So for eighty percent of us, extra care is required for our social media interactions.

A recent report from the Federal Trade Commission (FTC) found scams on social media to have skyrocketed this year since the beginning of the pandemic. And ZeroFOX researchers, who say their data aligns with the the FTC report, say scamming incidents have increased by more than five hundred percent compared to last year.

The biggest increases in scams focus on money-flipping, money mules, and HR-related gambits.

These angles target people who have lost jobs and income, and their effectiveness means researchers expect them to continue.

Stay safe with these tips:

• Remind yourself that if a deal sounds too good to be true, it probably is. And if it’s coming to you in the form of a social media post or message about a low-investment dollar amount that will come back to you in double, triple, or even more, then it’s most likely not a legitimate investment in the first place. That’s not to say all low-cost investments are scams. For example, you can purchase stock slices from Charles Schwab for as little as five dollars according to their website. Charles Schwab is a reputable business. However, sending fifteen dollars to an individual through PayPal with the expectation that you will receive sixty back in a week is much less likely to pay off.
• When it comes to HR scams, yes, there are real jobs out there. But you have to do your homework. When a ‘recruiter’ you’ve never met sends you a message on LinkedIn and wants you to fill out paperwork with your personal information, be skeptical. Protect yourself by looking into the company they say they’re with. Try to find a relevant job posting. If it’s not listed, ask questions until you are satisfied. Most legitimate recruiters will direct you to a secure website where they track their candidates. If someone sends you a Word document that needs macros enabled, delete it.

Election Threats

As predicted last month, scams focusing on the election have recently been reported in Florida and Alaska. Despite all the early voting, these last few days will almost certainly reveal more.

This particular scam comes in the form of an email threatening to ‘come after you’ if you do not vote for President Trump. The message sender appears to be the Proud Boys, a group founded in 2016 that currently supports Trump, but the chairman of the group says it is definitely not from them and that they do not send emails.

The scam typically claims to have your information and sometimes includes your street address. It also claims to have access to the voting infrastructure and demands you set your political party to Republican and vote for Trump. Or else.

What can you do against this?  

• While it may be startling to receive a threatening email that also includes your street address, try to remain calm. Remember that there are many public records that can include your address. Report any kind of message like this to your election officials, and rest assured that the FBI as well as the CISA are investigating.
• Scams like this may seem laughable to many, but they work by planting a small seed of doubt that it could be true. If your address and email address are correct, look closely at the name that most of these messages begin with. Instances have been reported of a different first name than the recipient, which is an indicator of mismatched data in lists or an error in the scammer’s script. In any event, report any message like this and delete it. Then vote for whoever you want.

Fake Forward Phishing

Just in time for Halloween, we have a ‘zombie’ type of phishing attack to avoid. It appears as part of old email conversation, revived and brought back to life.

The message shows up with the genuine subject line and content you previously emailed with someone. The email thread may be full or partial and can date back months or even years. It will now include a link or attachment that the phisher is hoping you’ll click on since the original conversation was real.

Sound scary? You can outsmart it.

How you can avoid falling for this:

• Always look at the sender’s email address. Not just the name that appears, but the actual email address. In this scam, the sender will not be the real person you previously emailed, and you will see a different email address. It works through third-party programs that almost all businesses use, like Mailchimp and ConstantContact. Remember hearing about SendGrid’s spam problem a month ago? This isn’t their fault, but it is an example of how hackers can gain access indirectly. Once in an emailing system, they can harvest what they want and repurpose it into a scam like this.
• Always stop and think before you click or open an attachment. This scam hopes you will see the familiar message and not pay attention to details. Reports have said the link or attachment doesn’t really make sense with the genuine message, so if you slow down and read, you should be able to avoid falling into this trap.

Scamming Customer Support

Bad actors are using the contact forms on websites to try to deliver malware.

A typical example would be a message claiming to be from an illustrator whose work is being used without permission on that website. The message would be submitted through a business website form and might include a threat to sue. “Proof” is offered through a link to Google Drive where, supposedly, you could see the original, copyrighted artwork.

It all seems pretty reasonable. But anything downloaded will require that macros be enabled, which then allows the malware payload to be installed.

Stay safe with these tips:

• Repeat to yourself, your staff, and everyone you know to not click on unsolicited links. The fear of being sued is intended to make you less cautious, and it’s natural to be curious about the artwork. But you or your customer service specialist can investigate this in other ways. You may have a webmaster or an internal person who works on the website. You can also do a reverse image search on Google to find more information.
• Never enable macros. Especially in files from strangers. If a message seems legitimate, ask your IT team to find out if it’s safe.
• This particular scam can be so dangerous because the typical filters and flags aren’t being set off. You expect strangers and unknowns to submit through your website forms, and a simple link to Google Drive can be legitimate. So it is critical that they way such messages are handled–the human behavior part–is with education and awareness.

Special Disinformation Delivery

You’ve probably received at least one phishing email from a delivery service, such as UPS or FedEx, with a fake link to tracking or other package information. It’s an especially popular scam around the holidays. Now, you need to look out for them via text–vishing rather than phishing.

Recently, a vishing scheme like this went viral for two reasons. It went out to a massive number of victims, and then it was inaccurately reported to be tied to human sex trafficking.

The text appeared to be from the US Postal Service containing a link to information about a package. Clicking on the link would bring you to a customer satisfaction survey that required your credit card number. Then, someone shared a screenshot of the text and claimed that clicking on the link would allow the sender to track your location, which would be used by sex traffickers.

What can you do against this?  

• First things first, do not click on a link about a package you are not expecting. If you’re ordering more lately, as many people are, check your package status in the app or when logged into the website where you purchased it. Secondly, no legitimate customer satisfaction survey would ask for your credit card number. It’s an attempt to steal your credentials.
• With regard to the conspiracy theory aspect, there is a positive and a negative side. The positive is that the viral sharing of it may have kept some victims from falling for the scam. The negative, however, is that it leads to so many false reports of sex trafficking that the national agency handling the hotline is diverted from real cases.
• Disinformation also leads to mental fatigue that can lead to lower cognitive functioning. You get tired of hearing stories that turn out to be untrue, so you start tuning everything out. You pay less attention, and that’s when a scam will trip you up. And things will only get worse as we near the November election. The election may not be a global event like the pandemic, but it is expected by experts to bring a flood of phishing and social engineering scams. So stay alert, and stay safe. 

Spearphishing through LinkedIn Jobs

This scam is currently being reported in regard to a System Administrator job posting on LinkedIn. It’s worth sharing and being aware of, however, because the approach could be broadened and used for any type of job posting on LinkedIn.

This is how it works: a job is posted on LinkedIn. People who engage with the listing are responded to and sent a Word document as part of the application process. The sender claims the Word file is protected under GDPR and that macros need to be enabled to open and use it.

If those macros are enabled, a series of malicious actions occurs including downloading system-specific malware payloads. Credential harvesting, deletion of security log entries, and lateral movement (how cyber criminals try to move deeper within your network) are all part of the attack.

So how can you avoid falling for this?

• Always be suspicious of someone requesting or demanding that macros be enabled. Macros are a series of operations, like a program, that can run on your computer from within a file like Word or Excel. They can be useful and harmless, but they can also hide malicious activities. If you did not build them yourself, or you do not know and trust the person sending you a file with macros in it, do not enable them.
• Go ahead and be skeptical. If you are applying for a job that was posted on LinkedIn, why would you also have to fill out and return a Word document? Does the company not have a website form or other means of accepting applications? You can provide a lot of personal information when applying for a job, so if the process seems strange, call and ask first.

Job Dismissal Scam

In another employment-related scam, Kaspersky, a global cybersecurity company, reports this Q2 trend.

An email appearing to come from HR tells the victim that the company has been forced to discharge him or her due to the pandemic-induced recession. The email comes with an attached form to request applicable severance pay. Fortunately, the firing isn’t real. But unfortunately, the attachment contains malware.

Stay safe with these tips:

• Double- and triple-check any emails claiming to be from Human Resources. Make sure the email address is perfectly correct. Consider whether the message is something that would be coming through email.
• Even when an email appears to be internal, stop yourself before opening attachments. Pick up the phone and check with your HR Department before clicking any links or opening any files.
• It’s easy to get swept up in the emotions of finding out you’ve been fired. That’s what cyber criminals bank on: emotions clouding your ability to think. So train yourself to pause before taking any action on any email. That simple habit could save you a lot of grief.

Vaccine Phishing

As we’ve seen time and time again, global issues attract cyber criminal scams. This pandemic alone has seen phishing emails about maps, statistics, tracking reports, funding resources, and employment angles. Now, the messages are shifting to vaccines.

Checkpoint, a leading provider of cyber security solutions to governments and corporate enterprises globally, reports “a doubling in the number of vaccine-related new coronavirus domains between June and July. In fact, 1 out of every 25 malicious coronavirus-related websites’ landing pages is vaccine related.”

The emails being reported can come through with a malicious attachment, prompting you to download the latest list of approved vaccines, or with a link that redirects you to a spoofed medical site where you would enter your personal details in order to get the promised information.

In either case, the goal is to steal your credentials.

So what can you do?  

• Remain suspicious of unsolicited messages related to global events like the pandemic. If you receive ‘groundbreaking’ or ‘unreleased’ information about a vaccine, look carefully at the sender. If it is someone you know, is it normal that they would send you a message like this? If it is someone you don’t know, treat it with skepticism. If you get it at work, report it to your IT team.
• Curiosity, like fear, is a tool scammers use to get you to take action. If you train yourself to always stop for a moment before doing anything with an email, you will be far less likely to fall prey to it. 

Voicemail Notification Scam

Many phone systems, like ours, for example, provide the convenience of sending voicemails as attachments to emails. There are phishing scams taking advantage of that, and researchers tell us those scams are increasing. The increase means the scams are effective, so be on guard.

The scam typically appears as a system-generated notification. It may have an attachment, or it may link to an ‘encrypted’ page where you would enter your credentials before being able to access the message. Either way, it’s malicious. These scams have spoofed O365 or Outlook, Cisco, Google, and other major brands, trying to steal your credentials.

So how can you avoid falling for this?

• Find out what a legitimate voicemail message looks like in your company. Is it a link or an attachment? Who does it come from? If your company doesn’t send messages like this, then report any you receive.
• Stop any time you are asked for credentials. If it is something being requested, rather than a login you are initiating yourself, are you sure it is a legitimate request? Check the URL very carefully, and when in doubt, ask your IT team.
• If you happen to be near your office phone, an easy way to check is to see if you have any missed calls. If you get an email about a voicemail, but you don’t have any missed calls, it is most likely a scam.

Quarantined Emails Scam

No one likes missing an important email. This scam plays on that fear by appearing to notify you of messages stuck in quarantine.

The scam email comes from a ‘service desk’ and has a button or link for you to click and release the supposedly quarantined messages. That link goes to a page customized to impersonate your email login portal in an attempt to steal your credentials.

Stay safe with these tips:

• Double- and triple-check any emails claiming to be from any kind of Service Desk or IT support team. If it’s from us, for example, the sender email will be support[at]infinityinc.us. It will not say “Service Desk” or come from any .com address.
• If you see an email like this for the first time and you’re not sure if it’s legitimate, ask. There is no harm in checking. And there could be a lot of harm done without checking.
• Always stop before entering your credentials on a site you did not independently navigate to. Did you hover over and carefully check the link before clicking? Does the landing page URL, text, and images pass detailed inspection? Does it make sense to give your email and password to release quarantined messages? If you have doubts about anything, call or email your IT team.

Pandemic-related Workplace Lawsuit Scams

According to a major law firm, workplace lawsuits related to the pandemic are increasing exponentially (based on numbers from April, May, and June – see link below). These include discrimination and leave cases filed at the state and federal levels, as well as class action lawsuits.

Cybersecurity experts are warning businesses to inform their employees that scams about this are coming. One example may appear to be from HR with an attachment or a link to information on ‘updated work rules’ or ‘new leave requirements.’ Another example would appear to be from a law firm reaching out to you as a potential ‘victim of unsafe working conditions.’

In either case, the goal is to deliver malware or steal your credentials.

You can view the law firm’s litigation tracker information here.

What does this mean for you?  

• Remain suspicious of unsolicited messages related to global events like the pandemic. If the message appears to be from your HR department, carefully check that it is the right sender and not a close spoof. You can also pick up the phone and ask HR if they sent such information before opening it.
• It’s natural to be curious if you see a professional-looking email from a law firm about a class action lawsuit. Remember to hover over any links before clicking to see where they point. You can also Google the firm and see if a) it really exists, b) it handles that kind of case, and c) if the information in the email matches what’s online. Then you can pick up the phone and call. If the email is a scam, you may be helping to make them aware of it. 

Survey Says…You just got scammed

Many businesses, including ours from time to time, will send out surveys to learn more about customers, feature requests, how attractive certain offers might be, etc.

In order to encourage participation, it is common to offer some kind of incentive. This can range anywhere from a coupon code or small gift card to entries in a drawing for a larger, more expensive prize.

But Naked Security by Sophos has reported a wave of surveys appearing to be from brand name businesses that are actually scams trying to steal your email login and/or credit card information.

The survey usually comes from a real company the scammers have spoofed. Often, it includes basic business questions you would expect about shopping preferences and store hours. Your suspicion should be raised, however, when they not only ask for your email address, but the password you use to log into it. No one sending you email needs your password to do so.

Aside from that red flag, how can you avoid falling for this?

• Pay attention to the details. In one example they reported, the brand name appeared to be an existing, legitimate hardware store, but the first few questions were about shopping habits at a grocery store.
• Look for indications of urgency. If there is a limited number of ‘prizes’ and they are showing how many (or few) are left as you go through the survey, they are most likely trying to get you to answer quickly and without thinking.
• Trust your gut. If the reward for answering a few survey questions seems too good to be true, it probably is. For example, getting a $1,000 iPhone in return for answering ten questions seems a bit over the top.
• Run if you see any requests for payment information. Well, report the website and then run. Many survey scams ask for a ‘nominal delivery fee’ or shipping cost to make that thousand dollar smartphone prize seem legit. But the form where you enter your credit card information feeds directly to the scammers. Which they will turn around immediately and use. If that happens to you, call the number on the back of your card immediately.

VPN Impersonation Scam

As so many companies switched to remote work setups, VPNs quickly became a lot more common. That makes them ripe for scams.

A virtual private network (VPN) is a secure type of connection that lets you use a laptop or home computer as if you were on your company’s network. This is a lot safer than most people’s home connections or free wi-fi used when traveling.

The recently reported phishing scam takes advantage of more (and new) VPN users, claiming there is a configuration update. The message often appears to be from your IT support team, but the link for updating it attempts to steal your O365 credentials.

Stay safe with these tips:

• Double- and triple-check any emails claiming to be from IT support. If it’s from us, the sender email will not have your company’s domain. And if it shows up as a contact in your domain, make sure it’s someone you would expect to send that kind of message.
• Ask first. There is no harm in checking. And there could be a lot of harm done without checking. Did your supervisor or IT team warn you this was coming? Did everyone get the email, even staff who never had VPNs set up for them?
• Always stop before entering your credentials on a site you did not independently navigate to. Did you hover over and carefully check the link before clicking? Does the landing page URL, text, and images pass detailed inspection? Does it make sense to give your O365 email and password for a VPN update? If you have doubts about anything, call or email your IT team.

BLM Phishing Forecast

Current events, especially global ones like the ongoing pandemic, attract any number of scams. Phishing emails can be quickly crafted and sent out en masse to prey on people’s fears, charitable natures, and other emotions.

One of the indicators that cybersecurity experts use to try to predict what attacks we’ll see next is to monitor domain registrations. The increase in registrations of a similar theme or topic shows what society is currently interested in, which is often quickly followed by more registrations with malicious intent.

“For example, over 20,000 domains related to COVID-19 were registered in just three weeks and 17% of them were related to maliciousness,” reports KnowBe4.

It may not sound like much, but that is more than 3,000 domains intended to steal your data.

KnowBe4 goes on to say that “the current blacklivesmatter movement is another moment in history that spammers and phishers are sure to take advantage of. Once you start seeing the domain registrations come, the scammers are not far behind.”

You can see a sampling of the domain names here.

What does this mean for you?  

• Stay aware. Not every message about a current event is malicious. But scammers will always try to take advantage of situations when strong emotions are in play. Stay clear-headed, and do not click on links in an unsolicited message.
• Spread the word. Your awareness helps protect you and your network, but what about all the other people who have you in theirs? When we all know the warning signs and best practices, phishing won’t have any hooks left in it. 

Covid Data Spreadsheet Scam

Last week, Microsoft warned about a phishing attack that looks like it is from Johns Hopkins University and has an Excel attachment. The spreadsheet claims to have stats and graphs about the number of coronavirus deaths in America. If you open the attachment and click on ‘Enable Content,’ it will download software that allows cybercriminals to take over your computer and steal confidential information.

The campaign began on May 12 and has been described as “massive.” Several hundreds of unique Excel files have been used, but they all result in the same malicious download. Further complicating matters, the remote access tool being used is legitimate; it is the macros in the Excel sheet that are malicious.

You may think that months into the pandemic these scams would be less effective, but they are still going strong.

How can you avoid falling for this?

• Remember to always be suspicious of unsolicited attachments. If the content is of interest to you, then go to the source. Johns Hopkins shares a wealth of information on their website that you can access and has publicly stated that they do not send attachments in their daily reports.
• Ask your IT team to scan suspicious emails and/or attachments. You don’t have to figure it all out on your own. If you can’t tell whether something might be dangerous, have your professionals test it just to be safe.

Scams Targeting the Unemployed

New job scams are doing the rounds, preying on people who may be recently unemployed or need to find remote work for various reasons (lack of childcare or public transportation, etc.).

One of these offers five thousand dollars a month working as a personal assistant. It sounds like a great deal and potentially plausible, being on call to run errands and do personal chores for busy executives, but it is actually a scam run by criminals that will try to use their victims for money laundering.

The scam works by establishing trust through a series of typical errands. Then the remote worker is asked to move funds or conduct transactions, not realizing that they involve stolen money. The remote worker has just been made a money mule. And the FBI points out that even doing so unknowingly is criminal behavior, punishable by law.

Another employment scam arrives through SMS, or text. It advertises an immediate job opening with a link to the information. The link goes to a spoofed employment or staffing site where personal information is required in order to apply for the job. Victims of this scam have provided their social security number, date of birth, and address before finding out the truth.

Stay safe with these tips:

• While remote work has been steadily increasing in popularity, you should still be suspicious of unsolicited emails or texts advertising such positions. Unless they come from a headhunter you know, they are typically a widespread scam to either steal your personal information or make you an unknowing accomplice.
• Keep in mind that urgency is a tactic used by scammers to get you to click without thinking or doing research. And if an offer seems too good to be true, it usually is.
• Take the time to check a company’s website and call or email their HR department before filling out information for a job. It’s true that not all positions are posted publicly, but if there is a real opportunity, you should be able to speak to a real person about it.

Contact-Tracing Scam

Another SMS or texting scam to look out for centers on pandemic contact-tracing. As of the end of May, this scam has been reported primarily in the UK, but experts expect it to spread globally as contact-tracing apps roll out across the world.

Contact-tracing is designed to notify people when someone they have interacted with tests positive or shows symptoms, so that person can take preventive measures and/or get tested. Some apps have already come out to help share this information, and more are being tested.

The scam works by appearing to be a text from one of these apps, saying someone you know is at risk and it is recommended that you get tested or self-isolate. The message includes a link for you to enter your personal information to supposedly confirm the contact and then help notify others you have been in contact with. However, your personal information is really used to gain access to bank accounts and steal from you.

So how can you protect yourself?  

• Stay vigilant. Scammers will always try to take advantage of emergencies when people are worried and fearful and not always thinking clearly. Do not click on a link in an unsolicited message.
• If the message includes information about the app, try to confirm independently that it is legitimate. If you worry it might be true, contact your local health center without interacting with the message link. They can discuss symptoms and risk with you, and you can arrange a test if necessary. 

Caller ID Spoofing Scams

This new trend is horrifying but can have a happy ending. Scammers are using caller ID spoofing–making the number they are calling from appear to be another phone number–to trick banks, credit cards, and victims.

If you’ve ever called Comcast and had the automated system ask if you are calling from the number on the account so it can immediately pull up the right information, then you can understand how part of this scam works.

A scammer uses caller ID spoofing to appear to be the victim and calls the number on the back of a credit card or the bank’s phone system. Because those systems are automated, the spoofed caller ID gives the scammer balance information as well as the most recent transactions in some cases.

The scammer then calls the victim, using caller ID spoofing again to pose as the bank or credit card, and has so much information that the victim believes it is legitimate. The purpose of this call is to convince the victim that fraud has occurred and have them confirm and “reset” a security word or passphrase.

Once the victim has given this information to the scammer, the scammer can call the bank or credit card with caller ID spoofing as the victim and have full access to the account using the new security word. Horrifying, right?

Well, here’s the happy ending/silver lining: 

• You can easily avoid falling for this scam by not engaging in calls “from” your bank or credit card.
• You don’t have to be rude or tip them off, but you can get off the phone and contact the company using the number on the back of your card or contact information on their secure website. Then when the bank tells you they didn’t call, you can report the scam and let them look into it.
• To further protect yourself, since obviously the scammer has your phone number and the name of your bank or credit card, you can make sure there is no strange activity on any other accounts you may have. You can also change passwords, especially if any accounts share the same passwords (which they should not – get good password hygiene here). And you can consider a Dark Web monitoring service that will alert you if your credentials show up for sale.

Impersonating the SBA

Small businesses just can’t catch a break. As if dealing with the pandemic isn’t bad enough, a timely scam targeting small businesses has been reported. Emails appearing to come from the Small Business Administration claim to require the victim’s signature on an attached document. The email typically includes elements of the SBA’s branding and refers to application status or confirmation. The message might specifically mention the Paycheck Protection Program (PPP) or may refer to disaster relief loan paperwork.

If you open the attachment that needs to be signed and returned, however, you will be installing malware onto your computer. Some decrypted examples showed surveillance tools like keyloggers, webcam and microphone access, and browser history and password scraping malware that got installed.

Stay safe with these tips:

• Always use caution with attachments. In this case, as well as typically any other government agency, you can find the exact steps that will be used for an application process. Most likely they will spell out the ways they will contact you and what they will and will not ask for.
• Especially when you receive emails with attachments and action requests, check the sender carefully. Does the sender’s email match the sender’s name? Is it spelled exactly right? In this case, is it what the SBA told you to expect?
• Before opening an attachment you weren’t expecting, try to confirm its validity another way. Call if you can, but don’t use a phone number in that message. Perhaps ask someone else who has gone through the process. And if you can’t find a way to check on your own (or you don’t want to), then just ask your IT team. We can help with things like this.

Notflix

Is there anyone who still doesn’t have a Netflix account? Scammers are working angles with the masses who do as well as those who don’t.

For those who don’t already subscribe, scammers like to make fake Netflix signup sites. This gains them emails, addresses, and often billing account information. For subscribers, fake login sites can capture emails and passwords, which can then be used on the actual site to gain access to any personal or billing information stored in the account. Cybersecurity firm BrandShield recently reported 639 fraudulent domains using the word “Netflix,” 236 of which were established in March alone.

And yet another scam recently offered ‘free passes’ to help alleviate this extended time at home during the pandemic. This angle worked off a questionnaire, which of course meant filling out personal information, and then needed to be forwarded to ten friends. The free pass didn’t actually exist, but the scammers gained 11 new email addresses for phishing attacks and ‘friends’ they could use for social engineering.

So how can you protect yourself?  

• Always check and double check the URL of websites you visit. Look for the padlock that indicates they are secure, and check the spelling carefully. Look for double letters or numbers that appear to be letters.
• Whenever you see a free offer, ask yourself why it’s free. There’s a popular saying that ‘if you aren’t paying for the product, you are not the customer; you are the product being sold.’ Now that’s not to say that something like free shipping offers are evil. They are usually just a way of motivating customers to spend more. But an offer to receive Netflix for free, when other people have to pay for it every month, should throw a warning flag. 

Stimulus Scams

Now that a stimulus bill has been passed, keep an extra vigilant eye out for scams about that money.

As I sent last month, something as global as the current virus brings a surge of phishing and social engineering scams. Once you add money into the mix, the scams simply shift from sharing information with malicious links and attachments to requests for ‘verifying’ your information before you can receive your money.

Experts from KnowB4 put it this way, “Think about it – one of the fundamental components of a good phishing scam is to create a sense of urgency. And, in a lot of cases, people need the financial assistance established in the Stimulus Package in any of its available forms. The urgency is there… and in copious amounts.”

So what should you look out for? 

• Be especially careful of any messages claiming to be from your (or a) bank, the IRS, or any other government agency. Whether it’s an urgent need to ‘verify’ your data or a request for your bank account information, hold off. The IRS has previously reported that it communicates primarily through the mail, and as of March 30th announced that distribution of checks will be automatic in approximately three weeks, with no action required for most people.
• If you receive any messages that pass the sniff test, navigate to the sender’s website independently and look for the supposed information there. If it turns out that you did get something legitimate from your bank or the IRS, then you’ll be able to log in safely and find the details in your account.

Weaponizing the Fear of Infection

Another timely scam has been reported that shows the adaptability of malicious actors. In this one, the sender is typically a spoofed hospital. And the message is a horrifying notification that you “have been exposed to the Coronavirus through personal contact with a ‘colleague/friend/family member’.” You are then directed to download a malicious attachment and proceed immediately to the hospital.

If you do open the attachment and follow the directions, you will be downloading a “sophisticated and dangerous backdoor trojan [that can] evade detection by security applications, worm its way deep into an infested system, and serve as a platform for a variety of criminal activities.”

You can imagine how effective this might be. The email is short and plain enough to be believable, and it plays on one of our biggest fears right now. Scammers are hoping that fear causes you to react without thinking and open the attachment.

Stay safe with these tips:

• Always try to stop yourself when an email makes you feel a strong emotion. Whether it’s fear, anger, or an adorable desire for puppies and kittens, the sender could be trying to push you towards taking an action–opening an attachment, clicking a link to donate, etc. Many times you’ll be fine (that’s what a lot of successful marketing has been built on), but pausing before you do so can save you a lot of trouble in the long run.
• Check the sender carefully. Does the sender’s email match the sender’s name? If it’s a hospital, is it your local hospital or one you’ve never heard of? Is it spelled exactly right? If you look the hospital up online, does it have the same address, phone number, logo, and style?
• Try to find another way to confirm before acting on a message like this. If it’s really from the hospital, then you might be able to find a phone number–not one included in the message–to call and get more information. And if you do decide to act on it and simply go to the hospital, then skip opening the attachment. You know there’s going to be plenty of forms and paperwork when you get there, so why risk it. With the overload our healthcare system is currently dealing with, does it even make sense for them to send customized attachments? You don’t have to be paranoid, but you can certainly question things.

A New Twist on Sextortion Campaigns

Remember those old Hair Club for men commercials where the guys says, ‘I’m not just the president; I’m also a client’? Well, I don’t just research these scams; I get them, too.

If you’ve been to one of our sessions on phishing, you may recall seeing an email I received that claimed to have caught me doing unspeakable or embarrassing things on my computer camera which would be shared if I didn’t cough up hundreds or thousands of dollars.

Now there’s a new twist. BleepingComputer reports a sextortion scam designed to get you to download their malware that hinges on curiosity rather than threats.

It appears as a message that your friend, not you, had his email hacked and was demanded to pay five hundred dollars or else the compromising photos of his girlfriend that were found would be sent to everyone in his address book. Since he didn’t, the hackers are sending you those photos in an attached file.

If you were curious enough to open the file, you would find blurred images that require content to be enabled. And if you enable, then the embedded macros in the attachment will deliver the malware.

So how can you protect yourself?  

• Try not to let your curiosity get the best of you when it comes to unsolicited emails and attachments. We’re human, so we’re naturally curious. But before clicking on something like that, wondering if it could be real, ask yourself what could be the worst-case result from it. The answer is most likely a far higher price than you want to pay just to satisfy your curiosity.
• Similarly, try not to let fear get the best of you. Getting a message like this and being afraid it’s true, and wanting to confirm before letting your friend know they’ve been hacked, is both noble and dangerous for your own network. Let them know without confirming the evidence, and you’ll both be safer. 

The Health Information that Gives Viruses

When something makes global headlines, like the Coronavirus has, the scams are quick to follow. The World Health Organization (WHO) has put out an alert about ongoing phishing attacks that impersonate the WHO and try to steal confidential information and deliver malware.

These attacks come in various forms. One may include a link to an “updated map of confirmed cases” or a map claiming to predict where the virus will spread to next. Others may attach a document of “safety measures” to review and share with your family and business. And others try to get your personal information as a request from the WHO.

There is obviously a lot of information being shared about this virus and ways to try to prevent getting sick as it impacts people worldwide.

So what can you do? 

• Be suspicious of any unsolicited messages. Especially when it appears that you have been contacted by an agency such as the WHO, find another way to verify its legitimacy before engaging with anything in the message.
• Independently navigate to the website and find any pertinent maps or information there. If it’s really from the WHO, then it won’t be private and emailed solely to you. There are also other agencies to contact for information, such as the CDC or NIH.

Beware the Browser Extension

We do so much online that adding browser extensions to type less, shop more frugally, and save passwords, for example, can seem like a godsend. But beware: not all browser extensions are created equally.

Google recently removed more than 500 extensions that were found to be stealing private browsing data and perpetrating ad fraud, among other unsavory activities.

They were discovered through an advertising-as-a-service Chrome extension designed for businesses. Rather than help advertise their businesses, however, the users of the extension fell under server commands to visit a round robin of sites to accumulate fraudulent ad revenue. Some sites were benign and others malvertising, or phishing sites. The extension also had code giving itself extensive permissions for accessing data and was able to steal private browsing data from the infected browsers.

Stay safe with these tips:

• Always vet the software you plan to install. Whether it is on a desktop computer, a laptop, or a phone, just because something is available through the Google App Store (or Apple’s or any other), does not mean it is secure. This applies to extensions, plug-ins, apps, etc.
• Remember the saying that, “if you’re not paying for the product (or not sure exactly what it is), then YOU are the product.” If a deal seems too good to be true, it probably is. As one of my employees likes to say, “trust…but verify.”

Seasonal Scams: Valentine’s Day Edition

According to the FBI’s Internet Crime Complaint Center latest figures, confidence/romance scams cost victims an astounding $475,014,032 in 2019.

As if dating and relationships don’t already cost too much and often end in heartbreak…

That’s just a joke. All these scams can paint a pretty depressing picture, so I like to lighten things up every once in a while. They’re a serious problem, but my team and I don’t want you to feel overwhelmed. You’re already taking an important first step by embracing awareness. And when you’re ready to talk next steps, we’re here.

In any event, holidays will continue to attract scammers. They’re an easy opportunity to send appropriately themed messages that can play on your emotions or seem like a realistic offer to download that dating app full of malware or con artists for an extremely low entry price.

“For cybercriminals, Valentine’s Day is just another holiday and the opportunity for just another scam,” explains Terence Jackson, chief information security officer at Thycotic. “If you don’t know who the mark is, it’s most likely you. Phishing is still the attacker’s weapon of choice, and there will be no shortage of well-crafted emails and messages designed to emotionally engage you and prevent you from making rational decisions.”

Next up will be St. Patrick’s Day. Then Easter, Tax Day, etc. So keep an extra eye out for those ‘lucky’ deals and offers that will send you ‘over the rainbow.’ Many will be legitimate sales, but others will be designed to steal your passwords, your money, and your faith in humanity.

So how can you protect yourself?  

• Try to be more aware around all the holidays. There’s usually a lot going on, so scammers think they can slide in unnoticed and catch you clicking on a malicious link while you’re distracted.
• Pay attention to your emotions. When you’re reading or watching something online, and it tugs on your heartstrings, try to pause before opening your purse strings. Generosity should be admired rather than punished, but there will always be bad actors trying to take advantage or others’ good intentions. 

Capitalizing on Celebrities

The news of Kobe Bryant’s death shocked everyone at the beginning of this week. As a beloved athlete and respected entrepreneur and investor, his death made headlines and continues to receive attention and emotional responses.

Bad actors love to exploit this kind of situation in a variety of ways. They’ll use the Bryant helicopter crash as bait with links to ‘special news coverage,’ secret footage, places to post your sympathetic messages, and even as funding grabs for the other victims of the accident.

Whatever tactic is used, you will wind up with either infected workstations at the house or in the office, giving out personal information, or unleashing ransomware on your network.

What can you do? 

• Always remember to be wary when someone is tugging at your emotions or offering special access, e.g., never before seen footage. If you receive an email with anything like this, force yourself to stop and look before clicking on anything. Check the sender, and hover over the links.
• Browse to websites independently of email. For example, if a message claims to show an NBC behind-the-scenes special on Bryant or interview outtakes, try Googling it first. If it really exists from NBC, you should be able to find it. They want the website traffic, and they’ll want you to share and post about their content.

No Such Thing as a Temporary Social Security Number

Researchers at Kaspersky have come across a phishing site that’s posing as a data leak protection service set up by the US government.

The site claims to be compensating victims of data breaches, offering cash “to residents of all countries around the world.” The website is well-designed and looks like an official government site, despite some grammatical irregularities and the mention of a non-existent “US Trading Commission.”

Users are invited to enter their names and phone numbers to see if they’re entitled to receive compensation. The site warns that entering false information is illegal, but the researchers found that the output will be the same regardless of what is entered.

“For example, we [researchers] inquired about the personal data of a citizen named fghfgh fghfgh. The site pondered for a while, seemingly connecting to a database of information about leaks…and lo and behold, found that our fictional character with an unpronounceable name had indeed had their data leaked. Moreover, it turned out that someone had already used their photos, videos, and contact information, and so fghfgh was entitled to compensation in excess of $2,500!”

After entering your info and seeing how much money you could be owed, you are asked to provide your payment card information and Social Security number (SSN) in order to receive your money.

There is also an option for non-US citizens who don’t have a SSN. They’ll be taken to a page where they can purchase a temporary SSN for just nine dollars. The scam ends after the victim has either provided their SSN and payment information, or after they’ve forked over the nine dollars.

Stay safe with these tips:

• Being the victim of a breach is scary and all too possible nowadays. But you should be immediately suspicious of anyone asking for your social security number over the phone or through a website.
• There are some legitimate services that can see if your information has been compromised. We can perform Dark Web searches for you and your business, and haveibeenpwned.com is a website search tool that you can put your email into and see if it has been involved in known breaches. You can then use that information to change your password and possibly close old online accounts.

Windows 7 Support Scams

As you know, Microsoft ended support for the Windows 7 operating system on January 14th. Scammers are taking advantage of the long-anticipated news to launch tech support scams, according to the Better Business Bureau (BBB).

These scams are typically conducted over the phone, with the scammer posing as a Microsoft employee. The scammer will use social engineering to either call you out of the blue, or they’ll use computer pop-ups or emails to convince you to call them.

“The caller may seem friendly and helpful, but they are far from it,” the BBB explains. “They may convince you to pay yearly fees (that don’t exist) or request remote access to your computer under the guise of installing software. If you pay the fees, you could lose hundreds of dollars. But if you allow the scammer access to your computer, your secure personal information, such as banking details and login credentials, can be compromised. This puts you at risk for identity theft.”

So how can you protect yourself?  

• First, know that Microsoft will never call you unsolicited. They do not offer support by calling or pushing popups on your computer.
• In fact, you should always be suspicious when someone calls out of the blue offering to remote into your computer. Our advice is to tell them you can’t talk at the moment and then call us or report it directly to Microsoft. 
• You should also make an immediate plan to upgrade or replace that Windows 7 operating system. Even without scammers calling you, vulnerabilities will continue to be discovered that Microsoft is no longer offering security patches for.

Netflix and Steal

A Netflix phishing scam is going after users’ payment information and Netflix credentials, according to Naked Security. The phishing emails inform recipients that they’ve missed a payment and they’ll need to login and fix their billing information to resolve the issue.

The emails themselves contain some glaring typos and grammatical issues, including repeated misspellings of “invoice” and the phrase “you local bank being held a transaction.” The phishing site itself is more convincing, however.

The scammers took the time to obtain a valid HTTPS certificate, and they’ve hosted the site on a subdomain with a very long URL consisting of random characters. As a result, the primary domain is pushed out of sight in the browser bar, so the user doesn’t realize they are not on netflix.com. The login page looks perfectly legitimate, as does the page to enter payment card details.

The scammers made another mistake, however, by including an intermediate page that asks users how they want to pay their bill in order to “resrtart” their membership. This page offers a number of options, including one to purchase gift cards. The option to buy gift cards is inexplicably written in French, unlike the rest of the page.

While these warning signs seem easy to spot when you know it’s a scam, they might not be so apparent if you aren’t looking for them or if you are in a hurry.

A similar scam is circulating about PayPal, with the message that an unknown device has accessed your account. This one also has one or two grammatical red flags, but overall looks convincing enough to have gained a wealth of personal information from victims.

So what can you do? 

• Force yourself to stop and think before clicking on ANY emails warning about account issues or breaches. Our fear of being compromised is what the bad actors count on, but most legitimate businesses will not try to scare you.
• Always confirm issues independently of the links in these types of emails. Open a separate browser window and log into your account; if there is an official problem, you will be able to see and fix it that way.
• Verify account problems by calling. Don’t use any contact numbers included in a message like those above, but reach out and speak with someone if you have questions.

Selfie Scams

Researchers at Kaspersky Lab have observed a spike in fraud surrounding the use of selfies to gain access to sensitive data, Planet Biometrics reports.

Some legitimate online services ask users to upload a photo of themselves holding their ID in order to verify their identity.

If a scammer gets their hands on one of these photos, they can impersonate you online. These photos are valuable on the black market for this reason.

Scammers are collecting these types of selfies via phishing emails that purport to come from payment services and banks. The emails try to convince recipients to go to legitimate-looking phishing sites and upload a selfie with their ID visible.

It’s best to avoid uploading selfies with your ID at all, if possible, because anything you upload to the internet can potentially be stolen at some point. If you do need to do so, make absolutely certain you’re on the correct site and verify that the service is legitimate.

Stay safe with these tips:

• Before confirming your identity in this way, ask the company if there is any other way to verify.
• If you have to do it, look through the site for signs that it is legitimate before uploading. Check that it is secure, showing a locked padlock in the URL. See if there are terms and conditions explaining how they will use your image and how long it will be stored. If you see all this and still have a bad feeling, trust your gut.

Movie Mania

TechRepublic reports that Kaspersky researchers have identified sixty-five malicious files masquerading as online copies of Star Wars: The Rise of Skywalker. 

The files are spread via phishing sites and social media accounts that pose as official movie pages. In addition to distributing malware, the sites also ask users to enter their credit card data before they can watch the film.

Tatiana Sidorina, a security researcher at Kaspersky, said in a statement that attackers frequently take advantage of popular movies and shows to spread malware.

“It is typical for fraudsters and cybercriminals to try to capitalize on popular topics, and Star Wars is a good example of such a theme this month,” Sidorina said. “As attackers manage to push malicious websites and content up in the search results, fans need to remain cautious at all times. We advise users to not fall for such scams and instead enjoy the end of the saga on the big screen.”

So how can you protect yourself?  

• The easiest protection is to avoid pirated material altogether. But the reality is that your network may be shared by others who may not be so careful. So keep in mind (and teach your children) that a company trying to make money from movie ticket sales is highly unlikely to also release a free online version, no matter how authentic their site looks.
• Never enter information, especially payment information, on a site claiming to offer free movies. If it’s free, what could they possibly need payment for? 
• Use the Force: that’s your reason, common sense, and your instincts. If something seems ‘off,’ it most likely is.