Tag Archive for Confidence trick

| April 7, 2016
Comments Off on 9 Emails You Should Never Open

9 Emails You Should Never Open

9 Emails You Should Never OpenThe increasing pace of life coupled with mobile computing which bombards us with emails and messages, from more sources, and across more devices than ever before has created what Proofpoint calls a generation of trigger-happy clickers.

fake emails from cyber criminals.Trigger-happy clickers are falling more and more for fake emails from cybercriminals. These fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link according to the article. To put that into context a legitimate marketing department typically expects <2% click rate on their advertising campaigns.

So, despite the best efforts of security professionals, too many people are still falling prey to email scams at home and work. Whether it’s a get-rich-quick scheme or a sophisticated spearphishing attack, here are some emails to steer clear of:

1. The government scam

These emails look as if they come from government agencies, such as the IRS, FBI, or CIA. If these TLA’s want to get a hold of you, it won’t be through email.

2. The “long-lost friend”

tries to make you think you know themThis scammer tries to make you think you know them, but it might also be a contact of yours that was hacked.

3. The billing issue

These emails typically come in the form of legitimate-looking communications. If you catch one of these, log into your member account on the website or call the call center.

4. The expiration date

A company claims your account is about to expire, and you must sign in to keep your data. Again, sign in directly to the member website instead of clicking a link in the email.

5. You’re infected

you’re infected with a virusA message claims you’re infected with a virus. Simple fix: Just run your antivirus and check. In a recent twist, scammers claiming to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need.

Scammers have been peddling bogus security software for years. They set up fake websites, offer free “security” scans, and send alarming messages to try to convince you that your computer is infected with malware. Then, they try to sell you software to fix the problem. At best, the software is worthless or available elsewhere for free. At worst, it could be malware — software designed to give criminals access to your computer and your personal information.

But wait it gets worse – If you paid for their “tech support” you could later get a call about a refund. The refund scam works like this: Several months after the purchase, someone might call to ask if you were happy with the service. When you say you weren’t, the scammer offers a refund.

Or the caller may say that the company is going out of business and providing refunds for “warranties” and other services.

The scammers eventually ask for a bank or credit card account number. Or they ask you to create a Western Union account. They might even ask for remote access to your computer to help you fill out the necessary forms. But instead of putting money in your account, the scammers withdraw money from your account.

6. You’ve won

you won a contest you never enteredClaims you won a contest you never entered. You’re not that lucky; delete it. It’s illegal to play a foreign lottery. Any letter or email from a lottery or sweepstakes that ask you to pay taxes, fees, shipping, or insurance to claim your prize is a scam.

Some scammers ask you to send the money through a wire transfer. That’s because wire transfers are efficient: your money is transferred and available for pick up very quickly. Once it’s transferred, it’s gone. Others ask you to send a check or pay for your supposed winnings with a credit card. The reason: they use your bank account numbers to withdraw funds without your approval, or your credit card numbers to run up charges.

7. The bank notification

An email claiming some type of deposit or withdrawal. Give the bank a call to be safe.

8. Playing the victim

emails make you out to be the bad guyThese emails make you out to be the bad guy and claim you hurt them in some way. Ignore.

9. The security check

A very common phishing scam where a company just wants you to “verify your account.” Companies almost never ask you to do this via email.

What To Do Instead of Clicking Links

In the case of your bank or other institution, just go to the website yourself and log in. Type in the address manually in the browser or click your bookmark. That way you can see if there’s something that needs taken care of without the risk of ending up on a phishing site.

In the case of your friend’s email, chances are that they copied/pasted the link into the message. That means you can see the full address. You can just copy/paste the address into the browser yourself without clicking anything. Of course, before doing that make sure you recognize the website and that it’s not misspelled.

Proofpoint’s bottom line is that unless you explicitly know and trust it, avoid it. That’s all there is to it. Make this a habit and you can avoid one of the biggest mistakes in internet safety.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| July 30, 2015
Comments Off on Spear Phishing

Spear Phishing

Spear PhishingAs long as there have been people, there have been scammers of some kind. Today, cybercriminals use the same technology email, instant messaging, chats, that helps everyone else in their daily lives. The only difference is that they use it for wrongdoing. The results of a recent JPMorgan Chase company hack prove it. The banking giant fell victim to a spear phishing attack.

PhisingThe outcome of the JPMorgan Chase & Co., hack says that over 76 million user accounts were compromised. It is also very likely that other banks were breached by the same attackers. The breach of JPMorgan Chase should serve as a reminder that even large, sophisticated businesses can be breached by today’s phishing expeditions.

Attackers were able to penetrate JPMorgan Chase’s defenses and roam their networks undetected for months most likely due to one worker who fell victim to a spear phishing attack. Corporate security and hackers are engaged in an asymmetric fight right now. The good guys have to protect the entire enterprise while the bad guys only need a single point of failure to gain access, just one user to fall victim to a spear phishing attack and they are in.

The bad guys have the advantage

Nigerian princeAnyone can claim to be a Nigerian prince from behind their computer screen and bilk unsuspecting targets for their financial information over email. All it takes is a valid email account – personal or otherwise. With the hacker’s advantage in mind, here are some tips to help avoid spear phishing attacks and prevent the attacker’s access to your firm.

Spear Phishing

Today’s phishing attacks are not the crude, typo-filled emails from Nigeria of yesteryear. Spear-phishers carefully research their targets. They will know your manager’s name, the names of your co-workers, and perhaps the projects you’re assigned to. This knowledge and detail make spear-phishing very effective.

No matter what the nature of an email account is, it is susceptible to all the dangers of the Internet. This is bad news for businesses that use email, and a lot of organizations out there fit that bill to a T. The more that a company uses email, the greater the chance that they will experience a data breach of some kind.

There is really nothing stopping a well-crafted phishing scam from appearing in a corporate inbox and fooling an unwitting employee. Here is a look at three of the email-based scams that could be threatening your business right now:

Vendor identity fraud

According to a report from Virginia TV station WHSV, the Better Business Bureau is warning businesses of a recent scam that targets this daily operation as a way to siphon money from corporate bank accounts. The BBB describes the attack:

As part of your job, you pay invoices for several of your business’s vendors … One day, you receive an urgent email from an executive in your company telling you to change how you pay invoices from a vendor. Instead of sending a check, you now need to wire the money straight to a bank account.

SPAM emailThis phishing attack is made possible by malicious hacking. Cybercriminals break into company emails and gain enough information to impersonate one of the organization’s suppliers. Next, they send off the false email that tells some poor admin to wire the payment to the hackers instead of the supplier and leave businesses out hundreds of thousands of dollars depending on the nature of the vendor.

Hackers impersonate branch of FBI

Nobody likes being accused of crimes that they didn’t commit. This is especially true when the FBI is involved. But a new scheme involving the Internet Crime Complaint Center has many people thinking their arrest is imminent if they do not fork over a hefty fine via online transaction – something that is unheard of in real law enforcement agencies and that the FBI has been forced to address. DailyFinance contributor Mitch Lipka wrote:

The emails claim that the victim is the subject of a criminal report and that charges are forthcoming … They are then told that they have one or two days to respond or risk arrest, IC3 said. Those who respond are told they have to send money via prepaid cards if they want to avoid prosecution.

Fooled by “clients”

Lawyers are trained to always read between the lines and examine the fine print in legal documents, but what about in their supposedly secure communications?

This is one concept that has been inadvertently brought up in New Zealand thanks to a scam targeting law firms and their clients. There are plenty of things that can be done over email, but that doesn’t mean that they should be. Client and lawyer communications are one of these tasks. According to The National Business Review, criminals will pose as either a law professional or someone they currently represent, asking the opposite party to make a payment or carry out a transaction. This not only puts funds in danger but also sensitive information. This may land a law firm in serious legal trouble.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| April 29, 2014
Comments Off on Social Engineering Terms

Social Engineering Terms

Social Engineering Terms Social engineering means manipulating a person to get access without authorization. Practically speaking, it’s a blanket term for non-technical hacking. FierceITSecurity gives the classic example: Hacker calls target and pretends to be “from the IT department,” getting the target to divulge a password or other sensitive corporate information.

non-technical means.Derek C. Slater at FierceITSecurity discusses a short-list of social engineering terms with Chris Hadnagy, author of the book “Unmasking the Social Engineer: The Human Element of Security.” The author explained that some of the terms below aren’t social engineering per se, but they are related to the same goal: Gaining unauthorized access to information, systems, and facilities through deception and other non-technical means.

In his Social Engineering course, Mr. Hadnagy tells participants that one goal is that every target “will be glad to see them” because the social engineering methods covered seem friendly, not antagonistic. “It’s amazing how much information people will give you if you’re just nice to them,” he says. “Con men don’t look malicious–they’re the guys with the biggest smiles.

Social Engineering terms

Confidence manConfidence trick: The ‘con’ in “con man” refers to gaining the confidence of the target before attempting to exploit him. Examples: The movie Grifters with John Cusack, and every Ponzi scheme from Charles Ponzi himself on through to Bernie Madoff and whoever’s doing it now. And somebody’s doing it now warns the article.

Amygdala hijacking: Your amygdala is the part of your brain that manages decision-making and emotional responses. “Amygdala hijacking” in the social engineering context means putting the target emotionally off-balance by causing stress, or contacting the person during an unusually stressful time, according to Hadnagy. That means the target is less rational and more vulnerable to exploitation.

Amygdala hijackingExample: Friday at 4:30 pm, or the day before holiday vacation starts, many employees–not you or me, obviously–are anxious to get out of the office. That’s a perfect time for a pretexting call (see below) or a hacker-simulated crisis, putting the target further off-balance and making them more likely to do whatever is expedient–giving information over the phone or via email to make the “crisis” go away.

Elicitation: means getting information without asking for it directly.

Influencing:  Mr. Hadnagy says influencing means provoking a desired response from the target “while getting them to think it’s their idea.”

Manipulation: involves getting the target to perform the desired action, regardless of whose idea they think it is. Unlike influence, manipulation could involve a direct or implied threat, for example.

Pretexting: Mr. Hadnagy’s definition, is equal to method acting. The social engineer doesn’t just say “I’m Bob”–he becomes Bob.

Example: Contracted to test one company’s defenses, Hadnagy gained access to various facilities by posing as Paul the Pest Inspector. “I had the uniform with the name patch, I had Paul’s business cards, and for a day before the event, my team was calling me ‘Paul’,” he says.

Phishing: is the use of email as a conduit for social engineering attacks.

PhishingExample: Know those emails that start “I’m Prince Phillip and I need help transferring my royal fortune to an American bank”–the venerable so-called 419 or Nigerian scam? People still fall for those. It’s a phishing attack and an example of a confidence scam.

Spear-phishing: Spear-phishing is a more targeted form of phishing. Instead of blasting that “I’m a Prince” email to everyone with an email address, a spear-phishing attack is personalized to reach a small group or individual.

Example: A hacker identifies a target, Fred, and finds personal details, professional connections, and current project information via Fred’s LinkedIn profile. He then sends the target an email that is correctly addressed to Fred, appears to come from a real colleague, and references specific project details. Fred is much more likely to click on malicious links or open attachments in this email than he is likely to respond to Prince Phillip spam.

These next four terms don’t involve deception. However, they’re all important non-technical information attacks and can work in concert with social engineering efforts.

Harvesting – is using publicly available sources–particularly on social media, these days–to gather information about a target for later use in social engineering.

Dumpster diving – means what it sounds like: rooting through the trash to find discarded papers or items with valuable information. This is less glamorous than social engineering, but it’s also a useful form of harvesting and doesn’t need human interaction. (rb- I have covered the dangers of dumpster diving on Bach Seat since 2010.)

Shoulder surfing – means reading sensitive information on-screen and over the shoulder of a legitimate user.

Tailgating – is the ancient practice of going through a physical access point on the heels of someone who has an access card, key, or entry code. Catching the door before it shuts behind them, as it were.

rb-

Whether it is your home or corporate email account, social engineering is dangerous. Being educated about the risks of social engineering is critical. The next time someone reaches out via email or the phone, take a second and ask a few questions before you give away your digital identity unless of course they also have a candy bar

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , ,
| December 19, 2011
One comment

McAfee’s 12 Scams of Christmas

McAfee's 12 Scams of ChristmasBefore logging on from a PC, Mac, or mobile device for the last-minute holiday online shopping madness, consumers should look out for these 12 Scams of Christmas identified by anti-malware firm McAfee:

1. Mobile Malware—A National Retail Federation (NRF) survey found that 52.6% of U.S. consumers who own a smartphone will use it for holiday shopping. Malware targeting mobile devices is rising, and Google’s (GOOG) Android smartphones are most at risk. McAfee cites a 76% increase in Android malware in the second quarter of 2011, making it the most targeted smartphone platform.

Malicious Mobile ApplicationsNew malware has recently been found that targets QR codes, a digital bar code that consumers might scan with their smartphone to find good deals or to learn about products they want to buy.

2. Malicious Mobile Applications—These are mobile apps designed to steal information from smartphones or send expensive text messages without a user’s consent. Dangerous apps are usually offered for free and masquerade as fun applications, such as games. Last year, 4.6 million Android smartphone users downloaded a wallpaper app that collected and transmitted user data to a site in China.

Facebook3. Phony Facebook Promotions and Contests—Who doesn’t want free stuff? Unfortunately, cyber scammers know that “free” things are attractive lures, and they have sprinkled Facebook with phony promotions and contests to gather personal information. A recent scam advertised two free airline tickets but required participants to complete multiple surveys requesting personal information.

4. Scareware, or Fake Antivirus software—Scareware is fake antivirus software that tricks people into believing that their computer is at risk or already infected, so they agree to download and pay for phony software. This is one of the most common and dangerous Internet threats today, victimizing one million victims each day. In 2010, McAfee reported that scareware represented 23% of all dangerous Internet links, which has been resurgent recently.

5. Holiday Screen savers—Bringing holiday cheer to your home or work PC sounds like a fun idea to get into the holiday spirit, but be careful. A recent search for a Santa screen saver that promises to let you “fly with Santa in 3D” was malicious. Holiday-themed ringtones and e-cards have also been known to be malicious.

Mac Malware6. Mac Malware – Until recently, Mac users felt insulated from online security threats since most were targeted at PCs. However, with the growing popularity of Apple (AAPL) products, cybercriminals have designed a new wave of malware directed squarely at Mac users. According to McAfee Labs, as of late 2010, there were 5,000 pieces of malware targeting Macs, and this number is increasing by 10 percent each month.

7. Holiday Phishing Scams—Phishing is tricking consumers into revealing information or performing actions they wouldn’t normally do online using phony emails or social media posts. Cyber scammers know that most people are busy around the holidays, so they tailor their emails and social messages with holiday themes to trick recipients into revealing personal information.

  • This is a fake notice from UPS (UPS) saying you have a package and need to complete an attached form. The form asks for personal or financial details to complete the delivery, and it sends that information straight into the hands of cyber scammers.
  • Banking phishing scams continue to be popular, and the holiday season means consumers will spend more money and check bank balances more often. From July to September of this year, McAfee Labs identified about 2,700 phishing URLs per day.
  • Smishing –SMS phishing remains a concern. Scammers send fake messages via text alert to a phone, notifying an unsuspecting consumer that his bank account has been compromised. The cybercriminals then direct the consumer to call a phone number to get it reactivated and collect the user’s personal information, including his Social Security number, address, and account details.

Online Coupon Scams8. Online Coupon Scams—An estimated 63 percent of shoppers search for coupons when they buy something online. October 2011 NRF data shows that 17.3 percent of smartphone users and 21.5 percent of tablet consumers use mobile devices to redeem those coupons. But watch out because scammers know that offering an irresistible online coupon can get people to hand over some of their personal information.

9. Mystery Shopper Scams—Mystery shoppers are hired to shop in a store and report back on the customer service. Scammers use this fun job to lure people into revealing personal and financial information. There have been reports of scammers sending text messages to victims, offering to pay them $50 an hour to be mystery shoppers and instructing them to call a number if they are interested. Once the victim calls, they are asked for personal information, including credit card and bank account numbers.

Scareware10. Hotel “Wrong Transaction” Malware Emails – Many people travel over the holidays, so it is no surprise that scammers have designed travel-related scams to get users to click on dangerous emails. In one example, a scammer sent out emails that appeared to be from a hotel, claiming that a “wrong transaction” had been discovered on the recipient’s credit card. It then asked them to fill out an attached refund form. Once opened, the attachment downloads malware onto their machine.

11. “It” Gift Scams—Hot holiday gifts sell out early in the season every year. Not only do sellers mark up the price of the must-have toy, but scammers also start advertising them on rogue websites and social networks, even if they don’t have them. So, consumers could wind up paying for an item and giving away credit card details only to receive nothing in return. Once the scammers have the personal financial information, there is little recourse.

12. “I’m away from home” Scammers – Posting information about a vacation on social networking sites could be dangerous. If someone is connected with people they don’t know on Facebook or other social networking sites, they could see their post and decide it may be a good time to rob them. Furthermore, a quick online search can quickly turn up their home address.

How to Protect Yourself

  • Only download mobile apps from official app stores, such as iTunes and the Android Market, and read user reviews before downloading them.
  • Be extra vigilant when reviewing and responding to emails.
  • Watch out for too-good-to-be-true offers on social networks. Never agree to share your personal information to take part in a promotion.
  • Don’t accept requests on social networks from anyone you don’t know in real life. Wait to post pictures and comments about your vacation until you’ve already returned home.
Related articles

Mobile Threats Top Holiday Scam List (pcworld.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,