Phone scams, job scams and contact page scams.
Welcome to Cyber Security Today. It’s Monday April 12th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Usually one of the best ways to defeat a scam is to wait before acting. That’s the case with a telephone scam crooks have used for years, and which last week victimized people in Calgary. It works like this: The victim gets a call on their landline from someone purporting to be from a bank. The caller warns of a problem with the victim’s credit card. Knowing people are suspicious of such calls, the caller tells the victim to hang up immediately and phone the number on the back of their credit card to verify the call is real. The victim hangs up and quickly dials that number. The person who answers says they’re from the bank and gets the victim to hand over personal information, including the account password. Then the victim’s bank account is emptied.
The scam works for two reasons. First, it counts on people acting quickly; creating a sense of urgency is a big part of any scam. Second, unfortunately, the crooks can keep the line open. On many landline networks a call is only cleared when the caller hangs up, so as long as the crook stays on the line the victim’s phone remains connected to the crook for up to several minutes after the victim puts the receiver down. When the victim picks the receiver up again to call the bank, the crooks play a recording of a dial tone. The victim isn’t really calling the bank at all; they end up speaking to a second crook.
The RCMP urges people who get calls like this to wait several minutes before phoning the bank. That gives the line time to clear. Even better, if you have a cell phone or access to a second phone line, use that to call the bank. Or, if you can, go to a branch of your bank in person. Remember, a bank won’t ask you over the phone to provide personal information or your password. They will confirm that your card has been abused, and then say they will issue a new card. Another tip: don’t trust call display to show the name of a real caller. Caller ID can be faked.
Employees at organizations have been warned for years to be careful opening attachments. A new alert from Microsoft gives the latest reason: scammers are sending firms messages with complaints, asking the recipient to click on a link or attachment that supposedly holds evidence of the allegation. For example, one message Microsoft describes pretends to be from a photographer alleging the organization’s website is using one of their photographs without permission, and threatens some sort of legal action. The proof is allegedly in a linked document, which is a page hosted on Google. To see the document the victim has to enter their Google username and password. What ends up happening is the installation of malware that steals corporate data, spreads to other machines and may lead to ransomware. This scam works in part like the phone scam I talked about: it counts on worried people wanting to do the right thing.
This scam also abuses the ‘contact us’ web page many organizations have so people can report problems. That’s how the crook sends the threatening message, so it arrives looking like any other inquiry submitted through the organization’s own website. Often, to make sure these contact forms aren’t filled out automatically by software the crooks run, the page has a human verification step, a CAPTCHA: a person has to type in a random combination of letters and numbers, or pick out the pictures in a grid that contain bicycles or the like. However, in this particular campaign the attackers seem to have a way around this.
If you get a message like this, don’t click on the link. Forward it to the IT or security team with a warning that it looks suspicious. Never enter your Google or Microsoft credentials on a page you reached from a message you weren’t expecting; a document someone sends you shouldn’t require your own login to view. For IT teams, a good antivirus or anti-malware solution should catch the malware this scam delivers.
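One thing an IT team can do before a human ever opens one of these messages is screen inbound contact-form submissions for the pattern the alert describes: a legal-threat pretext combined with a link to a Google-hosted page. The following is an added example of such a screening rule, written for this article and not code from Microsoft or from the podcast. The Google host list, the keyword list and the scoring thresholds are my assumptions, and the two sample submissions are constructed for the demonstration; the point is to hold suspicious submissions for security review rather than silently drop them, since a genuine complaint still has to reach someone.

```python
import re
from dataclasses import dataclass, field

# Hosts Google uses for user-created pages and shared documents. The alert
# only says the lure was "a page hosted on Google"; this list is an assumption.
GOOGLE_HOSTED = (
    "sites.google.com",
    "docs.google.com",
    "drive.google.com",
    "storage.googleapis.com",
)

# Wording typical of the copyright-complaint / legal-threat pretext.
# Assumed for this example, not taken from Microsoft's indicators.
LEGAL_THREAT_TERMS = (
    "copyright",
    "without permission",
    "without my permission",
    "legal action",
    "lawsuit",
    "attorney",
    "infringement",
)

# Captures the host part of any http(s) URL in the message body.
URL_RE = re.compile(r"https?://([a-z0-9.-]+)[^\s<>\"']*", re.IGNORECASE)


@dataclass
class Submission:
    sender_email: str
    body: str


@dataclass
class Verdict:
    score: int
    reasons: list[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        # Hold for a human, never delete: real complaints must still get through.
        return "hold_for_security_review" if self.score >= 3 else "deliver"


def link_hosts(body: str) -> list[str]:
    """Return the lower-cased hosts of every URL found in the body."""
    return [m.group(1).lower().rstrip(".") for m in URL_RE.finditer(body)]


def is_google_hosted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in GOOGLE_HOSTED)


def score_submission(sub: Submission) -> Verdict:
    """Score one contact-form submission against the legal-threat lure pattern."""
    v = Verdict(score=0)
    text = sub.body.lower()

    google_hosts = [h for h in link_hosts(sub.body) if is_google_hosted(h)]
    if google_hosts:
        v.score += 2
        v.reasons.append("link to Google-hosted page: " + ", ".join(sorted(set(google_hosts))))

    hits = [t for t in LEGAL_THREAT_TERMS if t in text]
    if hits:
        v.score += min(len(hits), 2)  # cap so wordiness alone can't trigger a hold
        v.reasons.append("legal-threat wording: " + ", ".join(hits))

    # The alert's lure is specifically a threat whose "proof" sits behind a link.
    if google_hosts and hits:
        v.score += 1
        v.reasons.append("legal threat combined with external 'evidence' link")

    return v


def triage(submissions: list[Submission]) -> dict[str, str]:
    """Map each sender to the action the rule recommends."""
    return {s.sender_email: score_submission(s).action for s in submissions}


# Constructed sample submissions (not real messages).
SCAM = Submission(
    "photo.artist@example.net",
    "Hello, I am a professional photographer and your website is using one of my "
    "photographs without permission. I will take legal action unless it is removed "
    "within 3 days. The proof is here: https://sites.google.com/view/evidence-case-0042",
)
BENIGN = Submission(
    "customer@example.com",
    "Hi, the checkout page shows an error when I apply a coupon. "
    "Screenshot attached to my ticket: https://www.example.com/support/ticket/118",
)

if __name__ == "__main__":
    for sub in (SCAM, BENIGN):
        verdict = score_submission(sub)
        print(sub.sender_email, verdict.action, verdict.reasons)
```

A rule like this is a triage aid, not a verdict: a real photographer with a Google Drive link will also land in the review queue, which is exactly where a human should decide whether to open the document, and where the "why does viewing a document need my Google password" question gets asked by someone trained to ask it.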
Security researchers at Tessian are warning about recent online job scams. Crooks post job opportunities on legitimate job sites. People who respond are sent an email asking them to perform a task as part of the interview process, explained in an attachment or a link to a website. The goal is to get victims to fill personal information into a form. Victims may also be asked to go to what appears to be a credit check website and enter personal information there. The crooks then use that data for identity fraud. Another type of scam takes advantage of people who say on social media or LinkedIn that they’re looking for a job. Crooks may send job pitches to them, or email that pretends to be from the government with advice on how to apply for unemployment insurance. No government agency will contact you out of the blue asking you to apply for benefits. As for avoiding online job scams, be careful with employment opportunities where you don’t have the ability to speak to people in person. Verify the legitimacy of a sender by calling the organization at a number listed on the organization’s own website. Don’t trust phone numbers in a suspicious email. And carefully inspect the email addresses of senders.
Recently, data from 500 million LinkedIn user profiles was offered for sale by crooks. LinkedIn told reporters at Cybernews there was no data breach. Instead the data may have been scraped from LinkedIn, or aggregated from a number of other websites. However, on Friday a new collection of over 300 million LinkedIn profiles was put up for sale. Some of it may be copies of the earlier data. The email addresses being sold could be used for phishing, for scam messages on LinkedIn pretending to be from someone you know, for identity fraud, or for attempts to get at LinkedIn passwords. As always these days, watch for suspicious email and text messages.
That’s it for now.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.