Over the past five years, the number and intensity of scams and attacks over email has exploded. The move to cloud-hosted services has only served to increase the intensity of these attacks. It is more important than ever to be vigilant.
To better educate you, here are some common attacks:
The expiring subscription scam – “Your subscription is expiring…”
- In this attack, they pretend to be Microsoft, Norton Security, Google, Apple, or another recognizable brand, and tell you that your subscription is expiring and must be renewed.
- When you click on the link, they take you to a very convincing-looking login page. Some of these login pages look EXACTLY like the login screens that you see every day.
- When you enter your credentials, the page tells you that the password is invalid. Most people then try every other password they use, and each one is captured. You have just given away your credentials, perhaps for more than one site.
The notification scam – Most of these notices are scams and can be ignored. If you aren’t sure, ask the IT staff.
- “Your payment has been received”
- “Your order has been received”
- “Your order has shipped”
- “Your account/password has been compromised”
- “Your password has been changed”
- “Here is your Purchase Order for ….”
- The common thread in these attacks is that you are being notified of activity that you did not initiate.
When in doubt… ask the IT department or your manager.
The impersonation scam – In this scam, you receive an email whose sender name is that of someone inside the company:
- From: Joe President <firstname.lastname@example.org>
- Notice that the REAL email address is given inside the angle brackets, and it isn’t from our mail system. Usually, it is someone’s hacked email account on Google, Yahoo, or AOL.
- In the email, they try to convince you to carry out some action, such as:
- Buying gift cards – Most non-retail businesses/organizations NEVER use gift cards to either pay for or receive payments for services.
- Changing direct deposit account numbers – As a policy, ALL changes to direct payroll deposit must be made in writing and delivered in person or via a supervisor, never over email or phone.
- Changing home addresses or phone numbers – All changes to personal information must be made in writing and delivered in person.
- Changing insurance/retirement beneficiaries – All changes to personal information must be made in writing and delivered in person.
- Paying an invoice – Consult your accounting department to find the best method for validating an invoice before payment.
Scam-artists are even placing phone calls into organizations looking to carry out these same activities. They pretend to be police departments, court systems, or IT support organizations. If you aren’t sure, stop and ask your supervisor or the IT staff.
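As an added example, not part of this memo, here is the “look inside the angle brackets” advice written as a check that a mail filter or help-desk script can run. It compares the friendly display name against a staff directory and asks whether the real address belongs to our mail system, and it also notices a Reply-To that points somewhere other than the From address. The domain, the directory and the sample messages are constructed placeholders for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example (not from the memo): a placeholder for the
# organization's own mail domain, and a tiny staff directory of names that a
# scammer might borrow. A real deployment would load these from the directory.
INTERNAL_DOMAIN = "ourcompany.example"
STAFF_DIRECTORY = {
    "Joe President": "joe.president@ourcompany.example",
    "Jane Treasurer": "jane.treasurer@ourcompany.example",
}


def name_key(display_name: str) -> tuple:
    """Order- and case-insensitive key, so 'President, Joe' and 'joe president'
    both match the directory entry for Joe President."""
    return tuple(sorted(display_name.lower().replace(",", " ").split()))


_DIRECTORY_BY_KEY = {name_key(n): addr.lower() for n, addr in STAFF_DIRECTORY.items()}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_sender(raw_message: str) -> dict:
    """Inspect the From: (and Reply-To:) headers of one raw message and return a
    verdict. This is the memo's advice made mechanical: ignore the friendly
    display name and look at the address inside the angle brackets."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    from_domain = domain_of(address)
    flags = []

    known_address = _DIRECTORY_BY_KEY.get(name_key(display_name))
    if known_address is not None:
        if from_domain != INTERNAL_DOMAIN:
            flags.append("staff name used with an outside address")
        elif address.lower() != known_address:
            flags.append("staff name used with the wrong internal address")

    # A Reply-To elsewhere quietly pulls your answer away from the apparent sender.
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("Reply-To domain differs from From domain")

    return {
        "display_name": display_name,
        "address": address,
        "suspicious": bool(flags),
        "flags": flags,
    }


# Constructed sample messages (not real mail) showing the three outcomes.
SAMPLE_IMPERSONATION = (
    "From: Joe President <joe.president.1234@gmail.com>\r\n"
    "Subject: Quick favor\r\n\r\nAre you at your desk? I need a favor.\r\n"
)
SAMPLE_LEGITIMATE = (
    "From: Joe President <joe.president@ourcompany.example>\r\n"
    "Subject: Board minutes\r\n\r\nAttached are the minutes from Tuesday.\r\n"
)
SAMPLE_REPLY_TO = (
    "From: Joe President <joe.president@ourcompany.example>\r\n"
    "Reply-To: joe.president.1234@gmail.com\r\n"
    "Subject: Invoice\r\n\r\nPlease reply to confirm receipt.\r\n"
)

if __name__ == "__main__":
    for label, sample in [("impersonation", SAMPLE_IMPERSONATION),
                          ("legitimate", SAMPLE_LEGITIMATE),
                          ("reply-to", SAMPLE_REPLY_TO)]:
        print(label, check_sender(sample))
```

A message from an unknown outside sender is not flagged by this check on its own; it only catches the specific trick described above, a known name paired with an address that is not ours.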
The cloud-hosted document attack – You receive an email that links to a PDF file or some other document hosted on Dropbox, Box, OneDrive, SharePoint, or Google Drive.
- The PDF has instructions for you to click on a link or download some other file. Often, the file is a password-protected ZIP file, and they give you the password in the document. DANGER WILL ROBINSON!!!! This attack is designed to evade our spam filters and antivirus software.
- Password-protected ZIP and PDF files cannot be inspected by scanning software, because their contents are encrypted until you type in the password. By opening these files, you are inviting your system to get infected.
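As an added example, not from this memo, this is the kind of check a mail gateway or help-desk script can run on an attachment before anyone opens it: it reads a ZIP archive only far enough to list the entry names and see whether the encryption bit is set, and looks for the /Encrypt marker that an encrypted PDF carries, then quarantines anything it cannot look inside. The archive-building helper and the sample files are constructed for this demonstration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flag field


def make_sample_zip(entry_name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Build a small single-entry ZIP in memory for testing. Python's zipfile
    cannot write encrypted archives, so for the 'encrypted' sample we write a
    plain archive and then set the encryption bit in both headers; the scanner
    only reads that flag, never the data, so this exercises the detection path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Local file header of the single entry starts at 0; its flags sit at offset 6.
        struct.pack_into("<H", data, 6, ENCRYPTED_FLAG)
        # The central directory offset is at byte 16 of the 22-byte end-of-central-
        # directory record at the tail; the central file header keeps flags at offset 8.
        cd_offset = struct.unpack_from("<I", data, len(data) - 6)[0]
        struct.pack_into("<H", data, cd_offset + 8, ENCRYPTED_FLAG)
    return bytes(data)


def scan_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment can be inspected or must be quarantined.
    Returns the file kind, what could be seen without a password, and the verdict."""
    result = {"filename": filename, "kind": "other", "entries": [], "encrypted": False}
    if zipfile.is_zipfile(io.BytesIO(data)):
        result["kind"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Entry names are visible even when the contents are encrypted.
                result["entries"].append(info.filename)
                if info.flag_bits & ENCRYPTED_FLAG:
                    result["encrypted"] = True
    elif data.startswith(b"%PDF"):
        result["kind"] = "pdf"
        # Heuristic: an encrypted PDF carries an /Encrypt entry in its trailer dictionary.
        result["encrypted"] = b"/Encrypt" in data
    result["quarantine"] = result["encrypted"]
    result["reason"] = ("contents are encrypted, so the scanner cannot inspect them"
                        if result["encrypted"] else "")
    return result


# Constructed sample attachments (not real files).
SAMPLE_PLAIN_ZIP = make_sample_zip("statement.pdf", b"%PDF-1.4 constructed sample", False)
SAMPLE_LOCKED_ZIP = make_sample_zip("statement.pdf", b"%PDF-1.4 constructed sample", True)
SAMPLE_PLAIN_PDF = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
SAMPLE_LOCKED_PDF = b"%PDF-1.4\ntrailer\n<< /Encrypt 5 0 R /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("statement.zip", SAMPLE_PLAIN_ZIP), ("statement.zip", SAMPLE_LOCKED_ZIP),
                       ("invoice.pdf", SAMPLE_PLAIN_PDF), ("invoice.pdf", SAMPLE_LOCKED_PDF)]:
        print(scan_attachment(name, blob))
```

The point the scan makes visible is the one above: the software can tell that the file is locked, and even what the entries are called, but it cannot see what is inside, which is exactly why the attacker locks it.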
Cell phone attacks – Many organizations are adopting multi-factor authentication (MFA) to combat credential phishing. The “bad guys” took notice and are now looking for ways to get around MFA.
- If they can clone your phone, they receive a copy of your text messages, including any MFA codes sent to you by text.
- If you install apps/games on your phone that contain malware/viruses, the bad guys can use this to intercept the MFA codes on your phone.
In conclusion, the best defense against these attacks is common sense and vigilance. If something seems off about an email, it’s probably a scam. Ask for help.
If you think you have fallen prey to one of these attacks, contact the IT staff immediately. They will guide you through the right steps to recover from it.
Just changing your password is not enough. If a bad guy has gained access to your email account, they will often place mailbox rules in there (for example, rules that forward copies of your mail to an outside address or quietly delete security warnings) to help them maintain access to your accounts, even after a password change is completed.
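As an added illustration, not part of this memo, this is the kind of audit IT runs over a mailbox’s rules after a compromise, looking for the three tell-tale patterns: rules that send mail outside the organization, rules that hide mail about sensitive topics, and rules with blank or one-character names meant to be overlooked. The InboxRule structure, the domain and the sample rules are constructed for this example and do not follow any particular mail system’s schema.

```python
from dataclasses import dataclass, field

# Placeholder for the organization's own mail domain (constructed for this example).
INTERNAL_DOMAIN = "ourcompany.example"

# Folders that mailbox owners rarely open, so mail routed there effectively vanishes.
HIDEOUT_FOLDERS = {"deleted items", "junk email", "archive", "rss feeds",
                   "rss subscriptions", "conversation history", "notes"}

# Subject words a rule would match if its purpose is to hide a particular topic
# from the mailbox owner (password resets, payment changes, warnings from IT).
SENSITIVE_WORDS = {"password", "invoice", "payment", "wire", "bank", "payroll",
                   "deposit", "hacked", "phishing", "suspicious", "security"}


@dataclass
class InboxRule:
    """Hypothetical, simplified view of one mailbox rule. The field names are an
    assumption of this example, chosen to mirror the settings most rule-management
    tools expose, not the schema of any particular mail system."""
    name: str
    enabled: bool = True
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: list = field(default_factory=list)
    mark_as_read: bool = False


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def audit_rule(rule: InboxRule) -> list:
    """Return human-readable findings for one rule (empty if it looks benign)."""
    findings = []

    # 1. Anything that sends copies of mail outside the organization.
    external = [a for a in rule.forward_to + rule.redirect_to
                if domain_of(a) != INTERNAL_DOMAIN]
    if external:
        findings.append("sends mail outside the organization: " + ", ".join(external))

    # 2. Rules that make mail disappear, especially mail about sensitive topics.
    hides_mail = rule.delete_message or rule.move_to_folder.lower() in HIDEOUT_FOLDERS
    matched = sorted({w.lower() for w in rule.subject_contains} & SENSITIVE_WORDS)
    if hides_mail and matched:
        findings.append("hides mail whose subject mentions: " + ", ".join(matched))
    if hides_mail and rule.mark_as_read:
        findings.append("hides mail and marks it read, so no unread count gives it away")

    # 3. Names chosen to be overlooked in a long rule list.
    if len(rule.name.strip()) <= 1:
        findings.append(f"rule name {rule.name!r} is blank or a single character")

    if findings and not rule.enabled:
        findings.append("rule is currently disabled but could be re-enabled later")
    return findings


def audit_mailbox(rules: list) -> list:
    """Audit every rule and return (rule name, findings) pairs for the suspicious ones."""
    return [(r.name, f) for r in rules if (f := audit_rule(r))]


# Constructed sample rules (not taken from any real mailbox).
SAMPLE_RULES = [
    InboxRule(name=".", forward_to=["collector.1234@gmail.com"], delete_message=True),
    InboxRule(name="Quiet", move_to_folder="RSS Subscriptions",
              subject_contains=["password", "suspicious"], mark_as_read=True),
    InboxRule(name="Newsletters", move_to_folder="Newsletters",
              subject_contains=["digest", "newsletter"]),
    InboxRule(name="Copy to assistant", forward_to=["assistant@ourcompany.example"]),
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for item in findings:
            print("   -", item)
```

The two legitimate rules (a newsletter folder and an internal copy to an assistant) produce no findings, which is the point of the checks: they key on where the mail goes and what it is about, not on the mere existence of a rule.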