With the recent increase in data breaches of high-profile companies like Facebook and LinkedIn, spammers have access to a wealth of up-to-date potential victim information. They have names, email addresses, phone numbers, job positions, and more.
As a result, we have seen a surge in spam emails and phone calls. While almost all of them get caught by spam filters and phone company screening, fraudsters are getting more creative and finding ways to evade detection. With all the information they obtained in these breaches, it is no surprise they can trick filters into letting their communications through.
With recent ransomware attacks like the Colonial Pipeline and Irelands’ health services systems, it is important to be able to be vigilant and recognize these attempts to defraud you. Below are a few tips on how to recognize these fraudsters and keep yourself and your organization from falling into their traps.
Passwords & personal information
First and foremost, no respectable organization will ever contact you asking for a password. It does not matter who they are (or claim to be), never reply to request for your password for any reason. The same goes for personal information. They may include a form to fill out or simply ask you to provide a list of information such as your mailing address, phone number, or even your social security number. These are usually in the context of winning a contest by someone like Amazon or being owed money by an organization like the IRS.
If you think about it, if the IRS or Amazon owed you anything, wouldn’t they already have all that information? These are attempts to get enough information to perform various types of identity theft. This information should be protected as though it were your banking or social security information.
Attackers will sometimes claim to be from Microsoft, Google, or some other big tech organization and give you some reason that they need to remote into your computer using something like Team Viewer or Anydesk for some technical issue they have detected. Some may even claim to be from “your IT support” to try to trick you into allowing them access.
Once they have access, they will install some sort of back door to allow them access later to install malware, steal your data, or even scam you further. Nobody should have remote access to your system except your own IT support (that you know or can validate). Never allow someone who has contacted you via email or phone that you don’t directly know to remote into your computer for any reason.
They will often refer to agencies that do not exist or refer to them vaguely. Other times they will out and out claim to be from the IRS or SSA. They will use scare tactics and inflate the urgency of a situation to get you to act without thinking the actions through. All of these are an effort to make you feel like you are in immediate risk. This is a psychological trick to trigger you to respond to their instructions which may seem legit at the time. Click here for more tips on identifying fraudulent email subject lines.
You can also spot fakes by looking at the name of the sender, the organization they claim to be from, and the email address… they will frequently not match. If you look at the domain (the part of the email address after the “@” symbol), it will not match the organization they claim to be from. For example, the email may claim to be from LinkedIn Tech Support, but you see that the email address from which the message was sent was @gmail.com.
This message was an attempt to gather personal information. In the area below the screenshot is a list of information they want you to send back including name, address, social security number, and more. Never reply to these messages. No government (or any other legit organization, for that matter) would send a communication of this sort by email. Notice the poor grammar and odd capitalization. This is one of the giveaways. Also, if you search for “United Nations Fund Compensation Unit” you will find no such agency exist. An agency with a similar name does, but has nothing to do with tax processing.
This is an example of a “phishing” email that is attempting to steal your login credentials. Notice that the email address does not match the organization that it claims to be, in this case Indeed. The attachment (which you should not open in the real world) is a fake login. Other attempts will use a web link to a fraudulent login page.
If you were to attempt to log in here, this will send your credentials directly to hackers that will use your account fraudulently. No legit website will ever ask for this information from you via an email. Never log in to any services such as social media, Office 365, or CRM systems from a link in an email. Use your browser to navigate directly to those sites and log in from there. If there is an issue, this is where you will be alerted.
This entertaining gentleman takes you through how one of these scams works with an actual live scammer. He does this for a number of reasons. One is to raise awareness and teach people how these scams work. Another is to waste their time. Every minute he spends on the phone with them is a minute they aren’t scamming a real person. In addition to wasting their time and teaching the population at large how to avoid getting scammed, he works with law enforcement to stop and even catch these criminals.
How can we help you stay safe?
Whether you need email filtering, personnel training, system monitoring, or anything else to help your organization stay safe, we’re happy to help!