Red Hat is backing a Cloud Native Computing Foundation (CNCF) project that aims to improve the security of containers in Kubernetes clusters by running them inside hardware-enforced enclaves.…
One of the oldest tricks in the cybercrime playbook is phishing. It first hit the digital scene in 1995, at a time when millions flocked to America Online (AOL) every day. And if we know one thing about cybercriminals, it’s that they tend to follow the masses. In earlier iterations, phishing attempts were easy to spot due to link misspellings, odd link redirects, and other giveaways. However, today’s phishing tricks have become personalized, advanced, and shrouded in new disguises. So, let’s take a look at some of the different types, real-world examples and how you can recognize a phishing lure.
Every day, users get sent thousands of emails. Some are important, but most are just plain junk. These emails often get filtered to a spam folder, where phishing emails are often trapped. But sometimes they slip through the digital cracks, into a main inbox. These messages typically have urgent requests that require the user to input sensitive information or fill out a form through an external link. These phishing emails can take on many personas, such as banking institutions, popular services, and universities. As such, always remember to stay vigilant and double-check the source before giving away any information.
A sort of sibling to email phishing, link manipulation is when a cybercriminal sends users a link to malicious website under the ruse of an urgent request or deadline. After clicking on the deceptive link, the user is brought to the cybercriminal’s fake website rather than a real or verified link and asked to input or verify personal details. This exact scenario happened last year when several universities and businesses fell for a campaign disguised as a package delivery issue from FedEx. This scheme is a reminder that anyone can fall for a cybercriminals trap, which is why users always have to careful when clicking, as well as ensure the validity of the claim and source of the link. To check the validity, it’s always a good idea to contact the source directly to see if the notice or request is legitimate.
Corporate executives have always been high-level targets for cybercriminals. That’s why C-suite members have a special name for when cybercriminals try to phish them – whaling. What sounds like a silly name is anything but. In this sophisticated, as well as personalized attack, a cybercriminal attempts to manipulate the target to obtain money, trade secrets, or employee information. In recent years, organizations have become smarter and in turn, whaling has slowed down. Before the slowdown, however, many companies were hit with data breaches due to cybercriminals impersonating C-suite members and asking lower-level employees for company information. To avoid this pesky phishing attempt, train C-suite members to be able to identify phishing, as well as encourage unique, strong passwords on all devices and accounts.
Just as email spam and link manipulation are phishing siblings, so too are whaling and spear-phishing. While whaling attacks target the C-suite of a specific organization, spear-phishing rather targets lower-level employees of a specific organization. Just as selective and sophisticated as whaling, spear-phishing targets members of a specific organization to gain access to critical information, like staff credentials, intellectual property, customer data, and more. Spear-phishing attacks tend to be more lucrative than a run-of-the-mill phishing attack, which is why cybercriminals will often spend more time crafting and obtaining personal information from these specific targets. To avoid falling for this phishing scheme, employees must have proper security training so they know how to spot a phishing lure when they see one.
With so many things to click on a website, it’s easy to see why cybercriminals would take advantage of that fact. Content spoofing is based on exactly that notion – a cybercriminal alters a section of content on a page of a reliable website to redirect an unsuspecting user to an illegitimate website where they are then asked to enter personal details. The best way to steer clear of this phishing scheme is to check that the URL matches the primary domain name.
When users search for something online, they expect reliable resources. But sometimes, phishing sites can sneak their way into legitimate results. This tactic is called search engine phishing and involves search engines being manipulated into showing malicious results. Users are attracted to these sites by discount offers for products or services. However, when the user goes to buy said product or service, their personal details are collected by the deceptive site. To stay secure, watch out for potentially sketchy ads in particular and when in doubt always navigate to the official site first.
With new technologies come new avenues for cybercriminals to try and obtain personal data. Vishing, or voice phishing, is one of those new avenues. In a vishing attempt, cybercriminals contact users by phone and ask the user to dial a number to receive identifiable bank account or personal information through the phone by using a fake caller ID. For example, just last year, a security researcher received a call from their financial institution saying that their card had been compromised. Instead of offering a replacement card, the bank suggested simply blocking any future geographic-specific transactions. Sensing something was up, the researcher hung up and dialed his bank – they had no record of the call or the fraudulent card transactions. This scenario, as sophisticated as it sounds, reminds users to always double-check directly with businesses before sharing any personal information.
As you can see, phishing comes in all shapes and sizes. This blog only scratches the surface of all the ways cybercriminals lure unsuspecting users into phishing traps. The best way to stay protected is to invest in comprehensive security and stay updated on new phishing scams.
The post The Seven Main Phishing Lures of Cybercriminals appeared first on McAfee Blog.
End users, often viewed by infosec specialists as a corporation's weakest link, appear to be finally understanding the importance of good security and privacy practices.…
It is never too late to start a career in cybersecurity — this may sound cliché, but it holds a lot of truth. If you are passionate about the topic and are ready to put in the work to acquire the skills and knowledge needed, anyone, regardless of educational background, can break into cybersecurity.
At the age of 26, I started a four-year bachelor’s degree in digital forensics. I got introduced to the field by chance after working in data analytics for a few years and taking a college class on criminology. The program that I signed up for was mostly remote, with 80% independent preparation and bi-monthly on-site weekends at the university. I quickly realized that this model of education works great for me — I could read the materials provided by the program at my own pace and use as much external materials to supplement my understanding as needed. While the program was designed for working professionals and classes were spread out over four years, instead of the usual three years for a bachelor’s degree in Germany, it required a lot of discipline to complete the coursework while having a full-time job. Along the way, I learned several things about combining the responsibilities of adult life and achieving the study goals I had set for myself.
Below, I will outline a few recommendations to follow if you would like to break into the security field as an adult learner.
Use visual support to communicate your goals and timeline to others. This makes it easy for them to understand where you stand and why you might pass on the dinner invitation for next weekend.
Small reminders like the one above can help you stay motivated and focused.
One of the first events that I attended as a student was an information day by the German research institute Fraunhofer Institute for Secure Information Technology (SIT). Public institutions like this one tend to offer more affordable events and discount rates for students.
Appreciate the small steps forward and be gentle to your mental health.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Shiva Persaud is the director of security engineering for Cisco. His team is responsible for the Cisco Secure Development Lifecycle (CSDL), a set of practices based on a “secure-by-design” philosophy developed to ensure that security and compliance are top-of-mind in every step of a solution’s lifecycle. This blog is the third in a series focused on M&A cybersecurity, following Jason Button’s post on Demonstrating Trust and Transparency in Mergers and Acquisitions.
One of the most important considerations when Cisco acquires a company, is ensuring that the security posture of the acquisition’s solutions and infrastructure meets the enterprise’s security standards. That can be a tricky proposition and certainly doesn’t happen overnight. In fact, at Cisco, it only comes about thanks to the efforts of a multitude of people working hard behind the scenes.
“The consistent message is that no matter where a product is in its security journey, from inception to end-of-life activities, there’s still a lot of work that can happen to lead to a better security outcome,” says Persaud.
While Persaud and his team work within Cisco on all the company’s products and solutions, they also play a critical role in maintaining security standards in Cisco’s mergers and acquisitions (M&A) work.
Simply put, Persaud’s team is tasked with identifying the security risks posed by an acquisition’s technology and helping teams mitigate those risks.
“It starts with a risk assessment where we ask ourselves what an attacker would do to compromise this specific technology,” says Persaud. “What are the industry best practices for securing this type of technology? What do our customers expect this technology to provide from a security perspective? And once we have those risks enumerated, we prioritize them to decide which is the most important to take care of first.”
To anticipate where a hacker might find vulnerabilities and the actions they might take, the CSDL team must put themselves in that attack mindset. Fortunately for Persaud, his interest in computer security started as early as middle school. “It just kind of grew from there,” he says. “For many folks I’ve worked with and hired over the years, it’s a similar situation.”
That lifelong interest and experience work to the team’s advantage. They take a risk-based approach to security, in which they identify all the issues that need to be fixed and then rate them based on the likelihood of occurrence and seriousness of the results of an attack. Those ratings inform their decisions on which issues to fix first.
“We come up with ways to go mitigate those risks and co-author a plan called the Security Readiness Plan, or SRP,” Persaud says. “Then we partner with teams to take that plan and execute it over time.”
In alignment with CSDL’s continuous approach to security throughout a solution’s lifecycle, Persaud says that “security is a journey, so the workflow to finish the secure development lifecycle never ends.”
While initial onboarding of an acquired company—including completion of the initial risk assessment and the SRP—typically ends within several months of the acquisition. Persaud adds, “The work continues as the technology is integrated into a larger tech stack or as it’s modified and sold as a standalone offering to our customers.” As the solution or technology evolves and begins to include new features and functionalities, the CSDL work continues to make sure those features are secure as well.
That work can have its obstacles. Persaud says that one of the primary challenges his team deals with is cutting through the flurry of activity and bids for the acquisition’s attention that come pouring in from all sides. It’s a crazy time for both Cisco and the acquisition, with many important tasks at the top of everyone’s to-do lists. “Not just in the security realm,” says Persaud,” but in many other areas, too. So being able to get the acquisition to focus on security in a meaningful way in the context of everything else that’s happening is a major challenge.”
Another challenge is dealing with acquisitions that might not have much security expertise on their original team. That means they’re not able to give Persaud’s team much help in determining where security risks lie and how serious they are—so Cisco’s engineers have a lot more investigative work to do.
When asked what advice he would give to organizations that want to maintain a good security posture when acquiring another company, Persaud names three key factors.
To succeed in M&A security, it’s critical that the organization’s board of directors, CEO, and all subsequent levels of management support and be committed to meeting a high level of security standards and outcomes. The remaining management of the acquisition also needs to be on board with the security commitment, and both organizations should make sure that all employees recognize that commitment and support. If management support is not there, the work ultimately won’t get done. It can be difficult and time-consuming and without companywide recognition of its key importance, it won’t get prioritized, and it will get lost in the myriad of other things that all the teams have to do.
The issue of security can get really complicated, very quickly. Persaud says it’s smart to find industry standards and best practices that already exist and are available to everyone, “so you’re not reinventing the wheel—or more concerning, reinventing the wheel poorly.”
Where to look for those industry standards will vary, depending on the technology stack that needs to be secured. “If you are interested in securing a web application,” says Persaud, “then starting with the OWASP Top Ten list is a good place to start. If you are selling a cloud offer or cloud service, then look at the Cloud Security Alliance’s Cloud Controls Matrix (CCM) or the Cisco Cloud Controls Framework.”
One way to think of it, Persaud says, is that there are a variety of security frameworks certain customers will need a company to adhere to before they can use their solutions. Think frameworks like FedRAMP, SOC-2, Common Criteria, or FIPS.
“You can align your product security work to those frameworks as a baseline and then build on top of them to make technology more resilient.” It’s a great place to start.
It’s essential that an organization be very clear on what it wants to accomplish when it comes to ensuring security of an acquisition’s solutions and infrastructure. This will help it avoid “trying to boil the whole ocean,” says Persaud.
Persaud and his team talk about working up to security fitness the way a runner would start with a 5K and work up to an Ironman competition. “You take progressive steps towards improving,” he says. “You’re very explicit about what milestones of improvement you’ll encounter on your journey of good security.”
Persaud says Cisco is uniquely positioned to help organizations maintain security standards when acquiring other companies. He points to three critical differentiators.
“The level of visibility and support that we have for security at Cisco, starts with our board of directors and our CEO, and then throughout the organization,” says Persaud. “This is a very special and unique situation that allows us to do a lot of impactful work from a security perspective,”
Cisco has long been adamant about security that’s built in from the ground up and not bolted on as an afterthought. It’s the reason the CSDL exists, as well as the Cisco Security & Trust Organization and the many, many teams that work every day to infuse security and privacy awareness into every product, service, and solution—including the technology and infrastructure of newly acquired companies.
Once Persaud’s team has identified and assessed the security risks of an acquisition, his and other teams go about helping the acquisition address and mitigate those risks. Cisco provides a set of common building blocks or tools that teams can use to improve the security posture of an acquisition.
“We have secure libraries that teams can integrate into their code base to help them do certain things securely, so that the individual teams don’t have to implement that security functionality from scratch,” says Persaud. “And Cisco produces certain pieces of hardware that can be leveraged across our product lines, such as secure boot and secure storage.”
“Cisco’s operations stack also has various services acquisitions can use,” says Persaud. “An example of this comes from our Security Vulnerability and Incident Command team (SVIC). They provide logging capabilities that cloud offers at Cisco can leverage to do centralized logging, and then monitor those logs. SVIC also offers a security vulnerability scanning service so individual teams don’t have to do it independently.”
Another critical building block is Persaud’s team and their expertise. They act as a valuable resource that teams can consult when they want to build a new feature securely or improve the security of an existing feature.
Persaud concludes, “Cisco has an extremely strong and active security community where teams can ask questions, gain insights, give guidance, troubleshoot issues, share ideas and technology, and discuss emerging security topics. The community is committed to helping others instead of competing against each other. Members have the mindset of enriching the overall approach to security at Cisco and learning from any source they can to make things continually better.
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Singtel has confirmed that another Australian business it owns, consulting unit Dialog, has fallen victim to a cyber burglary just weeks after the mammoth data leak at telco Optus was revealed.…
What are the warning signs that someone has hijacked your Steam account? Here is what to look for and what you can do to get your account back.
The post Steam account hacked? Here’s how to get it back appeared first on WeLiveSecurity
A Russia based threat group that set up a malware distribution shop earlier this year is behind a Swiss Army knife-like botnet that comes with a range of other malicious capabilities, from stealing information to mining cryptocurrency.…
Opinion People are the biggest problem in corporate infosec. Make them the biggest asset. …
Supposedly ingenious schemes to revolutionize the finance industry with crypto are not hard to find – nor are their failures. And scarcely a day passes on which a cryptocurrency venture's infosec is not found wanting. That sad situation is causing financial institutions sufficient pain that Mastercard thinks the time is ripe for a service that helps lenders to understand if their customers' crypto purchases are dangerous.…
An internet security mechanism called Resource Public Key Infrastructure (RPKI), intended to safeguard the routing of data traffic, can be broken.…
Comment It's getting difficult these days to find a ransomware group that doesn't steal data and promise not to sell it if a ransom is paid off. What's more, these criminals are going down the extortion-only route, and not even bothering to scramble your files with encryption.…
In brief An executive order signed by President Biden on Friday to setting out fresh rules on how the US and Europe share people's private personal info may still fall short of the EU's wishes, says the privacy advocate who defeated the previous regulations in court.…
A couple of vulnerabilities in Ikea smart lighting systems can be exploited to make lights annoyingly flicker for hours.…
Geez it's nice to be home 😊 It's nice to live in a home that makes you feel that way when returning from a place as beautiful as Bali 😊 This week's video is dominated by the whole discussion around this tweet:
I love that part of the Microsoft Security Score for Identity in Azure improves your score if you *don't* enforce password rotation, what a sign of the times! Who out there still works somewhere that forces rotation (because "reasons")? pic.twitter.com/a2yQQvNRpa
— Troy Hunt (@troyhunt) October 6, 2022
I love this for the way it throws traditional logic out the window, logic we all knew sucked and I suspect the massive engagement the tweet drove is due to precisely that: Microsoft giving us all a good reason to whinge about a sucky practice that still prevails so broadly. So... I hope you enjoy listening to just how bad enforced password rotation sucks 😊
Cryptocurrency exchange Binance temporarily halted its blockchain network on Thursday in response to a cyberattack that led to the theft of two million BNB tokens, notionally exchangeable for $566 million in fiat currency.…
When U.S. consumers have their online bank accounts hijacked and plundered by hackers, U.S. financial institutions are legally obligated to reverse any unauthorized transactions as long as the victim reports the fraud in a timely manner. But new data released this week suggests that for some of the nation’s largest banks, reimbursing account takeover victims has become more the exception than the rule.
The findings came in a report released by Sen. Elizabeth Warren (D-Mass.), who in April 2022 opened an investigation into fraud tied to Zelle, the “peer-to-peer” digital payment service used by many financial institutions that allows customers to quickly send cash to friends and family.
Zelle is run by Early Warning Services LLC (EWS), a private financial services company which is jointly owned by Bank of America, Capital One, JPMorgan Chase, PNC Bank, Truist, U.S. Bank, and Wells Fargo. Zelle is enabled by default for customers at over 1,000 different financial institutions, even if a great many customers still don’t know it’s there.
Sen. Warren said several of the EWS owner banks — including Capital One, JPMorgan and Wells Fargo — failed to provide all of the requested data. But Warren did get the requested information from PNC, Truist and U.S. Bank.
“Overall, the three banks that provided complete data sets reported 35,848 cases of scams, involving over $25.9 million of payments in 2021 and the first half of 2022,” the report summarized. “In the vast majority of these cases, the banks did not repay the customers that reported being scammed. Overall these three banks reported repaying customers in only 3,473 cases (representing nearly 10% of scam claims) and repaid only $2.9 million.”
Importantly, the report distinguishes between cases that involve straight up bank account takeovers and unauthorized transfers (fraud), and those losses that stem from “fraudulently induced payments,” where the victim is tricked into authorizing the transfer of funds to scammers (scams).
A common example of the latter is the Zelle Fraud Scam, which uses an ever-shifting set of come-ons to trick people into transferring money to fraudsters. The Zelle Fraud Scam often employs text messages and phone calls spoofed to look like they came from your bank, and the scam usually relates to fooling the customer into thinking they’re sending money to themselves when they’re really sending it to the crooks.
Here’s the rub: When a customer issues a payment order to their bank, the bank is obligated to honor that order so long as it passes a two-stage test. The first question asks, Did the request actually come from an authorized owner or signer on the account? In the case of Zelle scams, the answer is yes.
Trace Fooshee, a strategic advisor in the anti money laundering practice at Aite-Novarica, said the second stage requires banks to give the customer’s transfer order a kind of “sniff test” using “commercially reasonable” fraud controls that generally are not designed to detect patterns involving social engineering.
Fooshee said the legal phrase “commercially reasonable” is the primary reason why no bank has much — if anything — in the way of controlling for scam detection.
“In order for them to deploy something that would detect a good chunk of fraud on something so hard to detect they would generate egregiously high rates of false positives which would also make consumers (and, then, regulators) very unhappy,” Fooshee said. “This would tank the business case for the service as a whole rendering it something that the bank can claim to NOT be commercially reasonable.”
Sen. Warren’s report makes clear that banks generally do not pay consumers back if they are fraudulently induced into making Zelle payments.
“In simple terms, Zelle indicated that it would provide redress for users in cases of unauthorized transfers in which a user’s account is accessed by a bad actor and used to transfer a payment,” the report continued. “However, EWS’ response also indicated that neither Zelle nor its parent bank owners would reimburse users fraudulently induced by a bad actor into making a payment on the platform.”
Still, the data suggest banks did repay at least some of the funds stolen from scam victims about 10 percent of the time. Fooshee said he’s surprised that number is so high.
“That banks are paying victims of authorized payment fraud scams anything at all is noteworthy,” he said. “That’s money that they’re paying for out of pocket almost entirely for goodwill. You could argue that repaying all victims is a sound strategy especially in the climate we’re in but to say that it should be what all banks do remains an opinion until Congress changes the law.”
However, when it comes to reimbursing victims of fraud and account takeovers, the report suggests banks are stiffing their customers whenever they can get away with it. “Overall, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received,” the report notes.
How did the banks behave individually? From the report:
-In 2021 and the first six months of 2022, PNC Bank indicated that its customers reported 10,683 cases of unauthorized payments totaling over $10.6 million, of which only 1,495 cases totaling $1.46 were refunded to consumers. PNC Bank left 86% of its customers that reported cases of fraud without recourse for fraudulent activity that occurred on Zelle.
-Over this same time period, U.S. Bank customers reported a total of 28,642 cases of unauthorized transactions totaling over $16.2 million, while only refunding 8,242 cases totaling less than $4.7 million.
-In the period between January 2021 and September 2022, Bank of America customers reported 81,797 cases of unauthorized transactions, totaling $125 million. Bank of America refunded only $56.1 million in fraud claims – less than 45% of the overall dollar value of claims made in that time.
–Truist indicated that the bank had a much better record of reimbursing defrauded customers over this same time period. During 2021 and the first half of 2022, Truist customers filed 24,752 unauthorized transaction claims amounting to $24.4 million. Truist reimbursed 20,349 of those claims, totaling $20.8 million – 82% of Truist claims were reimbursed over this period. Overall, however, the four banks that provided complete data sets indicated that they reimbursed only 47% of the dollar amount of fraud claims they received.
Fooshee said there has long been a great deal of inconsistency in how banks reimburse unauthorized fraud claims — even after the Consumer Financial Protection Bureau (CPFB) came out with guidance on what qualifies as an unauthorized fraud claim.
“Many banks reported that they were still not living up to those standards,” he said. “As a result, I imagine that the CFPB will come down hard on those with fines and we’ll see a correction.”
Fooshee said many banks have recently adjusted their reimbursement policies to bring them more into line with the CFPB’s guidance from last year.
“So this is heading in the right direction but not with sufficient vigor and speed to satisfy critics,” he said.
Seth Ruden is a payments fraud expert who serves as director of global advisory for digital identity company BioCatch. Ruden said Zelle has recently made “significant changes to its fraud program oversight because of consumer influence.”
“It is clear to me that despite sensational headlines, progress has been made to improve outcomes,” Ruden said. “Presently, losses in the network on a volume-adjusted basis are lower than those typical of credit cards.”
But he said any failure to reimburse victims of fraud and account takeovers only adds to pressure on Congress to do more to help victims of those scammed into authorizing Zelle payments.
“The bottom line is that regulations have not kept up with the speed of payment technology in the United States, and we’re not alone,” Ruden said. “For the first time in the UK, authorized payment scam losses have outpaced credit card losses and a regulatory response is now on the table. Banks have the choice right now to take action and increase controls or await regulators to impose a new regulatory environment.”
Sen. Warren’s report is available here (PDF).
There are, of course, some versions of the Zelle fraud scam that may be confusing financial institutions as to what constitutes “authorized” payment instructions. For example, the variant I wrote about earlier this year began with a text message that spoofed the target’s bank and warned of a pending suspicious transfer.
Those who responded at all received a call from a number spoofed to make it look like the victim’s bank calling, and were asked to validate their identities by reading back a one-time password sent via SMS. In reality, the thieves had simply asked the bank’s website to reset the victim’s password, and that one-time code sent via text by the bank’s site was the only thing the crooks needed to reset the target’s password and drain the account using Zelle.
None of the above discussion involves the risks affecting businesses that bank online. Businesses in the United States do not enjoy the same fraud liability protection afforded to consumers, and if a banking trojan or clever phishing site results in a business account getting drained, most banks will not reimburse that loss.
This is why I have always and will continue to urge small business owners to conduct their online banking affairs only from a dedicated, access restricted and security-hardened device — and preferably a non-Windows machine.
For consumers, the same old advice remains the best: Watch your bank statements like a hawk, and immediately report and contest any charges that appear fraudulent or unauthorized.
The US Department of Energy has proposed regulations to financially reward cybersecurity modernization at power plants by offering rate deals for everything from buying new hardware to paying for outside help.…
A look back on the key trends and developments that shaped the cyberthreat landscape from May to August of this year
The post Key takeaways from ESET Threat Report T2 2022 – Week in security with Tony Anscombe appeared first on WeLiveSecurity
Your phone buzzes. You hope it’s a reply from last night’s date, but instead you get an entirely different swooping feeling: It’s an alarming SMS text alerting you about suspicious activity on your bank account and that immediate action is necessary.
Take a deep breath and make sure to read the message carefully. Luckily, your assets could be completely safe. It could just be a smisher.
Smishing, or phishing over SMS, is a tactic where cybercriminals impersonate reputable organizations or people and trick people into handing over their PII or financial details. Sometimes they can seem very credible with the information they have, and you may have even been expecting a correspondence of a similar nature.
So how can you tell when an SMS text is real and requires your attention? And how should you deal with a smisher to keep your identity safe?
Like email phishing and social media phishing,
SMS text phishing often tries to use a strong emotion – like fear, anger, guilt, or excitement – to get you to respond immediately and without thinking through the request completely.
In the case of one coordinated smishing attack, cybercriminals not only impersonated financial institutions but collected PII on their targets ahead of time. The criminals then used these personal details – like old addresses and Social Security Numbers – to convince people that they were legitimate bank employees.1 But since when does a bank try to prove itself to the customer? Usually, it’s the other way around, where they’ll ask you to confirm your identity. Be wary of anyone who texts or calls you and has your PII. If you’re ever suspicious of a caller or texter claiming they’re a financial official, contact your bank through verified channels (chat, email, or phone) you find on the bank’s website to make sure.
Smishers often keep up with current events and attempt to impersonate well-known companies that have a reason to reach out to their customers. This adds false legitimacy to their message. For example, in the summer of 2022, Rogers Communications, a Canadian telecommunications provider, experienced an extended loss of service and told customers they could expect a reimbursement. Smishers jumped on the opportunity and sent a barrage of fake texts requesting banking details in order to carry out the reimbursement.2 However, Rogers credited customers directly to their Rogers accounts.
If you receive a suspicious text, go through these three steps to determine if you should follow up with the organization in question or simply delete and report the text.
Do you have text alerts enabled for your bank and utility accounts? If not, disregard any text claiming to be from those organizations. Companies will only contact you through the channels you have approved. Also, in the case of the Rogers smishing scheme, be aware of how a company plans to follow up with customers regarding reimbursements. You can find information like this on their official website and verified social channels.
If the tone of the text urges you to act quickly or proposes a dire consequence of ignoring the message, be on alert. While suspicious activity on your credit card is serious, your bank will likely reimburse you for charges you didn’t make, so you have time to check your bank account and see recent activities. Official correspondence from financial institutions will always be professional, typo-free, and will try to put you at ease, not make you panic.
Whenever you get a text from someone you don’t know, it’s a good practice to do an internet search for the number to see with whom it’s associated. If it’s a legitimate number, it should appear on the first page of the search results and direct to an official bank webpage.
Once you’ve identified a fake SMS alert, do not engage with it. Never click on any links in the message, as they can redirect you to risky sites or download malware to your device. If you have McAfee Safe Browsing on your mobile, it can be your backup if you accidentally open a malicious link.
Also, don’t reply to the text. A reply lets the criminal on the other end know that they reached a valid phone number, which may cause them to redouble their efforts. Finally, block the number and report it as spam.
A great absolute rule to always follow is to never give out your Social Security Number, banking information, usernames, or passwords over text.
To give you peace of mind in cases where you think a malicious actor has access to your PII, you can count on McAfee+. McAfee+ offers a comprehensive suite of identity and privacy protection services to help you feel more confident in your digital life.
1PC Mag, “Scammers Are Using Fake SMS Bank Fraud Alerts to Phish Victims, FBI Says”
2Daily Hive, “Rogers scam alert: Texts offering credit after outage are fake”
The post What Is Smishing? Here’s How to Spot Fake Texts and Keep Your Info Safe appeared first on McAfee Blog.