
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdaySecurity

New TOITOIN Banking Trojan Targeting Latin American Businesses

Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. "This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week. "These modules

Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts

By Ravie Lakshmanan
As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin. The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6) that was released on June 29, 2023. Ultimate Member is a popular plugin that facilitates the

New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions

By Ravie Lakshmanan
A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. "The code is heavily obfuscated making use of polymorphic

Beware: 1,000+ Fake Cryptocurrency Sites Trap Users in Bogus Rewards Scheme

By Ravie Lakshmanan
A previously undetected cryptocurrency scam has leveraged a constellation of over 1,000 fraudulent websites to ensnare users into a bogus rewards scheme since at least January 2021. "This massive campaign has likely resulted in thousands of people being scammed worldwide," Trend Micro researchers said in a report published last week, linking it to a Russian-speaking threat actor named "Impulse

Service Rents Email Addresses for Account Signups

By BrianKrebs

One of the most expensive aspects of any cybercriminal operation is the time and effort it takes to constantly create large numbers of new throwaway email accounts. Now a new service offers to help dramatically cut costs associated with large-scale spam and account creation campaigns, by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.

The service in question — kopeechka[.]store — is perhaps best described as a kind of unidirectional email confirmation-as-a-service that promises to “save your time and money for successfully registering multiple accounts.”

“Are you working on large volumes and are costs constantly growing?” Kopeechka’s website asks. “Our service will solve all your problems.”

As a customer of this service, you don’t get full access to the email inboxes you are renting. Rather, you configure your botnet or spam machine to make an automated application programming interface (API) call to the Kopeechka service, which responds with a working email address at an email provider of your choosing.

Once you’ve entered the supplied email address into the new account registration page at some website or service, you tell Kopeechka which service or website you’re expecting an account confirmation link from, and they will then forward any new messages matching that description to your Kopeechka account panel.

Ensuring that customers cannot control inboxes rented through the service means that Kopeechka can rent the same email address to multiple customers (at least until that email address has been used to register accounts at most of the major online services).

Kopeechka also has multiple affiliate programs, including one that pays app developers for embedding Kopeechka’s API in their software. However, far more interesting is their program for rewarding people who choose to sell Kopeechka usernames and passwords for working email addresses.

Kopeechka means “penny” in Russian, which is generous verbiage (and coinage) for a service that charges a tiny fraction of a penny for access to account confirmation links. Their pricing fluctuates slightly based on which email provider you choose, but a form on the service’s homepage says a single confirmation message from to costs .07 rubles, which is currently equal to about $0.00087 dollars.

The pricing for Kopeechka works out to about a fraction of a penny per confirmation message.

“Emails can be uploaded to us for sale, and you will receive a percentage of purchases %,” the service explains. “You upload 1 mailbox of a certain domain, discuss percentage with our technical support (it depends on the liquidity of the domain and the number of downloaded emails).”

We don’t have to look very far for examples of Kopeechka in action. In May, KrebsOnSecurity interviewed a Russian spammer named “Quotpw who was mass-registering accounts on the social media network Mastodon in order to conduct a series of huge spam campaigns advertising scam cryptocurrency investment platforms.

Much of the fodder for that story came from Renaud Chaput, a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including,, and Chaput told KrebsOnSecurity that his team was forced to temporarily halt all new registrations for these communities last month after the number of new registrations from Quotpw’s spam campaign started to overwhelm their systems.

“We suddenly went from like three registrations per minute to 900 a minute,” Chaput said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.”

After that story ran, Chaput said he discovered that the computer code powering Quotpw’s spam botnet (which has since been released as open source) contained an API call to Kopeechka’s service.

“It allows them to pool many bot-created or compromised emails at various providers and offer them to cyber criminals,” Chaput said of Kopeechka. “This is what they used to create thousands of valid Hotmail (and other) addresses when spamming on Mastodon. If you look at the code, it’s really well done with a nice API that forwards you the confirmation link that you can then fake click with your botnet.”

It’s doubtful anyone will make serious money selling email accounts to Kopeechka, unless of course that person already happens to run a botnet and has access to ridiculous numbers of email credentials. And in that sense, this service is genius: It essentially offers scammers a new way to wring extra income from resources that are already plentiful for them.

One final note about Quotpw and the spam botnet that ravaged Chaput’s Mastodon servers last month: Trend Micro just published a report saying Quotpw was spamming to earn money for a Russian-language affiliate program called “Impulse Team,” which pays people to promote cryptocurrency scams.

The crypto scam affiliate program “Project Impulse,” advertising in 2021.

Websites under the banner of the Impulse Scam Crypto Project are all essentially “advanced fee” scams that tell people they have earned a cryptocurrency investment credit. Upon registering at the site, visitors are told they need to make a minimum deposit on the service to collect the award. However, those who make the initial investment never hear from the site again, and their money is gone.

Interestingly, Trend Micro says the scammers behind the Impulse Team also appear to be operating a fake reputation service called Scam-Doc[.]com, a website that mimics the legitimate for measuring the trustworthiness and authenticity of various sites. Trend notes that the phony reputation site routinely gave high trust ratings to a variety of cryptocurrency scam and casino websites.

“We can only suppose that either the same cybercriminals run operations involving both or that several different cybercriminals share the scam-doc[.]com site,” the Trend researchers wrote.

The ScamDoc fake reputation websites, which were apparently used to help make fake crypto investment platforms look more trustworthy. Image: Trend Micro.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.

N. Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT

By Ravie Lakshmanan
Cybersecurity researchers have offered a closer look at the RokRAT remote access trojan that's employed by the North Korean state-sponsored actor known as ScarCruft. "RokRAT is a sophisticated remote access trojan (RAT) that has been observed as a critical component within the attack chain, enabling the threat actors to gain unauthorized access, exfiltrate sensitive information, and potentially

Tricks of the trade: How a cybercrime ring operated a multi‑level fraud scheme

By Roman Cuprik

A peek under the hood of a cybercrime operation and what you can do to avoid being an easy target for similar ploys

The post Tricks of the trade: How a cybercrime ring operated a multi‑level fraud scheme appeared first on WeLiveSecurity

Discord Admins Hacked by Malicious Bookmarks

By BrianKrebs

A number of Discord communities focused on cryptocurrency have been hacked this past month after their administrators were tricked into running malicious Javascript code disguised as a Web browser bookmark.

This attack involves malicious Javascript that is added to one’s browser by dragging a component from a web page to one’s browser bookmarks.

According to interviews with victims, several of the attacks began with an interview request from someone posing as a reporter for a crypto-focused news outlet online. Those who take the bait are sent a link to a Discord server that appears to be the official Discord of the crypto news site, where they are asked to complete a verification step to validate their identity.

As shown in this Youtube video, the verification process involves dragging a button from the phony crypto news Discord server to the bookmarks bar in one’s Web browser. From there, the visitor is instructed to go back to and then click the new bookmark to complete the verification process.

However, the bookmark is actually a clever snippet of Javascript that quietly grabs the user’s Discord token and sends it to the scammer’s website. The attacker then loads the stolen token into their own browser session and (usually late at night after the admins are asleep) posts an announcement in the targeted Discord about an exclusive “airdrop,” “NFT mint event” or some other potential money making opportunity for the Discord members.

The unsuspecting Discord members click the link provided by the compromised administrator account, and are asked to connect their crypto wallet to the scammer’s site, where it asks for unlimited spend approvals on their tokens, and subsequently drains the balance of any valuable accounts.

Meanwhile, anyone in the compromised Discord channel who notices the scam and replies is banned, and their messages are deleted by the compromised admin account.

Nicholas Scavuzzo is an associate at Ocean Protocol, which describes itself as an “open-source protocol that aims to allow businesses and individuals to exchange and monetize data and data-based services.” On May 22, an administrator for Ocean Protocol’s Discord server clicked a link in a direct message from a community member that prompted them to prove their identity by dragging a link to their bookmarks.

Scavuzzo, who is based in Maine, said the attackers waited until around midnight in his timezone time before using the administrator’s account to send out an unauthorized message about a new Ocean airdrop.

Scavuzzo said the administrator’s account was hijacked even though she had multi-factor authentication turned on.

“A CAPTCHA bot that allows Discord cookies to be accessed by the person hosting the CAPTCHA,” was how Scavuzzo described the attack. “I’ve seen all kinds of crypto scams, but I’ve never seen one like this.”

In this conversation, “Ana | Ocean” is a compromised Discord server administrator account promoting a phony airdrop.

Importantly, the stolen token only works for the attackers as long as its rightful owner doesn’t log out and back in, or else change their credentials.

Assuming the administrator can log in, that is. In Ocean’s case, one of the first things the intruders did once they swiped the administrator’s token was change the server’s access controls and remove all core Ocean team members from the server.

Fortunately for Ocean, Scavuzzo was able to reach the operator of the server that hosts the Discord channel, and have the channel’s settings reverted back to normal.

“Thankfully, we are a globally distributed team, so we have people awake at all hours,” Scavuzzo said, noting that Ocean is not aware of any Discord community members who fell for the phony airdrop offer, which was live for about 30 minutes. “This could have been a lot worse.”

On May 26, Aura Network reported on Twitter that its Discord server was compromised in a phishing attack that resulted in the deletion of Discord channels and the dissemination of fake Aura Network Airdrop Campaign links.

On May 27, Nahmii — a cryptocurrency technology based on the Ethereum blockchain — warned on Twitter that one of its community moderators on Discord was compromised and posting fake airdrop details.

On May 9, MetrixCoin reported that its Discord server was hacked, with fake airdrop details pushed to all users.

KrebsOnSecurity recently heard from a trusted source in the cybersecurity industry who dealt firsthand with one of these attacks and asked to remain anonymous.

“I do pro bono Discord security work for a few Discords, and I was approached by one of these fake journalists,” the source said. “I played along and got the link to their Discord, where they were pretending to be journalists from the Cryptonews website using several accounts.”

The source took note of all the Discord IDs of the admins of the fake Cryptonews Discord, so that he could ensure they were blocked from the Discords he helps to secure.

“Since I’ve been doing this for a while now, I’ve built up a substantial database of Discord users and messages, so often I can see these scammers’ history on Discord,” the source said.

In this case, he noticed a user with the “CEO” role in the fake Cryptonews Discord had been seen previously under another username — “Levatax.” Searching on that Discord ID and username revealed a young Turkish coder named Berk Yilmaz whose Github page linked to the very same Discord ID as the scammer CEO.

Reached via instant message on Telegram, Levatax said he’s had no involvement in such schemes, and that he hasn’t been on Discord since his Microsoft Outlook account was hacked months ago.

“The interesting thing [is] that I didn’t use Discord since few months or even social media because of the political status of Turkey,” Levatax explained, referring to the recent election in his country. “The only thing I confirm is losing my Outlook account which connected to my Discord, and I’m already in touch with Microsoft to recover it.”

The verification method used in the above scam involves a type of bookmark called a “bookmarklet” that stores Javascript code as a clickable link in the bookmarks bar at the top of one’s browser.

While bookmarklets can be useful and harmless, malicious Javascript that is executed in the browser by the user is especially dangerous. So please avoid adding (or dragging) any bookmarks or bookmarklets to your browser unless it was your idea in the first place.

China's Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected

By Ravie Lakshmanan
A stealthy China-based group managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam without being detected, Microsoft and the "Five Eyes" nations said on Wednesday. The tech giant's threat intelligence team is tracking the activity, which includes post-compromise credential access and network system discovery, under the name Volt Typhoon. The

Zero Trust + Deception: Join This Webinar to Learn How to Outsmart Attackers!

By The Hacker News
Cybersecurity is constantly evolving, but complexity can give hostile actors an advantage. To stay ahead of current and future attacks, it's essential to simplify and reframe your defenses. Zscaler Deception is a state-of-the-art next-generation deception technology seamlessly integrated with the Zscaler Zero Trust Exchange. It creates a hostile environment for attackers and enables you to track

Vietnamese Threat Actor Infects 500,000 Devices Using 'Malverposting' Tactics

By Ravie Lakshmanan
A Vietnamese threat actor has been attributed as behind a "malverposting" campaign on social media platforms to infect over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer. Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious

Google wins court order to force ISPs to filter botnet traffic

By Naked Security writer
CryptBot criminals are alleged to have plundered browser passwords, illicitly-snapped screenshots, cryptocurrency account data, and more.

Why Your Detection-First Security Approach Isn't Working

By The Hacker News
Stopping new and evasive threats is one of the greatest challenges in cybersecurity. This is among the biggest reasons why attacks increased dramatically in the past year yet again, despite the estimated $172 billion spent on global cybersecurity in 2022. Armed with cloud-based tools and backed by sophisticated affiliate networks, threat actors can develop new and evasive malware more quickly

Pig butchering scams: The anatomy of a fast‑growing threat

By Márk Szabó

How fraudsters groom their marks and move in for the kill using tricks from the playbooks of romance and investment scammers

The post Pig butchering scams: The anatomy of a fast‑growing threat appeared first on WeLiveSecurity

ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques

By Ravie Lakshmanan
The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware onto targeted machines. According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the development is illustrative of the group's continuous efforts to refine and retool its tactics

SVB’s collapse is a scammer’s dream: Don’t get caught out

By Phil Muncaster

How cybercriminals can exploit Silicon Valley Bank's downfall for their own ends – and at your expense

The post SVB’s collapse is a scammer’s dream: Don’t get caught out appeared first on WeLiveSecurity

5 signs you’ve fallen for a scam – and what to do next

By Phil Muncaster

Here’s how to know you have fallen victim to a scam – and what to do in order to undo or mitigate the damage.

The post 5 signs you’ve fallen for a scam – and what to do next appeared first on WeLiveSecurity

Common WhatsApp scams and how to avoid them

By André Lameiras

Here's a roundup of some of the most common tricks that fraudsters use to dupe their victims on WhatsApp – and what you can do to protect yourself against them.

The post Common WhatsApp scams and how to avoid them appeared first on WeLiveSecurity

Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks

By Ravie Lakshmanan
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc. "While C2 frameworks are prolific, the

NPM JavaScript packages abused to create scambait links in bulk

By Paul Ducklin
Free spins? Bonus game points? Cheap social media followers? What harm could it possibly do if you just take a tiny little look?!

10 signs that scammers have you in their sights

By Phil Muncaster

Don’t be their next victim – here’s a handy round-up of some the most common signs that should set your alarm bells ringing

The post 10 signs that scammers have you in their sights appeared first on WeLiveSecurity

SE Labs 2023 Annual Security Report Names Cisco as Best Next Generation Firewall

By Neville Letzerich

Cisco is honored to be this year’s winner of the Best Next Generation Firewall Award in the SE Labs 2023 Annual Report. This industry recognition validates Cisco’s continuous push towards harmonizing network, workload, and application security across hybrid and multicloud environments. I’m incredibly proud of the Cisco Secure Firewall team and am thankful for our amazing customers who continue to trust Cisco and develop their network security around our capabilities. 

SE Labs, a cybersecurity testing and evaluation firm, provides impartial and independent assessments of various cybersecurity products and solutions. In their 2023 Annual Report, SE Labs states: 

“Our Annual Security Awards recognizes security vendors that notonly do well in our tests, but perform well in the real world withreal customers. These awards are the only in the industry thatrecognize strong lab work combined with practical success.”

SE Labs Testing Methodology 

SE Labs performs tests on behalf of customers seeking independent proof-of-value assistance, as well as security vendors. At Cisco, we use third-party evaluations from multiple sources, including SE Labs, to augment our internal testing and to drive product improvement. 

Winners were determined after months of in-depth testing, based on a combination of continual public testing, private assessments and feedback from corporate clients who use SE Labs to help choose security products and services. The award further validates that our customers can expect superior threat protection and performance with Cisco Secure Firewall. 

SE Labs’ reports use the MITRE ATT&CK framework, employing both common “commodity” malware samples and sophisticated, targeted attacks. Their network security testing uses full attack chains to assess the detection and protection abilities of network devices and combinations of network and endpoint solutions. SE Labs publishes its testing methodologies and is BS EN ISO 9001: 2015 certified for The Provision of IT Security Product Testing. 

As a worldwide leader in networking and security, Cisco is better positioned than any other security vendor to incorporate effective firewall controls into our customers’ infrastructure — anywhere data and applications reside. We offer a comprehensive threat defense with industry-leading Snort 3 IPS to protect users, applications, and data from continuously evolving threats. Our solutions also leverage machine learning and advanced threat intelligence from Cisco Talos, one of the world’s largest commercial threat intelligence teams. 

Cisco Secure Firewall Key Features 

  • Cisco Secure Firewall’s threat-focused architecture enables superior visibility and control of network traffic. Many security practitioners today struggle with a lack of visibility into encrypted traffic, which is why Cisco has developed the differentiated Encrypted Visibility Engine that detects threats in encrypted traffic – with minimal to no decryption. Secure Firewall’s detailed analysis, visibility, and reporting enable organizations to rapidly gain insights into their network traffic, applications, and assets. 
  • Cisco Secure Firewall capabilities provide a unified security posture across the entire network. This is achieved through its tight integration with workload, web, email, and cloud security through our SecureX XDR platform. This integration increases the efficiency of the SecOps team, by accelerating threat investigation and response time. 
  • Designed to be adaptive and highly scalable in dynamic environments, Cisco Secure Firewall is expressly designed to reduce total cost of ownership. It helps teams save time with consistent policy enforcement, helping our customers realize up to a 195% return on investment over three years, as noted in the third-party research we commissioned with Forrester Consulting.   

In the constantly evolving world of cybersecurity, it is important to have access to the latest and most advanced technologies to stay ahead of threats. Whether you are an enterprise, government, healthcare, or a service provider organization, Cisco Secure Firewall provides top-ranked security. 

When you invest in Cisco Secure Firewall, you are investing in award-winning threat defense with capabilities that are built for the real world. Learn more about SE Labs 2023 Annual Report, Cisco Secure Firewall and how you can refresh your firewall. 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Are online surveys legit and safe? Watch out for survey scams

By Phil Muncaster

“Can I tell a legitimate survey apart from a fake one?” is the single most important question you need to answer for yourself before taking any surveys online

The post Are online surveys legit and safe? Watch out for survey scams appeared first on WeLiveSecurity

Tech support scammers are still at it: Here’s what to look out for in 2023

By Phil Muncaster

Hello, is it me you’re looking for? Fraudsters still want to help you 'fix' a computer problem you never had in the first place.

The post Tech support scammers are still at it: Here’s what to look out for in 2023 appeared first on WeLiveSecurity

A Scam in the Family—How a Close Relative Lost $100,000 to an Elder Scam

By McAfee

Written by James Schmidt 

Editor’s Note: We often speak of online scams in our blogs, ones that cost victims hundreds if not thousands of dollars. This account puts a face on one of those scams—along with the personal, financial, and emotional pain that they can leave in their wake. This is the story of “Meredith,” whose aunt “Leslie” fell victim to an emerging form on online elder fraud. Our thanks to James for bringing it forward and to “Meredith’s” family for sharing it, all so others can prevent such scams from happening to them. 


“Embarrassing. Simply embarrassing.” She shook her head. “It’s too raw. I can’t talk about it right now. I need time.”   

Her aunt had been scammed. To the tune of $100,000 dollars. My colleague—we both work in the security industry—felt a peculiar sense of loss. 

“I work in this industry. I thought I’d done everything right. I’ve passed on enough warnings to my family and friends to ensure they’d avoid the fate of the scammed.  Simply because I’m in this industry does not imply my circle is always aware of all the threats to them, even if I do my best to teach them.” 

“My mental state, recently, borders on shame; this feeling, you know? How could someone working in my industry have something like this happen to a family member?”  

I told her many people working in other industries cannot control what happens to people in their families even if people in that industry had knowledge that could have helped them or otherwise avoided a problem altogether. 

“I know, but this simply should never have happened! My aunt is one of the smartest, most conscientious people I know, and she fell for this. It’s crazy and I can’t wrap my head around it.” 

My colleague, let’s call her Meredith (not her real name as she’s a bit ashamed to know this happened to a family member), told me the beginnings. 

Let’s call her aunt Leslie. 

Her story unfolds, the overall picture a pastiche of millions of people in the United States today. Her aunt is retired, bored, lonely, and isolated. She feels adrift without something to occupy her time; she was looking for companionship, connections, someone (anyone) to talk to. Her feelings intensified during the pandemic. She morphed into perfect prey for scammers of what is now known as the “Pig Butchering Scam.” 

The term “Pig Butchering” has a visceral and raw feel to it, which falls right in line with how brutal this scam can be. It’s a long con game, where the scammer befriends the victim and encourages them to make small investments through the scammer, which get bigger and bigger over time. The scammer builds trust early with what appear to be small investment wins. None of it is legit. The money goes right into the scammer’s pocket, even as the scammer shows the victim phony financial statements and dashboards to show off the bogus returns. Confidence grows. The scammer wrings even larger sums out of the victim. And then disappears.  

It was a targeted attack that started innocuously enough with a “fake wrong number”. An SMS arrives. A text conversation starts. The scammer then apologizes but tells Leslie someone gave them the number to initiate the text. 

The scammer then uses emotional and psychological techniques to keep Leslie hooked.  “How are you, are you having a nice day?” Leslie, being bored and interested, engages willingly.     

The scammer asks to talk directly, not via text: and a phone conversation ensues.  The scammer proceeds to describe—in very soothing detail—what they are doing, helping people, like Leslie, invest their “hard-earned money” into something that will make them more money, to help them out in retirement. 

Of course, it is too good to be true.  

“The craziest part of all of this is my aunt refuses—to this day—to believe she’s been scammed!” 

She still thinks this scammer is a “friend” even though the entire family is up in arms over this, all of whom beg her aunt to “open her eyes.” 

“My aunt still thinks she’d going to see that money again, or even make some money, which is crazy. The scammers are so good at emotional intelligence; really leveraging heartstrings and psychological makeup of the forlorn in society. My aunt finally agreed to stop sending more money to the scammers, but only after the entire family threatened to cut her off from the rest of the family. It took a lot to get her to stop trusting the scammers.” 

Meredith feels this is doubly sad as the aunt in question is not someone they’d ever imagine would in this predicament. She was always the upright one, always the diligent and hardworking and the best with money. She is smart and savvy and we could never imagine her to be taken by these people and taken so easily. It boggles the mind.” 

She did start to change in the last few years. And the pandemic created a weird situation. Retirement, loneliness from loss of a partner, and the added burden of the pandemic created a perfect storm for her to open herself up to someone willingly, simply for the sake of connection. 

“No one deserves this. It has rocked my family to the core. It is not only about the money, but we’ve found family bonds stretched. She believes these random people, these scammers, more than she believes her own family. Have we been neglectful of our aunt? Does she no longer put her faith in people she knows, rather gives money to complete strangers?” 

Being a security professional does not provide magical protection. We are more aware of scams and scammers, and how they work, and what to look for, and we try to do all we can to keep our family aware of scams out there in the big wide world, but we are human. We fall short. 

Diligence is action. Awareness is action. Education is action. 

We need to be better, all of us, at socializing risky things. We need to consistently educate our family and friends to protect themselves, not only via security software (which everyone should have as default) but by providing tips and tricks and warnings for things we all need to be on the lookout. This is not a one-time thing. The cliché holds true: “If you see something say something.” Repetition helps.  

In today’s world, the need for protecting people’s security, identity, and privacy is critical to keeping them safe. Scammers long stopped focusing on attacking only your computer. Now focus more than ever on YOU: your identity, your privacy, your trust. If they get you there, they soon get your money. 

As for contributing factors to scammers success with their victims, such as loneliness, isolation, and boredom, they all have remedies.  Make connections with your loved ones, especially those easily tagged as vulnerable, those you feel might be at risk. Reach out. It may be hard sometimes due to distance and other factors but make it a point to connect. There is a reason these scammers are succeeding. They are stepping into roles of companions to people who are desperate for connection.   

Most people are greatly saddened at seeing other people being “taken.” Let’s work together to help stop the scammers. 

Look out for each other, and get your people protected! 

Editor’s Closing Note:  

If you or someone you know suspects elder fraud, the following resources can help: 

For further reading on scams and scam prevention, check out the guides in our McAfee Safety Series, which provide in-depth advice on protecting your identity and privacy—and your family from scams. They’re ready to download and share. 

The post A Scam in the Family—How a Close Relative Lost $100,000 to an Elder Scam appeared first on McAfee Blog.

CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems

By Ravie Lakshmanan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9)

Top 10 Venmo scams: Don’t fall for these common tricks

By Phil Muncaster

Here's what to know about some of the most common ploys that scammers use on the payment app

The post Top 10 Venmo scams: Don’t fall for these common tricks appeared first on WeLiveSecurity

Multi-million investment scammers busted in four-country Europol raid

By Paul Ducklin
216 questioned, 15 arrested, 4 fake call centres searched, millions seized...

How To Recognize An Online Scam

By Alex Merton-McCann

It’s been a particularly busy and colourful week, scam-wise in our household. Between 4 family members, we’ve received almost 20 texts or emails that we’ve identified as scams. And the range was vast: from poorly written emails offering ‘must have’ shopping deals to terse text messages reprimanding us for overdue tolls plus the classic ‘Dear mum, I’ve smashed my phone’ and everything in between. 

There’s no doubt that scammers are dedicated opportunists who can pivot fast. They can pose as health authorities during a pandemic, charities after a flood or even your next big love on an online dating platform. And it’s this chameleon ability that means we need to always be on red alert! 

How Big An Issue Are Scams in Australia? 

According to the Australian Competition and Consumer Commission (ACCC), Aussies lost a record amount of more than $2 billion in scams in 2021. And that was with record levels of intervention from the government, law enforcement agencies and the private sector. The most lucrative scams were investment scams ($701 million) followed by payment redirection scams ($227 million) and then romance scams which netted a whopping $142 million. 

But the psychological trauma that is often experienced by victims can be equally as devastating. Many individuals will require extensive counselling and support in order to move on from the emotional scarring from being a victim of hacking. 

So, with scammers putting so much energy into trying to lure us into their web, how can we stay one step ahead of these online schemers and ensure we don’t become a victim? 

What You Can Do To Stay Ahead Of The Scammers 

While there are no guarantees in life, there are a few steps you can take so that you can quickly recognise an online scam. 

1. Slow Down 

If you’ve received a text message, email or call that you think is a scam, don’t respond. Take your time. Slow down and pause. If it’s a call, and you’re not sure – hang up! Or if it’s a text or email – delete it! But if you are concerned that it might be legitimate, call the company directly using the contact information from their official website or through their secure apps.  

2. Think First 

If you are being asked to share your personal information or pay money either via a text or phone call, take some time to think. Does it feel legitimate? Do you have a relationship with this organisation? Remember, scammers are very talented at pretending they are from organisations you know and trust. If in doubt, contact the company directly via their official communication channels. Or ask a trusted friend or family member for their input. But remember, NEVER click on any links in messages from people or organisations you don’t know – no exceptions!! 

3. If Concerned, Act Fast!  

Do not hesitate to take action if something feels wrong. If there are any transactions on your credit card or bank statements that don’t look right, call your bank immediately. If you think you may have given personal information to scammers, then act fast. I recommend calling ID Care – Australia and New Zealand’s national identity and cyber support service. They are a not-for-profit charity that provides support to individuals affected by identity and cyber security issues. 

ReportCyber is another way of notifying authorities of a scam. An initiative of the Australian Government and the Australian Cyber Security Centre, it helps authorities investigate and shut down scams. It’s also a good idea to report the scam to Scamwatch – the dedicated scam arm of the Australian Competition and Consumer Commission (ACCC). 

4. Get Ahead Of The Scammers 

We’ve all heard that ‘prevention is better than a cure’ so taking some time to protect yourself before a scammer comes your way is a no-brainer. Here are my top 5 things to do: 

  • Ensure all your online accounts have an individual complex password. Use a password manager – they’ll create and remember your passwords. 
  • Add multi-factor authentication whenever possible. This could be a code sent to your phone, a token or a secret question. 
  • Ensure you have security software on all your devices 
  • Close any online accounts you don’t use. It will reduce the probability of being caught in a data breach. 
  • Software updates are an important way of protecting your devices (and private info) from security vulnerabilities. So, ensure these are automated.  

Please don’t think smart people don’t get caught up in scams because they do!! Scammers are very adept at looking legitimate and creating a sense of urgency. With many of us living busy lives and not taking the time to think critically, it’s inevitable that some of us will become victims. And remember if you’re offered a deal that just seems too good to be true, then it’s likely a scam! Hang up or press delete!! 

The post How To Recognize An Online Scam appeared first on McAfee Blog.

Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid

By Naked Security writer
When someone calls you up to warn you that your bank account is under attack - it's true, because THAT VERY PERSON is the one attacking you!

“Suspicious login” scammers up their game – take care at Christmas

By Paul Ducklin
A picture is worth 1024 words - we clicked through so you don't have to.

OneCoin scammer Sebastian Greenwood pleads guilty, “Cryptoqueen” still missing

By Paul Ducklin
The Cryptoqueen herself is still missing, but her co-conspirator, who is said to have pocketed over $20m a month, has been convicted.

Oh, the scammers online are frightful

By Dave Lewis

Oh, the scammers online are frightful, and the deals they offer seem delightful. No matter what you think you know, let it go, let it go, let it go (to the tune of 1945’s Let it Snow by Vaughn Monroe with the Norton Sisters).

‘Tis the season to find ourselves awash in good tidings and, well, consumerism. While it’s only partly tongue in cheek, we must be honest with ourselves. We spend a lot of money online. Often, we find ourselves leaving things to the last minute and hope that the delivery folks can make the magic happen and send us all the widgets and grapple grommets while we surf the Internet from the safety of our sofas with coffee in hand.

But, not every deal is what it appears to be. Scammers are always lurking in the void of the Internet waiting for a chance to fleece the unexpecting from their hard-earned money. This can manifest itself to the unsuspecting in many ways. There are shipping frauds, gift card giveaways and vishing (phone-based scams).

Scams tend to rely on generating a false sense of urgency. The shipping scam emails often show up in our inboxes as a warning about a missed or delayed package that will be sent back to the point of origin if we don’t answer quickly. Of course, this requires a payment to receive the fictitious package.

These types of shipping scam emails are quite effective this time of year when more often than naught many people have enough orders coming to their house to make a fort with the empty boxes.

The other kinds of attacks are the gift card scams and vishing. The first of which taps into the sense of excitement that a person might receive something for free. “Fill out this form with your credit card information for a chance to win a $200 gift card.” Sadly, this attack works well for older generations  for which giveaways were more common and they aren’t as accustomed to spotting digital swindlers.

The last scam that we will tackle here is often labeled as vishing or voice phishing. This is a method whereby the attackers call a victim and attempt to convince their target that they need to do something which will lead to the exposure of financial information while pressuring the victim to think if they don’t act quickly that they will miss an opportunity for personal gain.

Unfortunately, the aforementioned scams really bring in a lot of return for the criminal element. In 2021, over 92,000 victims over the age of 60 reported losses of $1.7 billion. This represents a 74 percent increase in losses over losses reported in 2020.

One additional scam that plays on the heart strings is the romance scams. A lot of single people find themselves lonely during the holidays and can be manipulated into thinking that they’ve found a romantic match. But this can drain the bank accounts as well.

In 2021, the IC3 received reports from 7,658 victims who experienced over $432 million in losses to Confidence Fraud/Romance scams. This type of fraud accounts for the highest losses reported by victims over the age of 60.

All these attacks prey on people’s emotional responses. So, how do we prepare ourselves? We need to make knowledge a capability and arm ourselves with information that will help us avoid being taken advantage of by criminals.

Passwords are a significant exposure. They are the digital equivalent of a house key. A password will work for anyone that has access to it. We need to utilize technologies such as multi-factor authentication (MFA) on websites where it is possible to do so. So even if bad actors have our password, the victim still needs to approve the login.

If we don’t have the option to use MFA it would be an excellent idea to make use of a password manager. This is a way to safely store passwords and not fall into the trap of reusing passwords on multiple sites. Attackers bank on human nature and if we use the same credentials on multiple sites there is a high possibility that the criminals could gain access to other sites if they compromise just one.

I’m usually one to eschew the practice of New Year’s resolutions but I’ll make an exception. Keep a keen sense about yourselves whenever you receive an email or SMS that you were not expecting. If a deal is too good to be true then, well, it most likely is a scam. If you’re in doubt, try to look up the phone number, email address, person or “organization” offering the “deal.” More often than not, you’ll find lots of people reporting that it’s a scam.

Rather than being visited by the three ghosts of holiday scams, make sure you and your loved ones are prepared for a happy holiday and a prosperous New Year.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities

By Ravie Lakshmanan
Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects. The Go-based tool, powered by the Open Source Vulnerabilities (OSV) database, is designed to connect "a project's list of dependencies with the vulnerabilities that affect them," Google software engineer Rex Pan in a post shared

A PayPal Email Scam Is Making the Rounds: Here’s How to Identify and Avoid It

By McAfee

Payment applications make splitting restaurant bills, taxi fares, and household expenses so much easier. Without having to tally totals at the table or fumble with crumpled bills, you and your companions can spend less stress and more time on the fun at hand. 

There are various payment apps available, and the company that may first come to mind is PayPal. PayPal is regarded as a safe platform where security and strong encryption are a priority; however, a recent and advanced phishing scam is putting PayPal users at risk of giving up large sums of money and their personally identifiable information (PII).1 

Let’s look at this “triple-pronged” PayPal phishing scam and review some tips to help you identify and proceed should you encounter it. 

1. The Email

The typical part of this three-sided scam is the phishing email component. According to one source, the phishing email comes from a legitimate-looking PayPal service email address. Luckily, the typos, odd punctuation, extra spaces, and grammar errors in the body of the email give away that it is a phishing attempt. Remember, phishing emails are often worded poorly or have errors. Large companies, especially ones like PayPal, have teams of content experts vetting all automated messages for such mistakes, so several mistakes in an email should set off your alarm bells. Proceed with caution and do not click on any links in the message. 

The email also included wording that encouraged the user to act quickly or be charged a lot of money. That’s another trademark of phishing emails: urgency. Take a deep breath and make sure to reread carefully all emails that “require” a quick response. Don’t be scared by dire consequences. Phishers rely on people to rush and not give themselves time to listen to their better judgement. 

2. The ‘One-ring’ Phone Scam

The PayPal phishing email included a support phone number that claimed it was toll free. In actuality, it was an international phone number. So, if the recipient of the phishing email didn’t quite believe the message but wanted to follow up, the scam could catch them with what’s called a one-ring phone scam.2 This occurs when someone unknowingly calls an international phone number and then gets charged by their phone company for the long-distance call. 

The best way to avoid one-ring phone scams is to never call a number you don’t recognize. Always go to an organization’s official website to find their contact information. 

3. The Fake Fraud Hotline

The third dimension of this PayPal scam was the international phone number in the phishing email connected the caller directly with the scammer who posed as the PayPal fraud department. The “customer service representative” then asked prying personal and financial questions to glean enough PII to break into a PayPal account or compromise the caller’s identity. This is the most damaging part of the scam. An excellent customer support team may be able to reimburse you your lost money; however, once your personal details are in nefarious hands, you can’t take them back. 

In addition to never calling numbers you haven’t verified, never give out passwords and never give out more personal information than you need to. Even in legitimate customer service calls, it’s not rude to ask why the representative requires the information they’re asking for. In a fake call, questions like that may fluster the scammer, so keep an ear tuned to their tone. 

For Peace of Mind, Partner With McAfee

Overall, our best advice for handling suspicious emails is to delete them. If it’s truly important, the sender will contact you again. And if a thief somehow stole money from one of your payment apps, the customer service team should be able to walk you through the steps to recover it. 

The transfer and handling of large sums of money would make anyone nervous. To give you peace of mind, consider partnering with a service that can help you recover should you ever fall for a scheme and compromise your PII. McAfee+ Ultimate helps you live your best life in private, and the service includes credit monitoring with all three credit bureaus, security freeze, and expert online support to help you navigate any scams you encounter. 

Having McAfee+ can protect you from email phishing scams like this. Here are some of the top agencies to report this scam to, if it happens to you: Paypal Fraud Department,  Federal Trade Commision , Cybersecurity & Infrastructure Security Agency IC3 

“Report it. Forward phishing emails to (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies). Let the company or person that was impersonated know about the phishing scheme.” – 

1ZDNET, “Watch out for this triple-pronged PayPal phishing and fraud scam.” 

2Federal Communications Commission, “‘One Ring’ Phone Scam.” 

The post A PayPal Email Scam Is Making the Rounds: Here’s How to Identify and Avoid It appeared first on McAfee Blog.

Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant

By Ravie Lakshmanan
Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks, which took place during 2020 and 2021 and likely went as far back as 2015, involved a revamped variant of a malware called Janicab that leverages a number of public services like WordPress

BeReal – The Newest Kid On The Social Media Block

By Alex Merton-McCann

Without doubt, the biggest criticism we all have of social media is that everyone always looks fabulous! And while we all know that everyone is only sharing the best version of themselves, let’s be honest – it can be a little wearing. Well, there’s a new social media platform that is determined to uproot our online curated lives by having users post very real pictures of themselves – with no time to stage or add filters! 

Developed in France in 2020, BeReal is where Aussie teenagers are currently spending their time and energy online. And to be honest, I can totally see why. It’s all about sharing random, authentic pics without having to spend time and energy making them look beautiful. In fact, my 19-year-old tells me that the uglier and weirder the photo, the better! How refreshing!!! 

How Does It Work? 

Once you’ve signed up, the app will send all users a notification at a random time throughout the day that it’s ‘time to BeReal’. As soon as the user opens the app to share a pic, they have just 2 minutes to take a picture of whatever they’re doing at that particular moment whether they’re on the bus, at the gym or chilling at home in trackies. The app will take 2 pictures using the front and back cameras so that your followers can see what you look like and where you are. 

Now, if you don’t manage to post in 2 minutes, you’re officially late and your friends will know. In fact, there’s a small amount of shame for being tardy – as if on some level you’re not committed to being authentic. But don’t let this worry you too much – we can’t wait around all day awaiting the notification to post! 

When you have uploaded your daily snap, your friends can comment, respond to your pic with ‘RealMojis’ and even see where you are in the world with the map feature. Users can also choose to upload their pics to the public feed where other users can leave “RealMoji’ reactions but no comments. But in order to access either the public feed or your friends’ photos, users will need to take their own picture too. 

Now for my favourite parts of this app – this app has NO filters, NO option to ‘like’ anything, NO follower counts and NO private messaging!! How liberating!!  

Is It Safe? 

Like all social media platforms, there are a few risks however with a bit of strategy and a few smarts, users should be able to have a safe and positive experience. And when compared to platforms where follower counts and likes are public, influencers dominate and comments are allowed, BeReal is definitely a great choice.  

Here are my top tips to keep the experience safe and positive: 

1. Disable Your Location To Avoid Being ‘Discoverable’ 

Before you share your pics, ensure you disable your location to avoid the app sharing your exact location on the map. You don’t want an ill-intentioned follower knowing your exact whereabouts! 

2. Think (Quickly) Before You Post 

The very brief 2-minute posting window may result in rushed decisions about what to post and potentially oversharing of personal information. So, ensure you (and your kids) know not to share anything that can identify their location, any identifiable numbers such as passports or licences or, their computer screens that may display confidential information.  

3. Don’t Feel Pressures to Post If You Can’t  

Accept that there will be times when you just can’t post within the 2-minute time frame.  You may be driving, sleeping or doing something far more important. You can absolutely still post late. 

4. Know How To Report Bad Behaviour 

If you see a post that is inappropriate, then report it immediately. It’s an investment in keeping the BeReal community as safe as possible. Simply tap the three dots at the top right of the post. A report button should appear. You will then have the option to flag the post as undesirable or inappropriate. 

5. Be Aware of the Comparison Trap!  

Like all social media platforms, users may compare their posts with others. They may think their lives are boring and predictable, particularly if their friends are doing more exciting things. If a young person is prone to anxiety or low mood, this may not be helpful. As a parent, reminding your kids that perception is not reality, and that one photo does not define a person may be required. But if it all gets too much, a digital detox might be just the thing!  

So, if your kids have embraced BeReal then your homework is pretty easy – join up too! It’s impossible to understand your kids’ online world if you don’t take some time to step inside it. And for what it’s worth – I think you’ll really like this one. The fact that there is no public like count, follower tally, filters or private messaging makes the Mama Bear in me very happy!! 

The post BeReal – The Newest Kid On The Social Media Block appeared first on McAfee Blog.

‘Tis the Season for Holiday Scams

By McAfee

This time of year, the air not only gets chillier but a bit cheerier for everyone … including online scammers. Holiday scams are a quick way to make a buck, and cybercriminals employ several holiday-themed schemes to weasel money and personally identifiable information (PII) from gift givers. 

Here are three common holiday scams to watch out for this year, plus a few tips to help you stay safe online. 

1. Gift Card Cracking

Gift cards are a standby present for the people on your list who are difficult to buy for or for people you don’t know too well but want to get them a small something. Whether the gift card is worth $5 or $500, an online scammer can steal the entire value through two techniques: a brute force attack or phishing. Known as gift card cracking, cybercriminals can take wild guesses at gift card codes and cash in the value for themselves by methodically guessing strings of numbers and letters and crossing their fingers for a match. Cybercriminals will also employ phishing emails, texts or social media direct messages to trick people into divulging gift card information. 

To avoid gift card cracking, encourage gift receivers to redeem their gift card quickly to shorten the amount of time a scammer has to guess the code correctly. Or, you could opt for a paper gift certificate from a small business that doesn’t require online redeeming at all. To avoid gift card phishing scams, do not engage with any type of correspondence that claims they can double the value of your gift card or claims that there’s a problem with it. Be instantly on alert if anyone asks for the activation code. If the gift card-issuing business really needs to replace your purchase, they’ll issue you a new code. They’ll never ask for your existing one. 

2. Last-minute Shopping Scams

Are you a procrastinator? Watch out for last-minute shopping scams that are targeted at people who leave their gift buying until deep in December. As with anything else, if it’s too good to be true, it probably is. Shopping scams often take the form of phishing emails where criminals impersonate a well-known merchant or shipping company.  

While sales often have a quick timeline, don’t let that short timeline pressure you into making an impulsive decision. Phishers rely on people’s excitement or inattention to trick them into giving up their credit card or banking information. Phishing emails, when you take the time to inspect them, are usually easy to spot. The logos are often blurry, there are often typos and grammar mistakes, and the tone of the message will seem “off.” Either it will sound very formal and impersonalized or it will sound very informal and seem pushy. 

To protect your finances during the holiday season, consider putting a lock on your credit. This is easy to do with McAfee credit lock. You can still use your credit card and shop as you normally would. A credit lock is useful because, in case a criminal gets ahold of your PII, they won’t be able to open lines of credit in your name. This protects your credit score, which is essential to keep in good standing if you hope to buy a house or take out a loan anytime soon. 

3. Social Media Ads and Fake Shopping Sites

Just because a “company” has an ad on Facebook or Instagram doesn’t mean that it’s a legitimate establishment. Before buying from an online store you’ve never heard of, do some background research on it and read customer reviews to make sure that it’s real and will deliver you a quality product.  

Take note of the online store’s URL before entering it. (You can preview the link by hovering over it with your cursor.) If the URL is a string of letters and numbers, it could be a malware site in disguise. One way to alert you to suspicious sites is McAfee Web Protection. Web Protection color codes links to identify potential malware and phishing sites and alert you to steer clear. 

Shop Safely This Holiday Season 

Your mind is already drawn in a bunch of different directions this holiday season (cooking, traveling, shopping, wrapping, tidying) so give yourself a respite from worrying about the safety of your identity and finances. McAfee+ Ultimate includes a VPN, Web Protection, credit lock, antivirus and more to cover all your bases to keep your devices and your PII safe. 

The post ‘Tis the Season for Holiday Scams appeared first on McAfee Blog.

Unwrapping Some of the Holiday Season’s Biggest Scams

By McAfee

Even with the holidays in full swing, scammers won’t let up. In fact, it’s high time for some of their nastiest cons as people travel, donate to charities, and simply try to enjoy their time with friends and family. 

Unfortunate as it is, scammers see this time of year as a tremendous opportunity to profit. While people focus giving to others, they focus on taking, propping up all manner of scams that use the holidays as a disguise. So as people move quickly about their day, perhaps with a touch of holiday stress in the mix, they hope to catch people off their guard with scams that wrap themselves in holiday trappings. 

Yet once you know what to look for, they’re relatively easy to spot. The same scams roll out every year, sometimes changing in appearance yet remaining the same in substance. With a sharp eye, you can steer clear of them. 

Watch out for these online scams this holiday season 

1. Shopping scams 

With Black Friday and Cyber Monday in the books, we can look forward to what’s next—a wave of post-holiday sales events that will likewise draw in millions of online shoppers. And just like those other big shopping days, bad actors will roll out a host of scams aimed at unsuspecting shoppers. Shopping scams take on several forms, which makes this a topic unto itself, one that we cover thoroughly in our Black Friday & Cyber Monday shopping scams blog. It’s worth a read if you haven’t done so already, as digs into the details of these scams and shows how you can avoid them.  

However, the high-level advice for avoiding shopping scams is this: keep your eyes open. Deals that look too good to be true likely are, and shopping with retailers you haven’t heard of before requires a little bit of research to determine if their track record is clean. In the U.S., you can turn to the Better Business Bureau (BBB) for help with a listing of retailers you can search simply by typing in their names. You can also use to look up the web address of the shopping site you want to research. There you can see its history and see when it was registered. A site that was registered only recently may be far less reputable than one that’s been registered for some time. 

2. Tech support scams  

Plenty of new tech makes its way into our homes during the holiday season. And some of that tech can be a little challenging to set up. Be careful when you search for help online. Many scammers will establish phony tech support sites that aim to steal funds and credit card information. Go directly to the product manufacturer for help. Often, manufacturers will offer free support as part of the product warranty, so if you see a site advertising support for a fee, that could be a sign of a scam. 

Likewise, scammers will reach out to you themselves. Whether through links from unsolicited emails, pop-up ads from risky sites, or by spammy phone calls, these scammers will pose as tech support from reputable brands. From there, they’ll falsely inform you that there’s something urgently wrong with your device and that you need to get it fixed right now—for a fee. Ignore these messages and don’t click on any links or attachments. Again, if you have concerns about your device, contact the manufacturer directly. 

3. Travel scams 

With the holidays comes travel, along with all the online booking and ticketing involved. Scammers will do their part to cash in here as well. Travel scams may include bogus emails that pose as reputable travel sites telling you something’s wrong with your booking. Clicking a link takes you to a similarly bogus site that asks for your credit card information to update the booking—which then passes it along to the scammer so they can rack up charges in your name. Other travel scams involve ads for cut-rate lodging, tours, airfare, and the like, all of which are served up on a phony website that only exists to steal credit card numbers and other personal information. 

Some of these scams can look quite genuine, even though they’re not. They’ll use cleverly disguised web addresses that look legitimate, but aren’t, so don’t click any links. If you receive notice about an issue with your holiday travel, contact the company directly to follow up. Also, be wary of ads with unusually deep discounts or that promise availability in an otherwise busy season or time. These could be scams, so stick with reputable booking sites or with the websites maintained by hotels and travel providers themselves. 

4. Fake charity scams 

Donations to an organization or cause that’s close to someone’s heart make for a great holiday gift, just as they offer you a way to give back during the holiday season. And you guessed it, scammers will take advantage of this too. They’ll set up phony charities and apply tactics that pressure you into giving. As with so many scams out there, any time an email, text, direct message, or site urges you into immediate action—take pause. Research the charity. See how long they’ve been in operation, how they put their funds to work, and who truly benefits from them.  

Likewise, note that there some charities pass along more money to their beneficiaries than others. As a general rule of thumb, most reputable organizations only keep 25% or less of their funds for operations, while some less-than-reputable organizations keep up to 95% of funds, leaving only 5% for advancing the cause they advocate. In the U.S., the Federal Trade Commission (FTC) has a site full of resources so that you can make your donation truly count. Resources like Charity Watch and Charity Navigator, along with the BBB’s Wise Giving Alliance can also help you identify the best charities. 

5. Online betting scams 

The holidays also mean a flight of big-time sporting events, and with the advent of online betting in many regions scammers want to cash in. This scam works quite like shopping scams, where bad actors will set up online betting sites that look legitimate. They’ll take your bet, but if you win, they won’t pay out. Per the U.S. Better Business Bureau (BBB), the scam plays out like this: 

“You place a bet, and, at first, everything seems normal. But as soon as you try to cash out your winnings, you find you can’t withdraw a cent. Scammers will make up various excuses. For example, they may claim technical issues or insist on additional identity verification. In other cases, they may require you to deposit even more money before you can withdraw your winnings. Whatever you do, you’ll never be able to get your money off the site. And any personal information you shared is now in the hands of scam artists.” 

You can avoid these sites rather easily. Stick with the online betting sites that are approved by your regional gambling commission. Even so, be sure to read the fine print on any promo offers that these sites advertise because even legitimate betting sites can freeze accounts and the funds associated with them based on their terms and conditions. 

Further protection from scams 

A complete suite of online protection software, such as McAfee+ Ultimate can offer layers of extra security. In addition to more private and secure time online with a VPN, identity monitoring, and password management, it includes web browser protection that can block malicious and suspicious links that could lead you down the road to malware or a phishing scam—which antivirus protection can’t do alone. Additionally, we offer $1M identity theft coverage and support from a recovery pro, just in case. 

And because scammers use personal information such as email addresses and cell phone numbers to wage their attacks, other features like our  Personal Data Cleanup service can scan high-risk data broker sites for your personal information and then help you remove it, which can help reduce spam, phishing attacks, and deny bad actors the information they need to commit identity theft. 

Scammers love a good thing—and will twist it for their own benefit. 

That’s why they enjoy the holidays so much. With all our giving, travel, and charity in play, it’s prime time for their scams. Yet a little insight into their cons, along with some knowledge as to how they play out, you can avoid them.  

Remember that they’re playing into the hustle and bustle of the season and that they’re counting on you to lower your guard more than you might during other times of the year. Keep an eye open for the signs, do a little research when it’s called for, and stick with reputable stores, charities, and online services. With a thoughtful pause and a second look, you can spare yourself the grief of a scam and fully enjoy your holidays. 

The post Unwrapping Some of the Holiday Season’s Biggest Scams appeared first on McAfee Blog.

3 New Vulnerabilities Affect OT Products from German Companies Festo and CODESYS

By Ravie Lakshmanan
Researchers have disclosed details of three new security vulnerabilities affecting operational technology (OT) products from CODESYS and Festo that could lead to source code tampering and denial-of-service (DoS). The vulnerabilities, reported by Forescout Vedere Labs, are the latest in a long list of flaws collectively tracked under the name OT:ICEFALL. "These issues exemplify either an

What Are Tailgating Attacks and How to Protect Yourself From Them

By McAfee

Whether you’re spending time on the web or working in the office, you want peace of mind knowing that you are in a safe environment. While most of us know to take precautions when online — protecting ourselves from things like phishing attacks and other cyber threats — we should also attend to our physical security. 

One concern is tailgating — a social engineering attack where someone gets physical access to a business to take confidential information or do other harm. 

Here are some ways to protect yourself from tailgating attacks, such as an unauthorized person following you into a restricted area while on the job. 

What is a tailgating attack?

Tailgating is a type of social engineering attack where an unauthorized person gains physical access to an off-limits location — perhaps a password-protected area — where they might steal sensitive information, damage property, compromise user credentials or even install malware on computers. 

Piggybacking” is closely related to tailgating, but it involves consent from the duped employee. So, while a worker might be unaware that someone has tailgated them into a restricted area with piggybacking, the hacker might convince a worker to provide access because they are posing as, say, a delivery driver. 

Who’s at risk of tailgating attacks?

Companies, particularly at risk of being targeted by tailgating scams, include those: 

  • With many employees, often moving inside and out of the premises 
  • With multiple entrance points into a building 
  • That receive deliveries of food, packages, documents, and other things regularly 
  • That have many subcontractors working for them 
  • Where employees aren’t thoroughly trained in physical and cybersecurity protocols 

Generally speaking, companies with robust security systems in place — including using biometrics, badges, or other identity and information security measures — are better protected from tailgating and piggybacking attacks.  

But that’s not to say that some smooth-talking fraudster can’t talk someone into letting them in or finding some way around those protections. 

What are common tailgating methods?

Common types of tailgating attacks that you should be aware of on the job include:  

  • Someone walking behind you into a secure area, depending on your common courtesy to keep the door open for them 
  • A courier or delivery driver who aren’t what they seem 
  • Someone with their hands full of items to trick you into opening the door for them 
  • A person who claims they’ve lost their work ID or forgotten it at home, so that you grant them admittance 

How to protect yourself from tailgating attacks 

Protecting yourself from tailgating attacks is partly a matter of learning about the issue, raising your level of awareness on the job, and depending on your employer, putting in place more effective security systems.  

Some solutions include: 

Increased security training

Many companies know how to train employees to recognize, avoid, and cope with online security issues but may forget to provide the same diligence to physical security. How to spot and deal with threats should be part of this training, plus cultivating an awareness of surroundings and people who might be out of place.   

Management should offer a clearly stated security policy taught to everyone, which might insist that no one be allowed into a secure area without the proper pass or identification. As the security policy is updated, all employees should be aware of changes and additions. 

These security measures should be part of an overall protection program, like McAfee+, which includes antivirus software, a firewall, identity monitoring, password management, web protection, and more. 

Smart badges and cards

If you have a large business spread over several floors, it can be hard for employees to know who works there and who doesn’t, leaving them susceptible to tailgating and piggybacking attacks. Requiring smart badges and cards to access restricted areas can help cut back on unauthorized intrusions and provide better access control. 

Building fully staffed reception areas with dedicated security personnel could also be part of a larger security system. 

Biometric scanners

Biometric scanners are an even more advanced way to provide proper authentication for a worker’s identity. They scan a unique physical or audible feature of a person and compare it to a database for approved personnel.  

Examples of biometric security include: 

  • Voice recognition 
  • Iris recognition 
  • Fingerprint scans 
  • Facial recognition 
  • Heart-rate sensors 

Understanding social engineering

One reason people are vulnerable to physical and cyberattacks is that they lack education on social engineering and the kinds of threats it poses.  

Workers need to understand the full range of social engineering techniques and know-how to protect themselves, whether in their social media accounts or physical work environment.  

For their part, companies can use simulated phishing emails and tailgating attacks to raise awareness and underline how to follow protocols in dealing with them. 

Video surveillance

If there are many ways to enter a business, it may make sense to put video surveillance on all entrances. Advanced video surveillance systems can use artificial intelligence (AI) and video analytics to scan the faces of people entering and compare them to a database of employee features. 

Discover how McAfee can help keep devices secure from hacking

Whether at work or at home, people want to be secure from attacks by cybercriminals who seek to take personal information. 

To add a layer of security to all their connected devices — including computers, smartphones, and tablets — an increasing number of people are turning to the comprehensive coverage of McAfee+ 

Features range from advanced monitoring of possible threats to your identity, automatic implementation of virtual private networks (VPNs) to deal with unsafe networks, and personal data clean-up, removing your information from high-risk data broker sites. 

McAfee protection allows you to work and play online with greater peace of mind. 

The post What Are Tailgating Attacks and How to Protect Yourself From Them appeared first on McAfee Blog.

10 tips to avoid Black Friday and Cyber Monday scams

By André Lameiras

It pays not to let your guard down during the shopping bonanza – watch out for some of the most common scams doing the rounds this holiday shopping season

The post 10 tips to avoid Black Friday and Cyber Monday scams appeared first on WeLiveSecurity

Multimillion dollar CryptoRom scam sites seized, suspects arrested in US

By Paul Ducklin
Five tips to keep yourself, and your friends and family, out of the clutches of "chopping block" scammers...


Ducktail Malware Operation Evolves with New Malicious Capabilities

By Ravie Lakshmanan
The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem

How to Tell Whether a Website Is Safe or Unsafe

By McAfee

It’s important to know that not all websites are safe to visit. In fact, some sites may contain malicious software (malware) that can harm your computer or steal your personal contact information or credit card numbers.  

Phishing is another common type of web-based attack where scammers try to trick you into giving them your personal information, and you can be susceptible to this if you visit a suspicious site.  

Identity theft is a serious problem, so it’s important to protect yourself when browsing the web. Online security threats can be a big issue for internet users, especially when visiting new websites or following site links. 

So how can you tell if you’re visiting a safe website or an unsafe website? You can use a few different methods. This page discusses key things to look for in a website so you can stay safe online. 

Key signs of website safety and security

When you’re visiting a website, a few key indicators can help determine whether the site is safe. This section explores how to check the URL for two specific signs of a secure website. 

”Https:” in the website URL

“Https” in a website URL indicates that the website is safe to visit. The “s” stands for “secure,” and it means that the website uses SSL (Secure Sockets Layer) encryption to protect your information. A verified SSL certificate tells your browser that the website is secure. This is especially important when shopping online or entering personal information into a website. 

When you see “https” in a URL, the site is using a protocol that encrypts information before it’s sent from your computer to the website’s server. This helps prevent anyone from intercepting and reading your sensitive information as it’s transmitted. 

A lock icon near your browser’s URL field

The padlock icon near your browser’s URL field is another indicator that a webpage is safe to visit. This icon usually appears in the address bar and means the site uses SSL encryption. Security tools and icon and warning appearances depend on the web browser. 

Let’s explore the cybersecurity tools on the three major web browsers: 

  • Safari. In the Safari browser on a Mac, you can simply look for the lock icon next to the website’s URL in the address bar. The lock icon will be either locked or unlocked, depending on whether the site uses SSL encryption. If it’s an unsafe website, Safari generates a red-text warning in the address bar saying “Not Secure” or “Website Not Secure” when trying to enter information in fields meant for personal data or credit card numbers. Safari may also generate an on-page security warning stating, “Your connection is not private” or “Your connection is not secure.” 
  • Google Chrome. In Google Chrome, you’ll see a gray lock icon (it was green in previous Chrome versions) on the left of the URL when you’re on a site with a verified SSL certificate. Chrome has additional indicator icons, such as a lowercase “i” with a circle around it. Click this icon to read pertinent information on the site’s cybersecurity. Google Safe Browsing uses security tools to alert you when visiting an unsafe website. A red caution symbol may appear to the left of the URL saying “Not secure.” You may also see an on-page security message saying the site is unsafe due to phishing or malware. 
  • Firefox. Like Chrome, Mozilla’s Firefox browser will tag all sites without encryption with a distinctive marker. A padlock with a warning triangle indicates that the website is only partially encrypted and may not prevent cybercriminals from eavesdropping. A padlock with a red strike over it indicates an unsafe website. If you click on a field on the website, it’ll prompt you with a text warning stating, “This connection is not secure.” 

In-depth ways to check a website’s safety and security

Overall, the ”https” and the locked padlock icon are good signs that your personal data will be safe when you enter it on a website. But you can ensure a website’s security is up to par in other ways. This section will explore five in-depth methods for checking website safety. 

Use McAfee WebAdvisor

McAfee WebAdvisor is a free toolbar that helps keep you safe online. It works with your existing antivirus software to provide an extra layer of protection against online threats. WebAdvisor also blocks unsafe websites and lets you know if a site is known for phishing or other malicious activity. In addition, it can help you avoid online scams and prevent you from accidentally downloading malware. Overall, McAfee WebAdvisor is a useful tool that can help you stay safe while browsing the web. 

Website trust seals

When you’re browsing the web, it’s important to be able to trust the websites you’re visiting. One way to determine if a website is trustworthy is to look for trust seals. Trust seals are logos or badges that indicate a website is safe and secure. They usually appear on the homepage or checkout page of a website. 

There are many types of trust seals, but some of the most common include the Better Business Bureau (BBB) seal, VeriSign secure seal, and the McAfee secure seal. These seals indicate that a third-party organization has verified the website as safe and secure. 

While trust seals can help determine whether a website is trustworthy, it’s important to remember that they are not foolproof. Website owners can create a fake trust seal, so it’s always important to do your own research to ensure a website is safe before entering personal information. 

Check for a privacy policy

Another way to determine if a website is safe to visit is to check for a privacy policy. A privacy policy is a document that outlines how a website collects and uses personal information. It should also state how the site protects your data from being accessed or shared by scammers, hackers, or other unauthorized individuals. 

If a website doesn’t have a privacy policy, that’s a red flag that you shouldn’t enter any personal information on the site. Even if a website does have a privacy policy, it’s important to read it carefully so you understand how the site uses your personal data. 

Check third-party reviews

It’s important to do some preliminary research before visiting a new website, especially if you’re shopping online or entering personal data like your address, credit card, or phone number. One way to determine if a website is safe and trustworthy is to check third-party reviews. Several websites provide reviews of other websites, so you should be able to find several reviews for any given site.  

Trustpilot is one example of a website that provides reviews of other websites. 

Look for common themes when reading reviews. If most of the reviews mention that a website is safe and easy to use, it’s likely that the site is indeed safe to visit. However, if a lot of negative reviews mention problems with viruses or malware, you might want to avoid the site. 

Look over the website design

You can also analyze the website design when deciding whether a website is safe to visit. Look for spelling errors, grammatical mistakes, and anything that appears off. If a website looks like it was made in a hurry or doesn’t seem to be well-designed, that’s usually a red flag that the site might not be safe. 

Be especially careful of websites that have a lot of pop-ups. These sites are often spammy or contain malware. Don’t download anything from a website unless you’re absolutely sure it’s safe. These malicious websites rarely show up on the top of search engine results, so consider using a search engine to find what you’re looking for rather than a link that redirects you to an unknown website. 

Download McAfee WebAdvisor for free and stay safe while browsing

If you’re unsure whether a website is safe to visit, download McAfee WebAdvisor for free. McAfee WebAdvisor is a program that helps protect you from online threats, such as malware and viruses. It also blocks pop-ups and other intrusive ads so you can browse the web without worry. Plus, it’s completely free to download and use. 

Download McAfee WebAdvisor now and stay safe while browsing the web. 

The post How to Tell Whether a Website Is Safe or Unsafe appeared first on McAfee Blog.

Watch Out for These 3 World Cup Scams

By McAfee

What color jersey will you be sporting this November and December? The World Cup is on its way to television screens around the world, and scores of fans are dreaming of cheering on their team at stadiums throughout Qatar. Meanwhile, cybercriminals are dreaming of stealing the personally identifiable information (PII) of fans seeking last-minute vacation and ticket deals. 

Don’t let the threat of phishers and online scammers dampen your team spirit this World Cup tournament. Here are three common schemes cybercriminals will likely employ and a few tips to help you dribble around their clumsy offense and protect your identity, financial information, and digital privacy. 

1. Fake Contests

Phishers will be out in full force attempting to capitalize on World Cup fever. People wrapped up in the excitement may jump on offers that any other time of the year they would treat with skepticism. For example, in years past, fake contests and travel deals inundated email inboxes across the world. Some companies do indeed run legitimate giveaways, and cybercriminals slip in their phishing attempts among them. 

If you receive an email or text saying that you’re the winner of a ticket giveaway, think back: Did you even enter a contest? If not, treat any “winner” notification with skepticism. It’s very rare for a company to automatically enter people into a drawing. Usually, companies want you to act – subscribe to a newsletter or engage with a social media post, for example – in exchange for your entry into their contest. Also, beware of emails that urge you to respond within a few hours to “claim your prize.” While it’s true that real contest winners must reply promptly, organized companies will likely give you at least a day if not longer to acknowledge receipt. 

2. Travel Scams

Traveling is rarely an inexpensive endeavor. Flights, hotels, rental cars, dining costs, and tourist attraction admission fees add up quickly. In the case of this year’s host country, Qatar, there’s an additional cost for American travelers: visas.  

If you see package travel deals to the World Cup that seem too good to pass up … pass them up. Fake ads for ultra-cheap flights, hotels, and tickets may appear not only in your email inbox but also on your social media feed. Just because it’s an ad doesn’t mean it comes from a legitimate company. Legitimate travel companies will likely have professional-looking websites with clear graphics and clean website copy. Search for the name of the organization online and see what other people have to say about the company. If no search results appear or the website looks sloppy, proceed with caution or do not approach at all. 

Regarding visas, be wary of anyone offering to help you apply for a visa. There are plenty of government-run websites that’ll walk you through the process, which isn’t difficult as long as you leave enough time for processing. Do not send your physical passport to anyone who is not a confirmed government official. 

3. Malicious Streaming Sites

Even fans who’ve given up on watching World Cup matches in person aren’t out of the path of scams. Sites claiming to have crystal clear streams of every game could be malware spreaders in disguise. Malware and ransomware targeting home computers often lurk on sketchy sites. All it takes is a click on one bad link to let a cybercriminal or a virus into your device.  

Your safest route to good-quality live game streams is through the official sites of your local broadcasting company or the official World Cup site. You may have to pay a fee, but in the grand scheme of things, that fee could be a lot less expensive than replacing or repairing an infected device. 

Shore Up Your Defense With McAfee+ 

Here’s an excellent rule to follow with any electronic correspondence: Never send anyone your passwords, routing and account number, passport information, or Social Security Number. A legitimate organization will never ask for your password, and it’s best to communicate any sensitive financial or identifiable information over the phone, not email or text as they can easily fall into the wrong hands. Also, do not wire large sums of money to someone you just met online. 

Don’t let scams ruin your enjoyment of this year’s World Cup! With these tips, you should be able to avoid the most common schemes but to boost your confidence in your online presence, consider signing up for McAfee+. Think of McAfee+ as the ultimate goalkeeper who’ll block any cybercriminals looking to score on you. With identity monitoring, credit lock, unlimited VPN and antivirus, and more, you can surf safely and with peace of mind.  

The post Watch Out for These 3 World Cup Scams appeared first on McAfee Blog.

U.S. Authorities Seize Domains Used in 'Pig butchering' Cryptocurrency Scams

By Ravie Lakshmanan
The U.S. Justice Department (DoJ) on Monday announced the takedown of seven domain names in connection to a "pig butchering" cryptocurrency scam. The fraudulent scheme, which operated from May to August 2022, netted the actors over $10 million from five victims, the DoJ said. Pig butchering, also called Sha Zhu Pan, is a type of scam in which swindlers lure unsuspecting investors into sending

How social media scammers buy time to steal your 2FA codes

By Paul Ducklin
The warning is hosted on a real Facebook page; the phishing uses HTTPS via a real Google server... but the content is all fake


Black Friday and retail season – watch out for PayPal “money request” scams

By Paul Ducklin
Don't let a keen eye for bargains lead you into risky online behaviour...

Malicious Google Play Store App Spotted Distributing Xenomorph Banking Trojan

By Ravie Lakshmanan
Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware. "Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi said in an analysis published Thursday.

FIFA World Cup 2022 scams: Beware of fake lotteries, ticket fraud and other cons

By Juan Manuel Harán

When in doubt, kick it out, plus other tips for hardening your cyber-defenses against World Cup-themed phishing and other scams

The post FIFA World Cup 2022 scams: Beware of fake lotteries, ticket fraud and other cons appeared first on WeLiveSecurity

What Is Smishing and Vishing, and How Do You Protect Yourself?

By McAfee

Smishing and vishing are scams where criminals attempt to get users to click a fraudulent link through a phone text message, email, or voicemail. These scams are becoming increasingly popular as cybercriminals try to take advantage of people who are more likely to fall for them, such as those who aren’t as familiar with technology or who may be experiencing a crisis. 

Be aware that cybercrime and hacking can happen to anyone. Criminals are always looking for new ways to exploit people, and they know that others may not be cautious or recognize the warning signs of phishing scams when using the internet. That’s why it’s important to be aware of the different types of cybercrime and how to protect yourself. 

This article discusses how to protect yourself from smishing attempts and scams where criminals try to get you to click on a fraudulent link or respond to their voicemail message to steal your personal data. 

What is smishing?

Most people are familiar with phishing scams, where scammers try to trick you into giving them your personal or financial information by pretending to be a legitimate company or organization. But have you ever heard of smishing or vishing? 

Smishing is a type of phishing scam where attackers send SMS messages (or text messages) to trick victims into sharing personal information or installing malware on their devices. Vishing is almost identical to smishing, except cybercriminals use VoIP (Voice over IP) to place phone calls to trick victims instead of SMS (short message service) messages. 

Smishing messages often appear to be from a legitimate source, such as a well-known company or government agency. It may even include urgent language or threats in an effort to get victims to act quickly. In some cases, the message may also include a link that directs victims to a fake website where they are prompted to enter personal information or download malware. 

Examples of a smishing text message

Here are some examples of smishing text messages hackers use to steal your personal details: 

  • “We have detected unusual activity on your account. Please call this number to speak to a customer service representative.” 
  • “You have won a free gift card! Click here to claim your prize.” 
  • “Hi! We noticed that you’re a recent customer of ours. To finish setting up your account, please click this link and enter your personal information.” 
  • “Urgent! Your bank account has been compromised. Please click this link to reset your password and prevent any further fraud.” 
  • “Hey, it’s [person you know]! I’m in a bit of a bind and could really use your help. I sent you a link to my PayPal, could you send me some money?” 

How dangerous can smishing be?

If you fall for a smishing scam, you could end up giving away your personal information or money. Cybercriminals use smishing messages to get personal and financial information, like your credit card number or access to your financial services 

For example, one type of smishing scam is when you get a text message that looks like it’s from your bank. The message might say there’s been suspicious activity on your account and that you need to click on a link to verify your identity. If you do click on the link, you’ll be taken to a fake website where you’ll be asked to enter your banking information. Once the scammers have your login information, they have access to clean out your account. 

How can you protect yourself from smishing?

Smishing scams can be very difficult to spot, but there are some telltale signs to look for and steps to take to protect yourself. 

Recognize the signs of a smishing text

One of the easiest ways to protect yourself from smishing scams is to be able to recognize the signs of a smishing text message. Here are some tips: 

  • Be suspicious of any text messages that ask for personal information or include a link. 
  • Look closely at the sender’s name and number. Fraudulent messages often come from spoofed numbers that may look similar to a legitimate number but with one or two digits off. 
  • Look for errors in spelling or grammar. This can be another sign that the message is not legitimate. 
  • Beware of any text messages that create a sense of urgency or are threatening in nature. Scammers often use these tactics to get you to act quickly without thinking. 
  • If you’re not expecting a message from the sender, be extra cautious. 
  • If you’re unsure whether a text message is legitimate, call the company or organization directly to verify. 

Filter unknown text messages

While you can’t avoid smishing attacks altogether, you can block spam text messages you receive on your mobile phone. iPhone and Android have cybersecurity tools like spam filters and phone number blocking to help protect you from phishing attacks and malicious links. 

To set up spam filters on your iPhone: 

  1. Go to the Settings App 
  2. Go to Messages 
  3. Find the Filter Unknown Senders option and turn it on 

To set up spam filters on your Android mobile device: 

  1. Go to the Messaging App 
  2. Choose Settings 
  3. Tap Spam Protection and turn on Enable Spam Protection 

Use McAfee Mobile Security 

McAfee Mobile Security is a mobile security app that helps protect your phone from malware, phishing attacks, and other online threats. McAfee Mobile Security is available for Android and iOS cell phones. 

One of the benefits of using McAfee Mobile Security is that it can help detect and block smishing attacks. With identity monitoring, McAfee Mobile Security monitors your sensitive information like email accounts, credit card numbers, phone numbers, Social Security numbers, and more to protect against identity theft. They notify you if they find any security breaches. 

Other benefits include: 

  • Antivirus 
  • Secure VPN for privacy online 
  • Identity monitoring for up to 10 emails 
  • Guard your identity against risky Wi-Fi connections 
  • Safe browsing 
  • System Scan for the latest updates 

Keep your device and information secure with McAfee Mobile Security

These days, our lives are more intertwined with our mobile devices than ever. We use them to stay connected with our loved ones on social media, conduct our business, and even access our most personal, sensitive data. It’s no surprise that mobile cybersecurity is becoming increasingly important. 

McAfee Mobile Security is a comprehensive security solution that helps protect your device from viruses, malware, and other online threats. It also offers a variety of other features, like a secure VPN to protect your credit card numbers and other personal data 

Whether you’re browsing your favorite website, keeping up with friends on social media, or shopping online at Amazon, McAfee Mobile Security provides the peace of mind that comes from knowing your mobile device is safe and secure. 

So why wait? Don‘t let the smishers win. Get started today with McAfee Mobile Security and rest easy knowing your mobile device and sensitive information are protected. 

The post What Is Smishing and Vishing, and How Do You Protect Yourself? appeared first on McAfee Blog.

Don’t Get Caught Offsides with These World Cup Scams

By McAfee Labs

Authored by: Christy Crimmins and Oliver Devane

Football (or Soccer as we call it in the U.S.) is the most popular sport in the world, with over 3.5 billion fans across the globe. On November 20th, the men’s World Cup kicks off (pun intended) in Qatar. This event, a tournament played by 32 national teams every four years, determines the sport’s world champion. It will also be one of the most-watched sporting events of at least the last four years (since the previous World Cup). 

An event with this level of popularity and interest also attracts fraudsters and cyber criminals looking to capitalize on fans’ excitement. Here’s how to spot these scams and stay penalty-free during this year’s tournament. 

New Cup, who’s this? 

Phishing is a tool that cybercriminals have used for years now. Most of us are familiar with the telltale signs—misspelled words, poor grammar, and a sender email whose email address makes no sense or whose phone number is unknown. But excitement and anticipation can cloud our judgment. What football fan wouldn’t be tempted to win a free trip to see their home team participate in the ultimate tournament? Cybercriminals are betting that this excitement will cloud fans’ judgment, leading them to click on nefarious links that ultimately download malware or steal personal information. 

It’s important to realize that these messages can come via a variety of channels, including email, text messages, (also known as smishing) and other messaging channels like WhatsApp and Telegram. No matter what the source is, it’s essential to remain vigilant and pause to think before clicking links or giving out personal or banking information.  

For more information on phishing and how to spot a phisher, see McAfee’s “What is Phishing?” blog. 

Real money for fake tickets 

According to ActionFraud, the UK’s national reporting center for fraud and cybercrime, thousands of people were victims of ticket fraud in 2019—and that’s just in the UK. Ticket fraud is when someone advertises tickets for sale, usually through a website or message board, collects the payment and then disappears, without the buyer ever receiving the ticket.  


The World Cup is a prime (and lucrative) target for this type of scam, with fans willing to pay thousands of dollars to see their teams compete. Chances are most people have their tickets firmly in hand (or digital wallet) by now, but if you’re planning to try a last-minute trip, beware of this scam and make sure that you’re using a legitimate, reputable ticket broker. To be perfectly safe, stick with well-known ticket brokers and those who offer consumer protection. Also beware of sites that don’t accept debit or credit cards and only accept payment in the form of bitcoin or wire transfers such as the one on the fake ticket site below:  

The red box on the right image shows that the ticket site accepts payment via Bitcoin.  

Other red flags to look out for are websites that ask you to contact them to make payment and the only contact information is via WhatsApp. 

Streaming the matches 

Let’s be realistic—most of us are going to have to settle for watching the World Cup from the comfort of our own home, or the pub down the street. If you’re watching the tournament online, be sure that you’re using a legitimate streaming service. A quick Google of “FIFA World Cup 2022 Official Streaming” along with your country should get you the information you need to safely watch the event through official channels. The FIFA site itself is also a good source of information.  

Illegal streaming sites usually contain deceptive ads and malware which can cause harm to your device.  

Don’t get taken to the bank 

In countries or regions where sports betting is legal, the 2022 World Cup is expected to drive an increase in activity. There’s no shortage of things to bet on, from a simple win/loss to the exact minute a goal will be scored by a particular player. Everything is subject to wager.   

As with our previous examples, this increase in legitimate gambling brings with it an increase in deceptive activity. Online betting scams often start when users are directed to or search for gambling site and end up on a fraudulent one. After placing their bets and winning, users realize that while they may have “won” money, they are unable to withdraw it and are even sometimes asked to deposit even more money to make winnings available, and even then, they still won’t be. By the end of this process, the bettor has lost all their initial money (and then some, potentially) as well as any personal information they shared on the site.  

Like other scams, users should be wary of sites that look hastily put together or are riddled with errors. Your best bet (yes, again, pun intended) is to look for an established online service that is approved by your government or region’s gaming commission. Finally, reading the fine print on incentives or bonuses is always a good idea. If something sounds too good to be true, it’s best to double-check. 

For more on how you can bet online safely, and for details on how legalized online betting works in the U.S., check out our blog on the topic.  

Keep that Connection Secure 

Using a free public Wi-Fi connection is risky. User data on these networks is unprotected, which makes it vulnerable to cyber criminals. Whether you’re traveling to Qatar for a match or watching the them with friends at your favorite pub, if you’re connecting to a public Wi-Fi connection, make sure you use a trusted VPN connection. 

Give scammers a straight red card this World Cup 

For more information on scams, visit our scam education page. Hopefully, with these tips, you’ll be able to enjoy and participate in some of the World Cup festivities, after all, fun is the goal!  

The post Don’t Get Caught Offsides with These World Cup Scams appeared first on McAfee Blog.
