FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Incognito Darknet Market Mass-Extorts Buyers, Sellers

By BrianKrebs

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

An extortion message currently on the Incognito Market homepage.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

The “Payment Status” page set up by the Incognito Market extortionists.

We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.

New Incognito Market users are treated to an ad for $450 worth of heroin.

The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.

The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.

“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”

Thanks FedEx, This is Why we Keep Getting Phished

By Troy Hunt
Thanks FedEx, This is Why we Keep Getting Phished

I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. Just as a brief reminder, they look like this:

Thanks FedEx, This is Why we Keep Getting Phished
Thanks FedEx, This is Why we Keep Getting Phished
Thanks FedEx, This is Why we Keep Getting Phished

These get through all the technical controls that exist at my telco and they land smack bang in my SMS inbox. However, I don't fall for the scams because I look for the warning signs: a sense of urgency, fear of missing out, and strange URLs that look nothing like any parcel delivery service I know of. They have a pretty rough go of convincing me they're from Australia Post by putting "auspost" somewhere or other within each link, but I'm a smart human so I don't fall for this (that's a joke, read why humans are bad at URLs).

However... I am expecting a parcel. It's well into the 2020's and post COVID so I'm always expecting a parcel, because that's just how we buy stuff these days. And so, when I received the following SMS earlier this week I was expecting a parcel and I was expecting phishing attacks:

Thanks FedEx, This is Why we Keep Getting Phished

So... which is it? Parcel or phish? Let's see what the people say:

Referring to the parent tweet, is this message legit and should I pay the duty and taxes?

— Troy Hunt (@troyhunt) February 20, 2024

Whoa - that's an 87% "dodgy AF" vote from over 4,000 respondents so yeah, that's pretty emphatic. Why such an overwhelmingly suspicious crowd? Let's break that message down into 7 "dodgy AF" signs:

Thanks FedEx, This is Why we Keep Getting Phished
  1. Phishers commonly make typos in their messaging and I know "FedEx" always capitalises the "E". And what's with the "-Exp"? Dodgy AF!
  2. Why does the shipment number look so short? And why is it identical to the requested payment below? Dodgy AF!
  3. Ah, so it's urgent is it? Urgency is a core tenet of social engineering as it encourages people to act without properly thinking it though. Dodgy AF!
  4. Why are the "D" and the "T" capitalised? Dodgy AF!
  5. This is a US-headquartered global delivery parcel service, why aren't they telling me the currency? Or even using a dollar sign? Dodgy AF!
  6. Does this even need explaining? What's this "bpoint.com.au" service? It's definitely not a FedEx domain nor an Aussie gov one if we're talking duty and taxes. Dodgy AF!
  7. So... you're going to give me the contact details for any "query" (not "queries", so there's another grammatical red flag), the very practice we're now moving away from for one simple reason: because it's dodgy AF!

And so, I was with the 87% of other people. However... I was expecting a package. From FedEx. Coming from outside Australia so it may attract duty and taxes. And I really want to get this package because it's a new 3D printer from Prusa, and they're awesome!

There's a sage piece of advice that's always relevant in these cases and it's very simple: if in doubt, go the website in question and verify the request yourself. So, I went to the purchase confirmation from Prusa, found the shipping details and followed the link to the FedEx website. Now it was simply a matter of finding the section that talks about tax, except...

Thanks FedEx, This is Why we Keep Getting Phished

Dodgy. A. F.

I went all through that page and couldn't find a single reference to duty, nor for anything tax related. Try as I might, I couldn't establish the authenticity of the SMS by going directly to the (alleged) source. But what I could easily establish is that if you follow that link in the SMS, you can change the tracking number, the customer name and the amount to absolutely anything you want!

Thanks FedEx, This is Why we Keep Getting Phished

This is all done by simply changing the URL parameters; I'm not modifying the browser DOM or intercepting traffic or doing anything fancy, it's literally just query string parameter tampering reflected XSS style. This feels like every phishing site ever, not a payment service run by Australia's largest bank. Seriously, BPOINT is provided by the Commonwealth Bank and after the experience above, I'm at the point of reaching out to them and making a disclosure. Except that this is how the system was obviously designed to work and it's a completely parallel issue to phishy FedEx SMSs. Speaking of which, the very next morning I got another one from the same sender:

Thanks FedEx, This is Why we Keep Getting Phished

I don't know if this makes it better or worse 🤦‍♂️ Let's just jump into the highlights, both good and bad:

  1. My shipping number is now actually in the text of the email - yay!
  2. The words "duty" and "taxes" are now represented in the correct case - yay!
  3. The words "PAY NOW" are capitalised which seems... dodgy AF!
  4. And my favourite bit of all: the "link" isn't actually a link at all because it contains no scheme, no domain and no path, just the query string parameters! Dodgy AF!

It's quite unbelievable what they've done with the link because it makes the SMS entirely unactionable. It's impossible to click anywhere and pay the money. And while I'm here, why are all the query string parameter names now capitalised? It's like there's a completely different (broken) process somewhere generating these links. Or scammers just aren't consistent...

Because "dodgy AF" is the prevailing theme, I needed to dig deeper, so I searched for the 1800 number. One of the first results was for a Reverse Australia page for that number which upon reading the first 3 comments, perfectly summed up the sentiment so far:

Thanks FedEx, This is Why we Keep Getting Phished

And the more you read both on that site and other top links in the search results, the more people are totally confused about the legitimacy of the messages. There's only one thing to do - call FedEx. Not by the number in the (still potentially phishy) SMS, but rather via the number on their website. So, click the "Support" menu item, down to "Customer Support" and we end up here:

Thanks FedEx, This is Why we Keep Getting Phished

I'll save you the pain of reading the response that ensued, suffice to say that it only referred to email communications and boiled down to suggesting you read the domain of the sender. But I did manage to pin the system down on a phone number which as you'll see, is completely different to the one in the SMS messages:

Thanks FedEx, This is Why we Keep Getting Phished

So, I call the number and follow the voice prompts, selecting options via the keypad to route me through to the duty and taxes section. But eventually, several steps deep into the process, the system stops responding to key presses! "1" doesn't work and neither does "2" so without a response, the same message just repeats. But it does offer an alternative and suggestions I call 132610. That's the number I called in the first place to get stuck in this infinite loop!

I try again, this time following a different series of prompts that eventually asks for a tracking number and then proceeds to tell me precisely what the website already does! But it also provides the option to speak to a customer service operator and I'm actually promptly put through. The operator explains that my shipment is valued at US$799 which converts to AU$1,215.97 and it therefore subject to some inbound fees. "Great, but how much and does it match what's in the phishy SMSs I've received?" He promises someone will call be back shortly...

And then, out of the blue 3 days after the initial phishy SMS arrived, an email landed in my inbox:

Thanks FedEx, This is Why we Keep Getting Phished

The dollar figure, the BPOINT address and the messaging all lined up with the SMSs, but that's just merely correlation and if someone had both my phone number and email address they could easily attempt to phish both with the same details. But then, I looked at the attachment to the email and found this:

Thanks FedEx, This is Why we Keep Getting Phished

IT'S THE MISSING LINK!!!

My complete Prusa invoice was attached along with the order number, price and shipping details. In other words, 87% of you were wrong 😲

On a more serious note, Aussies alone are losing north of AU$3B annually to scams, and that's obviously only a drop in the ocean compared to the global scale of this problem. Our Australian Communications and Media Authority body (ACMA) recently reported 336M blocked scam SMSs and technical controls like these are obviously great, but absent from their reporting was the number of scam messages they didn't block. There's an easy explanation for this omission: they simply don't know how many are sent. But if I were to take a guess, they've merely blocked the tip of the iceberg. This is why in addition to technical controls, we reply on human controls which means helping people identify the patterns of a scam: requests for money, a sense of urgency, grammar and casing that's a bit off, odd looking URLs. You know, stuff like this:

Thanks FedEx, This is Why we Keep Getting Phished

What makes this situation so ridiculous is that while we're all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers! Here we are in the era of burgeoning AI-driven scams that are becoming increasingly hard for humans to identify, and FedEx is like "here, hold my beer" as they one-up the scammers at their own game and do a perfect job of being completely indistinguishable from them.

Ah well, as I ultimately lament in these situations, it's a good time to be in the industry 😊

Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware

By Newsroom
The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy. Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between

Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims

By Newsroom
The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023. The scheme “leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers’ infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions,”

Mandiant's X Account Was Hacked Using Brute-Force Attack

By Newsroom
The compromise of Mandiant's X (formerly Twitter) account last week was likely the result of a "brute-force password attack," attributing the hack to a drainer-as-a-service (DaaS) group. "Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," the threat intelligence firm said 

Beware: Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks

By Newsroom
Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets. "These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu,

Four U.S. Nationals Charged in $80 Million Pig Butchering Crypto Scam

By Newsroom
Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams. The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, Rosemead, California; and Hailong Zhu, 40, Naperville, Illinois – have been charged with conspiracy to commit money laundering,

Major Cyber Attack Paralyzes Kyivstar - Ukraine's Largest Telecom Operator

By Newsroom
Ukraine's biggest telecom operator Kyivstar has become the victim of a "powerful hacker attack,” disrupting customer access to mobile and internet services. "The cyberattack on Ukraine's #Kyivstar telecoms operator has impacted all regions of the country with high impact to the capital, metrics show, with knock-on impacts reported to air raid alert network and banking sector as

SpyLoan Scandal: 18 Malicious Loan Apps Defraud Millions of Android Users

By Newsroom
Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have been collectively downloaded over 12 million times. "Despite their attractive appearance, these services are in fact designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims' personal and

Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale

By Newsroom
More details have emerged about a malicious Telegram bot called Telekopye that's used by threat actors to pull off large-scale phishing scams. "Telekopye can craft phishing websites, emails, SMS messages, and more," ESET security researcher Radek Jizba said in a new analysis. The threat actors behind the operation – codenamed Neanderthals – are known to run the criminal enterprise as a

34 Cybercriminals Arrested in Spain for Multi-Million Dollar Online Scams

By Newsroom
Spanish law enforcement officials have announced the arrest of 34 members of a criminal group that carried out various online scams, netting the gang about €3 million ($3.2 million) in illegal profits. Authorities conducted searches across 16 locations Madrid, Malaga, Huelva, Alicante, and Murcia, seizing two simulated firearms, a katana sword, a baseball bat, €80,000 in cash, four high-end

U.S. DoJ Cracks Down on North Korean IT Scammers Defrauding Global Businesses

By Newsroom
The U.S. government has announced the seizure of 17 website domains used by North Korean information technology (IT) workers as part of an illicit scheme to defraud businesses across the world, evade sanctions, and fund the country's ballistic missile program. The Department of Justice (DoJ) said the U.S. confiscated approximately $1.5 million of the revenue that these IT workers collected from

Classiscam Scam-as-a-Service Raked $64.5 Million During the COVID-19 Pandemic

By THN
The Classiscam scam-as-a-service program has reaped the criminal actors $64.5 million in illicit earnings since its emergence in 2019. "Classiscam campaigns initially started out on classified sites, on which scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards," Group-IB said in a new report. "Since

S3 Ep148: Remembering crypto heroes

By Paul Ducklin
Celebrating the true crypto bros. Listen now (full transcript available).

FBI warns about scams that lure you in as a mobile beta-tester

By Paul Ducklin
Apps on your iPhone must come from the App Store. Except when they don't... we explain what to look out for.

Protect yourself from ticketing scams ahead of the Premier League Summer Series USA Tour

By Tony Anscombe

There is a significant secondary marketplace where tickets can sell for several times their original value, opening the opportunity for scammers and fraud

The post Protect yourself from ticketing scams ahead of the Premier League Summer Series USA Tour appeared first on WeLiveSecurity

Beware: 1,000+ Fake Cryptocurrency Sites Trap Users in Bogus Rewards Scheme

By Ravie Lakshmanan
A previously undetected cryptocurrency scam has leveraged a constellation of over 1,000 fraudulent websites to ensnare users into a bogus rewards scheme since at least January 2021. "This massive campaign has likely resulted in thousands of people being scammed worldwide," Trend Micro researchers said in a report published last week, linking it to a Russian-speaking threat actor named "Impulse

Service Rents Email Addresses for Account Signups

By BrianKrebs

One of the most expensive aspects of any cybercriminal operation is the time and effort it takes to constantly create large numbers of new throwaway email accounts. Now a new service offers to help dramatically cut costs associated with large-scale spam and account creation campaigns, by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers.

The service in question — kopeechka[.]store — is perhaps best described as a kind of unidirectional email confirmation-as-a-service that promises to “save your time and money for successfully registering multiple accounts.”

“Are you working on large volumes and are costs constantly growing?” Kopeechka’s website asks. “Our service will solve all your problems.”

As a customer of this service, you don’t get full access to the email inboxes you are renting. Rather, you configure your botnet or spam machine to make an automated application programming interface (API) call to the Kopeechka service, which responds with a working email address at an email provider of your choosing.

Once you’ve entered the supplied email address into the new account registration page at some website or service, you tell Kopeechka which service or website you’re expecting an account confirmation link from, and they will then forward any new messages matching that description to your Kopeechka account panel.

Ensuring that customers cannot control inboxes rented through the service means that Kopeechka can rent the same email address to multiple customers (at least until that email address has been used to register accounts at most of the major online services).

Kopeechka also has multiple affiliate programs, including one that pays app developers for embedding Kopeechka’s API in their software. However, far more interesting is their program for rewarding people who choose to sell Kopeechka usernames and passwords for working email addresses.

Kopeechka means “penny” in Russian, which is generous verbiage (and coinage) for a service that charges a tiny fraction of a penny for access to account confirmation links. Their pricing fluctuates slightly based on which email provider you choose, but a form on the service’s homepage says a single confirmation message from apple.com to outlook.com costs .07 rubles, which is currently equal to about $0.00087 dollars.

The pricing for Kopeechka works out to about a fraction of a penny per confirmation message.

“Emails can be uploaded to us for sale, and you will receive a percentage of purchases %,” the service explains. “You upload 1 mailbox of a certain domain, discuss percentage with our technical support (it depends on the liquidity of the domain and the number of downloaded emails).”

We don’t have to look very far for examples of Kopeechka in action. In May, KrebsOnSecurity interviewed a Russian spammer named “Quotpw who was mass-registering accounts on the social media network Mastodon in order to conduct a series of huge spam campaigns advertising scam cryptocurrency investment platforms.

Much of the fodder for that story came from Renaud Chaput, a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including joinmastodon.org, mastodon.online, and mastodon.social. Chaput told KrebsOnSecurity that his team was forced to temporarily halt all new registrations for these communities last month after the number of new registrations from Quotpw’s spam campaign started to overwhelm their systems.

“We suddenly went from like three registrations per minute to 900 a minute,” Chaput said. “There was nothing in the Mastodon software to detect that activity, and the protocol is not designed to handle this.”

After that story ran, Chaput said he discovered that the computer code powering Quotpw’s spam botnet (which has since been released as open source) contained an API call to Kopeechka’s service.

“It allows them to pool many bot-created or compromised emails at various providers and offer them to cyber criminals,” Chaput said of Kopeechka. “This is what they used to create thousands of valid Hotmail (and other) addresses when spamming on Mastodon. If you look at the code, it’s really well done with a nice API that forwards you the confirmation link that you can then fake click with your botnet.”

It’s doubtful anyone will make serious money selling email accounts to Kopeechka, unless of course that person already happens to run a botnet and has access to ridiculous numbers of email credentials. And in that sense, this service is genius: It essentially offers scammers a new way to wring extra income from resources that are already plentiful for them.

One final note about Quotpw and the spam botnet that ravaged Chaput’s Mastodon servers last month: Trend Micro just published a report saying Quotpw was spamming to earn money for a Russian-language affiliate program called “Impulse Team,” which pays people to promote cryptocurrency scams.

The crypto scam affiliate program “Project Impulse,” advertising in 2021.

Websites under the banner of the Impulse Scam Crypto Project are all essentially “advanced fee” scams that tell people they have earned a cryptocurrency investment credit. Upon registering at the site, visitors are told they need to make a minimum deposit on the service to collect the award. However, those who make the initial investment never hear from the site again, and their money is gone.

Interestingly, Trend Micro says the scammers behind the Impulse Team also appear to be operating a fake reputation service called Scam-Doc[.]com, a website that mimics the legitimate Scamdoc.com for measuring the trustworthiness and authenticity of various sites. Trend notes that the phony reputation site routinely gave high trust ratings to a variety of cryptocurrency scam and casino websites.

“We can only suppose that either the same cybercriminals run operations involving both or that several different cybercriminals share the scam-doc[.]com site,” the Trend researchers wrote.

The ScamDoc fake reputation websites, which were apparently used to help make fake crypto investment platforms look more trustworthy. Image: Trend Micro.

According to the FBI, financial losses from cryptocurrency investment scams dwarfed losses for all other types of cybercrime in 2022, rising from $907 million in 2021 to $2.57 billion last year.

Tricks of the trade: How a cybercrime ring operated a multi‑level fraud scheme

By Roman Cuprik

A peek under the hood of a cybercrime operation and what you can do to avoid being an easy target for similar ploys

The post Tricks of the trade: How a cybercrime ring operated a multi‑level fraud scheme appeared first on WeLiveSecurity

Vietnamese Threat Actor Infects 500,000 Devices Using 'Malverposting' Tactics

By Ravie Lakshmanan
A Vietnamese threat actor has been attributed as behind a "malverposting" campaign on social media platforms to infect over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer. Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious

Google wins court order to force ISPs to filter botnet traffic

By Naked Security writer
CryptBot criminals are alleged to have plundered browser passwords, illicitly-snapped screenshots, cryptocurrency account data, and more.

Pig butchering scams: The anatomy of a fast‑growing threat

By Márk Szabó

How fraudsters groom their marks and move in for the kill using tricks from the playbooks of romance and investment scammers

The post Pig butchering scams: The anatomy of a fast‑growing threat appeared first on WeLiveSecurity

SVB’s collapse is a scammer’s dream: Don’t get caught out

By Phil Muncaster

How cybercriminals can exploit Silicon Valley Bank's downfall for their own ends – and at your expense

The post SVB’s collapse is a scammer’s dream: Don’t get caught out appeared first on WeLiveSecurity

5 signs you’ve fallen for a scam – and what to do next

By Phil Muncaster

Here’s how to know you have fallen victim to a scam – and what to do in order to undo or mitigate the damage.

The post 5 signs you’ve fallen for a scam – and what to do next appeared first on WeLiveSecurity

Common WhatsApp scams and how to avoid them

By André Lameiras

Here's a roundup of some of the most common tricks that fraudsters use to dupe their victims on WhatsApp – and what you can do to protect yourself against them.

The post Common WhatsApp scams and how to avoid them appeared first on WeLiveSecurity

NPM JavaScript packages abused to create scambait links in bulk

By Paul Ducklin
Free spins? Bonus game points? Cheap social media followers? What harm could it possibly do if you just take a tiny little look?!

10 signs that scammers have you in their sights

By Phil Muncaster

Don’t be their next victim – here’s a handy round-up of some the most common signs that should set your alarm bells ringing

The post 10 signs that scammers have you in their sights appeared first on WeLiveSecurity

Are online surveys legit and safe? Watch out for survey scams

By Phil Muncaster

“Can I tell a legitimate survey apart from a fake one?” is the single most important question you need to answer for yourself before taking any surveys online

The post Are online surveys legit and safe? Watch out for survey scams appeared first on WeLiveSecurity

Tech support scammers are still at it: Here’s what to look out for in 2023

By Phil Muncaster

Hello, is it me you’re looking for? Fraudsters still want to help you 'fix' a computer problem you never had in the first place.

The post Tech support scammers are still at it: Here’s what to look out for in 2023 appeared first on WeLiveSecurity

A Scam in the Family—How a Close Relative Lost $100,000 to an Elder Scam

By McAfee

Written by James Schmidt 

Editor’s Note: We often speak of online scams in our blogs, ones that cost victims hundreds if not thousands of dollars. This account puts a face on one of those scams—along with the personal, financial, and emotional pain that they can leave in their wake. This is the story of “Meredith,” whose aunt “Leslie” fell victim to an emerging form on online elder fraud. Our thanks to James for bringing it forward and to “Meredith’s” family for sharing it, all so others can prevent such scams from happening to them. 

 

“Embarrassing. Simply embarrassing.” She shook her head. “It’s too raw. I can’t talk about it right now. I need time.”   

Her aunt had been scammed. To the tune of $100,000 dollars. My colleague—we both work in the security industry—felt a peculiar sense of loss. 

“I work in this industry. I thought I’d done everything right. I’ve passed on enough warnings to my family and friends to ensure they’d avoid the fate of the scammed.  Simply because I’m in this industry does not imply my circle is always aware of all the threats to them, even if I do my best to teach them.” 

“My mental state, recently, borders on shame; this feeling, you know? How could someone working in my industry have something like this happen to a family member?”  

I told her many people working in other industries cannot control what happens to people in their families even if people in that industry had knowledge that could have helped them or otherwise avoided a problem altogether. 

“I know, but this simply should never have happened! My aunt is one of the smartest, most conscientious people I know, and she fell for this. It’s crazy and I can’t wrap my head around it.” 

My colleague, let’s call her Meredith (not her real name as she’s a bit ashamed to know this happened to a family member), told me the beginnings. 

Let’s call her aunt Leslie. 

Her story unfolds, the overall picture a pastiche of millions of people in the United States today. Her aunt is retired, bored, lonely, and isolated. She feels adrift without something to occupy her time; she was looking for companionship, connections, someone (anyone) to talk to. Her feelings intensified during the pandemic. She morphed into perfect prey for scammers of what is now known as the “Pig Butchering Scam.” 

The term “Pig Butchering” has a visceral and raw feel to it, which falls right in line with how brutal this scam can be. It’s a long con game, where the scammer befriends the victim and encourages them to make small investments through the scammer, which get bigger and bigger over time. The scammer builds trust early with what appear to be small investment wins. None of it is legit. The money goes right into the scammer’s pocket, even as the scammer shows the victim phony financial statements and dashboards to show off the bogus returns. Confidence grows. The scammer wrings even larger sums out of the victim. And then disappears.  

It was a targeted attack that started innocuously enough with a “fake wrong number”. An SMS arrives. A text conversation starts. The scammer then apologizes but tells Leslie someone gave them the number to initiate the text. 

The scammer then uses emotional and psychological techniques to keep Leslie hooked.  “How are you, are you having a nice day?” Leslie, being bored and interested, engages willingly.     

The scammer asks to talk directly, not via text: and a phone conversation ensues.  The scammer proceeds to describe—in very soothing detail—what they are doing, helping people, like Leslie, invest their “hard-earned money” into something that will make them more money, to help them out in retirement. 

Of course, it is too good to be true.  

“The craziest part of all of this is my aunt refuses—to this day—to believe she’s been scammed!” 

She still thinks this scammer is a “friend” even though the entire family is up in arms over this, all of whom beg her aunt to “open her eyes.” 

“My aunt still thinks she’d going to see that money again, or even make some money, which is crazy. The scammers are so good at emotional intelligence; really leveraging heartstrings and psychological makeup of the forlorn in society. My aunt finally agreed to stop sending more money to the scammers, but only after the entire family threatened to cut her off from the rest of the family. It took a lot to get her to stop trusting the scammers.” 

Meredith feels this is doubly sad as the aunt in question is not someone they’d ever imagine would in this predicament. She was always the upright one, always the diligent and hardworking and the best with money. She is smart and savvy and we could never imagine her to be taken by these people and taken so easily. It boggles the mind.” 

She did start to change in the last few years. And the pandemic created a weird situation. Retirement, loneliness from loss of a partner, and the added burden of the pandemic created a perfect storm for her to open herself up to someone willingly, simply for the sake of connection. 

“No one deserves this. It has rocked my family to the core. It is not only about the money, but we’ve found family bonds stretched. She believes these random people, these scammers, more than she believes her own family. Have we been neglectful of our aunt? Does she no longer put her faith in people she knows, rather gives money to complete strangers?” 

Being a security professional does not provide magical protection. We are more aware of scams and scammers, and how they work, and what to look for, and we try to do all we can to keep our family aware of scams out there in the big wide world, but we are human. We fall short. 

Diligence is action. Awareness is action. Education is action. 

We need to be better, all of us, at socializing risky things. We need to consistently educate our family and friends to protect themselves, not only via security software (which everyone should have as default) but by providing tips and tricks and warnings for things we all need to be on the lookout. This is not a one-time thing. The cliché holds true: “If you see something say something.” Repetition helps.  

In today’s world, the need for protecting people’s security, identity, and privacy is critical to keeping them safe. Scammers long stopped focusing on attacking only your computer. Now focus more than ever on YOU: your identity, your privacy, your trust. If they get you there, they soon get your money. 

As for contributing factors to scammers success with their victims, such as loneliness, isolation, and boredom, they all have remedies.  Make connections with your loved ones, especially those easily tagged as vulnerable, those you feel might be at risk. Reach out. It may be hard sometimes due to distance and other factors but make it a point to connect. There is a reason these scammers are succeeding. They are stepping into roles of companions to people who are desperate for connection.   

Most people are greatly saddened at seeing other people being “taken.” Let’s work together to help stop the scammers. 

Look out for each other, and get your people protected! 

Editor’s Closing Note:  

If you or someone you know suspects elder fraud, the following resources can help: 

For further reading on scams and scam prevention, check out the guides in our McAfee Safety Series, which provide in-depth advice on protecting your identity and privacy—and your family from scams. They’re ready to download and share. 

The post A Scam in the Family—How a Close Relative Lost $100,000 to an Elder Scam appeared first on McAfee Blog.

Top 10 Venmo scams: Don’t fall for these common tricks

By Phil Muncaster

Here's what to know about some of the most common ploys that scammers use on the payment app

The post Top 10 Venmo scams: Don’t fall for these common tricks appeared first on WeLiveSecurity

Multi-million investment scammers busted in four-country Europol raid

By Paul Ducklin
216 questioned, 15 arrested, 4 fake call centres searched, millions seized...

How To Recognize An Online Scam

By Alex Merton-McCann

It’s been a particularly busy and colourful week, scam-wise in our household. Between 4 family members, we’ve received almost 20 texts or emails that we’ve identified as scams. And the range was vast: from poorly written emails offering ‘must have’ shopping deals to terse text messages reprimanding us for overdue tolls plus the classic ‘Dear mum, I’ve smashed my phone’ and everything in between. 

There’s no doubt that scammers are dedicated opportunists who can pivot fast. They can pose as health authorities during a pandemic, charities after a flood or even your next big love on an online dating platform. And it’s this chameleon ability that means we need to always be on red alert! 

How Big An Issue Are Scams in Australia? 

According to the Australian Competition and Consumer Commission (ACCC), Aussies lost a record amount of more than $2 billion in scams in 2021. And that was with record levels of intervention from the government, law enforcement agencies and the private sector. The most lucrative scams were investment scams ($701 million) followed by payment redirection scams ($227 million) and then romance scams which netted a whopping $142 million. 

But the psychological trauma that is often experienced by victims can be equally as devastating. Many individuals will require extensive counselling and support in order to move on from the emotional scarring from being a victim of hacking. 

So, with scammers putting so much energy into trying to lure us into their web, how can we stay one step ahead of these online schemers and ensure we don’t become a victim? 

What You Can Do To Stay Ahead Of The Scammers 

While there are no guarantees in life, there are a few steps you can take so that you can quickly recognise an online scam. 

1. Slow Down 

If you’ve received a text message, email or call that you think is a scam, don’t respond. Take your time. Slow down and pause. If it’s a call, and you’re not sure – hang up! Or if it’s a text or email – delete it! But if you are concerned that it might be legitimate, call the company directly using the contact information from their official website or through their secure apps.  

2. Think First 

If you are being asked to share your personal information or pay money either via a text or phone call, take some time to think. Does it feel legitimate? Do you have a relationship with this organisation? Remember, scammers are very talented at pretending they are from organisations you know and trust. If in doubt, contact the company directly via their official communication channels. Or ask a trusted friend or family member for their input. But remember, NEVER click on any links in messages from people or organisations you don’t know – no exceptions!! 

3. If Concerned, Act Fast!  

Do not hesitate to take action if something feels wrong. If there are any transactions on your credit card or bank statements that don’t look right, call your bank immediately. If you think you may have given personal information to scammers, then act fast. I recommend calling ID Care – Australia and New Zealand’s national identity and cyber support service. They are a not-for-profit charity that provides support to individuals affected by identity and cyber security issues. 

ReportCyber is another way of notifying authorities of a scam. An initiative of the Australian Government and the Australian Cyber Security Centre, it helps authorities investigate and shut down scams. It’s also a good idea to report the scam to Scamwatch – the dedicated scam arm of the Australian Competition and Consumer Commission (ACCC). 

4. Get Ahead Of The Scammers 

We’ve all heard that ‘prevention is better than a cure’ so taking some time to protect yourself before a scammer comes your way is a no-brainer. Here are my top 5 things to do: 

  • Ensure all your online accounts have an individual complex password. Use a password manager – they’ll create and remember your passwords. 
  • Add multi-factor authentication whenever possible. This could be a code sent to your phone, a token or a secret question. 
  • Ensure you have security software on all your devices 
  • Close any online accounts you don’t use. It will reduce the probability of being caught in a data breach. 
  • Software updates are an important way of protecting your devices (and private info) from security vulnerabilities. So, ensure these are automated.  

Please don’t think smart people don’t get caught up in scams because they do!! Scammers are very adept at looking legitimate and creating a sense of urgency. With many of us living busy lives and not taking the time to think critically, it’s inevitable that some of us will become victims. And remember if you’re offered a deal that just seems too good to be true, then it’s likely a scam! Hang up or press delete!! 

The post How To Recognize An Online Scam appeared first on McAfee Blog.

Inside a scammers’ lair: Ukraine busts 40 in fake bank call-centre raid

By Naked Security writer
When someone calls you up to warn you that your bank account is under attack - it's true, because THAT VERY PERSON is the one attacking you!

“Suspicious login” scammers up their game – take care at Christmas

By Paul Ducklin
A picture is worth 1024 words - we clicked through so you don't have to.

OneCoin scammer Sebastian Greenwood pleads guilty, “Cryptoqueen” still missing

By Paul Ducklin
The Cryptoqueen herself is still missing, but her co-conspirator, who is said to have pocketed over $20m a month, has been convicted.

Oh, the scammers online are frightful

By Dave Lewis

Oh, the scammers online are frightful, and the deals they offer seem delightful. No matter what you think you know, let it go, let it go, let it go (to the tune of 1945’s Let it Snow by Vaughn Monroe with the Norton Sisters).

‘Tis the season to find ourselves awash in good tidings and, well, consumerism. While it’s only partly tongue in cheek, we must be honest with ourselves. We spend a lot of money online. Often, we find ourselves leaving things to the last minute and hope that the delivery folks can make the magic happen and send us all the widgets and grapple grommets while we surf the Internet from the safety of our sofas with coffee in hand.

But, not every deal is what it appears to be. Scammers are always lurking in the void of the Internet waiting for a chance to fleece the unexpecting from their hard-earned money. This can manifest itself to the unsuspecting in many ways. There are shipping frauds, gift card giveaways and vishing (phone-based scams).

Scams tend to rely on generating a false sense of urgency. The shipping scam emails often show up in our inboxes as a warning about a missed or delayed package that will be sent back to the point of origin if we don’t answer quickly. Of course, this requires a payment to receive the fictitious package.

These types of shipping scam emails are quite effective this time of year when more often than naught many people have enough orders coming to their house to make a fort with the empty boxes.

The other kinds of attacks are the gift card scams and vishing. The first of which taps into the sense of excitement that a person might receive something for free. “Fill out this form with your credit card information for a chance to win a $200 gift card.” Sadly, this attack works well for older generations  for which giveaways were more common and they aren’t as accustomed to spotting digital swindlers.

The last scam that we will tackle here is often labeled as vishing or voice phishing. This is a method whereby the attackers call a victim and attempt to convince their target that they need to do something which will lead to the exposure of financial information while pressuring the victim to think if they don’t act quickly that they will miss an opportunity for personal gain.

Unfortunately, the aforementioned scams really bring in a lot of return for the criminal element. In 2021, over 92,000 victims over the age of 60 reported losses of $1.7 billion. This represents a 74 percent increase in losses over losses reported in 2020.

One additional scam that plays on the heart strings is the romance scams. A lot of single people find themselves lonely during the holidays and can be manipulated into thinking that they’ve found a romantic match. But this can drain the bank accounts as well.

In 2021, the IC3 received reports from 7,658 victims who experienced over $432 million in losses to Confidence Fraud/Romance scams. This type of fraud accounts for the highest losses reported by victims over the age of 60.

All these attacks prey on people’s emotional responses. So, how do we prepare ourselves? We need to make knowledge a capability and arm ourselves with information that will help us avoid being taken advantage of by criminals.

Passwords are a significant exposure. They are the digital equivalent of a house key. A password will work for anyone that has access to it. We need to utilize technologies such as multi-factor authentication (MFA) on websites where it is possible to do so. So even if bad actors have our password, the victim still needs to approve the login.

If we don’t have the option to use MFA it would be an excellent idea to make use of a password manager. This is a way to safely store passwords and not fall into the trap of reusing passwords on multiple sites. Attackers bank on human nature and if we use the same credentials on multiple sites there is a high possibility that the criminals could gain access to other sites if they compromise just one.

I’m usually one to eschew the practice of New Year’s resolutions but I’ll make an exception. Keep a keen sense about yourselves whenever you receive an email or SMS that you were not expecting. If a deal is too good to be true then, well, it most likely is a scam. If you’re in doubt, try to look up the phone number, email address, person or “organization” offering the “deal.” More often than not, you’ll find lots of people reporting that it’s a scam.

Rather than being visited by the three ghosts of holiday scams, make sure you and your loved ones are prepared for a happy holiday and a prosperous New Year.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

A PayPal Email Scam Is Making the Rounds: Here’s How to Identify and Avoid It

By McAfee

Payment applications make splitting restaurant bills, taxi fares, and household expenses so much easier. Without having to tally totals at the table or fumble with crumpled bills, you and your companions can spend less stress and more time on the fun at hand. 

There are various payment apps available, and the company that may first come to mind is PayPal. PayPal is regarded as a safe platform where security and strong encryption are a priority; however, a recent and advanced phishing scam is putting PayPal users at risk of giving up large sums of money and their personally identifiable information (PII).1 

Let’s look at this “triple-pronged” PayPal phishing scam and review some tips to help you identify and proceed should you encounter it. 

1. The Email

The typical part of this three-sided scam is the phishing email component. According to one source, the phishing email comes from a legitimate-looking PayPal service email address. Luckily, the typos, odd punctuation, extra spaces, and grammar errors in the body of the email give away that it is a phishing attempt. Remember, phishing emails are often worded poorly or have errors. Large companies, especially ones like PayPal, have teams of content experts vetting all automated messages for such mistakes, so several mistakes in an email should set off your alarm bells. Proceed with caution and do not click on any links in the message. 

The email also included wording that encouraged the user to act quickly or be charged a lot of money. That’s another trademark of phishing emails: urgency. Take a deep breath and make sure to reread carefully all emails that “require” a quick response. Don’t be scared by dire consequences. Phishers rely on people to rush and not give themselves time to listen to their better judgement. 

2. The ‘One-ring’ Phone Scam

The PayPal phishing email included a support phone number that claimed it was toll free. In actuality, it was an international phone number. So, if the recipient of the phishing email didn’t quite believe the message but wanted to follow up, the scam could catch them with what’s called a one-ring phone scam.2 This occurs when someone unknowingly calls an international phone number and then gets charged by their phone company for the long-distance call. 

The best way to avoid one-ring phone scams is to never call a number you don’t recognize. Always go to an organization’s official website to find their contact information. 

3. The Fake Fraud Hotline

The third dimension of this PayPal scam was the international phone number in the phishing email connected the caller directly with the scammer who posed as the PayPal fraud department. The “customer service representative” then asked prying personal and financial questions to glean enough PII to break into a PayPal account or compromise the caller’s identity. This is the most damaging part of the scam. An excellent customer support team may be able to reimburse you your lost money; however, once your personal details are in nefarious hands, you can’t take them back. 

In addition to never calling numbers you haven’t verified, never give out passwords and never give out more personal information than you need to. Even in legitimate customer service calls, it’s not rude to ask why the representative requires the information they’re asking for. In a fake call, questions like that may fluster the scammer, so keep an ear tuned to their tone. 

For Peace of Mind, Partner With McAfee

Overall, our best advice for handling suspicious emails is to delete them. If it’s truly important, the sender will contact you again. And if a thief somehow stole money from one of your payment apps, the customer service team should be able to walk you through the steps to recover it. 

The transfer and handling of large sums of money would make anyone nervous. To give you peace of mind, consider partnering with a service that can help you recover should you ever fall for a scheme and compromise your PII. McAfee+ Ultimate helps you live your best life in private, and the service includes credit monitoring with all three credit bureaus, security freeze, and expert online support to help you navigate any scams you encounter. 

Having McAfee+ can protect you from email phishing scams like this. Here are some of the top agencies to report this scam to, if it happens to you: Paypal Fraud Department,  Federal Trade Commision , Cybersecurity & Infrastructure Security Agency USA.gov IC3 

“Report it. Forward phishing emails to reportphishing@apwg.org (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies). Let the company or person that was impersonated know about the phishing scheme.” – FTC.gov 

1ZDNET, “Watch out for this triple-pronged PayPal phishing and fraud scam.” 

2Federal Communications Commission, “‘One Ring’ Phone Scam.” 

The post A PayPal Email Scam Is Making the Rounds: Here’s How to Identify and Avoid It appeared first on McAfee Blog.

BeReal – The Newest Kid On The Social Media Block

By Alex Merton-McCann

Without doubt, the biggest criticism we all have of social media is that everyone always looks fabulous! And while we all know that everyone is only sharing the best version of themselves, let’s be honest – it can be a little wearing. Well, there’s a new social media platform that is determined to uproot our online curated lives by having users post very real pictures of themselves – with no time to stage or add filters! 

Developed in France in 2020, BeReal is where Aussie teenagers are currently spending their time and energy online. And to be honest, I can totally see why. It’s all about sharing random, authentic pics without having to spend time and energy making them look beautiful. In fact, my 19-year-old tells me that the uglier and weirder the photo, the better! How refreshing!!! 

How Does It Work? 

Once you’ve signed up, the app will send all users a notification at a random time throughout the day that it’s ‘time to BeReal’. As soon as the user opens the app to share a pic, they have just 2 minutes to take a picture of whatever they’re doing at that particular moment whether they’re on the bus, at the gym or chilling at home in trackies. The app will take 2 pictures using the front and back cameras so that your followers can see what you look like and where you are. 

Now, if you don’t manage to post in 2 minutes, you’re officially late and your friends will know. In fact, there’s a small amount of shame for being tardy – as if on some level you’re not committed to being authentic. But don’t let this worry you too much – we can’t wait around all day awaiting the notification to post! 

When you have uploaded your daily snap, your friends can comment, respond to your pic with ‘RealMojis’ and even see where you are in the world with the map feature. Users can also choose to upload their pics to the public feed where other users can leave “RealMoji’ reactions but no comments. But in order to access either the public feed or your friends’ photos, users will need to take their own picture too. 

Now for my favourite parts of this app – this app has NO filters, NO option to ‘like’ anything, NO follower counts and NO private messaging!! How liberating!!  

Is It Safe? 

Like all social media platforms, there are a few risks however with a bit of strategy and a few smarts, users should be able to have a safe and positive experience. And when compared to platforms where follower counts and likes are public, influencers dominate and comments are allowed, BeReal is definitely a great choice.  

Here are my top tips to keep the experience safe and positive: 

1. Disable Your Location To Avoid Being ‘Discoverable’ 

Before you share your pics, ensure you disable your location to avoid the app sharing your exact location on the map. You don’t want an ill-intentioned follower knowing your exact whereabouts! 

2. Think (Quickly) Before You Post 

The very brief 2-minute posting window may result in rushed decisions about what to post and potentially oversharing of personal information. So, ensure you (and your kids) know not to share anything that can identify their location, any identifiable numbers such as passports or licences or, their computer screens that may display confidential information.  

3. Don’t Feel Pressures to Post If You Can’t  

Accept that there will be times when you just can’t post within the 2-minute time frame.  You may be driving, sleeping or doing something far more important. You can absolutely still post late. 

4. Know How To Report Bad Behaviour 

If you see a post that is inappropriate, then report it immediately. It’s an investment in keeping the BeReal community as safe as possible. Simply tap the three dots at the top right of the post. A report button should appear. You will then have the option to flag the post as undesirable or inappropriate. 

5. Be Aware of the Comparison Trap!  

Like all social media platforms, users may compare their posts with others. They may think their lives are boring and predictable, particularly if their friends are doing more exciting things. If a young person is prone to anxiety or low mood, this may not be helpful. As a parent, reminding your kids that perception is not reality, and that one photo does not define a person may be required. But if it all gets too much, a digital detox might be just the thing!  

So, if your kids have embraced BeReal then your homework is pretty easy – join up too! It’s impossible to understand your kids’ online world if you don’t take some time to step inside it. And for what it’s worth – I think you’ll really like this one. The fact that there is no public like count, follower tally, filters or private messaging makes the Mama Bear in me very happy!! 

The post BeReal – The Newest Kid On The Social Media Block appeared first on McAfee Blog.

‘Tis the Season for Holiday Scams

By McAfee

This time of year, the air not only gets chillier but a bit cheerier for everyone … including online scammers. Holiday scams are a quick way to make a buck, and cybercriminals employ several holiday-themed schemes to weasel money and personally identifiable information (PII) from gift givers. 

Here are three common holiday scams to watch out for this year, plus a few tips to help you stay safe online. 

1. Gift Card Cracking

Gift cards are a standby present for the people on your list who are difficult to buy for or for people you don’t know too well but want to get them a small something. Whether the gift card is worth $5 or $500, an online scammer can steal the entire value through two techniques: a brute force attack or phishing. Known as gift card cracking, cybercriminals can take wild guesses at gift card codes and cash in the value for themselves by methodically guessing strings of numbers and letters and crossing their fingers for a match. Cybercriminals will also employ phishing emails, texts or social media direct messages to trick people into divulging gift card information. 

To avoid gift card cracking, encourage gift receivers to redeem their gift card quickly to shorten the amount of time a scammer has to guess the code correctly. Or, you could opt for a paper gift certificate from a small business that doesn’t require online redeeming at all. To avoid gift card phishing scams, do not engage with any type of correspondence that claims they can double the value of your gift card or claims that there’s a problem with it. Be instantly on alert if anyone asks for the activation code. If the gift card-issuing business really needs to replace your purchase, they’ll issue you a new code. They’ll never ask for your existing one. 

2. Last-minute Shopping Scams

Are you a procrastinator? Watch out for last-minute shopping scams that are targeted at people who leave their gift buying until deep in December. As with anything else, if it’s too good to be true, it probably is. Shopping scams often take the form of phishing emails where criminals impersonate a well-known merchant or shipping company.  

While sales often have a quick timeline, don’t let that short timeline pressure you into making an impulsive decision. Phishers rely on people’s excitement or inattention to trick them into giving up their credit card or banking information. Phishing emails, when you take the time to inspect them, are usually easy to spot. The logos are often blurry, there are often typos and grammar mistakes, and the tone of the message will seem “off.” Either it will sound very formal and impersonalized or it will sound very informal and seem pushy. 

To protect your finances during the holiday season, consider putting a lock on your credit. This is easy to do with McAfee credit lock. You can still use your credit card and shop as you normally would. A credit lock is useful because, in case a criminal gets ahold of your PII, they won’t be able to open lines of credit in your name. This protects your credit score, which is essential to keep in good standing if you hope to buy a house or take out a loan anytime soon. 

3. Social Media Ads and Fake Shopping Sites

Just because a “company” has an ad on Facebook or Instagram doesn’t mean that it’s a legitimate establishment. Before buying from an online store you’ve never heard of, do some background research on it and read customer reviews to make sure that it’s real and will deliver you a quality product.  

Take note of the online store’s URL before entering it. (You can preview the link by hovering over it with your cursor.) If the URL is a string of letters and numbers, it could be a malware site in disguise. One way to alert you to suspicious sites is McAfee Web Protection. Web Protection color codes links to identify potential malware and phishing sites and alert you to steer clear. 

Shop Safely This Holiday Season 

Your mind is already drawn in a bunch of different directions this holiday season (cooking, traveling, shopping, wrapping, tidying) so give yourself a respite from worrying about the safety of your identity and finances. McAfee+ Ultimate includes a VPN, Web Protection, credit lock, antivirus and more to cover all your bases to keep your devices and your PII safe. 

The post ‘Tis the Season for Holiday Scams appeared first on McAfee Blog.

Unwrapping Some of the Holiday Season’s Biggest Scams

By McAfee

Even with the holidays in full swing, scammers won’t let up. In fact, it’s high time for some of their nastiest cons as people travel, donate to charities, and simply try to enjoy their time with friends and family. 

Unfortunate as it is, scammers see this time of year as a tremendous opportunity to profit. While people focus giving to others, they focus on taking, propping up all manner of scams that use the holidays as a disguise. So as people move quickly about their day, perhaps with a touch of holiday stress in the mix, they hope to catch people off their guard with scams that wrap themselves in holiday trappings. 

Yet once you know what to look for, they’re relatively easy to spot. The same scams roll out every year, sometimes changing in appearance yet remaining the same in substance. With a sharp eye, you can steer clear of them. 

Watch out for these online scams this holiday season 

1. Shopping scams 

With Black Friday and Cyber Monday in the books, we can look forward to what’s next—a wave of post-holiday sales events that will likewise draw in millions of online shoppers. And just like those other big shopping days, bad actors will roll out a host of scams aimed at unsuspecting shoppers. Shopping scams take on several forms, which makes this a topic unto itself, one that we cover thoroughly in our Black Friday & Cyber Monday shopping scams blog. It’s worth a read if you haven’t done so already, as digs into the details of these scams and shows how you can avoid them.  

However, the high-level advice for avoiding shopping scams is this: keep your eyes open. Deals that look too good to be true likely are, and shopping with retailers you haven’t heard of before requires a little bit of research to determine if their track record is clean. In the U.S., you can turn to the Better Business Bureau (BBB) for help with a listing of retailers you can search simply by typing in their names. You can also use https://whois.domaintools.com to look up the web address of the shopping site you want to research. There you can see its history and see when it was registered. A site that was registered only recently may be far less reputable than one that’s been registered for some time. 

2. Tech support scams  

Plenty of new tech makes its way into our homes during the holiday season. And some of that tech can be a little challenging to set up. Be careful when you search for help online. Many scammers will establish phony tech support sites that aim to steal funds and credit card information. Go directly to the product manufacturer for help. Often, manufacturers will offer free support as part of the product warranty, so if you see a site advertising support for a fee, that could be a sign of a scam. 

Likewise, scammers will reach out to you themselves. Whether through links from unsolicited emails, pop-up ads from risky sites, or by spammy phone calls, these scammers will pose as tech support from reputable brands. From there, they’ll falsely inform you that there’s something urgently wrong with your device and that you need to get it fixed right now—for a fee. Ignore these messages and don’t click on any links or attachments. Again, if you have concerns about your device, contact the manufacturer directly. 

3. Travel scams 

With the holidays comes travel, along with all the online booking and ticketing involved. Scammers will do their part to cash in here as well. Travel scams may include bogus emails that pose as reputable travel sites telling you something’s wrong with your booking. Clicking a link takes you to a similarly bogus site that asks for your credit card information to update the booking—which then passes it along to the scammer so they can rack up charges in your name. Other travel scams involve ads for cut-rate lodging, tours, airfare, and the like, all of which are served up on a phony website that only exists to steal credit card numbers and other personal information. 

Some of these scams can look quite genuine, even though they’re not. They’ll use cleverly disguised web addresses that look legitimate, but aren’t, so don’t click any links. If you receive notice about an issue with your holiday travel, contact the company directly to follow up. Also, be wary of ads with unusually deep discounts or that promise availability in an otherwise busy season or time. These could be scams, so stick with reputable booking sites or with the websites maintained by hotels and travel providers themselves. 

4. Fake charity scams 

Donations to an organization or cause that’s close to someone’s heart make for a great holiday gift, just as they offer you a way to give back during the holiday season. And you guessed it, scammers will take advantage of this too. They’ll set up phony charities and apply tactics that pressure you into giving. As with so many scams out there, any time an email, text, direct message, or site urges you into immediate action—take pause. Research the charity. See how long they’ve been in operation, how they put their funds to work, and who truly benefits from them.  

Likewise, note that there some charities pass along more money to their beneficiaries than others. As a general rule of thumb, most reputable organizations only keep 25% or less of their funds for operations, while some less-than-reputable organizations keep up to 95% of funds, leaving only 5% for advancing the cause they advocate. In the U.S., the Federal Trade Commission (FTC) has a site full of resources so that you can make your donation truly count. Resources like Charity Watch and Charity Navigator, along with the BBB’s Wise Giving Alliance can also help you identify the best charities. 

5. Online betting scams 

The holidays also mean a flight of big-time sporting events, and with the advent of online betting in many regions scammers want to cash in. This scam works quite like shopping scams, where bad actors will set up online betting sites that look legitimate. They’ll take your bet, but if you win, they won’t pay out. Per the U.S. Better Business Bureau (BBB), the scam plays out like this: 

“You place a bet, and, at first, everything seems normal. But as soon as you try to cash out your winnings, you find you can’t withdraw a cent. Scammers will make up various excuses. For example, they may claim technical issues or insist on additional identity verification. In other cases, they may require you to deposit even more money before you can withdraw your winnings. Whatever you do, you’ll never be able to get your money off the site. And any personal information you shared is now in the hands of scam artists.” 

You can avoid these sites rather easily. Stick with the online betting sites that are approved by your regional gambling commission. Even so, be sure to read the fine print on any promo offers that these sites advertise because even legitimate betting sites can freeze accounts and the funds associated with them based on their terms and conditions. 

Further protection from scams 

A complete suite of online protection software, such as McAfee+ Ultimate can offer layers of extra security. In addition to more private and secure time online with a VPN, identity monitoring, and password management, it includes web browser protection that can block malicious and suspicious links that could lead you down the road to malware or a phishing scam—which antivirus protection can’t do alone. Additionally, we offer $1M identity theft coverage and support from a recovery pro, just in case. 

And because scammers use personal information such as email addresses and cell phone numbers to wage their attacks, other features like our  Personal Data Cleanup service can scan high-risk data broker sites for your personal information and then help you remove it, which can help reduce spam, phishing attacks, and deny bad actors the information they need to commit identity theft. 

Scammers love a good thing—and will twist it for their own benefit. 

That’s why they enjoy the holidays so much. With all our giving, travel, and charity in play, it’s prime time for their scams. Yet a little insight into their cons, along with some knowledge as to how they play out, you can avoid them.  

Remember that they’re playing into the hustle and bustle of the season and that they’re counting on you to lower your guard more than you might during other times of the year. Keep an eye open for the signs, do a little research when it’s called for, and stick with reputable stores, charities, and online services. With a thoughtful pause and a second look, you can spare yourself the grief of a scam and fully enjoy your holidays. 

The post Unwrapping Some of the Holiday Season’s Biggest Scams appeared first on McAfee Blog.

What Are Tailgating Attacks and How to Protect Yourself From Them

By McAfee

Whether you’re spending time on the web or working in the office, you want peace of mind knowing that you are in a safe environment. While most of us know to take precautions when online — protecting ourselves from things like phishing attacks and other cyber threats — we should also attend to our physical security. 

One concern is tailgating — a social engineering attack where someone gets physical access to a business to take confidential information or do other harm. 

Here are some ways to protect yourself from tailgating attacks, such as an unauthorized person following you into a restricted area while on the job. 

What is a tailgating attack?

Tailgating is a type of social engineering attack where an unauthorized person gains physical access to an off-limits location — perhaps a password-protected area — where they might steal sensitive information, damage property, compromise user credentials or even install malware on computers. 

Piggybacking” is closely related to tailgating, but it involves consent from the duped employee. So, while a worker might be unaware that someone has tailgated them into a restricted area with piggybacking, the hacker might convince a worker to provide access because they are posing as, say, a delivery driver. 

Who’s at risk of tailgating attacks?

Companies, particularly at risk of being targeted by tailgating scams, include those: 

  • With many employees, often moving inside and out of the premises 
  • With multiple entrance points into a building 
  • That receive deliveries of food, packages, documents, and other things regularly 
  • That have many subcontractors working for them 
  • Where employees aren’t thoroughly trained in physical and cybersecurity protocols 

Generally speaking, companies with robust security systems in place — including using biometrics, badges, or other identity and information security measures — are better protected from tailgating and piggybacking attacks.  

But that’s not to say that some smooth-talking fraudster can’t talk someone into letting them in or finding some way around those protections. 

What are common tailgating methods?

Common types of tailgating attacks that you should be aware of on the job include:  

  • Someone walking behind you into a secure area, depending on your common courtesy to keep the door open for them 
  • A courier or delivery driver who aren’t what they seem 
  • Someone with their hands full of items to trick you into opening the door for them 
  • A person who claims they’ve lost their work ID or forgotten it at home, so that you grant them admittance 

How to protect yourself from tailgating attacks 

Protecting yourself from tailgating attacks is partly a matter of learning about the issue, raising your level of awareness on the job, and depending on your employer, putting in place more effective security systems.  

Some solutions include: 

Increased security training

Many companies know how to train employees to recognize, avoid, and cope with online security issues but may forget to provide the same diligence to physical security. How to spot and deal with threats should be part of this training, plus cultivating an awareness of surroundings and people who might be out of place.   

Management should offer a clearly stated security policy taught to everyone, which might insist that no one be allowed into a secure area without the proper pass or identification. As the security policy is updated, all employees should be aware of changes and additions. 

These security measures should be part of an overall protection program, like McAfee+, which includes antivirus software, a firewall, identity monitoring, password management, web protection, and more. 

Smart badges and cards

If you have a large business spread over several floors, it can be hard for employees to know who works there and who doesn’t, leaving them susceptible to tailgating and piggybacking attacks. Requiring smart badges and cards to access restricted areas can help cut back on unauthorized intrusions and provide better access control. 

Building fully staffed reception areas with dedicated security personnel could also be part of a larger security system. 

Biometric scanners

Biometric scanners are an even more advanced way to provide proper authentication for a worker’s identity. They scan a unique physical or audible feature of a person and compare it to a database for approved personnel.  

Examples of biometric security include: 

  • Voice recognition 
  • Iris recognition 
  • Fingerprint scans 
  • Facial recognition 
  • Heart-rate sensors 

Understanding social engineering

One reason people are vulnerable to physical and cyberattacks is that they lack education on social engineering and the kinds of threats it poses.  

Workers need to understand the full range of social engineering techniques and know-how to protect themselves, whether in their social media accounts or physical work environment.  

For their part, companies can use simulated phishing emails and tailgating attacks to raise awareness and underline how to follow protocols in dealing with them. 

Video surveillance

If there are many ways to enter a business, it may make sense to put video surveillance on all entrances. Advanced video surveillance systems can use artificial intelligence (AI) and video analytics to scan the faces of people entering and compare them to a database of employee features. 

Discover how McAfee can help keep devices secure from hacking

Whether at work or at home, people want to be secure from attacks by cybercriminals who seek to take personal information. 

To add a layer of security to all their connected devices — including computers, smartphones, and tablets — an increasing number of people are turning to the comprehensive coverage of McAfee+ 

Features range from advanced monitoring of possible threats to your identity, automatic implementation of virtual private networks (VPNs) to deal with unsafe networks, and personal data clean-up, removing your information from high-risk data broker sites. 

McAfee protection allows you to work and play online with greater peace of mind. 

The post What Are Tailgating Attacks and How to Protect Yourself From Them appeared first on McAfee Blog.

10 tips to avoid Black Friday and Cyber Monday scams

By André Lameiras

It pays not to let your guard down during the shopping bonanza – watch out for some of the most common scams doing the rounds this holiday shopping season

The post 10 tips to avoid Black Friday and Cyber Monday scams appeared first on WeLiveSecurity

Multimillion dollar CryptoRom scam sites seized, suspects arrested in US

By Paul Ducklin
Five tips to keep yourself, and your friends and family, out of the clutches of "chopping block" scammers...

cryptorom-1200

How to Tell Whether a Website Is Safe or Unsafe

By McAfee

It’s important to know that not all websites are safe to visit. In fact, some sites may contain malicious software (malware) that can harm your computer or steal your personal contact information or credit card numbers.  

Phishing is another common type of web-based attack where scammers try to trick you into giving them your personal information, and you can be susceptible to this if you visit a suspicious site.  

Identity theft is a serious problem, so it’s important to protect yourself when browsing the web. Online security threats can be a big issue for internet users, especially when visiting new websites or following site links. 

So how can you tell if you’re visiting a safe website or an unsafe website? You can use a few different methods. This page discusses key things to look for in a website so you can stay safe online. 

Key signs of website safety and security

When you’re visiting a website, a few key indicators can help determine whether the site is safe. This section explores how to check the URL for two specific signs of a secure website. 

”Https:” in the website URL

“Https” in a website URL indicates that the website is safe to visit. The “s” stands for “secure,” and it means that the website uses SSL (Secure Sockets Layer) encryption to protect your information. A verified SSL certificate tells your browser that the website is secure. This is especially important when shopping online or entering personal information into a website. 

When you see “https” in a URL, the site is using a protocol that encrypts information before it’s sent from your computer to the website’s server. This helps prevent anyone from intercepting and reading your sensitive information as it’s transmitted. 

A lock icon near your browser’s URL field

The padlock icon near your browser’s URL field is another indicator that a webpage is safe to visit. This icon usually appears in the address bar and means the site uses SSL encryption. Security tools and icon and warning appearances depend on the web browser. 

Let’s explore the cybersecurity tools on the three major web browsers: 

  • Safari. In the Safari browser on a Mac, you can simply look for the lock icon next to the website’s URL in the address bar. The lock icon will be either locked or unlocked, depending on whether the site uses SSL encryption. If it’s an unsafe website, Safari generates a red-text warning in the address bar saying “Not Secure” or “Website Not Secure” when trying to enter information in fields meant for personal data or credit card numbers. Safari may also generate an on-page security warning stating, “Your connection is not private” or “Your connection is not secure.” 
  • Google Chrome. In Google Chrome, you’ll see a gray lock icon (it was green in previous Chrome versions) on the left of the URL when you’re on a site with a verified SSL certificate. Chrome has additional indicator icons, such as a lowercase “i” with a circle around it. Click this icon to read pertinent information on the site’s cybersecurity. Google Safe Browsing uses security tools to alert you when visiting an unsafe website. A red caution symbol may appear to the left of the URL saying “Not secure.” You may also see an on-page security message saying the site is unsafe due to phishing or malware. 
  • Firefox. Like Chrome, Mozilla’s Firefox browser will tag all sites without encryption with a distinctive marker. A padlock with a warning triangle indicates that the website is only partially encrypted and may not prevent cybercriminals from eavesdropping. A padlock with a red strike over it indicates an unsafe website. If you click on a field on the website, it’ll prompt you with a text warning stating, “This connection is not secure.” 

In-depth ways to check a website’s safety and security

Overall, the ”https” and the locked padlock icon are good signs that your personal data will be safe when you enter it on a website. But you can ensure a website’s security is up to par in other ways. This section will explore five in-depth methods for checking website safety. 

Use McAfee WebAdvisor

McAfee WebAdvisor is a free toolbar that helps keep you safe online. It works with your existing antivirus software to provide an extra layer of protection against online threats. WebAdvisor also blocks unsafe websites and lets you know if a site is known for phishing or other malicious activity. In addition, it can help you avoid online scams and prevent you from accidentally downloading malware. Overall, McAfee WebAdvisor is a useful tool that can help you stay safe while browsing the web. 

Website trust seals

When you’re browsing the web, it’s important to be able to trust the websites you’re visiting. One way to determine if a website is trustworthy is to look for trust seals. Trust seals are logos or badges that indicate a website is safe and secure. They usually appear on the homepage or checkout page of a website. 

There are many types of trust seals, but some of the most common include the Better Business Bureau (BBB) seal, VeriSign secure seal, and the McAfee secure seal. These seals indicate that a third-party organization has verified the website as safe and secure. 

While trust seals can help determine whether a website is trustworthy, it’s important to remember that they are not foolproof. Website owners can create a fake trust seal, so it’s always important to do your own research to ensure a website is safe before entering personal information. 

Check for a privacy policy

Another way to determine if a website is safe to visit is to check for a privacy policy. A privacy policy is a document that outlines how a website collects and uses personal information. It should also state how the site protects your data from being accessed or shared by scammers, hackers, or other unauthorized individuals. 

If a website doesn’t have a privacy policy, that’s a red flag that you shouldn’t enter any personal information on the site. Even if a website does have a privacy policy, it’s important to read it carefully so you understand how the site uses your personal data. 

Check third-party reviews

It’s important to do some preliminary research before visiting a new website, especially if you’re shopping online or entering personal data like your address, credit card, or phone number. One way to determine if a website is safe and trustworthy is to check third-party reviews. Several websites provide reviews of other websites, so you should be able to find several reviews for any given site.  

Trustpilot is one example of a website that provides reviews of other websites. 

Look for common themes when reading reviews. If most of the reviews mention that a website is safe and easy to use, it’s likely that the site is indeed safe to visit. However, if a lot of negative reviews mention problems with viruses or malware, you might want to avoid the site. 

Look over the website design

You can also analyze the website design when deciding whether a website is safe to visit. Look for spelling errors, grammatical mistakes, and anything that appears off. If a website looks like it was made in a hurry or doesn’t seem to be well-designed, that’s usually a red flag that the site might not be safe. 

Be especially careful of websites that have a lot of pop-ups. These sites are often spammy or contain malware. Don’t download anything from a website unless you’re absolutely sure it’s safe. These malicious websites rarely show up on the top of search engine results, so consider using a search engine to find what you’re looking for rather than a link that redirects you to an unknown website. 

Download McAfee WebAdvisor for free and stay safe while browsing

If you’re unsure whether a website is safe to visit, download McAfee WebAdvisor for free. McAfee WebAdvisor is a program that helps protect you from online threats, such as malware and viruses. It also blocks pop-ups and other intrusive ads so you can browse the web without worry. Plus, it’s completely free to download and use. 

Download McAfee WebAdvisor now and stay safe while browsing the web. 

The post How to Tell Whether a Website Is Safe or Unsafe appeared first on McAfee Blog.

Watch Out for These 3 World Cup Scams

By McAfee

What color jersey will you be sporting this November and December? The World Cup is on its way to television screens around the world, and scores of fans are dreaming of cheering on their team at stadiums throughout Qatar. Meanwhile, cybercriminals are dreaming of stealing the personally identifiable information (PII) of fans seeking last-minute vacation and ticket deals. 

Don’t let the threat of phishers and online scammers dampen your team spirit this World Cup tournament. Here are three common schemes cybercriminals will likely employ and a few tips to help you dribble around their clumsy offense and protect your identity, financial information, and digital privacy. 

1. Fake Contests

Phishers will be out in full force attempting to capitalize on World Cup fever. People wrapped up in the excitement may jump on offers that any other time of the year they would treat with skepticism. For example, in years past, fake contests and travel deals inundated email inboxes across the world. Some companies do indeed run legitimate giveaways, and cybercriminals slip in their phishing attempts among them. 

If you receive an email or text saying that you’re the winner of a ticket giveaway, think back: Did you even enter a contest? If not, treat any “winner” notification with skepticism. It’s very rare for a company to automatically enter people into a drawing. Usually, companies want you to act – subscribe to a newsletter or engage with a social media post, for example – in exchange for your entry into their contest. Also, beware of emails that urge you to respond within a few hours to “claim your prize.” While it’s true that real contest winners must reply promptly, organized companies will likely give you at least a day if not longer to acknowledge receipt. 

2. Travel Scams

Traveling is rarely an inexpensive endeavor. Flights, hotels, rental cars, dining costs, and tourist attraction admission fees add up quickly. In the case of this year’s host country, Qatar, there’s an additional cost for American travelers: visas.  

If you see package travel deals to the World Cup that seem too good to pass up … pass them up. Fake ads for ultra-cheap flights, hotels, and tickets may appear not only in your email inbox but also on your social media feed. Just because it’s an ad doesn’t mean it comes from a legitimate company. Legitimate travel companies will likely have professional-looking websites with clear graphics and clean website copy. Search for the name of the organization online and see what other people have to say about the company. If no search results appear or the website looks sloppy, proceed with caution or do not approach at all. 

Regarding visas, be wary of anyone offering to help you apply for a visa. There are plenty of government-run websites that’ll walk you through the process, which isn’t difficult as long as you leave enough time for processing. Do not send your physical passport to anyone who is not a confirmed government official. 

3. Malicious Streaming Sites

Even fans who’ve given up on watching World Cup matches in person aren’t out of the path of scams. Sites claiming to have crystal clear streams of every game could be malware spreaders in disguise. Malware and ransomware targeting home computers often lurk on sketchy sites. All it takes is a click on one bad link to let a cybercriminal or a virus into your device.  

Your safest route to good-quality live game streams is through the official sites of your local broadcasting company or the official World Cup site. You may have to pay a fee, but in the grand scheme of things, that fee could be a lot less expensive than replacing or repairing an infected device. 

Shore Up Your Defense With McAfee+ 

Here’s an excellent rule to follow with any electronic correspondence: Never send anyone your passwords, routing and account number, passport information, or Social Security Number. A legitimate organization will never ask for your password, and it’s best to communicate any sensitive financial or identifiable information over the phone, not email or text as they can easily fall into the wrong hands. Also, do not wire large sums of money to someone you just met online. 

Don’t let scams ruin your enjoyment of this year’s World Cup! With these tips, you should be able to avoid the most common schemes but to boost your confidence in your online presence, consider signing up for McAfee+. Think of McAfee+ as the ultimate goalkeeper who’ll block any cybercriminals looking to score on you. With identity monitoring, credit lock, unlimited VPN and antivirus, and more, you can surf safely and with peace of mind.  

The post Watch Out for These 3 World Cup Scams appeared first on McAfee Blog.

U.S. Authorities Seize Domains Used in 'Pig butchering' Cryptocurrency Scams

By Ravie Lakshmanan
The U.S. Justice Department (DoJ) on Monday announced the takedown of seven domain names in connection to a "pig butchering" cryptocurrency scam. The fraudulent scheme, which operated from May to August 2022, netted the actors over $10 million from five victims, the DoJ said. Pig butchering, also called Sha Zhu Pan, is a type of scam in which swindlers lure unsuspecting investors into sending

How social media scammers buy time to steal your 2FA codes

By Paul Ducklin
The warning is hosted on a real Facebook page; the phishing uses HTTPS via a real Google server... but the content is all fake

ffs-2fa-1200

Black Friday and retail season – watch out for PayPal “money request” scams

By Paul Ducklin
Don't let a keen eye for bargains lead you into risky online behaviour...

FIFA World Cup 2022 scams: Beware of fake lotteries, ticket fraud and other cons

By Juan Manuel Harán

When in doubt, kick it out, plus other tips for hardening your cyber-defenses against World Cup-themed phishing and other scams

The post FIFA World Cup 2022 scams: Beware of fake lotteries, ticket fraud and other cons appeared first on WeLiveSecurity

What Is Smishing and Vishing, and How Do You Protect Yourself?

By McAfee

Smishing and vishing are scams where criminals attempt to get users to click a fraudulent link through a phone text message, email, or voicemail. These scams are becoming increasingly popular as cybercriminals try to take advantage of people who are more likely to fall for them, such as those who aren’t as familiar with technology or who may be experiencing a crisis. 

Be aware that cybercrime and hacking can happen to anyone. Criminals are always looking for new ways to exploit people, and they know that others may not be cautious or recognize the warning signs of phishing scams when using the internet. That’s why it’s important to be aware of the different types of cybercrime and how to protect yourself. 

This article discusses how to protect yourself from smishing attempts and scams where criminals try to get you to click on a fraudulent link or respond to their voicemail message to steal your personal data. 

What is smishing?

Most people are familiar with phishing scams, where scammers try to trick you into giving them your personal or financial information by pretending to be a legitimate company or organization. But have you ever heard of smishing or vishing? 

Smishing is a type of phishing scam where attackers send SMS messages (or text messages) to trick victims into sharing personal information or installing malware on their devices. Vishing is almost identical to smishing, except cybercriminals use VoIP (Voice over IP) to place phone calls to trick victims instead of SMS (short message service) messages. 

Smishing messages often appear to be from a legitimate source, such as a well-known company or government agency. It may even include urgent language or threats in an effort to get victims to act quickly. In some cases, the message may also include a link that directs victims to a fake website where they are prompted to enter personal information or download malware. 

Examples of a smishing text message

Here are some examples of smishing text messages hackers use to steal your personal details: 

  • “We have detected unusual activity on your account. Please call this number to speak to a customer service representative.” 
  • “You have won a free gift card! Click here to claim your prize.” 
  • “Hi! We noticed that you’re a recent customer of ours. To finish setting up your account, please click this link and enter your personal information.” 
  • “Urgent! Your bank account has been compromised. Please click this link to reset your password and prevent any further fraud.” 
  • “Hey, it’s [person you know]! I’m in a bit of a bind and could really use your help. I sent you a link to my PayPal, could you send me some money?” 

How dangerous can smishing be?

If you fall for a smishing scam, you could end up giving away your personal information or money. Cybercriminals use smishing messages to get personal and financial information, like your credit card number or access to your financial services 

For example, one type of smishing scam is when you get a text message that looks like it’s from your bank. The message might say there’s been suspicious activity on your account and that you need to click on a link to verify your identity. If you do click on the link, you’ll be taken to a fake website where you’ll be asked to enter your banking information. Once the scammers have your login information, they have access to clean out your account. 

How can you protect yourself from smishing?

Smishing scams can be very difficult to spot, but there are some telltale signs to look for and steps to take to protect yourself. 

Recognize the signs of a smishing text

One of the easiest ways to protect yourself from smishing scams is to be able to recognize the signs of a smishing text message. Here are some tips: 

  • Be suspicious of any text messages that ask for personal information or include a link. 
  • Look closely at the sender’s name and number. Fraudulent messages often come from spoofed numbers that may look similar to a legitimate number but with one or two digits off. 
  • Look for errors in spelling or grammar. This can be another sign that the message is not legitimate. 
  • Beware of any text messages that create a sense of urgency or are threatening in nature. Scammers often use these tactics to get you to act quickly without thinking. 
  • If you’re not expecting a message from the sender, be extra cautious. 
  • If you’re unsure whether a text message is legitimate, call the company or organization directly to verify. 

Filter unknown text messages

While you can’t avoid smishing attacks altogether, you can block spam text messages you receive on your mobile phone. iPhone and Android have cybersecurity tools like spam filters and phone number blocking to help protect you from phishing attacks and malicious links. 

To set up spam filters on your iPhone: 

  1. Go to the Settings App 
  2. Go to Messages 
  3. Find the Filter Unknown Senders option and turn it on 

To set up spam filters on your Android mobile device: 

  1. Go to the Messaging App 
  2. Choose Settings 
  3. Tap Spam Protection and turn on Enable Spam Protection 

Use McAfee Mobile Security 

McAfee Mobile Security is a mobile security app that helps protect your phone from malware, phishing attacks, and other online threats. McAfee Mobile Security is available for Android and iOS cell phones. 

One of the benefits of using McAfee Mobile Security is that it can help detect and block smishing attacks. With identity monitoring, McAfee Mobile Security monitors your sensitive information like email accounts, credit card numbers, phone numbers, Social Security numbers, and more to protect against identity theft. They notify you if they find any security breaches. 

Other benefits include: 

  • Antivirus 
  • Secure VPN for privacy online 
  • Identity monitoring for up to 10 emails 
  • Guard your identity against risky Wi-Fi connections 
  • Safe browsing 
  • System Scan for the latest updates 

Keep your device and information secure with McAfee Mobile Security

These days, our lives are more intertwined with our mobile devices than ever. We use them to stay connected with our loved ones on social media, conduct our business, and even access our most personal, sensitive data. It’s no surprise that mobile cybersecurity is becoming increasingly important. 

McAfee Mobile Security is a comprehensive security solution that helps protect your device from viruses, malware, and other online threats. It also offers a variety of other features, like a secure VPN to protect your credit card numbers and other personal data 

Whether you’re browsing your favorite website, keeping up with friends on social media, or shopping online at Amazon, McAfee Mobile Security provides the peace of mind that comes from knowing your mobile device is safe and secure. 

So why wait? Don‘t let the smishers win. Get started today with McAfee Mobile Security and rest easy knowing your mobile device and sensitive information are protected. 

The post What Is Smishing and Vishing, and How Do You Protect Yourself? appeared first on McAfee Blog.

Don’t Get Caught Offsides with These World Cup Scams

By McAfee Labs

Authored by: Christy Crimmins and Oliver Devane

Football (or Soccer as we call it in the U.S.) is the most popular sport in the world, with over 3.5 billion fans across the globe. On November 20th, the men’s World Cup kicks off (pun intended) in Qatar. This event, a tournament played by 32 national teams every four years, determines the sport’s world champion. It will also be one of the most-watched sporting events of at least the last four years (since the previous World Cup). 

An event with this level of popularity and interest also attracts fraudsters and cyber criminals looking to capitalize on fans’ excitement. Here’s how to spot these scams and stay penalty-free during this year’s tournament. 

New Cup, who’s this? 

Phishing is a tool that cybercriminals have used for years now. Most of us are familiar with the telltale signs—misspelled words, poor grammar, and a sender email whose email address makes no sense or whose phone number is unknown. But excitement and anticipation can cloud our judgment. What football fan wouldn’t be tempted to win a free trip to see their home team participate in the ultimate tournament? Cybercriminals are betting that this excitement will cloud fans’ judgment, leading them to click on nefarious links that ultimately download malware or steal personal information. 

It’s important to realize that these messages can come via a variety of channels, including email, text messages, (also known as smishing) and other messaging channels like WhatsApp and Telegram. No matter what the source is, it’s essential to remain vigilant and pause to think before clicking links or giving out personal or banking information.  

For more information on phishing and how to spot a phisher, see McAfee’s “What is Phishing?” blog. 

Real money for fake tickets 

According to ActionFraud, the UK’s national reporting center for fraud and cybercrime, thousands of people were victims of ticket fraud in 2019—and that’s just in the UK. Ticket fraud is when someone advertises tickets for sale, usually through a website or message board, collects the payment and then disappears, without the buyer ever receiving the ticket.  

 

The World Cup is a prime (and lucrative) target for this type of scam, with fans willing to pay thousands of dollars to see their teams compete. Chances are most people have their tickets firmly in hand (or digital wallet) by now, but if you’re planning to try a last-minute trip, beware of this scam and make sure that you’re using a legitimate, reputable ticket broker. To be perfectly safe, stick with well-known ticket brokers and those who offer consumer protection. Also beware of sites that don’t accept debit or credit cards and only accept payment in the form of bitcoin or wire transfers such as the one on the fake ticket site below:  

The red box on the right image shows that the ticket site accepts payment via Bitcoin.  

Other red flags to look out for are websites that ask you to contact them to make payment and the only contact information is via WhatsApp. 

Streaming the matches 

Let’s be realistic—most of us are going to have to settle for watching the World Cup from the comfort of our own home, or the pub down the street. If you’re watching the tournament online, be sure that you’re using a legitimate streaming service. A quick Google of “FIFA World Cup 2022 Official Streaming” along with your country should get you the information you need to safely watch the event through official channels. The FIFA site itself is also a good source of information.  

Illegal streaming sites usually contain deceptive ads and malware which can cause harm to your device.  

Don’t get taken to the bank 

In countries or regions where sports betting is legal, the 2022 World Cup is expected to drive an increase in activity. There’s no shortage of things to bet on, from a simple win/loss to the exact minute a goal will be scored by a particular player. Everything is subject to wager.   

As with our previous examples, this increase in legitimate gambling brings with it an increase in deceptive activity. Online betting scams often start when users are directed to or search for gambling site and end up on a fraudulent one. After placing their bets and winning, users realize that while they may have “won” money, they are unable to withdraw it and are even sometimes asked to deposit even more money to make winnings available, and even then, they still won’t be. By the end of this process, the bettor has lost all their initial money (and then some, potentially) as well as any personal information they shared on the site.  

Like other scams, users should be wary of sites that look hastily put together or are riddled with errors. Your best bet (yes, again, pun intended) is to look for an established online service that is approved by your government or region’s gaming commission. Finally, reading the fine print on incentives or bonuses is always a good idea. If something sounds too good to be true, it’s best to double-check. 

For more on how you can bet online safely, and for details on how legalized online betting works in the U.S., check out our blog on the topic.  

Keep that Connection Secure 

Using a free public Wi-Fi connection is risky. User data on these networks is unprotected, which makes it vulnerable to cyber criminals. Whether you’re traveling to Qatar for a match or watching the them with friends at your favorite pub, if you’re connecting to a public Wi-Fi connection, make sure you use a trusted VPN connection. 

Give scammers a straight red card this World Cup 

For more information on scams, visit our scam education page. Hopefully, with these tips, you’ll be able to enjoy and participate in some of the World Cup festivities, after all, fun is the goal!  

The post Don’t Get Caught Offsides with These World Cup Scams appeared first on McAfee Blog.

The Worst Black Friday and Cyber Monday Scams – And How to Avoid Them

By McAfee

On Black Friday and Cyber Monday, the deals roll out. So do some of the worst Black Friday and Cyber Monday scams. 

Hackers, scammers, and thieves look to cash in this time of year by blending in with the holiday rush, spinning up their own fake shipping notices, phony deals, and even bogus charities that look legitimate at first glance, yet are anything but. Instead, they may be loaded with malware, point you to phishing sites that steal your personal info, or they may simply rip you off.   

Classically, many online scams play on emotions by creating a sense of urgency or even fear. And for the holidays, you can throw stress into that mix as well—the stress of time, money, or even the pressure of finding that hard-to-get gift that seems to be out of stock everywhere. The bad actors out there will tailor their attacks around these feelings, hoping that they’ll catch you with your guard down during this busy time of year. 

”The Five Least Wanted” – Top online shopping scams to avoid 

So while knowing how to spot a great gift at a great price is solid skill to have this time of year, so is the ability to spot a scam. Let’s look at some of the worst ones out there, along with what you can do to steer clear of them. 

1) The fake order scam  

Come this time of year, keeping tabs on all the packages you have in transit can get tricky. You may have an armload of them enroute at any given time, and scammers will look to slip into this mix with phony order confirmations sent to your mailbox or your phone by text. Packed with either an email attachment or a link to a bogus website, they’ll try to get you to download malware or visit a site that attempts to steal your identity.  

These messages can look quite legit, so the best way to keep track of your orders is on the sites where you purchased them. Go directly to those sites rather than clicking on any links or attachments you get. 

2) The phony tracking number scam 

This scam plays out much like the fake order scam, yet in this case the crooks will send a phony package tracking notification, again either as a link or as an attachment. For starters, legitimate retailers won’t send tracking numbers in an attached file. If you see anything like that, it’s surely a scam designed to inject malware onto your device. In the case of a link, the scammers aim to send you to a site that will steal your personal info, just like in the case above.  

Once again, the best way to track your packages is to go to the source. Visit the online store where you made your purchase, open your current orders, and get your package tracking information from there. 

3) The bogus website scam  

A classic scammer move is to “typosquat” phony email addresses and URLs that look awfully close to legitimate addresses of legitimate companies and retailers. So close that you may overlook them. They often appear in phishing emails and instead of leading you to a great deal, these can in fact link you to scam sites that can then lift your login credentials, payment info, or even funds should you try to place an order through them.  

You can avoid these sites by going to the retailer’s site directly. Be skeptical of any links you receive by email, text, or direct message—it’s best to go to the site yourself by manually typing in the legitimate address yourself and look for the deal there.  

4) The hot deal scam  

At the heart of holiday shopping is scarcity. And scarcity is something scammers love. There’s always some super-popular holiday item that’s tough to find, and scammers will spin up phony websites and offers around those items to lure you in. They may use the typosquatting technique mentioned above to pose as a legitimate retailer, or they may set up a site with their own branding to look legitimate on their own (or at least try). Either way, these scams can hurt you in a couple of ways—one, you’ll pay for the goods and never receive them; and two, the scammers will now have your payment info and address, which they can use to commit further fraud. 

If the pricing, availability, or delivery time all look too good to be true for the item in question, it may be a scam designed to harvest your personal info and accounts. Use caution here before you click. If you’re unsure about a product or retailer, read reviews from trusted websites to help see if it’s legitimate. (The Better Business Bureau is a great place to start—more on that in moment.) 

5) The fake charity scam 

In the season of giving, donating to charities in your name or in the name of others makes for a popular holiday gesture. Scammers know this too and will set up phony charities to cash in. Some indications that a phony charity has reached you include an urgent pitch that asks you to “act now.” A proper charity will certainly make their case for a donation, yet they won’t pressure you into it. Moreover, phony charities will outright ask for payment in the form of gift cards, wire transfers (like Western Union), money orders, or even cryptocurrency—because once those funds are sent, they’re nearly impossible to reclaim when you find out you’ve been scammed. 

There are plenty of ways to make donations to legitimate charities, and the U.S. Federal Trade Commission (FTC) has a site full of resources so that you can make your donation truly count 

So, how can I avoid getting scammed on Black Friday and Cyber Monday? 

Some of it takes an eagle eye that can spot these scams as they pop up in your inbox, texts, social media feed, and so on. Yet you have further ways you can keep safe while shopping on Black Friday, Cyber Monday, and any time. 

Stick with known, legitimate retailers online 

This is a great one to start with. Directly typing in the correct address for online stores and retailers is a prime way to avoid scammers online. In the case of retailers that you don’t know much about, the U.S. Better Business Bureau (BBB) asks shoppers to do their research and make sure that retailer has a good reputation. The BBB makes that easier with a listing of retailers you can search simply by typing in their name. 

Look for the lock icon in your browser when you shop 

Secure websites begin their address with “https,” not just “http.” That extra “s” in stands for “secure,” which means that it uses a secure protocol for transmitting sensitive info like passwords, credit card numbers, and the like over the internet. It often appears as a little padlock icon in the address bar of your browser, so double-check for that. If you don’t see that it’s secure, it’s best to avoid making purchases on that website.  

Pay with a credit card instead of your debit card  

In the U.S., the Fair Credit Billing Act offers the public protection against fraudulent charges on credit cards, where citizens can dispute charges over $50 for goods and services that were never delivered or otherwise billed incorrectly. Note that many credit card companies have their own policies that improve upon the Fair Credit Billing Act as well. However, debit cards aren’t afforded the same protection under the Act. Avoid using a debit card while shopping online and use your credit card instead.  

Use two-factor authentication on your accounts  

Two-factor authentication is an extra layer of defense on top of your username and password. It adds in the use of a special one-time-use code to access your account, usually sent to you via email or to your phone by text or a phone call. In all, it combines something you know, like your password, with something you have, like your smartphone. Together, that makes it tougher for a crook to hack your account. If any of your accounts support two-factor authentication, the few extra seconds it takes to set up is more than worth the big boost in protection you’ll get.  

Use a VPN if you’re shopping on public Wi-Fi  

Public Wi-Fi in coffee shops and other public locations can expose your private surfing to prying eyes because those networks are open to all. Using a virtual private network (VPN) encrypts your browsing, shopping, and other internet traffic, thus making it secure from attempts at intercepting your data on public Wi-Fi, such as your passwords and credit card numbers.  

What’s more, a VPN masks your whereabouts and your IP address, plus uses encryption that helps keep your activities private. As a result, companies and data brokers can potentially learn far less about you, your shopping, your travels, your habits, and any other information that they could possibly collect and otherwise profit from. 

Clean up your personal data online 

Yes, it’s true. Your information gets collected, bought, and solid online. In fact, personal information fuels a global data trading economy estimated at $200 billion U.S. dollars a year. Run by data brokers that keep hundreds and even thousands of data points on billions of people, these sites gather, analyze, buy, and sell this information to other companies as well as to advertisers. Likewise, these data brokers may sell this information to bad actors, such as hackers, spammers, and identity thieves who would twist this information for their own purposes. 

Getting your info removed from these sites can seem like a daunting task. (Where do I start, and just how many of these sites are out there?) Our Personal Data Cleanup can help by regularly scanning these high-risk data broker sites for info like your home address, date of birth, and names of relatives. It identifies which sites are selling your data, and depending on your plan, automatically requests removal. 

Protect your identity from identity thieves 

Another place where personal information is bought and sold, stored, and exchanged is the dark web. The problem is that it’s particularly difficult for you to determine what, if any, of your info is on the dark web, stashed away in places where hackers and thieves can get their hands on it. Identity monitoring can help. McAfee’s identity monitoring helps you keep your personal info safe by alerting you if your data is found on the dark web, an average of 10 months before our competitors. 

Monitored info can range anywhere from bank account and credit card numbers to your email addresses and government ID number, depending on your location. If your information gets spotted, you’ll get an alert, along with steps you can take to minimize or even prevent damage if the information hasn’t already been put to illegal use. 

Take advantage of identity protection 

Identity protection through McAfee takes identity monitoring a step further by offering, depending on your location and plan, identity theft coverage for financial losses and expenses due to identity theft, in addition to hands-on help from a recovery professional to help restore your identity—all in addition to the identity monitoring called out above, again depending on your location and plan. 

Monitor your credit 

Keeping an eye on your bills and statements as they come in can help you spot unusual activity on your accounts. A credit monitoring service can do that one better by keeping daily tabs on your credit report. While you can do this manually, there are limitations. First, it involves logging into each bureau and doing some digging of your own. Second, there are limitations as to how many free credit reports you can pull each year. A service does that for you and without impacting your credit score. 

Depending on your location and plan, McAfee’s credit monitoring allows you to look after your credit score and the accounts within it to see fluctuations and help you identify unusual activity, all in one place, checking daily for signs of identity theft. 

Use protection while you shop  

A complete suite of online protection software like McAfee+ can offer layers of extra security while you shop. In addition to the VPN, identity, credit monitoring, and other features mentioned above, it includes web browser protection that can block malicious and suspicious links that could lead you down the road to malware or a phishing scam—along with a password manager that can create strong, unique passwords and store them securely as well. Taken together, McAfee+ offers all-in-one online protection for your identity, privacy, and security that can keep you far safer when you shop online—and as you spend your time online in general. 

What should I do if I fall victim to a Black Friday or Cyber Monday scam? 

Even if you take the proper precautions the unexpected can happen. Whether it’s a scam, an identity crime, or flat-out theft, there are steps you can take right away to help minimize the damage. 

The first bit of advice is to take a deep breath and get right to work on recovery. From there, you can take the following steps: 

1. Notify the companies involved 

Whether you spot a curious charge on your bank statement, discover potentially a fraudulent account when you check credit report, or when you get an alert from your monitoring service, let the bank or organization involved know you suspect fraud or theft. With a visit to their website, you can track down the appropriate number to call and get the investigation process started. 

2. File a police report 

Some businesses will require you to file a local police report and acquire a case number to complete your claim. Beyond that, filing a report is a good idea in itself. Identity theft is still theft and reporting it provides an official record of the incident. Should your case of identity theft lead to someone impersonating you or committing a crime in your name, filing a police report right away can help clear your name down the road. Be sure to save any evidence you have, like statements or documents that are associated with the theft. They can help clean up your record as well. 

3. Contact your governmental anti-fraud or trade organization 

In the U.S., the identity theft website from the Federal Trade Commission (FTC) is a fantastic resource should you find yourself in need. In addition to keeping records of the theft, the FTC can provide you with a step-by-step recovery plan—and even walk you through the process if you create an account with them. Additionally, reporting theft to the FTC can prove helpful if debtors come knocking to collect on any bogus charges in your name. With a copy of your report, you can ask debtors to stop. 

4. Put on a credit freeze or lock 

An instance of identity fraud or theft, suspected or otherwise, is a good time to review your options for a credit freeze or lock. As mentioned earlier, see what the credit bureaus in your region offer, along with the terms and conditions of each. With the right decision, a freeze or lock can help minimize and prevent further harm. 

5. Continue to monitor 

Strongly consider using a monitoring service like the one we described earlier to help you continue to keep tabs on your identity. The unfortunate fact of identity theft and fraud is that it can mark the start of a long, drawn-out affair. One instance of theft can possibly lead to another, so even what may appear to be an isolated bad charge on your credit card calls for keeping an eye on your identity all around. Many of the tools you would use up to this point still apply, such as checking up on your credit reports, maintaining fraud alerts as needed, and reviewing your accounts closely—along with utilizing an identity monitoring service. 

6. Work with a recovery pro 

A recovery service can help you clean up your credit in the wake of fraud or theft, all by working on your behalf. Given the time, money, and stress that can come along with setting your financial record straight, leaning on the expertise of a professional can provide you with much-needed relief on several counts. 

Take an extra moment to spot those Black Friday and Cyber Monday scams  

Just as it’s always been, hackers, scammers, and thieves want to ruin a good thing. In this case, it’s your spirit of giving and sharing in the holiday season. Yet with this list of top scams and ways you can avoid them, you can keep bad actors like them at bay. Remember, they’re counting on you to be in a hurry this time of year, and maybe a bit stressed and a little disorganized to boot. Take your time while shopping out there and keep an eye out for their tricks. That extra moment can save you far more time and money than you may think. 

The post The Worst Black Friday and Cyber Monday Scams – And How to Avoid Them appeared first on McAfee Blog.

Trick or treat? Stay so cyber‑safe it’s scary – not just on Halloween

By André Lameiras

Gather around, folks, to learn about some of the ghastliest tricks used by criminals online and how you can avoid security horrors this Halloween and beyond

The post Trick or treat? Stay so cyber‑safe it’s scary – not just on Halloween appeared first on WeLiveSecurity

Parcel delivery scams are on the rise: Do you know what to watch out for?

By Phil Muncaster

As package delivery scams that spoof DHL, USPS and other delivery companies soar, here’s how to stay safe not just this shopping season

The post Parcel delivery scams are on the rise: Do you know what to watch out for? appeared first on WeLiveSecurity

Don’t get scammed when buying tickets online

By Jake Moore

With hot-ticket events firmly back on the agenda, scammers selling fake tickets online have also come out in force

The post Don’t get scammed when buying tickets online appeared first on WeLiveSecurity

10 common Zelle scams – and how to avoid them

By Phil Muncaster

Fraudsters use various tactics to separate people from their hard-earned cash on Zelle. Here’s how to keep your money safe while using the popular P2P payment service.

The post 10 common Zelle scams – and how to avoid them appeared first on WeLiveSecurity

The Seven Main Phishing Lures of Cybercriminals

By McAfee

One of the oldest tricks in the cybercrime playbook is phishing. It first hit the digital scene in 1995, at a time when millions flocked to America Online (AOL) every day. And if we know one thing about cybercriminals, it’s that they tend to follow the masses. In earlier iterations, phishing attempts were easy to spot due to link misspellings, odd link redirects, and other giveaways. However, today’s phishing tricks have become personalized, advanced, and shrouded in new disguises. So, let’s take a look at some of the different types, real-world examples and how you can recognize a phishing lure.

Be Wary of Suspicious Emails

Every day, users get sent thousands of emails. Some are important, but most are just plain junk. These emails often get filtered to a spam folder, where phishing emails are often trapped. But sometimes they slip through the digital cracks, into a main inbox. These messages typically have urgent requests that require the user to input sensitive information or fill out a form through an external link. These phishing emails can take on many personas, such as banking institutions, popular services, and universities. As such, always remember to stay vigilant and double-check the source before giving away any information.

Link Look-A-Likes

A sort of sibling to email phishing, link manipulation is when a cybercriminal sends users a link to malicious website under the ruse of an urgent request or deadline. After clicking on the deceptive link, the user is brought to the cybercriminal’s fake website rather than a real or verified link and asked to input or verify personal details. This exact scenario happened last year when several universities and businesses fell for a campaign disguised as a package delivery issue from FedEx. This scheme is a reminder that anyone can fall for a cybercriminals trap, which is why users always have to careful when clicking, as well as ensure the validity of the claim and source of the link. To check the validity, it’s always a good idea to contact the source directly to see if the notice or request is legitimate.

Gone Whaling

Corporate executives have always been high-level targets for cybercriminals. That’s why C-suite members have a special name for when cybercriminals try to phish them – whaling. What sounds like a silly name is anything but. In this sophisticated, as well as personalized attack, a cybercriminal attempts to manipulate the target to obtain money, trade secrets, or employee information. In recent years, organizations have become smarter and in turn, whaling has slowed down. Before the slowdown, however, many companies were hit with data breaches due to cybercriminals impersonating C-suite members and asking lower-level employees for company information. To avoid this pesky phishing attempt, train C-suite members to be able to identify phishing, as well as encourage unique, strong passwords on all devices and accounts.

Spear Target Acquired

 Just as email spam and link manipulation are phishing siblings, so too are whaling and spear-phishing. While whaling attacks target the C-suite of a specific organization, spear-phishing rather targets lower-level employees of a specific organization. Just as selective and sophisticated as whaling, spear-phishing targets members of a specific organization to gain access to critical information, like staff credentials, intellectual property, customer data, and more. Spear-phishing attacks tend to be more lucrative than a run-of-the-mill phishing attack, which is why cybercriminals will often spend more time crafting and obtaining personal information from these specific targets. To avoid falling for this phishing scheme, employees must have proper security training so they know how to spot a phishing lure when they see one.

Spoofed Content

With so many things to click on a website, it’s easy to see why cybercriminals would take advantage of that fact. Content spoofing is based on exactly that notion – a cybercriminal alters a section of content on a page of a reliable website to redirect an unsuspecting user to an illegitimate website where they are then asked to enter personal details. The best way to steer clear of this phishing scheme is to check that the URL matches the primary domain name.

Phishing in a Search Engine Pond

 When users search for something online, they expect reliable resources. But sometimes, phishing sites can sneak their way into legitimate results. This tactic is called search engine phishing and involves search engines being manipulated into showing malicious results. Users are attracted to these sites by discount offers for products or services. However, when the user goes to buy said product or service, their personal details are collected by the deceptive site. To stay secure, watch out for potentially sketchy ads in particular and when in doubt always navigate to the official site first.

Who’s That Caller?

With new technologies come new avenues for cybercriminals to try and obtain personal data. Vishing, or voice phishing, is one of those new avenues. In a vishing attempt, cybercriminals contact users by phone and ask the user to dial a number to receive identifiable bank account or personal information through the phone by using a fake caller ID. For example, just last year, a security researcher received a call from their financial institution saying that their card had been compromised. Instead of offering a replacement card, the bank suggested simply blocking any future geographic-specific transactions. Sensing something was up, the researcher hung up and dialed his bank – they had no record of the call or the fraudulent card transactions. This scenario, as sophisticated as it sounds, reminds users to always double-check directly with businesses before sharing any personal information.

As you can see, phishing comes in all shapes and sizes. This blog only scratches the surface of all the ways cybercriminals lure unsuspecting users into phishing traps. The best way to stay protected is to invest in comprehensive security and stay updated on new phishing scams.

The post The Seven Main Phishing Lures of Cybercriminals appeared first on McAfee Blog.

❌