Let’s face it, the online world is full of scammers, hackers and thieves. Being in the IT industry, I see the effects it can have on a company or individual. Even with the best antivirus software, the most secure firewall, and the latest operating system – you can still be a victim. That’s because hackers and scammers realize they can trick you into doing something much more easily than writing a program to circumvent your protection. While there are many tactics for this, there are some common ones I come across almost daily.
Beware of pop-ups claiming your computer is infected
One common tactic that scammers use is to advertise with a pop-up window or browser hijack that claims your computer is infected with a virus. The scary warning states your credit card numbers, personal banking files, chat logs and other private information are at risk. The ad provides a phone number and advises you to call tech support for assistance. However, calling the number is the last thing you would want to do. The scammers will take your credit card number, ask you to give them remote access to your computer, and then install more malware.
If you encounter one of these pop-ups, close the windows and run a full virus and malware scan, or contact your IT provider for assistance. Never give control of your computer to a third party unless it’s an IT provider you already have a relationship with.
Hang up on unknown tech support requests
While many scams use email and web ads to get your attention, cyber criminals also use the telephone. The scammer will call claiming to be from a recognized IT company such as Microsoft or Google, and tell you that your computer is infected. They might sound very convincing, knowing your name and address or other information about you. They will try and convince you to install software or visit a website that gives them access to your computer. They may also try to get your credit card information so they can bill you for phony services.
If you receive one of these unsolicited calls, hang up. These companies will rarely call you out of the blue. If you think it might be a legitimate call, you can always call back on the published number of the company. This lets you be certain you are speaking with a true representative, and not someone posing as one.
Holiday Scams & Malware Campaigns
US-CERT reminds users to remain vigilant when browsing or shopping online this holiday season. Emails and ecards from unknown senders may contain malicious links. Fake advertisements or shipping notifications may deliver attachments infected with malware. Spoofed email messages and phony posts on social networking sites may request support for fraudulent causes.
To avoid seasonal campaigns that could result in security breaches, identity theft, or financial loss, users are encouraged to take the following actions:
- Avoid following unsolicited links or downloading attachments from unknown sources.
- Refer to these Tips to learn more about Shopping Safely Online and Avoiding Social Engineering and Phishing Attacks.
- Visit the Federal Trade Commission’s Consumer Information page on Charity Scams.
Offers too good to be true
Online classified ad websites like Craigslist are great for selling that old snowmobile, or finding a good deal on a car – but as the old adage goes “if it sounds too good to be true, it probably is”! I’ve sold lots of gear on Craigslist, and receive a fair amount of scammers trying their luck. More often than not they’ll attempt to convince you to ship an item, or pay a deposit if you’re trying to purchase something. Much of this is now done through text messaging, as it is perceived to be more believable. Scammers will also post an ad for something of extreme value, but listed at a very low price.
If you’re selling or buying something on a classifieds site, be wary. Never accept offers of bank checks, certified checks or wire funds. Deal locally with people you can meet face-to-face. Never give out financial information.
Boss says pay the bills
Another scam known as “spear phishing” targets key people, usually executives or those with financial authority at a business. An email is sent that appears to be forwarded from someone in authority, such as the chief financial officer or the owner, asking to wire money to a vendor. The email may contain fake correspondence between whoever can authorize the transaction and the vendor or company, making it appear genuine. Even the email address itself may be “spoofed”, meaning the “from” line is altered to seem like a legitimate email address that matches the person being impersonated.
While you may think it would be easy to recognize, these emails can be very difficult to identify. I have personally witnessed four of these attempts with clients, at least two of which were successful in taking money. These are local businesses that have been robbed. In two of these cases, the executive was out of the country – and the scammer knew this because it was posted on the executive’s social media accounts.
While good spam filtering can help weed out some of these types of emails, no system is going to get 100% of them. Businesses should have policies and procedures in place that require verbal verification of money transfers such as these, and train employees to recognize these types of attempts.
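To make the spoofed “from” line concrete, here is an added example (not part of the original article) of the header checks a mail filter or a helpdesk reviewer can apply to a suspicious payment request. The function name, the flag names, the addresses and the sample message are all constructed for illustration, and it assumes the Authentication-Results header was written by your own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PAYMENT_WORDS = re.compile(r"\b(wire|payment|invoice)\b", re.I)

# Constructed sample: the From line is forged to show the real CFO address.
SAMPLE = """\
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer.invalid; dmarc=fail header.from=example.test
From: "Jane Roe" <jane.roe@example.test>
Reply-To: "Jane Roe" <jane.roe.cfo@freemail.invalid>
To: accounts@example.test
Subject: Fwd: Wire transfer for vendor invoice

Please wire the payment today. I am travelling and cannot take calls.
"""

def domain_of(address):
    return address.rpartition("@")[2].lower()

def spoof_indicators(raw, org_domain, executives):
    """Return triage flags for one raw email message (hypothetical helper)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Assumption: this header comes from our own mail server. A copy supplied
    # by the sender proves nothing and should be stripped at the gateway.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail)\b", auth):
            findings.append(f"{mech}-fail")
    # The From line looks right, but replies are diverted to another domain.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("reply-to-domain-mismatch")
    # An executive's display name on an address outside the organisation.
    name_hit = any(n.lower() in from_name.lower() for n in executives)
    if name_hit and domain_of(from_addr) != org_domain.lower():
        findings.append("executive-name-external-address")
    # A payment request raises the priority of the other flags.
    body = "" if msg.is_multipart() else msg.get_payload()
    if PAYMENT_WORDS.search(msg.get("Subject", "") + " " + body):
        findings.append("payment-request")
    return findings

if __name__ == "__main__":
    print(spoof_indicators(SAMPLE, "example.test", ["Jane Roe"]))
```

These flags are triage signals only; a message that raises none of them still needs the verbal verification described above before any money moves.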
Ask and you shall receive.
Right around tax season, this scam starts to ramp up. Either through email or a phone call, the scammer asks for personal information, such as social security numbers, dates of birth and other sensitive information. They may pose as an IRS employee, payroll or bookkeeper, even a principal at an organization. The scammer then uses this information to file tax returns and collect the refunds.
Beware of emails or phone calls claiming to be the IRS, or posing as someone in authority asking for sensitive information. Pick up the phone and call the person to confirm before providing any information. If you do need to email sensitive information, use a secure email system that encrypts the data. If you aren’t sure if you have this, ask your IT person.