P.J. Hoerr Security Blog
FINDING RISK - EDUCATING ON RISK - DRIVING CHANGE TO REDUCE RISK
THINK BEFORE YOU CLICK
AS ALWAYS THINK BEFORE YOU CLICK
Tuesday, May 26, 2020
Banking Scam Emails - Phone Calls - Texts
Always watch for text messages, phone calls or emails that ask you for private information. Companies have warned their customers of these types of scams: “Don’t reply to an email, phone call or text message that tells you your account has been compromised, then asks you to give or confirm your personal or account information.” Also, never follow any links directly from a text message or email. If the service has a problem with your account, you can resolve it by going to the website yourself or calling the company directly.
Thursday, January 30, 2020
Amazon Scam Phone Calls
Action Fraud, a fraud reporting center, has warned of a widespread phone scam targeting Amazon customers. The phone calls are automated and inform recipients that their Amazon account has been hacked. Victims are asked to press “1” in order to be connected with a human. This human then uses social engineering (that is, persuasion) to convince the victim to install remote access software on their computer. That software then allows the attackers to steal financial information.
If you receive a phone call like this and are unsure of its legitimacy, Action Fraud says you should hang up and call Amazon using the customer service line on its website.
Unsolicited requests to remotely access your computer should always raise a red flag. It’s easy to feel embarrassed when faced with an unexpected or complex conversation, but it’s okay to stop the discussion if you do not feel in control of it. If you’ve received an unexpected phone call, or other communication, stop and take a minute to think about whether the organization would really get in touch with you out of the blue in this way. Instead, contact them yourself using a known email address or phone number.
Amazon echoed this advice in a statement, emphasizing that it won’t ask for personal information over the phone.
If you receive a suspicious phone call, email or text message claiming to be from Amazon, asking for payment, personal information or offering a refund you do not expect, please do not share any personal information, and disconnect any phone call immediately, the company said. Please also note that Amazon will never ask for your personal information, or ask you to make a payment outside of their website. If you received an e-mail regarding an order or Prime membership, or anything that you don't recognize, please forward the e-mail to stop-spoofing@amazon.com and then delete it. Do not click on any links in such emails.
Monday, December 9, 2019
Crooks are exploiting unpatched Android flaw to drain users’ bank accounts
Hackers are actively exploiting StrandHogg, a newly revealed Android vulnerability, to steal users’ mobile banking credentials and empty their accounts, a Norwegian app security company has warned.
“StrandHogg is unique because it enables sophisticated attacks without the need for the device to be rooted. To carry out attacks, the attacker doesn’t need any special permissions on the device. The vulnerability also allows an attacker to masquerade as nearly any app in a highly believable manner,” they noted.
StrandHogg allows attackers to show users fake login screens and ask for all types of permissions that may ultimately allow them to:
- Read and send SMS messages (including those delivering second authentication factors)
- Phish login credentials
- Make and record phone conversations
- Listen to the user through the microphone
- Take photos through the device’s camera
- Get access to photos, files on the device, location and GPS information, the contacts list, phone logs, etc.
Since, according to the researchers, there is no effective block or reliable detection method against StrandHogg on Android devices, users are advised to be on the lookout for things like:
- An app asking for permissions it shouldn’t need. For example, a calculator app asking for GPS permission.
- Permission pop-ups that don’t contain an app name.
- Typos and mistakes in the user interface.
- Buttons and links in the user interface that do nothing when clicked.
- The back button not working as expected.
As always, you can keep yourself safer—not fully protected, but safer—by sticking to recommended apps on the Google Play Store. If an app seems suspicious in name, description, or awkwardness of reviews, do a little extra research to vet it before you slap it on your device. And resist the urge to sideload apps outside of the Google Play Store; you never know what you’re installing on your device, and you lose any potential protections Google can provide. And once a “dropper” app gets on your device, installing something that can then masquerade as a real app is all too easy.
How do I get rid of StrandHogg-exploiting apps?
If you think you’re stuck with an app that’s exploiting StrandHogg, you can always factory-reset your device. Set it up as a brand-new device, rather than restoring from a backup, and you’ll be back to square one.
Otherwise, you’ll have to figure out which app on your device is sketchy. I think the easiest way to do this is to just start from scratch or, at minimum, delete any apps on your device that you’ve previously downloaded.
You can also try installing Lookout’s Security & Antivirus app, but there’s no guarantee that it’ll be able to detect every StrandHogg-exploiting app on your device.
Monday, October 14, 2019
Cybersecurity Tips
Don't click on direct links (in emails, text messages, etc.), especially those that are asking you to enter sensitive information. It's best to go directly to the source/website.
Don't respond to phone requests asking for personal or financial information. If you are concerned, find the correct number and call the organization yourself.
Don't overshare on social media. These details can provide hackers with your location, ammunition to craft spear phishing attacks, and answers to security questions. Think before you share!
Don’t go “out of bounds” for comms. For example, if you’re buying something on eBay and the other party wants to negotiate via email instead of through the bidding system.
Look out for emails which claim to have your password and say they’ve seen you visit bad websites, or recorded you in compromising positions.
Be skeptical of any request to change banking or wiring instructions, even if from a trusted person who you regularly conduct business with. Always verify before following through by calling the person using a previously discussed phone number.
Never reuse passwords between any website or service.
Always be skeptical of any unexpected invoice, or request to get or pay for anything by using gift cards.
Create policies which require people getting unexpected requests for payment or changes in payment information to first verify by directly calling the person using a previously trusted phone number.
Never answer authentication recovery questions (e.g. What is your mother’s maiden name?) with real answers. Avoid them altogether if you can, but if you are forced to use them, don’t use real answers. Treat each question and answer as a sort of password (e.g. frogdog65). Sadly, that means you’ll have to write down each question and answer for each website that requires them, but you’ll be far less likely to have your account hijacked.
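The recovery-question tip above amounts to treating each answer as a generated secret rather than a fact. The following is an added example, not code from this blog: it generates random answers with Python's secrets module, checks that no real, discoverable fact (a constructed sample list) ended up inside one, and shows the guessing work a random answer gives compared with a name anyone could look up. The site name, questions and facts are all constructed for the example.

```python
import math
import secrets
import string

# Answers use lowercase letters and digits so they can be typed back on any site;
# each symbol drawn uniformly adds log2(36) ≈ 5.17 bits of guessing work.
ALPHABET = string.ascii_lowercase + string.digits


def random_answer(length=16):
    """A random answer unrelated to any real fact; store it in a password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing work for a uniformly random answer of this length."""
    return length * math.log2(alphabet_size)


def leaks_real_fact(answer, personal_facts):
    """True if any real fact (maiden name, pet, street) appears inside the answer."""
    lowered = answer.lower()
    return any(fact.lower() in lowered for fact in personal_facts if fact)


def generate_answers(site, questions, personal_facts=(), length=16):
    """Return {(site, question): answer}; regenerate if an answer happens to contain a real fact."""
    book = {}
    for question in questions:
        answer = random_answer(length)
        while leaks_real_fact(answer, personal_facts):
            answer = random_answer(length)
        book[(site, question)] = answer
    return book


if __name__ == "__main__":
    # Constructed sample: the "real" facts a scraper could find on social media.
    facts = ["Smith", "Rex", "Lincoln"]
    book = generate_answers(
        "examplebank.example",
        ["What is your mother's maiden name?", "What was your first pet's name?"],
        facts,
    )
    for (site, question), answer in book.items():
        print(site, "|", question, "|", answer, f"({entropy_bits(len(answer)):.0f} bits)")
```

The point of the entropy figure is the contrast: a 16-character random answer is roughly 83 bits of work, while a real maiden name is one lookup away.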
Tuesday, September 24, 2019
[Scam of the Week] Heads-Up: Amazon Phishing Attack in Progress
HackRead has come across a phishing scam that’s trying to trick Amazon customers into handing over their account credentials, personal information, and financial details. The phishing emails purport to be notifications from Amazon informing the recipient that they need to update their information within twenty-four hours or their account will be permanently disabled.
When a victim clicks the “Update Now” button in the email, they’ll be taken to a convincing imitation of an Amazon login page. After the victim enters their credentials, the phishing page will present a form for them to input their name, address, city, state, ZIP code, phone number, and date of birth. Next, they’ll be asked to provide their credit card and bank account information.
Finally, the phishing site informs the victim that their account has been recovered and says they’ll be automatically logged out. The victim is then redirected to the real Amazon website.
Monday, September 16, 2019
Video Becomes the Next Big Bait for Social Engineering
Scammers are always looking for new ways to get potential victims to engage. It appears that the latest trend is to leverage our familiarity with watching video to spawn an attack.
Every day, people all over the world engage with video content on social media as a stimulating medium to learn from or be entertained by. So it makes sense that the bad guys would want to take advantage of people’s lowered defenses through the use of fake links to videos.
Video links can be sent to a potential victim via email or social media channels, usually using an “Is this you in the video???” angle of attack to create an emotional response – and get them to click.
It’s important to note that almost none of these attacks involve video at all; they are simply creating the need for a victim to click a malicious link under the guise of it being a video of interest.
You should always be wary of such requests, even when they seemingly come from someone you know. Hacked social media accounts are valuable social engineering assets to cybercriminals, as they can be used to send the same “Is this you?” message to everyone connected to the compromised account.
Friday, August 9, 2019
Smishing and Vishing
What is smishing?
Smishing definition: Smishing (SMS phishing) is a type of phishing attack conducted using SMS (Short Message Services) on cell phones.
Just like email phishing scams, smishing messages typically include a threat or enticement to click a link or call a number and hand over sensitive information. Sometimes they might suggest you install some security software, which turns out to be malware.
Smishing example: A typical smishing text message might say something along the lines of, “Your ABC Bank account has been suspended. To unlock your account, tap here: https://bit.ly/2LPLdaU” and the link provided will download malware onto your phone. Scammers are also adept at adjusting to the medium they’re using, so you might get a text message that says, “Is this really a pic of you? https://bit.ly/2LPLdaU” and if you tap that link to find out, once again you’re downloading malware.
What is vishing?
Vishing definition: Vishing (voice phishing) is a type of phishing attack that is conducted by phone and often targets users of Voice over IP (VoIP) services like Skype.
It’s easy for scammers to fake caller ID, so they can appear to be calling from a local area code or even from an organization you know. If you don’t pick up, they’ll leave a voicemail message asking you to call back. Sometimes these kinds of scams will employ an answering service or even a call center that’s unaware of the crime being perpetrated.
Once again, the aim is to get credit card details, birthdates, account sign-ins, or sometimes just to harvest phone numbers from your contacts. If you respond and call back, there may be an automated message prompting you to hand over data and many people won’t question this, because they accept automated phone systems as part of daily life now.
How to prevent smishing and vishing
We’re on our guard a bit more with email nowadays because we’re used to receiving spam and scams are common, but text messages and calls can still feel more legitimate to many people. As we do more of our shopping, banking, and other activities online through our phones, the opportunities for scammers proliferate. To avoid becoming a victim you have to stop and think.
Although the advice on how to avoid getting hooked by phishing scams was written with email scams in mind, it applies to these new forms of phishing just as well. At root, trusting no one is a good place to start. Never tap or click links in messages, look up numbers and website addresses and input them yourself. Don’t give any information to a caller unless you’re certain they are legitimate – you can always call them back.
It’s better to be safe than sorry, so always err on the side of caution. No organization is going to rebuke you for hanging up and then calling them directly (having looked up the number yourself) to ensure they really are who they say they are.
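The advice in this post and in the banking-scam post above (never tap a link in a message; type the address yourself) can be turned into a few mechanical checks. The following is an added example, not code from this blog or from any of the companies it quotes: it scans sample text messages for links and flags the signals the posts describe, namely a link shortener that hides the destination, a brand name inside a lookalike hostname, a non-HTTPS link, and urgent or “is this you?” wording paired with a link. The first two sample messages mirror the smishing texts quoted above; the others, the trusted-domain list and the `.example` hostnames are constructed for the example, and the registrable-domain helper is a deliberate last-two-labels approximation.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages: the first two mirror the smishing texts quoted
# above, the other two are invented for this example.
SAMPLE_MESSAGES = [
    "Your ABC Bank account has been suspended. To unlock your account, tap here: https://bit.ly/2LPLdaU",
    "Is this really a pic of you? https://bit.ly/2LPLdaU",
    "Your Amazon account will be disabled in 24 hours. Update now: http://amazon.com-account-update.example/login",
    "Your order has shipped. Track it at https://www.amazon.com/orders.",
]

# Assumption: the reader maintains their own list of domains they actually use.
TRUSTED_DOMAINS = {"amazon.com", "abcbank.example"}

# Public link shorteners hide the real destination, so treat them as opaque.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(suspended|disabled|24 hours|immediately|unlock|verify now|update now)\b", re.IGNORECASE)
LURE_RE = re.compile(r"\bis this\b[^?]*\byou\b", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?)"


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    This ignores multi-label public suffixes such as co.uk (no suffix list
    offline), which is good enough to demonstrate the lookalike check."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_url(url):
    """Return the reasons a single URL deserves suspicion (empty list = nothing flagged)."""
    url = url.rstrip(TRAILING_PUNCT)  # drop sentence punctuation glued to the link
    parsed = urlparse(url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    reasons = []
    if domain in SHORTENERS:
        reasons.append("link shortener hides the real destination")
    if parsed.scheme.lower() != "https":
        reasons.append("not HTTPS")
    if "@" in parsed.netloc:
        reasons.append("'@' in the URL can disguise the real host")
    # Lookalike: a trusted brand name appears somewhere in the hostname,
    # but the registrable domain is not the one the reader actually uses.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and domain != trusted:
            reasons.append(f"'{brand}' in hostname but domain is {domain}, not {trusted}")
    return reasons


def assess_message(text):
    """Map each URL in a message to its reasons, adding message-level lure signals."""
    urgency = bool(URGENCY_RE.search(text))
    lure = bool(LURE_RE.search(text))
    findings = {}
    for raw_url in URL_RE.findall(text):
        reasons = assess_url(raw_url)
        if urgency:
            reasons.append("urgent wording paired with a link")
        if lure:
            reasons.append("'is this you?' lure paired with a link")
        findings[raw_url.rstrip(TRAILING_PUNCT)] = reasons
    return findings


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(message)
        for url, reasons in assess_message(message).items():
            print("   ", url, "->", reasons or ["nothing flagged; still type the address yourself"])
```

An empty result is not a clean bill of health: the last sample passes every check, and the posts' advice still applies to it, which is why the script says so rather than printing "safe".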
Wednesday, July 31, 2019
Scam Of The Week: Equifax Settlement Phishing
ALERT: Internet bad guys are now trying to trick you into filing an Equifax claim and getting a $125 payment because your personal data was in the Equifax data breach. They are sending phishing attacks that look like they come from Equifax, and when you click on the links, you wind up on a fake website that looks like it's Equifax but will try to steal your personal information. Don't fall for it.
Here is an example of the phishing email:
If you want to file a claim, go to the legitimate FTC website and click on the blue "File a Claim" button. The website will check your eligibility for that claim; not everyone's information was compromised. Here is the link to the FTC site: https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement