Phishing Starts Earlier and Earlier

It’s only early November, but you have probably already seen Christmas trees sold in stores. This is a trend known as “seasonal creep” in which retailers start selling seasonal items in advance of the actual season. Did you know that cybercriminals also follow this trend?

For example, Black Friday and Cyber Monday traditionally fell after Thanksgiving in the United States. However, these international shopping events now start as early as November 1. Cybercriminals take advantage of this trend by sending phishing emails disguised as advertisements and phony purchase receipts long before the holiday season begins.

Follow the tips below to shop safely this holiday season:

• Never click a link from an email or text message that you weren't expecting, even if the link appears to be for a store you recognize. Instead, use your browser to navigate directly to the retailer’s official website. 
• Watch out for malvertising. Malvertising is when cybercriminals try to phish shoppers through ads on social media and other websites. Always think before you click!

Be cautious of advertisements that promise outrageous deals. Remember that if something seems too good to be true, it probably is!

 

SECURITY HINTS & TIPS:

How to Keep Your Organization Safe in and Out of the Office

Whether you work from home or work in an office, the security of your organization must be one of your top priorities. While these two locations can feel quite different, you can use the same precautions no matter whether you’re working from the office or at home. Let’s look at some important cybersecurity rules and how they can be used both in the office and when you are working at home. Only Use Secure Devices Remember that your device is only as secure as the apps that are running on it. Never install an application or plugin without first checking with your IT department. Only use your work devices for work. If you are using your personal computer for work, we recommend that you create a separate user account with a unique username and password. In the office, network security is probably managed by your IT department. To help keep your home internet connection secure, use a complex password on your router. If your organization offers access to a Virtual Private Network (VPN), connect to that as well. Protect Your Physical Workspace In the office, watch out for piggybacking and tailgating. A piggybacker is someone who claims to be part of your organization and follows you into a secure area without the use of a badge or entry code. A tailgater is someone who waits for you to enter or exit a secure area and then sneaks in while the door is still open. Be suspicious of anyone who you do not recognize and don’t be afraid to ask for identification. At home, find a private and comfortable workspace, where no one can view your screen while you work. You must keep all sensitive information out of sight for any unauthorized persons, including your partners, children, and friends. Always lock your computer when you step away from your desk. If you leave your computer unlocked, anyone can use it to access sensitive data, steal your login credentials, or even install malware. Think Before You Click ·         Never click a link or download an attachment from an email that you weren’t expecting. Even if the sender appears to be part of a legitimate organization, the email address could be spoofed. ·         When an email asks you to log in to an account or online service, navigate to that service through your browser. Never click the link in the email. Navigating to the site directly ensures that you’re logging in to the real website and not a look-alike site. ·         When in doubt, call the sender of the email to be sure the request, link, or attachment is legitimate. Do not call the phone number provided within the email as it may be a fake number.

 When Cybercriminals Ask for a Manager

Customer retention and satisfaction are vital to most organizations’ success. Knowing how important this is, cybercriminals send fake customer complaints in hopes of catching you off guard. 

In a new phishing email, cybercriminals impersonate a member of your organization’s human resources or management team. The email addresses you by name, states “It is urgent request,” and tells you to call the sender immediately in regards to a customer complaint. Additionally, a PDF of the complaint appears to be linked within the email. If you click on the link, a webpage opens where you can download the customer complaint. Unfortunately, the file isn't actually a PDF. Instead, it's a dangerous piece of malware. 

Here’s how you can stay safe from similar scams:

• Think before you click. Cybercriminals exploit emotions, such as the fear or guilt of upsetting a customer, to trick you into clicking on malicious links.
• Watch for poor grammar and unusual phrasing in emails, such as “It is urgent request.” Emails from legitimate sources are more likely to use correct and natural language, such as "This is urgent" or "This is an urgent request."

Never click a link in an email that you weren’t expecting. If you’re not sure, reach out to the sender by phone to confirm the legitimacy of the email. 

 Online Shopping Steals

It’s Thanksgiving week in the United States, which means Black Friday and Cyber Monday are finally here! To celebrate, cybercriminals have created a record number of malicious online stores to trick unsuspecting shoppers. 

Cybercriminals create online stores that claim to sell hard-to-find items, such as trending makeup products or this year’s hottest toys. To lure in customers, cybercriminals run ads on other websites, on social media platforms, and even within Google search results. If you click one of these ads, you'll be taken to the malicious online store. These stores can be very convincing because they include real product images, descriptions, reviews, and a functional shopping cart and checkout process. Unfortunately, if you try to purchase something from one of these malicious stores, your money, mailing address, payment data, and any other personal information you provided will go straight to the cybercriminals. 

Follow the tips below to avoid these malicious online stores:

• Watch out for misspelled or look-alike domains. For example, cybercriminals may spoof the popular toy brand Squishmallows with spellings such as "Squishmellows" or "Squashmallows."
• Be cautious of stores that promise outrageous deals on high-demand products. Remember that if something seems too good to be true, it probably is!

Always shop from well-known and trusted retailers. If you haven’t shopped there before, look up reviews and customer feedback for that retailer. 

 Order Confirmation Imitation

If you’ve started your holiday shopping, you may have received purchase confirmation emails from Amazon, one of the world’s most popular retailers. Unfortunately, cybercriminals have also been sending their own version of these emails. In a new scam, cybercriminals impersonate Amazon to send fake purchase confirmation emails in hopes of receiving a special holiday gift: your credit card information.

In this scam, cybercriminals send you a fake purchase confirmation email that appears to come from Amazon. In the email, you can review details about the phony purchase, such as the payment amount and your mailing address. To review the purchase further, you can click a “View or manage order” button in the email. If you click this button, you’ll be taken to Amazon’s real website, but you won’t be able to find information about the purchase. As a last resort, you can call the customer service phone number in the email. If you call, you’ll be asked to provide your credit card number and CVV number to cancel the purchase. Instead of canceling the purchase, you’ll grant cybercriminals access to your credit card.

Don’t fall for this scam! Follow the tips below to stay safe:

• Watch out for fake customer service phone numbers. If you need assistance, check the vendor’s website to find their customer service phone number or email address.
• Don’t click links in emails you weren’t expecting. If you click a malicious link, malware or other malicious software may be downloaded onto your device.

Don’t share sensitive information, such as credit card numbers or social security numbers, over the phone.

 Piggybacking - Courtesy that could cost you

To kids, piggybacking is when someone jumps on your back and you carry them around for a while. In the business world, piggybacking is when you let someone that you do not know enter a door that you just opened. A lot of organizations rely on biometrics, key cards, or even regular keys to open locked doors. These could be doors to get into the building, parking garage, a particular office. Piggybacking is when someone you do not know, waits for you to open a locked door, and enters in behind you.

Many people allow this to happen because they want to be nice and courteous and open doors for people, you may even hold the door open for them. While this may be a nice gesture in public places, at the workplace, this could end up costing you. The bad guys, just like they would try and trick you with a fake email, are targeting your good nature, to gain access into a secured building.

If someone you do not know, is trying to enter the door behind you there are a couple of things you can do to still be courteous and follow the rules.

• Ask them where they are going and who they are there to see, then escort them to the office of the person they are going to see, and verify that they are supposed to be there.
• Kindly decline to let them in and explain that your organization has a strict no-piggybacking rule.

Once the bad guys have access to your offices, they can plug into any internet outlets, or sit down at any open and unlocked workstation, or place infected USB keys around the hallways and bathrooms. Remember, when it comes to piggybacking, kindly decline or insist on escorting them to the person they are there to see.

 #Bitcoin-Hostage-Videos

An elaborate new Bitcoin scam targets Instagram influencers and their followers. In this scam, cybercriminals send an influencer a phishing link that takes them to a fake Instagram login page. If the influencer tries to log in to their account, their login credentials are sent directly to the cybercriminals. Once the cybercriminals have access to the account, they can change the password and prevent the influencer from logging in. 

Then, the cybercriminals offer to release control of the influencer’s account if the influencer creates a very specific video. In the video, the influencer must say they invested a small amount of money into Bitcoin and gained a huge payout. They must also tag and thank the Instagram account that belongs to their “friend” who helped them invest. Of course, this “friend” is actually the cybercriminal holding their account hostage. Once the video is created, the cybercriminals post it to the influencer’s Instagram page for all their followers to see. The end goal is for these loyal followers to send bitcoins to the cybercriminals under the assumption that they will be making an investment, just like the influencer did. 

Here are some tips to stay safe from similar influencer scams:

• Hijacking a social media account is an easy way for cybercriminals to spread disinformation or scam several people at once. Don’t trust everything you see on social media, and be sure to report any suspicious activity. 
• To the general public, Bitcoin and other cryptocurrencies are still very new and complex. Before you buy coins, learn more about cryptocurrency from well-known and trusted sources. 

Never trust a get-rich-quick scheme. If something seems too good to be true, it probably is.

 A New Spam Scam

In a new scam, cybercriminals spoof Microsoft Office 365 by using the email address quarantine[at]messaging[dot]microsoft[dot]com to send you a spam notification. The fake notification claims that a seemingly important email with the subject line “[Your Organization’s Domain] Adjustment: Transaction Expenses Q3 UPDATE” has been quarantined. You are asked to review the email to confirm whether or not it should be marked as spam.

If you click on the Review button in the email, you will be taken to a phony Microsoft Office 365 login page. On this page, you are asked to provide your Microsoft credentials to access the supposedly quarantined email. Any information that you enter on this page will be delivered directly to the cybercriminals. 

Remember the following tips to stay safe:

• Never click on a link within an email that you were not expecting. 
• This type of attack isn’t exclusive to Microsoft products or Microsoft users. The technique could easily be used on a number of other programs. Always think before you click.

If you get a notification that you are unfamiliar with, reach out to your administrator or IT department. They can check to make sure the notification is legitimate.

 Netflix Scam Double Feature

Netflix is both the world’s largest streaming platform and one of the most impersonated brands among cybercriminals. There have been many Netflix-themed scams over the years, but most of these scams target one of two groups: current Netflix subscribers or potential Netflix subscribers.

To target current Netflix subscribers, cybercriminals send phony email notifications claiming there is a problem with your billing information. To target potential Netflix subscribers, cybercriminals send emails that advertise a deal for new accounts. Both phishing emails include links that lead to Netflix look-alike webpages where you’re asked to provide your personal and payment information. Any information you enter on these fake webpages is delivered straight to the cybercriminals. 

Remember the tips below to stay safe from streaming scams:

• Never click on a link within an email that you weren’t expecting, even if the email appears to come from a company or service you recognize.
• These types of scams aren’t limited to Netflix. Cybercriminals also spoof other streaming services, such as Disney+ and Spotify. Remember that if a deal seems too good to be true, it probably is. 

If you receive an unexpected notification, open your browser and navigate to the platform’s website. Then, you can log in to your account knowing that you’re on the platform’s real website and not a phony look-alike website.