Protecting Yourself from Online Scams

This living topic delves into the various methods and evolving tactics of online scams, particularly focusing on phishing scams. It covers new threats such as AI-driven phishing tools like WormGPT, deceptive practices like Facebook 'like farming,' and the persistent issue of fake emails purporting to come from reputable organizations like Bank of America and TurboTax. The content emphasizes the importance of vigilance, skepticism, and proper reporting to mitigate these threats. It also highlights the inadequacies in corporate responses to phishing reports and offers tips for individual users to protect themselves online.

Latest

Phishing scams were 2024’s most common smartphone security threat

Survey suggests device makers could offer better protection


There is no shortage of schemes that scammers use to target their victims, and the rapid development of artificial intelligence has only increased these threats. But what threat should consumers take most seriously?

A survey conducted by Omdia, a technology research and advisory group, found that phishing scams remain the most significant security threat for smartphone users, with 24% of respondents reporting that they have fallen victim to these attacks. Phishing, which...


2024
2023

Yahoo! leads Top 10 list of most phished brands

The next time something shows up in your email inbox that claims to be from Yahoo!, DHL, Microsoft, Google, or LinkedIn, resist clicking on it. In Check Point Research’s (CPR) latest Brand Phishing Report, those five brands are the ones most frequently imitated by criminals during the last quarter. 

Yahoo became the top brand impersonated in phishing attacks, climbing 23 spots and accounting for 20% of all brand phishing attempts. DHL – which got looped into phishing hell in a “BHL” impersonation scheme – suffered 16% of the attempts. 

Rounding out the Top 10 were Wetransfer (5.3%), Netflix (4.4%), FedEx (2.5%), HSBC (2.3%), and WhatsApp (2.2%).

Guess what – you’ve just won!

CPR said the attacks are pretty much the same lure – emails with subject lines that suggest a recipient has won awards and prize money. In Yahoo!’s case, CPR found the predominant subject line was “YAHOO AWARD” which was sent by senders with names such as “Award Promotion”, “Award Center”, “info winning” or “Award Winning”.

For most people, an email saying they have “won” prize money running into the hundreds of thousands of dollars is hard to ignore entirely. But the con unfolds very quickly – asking the recipients to send their personal and bank details, claiming this information is necessary to transfer the winning prize money to their account. 

Most of that is same-old-song stuff, but the analysts said that these emails also contained a warning that the recipient – er, victim – must not tell people about winning the prize, because of legal issues. In other words, the scammers are worried that if the victim tells someone about this, that someone might hit ‘em over the head with a big dose of what’s really going on and the victim will stop, and the scammer will walk away with nothing.

The Instagram hook

CPR’s analysts said that the hook scammers were using for Instagram was built on the subject “blue badge form.” Blue badges are the little blue checkmarks that appear next to an Instagram account's name in search and on the profile; they mean Instagram has confirmed that the account is the authentic presence of the public figure, celebrity, or brand it represents. 

In this case, the scammers are playing up to people who they think would love the status of having a “blue badge,” and the intent of the email is to persuade the victim to click on a malicious link claiming that the person’s Instagram account has been reviewed and approved by Facebook, the owner of Instagram.

The link leads to a form that asks for specific personal details. Once you submit the form, you have handed whatever you entered to the cybercriminals behind the campaign.


2022

FCC moves to shut down 'ringless voicemail' robocalls

The Federal Communications Commission (FCC) continues to try making life more difficult for robocallers. In a new proposal, the agency wants to make it a requirement for robocallers to get consumers' permission before delivering a “ringless voicemail” -- a message left in a voicemail without a person's phone receiving a call.

The FCC is not giving up on full implementation of the Telephone Consumer Protection Act (TCPA), which protects consumers from unwanted robocalls, among other things. To date, the agency has done everything from handing out massive fines to companies that try to skirt the rules to forcing major telephone companies to meet the FCC’s mandate on robocall protection.

The latest effort came on Wednesday when FCC Chairwoman Jessica Rosenworcel shared her idea for a ban on ringless voicemails. She said if she could get the full Commission’s buy-in, it would further prove to consumers that the agency is serious about getting robocalls completely out of their lives. 

“Ringless voicemail can be annoying, invasive, and can lead to fraud like other robocalls—so it should face the same consumer protection rules,” Rosenworcel said. “No one wants to wade through voicemail spam, or miss important messages because their mailbox is full. This FCC action would continue to empower consumers to choose which parties they give permission to contact them.”

It’s “All About the Message”

Rosenworcel’s push comes as a response to a petition filed by All About the Message LLC – a company that, according to an investigation by Fortune, appears to be headed by two people, one of whom is involved in a marketing firm that bills itself as a provider of "Ringless Voicemail for Auto Dealers.”

In the company’s petition to the FCC, it claims that “the delivery of a voice message directly to a voicemail box does not constitute a call that is subject to the prohibitions on the use of an automatic telephone dialing system...or an artificial or prerecorded voice that are set forth in the Telephone Consumer Protection Act."

The Chairwoman’s proposed action would define ringless voicemails as “calls” that require consumers’ prior express consent. It would also deny the petition and effectively end any chance that “ringless voicemail” robocalling technology could shift from a regulatory gray area to legal fair game.


2017

Avoiding Amazon-related phishing scams

Joseph Steinberg recently got an email that appeared to be from Amazon, thanking him for making a purchase on Prime Day.

The email promised him a $50 bonus if he would click a link and post a review about the item. Steinberg, who is CEO of SecureMySocial, a firm that watches out for problematic posts, didn't bite. Writing in Inc. Magazine, he said he recognized it as one of the countless phishing schemes using Amazon's name and logo.

But many others might easily fall for it. If you had not made a Prime Day purchase you might be highly suspicious, but if you did make a purchase -- and millions of consumers did -- you might throw caution to the wind and go for the 50 bucks.

How to protect yourself

So if you are an Amazon customer, how do you protect yourself from all the scams that try to take advantage of that relationship? Amazon gets asked that question a lot, and has a page on its website that explains how to protect yourself.

For example, if you get an email about an order you didn't place, it's not from Amazon. The company would like you to send the email as an attachment to stop-spoofing@amazon.com. Make sure you don't open any attachments or click on any links in the email.

Amazon says other scams use a variety of reasons to ask for your user name and password. Should you turn that information over to a scammer, they can buy all kinds of merchandise on your account, charging it to the credit card you have on file.

Other scams will tell you that it's necessary to update your payment information. By directing you to a spoofed site, made to look like it's part of Amazon, the scammer can steal your credit card information.

Black market websites

There are black market sites on the web where scammers can then sell your user name and password, or your credit card info, for a small amount, such as $50 to $100. The purchaser can then use it to make a major purchase -- maybe more than one -- before the fraud is detected.

If you receive a suspicious email that you think could be from Amazon, there is a very simple way to tell if it is. Simply close the email and use your browser to go directly to Amazon.com.

If the email says you need to update your payment information, click on Your Account and then Manage Payment Options. If you really do need to update your payment information, the website will say so there.

There are other dead giveaways as well. Phishing emails sometimes are filled with typos and misspellings. In a legitimate link, the URL should start with https://www.amazon.com, followed by the code for the particular page on the Amazon site. If you don't see that in the link, then it's not a real Amazon webpage.
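To turn the URL rule above into something a mail filter or a careful reader can apply mechanically, here is an added example (not from the article or from Amazon) that parses the link's hostname instead of comparing the URL string's prefix. The sample URLs are constructed; one of them is a lookalike host that passes the plain prefix test but not the hostname test, which is why the hostname is what should be checked.

```python
"""Added example (not from the article): decide whether a link really points at
amazon.com by parsing its hostname, not by string-prefix comparison.

Assumptions: only scheme and hostname are checked; 'amazon.com' and its
subdomains (e.g. www.amazon.com) count as legitimate, per the article's rule.
All sample URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

LEGIT_DOMAIN = "amazon.com"


def link_is_amazon(url: str) -> bool:
    """True only if the URL uses https and its host is amazon.com or a
    subdomain of it. Userinfo ('user@') and trailing dots are handled by
    urlsplit/hostname so they cannot disguise the real host."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https" or not host:
        return False
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def naive_prefix_check(url: str) -> bool:
    """The literal 'starts with https://www.amazon.com' test, kept only to
    show which lookalikes slip past it."""
    return url.startswith("https://www.amazon.com")


# Constructed samples: one genuine-looking Amazon page and three lookalikes.
SAMPLES = {
    "https://www.amazon.com/gp/css/order-history": True,
    "https://www.amazon.com.example-login.net/update": False,  # host is example-login.net
    "https://www.amazon.com@example.net/account": False,       # 'www.amazon.com' is userinfo
    "http://www.amazon.com/gp/css/order-history": False,       # not https
}


def classify(urls=SAMPLES) -> dict:
    """Map each URL to the hostname-based verdict."""
    return {u: link_is_amazon(u) for u in urls}


if __name__ == "__main__":
    for url in SAMPLES:
        print(f"hostname check={link_is_amazon(url)!s:5} "
              f"prefix check={naive_prefix_check(url)!s:5} {url}")
```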



Women's group used deceptive recruitment, NY charges

Millions of women have received emails from something called the International Women's Leadership Association, or IWLA. The emails give the impression that the organization has reviewed the qualifications of the recipient and decided to invite her to join their business networking group.

In fact, says New York Attorney General Eric T. Schneiderman, the company sent millions of emails without actually reviewing much of anything. The IWLA has agreed to pay a $200,000 penalty -- which was suspended because of the company's financial condition -- and will clean up its recruiting practices.

“Mass email solicitations cannot be used as a proxy for deceptive marketing practices,” said Schneiderman. “Honesty and transparency are the hallmarks of consumer protection, and those same principles must be upheld online.”

Schneiderman said the IWLA's solicitations come in various forms, but they all contained the statement, “it is my distinct pleasure to notify you that, in consideration of your contribution to family, career, and community, you have been selected as a woman of outstanding leadership.”

Schneiderman said the claim that individuals were chosen for membership based on a review of their qualification was false but nevertheless lured more than 100,000 women into signing up for membership over the last three years.

IWLA is a New York corporation with a main office located in Uniondale, New York. Its stated purpose is to provide “women with opportunities to meet, share and collaborate, whether in business or otherwise.” It claims to market its services to women at all stages of their career to help foster their upward mobility. The IWLA claims over 14,000 members who subscribe to its services and receive the benefits and privileges offered by the association.


2014

Malware alert: ignore that order confirmation email!

With the December holiday-shopping season revving into full gear, the world's thieves, fraudsters and malware writers have been doing the same thing. If you have any web-based email accounts, chances are you've been noticing a recent uptick in the number of “order confirmation” messages landing in your inbox – and chances are they're all fraudulent, trying to trick you into loading dangerously nasty malware onto your computer.

Security blogger Brian Krebs went into some detail explaining the technical aspects of the latest batch of emails: those realistic-looking messages, allegedly from Walmart, Home Depot, Costco or similar retailers, will load a spam botnet called Asprox, which Krebs said is “a nasty Trojan that harvests email credentials and other passwords from infected machines, turns the host into a zombie for relaying junk email (such as the pharmaceutical spam detailed in my new book Spam Nation), and perpetuates additional Asprox malware attacks.”

But from a non-technical perspective, all you really need to do is notice that the emails, though professional-looking, are also addressed generically rather than specifically. Almost all dangerous malware or phishing emails do that.

Could apply to anyone

Consider, for example, the fake jury duty or court-appearance notice. If you get such a message, it's always vague enough that it could apply to anybody: “You must appear in court for jury duty.” “You are being sued for lots of money in court.”

Compare that to what a real jury duty or court appearance notice looks like: “Morton Finkleblatt of 37 West Street is ordered to appear in Federal District Court, 1500 Courthouse Plaza.”

Of course, if you actually get a notice it won't look like that, because your name isn't Morton Finkleblatt and you probably don't live at 37 West Street, either. Even if you do, those listed addresses are supposed to mention a city and state, too – specifically, the state where you personally live, and the city hosting the courthouse nearest you. Finally, an actual jury duty or court-appearance notice will come to you printed on paper, arriving in your old-fashioned mailbox.

Of course, that last bit isn't necessarily the case when you buy something from an online retailer: if the seller contacts you, it'll likely be via email rather than snail-mail. But those genuine, non-scammy emails will still include your specific identifying information — real messages from Amazon don't say “Your order has shipped,” they say “Wile E. Coyote, your order of ACME rocket-powered roller skates has shipped.”

The same holds true for Walmart, Home Depot, Target, Costco, and pretty much every legitimate online retailer out there: they might send you emails if you're a customer of theirs, but those emails are addressed specifically to you. And when you get real order-tracking emails or other information about a purchase you actually made, you're not asked to do anything as a result, certainly not asked to click on a link in the email or download some virus-ridden file attachment.


2007

Email Scam Spoofs FTC

The Federal Trade Commission is warning consumers not to open a bogus email that claims to come from the FTC. The email states it is from the FTC Fraud Department and carries a virus.

"A bogus email is circulating that says it is from the FTC referencing a complaint filed with the commission against the email's recipient," the Commission advises.

The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments.

The spoof email includes a phony sender's address, making it appear the email is from frauddep@ftc.gov, and also spoofs the return-path and reply-to fields to hide the email's true origin, according to the FTC.

"The email includes the FTC seal but contains grammatical errors, misspellings, and incorrect syntax," according to the federal regulators.

The FTC asks recipients of the email to forward it to spam@uce.gov and then delete the document.

The feds promise that emails sent to the spam address will be filed away in the FTC's spam database to assist with future investigations.

Simply opening the email does not appear to cause harm, according to the FTC. However, anyone who has opened the email's attachment or clicked on the links has likely downloaded the virus onto their computer and should run an anti-virus program, the commission warned in a news release.

The virus appears to install a key logger that could potentially grab passwords and account numbers, the FTC said.
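The header spoofing the FTC describes can be checked mechanically. The following is an added example, not part of the FTC notice: it parses a constructed message and reports any Return-Path or Reply-To domain that differs from the From domain. The mailer.example.net and example.org addresses are placeholders.

```python
"""Added example (not from the FTC notice): flag a message whose Return-Path
or Reply-To domain does not match the domain shown in From, the kind of
header spoofing the FTC describes. Both raw messages below are constructed;
the addresses in them are placeholders, not real mailboxes.
"""
from email import message_from_string
from email.utils import parseaddr

HEADERS_TO_COMPARE = ("Return-Path", "Reply-To")


def domain_of(header_value: str) -> str:
    """Domain part of an address header, lowercased; '' if absent/unparseable."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_mismatches(raw_message: str) -> list:
    """Return (header, domain) pairs whose domain differs from From's domain.
    An empty list means the visible sender and the routing headers agree."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    findings = []
    for header in HEADERS_TO_COMPARE:
        value = msg.get(header)
        if value is None:
            continue
        domain = domain_of(value)
        if domain and domain != from_domain:
            findings.append((header, domain))
    return findings


# Constructed sample modelled on the spoof the FTC describes: From claims to
# be the FTC fraud department, but bounces and replies route elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
From: "FTC Fraud Department" <frauddep@ftc.gov>
Reply-To: <reply@mailer.example.net>
Subject: Complaint filed against you

A complaint has been filed. Open the attachment for details.
"""

# Constructed sample in which all three headers agree.
CONSISTENT = """\
Return-Path: <bounces@example.org>
From: <alerts@example.org>
Reply-To: <support@example.org>
Subject: Your weekly summary

Nothing to do.
"""

if __name__ == "__main__":
    print("spoofed:   ", header_mismatches(SPOOFED))
    print("consistent:", header_mismatches(CONSISTENT))
```

Return-Path is only meaningful when your own receiving mail server wrote it, so apply this to messages as delivered, not to copies forwarded from elsewhere.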


Scammer Claims To Be 'Verified By Visa'

Identity thieves are constantly looking for new ways to trick consumers into revealing personal information in response to phishing emails. Their latest ruse is to disguise themselves as Verified by Visa.

“Your Bank of America card has been automatically enrolled in the Verified by Visa program,” one version of the email says. “To ensure your Visa card's security, it is important that you protect your Visa card online with a personal password. Please take a moment, and activate for Verified by Visa now.”

Verified by Visa is a legitimate service that adds an additional layer of security to online credit card transactions. If your card is part of the Verified By Visa program, anyone using your card must use a password to complete the transaction.

But anyone responding to this email would not be enrolling in the program. Instead, the link in the email would take them to a duplicate site, controlled by the scammer.

There, they would be asked to enter their credit card information, and might even be asked to divulge the kind of personal information that could be used to change the card's billing address, or even steal the card holder's identity.

The return address on the email is enroll@boa.com. Bank of America has been a favorite target of phishing scams lately. Security experts say that's because it's such a big bank with lots of customers. Recipients of the email who are Bank of America customers are more likely to fall for the ruse than those who aren't.

The dead giveaway that this particular email is a scam is the last line: “Please note: If you FAIL to update your Visa card, it will be temporarily disabled.”

Security experts note that scammers also use fear or pressure tactics to get recipients of their spam emails to comply.
