Online Scams
There will likely never come a day when the online world is completely free from criminals, hackers and thieves. The best you can do is learn to recognize their tactics so you don't become a victim of things like:
- Credit card theft
- Pop-up ads that install spyware to capture your personal information
- Phishing sites posing as the real thing to lure you into their scams
- Spam emails, instant messages, and bogus Web sites that deliver spyware to your computer and compromise its security
- Loan fraud, mortgage fraud, lines-of-credit fraud, credit card fraud, commodities and services frauds that exploit consumers' credit worthiness
Phishing Scams
Scammers are getting increasingly good at making their email messages look legit. It can be difficult to distinguish a real message from a dangerous fake. Here are some simple things you can do to protect yourself from phishers who are out to steal your identity, your money or your security:
- Learn how to tell the difference between a legitimate company URL and an imposter.
- Mouse over all links before you click on them. Hover over the link and the actual destination URL appears next to the pointer or in a corner of the window; the visible link text can say one thing while the destination is somewhere else entirely. If the destination isn't one you recognize and trust, don't click, even if the rest of the email looks legitimate. On a phone or tablet there is no hover, so press and hold the link to preview its destination instead. Never click on unknown email links.
- Pay attention to an email's 'Reply-To' address. Even if the 'From' line shows someone you know, the reply can be routed to a completely different mailbox, so look at the actual address before you answer.
- Never follow emailed links to login pages. Instead, open a new browser window and type the company's address yourself, or use a bookmark you saved earlier.
- Beware of scare tactics informing you of account revalidation processes or quota limits. Most online services will never ask for your username and password by email.
- Don't fall for enticing 'Prize Winnings,' 'Purchase Order' or 'Work Opportunity' scams. You are not the 999,999th visitor.
Business Email Compromise Attacks (BEC)
A BEC is a highly focused phishing attack in which a cyber criminal impersonates a company executive in an attempt to get an employee, customer or vendor to transfer funds or sensitive information. The criminal will often study recent company news or research employees on social media in order to craft a very convincing message, making it harder for spam filters (and victims) to spot the fake.
BEC messages can come from a legitimate email account that has been successfully phished, or from a lookalike domain that is one or two letters different from the real address. These urgent requests usually ask for money or sensitive data.
Always double-check before sending money or data, no matter who the email is from or how important the request seems: confirm the request by phone or in person using a number you already have, not one supplied in the email.
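The checks described above (hover-to-reveal link targets, a Reply-To that does not match the From address, and lookalike domains a letter or two off) can be automated. The following Python checker is an added example, not code from this page or from ODU's tooling; the allow-lists, the staff name, the sample messages and every address in them are constructed for the illustration, and the two-label "registrable domain" shortcut is a deliberate simplification that does not consult the public suffix list.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-lists for the example; a real deployment would load these from configuration.
TRUSTED_DOMAINS = {"odu.edu"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
KNOWN_STAFF = {"big blue"}  # display names an attacker might borrow (assumed)


def registrable_domain(host):
    """Last two DNS labels ('login.0du.edu' -> '0du.edu'); the public suffix list is not consulted."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance; lookalike domains are usually within one or two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return the trusted domain that `domain` imitates, or None if it is not a lookalike."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= max_edits:
            return t
    return None


class LinkExtractor(HTMLParser):
    """Collect [href, visible text] pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._in_anchor = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._in_anchor = True
    def handle_data(self, data):
        if self._in_anchor:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def check_message(raw):
    """Return human-readable phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    from_dom = registrable_domain(sender.domain)
    # 1. Reply-To pointing somewhere other than the visible From domain.
    if msg["Reply-To"]:
        reply_dom = registrable_domain(msg["Reply-To"].addresses[0].domain)
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 2. A colleague's name on a free-mail account (the bblue.odu@gmail.com pattern).
    if from_dom in FREEMAIL_DOMAINS and sender.display_name.lower() in KNOWN_STAFF:
        findings.append(f"known name '{sender.display_name}' on free-mail address {sender.addr_spec}")
    # 3. Sender domain a letter or two away from a trusted one.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"From domain {from_dom} looks like {imitated}")
    # 4. Links whose visible text names one domain while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href, text in extractor.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = urlparse(text.strip()).hostname
        if shown and registrable_domain(shown) != target:
            findings.append(f"link text shows {registrable_domain(shown)} but points to {target}")
        imitated = lookalike_of(target)
        if imitated:
            findings.append(f"link target {target} looks like {imitated}")
        elif target not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain {target}")
    return findings


# Constructed samples, not real mail: an "account revalidation" phish and a BEC-style lure.
PHISH = """\
From: "ODU Help Desk" <helpdesk@odu.edu>
Reply-To: accounts@odu-mailsupport.net
Subject: Mailbox quota exceeded - revalidate now
Content-Type: text/html; charset="utf-8"

<p>Revalidate within 24 hours or lose access:
<a href="http://login.0du.edu/revalidate">https://login.odu.edu/</a></p>
"""
BEC = """\
From: "Big Blue" <bblue.odu@gmail.com>
Subject: Quick favor
Content-Type: text/plain; charset="utf-8"

Can you send me your cell number? I need something handled urgently.
"""
```

Running `check_message(PHISH)` reports the Reply-To mismatch, the link whose text reads odu.edu while its target is 0du.edu, and the 0du.edu lookalike; `check_message(BEC)` reports a known name on a free-mail address. A spoofed From line that copies the real domain exactly passes check 3, which is why the Reply-To and link checks matter as well, and why none of this replaces confirming an unusual request out of band.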
For more information go to www.ic3.gov/media/2018/180611.
Bitcoin Blackmail/Extortion Scams
Beware of emails from individuals who claim to have compromising information on you and demand payment in Bitcoin (or any cryptocurrency). The scammer may say he has video of you from your webcam, or links to naughty sites he says you visited. He may even present you with one of your old passwords as "proof" (which he likely got from an old data breach). And he may threaten to send this embarrassing information to everyone in your contact list if you don't pay up.
It's a scam. Don't pay the ransom. If you still use the password shown, stop using it and change it immediately, everywhere it was reused. But do not respond to the email in any way.
More information:
- https://www.consumer.ftc.gov/blog/2018/08/how-avoid-bitcoin-blackmail-scam
- https://www.eff.org/deeplinks/2018/07/sextortion-scam-what-do-if-you-get-latest-phishing-spam-demanding-bitcoin
Gift Card Scams
Special situations (like pandemics, current events or holidays) give attackers an additional opportunity to attempt scams. At ODU, attackers have recently imitated people we know, created fake email accounts and sent messages to solicit personal information. Here's an example of how it could be done:
Let's say Big Blue works in ITS. An attacker might create an email account like bblue.odu@gmail.com, find a list of ITS employees on our website, then email those employees asking for their personal phone numbers. Big Blue's co-workers recognize his name and respond, not knowing they're giving personal information to a stranger.
Once the attacker has the cell phone numbers, the employees start to receive text messages about an urgent issue that requires payment in gift cards. It's a scam. And because the original emails contain no malware or malicious links, mail filters have nothing to flag, so we cannot reliably detect them as scams.
To protect yourself, always verify the identity of anyone you send personal information to, and never pay anyone in gift cards.
If you fall victim to a scam, open a police report with the ODU Police (police@odu.edu or 683-4000). You can also file an FBI complaint at the Internet Crime Complaint Center, www.IC3.gov. If you accidentally click on a suspicious link or think you might have been infected with malware, contact the ITS Help Desk.
Other Forms of Social Engineering
Social engineering is a psychological attack in which an attacker manipulates people into handing over information or taking an action they otherwise would not.
Pretexting
An attacker creates a plausible fabricated story in order to increase the chances of gaining information or causing an undesirable action.
Defense: Go straight to the true source. If an email that appears to be from a co-worker seems suspicious, verify it directly with the individual outside of email.
Spear Phishing
A targeted phishing attack designed to trick an individual versus a broad audience. The attacker usually does research on a company's web site and then references current events or initiatives at that company to trick an employee.
Defense: Even if a message appears to be from a co-worker or other trusted associate, pause before taking an urgently requested action. Look for any indicators that something isn't right - maybe the "from:" address is one you have never seen, or the manner of communicating is a bit different than usual.
Baiting
An attacker uses a false promise or incentive - loan forgiveness, a salary study, free music, or inside information - as bait to trick a recipient into opening a malicious document or website.
Defense: Do not open a document or click on a URL in an email unless you are absolutely certain that it came from a trusted source with legitimate purpose.
Quid Pro Quo
The promise of some benefit in exchange for information or an action. One common approach is to impersonate an IT support person who promises some support benefit in exchange for a password, executing an attachment or disabling anti-virus.
Defense: Similar to baiting, verify the source before performing the request.
Watering-Hole
An attack in which a targeted individual or group is directed to a trusted website that has been compromised (or an advertisement on the site has been compromised) in a way that injects malware onto the targeted individual's computer.
Defense: In addition to the usual precautions of not responding to suspicious email, make sure your operating system, web browser and applications are all patched and up to date, and enable anti-virus or endpoint protection that can detect when malicious software attempts to download or execute.
Rogue
The use of malicious software that poses as an anti-virus or a malware removal kit, often after a false claim that malware has been detected, causing a target to react out of fear.
Defense: Anti-virus or endpoint protection lowers the likelihood of falling victim to a rogue attack. Legitimate security software does not announce infections in a browser pop-up or demand payment to clean them; close the window (or the whole browser) and do not install anything it offers.
Tips to avoid social engineering schemes:
- Do not open emails, open attachments or follow URLs in emails from untrusted sources. If anything seems out of the ordinary or unlike the supposed sender in any way, contact the person directly, outside of email, to verify the source.
- Do not trust offers from strangers. If an offer seems too good to be true, it probably is.
- Follow safe computing practices and good computing hygiene.
Identity Theft
Spyware used for identity theft can be the most harmful and difficult type of spyware to remove. There are a few things you can do to protect yourself:
- Continually check the accuracy of personal documents and deal with any discrepancies right away.
- Practice safe email protocol:
  - Don't open messages from unknown senders.
  - Immediately delete messages you suspect to be spam.
- Be wary of free software from untrusted sources; bundled adware and spyware are a common way it pays for itself.
- Keep your operating system and applications patched, not just Windows.
- Use public computers with extreme caution.
- Beware of peer-to-peer file sharing services.
- Use anti-virus protection and a firewall.
- Get anti-spyware software protection.
Scams That Target Universities
The Internet Crime Complaint Center (IC3) is aware of multiple scams targeting universities, university employees and students across the nation. The scams range from Internet fraud to intrusions. The following are common scenarios: