Phishing

Educate Yourself and Avoid Becoming a Phishing Victim

Be careful about clicking on links in emails that purport to be from your helpdesk, CDC, Microsoft, your bank, the IRS, or another company that you deal with.

With this COVID-19 running rampant, and more people working from home, your work IT support folks may not be readily available to answer your technical questions. It’s in times like these when scammers easily find their victims. So one of the most important things you as a computer user can do, from a security perspective, is to safeguard your username and password to everything.

With the prevalence of web-based apps and remote work, on top of the usual Facebook, Amazon, or Netflix type of personal accounts, more vectors are being introduced through which scammers can trick you into giving up your personal information. They are getting more ingenious and sophisticated.

Take for example the following email supposedly from PayPal:

PayPal Scam

At first glance, the email looks legitimate. It comes with the official PayPal logo and has the same format as a typical email from PayPal. It also cites a legitimate merchant, storesupply.com. If you don’t have a PayPal account or haven’t recently purchased anything using PayPal, you would be more than concerned. However, if you look closely, there are several clues which prove this email is a scam.

  1. Look at the From address. The email says it’s coming from “service@intl.paypal.com”. But if you look at the actual address within the < > brackets, it shows the email coming from another domain which clearly has nothing to do with PayPal.
  2. If this transaction is something you don’t recognize, you would probably be inclined to immediately click on the Dispute this Transaction button, especially if you read the implicit threat of having only 24hrs to “DISPUTE” it. But without clicking on the button, just hovering over it, you can see in the address bar at the bottom of the window the address that the button will take you to. Again, it’s not PayPal.

Here is another example:

Office Phishing

Office365 is telling me that my password expired and I have to reset it. For the untrained eye, it looks legit. I may be busy at the time I receive this email, working against the clock to meet a deadline for a project, and I can’t afford to be locked out of my account. I panic, and without thinking, I click on the Password Reset button. It takes me to a webpage where I can sign into Microsoft and reset my password:

Office365

But what did I actually do? I just gave my username and password to some hacker. If you’re like most people (who don’t want to remember a billion different passwords), you may be using that username and password combination elsewhere, like to access your bank account.

The email above is what is called a phishing email. Phishing emails can be crafted to look legitimate, with official company logos (pulled from public company webpages), important sounding headers like “From: CORPORATE IT HELPDESK”, and big bold letters threatening a loss of account access. Clicking on the Password Reset button took me to a meticulously crafted, legitimate looking sign-in page, all so that I would give up my credentials to a hacker.

And the hacker doesn’t need 1,000 victims. To start, they just need 1 to fall for the scam. Once they have access to my email account, they can see what companies I deal with, and maybe reset my banking password by using a “Forgot my password” link on the company sign-in page. They can see who my contacts are and send them emails pretending to be from me, the CIO, or “CORPORATE IT HELPDESK”, and have my contacts give up their personal information. In a large company, you’re bound to get users who unfortunately fall for the scam.

Using the same methods outlined above (checking the From address, hovering over links to see the actual destinations), you can spot fake emails.
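As an added example (not from the original post), here is a small Python script that automates the two checks just described: it compares the display name in the From header with the real address inside the angle brackets, and compares each link's destination host with the brand it claims to be from, which is what hovering reveals. The sample header and HTML are constructed for the demo, and the domain comparison is deliberately crude.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples: the display name claims PayPal but the real address in
# < > is elsewhere; the button text says PayPal but its href goes elsewhere.
SAMPLE_FROM = '"service@intl.paypal.com" <billing@example-mailer.test>'
SAMPLE_HTML = """<p>Dispute this transaction within 24hrs:</p>
<a href="https://secure-login.example.test/dispute">Dispute this Transaction</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a>"""

def registrable_domain(host):
    """Crude: last two labels of a hostname (enough for this demo)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def from_header_mismatch(header):
    """(claimed, actual) domains if the display name looks like an address on
    a different domain than the real sender address, else None."""
    name, addr = parseaddr(header)
    if "@" not in name or "@" not in addr:
        return None
    claimed = registrable_domain(name.split("@")[-1])
    actual = registrable_domain(addr.split("@")[-1])
    return (claimed, actual) if claimed != actual else None

class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html, brand_domain):
    """Links whose destination host is not under the brand's own domain."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = [(text, urlparse(href).hostname or "") for text, href in collector.links]
    return [(text, host) for text, host in hosts
            if registrable_domain(host) != brand_domain]
```

Run against the samples, the From check reports paypal.com versus example-mailer.test, and only the “Dispute this Transaction” button is flagged, since the help link really goes to paypal.com.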

Here’s another example:

You may get an email claiming to be from Facebook support, saying you need to reset your password. In the email you see a link that says:

Facebook Password Reset

But if you hover over it, you can see it just brings you back to unidatait.com (which in this case is a good thing!). But that’s how the scam works.

Other Types of Phishing

1. Confirm your Password or Update your Payment Method

With many people working from home, streaming services such as Netflix  and Disney+ have seen a huge increase in subscribers. This also means it’s prime time for hackers who send out official looking phishing emails pretending to be from the streaming company and asking you to Confirm your Email, Update your Password, or Update your Payment Methods, getting you to inadvertently enter the information on a fake webpage that appears to be the actual streaming service page.

2. Emails with attachments

Password reset emails are not the only type of phishing emails out there. Finance Department employees often receive emails with scary subjects like FINAL NOTICE, INVOICE ATTACHED, or PLEASE PAY UPON RECEIPT, with what appears to be a PDF attachment (like below) in the body of the email, but which is actually just an image of a PDF document icon. They would, by habit, double-click to try to open the attachment, but instead of opening a document they would be clicking on a link that launches their browser and opens a fake webpage, where again they would be asked to enter their credentials.

PDF Icon

The image above only brings you back to unidatait.com, but you get the picture.

3. Beneficiary: a million dollars waiting for you!

This is to re-inform you that you have been shortlisted among the few lucky people to receive Five Hundred Thousand United States Dollars Non-Profitable charity funds from our deceased parents in your Name.

Your email was selected using a Random Email Picker Tools used today 7/11/2020 7:19:30 p.m.

Kindly get back to me on how your fund can get to you.

Bless you

Kind Regards
Mrs. Louise Gill.

Emails like this pass through any spam checker because there is nothing technically odd about the email: no attachments, no links. The hacker just wants you to reply back to start a conversation and get you to give up your info. It’s a bit of what’s called social engineering. And if you don’t know any better, are down on your luck, and need cash, especially in these trying times, you may do it.

Don’t.

What You Can Do to Not Become a Victim

First and foremost, be wary of the emails you receive. Ask basic questions like:

  • Was I expecting this email?
  • Is the email coming from a real address that I’ve seen before? (don’t just look at the name, look at the actual address)
  • Do I know the sender?
  • Am I expecting this attachment?

Don’t immediately click on links or attachments. Hover over them and make sure they are going to addresses and domains you recognize.

If available, use Two Factor Authentication or Multi-Factor Authentication.

Some online web-based applications offer 2FA/MFA as a second level of security. Typically it involves, in addition to using your username and password, getting a code on your phone or using some sort of Authenticator Application, like Google Authenticator, and entering that code on the website. The idea is, even if your password is stolen, only you would have access to your phone, so the hacker still won’t be able to get through without it. Most large companies use 2FA/MFA to provide access to company resources from outside the company network and that’s great! But that same username and password combination might be used for other outside apps that you access where you don’t have 2FA/MFA enabled. So that leads to the next tip.

Use different passwords for different applications.

You may have to use the same username (many companies use the email address as a username). But don’t reuse the same password for everything, even if it is easier to remember. And try to make it complex: at least 8 characters, with uppercase, lowercase, numbers, and special characters. And change your passwords often, like every few months.

At Uni-Data, we can help you find, implement, and manage a cloud-based Anti-Phishing/SPAM solution that can reduce the amount of scam emails your employees receive, thereby increasing the security of your infrastructure.