Scam Radar — August 2024
Below are three new scams to keep on your radar, as well as some tips for how to avoid them. You can also find some great tips at the bottom of this article on how to keep your organization safe from cybercriminals. Be on the lookout for yourself, your family, and your clients! THINK BEFORE YOU CLICK!
CrowdStrike Outage Phishing Scams
Recently, a mass IT outage caused confusion and chaos. A buggy software update deployed by the cybersecurity company CrowdStrike impacted Windows computers worldwide. Systems were affected globally, resulting in delayed flights, business closures, and more. However, what is bad news for you is good news for cybercriminals. Cybercriminals often seek to turn major events to their advantage by sending out phishing emails or text messages related to the event. By using a major event that you are familiar with, they hope that they can trick you into clicking on malicious links or attachments.
Shortly after the outage, cybercriminals began creating fake websites. The websites claim to belong to IT workers who can assist with troubleshooting the outage and restoring access to affected computers. There are files on the fake websites that appear to be software updates for Windows computers. However, these files actually contain malware. If you download them, malicious software can be installed on your computer, giving cybercriminals access to your personal data!
Tips to Avoid Similar Scams:
This specific scam involves fake websites, but remember that cybercriminals will exploit this event in different ways. Be on the lookout for any suspicious activity related to the CrowdStrike outage.
Don’t download any files or attachments from websites or emails. Any troubleshooting related to the CrowdStrike outage should be addressed by your organization’s IT team.
Be cautious of unexpected calls, emails, or text messages that seem urgent to respond to. Cybercriminals will try to use this outage to trick you into acting impulsively.
These Travel Offers are too Good to be True
In this month’s scam, cybercriminals are taking advantage of travelers and tourists by sending out fake emails. The emails appear to be from legitimate airlines, hotels, and other travel-related organizations. However, the emails are actually a clever trick that scammers use to steal your money and personal information.
The email you receive could appear to be from any travel organization, and it usually offers a chance to win a prize or a travel package. Or the email may sound urgent, such as claiming that you need to resolve an issue with your Airbnb or hotel account. If you click the link in one of these emails, you will be taken to a fake website and instructed to enter your personal information or user credentials. Anything you enter on these fake websites is transmitted directly to the cybercriminals. You do not win a prize for following the instructions in the emails, but the cybercriminals do. They get your data!
Tips to Avoid Similar Scams:
Be skeptical of email offers that sound too good to be true.
Unsolicited emails that instruct you to take an urgent action should be treated very cautiously. Cybercriminals often try to create a sense of urgency to trick you into falling for their scams.
Legitimate travel organizations will not ask you to provide sensitive or personal information through email. Always make sure that you are using the organization’s official webpage before entering any information or user credentials.
Pastejack Attack
In this week’s scam, cybercriminals are trying to trick you into running malicious code using PowerShell, a powerful tool for executing commands on your computer. This technique is known as “pastejacking”: you are tricked into copying malicious code, pasting it into a terminal on your own computer, and then allowing it to run.
This scam begins when you receive what appears to be an urgent email that contains an attachment. If you try to open the attachment, an error message appears that says, “Failed to connect to the ‘OneDrive’ cloud service, to fix the error you need to update the DNS cache manually.” The message also provides a few lines of code and instructions on how to copy and paste them into a Windows PowerShell terminal. The message urges you to take action, which is exactly what scammers want. If you follow their instructions, you will run a malicious command on your machine. The code will install malware, giving the scammers access to your personal data.
Tips to Avoid Similar Scams:
You will never receive a legitimate email that tells you to open an attachment using PowerShell. If you receive an email instructing you to use PowerShell, immediately report it to your IT team.
Be cautious of any emails that prompt you to take urgent action. Creating a sense of urgency is a common technique that scammers use to trick you.
If you are unsure about the legitimacy of an email or attachment, contact your organization’s IT or security team for further instructions.
How to Keep Your Organization Safe in and Out of the Office
Whether you work from home or work inside an office, the security of your organization must be one of your top priorities. While these two locations can feel quite different, you can use the same precautions regardless of where you work from. Let’s take a look at some important cybersecurity rules and how you can implement them, both at home and at the office.
Only Use Secure Devices
Remember that your device is only as secure as the apps you run on it. Never install an application or plugin without first checking with your IT department.
Only use your work devices for work. If you are using a personal computer to do your work, we recommend creating a secondary profile on your computer specifically for conducting business. Make sure to use a unique username and password for this account.
In the office, network security is probably managed by your IT department. To help keep your home internet connection secure, use a complex password on your router. If your organization offers access to a Virtual Private Network (VPN), connect to that as well.
Protect Your Physical Workspace
In the office, watch out for piggybacking and tailgating. A piggybacker is someone who claims to be part of your organization and follows you into a secure area without using a badge or entry code. A tailgater is someone who waits for you to enter or exit a secure area and then sneaks in while the door is still open. Be suspicious of anyone you do not recognize, and don’t be afraid to ask for identification.
At home, find a private and comfortable workspace where no one can view your screen while you work. You must keep all sensitive information out of sight of any unauthorized persons, including your partners, children, and friends.
Always lock your computer when you step away from your desk. If you leave your computer unlocked, anyone can use it to access sensitive data, steal your login credentials, or even install malware.
Think Before You Click
Never click a link or download an attachment from an email that you weren’t expecting. Even if the sender appears to be part of a legitimate organization, the email address could be spoofed.
When an email asks you to log in to an account or online service, navigate to that service through your browser. Never click the link in the email. Navigating to the site directly ensures that you’re logging in to the real website and not a look-alike site.
When in doubt, call the sender of the email to be sure the request, link, or attachment is legitimate. Do not call the phone number provided within the email as it may be a fake number.
For more information regarding scams, please visit the Federal Trade Commission (FTC) Consumer Advice website.
You can also find details about the signs of a scam, how to avoid a scam, and how to report a scam in this article by the FTC — How to Avoid a Scam.
All contracted Agents receive FREE access to SMS-University, the industry’s most trusted, comprehensive online training platform, featuring numerous training modules, white-papers, and clear, concise education tools.
Sources:
Cited in article.