Phishing Scams to Look Out For

The Holiday season brings a lot of things with it.  The hustle and bustle, the holiday lights.  However, scammers are hard at work year-round and they even put in some overtime around the holidays.  That’s right, we typically see an uptick in phishing and spam emails this time of year.  Here are some examples of phishing scams to look out for.

FedEx Phishing

Phishing Scams to Look Out for: Fake Tracking Number

So, we all know there is a huge uptick in online shopping around the holidays.  With that comes an increased number of tracking messages from FedEx, UPS, and USPS.  A lot of these are legit, but the bad guys have gotten pretty good at mimicking them.  When you click on the button for tracking info in one of the fakes, it takes you to a malicious website.

You can avoid getting caught by taking a second to hover over the link before clicking.  This will display the full URL.  If it’s not from FedEx it will be obvious.  You’ll likely see a long URL with a bunch of random numbers and letters.  DON’T CLICK IT.  Delete the email and move on.

Account Security Phishing

Phishing Scams to Look Out for: Fake Account Expiration

Another common phishing email that has become prevalent recently is the fake account expiration email.  This prompts you to click on the link to make sure that your account doesn’t get shut down.  However, if you look carefully, you’ll realize that nowhere in the email does it tell you WHAT account they’re talking about.  If you hover over the link, you’ll likely see it directs you to a website you don’t want to go to.  Delete the email and move on.

Fake Resume

Phishing Scams to Look Out for: Fake Resume

Here’s another one to look out for.  We’ve seen an uptick in these recently for some reason.  These are phishing emails posing as a job seeker sending their resume.  If you click on the document and put in the provided code, it will execute malicious code on your machine.  Most of these will likely get caught by the spam filter, but if they get through you want to make sure you delete them.  The juvenile name the bad guys selected in this instance should have been a red flag.  Don’t get caught.

Phishing Scams to Look Out for: PayPal spoof email

For some reason PayPal seems to be one of the most spoofed of any brand.  Likely because if the bad guys can get access to your PayPal account, they can get credit card and banking information.  There are several red flags on this one.  If the text of an email ever seems odd, you should pause.  If it seems like the person who wrote it doesn’t speak English as their first language, or if it contains unusual grammar errors you wouldn’t expect from a large company, stop and think.  The formatting on this example is also terrible.

Look for things that are inconsistent for the brand: the formatting is off, or the link doesn’t direct you to the URL you would expect.  Don’t fall for it.

Phishing Scams to Look Out for: Document Upload Spoof

Another one we’ve been seeing more often lately is a notification like the one above that you have a document waiting for you.  The example above references OneDrive; however, we’ve seen these for Dropbox, Google Drive, DocuSign, and others.  The first thing to ask yourself is whether you’re expecting a document from someone.  If the answer is no, then you should take extra care.

Again, look at how the email is structured.  Where is it coming from?  Is the sending address legit?  If the email has a link and you hover over it, does it direct you where you expect it to?  Are there spelling errors?  Take care and don’t get caught.

Phishing Scams to Look Out for: Password Reset Email

This one is particularly tricky.  The bad guys leverage a user’s desire to be secure to get them to click on a link that will compromise them.  Some of these can be very well done, and copy the look and feel of the legit password reset emails exactly.

If you look closely here, you’ll notice that the sender’s email address is slightly different than the one you get on a legitimate request.  Again, previewing the link here could save you.

If clicked, the link in this message directs you to a decoy website designed to collect your credentials.  Then the bad guys will immediately have access to all your email.  Scary business.  Watch out for this one.

Extortion Phishing

Phishing Scams to Look Out for: Shame and Extortion Email

The scariest thing about this email for most people is that they tell you right in the title what your password is, and they’re right.  Typically, it’s an older password, and you may not be using it for any of your accounts now, but it WAS your password.  How could they know that?  If they do know that, does it mean that the rest of the email is also true?

Unfortunately, most of us have a password or two out there that have been burned.  We may not know about it, but we do.  You can check if yours have been here.  I know that I had a password compromised a few years back by our good friends at LinkedIn.  They had 164 million usernames and passwords that were breached in May of 2016, and I was one of the lucky ones.  The fact that they have an old password of yours does not mean they have access to your entire life.

However, if you are still using that password on ANY account ANYWHERE you should immediately go to work resetting it.  Really good password hygiene habits dictate that you don’t reuse passwords across different accounts, but I think that’s something most of us are still guilty of.  Reset it.

Don’t fall for the rest of their spiel.  DON’T GIVE THEM BITCOIN!  Just make sure that you’re not using your old password anymore, delete the email, and move on.  They don’t have embarrassing pictures of you, and there is not a real threat here.

Phishing Avoidance Guidelines

Here are some basic steps on how to spot those nasty phishing emails from our friends at Security Metrics.

  1. Legit companies don’t request your sensitive information via email
  2. Legit companies usually call you by name
  3. Legit companies have domain emails
  4. Legit companies know how to spell
  5. Legit companies don’t force you to their website
  6. Legit companies don’t send unsolicited attachments
  7. Legit companies’ links match legitimate URLs
  8. When in doubt, contact a professional!

If you ever have doubts about an email, please run it by an IT professional before you click.  It’s much less bother for IT to take a quick look and verify the legitimacy of the email in question than to try to clean up the mess after you click.
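
For IT staff asked to take that quick look, the hover check and guidelines 3 and 7 can be run on a saved message.  This Python is an added example, not code from i.t.NOW or Security Metrics; the names site, Links and audit and the sample message are made up for illustration, and comparing only the last two labels of a domain is a simplifying assumption.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def site(host):
    # Last two DNS labels: a simplification; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class Links(HTMLParser):  # collects [href, visible text] for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def audit(raw, expected_site):
    """Return the reasons a message does not match the brand it claims to come from."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1]
    findings = [] if site(sender.rpartition("@")[2]) == expected_site else [f"sender: {sender}"]
    body = msg.get_body(preferencelist=("html",))
    parser = Links()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if site(host) != expected_site:  # guideline 7: the link should match the real site
            findings.append(f"link target: {host}")
        shown = re.search(r"(?:[\w-]+\.)+[a-z]{2,}", text.strip(), re.I)
        if shown and site(shown.group()) != site(host):  # the text names a different site
            findings.append(f"text shows {shown.group()} but link goes to {host}")
    return findings

# Constructed sample, not a real phish; the .example domains are reserved placeholders.
SAMPLE = """\
From: FedEx Tracking <tracking@fedex-delivery.example>
Content-Type: text/html; charset="utf-8"

<a href="http://x7f3k9.shipment-update.example/t?id=8841">www.fedex.com/tracking</a>
<a href="https://www.fedex.com/">FedEx home</a>"""
print("\n".join(audit(SAMPLE, "fedex.com")))
```

An empty result only means the sender and links are consistent with the expected domain; it does not prove the message is legitimate.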

Here to Help

i.t.NOW is here to help, and we want you all to have a fantastic Holiday season.  If you’re a client of ours and ever have doubts about a suspicious email, please ask us.  The last thing your business needs for the holidays is a data breach.  We also have some great solutions for secure email that can cut down significantly on the amount of spam you get in the first place.  Contact us today to discuss secure email solutions.