Cybersecurity Blog

Scammers targeting MRU are getting very creative – 07/17/19

In September last year, the first of several targeted email scams arrived in Mount Royal inboxes. Since that time we have see a plethora of these scams spread across campus.  Up to now that have all  been emails from a supervisor asking a report to do a favor for them.

However, we must have ended up on some “the Best People to Scam” list as this week the scams have gotten very creative. First up is a dude in Indonesia contacting Wellness Services to help him sell a helicopter (I actually think this might be legit).  Second up is  an email to the MRFA insisting a charge from their store has appeared on a bank statement (definitely not legit).  Check out the pics!!

 

As entertaining as these emails are, that is not the reason why I am sharing them with you (well maybe a little bit). I am sharing them to give you a heads ups that MRU is being actively targeted and we all need to be on our toes. If you receive any email that is out of the ordinary, please take a closer look at it. If you aren’t sure if it is malicious, forward it to abuse@mtroyal.ca like your colleagues did and we can take a look. Everyone who reports an email gets a cool sticker. Be a superhero and report those malicious emails!

 

Must Read – MRU impersonators are spoofing real email addresses 07/03/19

The newest round of MRU impersonators are upping their game. The are now  spoofing legitimate email addresses. To do this, they accessed the source code of the email and changed its header information.  As a result, the displayed sender email address and sender’s name match and are correct. However, any replies to the email are sent to a different email address all together. Take a look.

 

 

Not only did they spoof the email address, but they also included the employees’ email signature. This makes it very hard to determine if the email is legitimate or not.

How do you protect yourself against this type of cyberattack? Easy,  do what your colleagues  did. Call the person who sent the unexpected email to verify that they actually sent it. By making that call, you not only protect yourself but also the person being impersonated.  Without it they have no way of knowing their email account may have been compromised.

To all of you who forwarded the email to abuse@mtroyal.ca, thank you!!  You are superheros! Don’t miss your chance to be a superhero, forward malicious emails to abuse@mtroyal.ca.

 

Another Canadian university targeted by MacEwan-like scam – 06/26/19

 

Last week was a rather exciting week for a Canadian university as a scammer tried to convince the university’s finance department  to deposit money into their account. The scammers were thwarted by a Finance clerk who followed procedure.  Yes, the superhero in this story is boring, annoying old procedure. Here is how it went down.

The university was building a new student centre.  So when a Finance clerk received a request for a direct deposit form that looked like it came from the construction company working on the project, they thought nothing of it. They replied to the email request with the form and instructed the company to complete it and forward it to the Finance VP’s admin assistant, as per procedure.

When the admin reviewed the form, everything looked fine at first glance. However when she called the construction company to confirm that they had sent the request, as per procedure, they learned that they had not.

Realizing that they were being targeted by a scammer. The University staff looked closer at both the emails and the completed form. They discovered two things. First the beginning of the email address was  correct, but the word “group” had been added to the end of it.  Second the name of the site manager on the form was correct but the signature on the form was clearly forged. Both of these red flags had been missed. However, because both the admin and the clerk had followed procedure, disaster was adverted.

Unfortunately the City of Burlington in Ontario wasn’t so lucky.  It isn’t know if procedures weren’t followed or if they weren’t in place. However, when they were targeted with a similar change-to-payment scam,  they lost $503, 000 to the scammers.

This is a reminder that procedures are in  place to help, not hinder. We are all human. We make mistakes. However, following procedure  helps us do our jobs successfully and keeps us out of trouble.  Regardless of which department you are in, follow your teams procedures. They are there to help.

 

New email scam impersonates MRFA president – 06/26/19

The following email showed up in MRU inboxes this week.

There are two things that make this email so convincing. First Melanie’s email address is, in fact, correct.  No, her email wasn’t compromised. It was spoofed.   Second, they name a colleague as the person who will reimburse you. A nice touch actually.  With such a convincing email, how the heck are you supposed to know this is a scam? Well, there are a few tells.

First off, the grammar is rather crappy. Not what you would expect from the president of the MRFA. Second, if you try calling Melanie to confirm she sent the email, you get a phone message saying the MRFA office is closed and she isn’t returning messages.  If the office is closed, why would she be sending money to vendors? Third there is a sense of urgency. The email says the money needs to be transferred today. Lastly, she is asking you to take money from your personal account. That is a HUGE red flag. Why on earth would she ask you to take money from your personal account to pay a vendor? Nothing makes sense in this email except the email address and name dropping.

The best way to protect yourself from this type of a scam, is to go slow and question everything. If something doesn’t add up, call the email sender to confirm that they sent the message. If you aren’t sure you can forward the message to abuse@mtroyal.ca and we will take a look at it for you.

That is just what Megan did. Thanks to her quick actions, we were able to track down those who received this message, notify them it was a scam and stop the attack in its tracks. Way to go Megan, you are a superhero!! Be a superhero like Megan, report malicious emails to abuse@mtroyal.ca and help protect your colleagues from scammers and hackers.

For Megans efforts, she will be receiving  a commitment sticker. Want your own sticker? Report an malicious email to abuse@mtroyal.ca or come down to see me on Main Street on August 20th from 10:00 am to 2:00 pm.  Pick up your sticker and spin the prize wheel to win cool swag.

 

 

 

Reply to emails cautiously – 05/22/19

 

Since September, the Mount Royal community has been targeted by a gift card scam.  With this scam, criminals send you an email that looks like it comes from your supervisor asking you if you are available. If you respond, they ask you to purchase gift cards and send them photos of the redemption codes. This past weekend another 300 or so Mount Royal inboxes received one of these scam emails.

Fortunately, we had more people reporting them than we had people responding to them. Some of those that did respond sent out personal information such as where they were located, photos and their plans for the weekend. To our knowledge, no one went as far as purchasing gift cards. We are thankful for that.

Realizing that you gave scammers personal information about yourself just feels creepy. It is also dangerous.  The criminals can then take that information and use it as content in malicious emails that are sent to yourself or others. This makes the emails seem legitimate  increasing the likely hood that someone will be tricked.

In addition to being dangerous, conversing with the scammers encourages them to continue targeting Mount Royal. If they get a response to an email, they know it is only a matter of time before they convince someone to follow through and purchase those gift cards. Ignoring their inquiries will not stop the attempts, but it will reduce their frequency.

The best way to defend yourself from giving out personal information to criminals is to check the sender’s email address before you read the body of the email.  That way you have a better idea of who you are talking to before you respond. They may still be a hacker, but the odds are much smaller. Just by taking this small simple step you greatly reduce your chances of sharing information that you wish you hadn’t.

 

 

Is it spam or is it phishing? 05/23/19

 

I am truly delighted with the number of malicious emails that are being forwarded to abuse@mtroyal.ca.  The Mount Royal community is doing a great job of letting us know what to look for and helping us defend their data. There is one question that people keep asking though, what is the difference between Spam and a phishing email? I thought I would take a moment to clarify.

Spam email
  • Goal is to sell you something.
  • It is sent to hundreds or thousands of people at a time.
  • Reading the email does not generate an emotional response.
  • It may or may not contain links
  • Clicking on the links will take you to the organizations website.
Phishing email
  • Goal is to steal your data or use your workstation as a tool to access data on other people’s devices.
  • It can be sent to thousands of people or just one or two.
  • Reading the email generates an emotional response.
  • It may or may not contain links and or attachments.
  • Clicking on the link or opening an attachment takes you to a fake web page and/or loads malware onto your device.

The easiest way to determine if what you are dealing with is spam or phishing is by examining the purpose of the email. If it looks like they are trying to sell you something, then it is probably spam. If it looks like they are trying to confuse or trick you, then it is likely phishing.

Spam emails should be marked as spam by clicking the stop sign icon in the Gmail menu bar. Phishing emails should be forwarded to abuse@mtroyal.ca. If you aren’t sure which one it is, forward it to abuse@mtroyal.ca and we can let you know.

 

Job scam landing in MRU inboxes – 05/13/19

 

The latest scam to make the rounds is an email that appears to offer the recipient an opportunity to apply for an admin position.  It looks like this:

The email comes from the Vice President of an organization called the Robert Sterling Clark Foundation.  It is a real organization and the sender’s email address appears to be legitimate. Most likely, the sender has had her email account hacked and the scammers are using it to send out these fraudulent emails.  The poor grammar and hotmail email address are clues that something isn’t quite right.

Without responding to the email, it is impossible to know exactly what the scam is. However there are some standards tactics used. In the first one, once you send them your resume  they offer you an interview but charge you a fee of several hundred dollars to participate. No company will ever charge you to be interviewed.

In the second tactic, you are either given an interview through text or email or just offered  the  job outright based on your resume.  Once you accept the position, they send you a cheque. You are then asked to deposit the cheque into your account and then immediately transfer the same amount of money from your account to another.  Of course in a few days their cheque bounces and your bank account is minus those funds.

No legitimate employer will offer you a job without a proper face to face interview. Nor is there a legitimate reason for an employer to send you a cheque and ask you to deposit it in your account only to have you immediately transfer it to another.

To protect yourself from job scams:

  1. Do not pay for an interview or for interview expenses.
  2. Do not accept a position that does not require a face to face interview.
  3. If you are asked to make purchases or transfer funds on your employers behalf, make sure any fund transfers or cheque deposits clear before you do so.
  4. Research perspective employers. Make sure you can reach your contact person through the company’s main contact number or email listed on their website. Check for reports of fraud involving the company.

Remember, if it seems too good to be true, it probably is. Just ask this woman from New Brunswick.

 

 

If it seems to good to be true, it is. 03/20/19

Everyone likes a good deal.  So when one of our analysts found a 2014 Jeep Wrangler Rubicon with less than 50000 km on Autotrader for $11500, his heart skipped a beat. This vehicle was loaded with aftermarket goodies and usually goes for four times the price.  Check her out, she is a beauty!!

 

 

He hoped with all his heart, that this was the real deal. However with the price being so low, his scam detector was running at full power. He contacted the seller and discovered that the vehicle belonged to her father who has just passed away. She knew nothing about jeeps and just wanted to get rid of it. Hmmm, that sounded plausible. He investigated further.

The seller informed him that if he wanted to purchase the jeep he would have to do it through WTC, otherwise known as Wiozacars Trading Corporation. Our analyst did some research and found that it was an escrow company with tons of good reviews from various sources going back several years. Oddly enough, there wasn’t one link in the three pages of search results to the company’s website. Maybe it didn’t have one. This might be legit after all.

Our analyst informed the seller that he was interested but didn’t know anything about WTC and asked for more information. The seller sent him detailed instructions on how to complete the transaction along with a link to the WTC website. That is when things started to fall apart. If the company had a website, why didn’t a Google search find it? He clicked the link the seller provided and found a very beautiful and professional looking fully functional website.

He decided to call their bluff and asked if his wife could look at the vehicle. Never mind that he was in Calgary and the vehicle was in Quebec. By now he was certain it was a scam, however he wanted to see what the sellers would do. Sure enough, after his request all communication stopped and the ad was removed from Autotrader. Scam confirmed.

No matter how badly you want to believe that once in a lifetime deal is the real thing, take the time to do your research. If their website doesn’t come up in a Google search or they are asking to use an unknown third party to do the transaction, walk away.

 

Brazen phishing email asks for passport information – 12/17/18

 

This week a new phishing email is popping up in Mount Royal inboxes. The cheeky criminals are coming right out and asking for passport details as well as other personal information. They don’t even bother with links or fancy look a like web pages.  They just ask for your information so they can send you money.  The email looks like this:

 

 

Because this is a low tech scam, people tend to let their guard down and be more receptive to getting hooked. The scammers count on this and hope the victim gets excited enough about the possibility of getting free money to give up their personal information.  Once they have it, they can use to to steal their identity and wreak havoc on their life.

This is definitely a case of, if it seems too good to be true then it probably is. No bank will email you out of the blue to ask you for passport information. If you refuse to accept reality and want to cling onto hope, then contact the bank directly to ask them if they are trying to transfer you some money.  Don’t ever send personal information like passport, driver’s license or credit card information in an email.

 

Cyber criminals try bomb threats, fail and turn to threats of acid attacks – 12/14/18

 

Last week inboxes across North America received phishing emails that threatened to blow up their place of business if they did not immediately pay $20 000 in bitcoin. The good news is there was no bomb.  The bad news is not everyone understood that.

Police departments across the continent were flooded with calls from panicked citizens reporting the bomb threats.  The bomb threats were so disruptive that police forces in the US and Canada issued reports and held press conferences assuring citizens that the threats were part of a phishing scam.

Unfortunately for the criminals, no one is paying the extortion fee. So while they get an A for getting everyone’s attention, they get an F for not making any money.

Having bombed with their bomb scare (sorry, I couldn’t resist), this week the criminals are threatening an acid attack if they aren’t paid. Apparently they are trying to repeat the success of their sextortion scam which netted them $146 380 in three days. So if you receive an email in broken English threatening to throw acid in your face if you don’t pay up, delete it.