Cybersecurity Blog

Criminals find a way around two step verification in Google – 04/11/18

Two step verification keeps criminals from accessing your account if your password is compromised. It is a great way to add an added level of security to your accounts. However, enterprising criminals have found a way around it.

How did they do it?  Is there some back door that they found? Have they created a new brute force hack technique? Nope. They just ask for the verification code. Low tech social engineering strikes again.

Here is how it works. They send you a text that looks like it comes from Google notifying you of a password reset. If you don’t want your password reset, you are instructed to text the word STOP. Once you do, you are asked to text 822 back to be sent a verification code to stop the password reset.  Once you receive the verification code, they ask you to text them the code back to confirm that you don’t want the password reset.  Pretty clever huh?

Of course what is happening is they are trying to get into your account but can’t because they don’t have the verification code. By playing the stop the password reset game they are hoping to catch you off guard so you just sent them the  code.

For the record, no one will ask you if you don’t want to do something with your account.  As soon as someone asks you for confirmation to NOT do something, you know the jig is up.  This is just another reminder that we have to read our texts and emails carefully and question anything that seems odd. The criminals count on you to react without thinking. Stop them in their tracks, think before you react.


Mount Royal Employees Receiving Recorded Messages From “Google” – 12/11/17

Several employees on campus have been receiving calls ask them to verify their business on Google.  The caller is a recorded voice or robo call. If you choose to press 1, you are connected to a person who tries to sell you a service.  They are not from Google, but are using Google’s name to sound legitimate. Their service is a scam as verification of a business on Google is done through snail mail, and there is no charge for it.

If you receive a robo call, make note of the organization calling and hang up.  You can then contact the organization directly and determine if they have a legitimate need to contact you.  Robo calls are usually trying to sell you something or are scams.

Scammers don’t just use robo calls to con you out of your hard earned money.  They will call you directly as well, creating a sense of urgency to trick you into signing up for an over priced service that you don’t need.  If a person calls you and asks for payment of a service over the phone, ask for the name of the organization and tell them you will call them back.  Google them and check reviews of their service. If you decide that you do want to sign up,  contact the organization directly using the contact information found in the Google search.  Do not be tricked into using a phone number that the caller gives you. If they are legitimate, you will be able to contact them using a publicly available number.

Threatening voicemail left at Mount Royal – 11/21/17

Yesterday one of our staff members checked her voicemail and found a nasty message from an “Officer” Robert William asking her or her attorney to call him immediately before “the legal situation unfolds”.  Our quick thinking staff member Googled the number, 905-581-1528 and discovered that it was a phone scam.

Had she called them, she would have been asked her personal information including her SIN.  Armed with that info, the crooks would have applied for credit cards and loans in her name, leaving her on the hook for the payments.  Only after months of paperwork and expensive legal fees would she have been able to clear her credit record and name.

This is just a reminder to never give out information people already should have, over the phone, in an email or text.  If someone calls you and tells you they are from your bank, a vendor, the CRA, RCMP or Calgary Police Service:

  1. Ask for their name.
  2. Tell them you will call them back.
  3. Call the organization’s switchboard directly using a number that you obtain from a Google search or that you have used before.
  4. Ask for the individual by name.

If they insist that the only way to reach them is through a number that they give you, you know that it is not a legitimate call. If they tell you that they may not be available when you call back, you should be able to have your account or file reviewed by someone else in the same department.

Remember, no legitimate agency threatens legal action over the phone.

ALERT – Phone scam targeting Mount Royal University – 10/11/17

Residence Services is reporting voice mail messages are being left on their phones threatening legal action if the call is not returned. The callers are requesting banking information and are calling from a 705 area code.

If you ever receive a threatening phone call requesting banking or personal information over the phone:

  1. Politely inform the caller you will call the organization or institution directly.
  2. Hang up.
  3. Call the organization or institution directly using a phone number that you know is legitimate. Do not use a phone number given to you by the caller.

Remember, if the call is legitimate you will be able to contact the caller through their organization/institution general contact number. If you cannot, you know the call is a scam and can ignore it.  For more information on phone scams, check out the Crime Stoppers Telephone Scams page.


Combating Vishing

Vishing, or phishing over the phone is often used by scammers to perform fraud or obtain information that they can use for a cyber attack at a later date. To protect yourself, when a stranger calls follow these rules:
  1. Expect no delay. If you answer the phone and someone doesn’t begin talking immediately, you are being connected to the next available telemarketer or scammer.  Hang up.
  2. Identify who is calling. As soon as you answer the phone, ask who is calling and who they work for. If they refuse to identify themselves or their company, hang up.
  3. Trust but verify. Ask the caller for their phone number and street address, then cheerly tell them you will call them back. Hangup and google the address and the phone number to see if they match the name of the company. Do not use the number that they gave you to call them back. Look up the company website and use the contact number listed there. Legitimate companies want you to call them back and have no issues giving you contact information.
  4. Determine what they want and ask them for details that they should have if they are legitimate. For example, if they are calling about a credit card, ask them which one. They should be able to give you the last few digits on the card or account. If they can’t give you specifics, hang up.
  5. Never respond to inquiries using yes, yup or uh huh. These confirmations can be misused to sign you up for services that you have no interest in. Instead use,  “That is correct” or another type of confirmation. For example, if they ask “Am I speaking to the owner of the house”, respond with “The owner of the house is speaking”.