This week has been a busy one for the security team. We have been slammed with a new phishing tactic: requests for cell phone numbers. Campus inboxes are receiving emails that appear to be coming from a supervisor. They look like this.
While this one contains a misspelled word, others look perfectly legit. The only clue is the weird sender email address.
Why do they want your cell phone number? Lots of reasons. First of all, they can connect your phone number to your email address, which helps build out your data profile so advertisers can target you with ads more easily. Advertisers pay a premium for complete data profiles.
But the benefits don’t stop there. If they have your phone number, know where you work, and have your email address and your name, they have enough information to impersonate you with your cell phone provider. If the customer service agent who answers the call doesn’t follow proper procedures, the scammer can port your number to a different carrier or disable your SIM card and get a new one. Either way, you lose control of your phone number and the criminal now has access to everything that uses your phone number for confirmation. One MRU employee has already found out how damaging this type of attack can be.
Lastly, they can send you lovely text messages containing links that appear to come from your bank, include offers for free stuff, or offer opportunities to enter a contest. Clicking on these links loads malware onto your device designed to steal passwords, contacts and data.
Your best defense against this type of attack is to read the sender’s email address before you read the body of the message. If you see that the email is not from a Mount Royal account, you can delete the message before your emotions are triggered by the email content.
If you aren’t sure if an email is legit, you can check the Phish Bowl to see if it is listed there or you can forward the email to email@example.com. If you find a phishing email, don’t forget to report it by clicking the PhishAlarm button or forwarding it to firstname.lastname@example.org so we can warn your colleagues.
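An added example, not part of the original post, of the sender check described above written as a small triage rule: it flags a message whose display name matches a known staff member but whose address is off the campus domain, and whose body asks for a phone number. The campus domain, the staff directory and the two sample messages are constructed assumptions, not MRU data.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: replace with your own domain and a real directory export.
CAMPUS_DOMAIN = "campus.example"
KNOWN_STAFF = {"jane doe": "jane.doe@campus.example"}  # constructed directory

# The lure described in the post: a request for a cell/mobile number.
PHONE_REQUEST = re.compile(r"\b(cell|mobile|phone)\s*(number|#)\b", re.I)


def check_sender(raw_message: str) -> list:
    """Return a list of warnings for a raw RFC 822 message (empty = nothing odd)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    warnings = []
    # Rule 1: the address itself is not a campus account.
    if domain != CAMPUS_DOMAIN:
        warnings.append(f"sender domain '{domain}' is not {CAMPUS_DOMAIN}")
    # Rule 2: display-name impersonation of someone in the directory.
    expected = KNOWN_STAFF.get(" ".join(display_name.split()).lower())
    if expected and expected.lower() != address.lower():
        warnings.append(f"display name '{display_name}' matches a staff member "
                        f"but the address is {address}")
    # Rule 3: replies would go somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"Reply-To {reply_to} differs from From address")
    # Rule 4: the body asks for a phone number.
    body = msg.get_payload(decode=True) or b""
    if PHONE_REQUEST.search(body.decode("utf-8", "replace")):
        warnings.append("body asks for a phone number")
    return warnings


# Constructed samples: a lookalike "supervisor" email and a genuine one.
SAMPLE_PHISH = """From: Jane Doe <jane.doe@freemail.example>
To: staff@campus.example
Subject: quick request

Are you available? Send me your cell phone number, I need to reach you.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@campus.example>
To: staff@campus.example
Subject: agenda

Please see the agenda for tomorrow's meeting below.
"""
```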
Mount Royal employees are receiving fraudulent calls from individuals pretending to be from the Canadian government. The caller explains there is an issue with your SIN and, as a result, you are subject to legal action. You are asked to contact them immediately. Upon contacting them, you are told you must pay thousands in bitcoin to avoid being charged with fraud. This scam is similar to one currently making the rounds in Regina.
What makes this scam so concerning is that the fraudsters are spoofing government agencies so the call looks official. They are also often robocalls, which makes them sound even more legitimate. In response, the Canadian Anti-Fraud Centre has issued an alert asking people to be vigilant.
No Government of Canada agency will call you and threaten you or ask for payment over the phone. Neither will the RCMP or police. If you receive a call of this nature, hang up the phone. If you are concerned there may be an issue with your SIN, you can contact the government directly by visiting their website. You can also check with Equifax and TransUnion to see if your SIN has been used to obtain additional credit without your knowledge.
This week several employees reported receiving calls from someone claiming to be from Adobe asking them if they wished to receive emailed documents about their products. Those who reported the calls declined, so I can’t say if the calls were legitimate sales calls from Adobe or if they were pretexting calls. Regardless of which they were, agreeing to be emailed documents usually doesn’t end well.
If the calls are legitimate sales calls, you could be agreeing to receive hundreds of spam emails. If they are pretexting calls, the email they send you could have malware attached to it or contain a link to a webpage spoofing a legitimate site, designed to steal your login credentials. To add to the misery, they could then take any information that you have given them over the phone and use it to create additional phishing emails that are almost impossible to detect.
Unfortunately, this is the second time that we have had this type of call on campus. As pretexting is on the rise, I suspect we are going to see a lot more of them in the coming months. This is a gentle reminder to be alert if someone calls you asking for information they should already have or for personal information they shouldn’t know.
If it is a sales call and you are interested in their services, hang up the phone and call the company using a phone number listed on their official website. If it is from an organization that you know, hang up and call them directly using a phone number you know is legitimate. Never call them back on a phone number they give you.
This week a rather irritating phone campaign has hit the campus. Phone solicitors are calling employees and asking them to confirm their role. If the employee does, the caller asks if they can send them some email. This particular campaign is more annoying than malicious. However, it provides a great opportunity to review phone safety.
With people becoming more tech savvy and cybersafety aware, it is becoming harder for criminals to score with a simple phishing email. To increase the odds that their potential victims will be tricked, they are turning more and more to pretexting. The phone is fast becoming their favorite tool.
Typically a target receives a phone call with the scammer pretending to be someone who is trusted or has a right to the information they are asking for. They will often ask questions that seem innocent enough. However, they are gathering information about you and the University that they can use against you later. Armed with enough information, they can create a phishing email that is almost impossible to identify as malicious.
If you receive a phone call from someone who is asking for information they should already have or that they shouldn’t know, politely ask them for the name of their organization and then tell them you will contact them later. You can then hang up and call that organization directly using a number that you have either used before or that comes from the organization’s official website. If you cannot reach the individual through the organization’s switchboard, then you know that it is a scam.
Two-step verification keeps criminals from accessing your account if your password is compromised. It is a great way to add an extra layer of security to your accounts. However, enterprising criminals have found a way around it.
How did they do it? Is there some back door that they found? Have they created a new brute force hack technique? Nope. They just ask for the verification code. Low tech social engineering strikes again.
Here is how it works. They send you a text that looks like it comes from Google notifying you of a password reset. If you don’t want your password reset, you are instructed to text the word STOP. Once you do, you are asked to text 822 back to be sent a verification code to stop the password reset. Once you receive the verification code, they ask you to text them the code back to confirm that you don’t want the password reset. Pretty clever huh?
Of course, what is happening is that they are trying to get into your account but can’t because they don’t have the verification code. By playing the stop-the-password-reset game, they are hoping to catch you off guard so you just send them the code.
For the record, no one will ask you if you don’t want to do something with your account. As soon as someone asks you for confirmation to NOT do something, you know the jig is up. This is just another reminder that we have to read our texts and emails carefully and question anything that seems odd. The criminals count on you to react without thinking. Stop them in their tracks; think before you react.
Several employees on campus have been receiving calls asking them to verify their business on Google. The caller is a recorded voice or robocall. If you choose to press 1, you are connected to a person who tries to sell you a service. They are not from Google, but are using Google’s name to sound legitimate. Their service is a scam, as verification of a business on Google is done through snail mail, and there is no charge for it.
If you receive a robocall, make note of the organization calling and hang up. You can then contact the organization directly and determine if they have a legitimate need to contact you. Robocalls are usually trying to sell you something or are scams.
Scammers don’t just use robocalls to con you out of your hard-earned money. They will call you directly as well, creating a sense of urgency to trick you into signing up for an overpriced service that you don’t need. If a person calls you and asks for payment for a service over the phone, ask for the name of the organization and tell them you will call them back. Google them and check reviews of their service. If you decide that you do want to sign up, contact the organization directly using the contact information found in the Google search. Do not be tricked into using a phone number that the caller gives you. If they are legitimate, you will be able to contact them using a publicly available number.
Yesterday one of our staff members checked her voicemail and found a nasty message from an “Officer” Robert William asking her or her attorney to call him immediately before “the legal situation unfolds”. Our quick thinking staff member Googled the number, 905-581-1528 and discovered that it was a phone scam.
Had she called them, she would have been asked her personal information including her SIN. Armed with that info, the crooks would have applied for credit cards and loans in her name, leaving her on the hook for the payments. Only after months of paperwork and expensive legal fees would she have been able to clear her credit record and name.
This is just a reminder to never give out information people should already have, whether over the phone, in an email or by text. If someone calls you and tells you they are from your bank, a vendor, the CRA, the RCMP or the Calgary Police Service:
- Ask for their name.
- Tell them you will call them back.
- Call the organization’s switchboard directly using a number that you obtain from a Google search or that you have used before.
- Ask for the individual by name.
If they insist that the only way to reach them is through a number that they give you, you know that it is not a legitimate call. If they tell you that they may not be available when you call back, you should be able to have your account or file reviewed by someone else in the same department.
Remember, no legitimate agency threatens legal action over the phone.
Residence Services is reporting voice mail messages are being left on their phones threatening legal action if the call is not returned. The callers are requesting banking information and are calling from a 705 area code.
If you ever receive a threatening phone call requesting banking or personal information over the phone:
- Politely inform the caller you will call the organization or institution directly.
- Hang up.
- Call the organization or institution directly using a phone number that you know is legitimate. Do not use a phone number given to you by the caller.
Remember, if the call is legitimate you will be able to contact the caller through their organization’s or institution’s general contact number. If you cannot, you know the call is a scam and can ignore it. For more information on phone scams, check out the Crime Stoppers Telephone Scams page.
- Expect no delay. If you answer the phone and someone doesn’t begin talking immediately, you are being connected to the next available telemarketer or scammer. Hang up.
- Identify who is calling. As soon as you answer the phone, ask who is calling and who they work for. If they refuse to identify themselves or their company, hang up.
- Trust but verify. Ask the caller for their phone number and street address, then cheerfully tell them you will call them back. Hang up and Google the address and the phone number to see if they match the name of the company. Do not use the number that they gave you to call them back. Look up the company website and use the contact number listed there. Legitimate companies want you to call them back and have no issues giving you contact information.
- Determine what they want and ask them for details that they should have if they are legitimate. For example, if they are calling about a credit card, ask them which one. They should be able to give you the last few digits on the card or account. If they can’t give you specifics, hang up.
- Never respond to inquiries using yes, yup or uh huh. These confirmations can be misused to sign you up for services that you have no interest in. Instead use, “That is correct” or another type of confirmation. For example, if they ask “Am I speaking to the owner of the house”, respond with “The owner of the house is speaking”.