For a while now, I have been warning about clicking on links in emails from organizations that you know. Instead, I have encouraged all of you to visit the organization's website directly using a bookmark. A report of a new phishing campaign targeting Stripe users shows why this advice is so important to follow.
This campaign involves an email that tells the intended victim that there is something wrong with their account details. They are asked to log in to their Stripe account to update them and are given a handy button that appears to take them to the Stripe login page. The page is of course a spoof, and although it looks exactly like the real one, all credentials entered are collected by the thieves.
The fraudulent page is set up so that once you have entered your credentials in the fake login page, the attackers use them to log you into your actual account. From your point of view, nothing is amiss. They now have your login credentials, you are none the wiser, and they have hours if not days to withdraw funds before you even notice.
Although this campaign is targeting Stripe users at the moment, the same tactic is used to target all sorts of users. This is a gentle reminder not to click on links in emails from organizations that you know, but to use a bookmark instead. If you don't have the site bookmarked you can use a search result; however, proceed with caution, as more and more fraudulent sites are appearing there.
Mount Royal employees are receiving fraudulent calls from individuals pretending to be from the Canadian government. The caller explains there is an issue with your SIN and that as a result you are subject to legal action. You are asked to contact them immediately. Upon contacting them, you are told you must pay thousands in bitcoin to avoid being charged with fraud. This scam is similar to one currently making the rounds in Regina.
What makes this scam so concerning is that the fraudsters are spoofing government agencies' phone numbers, so the call looks official. As well, they are often robocalls, which makes them sound even more legitimate. In response, the Canadian Anti-Fraud Centre has issued an alert asking people to be vigilant.
No Government of Canada agency will call you over the phone and threaten you or ask for payment. Neither will the RCMP or police. If you receive a call of this nature, hang up the phone. If you are concerned there may be an issue with your SIN, you can contact the government directly by visiting their website. You can also check with Equifax and TransUnion to see if your SIN has been used to obtain additional credit without your knowledge.
Those clever cybercriminals have come up with another tactic to get you to click on something you shouldn't. Introducing the "I found an ID pass" phishing email.
What makes this email so diabolical is that it has no sense of urgency. In fact, it asks nothing of you at all. It simply lets you know that a pass was found and is being mailed. Its calm, indifferent manner lulls you into thinking the email is harmless. It counts on the reader being so curious that they throw caution to the wind and click on the link to see whose ID was found. Quite ingenious really.
If you receive an email of this sort, delete it and wait for the mail to arrive.
One surefire way to avoid becoming a victim of a cyberattack is to call the email sender to verify that they in fact sent the email. That is a message that I preach over and over again all over campus. I am happy to report that my message is being heard and acted upon…sort of.
Here is the email that one of our staff received in their inbox.
The staff member knows the sender, and aside from the poor grammar, the email is spot on. The attachment was indeed a SharePoint document, so she opened it. However, when she found nothing but a greeting and a link to another document, she paused. She knew that email addresses could be spoofed and realized she should confirm the legitimacy of the email. So she sent this email.
She correctly did not reply to the original email, but created a new one and sent it to an email address from her contact list. This is the reply that she received.
Before she could check the invoice, she received this email.
The sender's email account had been hacked! It didn't occur to our staff member that if someone else was using her colleague's email address, it wouldn't be her colleague who responded. She gets an A for verifying the legitimacy of the email. But she gets an F for talking to the hacker.
The lesson has been learned. When confirming email legitimacy, use the darn phone. A 30-second phone call can save you from a world of hurt.
The tools that cybersecurity professionals use are getting more and more sophisticated. They can now identify a known malicious link or attachment and strip it from the email so it never arrives in your inbox. To get around that, hackers are hiding their malicious links and attachments inside legitimate documents hosted on trusted services. This latest attack is a perfect example of that tactic.
This one is scary in its precision. It was sent to only two email addresses. Both recipients have higher-level network and financial access. The email looks like this:
It looks innocent enough. In fact, if you check the link it goes to a Microsoft site. Clicking the link takes you here.
This is a legitimate OneNote notebook. The icons, however, are just pictures, not clickable links, and the links below them are flagged as malicious. Had the user clicked on one of those links, their login credentials would have been quietly harvested.
In this type of attack, the hacker often shares or pretends to share a document with you. The email usually asks for your input and is purposely vague and low key. Should you open one of these documents and find only links to another document, close the document and contact the IT Service desk. Your quick action could save your data.
A couple of extremely well done phishing emails that appear to come from Chase Bank and Amazon have appeared in Mount Royal inboxes. Interestingly enough, both come from the same email address. Here is what they look like:
Criminals are getting better and better at creating emails that trick us into clicking. Remember, if you receive an email from an organization that you know, visit their website using a bookmark or search result and log in to your account. You should be able to read any notifications from there. If not, you will be able to find official contact information so you can inquire about the legitimacy of the email that you received. If you find one of these nasty things in your inbox, delete it.
This week the campus community is finding a particularly clever phishing email in their spam folders. It looks like this:
This is the third time our illustrious leader has been impersonated. Although this email is mostly landing in spam folders, I thought I should bring it to your attention in case it sneaks into an inbox or two.
Your on-the-ball colleague caught this one because they checked the sender's email address. This is a gentle reminder to follow their lead. With all emails that ask you to take some sort of action, whether it is opening an attachment, clicking on a link or providing information, always check the sending email address BEFORE you read the email. If the email address is wrong, it is less likely that your emotions will be triggered and rational thought bypassed.
If this darling arrives in your spam folder or inbox, it can safely be deleted.
Classes have begun and the hackers are betting that employees across campus will be ordering supplies. They have begun sending out fake order confirmations from Staples. These emails are extremely well done. Take a look.
I especially like the note at the bottom that specifically asks you to reply to the email. Just in case you are suspicious, they have given you some lovely directions that will put you in touch with them. Very clever.
The only real tell, unless you are super familiar with the email that Staples uses for order confirmations, is the URL behind the "View here" button, which takes you to chainetwork.club. Definitely not Staples.
As with all other emails that come from organizations that you are familiar with, visit their website directly to check orders, confirmations and payments. Do not use links in emails even if they look as legitimate as this one.
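The two checks recommended in these posts, comparing the sender's real address with the name it displays and comparing where each button or link actually leads with the organization it claims to be from, automated over a constructed sample message. This is an added example, not part of the original posts or any Mount Royal tooling; the sender address, subject and link paths are made up for illustration, while chainetwork.club is the domain named in the Staples post.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real campaign artifact): the display name says Staples,
# but the sending address and the "View here" button point at chainetwork.club.
SAMPLE_EML = """\
From: "Staples Order Confirmation" <orders@chainetwork.club>
Subject: Your Staples order confirmation
Content-Type: text/html; charset=utf-8

<html><body>
<a href="http://chainetwork.club/view?o=1">View here</a>
<a href="https://www.staples.com/help">Help centre</a>
</body></html>
"""

class _LinkCollector(HTMLParser):
    # Records the href of every <a> tag: where a link really goes, whatever text or picture it shows.
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def registrable(host):
    """Last two labels of a hostname (demo approximation; no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def check_message(raw, expected_domain):
    """Return findings for sender or link domains that are not expected_domain."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg["From"])
    sender_dom = registrable(addr.rpartition("@")[2])
    if sender_dom != expected_domain:
        findings.append(f"sender {addr} (shown as {display!r}) is not {expected_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href in collector.hrefs:
            host = urlparse(href).hostname or ""
            if registrable(host) != expected_domain:
                findings.append(f"link {href} leads to {host}, not {expected_domain}")
    return findings
```

Running `check_message(SAMPLE_EML, "staples.com")` flags both the off-brand sender and the "View here" link while leaving the genuine staples.com link alone.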
This week several employees reported receiving calls from someone claiming to be from Adobe asking them if they wished to receive emailed documents about their products. Those who reported the calls declined, so I can’t say if the calls were legitimate sales calls from Adobe or if they were pretexting calls. Regardless of which they were, agreeing to be emailed documents usually doesn’t end well.
If the calls are legitimate sales calls, you could be agreeing to receive hundreds of spam emails. If they are pretexting calls, the email they send you could have malware attached to it or contain a link to a webpage spoofing a legitimate site, designed to steal your login credentials. To add to the misery, they could then take any information that you have given them over the phone and use it to create additional phishing emails that are almost impossible to detect.
Unfortunately, this is the second time that we have had this type of call on campus. As pretexting is on the rise, I suspect we are going to see a lot more of them in the coming months. This is a gentle reminder to be alert if someone calls you asking for information they should already have or for personal information they shouldn't know.
If it is a sales call and you are interested in their services, hang up the phone and call the company using a phone number listed on their official website. If it is from an organization that you know, hang up and call them directly using a phone number you know is legitimate. Never call them back on a phone number they give you.
This week a rather irritating phone campaign has hit the campus. Phone solicitors are calling employees and asking them to confirm their role. If the employee does, the caller asks if they can send them some email. This particular campaign is more annoying than malicious. However, it provides a great opportunity to review phone safety.
With people becoming more tech savvy and cybersafety aware, it is becoming harder for criminals to score with a simple phishing email. To increase the odds that their potential victims will be tricked, they are turning more and more to pretexting. The phone is fast becoming their favorite tool.
Typically a target receives a phone call with the scammer pretending to be someone who is trusted or has a right to the information they are asking for. They will often ask questions that seem innocent enough. However, they are gathering information about you and the University that they can use against you later. Armed with enough information, they can create a phishing email that is almost impossible to identify as malicious.
If you receive a phone call from someone who is asking for information they should already have or that they shouldn't know, politely ask them for the name of their organization and then tell them you will contact them later. You can then hang up and call that organization directly using a number that you have either used before or that comes from the organization's official website. If you cannot reach the individual through the organization's switchboard, then you know that it is a scam.