Category Archives: Phishing

Naked Security Live – How to spot “government” scammers

Sometimes, cybercrooks claim to speak from a higher authority than just a missed home delivery

…sometimes they masquerade as an official government body, complete with all the right logos, the right terminology and even a realistic-looking website carefully cloned from the real deal.

Learn more about “government” scams and how to avoid them:

[embedded content]


Why not join us live next time?

Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.

S3 Ep27: Census scammers, beg bounties and data breach fines [Podcast]

How scammers copied a government website almost to perfection. What to do about those fake “bug” hunters who ask for payment for finding “vulnerabilities” that aren’t. Why the Dutch data protection authority fined Booking.com for not sending in a data breach disclosure fast enough.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


Here are the podcasts and the video we said we’d put in the shownotes:


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Criminals send out fake “census form” reminder – don’t fall for it!

Like many countries, the UK runs a census every ten years.

The census asks each household in the country to provide answers to a series of questions about the individuals living at that address, such as name, age, nationality, languages spoken, education, employment and health.

(More precisely, the census requires answers, rather than requesting them, because participation is mandatory.)

The census happens in any year ending in the digit 1, making 2021 a census year (except in Scotland, where it has been postponed until 2022 due to the coronavirus pandemic).

As you can imagine, most people are answering their 2021 census questions online, with the government sending random but unique 16-character access codes addressed to each known household by snail-mail.

You go to https://www.census.gov.uk/, put in the unique code, and complete the process online – no need to fill in a long paper form by hand and then snail-mail it back.

If you don’t complete the census form (the official closing date was Sunday 2021-03-21), you will receive a series of warning letters, each with a new 16-character code, urging you to get the job done, and reminding you that you could be fined £1000 if you don’t.

Beware fake forms

If you’re amongst those who haven’t finished off their census submissions yet, but who keep meaning to get around to it, make sure you don’t fall prey to fake “census reminder” notices sent out by cybercriminals!

And be careful even if you have finished off your form but think that there might be details you left out or completed incorrectly.

That’s because cybercrooks are taking advantage of the fact that the census is online by trying to phish you out of data that you wouldn’t hand over otherwise.

Here’s an example of a census scam sent in today by one of our readers – a totally bogus text message (SMS) “notification” about finalising your census submission:

As you can see, the server name here is obviously fake because it doesn’t end .gov.uk, which is a controlled domain available only to official national, regional and local government bodies in the UK. (The punctuation in this message is also messed up, but not all crooks are that careless.)

The server name here ends .com, which is a top-level domain where almost anyone can get almost any name they want.

For example, we just tried to buy madeup-domain-that-looks-governmental-2021.com, notquitewhatiseems.com and avoid1000poundfine.com, and were offered them for just £0.99 a year each.

So you ought to spot this as a scam right away, but if you do click through you will find a surprisingly believable mockup of the real UK Census 2021 website:

Instead of a 16-character code, the fake form asks for your postcode. (Note that the crooks could easily have sent you a made-up code and asked you to type it in, just for show, but in this case they didn’t.)

As you can imagine, the questions that the crooks ask you if you do put in a postcode look just like real census questions, on a site that looks much like the real deal.

The problem, of course, is that everything you reveal about yourself and your household goes directly to the crooks, not to the Office for National Statistics.

The criminals did make some grammatical mistakes in their forms that a native speaker of English might notice, and these would be another giveaway, along with the fake domain name, but the crooks have cloned the UK Office for National Statistics “look and feel” very believably.

Sadly, even if you answer a few questions before you realise it’s a scam and bail out, the crooks will still have all the answers you’ve entered up to that point, so it’s worth taking extra time to check your online surroundings before you put in any data at all.

What to do?

  • Check the domain name on websites carefully. UK government sites should end gov.uk. It’s hard for crooks to get control of one of those – they can’t just be bought online like .com domains can. Also, watch out for domain names where the left-hand end looks legitimate, but the right-hand end says that it belongs to someone else, as in a name like census.gov.uk.example.com. The person who owns example.com also owns and can use all domain names that end with that name, not just plain example.com itself.
  • Don’t use links in text messages or emails. The Census 2021 website is well-known and easy to find through reliable sources, including printed on the Census snail-mail you ought to have received. If you find your own way to a website where there is supposedly an “issue”, you won’t get suckered by fake links – whether that’s a “problem” with your bank, a “missed” home delivery or an online “order” you never actually placed.
  • Be extra cautious of links in text messages (SMSes). Text messages are short, simple and often written in abbreviated English, so the crooks are much less likely to make spelling and grammatical errors that might otherwise tip you off.
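As an added example (not part of the original article), here is a small Python check that applies the domain-name rule above: it judges a link only by the right-hand end of its hostname and reports which registered domain actually controls it, so a lookalike such as census.gov.uk.example.com is attributed to example.com. The suffix table is a hand-built assumption standing in for the full Public Suffix List, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Hand-built stand-in for the Public Suffix List (an assumption for this
# example). A real checker would load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "gov.uk", "org.uk"}


def hostname_of(url: str) -> str:
    """Lowercase hostname of a URL, tolerating links pasted without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def controlling_domain(url: str) -> str:
    """Domain whose registrant controls this hostname: the longest known
    public suffix plus the one label to its left. Everything further left
    is chosen freely by that same owner, so 'census.gov.uk.example.com'
    belongs to whoever registered example.com."""
    labels = hostname_of(url).split(".")
    for i in range(len(labels)):          # longest candidate suffix first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels)               # unknown suffix: whole name


def is_uk_government(url: str) -> bool:
    """True only when the right-hand end of the host is gov.uk.
    A substring test ('gov.uk' in host) is wrong: it accepts the lookalike."""
    host = hostname_of(url)
    return host == "gov.uk" or host.endswith(".gov.uk")


def triage(urls):
    """Classify each link as official or not, with its controlling domain."""
    return [(u, is_uk_government(u), controlling_domain(u)) for u in urls]


# Constructed sample links: the real site plus two made-up lookalikes.
SAMPLE_LINKS = [
    "https://www.census.gov.uk/",
    "https://census.gov.uk.example.com/finalise",
    "avoid1000poundfine.com/census",
]

if __name__ == "__main__":
    for url, official, owner in triage(SAMPLE_LINKS):
        print(f"{'OK  ' if official else 'FAKE'} {url:45} controlled by {owner}")
```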

Instagram scams and how to avoid them

Since its launch in 2010, Instagram has seen more than 1 billion accounts opened, and users on the service share close to 100 million photos every day.

Instagram’s popularity may be down to the fact that it is a social media network like no other, offering a unique visual twist. Unlike Twitter and Facebook, the platform was specifically built around the sharing of images and videos.

Instagram has become part of many people’s daily lives, as they use it to communicate and engage with their friends and family. There are also many businesses and influencers who use the platform to make money.

But Instagram is not all happy videos and photos, showing off your new outfit, or boasting where you’re out eating dinner with your friend.

Unfortunately, the popularity of the platform makes it an ideal place for cybercriminals to operate large-scale scams.

This scamming has worsened over the past year, with the BBC claiming in January 2021 that Instagram fraud reports have increased by 50% since the coronavirus outbreak began in 2020.

As our digital lives continue to grow, and online scammers learn new tricks, it is important to know how to identify an Instagram scam, and what to do if you are targeted.

Here are the eight most common scams to watch out for, according to Instagram.

1. Phishing scams

Phishers try to get access to your Instagram account by sending you a suspicious link, either as an Instagram direct message or via email, where you are then tricked into putting in your username and password on a fake login page.

Once the crooks have your login details, they can access your personal information and even change your password to lock you out of your own account.

Fake Instagram “warnings” have been widespread recently, like the ones shown below claiming to be official copyright infringement warnings from Instagram itself:

Left. Fake email “copyright warning” pretending to be from Instagram.
Right. DM claiming to be from an official Instagram account. (Note 13,000 “followers” but 0 posts!)

Always delete message requests of this sort without opening them or clicking on any links or buttons.



2. Fake influencer sponsors

Scammers are taking advantage of the rise in influencers on social media to exploit the influencers themselves.

These scammers pretend to be an established brand and offer influencers an advertising deal. If the influencer is unlucky enough to believe that the deal they are receiving is legitimate, they may hand over their personal banking details in order to be “paid” by the brand.

3. Romance scams

Not all Instagram scams are quick and simple. Some adversaries go to great lengths over long periods of time to trick their victims.

Romance scams are where fraudsters enter into a fake online relationship, often speaking with their targets for weeks, months or even years to earn and then to abuse their trust. Once the target is ensnared, the scammer starts asking for money for visas, flights, travel expenses and more.

But there’s always an excuse why the scammer wasn’t able to get the visa, or board the flight, or do whatever they said they would. (Sudden travel restrictions due to COVID-19 regulations have apparently become a popular excuse during the coronavirus pandemic.)

The scammer will continue asking for money for as long as the person at the other end continues to send it.

Avoid sending money over to someone you have never met face-to-face, even (perhaps especially) if the reason for sending the money is allegedly to meet them face-to-face for the first time.

If you wire money to a scammer you are almost certainly never going to be able to get it back, even if you get law enforcement or the courts involved – sending a wire transfer is like handing over cash.



4. Giveaway scams

Instagram influencers often hold sponsored giveaways featuring limited-time promotions in which brands offer free products or services to a few lucky winners.

These giveaways are often extravagant, giving followers the opportunity to win designer clothes, expensive laptops, AirPods, and so on.

Unfortunately, scammers will impersonate the trusted influencer and inform you that you have won the giveaway but in order to receive the prize you need to pay a “shipping fee” or provide personal information that they can then use for illegitimate purposes.

5. Loan scams

With these scams cybercriminals send you a direct message offering a loan with a great interest rate. All you need to do to secure this fantastic offer is pay a deposit.

Of course, as soon as you’ve transferred the funds, the loan offer, the scammer and your money all vanish.

6. Fake investment scams

These scams encourage you to invest in a dodgy “get rich quick” or “cash flipping” scam. Again, when you hand over your money the scammer disappears, and so do your funds.

Scammers often pose with expensive cars and designer clothes, claiming they’re “self-made” and became “rich” at a young age, in order to convince their victims to invest their money.

At the start you may receive emails or be given a website login with realistic-looking but totally fake data that pretends your investments are performing well. Some victims therefore continue investing more and more money, and even convince their own friends and family to join in – until the scammers disappear with the lot.

7. Job scams

Scammers use the lure of what sounds like an amazing job in order to trick you into sharing personal information, possibly details such as your home address, phone number, social security number, passport and immigration information and scans of ID documents such as your driving licence.

The crooks aren’t asking for your personal data to vet you for a job – they’re after your information so they can commit what’s known as identity theft, where they use your details to apply for loans, credit cards and more in your name.

8. Credit card fraud

Credit card fraud often begins with an innocent-looking social media post offering “quick cash”, such as a contest that offers a huge reward.

Click on the embedded link and you’ll be asked for your credit card information or your online banking credentials.

Once the scammers have managed to steal enough of your financial information, they will use your card details to make online purchases.

What to do?

Here are our top four tips for staying safe on Instagram:

  • Pick proper passwords. Don’t use the same password as you do on any other sites. If you think you may have given away your password on a fake site, change it as soon as you can before the crooks do. Consider using a password manager if you don’t have one already.
  • Don’t overshare. As much as it seems to be common to share a lot of your life on Instagram nowadays, you don’t have to give away everything about yourself. Also think about who or what is in the background of your photos before you upload them.
  • Stay vigilant. If an account or message seems suspicious to you, do not interact with or reply to the account and do not click on any links they send you. If something seems too good to be true, assume that it IS too good to be true.
  • Consider setting your account to private. If you aren’t trying to be an influencer whom everyone can see, and if you use Instagram more as a messaging platform to keep in touch with your close friends than as a way to tell the world about yourself, you may want to make your account private. Only your followers will be able to see your photos and videos. Review your list of followers regularly and kick off people you don’t recognise or don’t want following you any more.
Left. Use ‘Privacy’ option on the Instagram Settings page to make your account private.
Right. Toggle the ‘Private account’ slider on.


Naked Security Live – Beware copyright scams

If you’re active on social media, you probably know that copyright infringement is a big deal online, and that even accidentally including or referring to somebody else’s material can leave you facing a copyright complaint notice sent by the social media platform involved.

If you don’t sort out the complaint, you could end up locked out of your account or even have your account shut down.

Sadly, cybercriminals know this too, and use fake copyright infringement notices in an attempt to coerce you onto a fake website where they capture personal information such as your social media password.

Here’s what you need to know:

[embedded content]
