Category Archives: Phishing

Fallen victim to online fraud? Here’s what to do…

This guest post is by Lisa Ventura, founder and CEO of the UK Cyber Security Association, a not-for-profit that raises awareness of the importance of cybersecurity for small and medium-sized businesses.

Online fraud is a huge challenge for businesses and consumers alike as cybercriminals continue to develop new mechanisms to separate innocent parties from their money.

As children we were warned not to talk to strangers or give them any personal information. Yet today we think nothing of sharing our details every time we make an online purchase.

More and more of us have become accustomed to doing more and more transactions online, especially since the COVID-19 pandemic hit last year, and it is easy to forget that there are people out there who will do anything to obtain money or personal information by deception.

How to spot online fraud

There are many types of online and identity scams, but here are some of the most common:

  • “Get rich quick” scams

With job uncertainty at an all-time high, attackers are preying on our vulnerabilities and financial worries during the crisis.

Some reports suggest that scams claiming you can “earn” lots of money from home with little effort and no risk have gone up by as much as 66% in the past year.

While we may all dream of earning big for doing very little, you should assume that anything that sounds too good to be true IS too good to be true.

Be especially wary of advertisements that tell you that you can work whenever you like; stay away from jobs that involve handling money for other people; and watch out if you have to pay a fee to get started.

  • Fake shopping websites and “free” offers

Scammers set up websites that pretend to be the real deal and lure you in with “great offers” and “unbeatable savings” off the recommended retail price. Often these sites either ship fake items or simply take your money and don’t send anything at all.

Other shopping-based scams involve luring you in with a great deal, then “qualifying” you as the lucky winner of a high-value item such as a games console or a mobile phone. Everything is “free” except for a modest delivery charge that requires you to put in your credit card data. The scammers then run off with your credit card details.

The Naked Security team has written extensively about phishing, which is sadly still one of the most common and effective cyberthreats around.

Simply put, phishing involves sending you a message that tricks you into clicking a bogus link, opening a booby-trapped file, installing malicious software or simply giving out personal data that you ought to have kept to yourself, such as a password, address or account number.

Phishing isn’t just limited to email – it can also take place via SMS text messages (when it is known as smishing), over social media, through other messaging apps such as WhatsApp, or even via voice calls (known as vishing).


  • Fake cybersecurity warnings

Sometimes when you are browsing the internet a pop-up appears out of nowhere saying that your computer is infected with viruses. Of course, there’s also a website you can visit for immediate help, and often a toll-free number to call so a “technician” can fix the problem for you right away.

If this happens to you, it’s almost certainly a scam. These fake ads and pop-ups are designed to get you to download and run “security” software for a not insignificant fee, or to pay to give remote access to a “technician” who will “remove” the non-existent security threat for you.

Only trust security information from the antivirus software that you are running. (And don’t forget to check, of course, that your antivirus product is up to date, too.)

Can you get your money back?

If you bought an item from an online seller via a site such as Amazon or eBay, see if they can help or intervene.

In addition, you may be able to recover some of the funds you spent, depending on how you paid.

  • If you paid by debit card

If you used a debit card you may be able to get your bank to help you recover your money through the chargeback scheme. This is a transaction reversal made to dispute a card transaction and to secure a refund for the purchase.

Contact your card provider for details of their scheme in your country. However, don’t assume that you are going to get your money back.

  • If you paid by credit card

If you paid for goods or services with a credit card, most countries have regulations that give you greater protection if things go wrong. For example, UK consumers are protected under section 75 of the Consumer Credit Act, while Consumer Protection laws cover buyers in the US.

Unfortunately, whether you can make a claim or not depends on the type of scam you have fallen for, so please get in touch with your card provider for assistance.

  • If you paid by bank transfer

If you have been caught out by a convincing scam and unwittingly transferred money into another bank account, you should contact your bank immediately for help. They may help you try to recover the funds.

  • If you paid in cash, with cryptocurrency or by wire transfer

Unfortunately, if you paid in cash (or equivalent), you have almost certainly lost it all.

The only person who could refund your money in a case like this would be the scammer you just gave it to.

You may nevertheless want to report the fraud to the police in case they can take any action. If no one says anything, then it’s difficult for law enforcement to justify investigative or preventative action because it looks as though these crimes aren’t taking place.

What if you’re a victim?

Talking about what happened and hearing about the experiences of others who have been through similar experiences can help.

Support groups in the UK are available through charities such as Victim Support, Age UK and Citizens Advice.

Maintain your security hygiene

Here’s a recap of good security practice advice from the Naked Security team:

  • Reset your passwords if you’ve been phished, and if you know you’ve used the same password on other websites, change those too! 


  • Patch early, patch often. Why be behind the crooks when you could be ahead? Be sure to get operating system updates as well as security fixes for the apps you use and for any devices such as routers, webcams and thermostats that you may have at home.
  • Use a password manager and 2FA to make it harder for the scammers. A password manager stops you putting real passwords into fake sites, which helps prevent you getting phished. And using two-factor authentication (2FA) means that your password alone is not enough for scammers to log in to your account.
  • Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is at least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done.

  Below are scam reporting links for various Anglophone countries:

    • AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us
    • CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm
    • NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/
    • UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/
    • US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/
    • ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx

SMS tax scam unmasked: Bogus but believable – don’t fall for it!

Every month of the year has some sort of tax relevance somewhere in the world, and tax scamming cybercrooks take advantage of the many different regional tax filing seasons to customise their criminality to where you live.

In the UK, the 2019/2020 tax year ended on 05 April 2020, and the deadline for filing your taxes electronically was 31 January 2021.

With a January filing deadline, it’s not surprising for UK tax refund scams to kick in about now.

After all, everyone loves a refund, although they’re usually very modest in the UK if you get one at all, because your employer (if you have one) is supposed to get the tax calculations that they do on your behalf pretty close to the target.

So we weren’t surprised, although we were disappointed, to receive our first SMS-based tax scam of the season last night, helpfully submitted by a Naked Security reader:

SMS message allegedly from HMRC, the official name of the UK tax office.
Delivered via a UK mobile number.

(HMRC is short for Her Majesty’s Revenue and Customs, and using that abbreviation in the UK is as usual and as expected as saying IRS in the United States.)

As regular Naked Security readers will know, there’s still a significant sector of the cyberunderworld that goes in for smishing, as SMS-based phishing attacks are colloquially known, for three simple reasons:

  • Everyone with a mobile phone can receive SMS messages. There’s no need to guess which internet-based messaging apps you’ve signed up for, because anyone with a phone that can receive calls can receive SMSes too.
  • SMSes are limited to 160 characters, including any web links. So there’s much less room for crooks to make spelling and grammatical errors, and they don’t need to bother with all the formalised cultural pleasantries (such as “Dear Your Actual Name”) that you’d expect in an email.
  • Links in phone messages take you straight to your phone’s browser. Mobile browsers generally have much less screen space to show you the sort of security details that you can access from your laptop browser. Once you’ve tapped on the link and the browser window has filled the screen, it’s harder to spot that you are on an imposter site.

Annoyingly believable

In this scam, we have to admit that the crooks pulled off a surprisingly believable sequence of web pages – not perfect, but visually believable nevertheless.

Their pages look similar to the pages you’d see on a genuine UK government site; they’ve included niceties such as a coronavirus warning in order to add a touch of timely realism; they’ve mostly used the right sort of terminology, such as remembering to ask for your National Insurance number instead of your SSN; and they’ve remembered not to put a -Z- in the word organisation.

Fortunately, however, they were stuck with a bogus website name, because although it’s easy to register .COM and .CO.UK domains in the UK, the .GOV.UK domain has a strict registration process that a cybercrook would find hard to bypass.

Also, as you will see if you take the time to check really carefully (try “reading” the text on the page backwards using your finger – an old trick for proofreading your own documents), the crooks have made various mistakes, such as spelling errors, that you would not expect on a website such as HMRC’s:

At first glance, the scam start page is a visually realistic clone of the real thing.
But look carefully: there are typos and errors here.

In this scam, the crooks also decided to take you straight to a bogus tax-related page.

However, the UK government gateway would make you log in first, including using two-factor authentication, which would give you a different user experience:

Left. The scam landing page bypasses the regular government login page.
Right. Access to the UK tax site requires login first (2FA is compulsory).

You might think that 2FA is a hassle you could do without, but you can actually turn the “hiccup” that it puts in your way to your advantage.

Whenever your workflow is interrupted by a 2FA request, for example to retrieve a text message code or open up an authenticator app, use it as a reminder to implement the “Stop. Think. Connect” principle, and take some extra time to look again at all the security indicators you can find before you put in the 2FA code.

Check the address bar; go back and review which links you clicked to get there; take another look for giveaway mistakes in the messages and web pages you’ve seen so far. (Did you spot the weird word youu in the fake page above? If not, go back and look again now – it’s in the selection box labelled Individual.)

The phishing starts

The first phishing page asks for quite a lot of personal data:

The first phishing page of the scam.
Field names follow typical UK terminology, but HMRC doesn’t use “mother’s maiden name” as ID.

Then the crooks go after your bank account and credit card details.

If you didn’t realise before, you should figure that this is a scam at this point, because there’s simply no reason for anyone to ask for your credit card data in order to make a refund to your bank account.

In particular, the CVV code (usually three digits on the back of your card) is used for verifying online payments, and in this case you aren’t paying for anything:

The tax office does allow you to use a bank account for a refund.
But putting in credit card data (including the CVV “secret code”) is what you do for payments, not for refunds.

Next comes a rather neat “decoy page” – a sort of polite placeholder page that brings this fraudulent process to a believable finish, along with a believable reason to discourage you from checking up right away with the real HMRC website:

Decoy page to make you think the process completed innocently.
But look carefully: there are typos and errors here.

After a few seconds, the final fake page above (did you spot the typo asking you to bare with us?) redirects you to the official UK government gateway home page, and wipes out your browsing history so far.

This leaves you on a genuine page with no easy way to go back and double-check what just happened on the fake pages:

At the end, you get redirected to the real UK government portal
in order to round off the scam neatly.

What to do?

  • Find your own way there. If you can, ignore links in emails, SMSes or other messages, even if you think they are genuine. Bookmark the official website of your country’s tax office and only ever go there using your own link. (Or if you are in the UK, type in GOV.UK by hand and start there.) If you only ever visit important websites using bookmarks of your own, you will always sidestep crooks who send you phishing links.
  • Look for every hint of bogosity you can. This scam was surprisingly believable, but the telltale signs were there nevertheless: a giveaway spelling blunder by the crooks on the starting page, an obviously incorrect URL in the address bar, and a request for personal information that was irrelevant to the claimed refund. Take the time to look for signs of fakery – if the crooks make a visible mistake, take advantage of their error and make sure they don’t get away with it.
  • Consider an anti-virus with web filtering. Phishing prevention isn’t really about keeping the bad stuff, such as malware, out. It’s about keeping the good stuff, such as personal data, in. An anti-virus such as Sophos Home (available free for Windows and Mac) or Sophos Intercept X for Mobile (free for Android) doesn’t just block malware that tries to get onto your device but can help to stop you getting to rogue web pages in the first place, thus keeping you one step further away from harm.
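As an added example (not the article’s own code) of the “obviously incorrect URL” check above: a small Python triage script that pulls links out of a text message and reports whether each one is genuinely under gov.uk or merely resembles it, covering the lookalike tricks a practitioner would want caught (gov.uk used as a subdomain of another site, hyphenated look-alikes, and a user-info prefix). The suffix list and the sample SMS are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Suffixes under which genuine UK government sites live. gov.uk is the
# case this article concerns; the tuple is an assumption for this example.
OFFICIAL_SUFFIXES = ("gov.uk",)

# Matches http(s) links and bare www. links inside free-form SMS text.
_LINK_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def links_in_sms(text: str) -> list:
    """Return every link found in an SMS body, with trailing punctuation removed."""
    return [m.group(0).rstrip(".,;:!?)") for m in _LINK_RE.finditer(text)]


def extract_host(link: str) -> str:
    """Lower-cased host of a link; tolerates links that lack a scheme.

    urlsplit().hostname discards any user-info part, so a link such as
    http://www.gov.uk@evil.example/ yields 'evil.example', not 'www.gov.uk'.
    """
    if "://" not in link:
        link = "http://" + link
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()


def is_official_host(host: str) -> bool:
    """True only if the host IS an official suffix or a dot-separated subdomain of it.

    Requiring the separating dot is what rejects 'hmrc-gov.uk' and
    'gov.uk.tax-refund.example', both of which merely contain the string.
    Homoglyph (internationalised) domains are a separate concern and are
    not detected here.
    """
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def classify_link(link: str) -> str:
    host = extract_host(link)
    if not host:
        return "unparseable"
    return "official" if is_official_host(host) else "lookalike-or-unrelated"


def triage_sms(text: str) -> dict:
    """Map each link in an SMS to its classification."""
    return {link: classify_link(link) for link in links_in_sms(text)}


# Constructed sample message (the domain is under the reserved .example TLD).
SAMPLE_SMS = (
    "HMRC: You are eligible for a tax refund of GBP 265.84. "
    "Claim at https://hmrc-refund-gov.uk.example/claim before it expires."
)

if __name__ == "__main__":
    for link, verdict in triage_sms(SAMPLE_SMS).items():
        print(f"{verdict:24} {link}")
```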



S3 Ep12: A chat with social engineering hacker Rachel Tobac [Podcast]

How do you go from neuroscientist to DEFCON Social Engineering Capture the Flag champ? Find out from hacker and social engineering expert Rachel Tobac!

Rachel Tobac, CEO of SocialProof Security

Join us for a fascinating interview with Rachel about her journey, why you should always be “politely paranoid”, and the people who inspired her along the way.

Interviewer: Kimberly Truong.

Special guest: Rachel Tobac (@RachelTobac on Twitter), hacker and CEO of SocialProof Security.

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Does a friend “need money urgently”? Check your facts before paying out…

Thanks to Naked Security reader M Carter for their help with this article.

Last week, we warned of a Facebook Messenger scam that used a bogus video to lure you onto a phoney Facebook login page.

In that scam, the crooks were using stolen Messenger passwords to phish for yet more Messenger passwords by sending messages that genuinely seemed to come from friends and family.

Fraudulent messages of that sort are much more believable than email spam, for two reasons:

  • Social networks and instant messaging groups are often closed to outsiders, so you’re more inclined to trust messages within the group.
  • The fake messages really do come from friends’ accounts, just not from the friends themselves.

But what do criminals use stolen messaging passwords for, apart from stealing yet more passwords?

Here’s an example sent in by a Naked Security reader who was asked by a “friend” for help making a payment:

As you can see above, the scammers, who had access to the friend’s account, cut straight to the chase: “I need help paying a bill.”

Although most of us would probably be suspicious right away, many of us will have friends and family members whom we’ve helped out financially before, so we might be willing (or at least polite enough) to enquire further.

The recipient in this case figured out this was a scam from the start, but decided to see how things would unfold if they gave a few carefully guarded answers.

Here’s how the conversation went:

The situation here is plausible – anyone who has ever been forced to take out a short-term “payday loan” will know that fees mount up quickly for missed payments – and many of us might decide that helping out a friend or family member is something we ought to do.

The payment details that we have redacted above, by the way, were genuine, identifying a finance company in the UK that is what you might call a “bank in the cloud” – a new online financial startup aimed at offering Banking-as-a-Service (BaaS) to help would-be online merchants build their own transactional apps and websites easily.

The recipient reported the scam to the company concerned, which we applaud.

Even though the bank can’t summarily close an account on the say-so of someone other than the account holder, we’re hoping that the report will go at least some way towards getting the account investigated and suspended.

Unfortunately, most people who get as far as receiving the account number in a scam of this sort will already be convinced that it really is their friend in a financial pickle at the other end, so they are unlikely to report the issue to the bank until after they realise they’ve been defrauded.

On the other hand, most people who figure this for a scam up front will simply ignore the message, and therefore won’t end up with an account number to report or a bank code to track down.

Notice how the scammers asked at the end for account details they could use for paying the money back.

Even though the crooks would know which account you paid the money out of (account details are recorded as part of the transaction), there’s a chance you might give away yet more personal financial information if you were to reply to that final request.

Old scam, new twist

Interestingly, this sort of “need money urgently” scam, sent out from hacked accounts, was prevalent a few years ago under the guise of a friend who had been mugged on a trip abroad.

Back then, the amount of money was usually somewhat higher – often $800 or more, compared to the £290 (about $400) above, and you were told to send the money by wire transfer, an irreversible process that is equivalent to handing over cash.

The use of a wire transfer instead of a regular bank payment was justified on the grounds that the “victim” no longer had their bank card, or even any ID, and therefore needed the funds sent to them in a way that allowed them to get paid out at the other end in cash.

Details were often added to these “mugged abroad” scams to increase the urgency, for example that your friend would soon be thrown out of their hotel after cancelling their credit card, or was under pressure to come up with hospital fees to pay for the treatment they received after the mugging, or needed ready cash for transport to get to the nearest consulate to acquire an emergency passport.

These days, of course, people are not only wiser to the risks of wire transfer – namely that there is almost no possibility of recourse in the event of fraud – but also unlikely to be travelling abroad unexpectedly, thanks to coronavirus regulations.

So the scammers have reinvented an old fraud in a new guise, with “outstanding loan” standing in for “robbed on vacation”, and “online banking payment” taking the place of “wire transfer”.

What’s stayed the same is that you aren’t helping your friend at all, because your friend’s account was hacked, and the money is going straight to the crooks.

By the way, the reader who sent in the details to us was one of several mutual friends who received a fraudulent contact from the scammers via the hacked account.

What to do?

  • Always check your facts before you help friends in trouble. But take care how you get hold of a friend you’re worried about – never reply directly to an online account that could have been hacked. Find another way to contact your friend, based on information that you already have in your possession.
  • Let your friends know if you think they’ve been hacked. But never reply using the account that’s been hacked or else you are just tipping off the scammers. Find a different way to get hold of them, such as a phone call, where you’ll have a way to satisfy yourself you really are talking to them.
  • Use a password manager and 2FA to make it harder for the scammers. A password manager stops you putting real passwords into fake sites, which helps prevent you getting phished. And using 2FA means that your password alone is not enough for scammers to log in to your account.
  • Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is at least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done.

  Below, we've listed scam reporting links for various Anglophone countries:

    • AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us
    • CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm
    • NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/
    • UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/
    • US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/
    • ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx

Naked Security Live – Watch out for Messenger scams

Here’s our latest Naked Security Live talk, discussing IM scams and how to avoid them, as well as giving you some pointers on how to think like a scammer and thereby stay one step ahead.

Don’t forget that receiving a message from a friend’s account doesn’t always mean your friend actually sent the message – if their account has been hacked, then it could be a crook using your friend’s name to trick you.

Don’t be in too much of a hurry to click: as carpenters like to say, “Measure twice, cut once.”


Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air between 18:00 and 19:00 UK time (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.
