Realistic Gmail Login Page Used in Clever Phishing Scam

Hitting the news this week is a story about a Gmail scam that was actually seen by Wordfence and reported on about two months ago. In this one, Gmail users may receive a message with an attachment. It looks like one you already received, but is actually just a thumbnail of that one. However, if it’s clicked a dialogue pops up asking you to enter your login credentials for your Gmail account again.

This one is ridiculously realistic and looks nearly, if not exactly, identical to the actual Gmail login page. Even people who are very experienced at detecting phishing have had some difficulty with this one. The only visible difference is the URL, which starts with “data:text/html” rather than the usual “https://”.

If you are asked to log in again to any account after you have already logged in, especially after you clicked an attachment, eye it with suspicion. Then try the following to avoid installing malware or giving someone access to your account that you don’t intend to:

-Click the “X” to close the window and log out of your account and then try again.

-If it doesn’t allow you to click an “X” to close it, shut your browser down and restart it. If it still gives you trouble, restart your computer.

-Change your password just for extra safety. Make sure it’s unique to this account. Do this before doing the next steps.

-Check the other connections to your account in your Google account activity page under My Account > Manage your Google Activity > Personal info & privacy > Connected apps & sites. That page lists the other devices and apps using your account, and you can disconnect the ones you don’t recognize. Then restart your browser.

-Use the multifactor authentication (MFA) Google offers for Gmail. There are several options for this in your Google account settings. The most secure one, and possibly the “wave of the future” in MFA, is a security key. This is a tiny device that is inserted into the USB port of your computer. It authenticates to your Google or other accounts, and unless someone has that key, they cannot get into your account. Some keys also work with mobile devices, and many other companies now support them, including Facebook and Dropbox.

-If none of the available MFA options work for you, take an extra moment to make sure you see the secure login indicators in the browser before entering sensitive information such as passwords: the “lock” icon that usually precedes the address of the site, and “https://” in front of the domain name. These are no longer a guarantee of a secure site, but a site showing them is much more likely to be legitimate.

In addition, if you are not expecting an attachment or link from someone, verify that it is legitimate before clicking. It is very easy to make an email appear to have come from someone you know when it really didn’t. So if you receive something out of the blue, text or call the sender to confirm before clicking it.

In this scam, as soon as a password is entered into the fake login dialogue box, someone logs into the account and the attackers start perusing your messages.

They use documents found in the mailbox to craft the thumbnail-style images sent in messages to contacts in the address book. This makes the messages appear to come from someone the recipients actually know. A recent study by Avecto found that 68% of survey participants would click links from someone they know without question, which makes a scam like this one likely to succeed. With a little bit of caution, you can help prevent that.

© Copyright 2017 Stickley on Security

New Type of Phishing Attachment Proves No Attachments are Sacred

As if there weren’t enough phishing scams to watch for, there is another one targeting customers of several well-known banks and users of money transfer services. In an email that appears to have been sent by one of the organizations below, an attachment asks users to open it to “verify” their accounts; otherwise, the accounts will supposedly stay frozen.

The organizations impersonated include Chase Bank, Capital One, and Wells Fargo for online banking, and PayPal and Venmo for money transfers. The email claims that the user’s account is frozen because “security alerts” were triggered and the user needs to verify the account to release it. The attachment brings up the phishing page where personal information is requested.

This type of trick has been seen numerous times before; in fact, one targeting PayPal users was going around very recently. In most cases, however, the attachments are disguised as PDF, EXE, or DOC files. This one is an HTML file, proving that, as Jim Stickley of Stickley on Security says, “Literally no type of attachment is guaranteed safe to open these days.”

The obvious message is never click attachments in email, particularly if they are unexpected or come from unknown senders. Always make sure they are not infected with some type of malware before opening. If you cannot be 100% sure, don’t do it.

If you need to verify your account details, log into your accounts directly by going to a previously bookmarked link or by typing in the address you know is the correct and safe one. If all looks well when you do that, you know for certain the email message was trying to phish you and you can pat yourself on the back for not falling victim to it.

Cyren, the cloud security company that found this scam, said that this one is particularly common right now: it increased 50% over February in just the first half of March.


Personal Finance for Millennials

Many Millennials, who graduated during a time of job scarcity and enormous student debt, are more than a little skittish about financial matters. After all, in addition to their own challenges, many saw their parents’ generation struggle with layoffs, stock market losses, and the housing crisis. Still, there’s a lot that today’s 20-somethings can do to build a brighter financial future.

Commit to Saving
If you’re living paycheck to paycheck, saving may seem out of reach. But the first step is to make a budget, identifying where, exactly, all of your money’s going now and pinpointing the wallet drains that are keeping you from saving. Make it a goal to save at least 10-15% of your income, and start by creating an emergency fund with 3-6 months of living expenses. If, after seriously scrutinizing your budget, you just don’t see room for saving, at least commit to saving any financial windfalls, like bonuses and tax refunds, and to saving future salary increases.

Looking for Supplemental Income
For many young people who are just starting out, the best way to find money to save is to generate additional income with a side job. If your employer doesn’t prohibit it, you might take on a second job during your off-hours or earn extra cash Ubering or pet-sitting. Or, if you’re a crafty sort, you could try selling your wares on a site like Etsy.

Start Investing Early
Once you have a decent emergency fund, you should start thinking about retirement. Yes, retirement! If your employer offers a 401(k) plan, sign up as soon as you’re eligible, because even small amounts set aside while you’re young will add up to a significant nest egg decades from now. And, if your employer offers 401(k) matching funds, be sure to contribute enough of your earnings to max out the match. Otherwise, you’re leaving money on the table.

Manage Your Debt
No discussion of Millennials’ finances would be complete without a word or two about student debt. If you’re carrying a heavy burden in federal loans, you may have options for restructuring your debt to make it more manageable. If your loans are with private lenders, you’ll have less flexibility, but focus first on paying off the loans with the highest interest rates. The same goes for credit card debt. New grads are often bombarded with credit card offers, so it’s easy to get in over your head. If that’s where you are, rip up any new offers and commit to whittling down your debt by refraining from new charges and always paying more than the monthly minimum.

Shape Up Your Credit Score
Being late with payments or, worse yet, defaulting on your credit obligations has a huge and negative impact on your credit score. This may not seem like a big deal if you’re not looking to buy a house or car anytime soon, but it isn’t just lenders who make decisions about you based on your credit score. A poor credit score can cause you to pay higher rates for car insurance in some states. Most landlords and many employers also check credit scores when evaluating candidates.

Mistakes on Your Tax Return Could Lead to an Audit

You’re not alone if your heart pounds when you see a letter from the Internal Revenue Service (IRS) in your mailbox. While some lucky filers get sent a letter because they’re due a larger refund, most of us fear the worst – an audit.

Those fears may be largely unfounded for the average household. Only about one percent of taxpayers get audited, and high-income taxpayers are disproportionately targeted.

If you are audited, it might not be like you imagine. An audit could focus on a particular line entry, credit or figure, and you might only need to mail or fax a copy of the relevant paperwork, such as an insurance report or receipt.

Even so, getting audited isn’t fun. In the best case, you have to take the time to dig through your records and respond. In the worst case, you have to do all that as well as pay penalties and interest.

What can you do to help reduce your risk of audit? Audits, or examinations as they’re also referred to, could be the result of a random selection, mismatched documents, deviation from the expected “norms” for similar returns or connection to someone who’s being audited. But there are a few things you can do to help minimize your chances of being audited.

Enter all your information correctly. Take an extra few minutes to double-check the information you entered when preparing your tax return. A misspelled name or wrong number could lead to an examination.

Include information from every form with your return. When an organization sends you a tax form, it also sends a copy to the IRS. The IRS has an automated system that can flag a return when you don’t include information from one of the forms you received.

Don’t treat a hobby as a business. You might enjoy your hobby and occasionally make some money from it, but that doesn’t make it a business. Business and hobby expenses are treated differently and you can’t claim a loss from your hobby. If you try, that could be a red flag.

Know the home-office rules. Many small business owners and contractors work from home, but that doesn’t automatically mean you can claim the home-office deduction. You can’t claim a guest bedroom where you occasionally work; the room (or part of a room) must be used exclusively and regularly for business.

Only claim the EIC if you have earned income. To qualify for the Earned Income Credit (EIC), you need to have earned income, such as wages or salary, for the year. Other types of income, including alimony, child support, unemployment benefits and Social Security won’t qualify you for the EIC.

Working with a professional tax preparer, such as a certified public accountant (CPA) or enrolled agent (EA) could help you avoid making errors, but it doesn’t guarantee you won’t be audited. Similar types of support are sometimes offered with online tax preparation software for a fee. In either case, if you’re required to pay more tax, the bill may get passed on to you.

Don’t let fear cost you. Some taxpayers shy away from claiming legitimate credits and deductions because they fear an audit. That could be a costly choice. There’s only a small chance you’ll get audited, and it could be quick and relatively painless — especially if you keep good records.

Fear also leads thousands of people to fall victim to tax-related scams. Thieves may impersonate an IRS agent, but the IRS will never call or email you requesting a specific type of payment. The IRS only initiates contact with taxpayers by mail, and you can choose among several methods of payment when you owe money.

Bottom line: While there’s no way to guarantee the IRS won’t ask questions about your tax return, don’t let fear of an audit keep you from using the credits or deductions you can rightfully claim. Filing a complete and accurate return could help minimize your chances of an audit, and if you do receive a notice, you may be able to quickly resolve the issue by following the instructions.

by Nathaniel Sillin

The Real Cost of Cyber Love?

Are you looking for love or friendship and perusing online sites to find it? Have you met someone with a sad story who asks you for money to help him or her out of a situation, to help buy needed supplies while in the military and overseas, or to buy a plane ticket so you can meet in person? Unfortunately, there are many scams where this happens. They are all some variation of what is often referred to as the “sweetheart scam.”

One that has been gaining steam lately combines the sweetheart scam and mobile banking. A lonely heart, let’s call her Eva, falls for someone far away. Let’s call this person Sam. Sam would love to meet Eva face to face. So he asks Eva to make a reservation on an airline so he can visit. He will deposit the money for the fare into her banking account directly, for efficiency. All Sam needs is her bank name and her mobile banking credentials and he will deposit a check directly into the account after he downloads the app. After all, love just can’t wait.

Unfortunately, right after he does it, something goes amiss and he cannot visit after all. He wants that money back immediately, via some type of money transfer service. Eva checks her account, sees that the money he deposited does indeed show up, and sends the money right away.

Unfortunately, Eva just got scammed. Sam never intended to meet her. He just wanted cash. You see, when you use mobile deposit with your financial institution, there is a period of time before the deposit is actually approved and the funds are available. That time period differs for each financial institution and can range from 24 hours to several days, depending on circumstances. So, even if the mobile deposit says it was successful, the money may not actually be available right away. The check that Sam deposited bounced, of course, and Eva was out the cost of a plane ticket.

It’s easy to get caught up in the moment when first meeting someone new. We want to trust people, but no one needs your mobile banking credentials. So keep those a secret no matter how hard a person tugs at your heartstrings. Unfortunately, there are a lot of people out there in the world with bad intentions. Don’t give them information that can be used to steal from you.

In some cases of this scam, if the victim refuses, the scammer threatens to sue or otherwise tries to scare them out of money. Don’t let it happen to you. Keep your money close to your heart and let the scams of the world go.


Movie Fans Targeted in iTunes Scam

Movies are a big business and it’s more popular than ever to grab your popcorn and Milk Duds and sit back on the sofa to stream them from iTunes. A recently found scam targets Canadian movie fans by sending a fake Apple invoice for movie rentals, counting on the user to request a refund.

In this case, the invoice purports to show charges for a list of movies that can add up to a rather large sum of money. The movies on the invoice are often recent releases, such as Jack Reacher: Never Go Back and Arrival, making it a bit more believable to potential victims. After the initial shock over the amount on the invoice wears off, and the realization that the charges do not belong to them sets in, the targeted victims’ next reaction is to scan the form for a way to get a refund or dispute the charges.

Conveniently, the phishers put a link at the bottom of the document that supposedly can be clicked to claim a full refund. However, it doesn’t go to Apple; it goes to a website registered in Norway. The form that appears asks for a lot of personal information, including date of birth, mother’s maiden name, and a social insurance number. Canadians need this last number to access government services; it is not needed to get a refund from Apple or almost any other company. These requests should raise big red flags for recipients.

The scam was spotted by researchers at security company Fortinet. The fake invoice arrives in an email message that at first glance appears to come from Apple, but if the sender field is expanded, it shows a strange email address from a Norwegian site. Hovering the mouse over the link reveals a destination that looks like a bunch of randomly generated characters and definitely doesn’t look like an Apple link.

Remember that by taking a minute to check a link’s destination before clicking it, you can avoid being a victim of phishing. Hovering over the link with the mouse pointer works for this, as does holding your finger on the link for a few seconds on a touch screen device. If the link destination doesn’t make sense to you, it’s probably a fake.
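The two tells described in these articles, the Gmail page whose address begins with “data:text/html” instead of “https://”, and the iTunes refund link whose hover destination doesn’t look like Apple at all, can be checked automatically on the HTML of a message before anyone clicks. The script below is an added example written for this page, not code from Stickley on Security, Wordfence or Fortinet; the email body it scans is constructed, and the refund-link domain is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body (not a real message). The second link
# imitates the Gmail trick: text that looks like a Google sign-in URL but an href
# that is a data:text/html URI. The third imitates the iTunes "refund" link.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is attached.</p>
<a href="https://www.apple.com/">View on apple.com</a>
<a href="data:text/html,%3Chtml%3E%3C/html%3E">https://accounts.google.com/ServiceLogin</a>
<a href="http://example-refund.invalid/x7k9q2">Claim your full refund at apple.com</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags, what a hover would reveal."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify_link(href, text):
    """Return the reasons a link is suspicious; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href.strip())
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    if scheme == "data":
        reasons.append("data: URI renders a page inline instead of loading a real site")
    elif scheme != "https":
        reasons.append(f"scheme is {scheme or 'missing'}, not https")
    # Any domain the visible text claims must match the real destination host.
    for claimed in re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower()):
        if host != claimed and not host.endswith("." + claimed):
            reasons.append(f"text mentions {claimed} but the link goes to {host or scheme + ' URI'}")
    return reasons

def scan_email(html):
    """Return [(href, text, reasons)] for every link in a message body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, text, classify_link(href, text)) for href, text in collector.links]
```

Running `scan_email(SAMPLE_EMAIL_HTML)` flags the data: URI link and the mismatched refund link while leaving the genuine apple.com link unflagged.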

If you receive something like this that claims false charges to any of your accounts, it’s even better to go directly into your accounts from previously bookmarked links than clicking anything. It’s getting more and more difficult to detect phishing messages, so try to get into a habit of not clicking them and going into accounts separately to avoid becoming the next victim. If all is clear in your account when you check that way, then you can be sure the message you received is indeed phishing.

Apple users are often the targets of phishing these days, and not only in email. Smishing, in which scammers use SMS/text messages to trick users, is on the rise as well. So watch for those fake links too.

Another tip for avoiding scams like this is to set charge alerts on your payment cards. You will get a message each time a charge above a limit you set is placed on your card. If you didn’t get an alert for the charges, it’s a clear signal that a phishing attack is at play.
