Olympic Ticket Scams are Stealing Big Money

RIO DE JANEIRO Brazil - february 08 2016: Samba school parade. Float Rio2016 opens the parades of Carnival 2016

As happened with the World Cup in Brazil, cybercriminals are exploiting the 2016 Summer Olympics set to begin this summer. Kaspersky Lab researchers reported seeing a spike in various phishing attacks, spam, and email scams that are using the 2016 event as a hook.

rioscam

Domain names that contain something related to the big event in Rio are being purchased, as well as cheap SSL certificates to make them seem legitimate and safer upon visiting the sites. The most effective scams being seen by the researchers involve phishing websites that appear as if they are ticket sales sites.

If you receive email messages claiming to offer deals to the events, check and recheck before clicking on links or opening attachments. In fact, go directly to a reputable website instead by manually typing in the address. Don’t open attachments, especially if they are unexpected or from unknown senders. Pay attention to the deals offered and if it sounds too good to be true, it probably is.

Also watch out for malvertising. These are malicious ads that appear on other websites, but if they’re clicked they execute malware of some type. These ads can be found on every type of site, including but certainly not limited to Facebook, Twitter, and even news sites. To avoid these ads, consider installing ad-blocking software. Just remember that they block all ads, not just malicious ones.

Always watch for scams and phishing when a big event such as the Olympics, Super Bowl, or World Cup is nearing. Cybercriminals know people will be hunting around the web for deals or looking for information, so they will certainly take advantage of that.

© Copyright 2016 Stickley on Security

PayPal Scam Scares Customers Out of Their Identity

scam

 

Yet another new phishing scam is going around like a bad cold. This one tries to get users of PayPal to click on a bogus link and enter in sensitive information, including social security numbers. But don’t do it. It’s most definitely a scam.

If you need to update information on any online account, go directly to the company’s website and log into your account. Preferably, you have all the important ones bookmarked so you are sure they are the correct ones. Most companies will not ask you to click a link or an attachment in order to update account information. Instead, they send you an email asking you to make changes directly in your account. PayPal is no exception.

paypalscreen

Don’t open any unfamiliar attachments or click links unless you are certain beyond any doubt that it’s legitimate. If you do feel your “spidey sense” kick in, place a phone call to the company to verify. When you do this, get the phone number directly from their website rather than using one that is in an email message. Criminals will put their own information in those messages and go to great lengths to convince you they are real. In fact, if the payout is potentially big enough, they will even set up bogus call centers to field calls from the phone numbers in those emails.

This scam tries to scare PayPal customers by saying they will have “limited access” to their accounts or that the accounts will be locked if the credentials are not verified. An HTML attachment is provided and if it’s clicked, it directs you to a malicious website where you are asked to enter in your personal information such as social security number, name, address, credit card details, and even your mother’s maiden name. Just beware that if you do enter them in that form, you may also be locked out of your own identity.

© Copyright 2016 Stickley on Security

Beware of Spam; It Might Be Loaded with Ransomware

Virus Protection Computer Antivirus Safety Spam Concept

“Be wary of emails with JavaScript attachments,” is the word coming from Microsoft this week. A recent blast of email messages has been tricking the recipients into clicking on javascript files and subsequently downloading ransomware to their computers.

These messages come in emails that have file names that are interesting enough that users want to click them; but don’t. They come with a .zip or .rar extension and include such malicious favorites as TeslaCrypt and Locky, which has been attacking hospitals most recently.

There are a few defenses against this. Ensure you always keep a recent backup of important files from your computers. Also, install trusted anti-malware software and make sure it’s kept up-to-date. While this particular attack may get around this, it’s still important to have it installed. Of course, never open attachments or click links in email messages that you suspect may not be legitimate, especially if they come from unknown senders. Remember that if the file has a .js or .jse extension, it should be considered suspect.

Finally, always keep your system updated with the latest critical and security patches. If you have an older operating system, such as Windows XP, consider upgrading to a newer version. Windows XP has not been supported for a couple of years now and as new exploits are found, the vulnerabilities they exploit will not be fixed.

Other tips to defend against this type of spam include:

  • Making sure to scan all email messages that come through with updated anti-malware software,
  • Disabling macros in Microsoft Office programs,
  • Disabling macro loading in the group policy, if you are in charge of a corporate network, and
  • Educating users on phishing and how to avoid it, including not clicking potentially suspicious links.

Remember that paying cybercriminals to unlock files they encrypted with ransomware is not recommended. Instead, restore any affected system with that recent backup you make sure to have on hand.

© Copyright 2016 Stickley on Security

Scammers Can Fake Caller ID Info

phone-scam

Your phone rings. You recognize the number, but when you pick up, it’s someone else. What’s the deal?

Scammers are using fake caller ID information to trick you into thinking they are someone local, someone you trust – like a government agency or police department, or a company you do business with – like your bank or cable provider. The practice is called caller ID spoofing, and scammers don’t care whose phone number they use. One scammer recently used the phone number of an FTC employee.

Don’t rely on caller ID to verify who’s calling. It can be nearly impossible to tell whether the caller ID information is real. Here are a few tips for handling these calls:

•If you get a strange call from the government, hang up. If you want to check it out, visit the official (.gov) website for contact information. Government employees won’t call out of the blue to demand money or account information.
•Don’t give out — or confirm — your personal or financial information to someone who calls.
•Don’t wire money or send money using a reloadable card. In fact, never pay someone who calls out of the blue, even if the name or number on the caller ID looks legit.
•Feeling pressured to act immediately? Hang up. That’s a sure sign of a scam.

If you’ve received a call from a scammer, with or without fake caller ID information, report it to the FTC and the FCC.

by Andrew Johnson
Division of Consumer and Business Education, FTC

Wire Fraud Phishing Scams on the Rise in 2016

Thin line flat design of internet banking transaction secure money transfer using credit card online financial business operations. Modern vector illustration concept isolated on white background.

Wire fraud phishing scams are not new. In fact, they seem to be on the rise. Between October 2013 and August 2015, the FBI reported that nearly $750 million was stolen from over 7,000 U.S. companies using this method.

It isn’t limited to the United States either. It happens in Canada and according to The Canadian Anti-Fraud Centre, this type of Business Executive Scam typically results in losses of more than $100,000 for a company. In that country, in the first eight months of 2015, this type of fraud cost companies $6 million. Compared to all of 2014, that is on target to surpass the $19 million from all of 2014.

What can people and companies do to avoid this?

  1. Read emails, particularly unsolicited ones very carefully if they present any kind of urgent situation that supposedly requires immediate attention. This is one clue that it may be phishing.
  2. If asked to wire or transfer funds from a company account, confirm and re-confirm with the requestor by means other than email to make sure it is legitimate. Don’t simply reply to a message.
  3. Set up a separation of duties process so that no one person can wire money alone. It should require signatures and approvals from at least two people.
  4. Pay attention to grammar and spelling, as well as logos and formatting of email messages, and signatures, even when you know the sender. It’s easy to fake an email address, so when in doubt, trash the message.
  5. Look for urgency cues such as “this needs to be done immediately,” or phrases like “I can’t answer calls right now, so please email back.” These make it seem urgent and attempt to bypass any separation of duties processes that may be in place.

Don’t forget that taking a few minutes to educate staff on how to identify fraudulent requests and phishing email will go a long way in protecting your organization.

© Copyright 2016 Stickley on Security

Bogus debts, bogus collections

 debt-collectors-real-fake

At the FTC, they sue abusive debt collectors and try to do right by people who’ve been harmed by unlawful practices. But they also try to protect people from being harmed in the first place. That’s exactly what this article sets out to do: warn you about debt collectors calling about debts that the FTC knows are bogus.

The bogus debts supposedly are payday loans from these companies: USFastCash, 500FastCash, OneClickCash, Ameriloan, United Cash Loans, AdvantageCashServices, or StarCashProcessing. The companies are real, but if you’re hearing from anyone other than those companies, the debts are fake and you don’t need to pay.

Sometimes, if they can’t collect money owed to them, companies sell lists of those debts to debt collectors. But, in this case, we know that didn’t happen. The company that processed and serviced loans from these companies told the FTC that it never sold any customer or account information to debt collectors. Their lawyer even filed a legal declaration saying that.

Even so, we’ve still heard about abusive calls from debt collectors claiming to be collecting money owed to the companies listed above – and we already know that’s not true. But we also know that many of the people who have been called never even had a loan with those lenders in the first place – so the debts themselves also are bogus.

What to do if you get a call from a debt collector who says you owe money to one of those companies? You have rights. Ask for a validation notice, which says what you owe and to whom. After you get it, consider sending a letter saying that you don’t owe the debt. If you’re getting debt collection calls, check your free credit report at annualcreditreport.com. If a debt you don’t recognize shows up there, follow the instructions to dispute the debt. And, as always, report any problems to the FTC.

by Christopher Koegel
Assistant Director, Division of Financial Practices, FTC