Don’t Take the Bait: Safeguarding against spear phishing attacks.
Most of us are familiar with phishing scams: you receive an urgent-sounding email instructing you to change your password, verify an order, or pay a bill to avoid some kind of imminent risk or loss. These scams can be very convincing, and everyone should be diligent about protecting passwords, using strong passwords, not clicking suspicious links, and safeguarding their personal information to avoid getting “phished.” This is a topic we return to regularly because scams evolve, and scammers employ increasingly sophisticated techniques to achieve their goals.
One of the most elaborate methods is known as “spear-phishing,” which targets specific individuals who may be either the intended victim themselves or a backdoor into a company’s data. The scammers use social media accounts and other information they find online to identify victims and gather profile data as well as personal and business email addresses, looking for people whose computers may contain high-value data or provide access to it. Then they reach out to the target by phone or email, informing them that they need to take urgent action to remedy a problem, and direct them to click a link, visit a website, or call the company to resolve the issue. Some bad actors even set up bogus call centers to field the incoming calls of victims responding to fraudulent emails.
A Close Encounter
We recently learned of a risk manager, an expert in this field with access to sensitive company data, who received an email to her personal account apparently from a well-known and widely used data security company, notifying her of a problem authorizing payment of $495 for a subscription many people in her field might use. The email included an attachment and a phone number to call for assistance. Her professional knowledge kept her from opening the attachment, so she instead called the phone number visible in the preview to learn more.
A live person answered the call, stated the company’s name, and asked “How may I help you?”
She replied that she had received a $495 invoice for a subscription she didn’t request. The voice on the other end of the line informed her that her “free trial” of the product had expired and asked whether she wanted to continue subscribing to their online security service; she said she had not ordered a subscription and that they should cancel it. He asked her for the invoice number, which was visible in the email preview, and she provided it.
Next comes the part where her experience paid off. The scam call center agent told her she would need to go to their website to cancel the subscription – he would stay on the line with her and provide her with a code to use on the website to complete the cancellation.
She asked why he could not just cancel it for her, since he had the invoice number. He replied that it was a company security measure to prevent fraudsters from deliberately deactivating her account. When she pushed back further and asked what the code was for, he said he would have to transfer her to the support center. When she refused, demanding to know the purpose of the code, the fraudster grew angry and hung up on her. Another one that got away.
Had the risk manager followed the instructions, the fraudster on the other end of the line would have gained access to her personal device and, given her profile, perhaps a path to her corporate data and other sensitive information that could lead to a breach or ransomware attack on her company. He might even have reached her personal financial accounts, which could then have been emptied if they were not protected by two-factor authentication.
Fraud Prevention Steps
To avoid getting spear phished, ask the following questions when receiving an unexpected email or phone call on your work and personal devices:
Q: Do I have a relationship with this company? Yes or No
A: The manager mentioned above did not have a subscription, so she knew immediately that this was a scam. However, what if, like millions of other people, she did use one of the company’s products or services and couldn’t recall its exact name? If you are unsure, it’s best not to proceed any further without doing some research.
Q: Is there a sense of urgency to the message?
A: Yes, they wanted a response within 24 hours. Scammers create a sense of urgency to make the target unsure of what may happen if they don’t respond: could they lose their data? Could they get scammed? Would they lose something of value? The goal is to make you fearful and insecure about not acting.
Q: Is the sender’s email address from a company or a person?
A: In this case it was from a person, not the company. This is a major red flag. Always check the email address to make sure it is legitimate, and be vigilant about imposter letters, such as a capital I used in place of a lower-case L. Do not trust phone numbers that appear on your phone purporting to be from a legitimate company. Take down the information and hang up. Locate an actual phone number or email address on the company’s website and initiate the communication yourself. Legitimate companies will not call and ask for your account number, passwords, or personal or business data.
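One way to automate the sender check above, as an added example that is not part of the original article: a small Python classifier that ignores the display name, compares the sender’s registrable domain against a constructed list of companies you actually deal with, and flags look-alike spellings such as a capital I in place of a lower-case L. The trusted and personal-provider lists and the two-label domain heuristic are assumptions made for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed for this example: domains the reader actually does business with.
TRUSTED_DOMAINS = {"example-security.com", "mybank.example"}
# Consumer mailbox providers: mail from these comes from a person, not a company.
PERSONAL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Characters that pass for one another at a glance (a capital I or digit 1 for
# a lower-case L, a zero for an o, ...). Applied after lower-casing.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o",
                            "5": "s", "3": "e", "8": "b"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Collapse a domain to a look-alike-insensitive form for comparison."""
    text = unicodedata.normalize("NFKD", domain)            # 'ä' -> 'a' + accent mark
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = text.lower().translate(CONFUSABLE)
    for pair, single in MULTI_CHAR:
        text = text.replace(pair, single)
    return text


def registrable(domain: str) -> str:
    """Keep only the last two labels (assumption: a simple heuristic, not a
    public-suffix lookup), so 'example-security.com.evil.test' -> 'evil.test'."""
    return ".".join(domain.lower().split(".")[-2:])


def classify_sender(header_from: str) -> str:
    """Return 'trusted', 'lookalike', 'personal' or 'unknown' for a From: value."""
    _, addr = parseaddr(header_from)        # the display name is ignored on purpose
    if "@" not in addr:
        return "unknown"
    domain = registrable(addr.rsplit("@", 1)[1])
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in PERSONAL_PROVIDERS:
        return "personal"
    if skeleton(domain) in {skeleton(t) for t in TRUSTED_DOMAINS}:
        return "lookalike"
    return "unknown"
```

Anything other than "trusted" is a reason to stop and contact the company through a number or address you look up yourself.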
Q: Did they instruct you to do anything on your computer or device?
A: Yes. The scammer said he would be happy to cancel the service for her, then directed her to a specific URL (org) and asked her to enter a code he would provide in order to cancel the bogus subscription. This is how he could have gained access to her computer and taken control of it. DO NOT do this! Entering the code establishes a connection to your device (desktop, laptop, phone, tablet) that you cannot see and that stays embedded in the device. Once embedded, fraudsters can monitor all of your activity without your knowledge and gain access to any secured resource you use while they are monitoring your computer or device.
Additional things to remember to protect yourself against getting scammed
- If you are speaking with a company representative about canceling a service, you should not have to do anything else in order to facilitate it.
- There should never be a fee to cancel a service, so there should be no need to provide account or credit/debit card information.
- If a caller claims to be diagnosing something on your device, do not agree to it; disconnect the call and call the company from a published number. If you are having computer issues, take it to a reputable computer repair shop.
Q: Do they know who you are without you telling them your name?
A: If the answer is no, do not give them your name. If the answer is yes, assume your identity has been compromised and follow the tips below.
If you receive this type of contact:
- Demand to know why they need you to do what they are asking of you. Keep asking until they give you an answer. Do not comply with the request, no matter how urgent the caller is making the situation.
- Refuse to provide any personal information to the person on the other end of the line during a call or support interaction you did not initiate.
- Never give out your bank account or credit/debit card information.
- Always call the company they claim to represent directly from a published phone number, not the one in the email.
- Report the incident to the company being fraudulently represented.
If you happen to cooperate with a scammer, please do the following:
- Assume your device is compromised and do not use it for anything else until it has been scanned and cleaned. Take it to a reputable source such as the Apple Store, Geek Squad, etc., and have the device scrubbed for malware and unauthorized software. It may even be necessary to scrap the device and replace it to ensure your privacy and security.
- Contact your financial institutions and credit card companies and alert them to the incident immediately.
- Update all passwords from a different device as soon as possible.
- Place a fraud alert on your credit report (all 3 bureaus) to prevent new credit from being issued in your name.
Protect Yourself with Lafayette Federal
At Lafayette Federal, we know that the rise of online scams puts more and more people at risk of financial fraud every day. We care about our members’ online and financial safety, and our team members are trained to help you spot potential scams or abuse that could harm your financial wellbeing.
If you have concerns about a potential scam or believe you may be the victim of one, don’t be afraid to ask questions. Come into a branch or learn more about protecting your identity online at Lafayette Federal.