Alerts & Scams
Identity theft occurs when someone uses your personally identifying information, such as your name, Social Security number, or credit or debit card number, without your permission to commit fraud or other crimes. Identity theft can happen to anyone, but there are steps you can take to minimize your risk of becoming a victim.
Scam of the Week - The information provided below belongs to and is provided by KnowBe4 and is intended for informational purposes only.
July 26, 2019: Watch Out for "US State Police" Phishing Extortion Scam
Don't let the bad guys scare you into action! If this email makes it through your inbox, do not click the link, do not reply or call the number in the email, and do not send them any money. Be sure to follow your organization's procedures for reporting these types of criminal emails.
July 19, 2019: Beware of Amazon Prime Day Phishing Scams
The bad guys are selling so-called “phishing kits” that make it easy for any aspiring hacker to craft legitimate-looking emails appearing to come from well-known companies. The attackers are using these phishing kits to craft fake emails for Amazon’s Prime Day. The emails include a PDF attachment containing a dangerous phishing link. If you click the link, you’re brought to a fake Amazon login page and prompted to sign in to claim your Prime Day deals. If you sign in to this bogus page, your Amazon account will be compromised. If you use the same or similar passwords for other accounts, those accounts could also be compromised.
Always remember the following to protect yourself from scams like this:
- Never click on links or download attachments from emails you weren’t expecting, even if it appears to be from a legitimate organization.
- When logging in to any online service, never use the link in the email. Always type the web address into the browser yourself or use your normal bookmarks instead.
- Never reuse passwords across multiple sites. Consider using a password manager to keep your login details secure.
- When it comes to Prime Day or any type of “deal”, if something sounds too good to be true, it probably is. Delete suspicious emails or follow the reporting procedures put in place by your organization.
July 12, 2019: Microsoft OneNote Audio Note Phishing Emails
The scam comes in the form of an email with the subject “New Audio Note Received”. It claims you have a new audio message from a contact in your address book. The email prompts you to click on a suspicious link in order to hear the full message. Once you’ve clicked, you’re brought to a fake OneNote Online page that is hosted on SharePoint. This means the web page’s URL contains “sharepoint.com”, which makes the fraudulent page more convincing. This fake OneNote page contains another link, which you need to click on to finally listen to your "new message".
If you click this second link, you’re prompted to sign in to your Microsoft account from a fake but realistic-looking Microsoft login page that is also hosted on SharePoint. If you enter your login details here, the bad guys will have full access to your account. They can use this account to steal sensitive data or perform further attacks on your organization.
Don’t fall for this scam! It is important to remember that for Microsoft accounts, Microsoft login forms will only be hosted on the following domains: microsoft.com, live.com, microsoftonline.com, or outlook.com. And as a rule, when logging in to any online service, never use the link in the email. Always type the web address into the browser yourself or use your normal bookmarks instead.
July 5, 2019: Beware of Gmail Calendar Phishing Scam
Here’s how it works: Scammers send a realistic-looking Google Calendar invite complete with a meeting topic and location information. Some of these fake events even claim that you’re entitled to a cash payment. The event details contain a link that you’re prompted to click to “see more information”. At first glance, the link appears to take you to a Google website, but beware! If you click the link your computer could be infected with malware, or your bank (or other) account information could be stolen if you unknowingly provide any data to the scammers.
Remember the following to avoid falling for scams like this:
- Never click links in emails or in calendar notifications that you weren’t expecting. Even if you were expecting an email or an event invite, pick up the phone or use an alternative channel of communication to confirm whether the sender is legitimate.
- Always hover over links to see where they’re taking you before clicking. The link may take you to a different address from the URL that is shown.
- Don’t fall victim by clicking a link to gain something of value, like an unexpected payment. If something sounds too good to be true, it probably is. Delete suspicious emails or follow the reporting procedures put in place by your organization.
June 28, 2019: Look Out for Office 365 “File Deletion” Emails
June 21, 2019: Beware of Voicemail Phishing Scams
If your organization uses online voicemail services, you’ve probably used links in notification emails to check your new messages. Lately, scammers are creating look-alike notification messages that trick you into giving up your login credentials.
The fake voicemail notifications take you through a series of steps. They'll first prompt you to click a link to listen to your "new message". Then, you’re directed to a web page containing another link to click on so you can finally listen to your "new message".
If you click this link, you’re brought to a realistic-looking Microsoft sign-in page where you’re prompted for your email and password. If you enter your login details here, the bad guys will have full access to your account, where they can steal sensitive data or perform further attacks on your organization.
Remember the following to stay safe:
- Before clicking, always hover over links to see where they’re taking you.
- If you’re already logged into your email account, you shouldn’t be prompted to log in again. When asked to log in to an online service you’re using, type the web address into your browser yourself, rather than using unexpected links.
- Get familiar with the format of your voicemail notification emails. If you’re ever in doubt, contact the proper department in your organization before you click on any links or download attachments.
June 14, 2019: Think Before You Tweet
If you’ve ever used social media to make a complaint about a company, you’d know that many organizations are quick to respond to this public expression. But have you ever stopped to question whether the account responding to your concern is really someone from the company?
Recently, fraudsters have taken to social media platforms to trick people into falling for their “help” and giving away their personal information. For example, a woman was upset with her broadband services so she took to Twitter to complain about her provider. She promptly received a response from an account appearing to be the customer service team for this company. The “customer service team” was able to gain personal information, and even banking information from her by using lines like: “I’m having trouble locating your account” and “I’ll first need to ask you a security question”. The woman soon found her bank account emptied out and several loans taken out under her name.
Clearly, this customer service team wasn’t helping anyone aside from themselves.
Remember the following to protect yourself:
- Never trust that an account is legitimate based on their Twitter “handle”, or any other “name” on social media. Just because the company name is present, doesn’t make it valid.
- A legitimate organization would never ask you for sensitive data like your bank account information. If it sounds like a strange request, then it probably is.
- If you’re having trouble with a product or service, log in to your account or reach out to their customer support channels yourself. Never trust a response you receive after making a public complaint on social media or anywhere else online.
June 7, 2019: Brand Impersonation Attacks Are at an All-Time High
According to recent reports, phishing attacks that use brand impersonation are at an all-time high. Cyber criminals are posing as familiar companies so they can trick you and get access to your account in order to steal sensitive data or target additional employees.
Here’s how it typically happens: Attackers send you a standard-looking email appearing to be from a service or company that you use, such as Office 365. Clicking the link in the email will take you to a fake (but very realistic) login page. The most deceiving part of some of these fake pages is that the web address appears to be safe. The URL may end with a legitimate domain like “windows.net”, because the bad guys are hosting these pages with Microsoft’s Azure cloud services. If you enter your information here, the bad guys will gain access to one or more of your accounts which they can use to steal data or plan further attacks on your organization.
Remember the following to protect yourself from your inbox:
- Look out for strange or suspicious domains in sender addresses. Even if the domain looks legitimate, check again. Does the email say “micronsoft.com” instead of “microsoft.com”?
- Before clicking, always hover over links to see where they are taking you. Never click on a link in a message unless you’re certain the sender is legitimate.
- Whenever you get an email from an online service you use, log in to your account through your browser (not through links in the email) to check whether the email message is valid.
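
For readers who triage reported emails, the two domain checks described above (the July 12 list of domains that host Microsoft login forms, and the "micronsoft.com" near-miss spelling from June 7) can be automated. The following is an added example, not part of the KnowBe4 material; the sample URLs are constructed, and the two-label domain guess and the edit-distance threshold of 2 are assumptions.

```python
from urllib.parse import urlsplit

# Domains the page lists as the only hosts of Microsoft login forms.
MS_LOGIN_DOMAINS = ("microsoft.com", "live.com", "microsoftonline.com", "outlook.com")

def host_of(url):
    """Return the lowercased hostname, ignoring any user@ prefix and port."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    host = host_of(url)
    # Match on a label boundary so "microsoft.com.evil.example" does not pass.
    if any(host == d or host.endswith("." + d) for d in MS_LOGIN_DOMAINS):
        return "listed-login-domain"
    # Assumption: the last two labels approximate the registered domain
    # (a production tool would consult the Public Suffix List instead).
    base = ".".join(host.split(".")[-2:])
    for d in MS_LOGIN_DOMAINS:
        if 0 < edit_distance(base, d) <= 2:
            return "lookalike-of:" + d
    return "not-a-listed-login-domain"

# Constructed sample links, one per trick described on this page.
SAMPLES = [
    "https://login.microsoftonline.com/common/login",
    "https://contoso-my.sharepoint.com/personal/notes/onenote.aspx",
    "https://example-account.blob.core.windows.net/signin.html",
    "https://login.micronsoft.com/",
    "https://microsoft.com.account-verify.example/login",
    "https://login.live.com@evil.example/",
]

def run_samples():
    return {url: classify(url) for url in SAMPLES}

if __name__ == "__main__":
    for url, verdict in run_samples().items():
        print(f"{verdict:28} {url}")
```

A "listed-login-domain" verdict only confirms where the link points; it says nothing about whether the email itself was expected.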