Tag Archives: scams

spotting a scam

How to spot a scam

Recognise the signs someone is trying to scam you, and learn how to check if a message you have received is genuine.

Recognising online scams

Cyber criminals may contact you via email, text, phone call or via social media. They will often pretend to be someone (or an organisation) you trust.

It used to be easier to spot scams. They might contain bad spelling or grammar, come from an unusual email address, or feature imagery or design that feels ‘off’. But scams are getting smarter and some even fool the experts.

How to spot scam messages or calls

Scammers try to quickly gain your trust. They aim to pressure you into acting without thinking.

If a message or call makes you suspicious, stop, break the contact, and consider the language it uses. Scams often feature one or more of these tell-tale signs.

Authority

Is the message claiming to be from someone official? For example, your bank, doctor, a solicitor, or a government department. Criminals often pretend to be important people or organisations to trick you into doing what they want.

Urgency

Are you told you have a limited time to respond (such as ‘within 24 hours’ or ‘immediately’)? Criminals often threaten you with fines or other negative consequences.

Emotion

Does the message make you panic, fearful, hopeful or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.

Scarcity

Is the message offering something in short supply, like concert tickets, money or a cure for medical conditions? Fear of missing out on a good deal or opportunity can make you respond quickly.

Current events

Are you expecting to see a message like this? Criminals often exploit current news stories, big events or specific times of year (like tax reporting) to make their scam seem more relevant to you.

How to check if a message is genuine

If you have any doubts about a message, contact the organisation directly. Don’t use the numbers or address in the message – use the details from their official website.

Remember, your bank (or any other official source) will never ask you to supply personal information via email, or call and ask you to confirm your bank account details. If you suspect someone is not who they claim to be, hang up and contact the organisation directly. If you have paper statements or a credit card from the organisation, official contact details are often written on them.

Make yourself a hard target

Criminals use information about you that’s available online (including on social media sites) to make their phishing messages more convincing.

You can reduce the likelihood of being phished by thinking about what personal information you (and others) post about you, and by reviewing your privacy settings within your social media accounts.

How to report suspicious communications

If you have received a suspicious message or call, or visited a suspicious website you should report it.

Report a scam email, text message, website, phone call or advert.

corona virus

Coronavirus scams leave UK victims seriously out of pocket

Victims of scams related to the coronavirus outbreak lost nearly €1 million in February, according to the UK’s fraud and cybercrime centre.

In a warning to the public, Action Fraud UK said fraudsters conned people out of more than £800,000 (€918,000) in the month, using the COVID-19 crisis to concoct phishing email scams.

It said since the start of February, 21 cases of fraud have been identified where coronavirus was mentioned.

Ten were reported by victims who were trying to buy facemasks from fraudulent sellers, with one victim losing more than £15,000 on a purchase of masks which was never delivered.

Others were victims of coronavirus-themed phishing emails, where people are tricked into opening malicious attachments or divulging login information.

Some fraudsters have been pretending to be from research organisations associated with the Centers for Disease Control and Prevention (CDC) and the World Health Organisation (WHO).

WHO has itself warned people of malicious emails appearing to be from the organisation.

“WHO is aware of suspicious email messages attempting to take advantage of the 2019 novel coronavirus emergency,” it says on its website, warning the emails ask for information such as usernames and passwords, or include malicious links or attachments.

How to steer clear of online scams

  • Don’t click on links or attachments in suspicious emails, says Action Fraud
  • Don’t reveal any personal or financial details during unsolicited messages or calls
  • WHO says you can verify the sender by checking the email address – an official WHO email will be sent only from an address ending in @who.int
  • Don’t feel under pressure to reveal any information – cybercriminals use emergencies such as coronavirus to scare people into making rash decisions
  • The WHO also advises that if you think you may have mistakenly given personal information to a scammer, you should change your credentials immediately
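The address check in the WHO advice above, as an added example that is not from the article or from WHO: it extracts the actual address from a From: header and compares its domain exactly against who.int, so look-alike domains, the official name used as a subdomain, and an address hidden in the display name all fail. The sample headers are constructed.

```python
import re

# Constructed From: headers (not from the article): one genuine WHO address and
# several patterns that a loose "contains who.int" check would wrongly accept.
SAMPLE_FROM_HEADERS = [
    "World Health Organization <alerts@who.int>",
    "alerts@who.int <update@example-bad.test>",   # real address hidden in display name
    "WHO <alerts@who.int.example-bad.test>",      # official domain used as a subdomain
    "WHO <alerts@notwho.int>",                    # endswith('who.int') would accept this
    "<alerts@WHO.INT>",                           # different case, same domain
]

ADDR_SPEC = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+"
ANGLE_ADDR = re.compile(rf"<\s*({ADDR_SPEC})\s*>\s*$")  # '<addr>' at the end wins
BARE_ADDR = re.compile(rf"^\s*({ADDR_SPEC})\s*$")      # header is only an address

def extract_address(from_header: str) -> str:
    """Return the addr-spec a mail client would reply to, or '' if none is found.

    Everything before the final <...> is display name and is ignored, so an
    address-looking display name cannot pose as the sender.
    """
    m = ANGLE_ADDR.search(from_header) or BARE_ADDR.match(from_header)
    return m.group(1) if m else ""

def sender_domain(from_header: str) -> str:
    """Lower-cased domain part of the real sending address, or ''."""
    addr = extract_address(from_header)
    return addr.rsplit("@", 1)[1].lower() if addr else ""

def is_official_sender(from_header: str, official_domain: str = "who.int") -> bool:
    """True only when the domain is exactly the official one. An exact match
    rejects notwho.int (accepted by a suffix test) and who.int.example-bad.test
    (accepted by a substring test)."""
    return sender_domain(from_header) == official_domain.lower()

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        verdict = "official" if is_official_sender(header) else "SUSPECT"
        print(f"{verdict:9} {header}")
```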

CAPTCHA Phishing Scam

CAPTCHA Phishing Scam Targets Android Users

A CAPTCHA phishing scam has been detected which is being used to trick users into downloading a malicious file that intercepts multi-factor authentication codes on a user’s smartphone. With the codes, hackers can perform a more extensive attack and gain access to a much wider range of resources such as email and bank accounts.

When a visitor lands on the phishing page, a check is performed to determine what device is being used. If the user is on an Android device, a malicious APK file is downloaded to their device. Any other platform will receive a zip file containing malware.

A fake version of the familiar Google reCAPTCHA is displayed on the phishing page. It closely resembles the legitimate version, although it does not support sound and the images do not change when they are clicked. The fake reCAPTCHA is housed on a PHP webpage and any clicks on the images are submitted to the PHP page, which triggers the download of the malicious file. This campaign appears to be focused on mobile users.

On an Android device, the malicious APK intercepts PIN codes from two-factor authentication messages, which allow the attackers to gain access to the user’s bank account. With these PIN codes, an email account can also be compromised, which would allow further accounts to be compromised by requesting password resets.

A successful attack could see several accounts used by an individual subjected to unauthorized access. Businesses are also attacked in a similar manner. Successful attacks on businesses could give the attackers access to huge volumes of sensitive company data and even infrastructure resources.

This method of delivering malware is nothing new and has been around since 2009. A CAPTCHA phishing campaign was detected in February 2018 attempting to download a malicious file, and a similar campaign was run in 2016.

Attack methods are adopted for a while and then dropped. While it is possible to prepare the workforce for phishing attacks such as this through training, security awareness training alone is not enough, as tactics frequently change and new methods of attack are frequently developed.

As this attack shows, two-factor authentication is far from infallible. In addition to this method of obtaining 2FA codes, the SS7 protocol used to send SMS messages has flaws that can be exploited to intercept messages.

Security awareness training and 2FA are important, but what is required on top of these protections is a powerful anti-spam and anti-phishing solution. Such a solution will block phishing emails at the gateway and make sure they are not delivered to inboxes.

It is important to choose a solution that provides protection against impersonation attacks. Many phishing campaigns spoof a familiar brand or known individual. A solution that incorporates Domain-based Message Authentication, Reporting & Conformance (DMARC) will help to ensure that the sender of the message is genuine, by performing checks to make sure that the sender of the message is authorized to send messages from that domain.
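An added example, not from the article or any vendor product, of the DMARC check described above: a simplified evaluation in the spirit of RFC 7489 that decides whether the visible From domain is aligned with what SPF or DKIM actually authenticated and otherwise applies the domain's published policy. The domains, the two records, and the two-label shortcut for the organisational domain are assumptions.

```python
# Added example, not from the article or any vendor product: a simplified DMARC
# evaluation in the spirit of RFC 7489. Domains and records are constructed.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, simplified here to the last two labels
    (assumption: real implementations consult the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, record, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the record's p= policy when neither SPF nor DKIM is aligned.

    spf_pass_domain:  the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: the d= of a DKIM signature that verified, else None.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]

# Constructed records: monitoring-only versus enforcing with strict alignment.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@brand.example"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@brand.example"

if __name__ == "__main__":
    # From: shows brand.example, but only the impersonator's own domain passed SPF.
    for record in (MONITOR_ONLY, ENFORCING):
        print(record.split(";")[1].strip(), "->",
              dmarc_disposition("brand.example", record, spf_pass_domain="bulk.attacker.test"))
    # Genuine mail signed with the brand's DKIM key passes even under strict alignment.
    print("signed ->", dmarc_disposition("brand.example", ENFORCING, dkim_pass_domain="brand.example"))
```

With p=none the impersonated message is only reported, which is why an anti-phishing gateway should be backed by an enforcing policy on the brand's own domain.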

Most anti-phishing solutions incorporate an anti-virus component that scans all incoming attachments for malware and malicious code, but cybercriminals are using sophisticated methods to evade detection by AV solutions. Files may include malicious code that is hard to detect. A sandbox is therefore required to execute suspicious attachments in a safe environment where they can be monitored for malicious activity. By testing attachments in the sandbox, malicious files can be identified while more genuine emails and attachments are allowed through to inboxes.

Football Fraud

Middlesbrough FC fake football trial scam warning

Fraudsters are targeting young footballers across the world offering them fake trials in return for money.

Middlesbrough Football Club said it had been contacted by would-be professionals saying they had been offered trials by the club.

Club spokesman Paul Dews said in one case $150 (£116) was demanded but no cash was handed over.

A number of other clubs have been targeted and Middlesbrough has informed the Football Association (FA).

Mr Dews said the club had received at least 15 queries – from within the UK, Africa and the Caribbean – asking if the offers were genuine.

“We understand we are one of a number of clubs whose name is being used in this manner and have reported this to both the police and the FA, who we are currently assisting in their investigations,” he said.

Impersonating football agents

The FA said there had been a “number of reported scams/schemes in different areas of the country”.

Young players are promised trials and they or their family are asked for payment in advance to cover “insurance and travel”, it said.

Once the money is sent no more is heard.

The FA said it had alerted clubs and local police, and issued a warning to players and parents.

In the latest scam fraudsters had been impersonating football agents but did not appear to have received any money so far, Middlesbrough said.

Mr Dews said “any invitations for players to join on trial would always be made directly from the club and not from any third parties”.

Call center fraud

Raids mounted on fake Indian tech support centres

More than 50 people have been arrested in India for their alleged involvement in fake security warning scams.

The New York Times said that Delhi police made the arrests during raids on 26 call centres linked to the scams.

Software giant Microsoft helped police trace who was behind the large-scale operations.

It said it received more than 11,000 calls per month about fake security warnings and that many people lost significant sums to the fraudsters.

“This is an organised crime,” Courtney Gregoire, an assistant general counsel in Microsoft’s digital crimes unit, told the US newspaper.

Microsoft has estimated that fraudsters make about $1.5bn (£1.2bn) a year through fake Windows support calls.

Raids on 16 call centres were carried out this week and, earlier in November, another 10 locations were visited by police.

The raids were prompted by Microsoft filing complaints with local police in New Delhi about call centres it claimed were involved in the fraudulent operations.

Typically, said Microsoft, attempts to trick people revolved around pop-up warnings that falsely claimed that a person’s computer was infected with a virus.

Fixing the non-existent virus could involve ringing a tech support centre. An operator would talk a victim through a fake fix and then charge them for the work.

In another version of the scam, staff at call centres claimed to be calling from official Windows support, saying they had spotted that a person’s computer had been hacked or harboured a virus. Again, victims were expected to pay to fix the non-existent problem.

Some people caught out by the scam paid up to $1,000 for the fake tech support, said the newspaper.

Microsoft has published advice about ways to spot the fake calls and avoid becoming a victim.