CyberheistNews Vol 12 #08 [Eye Opener] Here Are the 4 Traits of Most Scams

CyberheistNews Vol 12 #08  |  Feb. 22nd, 2022

[Eye Opener] Here Are the 4 Traits of Most Scams

Written by Roger Grimes

There are a lot of scams in the world, and they seem to be proliferating at an exponential rate. My Facebook friends' accounts are compromised all the time and I get sent scam requests for easy money. I get at least one scam message via SMS every day. My email inbox is full of phishing scams. I occasionally get phone calls from criminals claiming to be from my bank or some other local provider. I get emails from distraught people who have loved ones caught up in romance scams. Anyone trying to sell something on Craigslist quickly learns that it is overrun by scammers.

If you apply for a job these days, there is a stronger chance that it is a scam job just trying to learn your personal details and get money from you. And who has not been approached by a cryptocurrency scammer claiming they can make you rich, rich, rich for just a small investment?

I think that maybe I am becoming more aware of all these scams as a side effect of working in the scam-fighting security awareness training industry. But the stats tell a different story: there are more scams than ever, coming at us in more ways.

Protecting Your Organization Against Scams

People ask me what they can do to best protect themselves against social engineering and scams. At an organizational level, the answer is to implement the best defense-in-depth combination of policies, technical defenses and education to prevent social engineering; education is usually the piece most lacking in the majority of organizations. I wrote about the 3 x 3 Pillars of Computer Security [link below].

If you want to know everything you can do to prevent social engineering and phishing, you can read my 49-page eBook or watch my one-hour webinar on the subject. Pick your poison. Both cover the same material, which is everything I and KnowBe4 could think of to fight social engineering and phishing – every policy, technical defense and security awareness training best practice we could think of, put into a small package.

Protecting Yourself, Co-Workers, Friends and Family

The best thing you can do, at the individual level, is to teach yourself (and everyone else) how to spot a scam. You want everyone to have a healthy level of skepticism, to evaluate all incoming messages no matter how they arrive (be it email, web, SMS, social media, voice calls, etc.), and to look for the potentially suspicious signs of a social engineering scam. A scam is a scam is a scam. Most scams have the following traits:

  • They arrive unexpectedly
  • They ask the receiver to do something the sender has never asked the receiver to do before
  • They indicate a sense of urgency, claiming the receiver will be penalized if they do not take action immediately
  • The requested action could be harmful to the receiver or their organization if it is carried out and turns out to be malicious

I have summarized the scam warning signs in the flow chart below.

CONTINUED at this blog post with links and flow chart:
https://blog.knowbe4.com/traits-of-most-scams

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately “flip” a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature, which automatically replaces active phishing threats in your users’ mailboxes with a new, defanged look-alike.

The new PhishFlip feature is included in PhishER — yes you read that right, no extra cost — so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us TOMORROW, Wednesday, February 23 @ 2:00 PM (ET) for a live 30-minute demonstration of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:
  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user’s inbox
  • Easily search, find, and remove email threats with PhishRIP, PhishER’s email quarantine feature for Microsoft 365 and G Suite
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4’s email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW Wednesday, February 23 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3595149/976FEC88FEB58055336AA4EDC21CCEB3?partnerref=CHN2

Meta Files Lawsuit Over Phishing Attacks

Meta (Facebook’s corporate parent) and the digital banking company Chime have filed a joint lawsuit against two Nigerian citizens for allegedly impersonating Chime in phishing attacks, BleepingComputer reports. The defendants are accused of using “more than five Facebook accounts and more than 800 Instagram accounts” to direct users to spoofed Chime login pages in order to harvest their credentials.

“Many of these accounts used the Chime logo as their profile photo and the word ‘Chime’ with varied spellings in the username, such as ‘_ch_im_e_’ and ‘chime942’,” the lawsuit says. “Between no later than March 2020 and October 2021, Defendants used their network of Chime-branded Facebook and Instagram accounts to impersonate Chime in violation of the Terms.

“For example, Defendants used Chime-branded usernames, domains, and/or profile photos in these accounts without Chime’s authorization.”

Blog post with links:
https://blog.knowbe4.com/meta-files-lawsuit-over-phishing-attacks

12 Ways to Defeat Multi-Factor Authentication

Everyone knows that multi-factor authentication (MFA) is more secure than a simple login name and password, but too many people think that MFA is a perfect, unhackable solution. It isn't!

Watch Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist and security expert with over 30 years' experience, in this on-demand webinar where he explores 12 ways hackers can and do get around your favorite MFA solution.

This webinar includes a (pre-filmed) hacking demo by KnowBe4's Chief Hacking Officer Kevin Mitnick, and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security.

You'll learn about the good and bad of MFA, and become a better computer security defender in the process, including:

  • 12 ways hackers get around multi-factor authentication
  • How to defend your multi-factor authentication solution
  • The role humans play in a blended-defense strategy

Watch the Webinar Now!
https://info.knowbe4.com/webinar-12-ways-to-defeat-mfa-chn

Phishing Attacks on Social Media Doubled Over 2021

Phishing attacks on social media doubled over the course of 2021, according to a new report from PhishLabs by HelpSystems. Most (68%) of these attacks targeted organizations in the financial sector, followed by the telecom sector in second place at 24%.

“According to the findings, the number of social media attacks per target increased 103% from January 2021, when enterprises were experiencing an average of just over one threat per day,” the researchers state. “In December, enterprises averaged over 68 attacks per month, or more than two per day.”

The researchers also observed a significant rise in phishing emails that attempt to trick victims into calling the scammers.

  • "Hybrid Vishing (voice phishing) attacks initiated by email increased 554% in volume from Q1 to Q4."
  • "Phishing volume has grown 28% year-over-year, with half of all phishing sites observed in Q4 being staged using a free tool or service."
  • "Malware delivered via email nearly tripled in Q4, led by a resurgence in Qbot and ZLoader attacks."
  • "70% of advertisements for stolen data took place on chat-based services and carding marketplaces in Q4."
  • "The percentage of attacks targeting financial institutions increased from 33.8% in Q1 to 61.3% of all phishing sites observed in Q4."

John LaCour, Principal Strategist at HelpSystems, stated that organizations’ security teams need to be aware of social engineering attacks on social media.

“2021 was another record-setting year for social media as a threat channel,” LaCour said. “Threat actors use social media to commit fraud, impersonate brands and executives, and launch a variety of cyber threats, forcing security teams to monitor a variety of platforms for activity targeting their enterprise."

"Financial Institutions were the most actively targeted by threat actors since their services are often used broadly across several business sectors.”

New-school security awareness training enables your employees to recognize phishing and other social engineering attacks.

Blog Post with Links:
https://blog.knowbe4.com/phishing-attacks-on-social-media-doubled-over-2021

Got (Bad) Email?

IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still a top attack vector, do you know if hackers can get through your mail filters? Spoofed domains, malicious attachments and executables, to name a few...

Email filters have an average 7-10% failure rate: enterprise email security systems miss spam, phishing and malware attachments.

KnowBe4’s Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here's how it works:

  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test, and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!

Find out now if your mailserver is configured correctly; many are not!
https://info.knowbe4.com/mailserver-security-assessment-chn

Best New Social Engineering Show on Netflix

Kevin Mitnick just tweeted:

"Just watched the 'Inventing Anna' docuseries this weekend. Anna definitely has earned the #2 spot in the Mitnick Social Engineering Hall of Fame. She fooled everyone. Alexei Navalny still is in the #1 spot for his social engineering of the GRU. Fun fact: They are both Russians!"

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.



[Hot From The Press] There Is A Whole New Type of Blockchain Scam Called "Ice phishing":
https://blog.knowbe4.com/heads-up-there-is-a-whole-new-type-of-blockchain-scam-called-ice-phishing

Quotes of the Week
"Peace cannot be kept by force; it can only be achieved by understanding."
- Albert Einstein - Physicist (1879 - 1955)


"The secret of getting ahead is getting started. The secret of getting started is breaking your complex, overwhelming tasks into smaller manageable tasks, and then starting on the first one."
- Mark Twain - Author (1835 - 1910)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-08-eye-opener-here-are-the-4-traits-of-most-scams

Security News

Virtual Meeting Platforms and Business Email Compromise Scams

The US FBI has observed an increase in business email compromise (BEC) scams involving virtual meeting platforms over the past few years.

“Between 2019 through 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts,” the Bureau said in an alert.

“A virtual meeting platform can be defined as a type of collaboration technique used by individuals around the world to share information via audio, video conferencing, screen sharing and webinars. Criminals began using virtual meeting platforms to conduct more BEC related scams due to the rise in remote work because of the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.”

The FBI describes the following techniques used by attackers:

  • “Compromising an employer or financial director's email, such as a CEO or CFO, and requesting employees to participate in a virtual meeting platform where the criminal will insert a still picture of the CEO with no audio, or ‘deep fake’ audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email."
  • “Compromising employee emails to insert themselves in workplace meetings via virtual meeting platforms to collect information on a business's day-to-day operations."
  • “Compromising an employer's email, such as the CEO, and sending spoofed emails to employees instructing them to initiate transfers of funds, as the CEO claims to be occupied in a virtual meeting and unable to initiate a transfer of funds via their own computer.”

The Bureau offers the following recommendations to help people avoid falling for these attacks:

  • “Confirm the use of outside virtual meeting platforms not normally utilized in your internal office setting."
  • “Use secondary channels or two-factor authentication to verify requests for changes in account information."
  • “Ensure the URL in emails is associated with the business/individual it claims to be from."
  • “Be alert to hyperlinks that may contain misspellings of the actual domain name."
  • “Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate."
  • “Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from."
  • “Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed."
  • “Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.”

New-school security awareness training can teach your employees to follow security best practices.

The FBI has the story:
https://www.ic3.gov/Media/Y2022/PSA220216

More Advice on Avoiding QR Code Phishing

QR codes should be treated with the same suspicion as unknown links, according to Neil Clauson, Regional CISO at Mimecast. In an interview for Help Net Security, Clauson explained that these links are easy to use, but they’re inherently difficult to scrutinize.

“A QR code can easily be embedded anywhere an image can: into the body of an email, as an attachment, printed onto a sticker, or in a website,” Clauson said. “And just like a malicious URL, they are designed to blend in and not make an unsuspecting user think twice before scanning it."

"Legitimate QR codes are typically leveraged for their ease of use – you simply point your phone's camera at the code and it’s instantly scanned taking you to the desired webpage. These codes seem so convenient on the surface (QR does stand for ‘quick response’ after all) but that’s really what makes them so attractive as a threat vector. It’s easiest to trick someone when they aren’t suspecting it.”

Clauson adds that users should be wary of these codes, especially if they open a login page or ask them to download a file.

“Any QR code that arrives via email is most likely suspicious,” Clauson says. Always use your sound judgement in these situations – is this a ‘too good to be true’ scenario? Is there some artificial urgency involved, trying to get you to ‘act quickly?’

Does the website ask for any credentials or is it ‘out of context’ (did you get an email about work on your personal email, or vice versa?). If it’s a printed QR code, does it look like a second image was ‘pasted over’ the original?

Clauson concludes that a defense-in-depth strategy is the best way to thwart these attacks, which includes employee training. “A strong, multi-layered set of security solutions will resist many types of cyber threats, but as always, end users are the final line of defense against clever attackers,” Clauson said.

“Awareness training begins with teaching end users that QR codes can be used in phishing scams, and then giving them the skills to identify and report anything suspicious to their IT and Security teams. Those teams can be instrumental in early mitigation and recovery, before an issue becomes more widespread.”

Help Net Security has the story:
https://www.helpnetsecurity.com/2022/02/16/qr-code-phishing/

What KnowBe4 Customers Say

"Our law firm recently purchased a subscription to KnowBe4, and I was tasked to learn and implement KnowBe4. Not only am I impressed with your platform, but even more impressed with the support I’ve received.

Our Customer Success Manager, AlexR, has faithfully worked with me every week showing/training me how to use KnowBe4 phishing campaigns, training campaigns, and PhishER. Thanks to him, we are in full swing on our use of your platform.

My thanks for a job well done."

- L.S., Software Support and Training Specialist

The 10 Interesting News Items This Week
    1. 3 ways businesses can fight the convergence of information disorder and phishing scams:
      www.securityinfowatch.com/cybersecurity/article/21256287/3-ways-businesses-can-fight-the-convergence-of-information-disorder-and-phishing-scams

    2. How the Russia-Ukraine conflict is impacting cybercrime:
      https://intel471.com/blog/russia-ukraine-conflict-cybercrime-underground/

    3. Russia’s Propaganda & Disinformation Ecosystem - 2022 Update & New Disclosures:
      https://miburo.substack.com/p/russias-propaganda-and-disinformation

    4. FBI: BlackByte ransomware breached US critical infrastructure:
      https://www.bleepingcomputer.com/news/security/fbi-blackbyte-ransomware-breached-us-critical-infrastructure/

    5. US says Russian state hackers lurked in defense contractor networks for months:
      https://arstechnica.com/information-technology/2022/02/us-says-russian-state-hackers-lurked-in-defense-contractor-networks-for-months/

    6. We spoke to 7 ex-CIA and Pentagon experts. Here's what they say Putin wants in Ukraine:
      https://news.yahoo.com/we-spoke-to-7-ex-cia-and-pentagon-experts-heres-what-they-say-putin-wants-in-ukraine-100025311.html

    7. Phishing Top Threat to US Healthcare:
      https://www.infosecurity-magazine.com/news/phishing-top-threat-to-us/

    8. Conti ransomware gang takes over TrickBot malware operation:
      https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-over-trickbot-malware-operation/

    9. Ukraine says it’s targeted by ‘massive wave of hybrid warfare’:
      https://www.bleepingcomputer.com/news/security/ukraine-says-it-s-targeted-by-massive-wave-of-hybrid-warfare-/

    10. University Project Cataloged 1,100 Ransomware Attacks on Critical Infrastructure:
      https://www.securityweek.com/university-project-cataloged-1100-ransomware-attacks-critical-infrastructure

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

  • NEW TRAILER | Marvel Studios' Doctor Strange in the Multiverse of Madness:
    https://www.youtube.com/watch?v=aWzlQ2N6qqg

FOLLOW US ON: Twitter | LinkedIn | YouTube
Copyright © 2014-2022 KnowBe4, Inc. All rights reserved.