“With a real name and valid email address in hand, hackers have all the information they need to launch targeted phishing attacks against Duolingo’s users,” Spadafora writes. “Unlike regular phishing emails, these messages would be much more personalized since the hackers sending them out have more information to work with. At the same time, they could also try to impersonate Duolingo in their messages in the hope that potential victims would be more likely to click. Besides trying to steal your money, hackers could use these targeted phishing emails to get Duolingo users to install malware on their computers or to provide their credentials or even their payment information since the service does have a paid tier called Super Duolingo.”
Spadafora notes that users should watch out for the signs of social engineering attacks to protect themselves against potential scams.
“In order to avoid falling victim to phishing, you need to carefully examine all of the emails that arrive in your inbox,” Spadafora writes. “This means looking at the sender’s address and checking to see if it’s a legitimate email address used by Duolingo. From here, you'll want to look out for misspelled words and poor grammar as these are a major red flag when it comes to phishing emails. You also want to avoid clicking on any links or downloading any attachments these suspicious emails may contain. Likewise, you'll want to be on the lookout for language that tries to instill a sense of urgency, as hackers and other cybercriminals often use your emotions against you. If you’re worried about a potential deadline or losing access to your Duolingo account, you’re more likely to reply or do what a scammer suggests in their phishing email.”
New-school security awareness training can give your employees a healthy sense of suspicion so they can thwart targeted social engineering attacks.
Tom’s Guide has the story.