Paul Ducklin at Naked Security warned us about a scam that just surfaced. It promises a gift sent by courier from overseas, where the sender hasn’t told you what they’re sending and the courier company doesn’t deliver the item directly.
Sometimes you get an email saying that the item is delayed because customs want to inspect it; or there’s import duty; or there’s an extra fee if you can’t collect it from the depot yourself. And to help you get through the paperwork easily, there’s often a tracking code and a clickable link in the email.
You can see where this is going, because cybercrooks love to copy real life on the grounds that it’s easier to lull you into a false sense of security when you’re following a process that feels familiar. Like this email that a Naked Security reader received last weekend:
A free Macbook Pro for just $1! Yeah, right.
As we mentioned above, scams like this aren’t so far away from real life, because emails from courier companies that document unexpected import and delivery charges are not that unusual, and neither are gifts during the holiday season. Moreover, being gifts, they’re often a surprise that you don’t find out about until either you or customs officials open the package. Well, don't fall for this kind of seasonal trick.
I suggest you send the following to your employees, friends and family. Feel free to copy/paste/edit:
ALERT: Bad guys are sending phishing emails that claim there is a free New Year's gift from overseas waiting for you. It's a scam. Here are four reminders about phishing emails like this:
- Beware free gifts. Seriously, there is no such thing as a free lunch. Don’t give out personal data to organizations or people you’ve never heard of.
- Beware courier emails. When sending or receiving items by courier, get in contact with the recipient or sender by phone – to let them know about the courier company you’re using and to provide a tracking number you can both trust.
- These days most cybercriminals are using "HTTPS" websites because everyone expects a padlock in the address bar. But the padlock doesn’t mean you are on a legit site, just that you are on a site with an HTTPS certificate.
- Do not click on links in emails. Ever. Go to your browser and type in the address of the site.
If you are a KnowBe4 customer, we have a ready-to-send template for you under our Current Events category. I suggest you send it to your full user population very soon. Here is how it looks:
Let's stay safe out there. Below is a link to our new free Phishing Security Test translated in 20+ languages!
Founder and CEO, KnowBe4, Inc.