Internet Banking


Customer Security

Look-Alike Login Pages

Here’s a popular phishing scenario: You receive an email with a link. The link takes you to a phony login page with the name and logo of a legitimate website. Once you submit your username and password, the information is sent straight to the bad guys. Cybercriminals love to use these phony look-alike login pages to steal your credentials and access sensitive information.

Now cybercriminals have developed a way to make look-alike pages even more convincing. Scammers use a special tool to automatically display an organization’s name and logo on the phony login page. They can even use this tool to populate your email address in the corresponding login field. This creates a false sense of security because many legitimate websites remember your username if you have logged in previously.

While this is an advanced attack, you can still stay safe by practicing the tips below:

  • Never click a link in an email that you were not expecting.
  • Remember that any site, brand, or service can be spoofed or imitated.
  • When you’re asked to log in to an account or online service, navigate to the official website and log in. That way, you can ensure you’re logging in to the real site and not a phony look-alike.

Email - Be Careful When You Click

The prevalence of phishing scams is at an all-time high. It is important to question the legitimacy of every email you receive. Below is a list of questions to ask yourself about any links or attachments in the email. They may help you realize that you are being phished.

 

Are there hyperlinks in the email?

  • Hover over any links and check the link address. Does it match the website for the sender exactly?
  • Did you receive a blank email with long hyperlinks and no further information or context?
  • Does the email contain a hyperlink that has a misspelling of a well-known website? (such as “Micorsoft”)
  • Is the sender’s email from a suspicious external domain? (like micorsoft-support.com rather than microsoft.com)
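The link and sender checks from the list above can also be automated. The following is an added example, not part of the original page: it compares each link's real target with the sender's domain and flags near-miss spellings of a trusted name. The `TRUSTED` set, the 0.8 similarity threshold, and the "last two labels" domain rule are assumptions made for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"microsoft.com"}  # assumption: sites the recipient really uses

class HrefCollector(HTMLParser):
    """Collects the real target (href) of every <a> element."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def base_domain(host):
    # Naive "last two labels"; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def looks_like(domain):
    # Near miss: a hyphen-separated part of the name resembles a trusted brand.
    name = domain.rsplit(".", 1)[0]
    return domain not in TRUSTED and any(
        difflib.SequenceMatcher(None, part, t.split(".")[0]).ratio() >= 0.8
        for part in name.split("-") for t in TRUSTED)

def check_email(sender, html):
    """Return (finding, domain) pairs for the sender and each link."""
    sender_dom = base_domain(sender.rsplit("@", 1)[-1])
    findings = [("sender-lookalike", sender_dom)] if looks_like(sender_dom) else []
    parser = HrefCollector()
    parser.feed(html)
    for href in parser.hrefs:
        host = urlsplit(href).hostname
        if not host:
            continue  # mailto:, in-page anchors and other links without a host
        dom = base_domain(host)
        if looks_like(dom):
            findings.append(("link-lookalike", dom))
        elif dom != sender_dom:
            findings.append(("link-not-sender", dom))
    return findings

# Constructed sample built on the page's misspelled-domain example.
SAMPLE_SENDER = "support@micorsoft-support.com"
SAMPLE_HTML = ('<p>Your account is locked.</p>'
               '<a href="http://login.micorsoft-support.com/verify">Sign in</a>'
               '<a href="https://www.microsoft.com/security">Security tips</a>')

if __name__ == "__main__":
    for finding in check_email(SAMPLE_SENDER, SAMPLE_HTML):
        print(finding)
```

A clean result only means these particular checks found nothing; it does not prove the email is legitimate.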

What about attachments?

  • Did the sender include an email attachment that you were not expecting or that makes no sense in relation to the email’s context?
  • Does the sender ordinarily send you these types of attachments?
  • Did the sender send an email with a possibly dangerous file type? Files with a .TXT extension are typically safe, but beware: files can be disguised with a different file extension.

If you notice anything about the email that alarms you, do not click links, open attachments, or reply. You are the last line of defense to prevent cyber criminals from succeeding.

Coronavirus Supermarket Scams

Grocery delivery services have been quite popular during the COVID-19 pandemic. These services help support social distancing, reduce the number of shoppers in each store, and allow at-risk patrons to safely buy essential items. Unfortunately, the popularity of these delivery services has caught the attention of cybercriminals. The bad guys are now spoofing supermarkets that offer delivery services in hopes of stealing your personal information. It starts with a phishing email that urges you to log in to your supermarket’s website using the link provided. Clicking the link takes you to a fake login page for your local supermarket. The page asks you to select your email provider (Gmail, Apple, and so on) and then log in to connect your account. Don’t be fooled! Connecting your account actually delivers your email credentials to the bad guys.

Remember the following tips:

  • Never click on a link within an email that you weren’t expecting.
  • Remember that email addresses can be spoofed. Even if the email appears to be from a familiar organization, it could be a phishing attempt.
  • When an email asks you to log in to an account or online service, log in to your account through your browser, not by clicking the link in the email. That way, you can ensure you’re logging into the real website and not a phony look-alike.

Look Out for Coronavirus Scams

A new phishing email, seemingly sent from your local government funding agency, is offering phony relief grants to those in need. What makes this scam especially sneaky is that the bad guys use a Dropbox link to disguise their malicious attachment. Dropbox is a legitimate and commonly used file sharing service. Therefore, the email security filters that your organization has in place may not consider the link a red flag, increasing the chances of this email landing in your inbox.

The phishing email urges you to click a Dropbox link so you can download a file that supposedly contains information about your relief grant payment. The link even includes an expiration date for an added sense of urgency. If you click the link, then download and open the phony file, you’re taken to a look-alike Microsoft 365 login page. If you enter any information on this page, it will be sent directly to the scammers.

Remember these tips:

  • Never click a link or download an attachment from an email that you weren’t expecting. Even if the sender appears to be a legitimate organization, the email address could be spoofed.
  • Be cautious of unexpected deadlines. Scammers often create a sense of urgency to spark impulsive clicks.
  • Get confirmation before clicking a Dropbox link. If you feel the file could be a legitimate resource for your organization, reach out to the sender another way—like by phone—instead of trusting the email.

Social Media Blue Checkmarks, Beware!

Have you ever noticed the blue checkmark on your favorite celebrity’s social media profile? This checkmark shows that the person has provided documentation to verify their identity. Verification helps you know a real account from a fake—but this tool isn’t just for celebrities. Whether you have a personal social media account or manage one for your organization, being verified can be a great benefit.

To become verified, you are required to provide sensitive information which, unfortunately, makes this process the perfect bait for a phishing attack. Cybercriminals spoof popular social media platforms like Twitter, Instagram, and YouTube by sending out fake verification emails. The emails include a link that, when clicked, takes you to a convincing verification form. Here you’ll be asked for things like your username, organization, password, gender, and more. Anything entered on this page is sent directly to the bad guys.

Stay safe from this fake verification scam with these tips:

  • This attack exploits the feelings of excitement and validation that come with becoming verified. Don’t let the bad guys play with your emotions. Think before you click!
  • Never click on a link within an email that you weren’t expecting.
  • When an email asks you to log in to an account or online service, log in to your account through your browser—not by clicking the link in the email. That way, you can ensure you’re logging into the real website and not a phony look-alike.

Watch Out for Robocall Scams

The bad guys are automating robocall scams worldwide. Recently, there has been a rise in this type of fraud. They have a variety of attacks that you should watch out for. Here are a few examples:

  1. Bank account and credit card scams where the bad guy claims to be an official from your bank or card company
  2. Extortion scams where they request payment for a kidnapped friend or family member
  3. Callback scams where you are tricked into calling back a very expensive international number

Remember the following to avoid robocall scams:

  • If you receive a call from a company urging you to complete a request, hang up and call back the company directly to investigate.
  • Scammers can spoof any number they’d like. Therefore, even if a call looks like it’s coming from a familiar source, it could be a scam.
  • Never provide personal information over the phone unless you’re the one who initiated the call.

Think Before You Pick Up!

Keep Your Social Security Number (SSN) Private!

The bad guys have come up with a scam to steal your Social Security Number (SSN). These fraudulent vishing, or “voice phishing,” attempts often appear to come from the actual Social Security Administration (SSA) number, but the scammers are faking it.

When you answer the phone, the bad guys claim that your SSN has been suspended due to suspicious activity or involvement in criminal activity. They’ll also claim your bank account will be seized, to shock you into action. The scammers will then ask you to confirm your SSN in order to reactivate it. Don’t fall for this trick!

Remember the following facts to avoid falling for this SSN scam:

  • Your SSN will not be suspended! The SSA would never call to threaten you or your benefits.
  • If you receive a suspicious call claiming to be from the SSA, hang up and call the SSA yourself to confirm.
  • Never give any part of your SSN (or your bank account or credit card number!) to anyone who contacts you.

Always think twice before sharing your sensitive information with strangers!

Beware of Social Media Imposters

If you’ve ever used social media to make a complaint about a company, you’d know that many organizations are quick to respond to this public expression. But have you ever stopped to question whether the account responding to your concern is really someone from the company?

Recently, fraudsters have taken to social media platforms to trick people into falling for their “help” and giving away their personal information. For example, a woman was upset with her broadband services, so she took to Twitter to complain about her provider. She promptly received a response from an account appearing to be the customer service team for this company. The “customer service team” was able to gain personal information, and even banking information, from her by using lines like: “I’m having trouble locating your account” and “I’ll first need to ask you a security question”. The woman soon found her bank account emptied out and several loans taken out under her name. Clearly, this customer service team wasn’t helping anyone aside from themselves.

Remember the following to protect yourself:

  • Never trust that an account is legitimate based on its Twitter “handle”, or any other “name” on social media. Just because the company name is present doesn’t make it valid.
  • A legitimate organization would never ask you for sensitive data like your bank account information. If it sounds like a strange request, then it probably is.
  • If you’re having trouble with a product or service, log in to your account or reach out to their customer support channels yourself. Never trust a response you receive after making a public complaint on social media or anywhere else online.