53 S Madison Ave

Greenwood, IN 46142
(Next to Village Pantry)

317-886-8528


Mon - Fri: 8:00a - 6p


BLOG – Email & Phishing Scams
and how to avoid them….

NOTICE!  BEWARE!  Your Data, Your Security, Your Livelihood are at RISK and YOU’RE letting it happen!

I couldn’t state this more clearly nor more seriously.  Every day you get dozens of emails, many of them from retail stores, businesses, utilities, and service organizations that you’ve signed up with, whose website you’ve visited, or that you’ve purchased something from.  Just like the junk mail in your postal mailbox, what do you do with them?  You either ignore them or you trash them, because they’re just Junk Mail. Then you open the bills, the birthday cards, and what actually looks important.  What’s the difference between the mailbox on your porch or out in front of your house and the email mailbox that you’re accessing on your computer, laptop, tablet, or smartphone? The difference is that the documents in your mailbox are just paper with information on them, while the email you’re accessing online is an OPEN door into your home or business for criminals to take easy advantage of.  Your email is a living, breathing web page that downloads content from the internet, manipulates your mind and directs you to all the services that run your livelihood.

We run our lives and businesses online so much that we have a false sense of security, especially with email.  We have gotten so used to communicating with our friends, family, businesses, and associates via email or messaging, that we tend to overlook the overwhelming risk that it presents.  

Consider this: you get a phone call from someone and the Caller ID shows a business name or a friend’s name, but when you answer it you know by their voice that it’s not them. What do you do?  Typically, you hang up.

You get a piece of mail from the post office that says it’s from the IRS, you owe the IRS money and you need to call the IRS at a phone number printed on the mail.  What do you do? Do you check your tax records or call your tax accountant first?  Do you check the phone number to make sure it’s the IRS before you call it?  Do you just call the number and do whatever they tell you to do? Do you tear it up and throw it away? You should do one of the last two.

Now you get an email message from a friend Jane Smith (the sender field shows their name and email address) and the message just says, “Hey this is so funny, take a look at my instagram!  https://www.insta.io/AHAJFIUOU/?name=JaneSmith”

What do you do?  Most likely you’ll click on it, then everything goes crazy. Your computer starts making noise, you get a message on your screen that you’re infected, that you need to call Microsoft for assistance, etc…  and you did it because you were scared.  Why did you click it?  Because it came from your friend, you’re friends with her on Instagram, it didn’t look fake, you just saw the name and thought it was OK…  Now you’re compromised because you didn’t take a moment to think about it.  If you find yourself saying, “Why did she send me this via email? We usually just text each other or use FB Messenger. That’s odd, she’s never sent me anything like that before.  Where did this email come from?  Why didn’t I contact her first by the ways we usually communicate?”  DON’T do it!

Most people will have one of these initial reactions to a message like this, but many of them will click the link anyway.  DON’T do it!  If you have ANY question in your head about an email, its origin, the content, ANYTHING, don’t click any links, don’t open any attachments, and don’t call any phone number that’s in that email message! You have to train yourself over and over to double check your email messages BEFORE you click a link to somewhere or BEFORE you open an attachment.  It’s just the world we live in now.

 


Have you received an email from what appears to be someone using Docusign to send you documents to sign for your bank loan, car loan, banking account, etc.?  DON’T do it! Verify it first.

Have you received an email thanking you for your purchase of a McAfee Security Subscription for $299, with a line like “If you require any help, feel free to contact us at 1 (866) 555-9797”?  McAfee Security is included with nearly every computer or tablet now. It’s included with downloads for Adobe Reader and other programs that everyone uses regularly.  So we’re used to seeing it. Maybe you forgot to renew your subscription or cancelled it, so what do you do now?  Many people actually call the phone number. The people who answer are usually really nice and helpful to you, because they’re trying to steal from you and get access to your bank account. DON’T do it! Verify it first.

Have you received an email from Amazon saying there was a problem with your order and you need to log in and verify it?  Conveniently, they’ve included a link to the Amazon account login and it looks like the real thing.  The email looks real, the colors used in the message look real, the fonts used look real. The Amazon logo is in the email. The disclosure and contact info at the bottom of the message look real.  You click the link and the login page looks real.  What do you do?  You enter your username (email) and password and click submit to log in, but it does nothing.  So you try again.  Still nothing happens.  Next thing you know you have several things ordered from your Amazon account and they’re going to some address you don’t recognize, but you didn’t see this until a few hours or days later because you didn’t check your email or Amazon account.  How did this happen?  You did it to yourself.  You got Phished! When you tried to log into your account, you actually provided your login details to a bad actor, who used your account login info in the middle of the night to place orders knowing you wouldn’t check on it until after the fact.  Instead of pulling up your Amazon App or the Amazon website directly, logging in there and checking on your orders or account info through the REAL website, you just clicked the link in the email, because you thought it was OK and it looked real.  Did you look at the actual website URL in the address bar?  Did it actually show www.amazon.com/somethingsomethingsomething…, or something else that was very similar or not?  Most people don’t even think about checking the URL in the address bar to make sure it’s accurate.

Have you received a Shipping notice from UPS, FedEx, DHL or Amazon that says there was a problem with your shipment and you need to open the attachment or visit their website to authorize/verify the shipment, or that has a phone number to call and a link to their website in the message?  Again, what do you do?  Do you just click the link in the email or call the phone number in the email, or do you go to their actual website or search for their actual customer service number?  DON’T do it! Verify it first.  Search for their customer service phone number and call that number to verify the message.  Go to the actual website for that business and log in.  NEVER log in to a website from a link that was provided in an email message, unless you are 100% sure and have verified that the link in the email takes you to the real business website.

With ANY email message, especially something out of the ordinary, questionable, or makes you go “Hmmm…”, take the extra minute to verify it before you act upon it.   You’ll be much happier and safer. 

In today’s world, you have to change your mindset to be more “Zero Trust” when it comes to email.  Email is an OPEN door into your data, your security, your finances, your entire livelihood. 100s or 1000s of people are scammed by an email message every day. I get calls weekly from someone that’s been scammed.  The criminals always take the easy path and your email is it.  Be more aware. Don’t get phished, don’t let it happen to you.

If you have any questions or comments send them to us at info@icoso.com. 

Here are some tips on how to avoid being scammed or Phished via email.

1. Take a look at the sender’s email address; hover your mouse over the sender.  If it’s from a foreign domain or even a domain that looks like the real thing but has an odd extension (e.g. UPS.com.jp, UPS.org.cc, Amazon.anything.xyz), it’s fake. If it looks like the real thing, always VERIFY with the sender the old-fashioned way (call them) to confirm that they sent you something.

2. Take a look at the contents of the message – oftentimes these scam/fake messages originate in a foreign country from people who don’t speak or write good English. If the contents of the message are in any way broken or not proper English, then most likely it is fake.

3. If you have to, look at the headers or the source of the message. Most email client programs and even online email services allow you to view the headers or source code of a message. The headers are the tracking information that mail servers add as they pass the message from person to person. In these headers you can usually find the originating server (IP address), who actually sent it (in case the sender name has been forged), and other details about the message. You can check the sending server IP address at www.arin.net to find out where it originates from.

4. If the message asks you to open an attachment or click a link for more details, it’s most likely fake.  Most businesses would NEVER send you a Word or Excel doc as an attachment without securing it or zipping it. These types of messages should NEVER be opened. Even if the attachment is a PDF doc, be very leery of the message, especially if you were not expecting any message from the sender, or if you don’t know the sender, or even if you do know the sender but you weren’t expecting anything. BE AWARE!

5. NEVER reply to an email message from a sender you don’t know and/or haven’t verified. If it’s a SPAMMER and you reply to them, they now know you’re real and you will forever be bombarded with even more SPAM and SCAMS.

6. The Best Rule to follow, especially this time of year, is simply to be very leery of any message you get that you absolutely are not expecting to get from anyone or any business.
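
Tips 1 and 3 can be checked mechanically once you have copied a message's raw headers out of your mail program. The Python below is an added example, not part of the original post; the `TRUSTED` brand list, the function names and the sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the brands you actually deal with and their real domains.
TRUSTED = {"ups": "ups.com", "amazon": "amazon.com"}
# IP the receiving server recorded for its peer, e.g. "(unknown [203.0.113.45])".
PEER_IP = re.compile(r"\([^()]*\[([0-9A-Fa-f:.]+)\]\)")

# Constructed sample headers, not a real message. The From domain is the
# article's own example; the IPs are reserved documentation addresses.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.recipient.example; Tue, 02 Jan 2024 10:00:03 -0500
Received: from [10.0.0.5] (unknown [203.0.113.45])
\tby relay.example.net; Tue, 02 Jan 2024 10:00:01 -0500
From: "UPS Delivery" <tracking@ups.com.jp>
Subject: Problem with your shipment
"""

def lookalike_of(domain, trusted=TRUSTED):
    """Return the real domain being imitated, or None (tip 1)."""
    domain = domain.lower()
    for brand, real in trusted.items():
        genuine = domain == real or domain.endswith("." + real)
        if brand in domain.split(".") and not genuine:
            return real
    return None  # does not catch misspellings such as a swapped letter

def origin_ip(msg):
    """Earliest peer IP in the Received chain (tip 3)."""
    # Each server prepends its own Received line, so the last one is the first
    # hop. Lines added before your own provider's server can be forged.
    for hop in reversed(msg.get_all("Received", [])):
        m = PEER_IP.search(hop)
        if m:
            return m.group(1)
    return None

def triage(raw):
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return {"from_domain": from_dom,
            "imitates": lookalike_of(from_dom),
            "envelope_sender": parseaddr(msg.get("Return-Path", ""))[1],
            "origin_ip": origin_ip(msg)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `origin_ip` value is the address you would look up at www.arin.net, and a non-empty `imitates` value means the sender's domain only borrows the brand name.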

These are some other guidelines to follow and should be in every employee policy.

1. Never Click on Hyperlinks in an Email
2. Never Enter Sensitive Information in a Pop-Up Window
3. Verify HTTPS and website on the Address Bar
4. Educate Your Teams on Phishing Attacks
5. Keep Antivirus Protection Current
6. Utilize Anti-Spam Software
7. Utilize Anti-Spy Software
8. Install and Maintain a Reliable Firewall
9. Protect Against DNS Pharming Attacks
10. Utilize Backup System Copies
11. NEVER install any 3rd party Gadgets, tools, utilities, screensavers, clocks, calendars, anything from anywhere unless you have thoroughly scrutinized where it comes from, who created it, what type of reputation that company has for scam/spam, why you’re using it (if it’s not for business use DO NOT USE IT), etc.
12. NEVER click on any POP-UPS that you see on a website telling you to install something. JUST DON’T DO IT! If a website is popping something up and telling you to install something, close that website down and NEVER visit it again!
13. ALWAYS call a professional to verify if you’re unsure about something in your email, online, etc.