Last week, we worked on a computer from someone who fell for a phishing scam. She had received an email from ‘PayPal’ saying she had bought a gun, and the purchase was approved. She immediately called the 800 number listed and complained, as she did not make that purchase. They told her that she was compromised, and needed to get on her machine to see if it was hacked. First, she had to send them $100 via Venmo to confirm who she was. She paid the money and then clicked on a link they sent her to run a malware scan. They said it would take some time and just leave the computer alone.
When she said she could see the mouse moving, she asked if they were on her computer. They said no, that was just the Artificial Intelligence engine that was moving the mouse to let them know that the program was still running. After four hours, she turned the computer off as she was extremely nervous, suspended Venmo and all her bank accounts and called us on a recommendation. We wiped the machine, did a complete data wipe and reinstalled from a backup of important files.
Now, think of the work done by the hacker in this case. He sent out a phishing email, got the user to call him and then was allowed to bypass all the security (firewall, anti-virus, etc.), AFTER being paid $100 for the privilege of hacking her computer. These individuals do not even have to have a technical understanding of what they are doing…they just need to be smart enough to run a few pre-programmed scripts and they can take over an unsuspecting person’s machine.
A threat vector is a method that hackers use to gain unauthorized, and typically illegal, access to computer networks and systems. There are many different ways to accomplish this but for the sake of brevity we will talk about three of the more common ones: phishing, social media and password hygiene.
Phishing is one of the most common ways that bad actors are using to get you and your information. This is an exceedingly popular time for messages in your email saying, “your package is delayed”. I recently received an email from “Geek Squad” saying that I had just renewed my subscription for $500 and if I respond within 24 hours, I would not be able to cancel until next year. Here is an image of the email:
While the colors match, here is the Geek Squad logo:
Some other fun things to notice…Geek Squad typically does not use Gmail to send emails out to their customers. Also, further down the email they give a phone number to call. However, if we look at the link, it is not going to an 888 number but rather an 808 number. Calling them would get you a helpful person who will be happy to help you if you let them log into your machine and load some software (see above if you want to know what would happen).
Some of the more common phishing scams:
- Someone tried to get into your Microsoft account, log in below to change your password.
- Amazon is delayed with your package, please click the link to track your package.
- Someone wants to link with you on LinkedIn, please click below to accept the invite.
- This employee has made some changes to their direct deposit account, please make these changes to this other bank.
Tips to Avoid Getting Phished
There are clear-cut ways to identify phishing emails:
- Always check the email address it is from. Companies like Walmart and Amazon do not use Gmail or Hotmail.
- Always check all links before you click on them (usually just holding your mouse over them is enough to see them). If the domain is sketchy, don’t click on it. If in doubt, delete it.
- Pick up the phone and call if the email is suspicious. If you receive an email from someone and it does not look correct, please call them. Do not email them in case their email has been compromised (hackers can just respond for them).
- Use common sense. If you are not expecting a package, then there should not be one delayed.
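The first two checks in the list above (sender address and link targets) can be automated when triaging a reported message, including the case described earlier where the displayed phone number and the number the link dials differ. This is an added example, not part of the original post; the brand and free-mail lists, the sample message and every name in it are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}  # assumed list
BRANDS = ("geek squad", "paypal", "amazon", "walmart", "microsoft")  # assumed list
# Constructed sample: the 555-01xx numbers and the .example host are fictional.
SAMPLE = '''From: "Geek Squad Billing" <billing.desk.example@gmail.com>
Content-Type: text/html

<p>To cancel call <a href="tel:+18085550100">1-888-555-0100</a> or visit
<a href="http://renewal-desk.example/cancel">www.geeksquad.com</a></p>
'''

class Anchors(HTMLParser):  # collects [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.inside = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.inside = True
    def handle_data(self, data):
        if self.inside:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.inside = self.inside and tag != "a"

def digits(s):  # last 10 digits, so a leading country code is ignored
    return re.sub(r"\D", "", s)[-10:]

def triage(raw):  # raw: one single-part HTML email as text
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in FREEMAIL and any(b in name.lower() for b in BRANDS):
        findings.append(f"brand name {name!r} sent from free mailbox {domain}")
    parser = Anchors()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        tel = href.lower().startswith("tel:")
        if tel and digits(text) and digits(text) != digits(href):
            findings.append(f"shown number {text.strip()} dials {href[4:]}")
        host = re.sub(r"^www\.", "", (urlparse(href).hostname or "").lower())
        shown = re.search(r"(?:www\.)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
        if not tel and shown and host != shown[1] and not host.endswith("." + shown[1]):
            findings.append(f"link text shows {shown[1]} but goes to {host}")
    return findings
```

Calling `triage(SAMPLE)` returns one finding per warning sign; an empty list means none of these specific signs was found, not that the message is safe.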
I will be honest, social media is one of my biggest pet peeves. I am always amazed at the number of people who are willing to post some of the most useful information for scammers to use. I sometimes believe that you would be better off walking through your favorite grocery store singing your social security number and bank accounts…it is safer. I saw one on Facebook the other day which was “let’s all list the number one movie the year you were born.” Now, you are giving everyone who sees that post your name and the year you were born, both important pieces of information.
Please remember that you are the product being sold. They take all the information you readily give them and use it to market to you. These lists are easily purchased; information about your likes, dislikes, location, shopping habits, friends, family, etc. is all readily available to reverse engineer the perfect phishing scam or identity theft.
Password hygiene is one of the most important, yet most ignored functions of security. By definition, laziness is the enemy of security. Having to have a long, complex password for each site you go to is much more difficult than using an easy to type, 8-character password that you use for everything. Unfortunately, the minute that password gets out into the world, everything is compromised. The correct method is to have a unique password for each site. Use a password manager if you need help remembering.
Does this really work? Yes. We did a Dark Web scan for a customer last year and discovered that a password he uses for a specific government bureau was found on the dark web. Since he practiced excellent password hygiene and used unique passwords for every site he has to sign into, we could very easily identify where to find it and he only had to change a single password for one site (funny note, to this day, even with almost 7000 compromised passwords from this government agency, the IT company that contracts with them still denies there was any type of hack…makes you feel safe, doesn’t it).
You can have the best passwords in the world but if the company you are signing into has crappy security, you can be compromised. The scariest stat I have heard recently is that each new generation is more likely to reuse passwords across multiple sites than the generation before. Hackers are lazy; they do not want to brute force a password as it takes too much time when they can just get it from a badly secured site like Ashley Madison, Yahoo, etc.
I apologize that this rant has been this long-winded. It frustrates me when good people get taken advantage of. If you want to protect yourself, let’s start with these three simple points:
- Be more wary of phishing scams.
- Be more careful of posting on social media.
- Practice good password hygiene.
If you have any questions or want to hear more horror stories, please feel free to reach out to us at firstname.lastname@example.org.