Don’t Get Scammed

We are consistently bombarded by hackers, spammers or whatever you like to call them.  They use our phone — voice and text — email, social media, and other devices, to attack us.

This is a very lucrative business for the cybercriminals. It is estimated that cybercrime in the U.S. alone brought in over $6 trillion dollars in 2020. 

 Side note: Not all hackers are destructive. You do have “ethical” hackers. Companies sometimes offer up a bug bounty. For example, Apple has offered $1million to anyone who can hack iOS on an iPhone. Many companies will use these hackers to find vulnerabilities in their code before releasing it to the public. There are legitimate jobs in the hacker’s world.

Here are a few scenarios of people who have been scammed by hackers.

Scenario 1: Emails from a Hacked Account

Breaking into a person’s email or social media account is a great tool for tricking people into doing something they think is safe. The hacker goes through all the contacts of that person and sends them messages. The message is from a legitimate source, friend, co-worker, etc., which gets the email past the first line of defense because the source of the message is familiar.

In this scenario, the hacker is using an investment opportunity. The email states there is a great investment opportunity, but you must act fast or you will miss it. Your return on investment will be around $50,000 within six to twelve months. Please send $1000 so you can invest before it’s too late. Purchase money/gift cards,  take a picture and text it to the number provided.

This will not all happen in one email. The hacker will work up to it, building your confidence that you are corresponding with your friend about this opportunity.  

Signs this is a scam:

• Is this something your friend would ever ask you to do?
  • Call your friend if you are concerned about the message.
    • DO NOT respond in the email or instant message. You are just responding to the hacker.
• Are you being rushed to decide? Scare tactics are number one tool in a hacker’s arsenal. 
• NEVER send money cards by picture via text or physically to someone requesting money. It is extremely rare to ever get your money back from those cards once they are in the hands of the hacker.

Scenario 2: Impersonation — If you cannot hack their account, impersonate them

You receive an email from your boss (family member, close friend) who needs money quickly. The request is for you to use a credit card, or purchase gift cards up to $1000.  

The message is often something like this, “I do not have my cell phone with me but have a temporary one that is for texting only. Once you have the gift cards, text a picture of them to this number. I need this done NOW, ASAP!” 

This likely  will be a few emails over time requesting this information. One to make sure they have you hooked and others to make it more believable.  

Signs this a scam:

• Requesting gift card info to be texted to a number.
• Scare tactic — need it ASAP.
• The contact ”doesn’t have their cell phone with them” to verify this is legit.
• Sender’s email address does not match the boss’ (or family member or friend’s) name.

Scenario 3: Tech Support

You receive a phone call (or maybe a text) that tech support has been alerted your system is having issues and needs to be resolved. The person may even throw in a scare tactic that your system has been hacked and “tech support” needs to resolve this issue ASAP.

You will be asked to start up your system and type in a website to download a file that will allow access to your system so, IT can resolve the issue and/or remove the hacker.

This file will give them access to EVERYTHING on your system and then probably encrypt everything on your system. Once they have all your information and the system is encrypted (you are locked out of all your files); they will ask for ransom money to unlock your files.

Some cybercriminals will unlock the files if you pay but many just take your money and leave your system unusable.

Signs this is a scam:

• You are receiving a call from “tech support.”
  • You will never receive a call from Microsoft, HP, Dell, etc. about “an issue detected on your system”Requests could also look as if they are coming from your company.  Check address and web domains carefully.  Often you will see misspellings.
  • Scare tactics are being used to gain access to your system. “You’ve been hacked!” or “Your system is going to crash, without our help,” and so on.

This scenario is not just used in tech support scams but government, IRS and many others.

Scenario 4: Phishing emails / text messages

Some popular messages from cybercriminals include:

• UPS, FedEx, etc. tracking number email — there will be a link for you to click.
  • If you have an item coming, ignore the email and go to the source where you ordered the product. They will have your tracking information if you need it.
• Email inbox is full
• Account password has changed or needs to be changed

Basic rule is never click on a link in an email unless you are expecting it. If the message is referring to a service you use, go to that website and log in. If the email was legitimate, there will be a notice on the website when you log in.

Links to articles we have written about cybercriminals:

• How to Detect a Phishing Email
• Being Nice Can Get You Hacked 
• Email Phishing: Popular with Hackers 

Best Practices

We have gone through a few scenarios but there is an unlimited list of what cybercriminals will try to gain access to your system and/or accounts. Items that will help protect your personal data include:

• Dual authentication — on every site you log into. This is very important; the hacker does not just need your password but also a secondary authentication before they can log into the site.
• Alerts — if the website/service allows alerts, use them. Most financial institutions have alerts you can use to monitor your account.
• Password phrase — instead of the old eight-character password, use a phrase. The longer the password, the harder it is to hack and easier to remember.
  • Never use the same password for everything
  • Use a password manager
  • Article — The Word Is Password
• Beware of links — as stated many times, do not click on links in an email.   Many of the links take you to a fake website, like the login page of Microsoft, IRS, American Express, etc. to make you think you are logging into a legit site.  If a link in an email takes you to a site and you must enter in credentials, Do Not Do It. If the link is requesting to download and install a file, Do Not Do It.
  • The fake site — which you can tell by the URL at the top, will not look correct. IE: fedx.com, CHA5E.com, SENDER0.COM and so on.
    • Article about just this case from ACA
  • Think Before You Click
• Avoid using gift cards for payment — you want to be able to track your payment. Gift cards are usually not trackable. It is unusual for a legitimate business to ask for a gift card in payment.
• Never respond to a hacker — many times the hacker does not know if the email address — or number — they are sending to is valid. By responding to either have fun with them or give them a piece of your mind, you will validate your email address — or cell number. Then they will use different email addresses to keep coming after you and/or sell your email address or number on the dark web.
• Bad grammar — grammar in phishing messages is better now than it was.  Usually, you can find misspelled words or incorrect grammar in the messages the hacker is sending out.
• Scare tactics — are you being rushed to make a quick decision? The hacker does not want you to think too long and figure out what they are up too.  They want you to act quickly without thinking.

David H. Coull
Senior Systems Analyst
210-805-0171