Security Tips

Blueprint of a Phishing Attempt
It would be helpful if content from threat actors came with a flashing red flag. Unfortunately, phishing attempts are better crafted than we'd like to believe. Cyber threat actors are well versed in manipulation and well-crafted techniques to fool unsuspecting users. When a user falls for a phishing message, the attacker achieves their purpose.

Phishing messages can appear in a variety of formats to collect personal information, steal account credentials, or install malware on a user’s device. Let’s look at some examples that highlight how to identify messages as phishing attempts and hopefully thwart this pathway for cybercriminals.

 

 

Subject: Low-Cost Dream Vacation loans!!!

 

Dear John,
We understand that money can be tight and that you may not be able to afford to go on vacation this year. However, we have a solution. My company, World Bank and Trust, is willing to offer low-cost loans to get you through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account [sic].

 

Please email your completed form to VacationLoans@worldbankandtrust.com.

 

Your dream vacation is just a few clicks away.

 

Stephen Strange
World Bank and Trust
1818 Street, NW Washington, DC 20433 USA
www.worldbankandtrust.com

Subject: Free Amozan Gift Card!!!

 

Dear Sally,
You name has been randomly selected to win a $1000 Amozan gift card. In order to collect you prize, you need to send us your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days. Failure to respond will forfeit your prize and we will select another winner. Please email your Name, address, phone # and date of birth to:

 

CustomerService@amozan.com

 

Your gift certificate is just a few clicks away

 

Customer Service
Amozan

 

In the first message, we can see that the phisher wants to give us a low-cost loan with no credit check. We just send him our information, and he gives us the money. This seems too good to be true. If you hover over the link, you see that this is not the email address displayed. It’s the email address of the attacker…

 

In the second message, we see that “Amazon” is misspelled as “Amozan.” If you read the message quickly, you will think it says “Amazon” and respond to get your gift certificate.

 

 

Rule #1: If an offer or deal is too good to be true, it probably is.
Rule #2: Hover over the link to confirm its true origin.
Rule #3: Look for misspellings. If company names are close to the correct spelling, you may not initially notice incorrect spelling.
Rule #4: Type the correct URL in the address bar yourself to ensure you are going to the legitimate site.
Rule #5: Look for misspellings in URLs. Some scammers use slight misspellings or letter substitutions in web addresses so that it is not easily noticed (e.g., 1egitimatebank.com instead of legitimatebank.com).
Rule #6: Never respond to an email with sensitive personal information (birthdate, Social Security Number, etc.). There are always more secure methods that legitimate companies will use to get this information.
Rule #7: Be wary of any message that is urging you to take immediate action.

 

The Federal Trade Commission is the United States entity that collects scam reports and can offer assistance in the event of an attack. If you think you’ve been a victim of a phishing attack or have clicked on a link that may be malicious, you can report a phishing attempt online at www.usa.gov/stopscams-frauds or by placing a call to 1-877-382-4357.

 

Lastly, you can educate yourself about phishing attempts in all their varieties. This includes spear phishing, which is a more targeted form of phishing. You can learn about this type of attack by downloading the MS-ISAC Security Primer on the topic.

The Dime Bank wants to help you keep your information safe. Protecting your personal information is a shared responsibility

Verify it's The Dime Bank. Fraudsters pose as credible companies "phishing" for your information. The Dime Bank will never call to ask for your online login information. If you are unsure, get the individual's name and hang up and call your local branch.

Do not open suspicious texts or emails or click on links within them. Fraudsters impersonate companies to get consumers to click links and provide personal information. Clicking on links can also infect your device with malware.

A password is the first line of defense against cybercriminals. We recommend creating a complex password that is difficult for others to guess but easy for you to remember. Use a different password for each site.

Monitor your accounts regularly, respond to fraud alerts, and report unauthorized transactions promptly.

Ransomware is a type of malicious software, or malware, that prevents access to computer files, systems, or networks and demands a ransom payment for their return.

The simplest way would be to avoid internet connectivity. LOL. Right! As that is not practical in our connected world today, what else can you do?

Auto-install updates. One of the most important controls to protect against ransomware is updating your devices and apps, including browsers (ie: Internet Explorer, Chrome, Edge, etc).

Most software companies regularly release updates for security loopholes. Computers and laptops are configured to scan, patch, and update automatically. Unfortunately, not applying the updates leaves you open to attack. Many ransomware and other malware attacks take advantage of out-of-date software.

One of the most common ways that computers are infected with ransomware is through social engineering. Remember to exercise common sense with suspicious email, websites, and other scams. If it seems suspect, it probably is.

Be unpredictable. There are two common password attacks, brute force and dictionary attacks. Both  involve trying a sequence of numbers and/or common words like 123456, hence, trying to crack a password using “brute force” or common “dictionary” words. To minimize this type of exposure, don’t make your passwords predictable.

Be creative. Related to being unpredictable, consider creating a phrase and use the first or second letter of each word, or substitute a special character for letters and/or numbers. You can use a password generator which provides creative and secure password options.

Be long. The longer the password, the more possible combination, and permutations of the password there are, and thereby the safer they generally are. However, don’t forget the first two tips, because long common words and sequences of numbers are still easier to crack!

Be selfish. Believe it or not, one of the more common reasons passwords are compromised is because people share their credentials. Quite simply – never, ever share your password(s)!

Be mindful. Think before you click. Phishing is where you receive an email or text message asking for you to confirm your details or take some other action where you need to enter your personal credentials. These types of acts are becoming increasingly sophisticated and can look very legitimate, like an email from someone you know. As a good rule of thumb, unless you make a request, don’t ever enter your credentials. Or, if you have any doubts, contact the organization requesting the information directly.

Be unique. You should use different passwords for different logins – yes, a different password for every login. Having a unique password for all your accounts helps prevent that if or when one is compromised the others remain protected. Pro tip: If you can’t remember all your passwords, consider using a secure password manager.

Use the built-in firewall on your computer.

Turn on automatic updates for ALL software you use, including your internet browser(s).

Use antivirus and anti-malware software  and keep it current.

Create a long phrase for your password instead of a short password.

Don’t open suspicious attachments or click unusual links in email, tweets, posts, online ads, messages, or attachments. 

Browse safely.  Don’t visit illicit sites.  They may contain malware or a download that contains malware. 

Refrain from streaming or downloading movies, music, books, or applications that are not from a trusted source.  Pirated material may include malware.

Avoid malware and viruses by only using external devices you own or receive from a trusted source.  

• .exe files can also be disguised in .zip folders - if you receive an email with a .zip, and open the folder to find an .exe, you shouldn't run the file.
• Be careful, some attachments might show the icon for a document, PowerPoint, etc., but they still have the .exe extension.
• Just because a file isn't an .exe, doesn't mean it's not malicious - there have been instances of macro-viruses that hide themselves inside of Office Documents.

If someone says you can only pay by wiring money, putting money on a gift card, or loading money on a cash reload card - it is a scam! Whether someone tells you to pay to claim a prize, deal with tax issues from the (so-called) IRS, says your accounts have been compromised, or asks you to help someone out of trouble, nobody legitimate is ever going to say you have to pay by wiring them money or by putting it on an untraceable gift card of any type. If you comply with their request, you stand to lose a lot of money.

If you receive a phone call, text, email, or letter with this type of request, it is a scam. If someone tells you they are from The Dime Bank and you are unsure, ask for their name and phone number, hang up, and call us immediately at 570-253-1970 or toll free at 1-888-4MY-DIME (1-888-469-3463). If the call was truly from The Dime Bank, you will reach us by calling us back on our published phone numbers.

Please help us safeguard your information. We’re here to help you in any way we can.

Federal Bureau of Investigation (FBI) is warning that as tech support fraud evolves, the number of people falling victim to the crime is on the rise, and so are financial losses. Investigators are seeing an emerging trend in which tech support scammers are convincing victims that their financial accounts have been compromised and their funds need to be moved so the fraudsters can gain control over the victims’ computers and finances.

In tech support scams, fraudsters pose as customer or tech support representatives from reputable well-known tech companies. They may call, email, or text their targets and offer to resolve such issues as a compromised email or bank account, a computer virus, or a software license renewal. Once they convince victims that their financial accounts have been compromised and their funds need to be moved, they gain control over the victims’ computers and ultimately their finances.

Victims are often directed to wire or transfer their funds out of brokerage or bank accounts to the fraudsters accounts. Scammers are also asking victims to install free, remote desktop software on their computers to allow them to monitor, manipulate, and perform actions within the victims’ computers such as opening virtual currency accounts to facilitate the liquidation of their genuine bank accounts.

• Legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals.
• Ensure computer anti-virus, security and malware protection is up to date and settings are enabled to reduce pop-ups.
• Be cautious of customer support numbers obtained via online searching. Phone numbers listed in a “sponsored” results section are likely boosted as a search of Search Engine Advertising.
• If a pop-up or error message appears with a phone number, don’t call the number. Error and warning messages never include phone numbers.
• Resist the pressure to act quickly. Criminals will urge the victim to act fast to protect their device or account.
• Do not give unknown, unverified persons remote access to devices or accounts.
• Do not download or visit a website that an unknown person may direct you to.
• Do not trust caller ID readings as criminals often spoof names and numbers to appear legitimate. Let unknown numbers go to voice mail and do not call unknown numbers back.
• Never trust any company-tech or otherwise-requesting personal or financial information.