BADDIES ARCHIVE

BADDIES UPDATE (by Lawrence Patterson)

2022

MARCH 2022

March 14
Today we have two local examples of the baddies making use of Blind Trust actions to trick you into being scammed, please review and share.
Here’s how to tell if that CRA phone call is a scam or not! https://dailyhive.com/vancouver/cra-phone-call-scam-or-not
We are all familiar with scam calls at this point. Whether it’s an air duct cleaning service, winning a cruise, or a warrant out for your arrest, you’ve surely received at least one scam call. This year, the CRA is trying to get ahead of scammers by providing tips to make sure you’re speaking to an actual CRA agent.

How to make sure it’s not a scammer on the line

  • Ask the caller for their name, phone number and office address,
  • Hang up the phone,
  • Google the information provided to you to confirm it is factual
  • Call the CRA agent back

How to identify a scammer

  • Caller refuses to provide proof that they work for the CRA (aka, won’t give you their name or phone number)
  • Caller uses aggressive language or pressures you to make an immediate decision
  • Caller asks for payment via pre-paid credit cards, cryptocurrency or gift cards
  • Caller asks for information that is not related to your tax return, such as your credit card number
  • Caller recommends you apply for benefits

Ontario police warn of text-message licence sticker scam https://driving.ca/auto-news/local-content/ontario-police-warn-of-text-message-licence-sticker-scam-in-mississauga-and-brampton

March 1
Are you on Instagram? OPP warn of new phishing scam!
For those of you who have had the opportunity to hear my honest appraisal on how baddies can easily initially victimize us and then continue to re-victimize you and then your family, friends & associates, comes an unfortunate confirmation of that scenario.  Again, be careful on how you respond to all messaging and if you happen to be caught, be aware you need to own it to avoid causing more harm.

https://www.orilliamatters.com/police-beat/are-you-on-instragram-opp-warn-of-new-phishing-scam-5095544

Scammers are sending phishing emails with fraudulent links for fake Instagram login pages; this allows scammers to steal account credentials. Once an account is taken over, suspects blackmail victims to record a video of themselves promoting fake cryptocurrency platforms.

Suspects advise victims that this is the only way they can recover their account. After the video is recorded, it is posted on the victim’s social media accounts with a link for their followers to make a fraudulent investment. Victims will never recover their social media account and their followers are at risk of losing their funds if they invest through the fraudulent cryptocurrency platform.

Warning signs and how to protect yourself:

  • Do not click links or download attachments in text messages or e-mails as these can contain viruses or malware.
  • Beware of fraudulent cryptocurrency investment advertisements promoted through social media.
  • Prior to investing, ask for information on the investment. Research the team behind the offering and analyze the feasibility of the project.
  • Verify if the investment companies are registered with your provincial securities agency or the National Registration Search Tool (www.aretheyregistered.ca).
  • Don’t be afraid to say no!
  • Create different passwords for all online accounts.
  • Enable multi-factor authentication.
  • Only log into your accounts from trusted sources.
  • Don’t reveal personal information over social media.
  • Learn more tips and tricks for protecting yourself.
 

February 21
QR Codes, think first before scanning!

So how do you know if a QR code is legit before you scan, the truth is you don’t.  That said, when you use your phone to scan what appears to be a legitimate QR code, observe what address is being offered and use Wise Trust before deciding to go through with the results.  A couple of points:

  • Watch out for what is now being called the “Parking Meter scam” in which a QR code was placed on Austin parking meters that resulted in banking information being sent to the scammers;

police-tweet

  • Remember that anyone can create and print out a QR code, much like the invoice scams we discussed last week, you need to ask yourself if a QR Code is what it claims to be;
  • Check out QR Codes in the Time of Cybercrime (knowbe4.com) for more details.

 Oh, and here’s a QR code that’ll either make you happy or cringe (don’t say I didn’t warn you).

2021

NOVEMBER 2021

When is a customer complaint an Email scam? See the following article, which has good examples and investigation, along with the following action items:

  • Stop. Think. Connect;
  • Always use official channels for communicating with your staff (i.e. don’t follow the link on the supposedly urgent action messaging);
  • Don’t be seduced by on-screen security promises and visual indicators.

June 7
If you ever wondered why it’s important to be comfortable with properly managing your password, see the article  “How to hack into 5500 accounts… just using “credential stuffing”  https://nakedsecurity.sophos.com/2021/06/04/how-to-hack-into-5500-accounts-just-using-credential-stuffing/amp/  as it reviews how the baddies make quick work whenever they get a hold of encrypted password data.  There’s a number of examples of why we need to be diligent with our password management, including the author’s below conclusions:

  • Don’t re-use passwords. 
  • Consider a password manager. 
  • Turn on 2FA if you can. 
  • Report payment anomalies. 

May 24:
Fraudsters employ Amazon ‘vishing’ attacks in fake order scams. Once again, use Wise Trust (even when you do have an incoming order) to make sure you’re NOT another “spray & pray” victim.  Don’t forget to discuss amongst family and friends, so that we protect the community at large.
https://www.zdnet.com/article/fraudsters-employ-amazon-vishing-attacks-in-fake-order-scams/

May 10
When a headline says it all, there isn’t much to add, other than to emphasize “NOTHING good comes without a price”.  Remember common sense / using Wise Trust (neither of which the student in question used), protects us all.
*   https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-research-institute-through-a-student-who-wouldnt-pay-for-software/

April 11

  • Beware of the delayed disconnect phone scam; this is an update to an issue I’ve alerted you about a year or so ago, with further confirmation that the telephone companies are aware but for whatever reason are not able to deal with it (I suspect it has a lot to do with very old (relatively speaking) and expensive to replace equipment that is setup in our neighbourhoods).
  • Inside an International Tech-Support Scam; if you like real-life crime stories, read this longer than normal article on how a “white-hat hacker” has identified and turned the tables on the baddies, and was sometimes able to help people before they were victimized. If you want further proof of a baddie’s intentions, just look at the below picture of several individuals mocking a helpless victim.

April 6

Bogus email gets you to call fake tech support; this scenario typically involves an innocent / simple email that states you have a free service trial (medical services is used in this example) and to call this number to avoid future charges.  The phone call results in the person asking for the subscriber ID (hint, this is the baddies checking you out further), you’re then directed to professional looking site, asking you to fill out a downloadable form, which the same person states you can ignore the warnings from opening the document, and then you’re infected.

LinkedIn – weaponized job offers; this is basically a directed job offer – personalized lure that uses information from your LinkedIn public profile to fool you into believing this is the real deal.  Within the email is an attachment (typically a zip file to get past the spam filters) which opens an application form, and then you’re infected.

Facebook 2019 hack results available to all; understanding that there’s a significant chance your user details are freely available (i.e. the importance of unique passwords), I’m encouraging you to check a long time and trusted tool “have i been pwned” which has now been updated with both the email addresses and phone numbers from this Facebook hack (some of the key identifier is only the telephone number).

Apple iPhone – iPAD users; now would be a good time to proceed with the latest update as it provides a fix for a currently active vulnerability that if you happen upon a baddie site or unintentionally click on a bad link (remember to use Wise Trust on any correspondence).  As quoted from the following site:  “For newer iPhone and iPad users, iOS 14.4.2 is now live and available for download. For older devices like the iPhone 6, iPhone 5s and several discontinued models of iPad, iOS 12.5.2 closes this vulnerability. Apple Watch users will need WatchOS 7.3.3.”.

    FEB 25

Woman loses $340K in wire transfer scam — alleges 4 banks did little to stop it https://www.cbc.ca/amp/1.5917139
Another unfortunate tale, on top of the local Romance scam that was reported last week, with the baddies using multiple means so as to avoid further scrutiny.  Please pass on the below graphic to your family / friends so that we can all use Wise trust actions in our lives.

2020

NOVEMBER 2020

Nov24
As many of you know, I’m big on using Password phrasing (15+ characters, unique to you and just as important, puts a smile to your face) to protect yourself and AFMC from the baddies’ wrath.  In case you’re wondering what it’s like to use a simple password, please check out this article, along with noting the below statement https://www.zdnet.com/article/the-worst-passwords-of-2020-show-we-are-as-lazy-about-security-as-ever/ :

“While vendors need to be reminded that allowing easy and simple combinations do nothing to protect the privacy and security of users, it is also up to us to take responsibility for our own accounts.”

Nov 10
Once again the Baddies are throwing out various ways of infecting our devices, including our mobile phones / tablets.  Use “Wise Trust” with any and all text / SMS messages that are thrown your way (the latest is a “your parcel has been sent out”) and ask yourself why you’re getting this text message.  If by chance you’re waiting on a parcel, do not use that SMS link, and instead go to the Courier’s website using your browser.

See https://www.tomsguide.com/news/wroba-mobile-trojan-ios-android for more details

October 25
Are you sure that’s your colleague / friend? Gather many of you are aware of this past summer’s Twitter hack of celebrity accounts. The investigation is showing that the baddies found a way to contact several Twitter employees and were able to convince one of them that they were IT support, then leverage that contact to speak to others that allowed them the super access to the Twitter system.  The Wise Trust lesson is that anyone can be impersonated and you need to ask the, sometimes uncomfortable, question by calling whoever directly to make sure they are who they say they are.

October 12
In my Scam Avoidance presentations I do emphasize the following uncomfortable point: “Regardless of fault, if you get scammed, you have to own it”, and as per the article’s victims (see link below), there’s no explanation as to why the individuals lost money, even with them stating they’ve followed security recommendations (Two Factor Authentication, unique passwords, avoided opening up suspected emails,  etc.).
Sometimes Wise Trust can only go so far, but you have to look at YOUR risk capability, along with the reputation of the firm you’re working with, to be aware of how they’ll respond to hacking.
https://financialpost.com/investing/robinhood-users-say-they-watched-helplessly-as-their-accounts-got-looted-but-had-no-one-to-call-to-stop-it

September 22
Though it may seem like it’s unlikely to happen to you, the Baddies are watching for potential victims, possibly by tracking your sign up to an in-store text message promotion. 

As outlined in the below article, a couple decided to take advantage of Shoppers Drug Mart promotion with them receiving a weekly text to ‘See if you’re a winner and click on the link!’. Then one time they received a link to enter their PC Optimum login details, which resulted in their points being cashed in.

The couple had their points returned, and Shoppers is claiming that it wasn’t due to one of their texts, it is thought that the couple experienced a “smishing campaign” that is like email phishing, but done over text.  Were the baddies lucky in that this couple happen to receive one of thousands of scam texts that mimic a legitimate service or was it due to some technical hack / research, we may never know?

The takeaway, always be weary of the correspondence you receive personally and professionally, and use Wise Trust to avoid following into a victim trap.

https://www.cbc.ca/amp/1.5725268

September 15
From https://www.cbc.ca/amp/1.5713366 comes this statement:

Fraudsters stole nearly $3,000 — the maximum amount allowed for an e-transfer payment — from 48 Sunova customer accounts, using an ad on Google designed to look like Sunova’s real site and glean users’ banking information if they clicked on it and tried to log in.

Here’s the question / take away:

  1. Would your “Wise Trust” awareness be enough to not click on the first link presented? Be honest, as I’m betting that at least some of us (due to be busy or whatever) wouldn’t have spotted the fake.
  2. The victims have to own the fact that they’re on the hook for $1k deductible, as it was their own actions that resulted in the scam happening.

Lessons learned and please pass the knowledge on how to protect yourself, family and friends.

September 8
Wouldn’t you know it, it’s not enough to be on the lookout for Excel, Word and PDF attachments along with any links that the baddies throw our way, we now have to be aware of legitimate looking Google Drive, Microsoft OneDrive and SharePoint links along with OneNote attachments.  The below article is a good overview on an impersonation attempt with someone you know and the multi-layered steps they take to lure you in.  As the author states quite elegantly  “As we’ve said many times before, the only thing worse that being scammed is being scammed and then realising that the signs were there all along. Crooks don’t always make obvious mistakes, but if they do, make sure you don’t miss them.” https://nakedsecurity.sophos.com/2020/09/02/phishing-scam-uses-sharepoint-and-one-note-to-go-after-passwords/amp/ 

Ever wondered how it is that your login details from an older website breach are readily available and used as another lure to fulfill Blind Trust actions as you believe the baddies have all of your login details (it is very unlikely they have your new login details, which you’ve no doubt already changed, RIGHT?).  If you’re interested in a gentle mental exercise, see the following article from Troy Hunt  https://www.troyhunt.com/we-didnt-encrypt-your-password-we-hashed-it-heres-what-that-means/ and why you need to use unique phrases for your passwords.

September 2

Hello and I’m going to keep this short. Whatever you do, take the time to review the PDF document below, especially for the examples presented and the last page of general advice.  Please forward to your friends and family, so that we can all be aware of what’s hitting us on a regular basis and avoid being the victim.
Zix MId-Year Global Threat Report 2020 (10 MB PDF)

August 25

And now some Cyber prevention tips from the far easterly point in Canada, that is relevant no matter where you’re from in this great country of ours. Regardless if your credentials happen to have been compromised or not, following these tips will help your Wise Trust assessments of the threats we all face.  https://vocm.com/2020/08/21/better-business-bureau-cyber-attack-tips/

 

1.       If aware of a compromise implement a credit freeze / fraud alert with your bank / credit reporting agencies;

2.       Update the passwords for all of your online accounts (especially if you happen to reuse the same password – bad idea by the way);

3.       Monitor your credit card transactions carefully;

4.       Avoid fake emails;

5.       Enable multi-factor authentication where available;

6.       Shakeup your password protocol using unique password phrasing for all accounts;

7.       Play hard to get with strangers (they will do their best to lure you into Blind Trust actions that make you the victim);

8.       If you have to use public Wi-Fi connections only do so cautiously and carefully;

9.       Never click and tell.

 

August 9

Some thoughts to pass along in regards to various messaging scams that are popular, probably a rehash of old techniques:

  • Be careful of “Voice Message / Mail” notifications,
    as the baddies are taking advantage of duplicating standard layouts
    from a variety of providers.  Use Wise Trust before opening and forward
    to me if not sure;
  • In
    today’s video conferencing world, be suspicious of unexpected invites
    to Zoom, Teams or Google Meet / Duo as baddies are using them to catch
    you unaware;
  • And as always, if a message comes from someone you know, but looks odd, call the person to verify.


August 4
Are you at risk of ID theft? Here are 5 tell-tale behaviours https://www.techradar.com/news/are-you-at-risk-of-id-theft-here-are-5-tell-tale-behaviours

Very apropos given one of today’s CBC headline news regarding CERB Payments on hold due to Fraudster with a quick overview of the five behaviours we need to be careful of or avoid entirely:

  1. Not regularly checking credit card / bank statements (the latest email – text notifications from the banks is useful);
  2. Use the same username / email address & easy to remember password (password phrasing, unique password & password manager or securely document your logins);
  3. Never checked your credit report outside of getting a loan (it’s becoming easier to do so and best to do it before asking for that loan);
  4. Use Blind Trust and click on any links getting sent your way (as always, do not trust a link till you use Wise Trust to validate);
  5. Extensive sharing on social media (posting publicly your actions make it easy for the baddies to take over your account)

July 27
Received a message stating the baddie knows your password?

Given the multitude of hacks on big firms (yahoo being one infamous example) it is likely that at least one of your email addresses along with a password is known to the baddie community (see https://haveibeenpwned.com/ to confirm) and such it shouldn’t be considered unusual to get a extortion message (sometimes with very personal like details) with the baddie stating they have proof your laptop is being actively monitored by showing they have a known email / password.  If you or a family / friend receive one of these “Demand for Action” type message, stop, use Wise Trust, and reach out to your techy support to discuss further.

 See the following link for further details, with emphasis on the following three steps:

https://www.forbes.com/sites/daveywinder/2020/07/24/got-an-email-from-a-hacker-with-your-password-do-these-3-things-sextortion-scam-cybercrime-advice/#cd2ca7160c49

  1. Don’t Panic”, as it is most likely an automated message trying to lure you in;
  2. Change that password wherever you have used it”, assuming you haven’t done so already;
  3. Report It”, especially if you’re a victim (Note:  Reporting it, should include passing it on to friends, family and your technical support people.)
 

July 13
PhishingPharmingVishing, Smishing and CONSENT

Wanted to go over the various methods of either obtaining your password or gaining CONSENT as you may use Facebook / Google / Microsoft account to access other vendors:

  • Phishing; using email to fraudulently obtain personal information (for example, verifying Date of Birth) or lure you to another website;
  • Pharming; managing to make changes to your browser that has you redirected to other, sometimes look alike, web sites that ask for personal information;
  • Vishing / Smishing; using your mobile device (voice or text) that either gains your trust or threatens you to obtain information or money;
    • Note, two authority scams were perpetuated in Canada recently, causing the victims to lose $10k & $2k of their hard savings.
  • CONSENT; not all scams are direct, some utilize websites or apps in which it asks you to setup a login by using a Facebook / Google / Microsoft (Parent) account and thereby gains permissions to further infiltrate that Parent account and take it over.

Though this article is a bit dated (you now check the padlock to the left of the web address) it reiterates what to look for and use Wise Trust wherever possible to protect yourself.  Remember to pass the word to family and friends.

https://security.intuit.com/index.php/protect-your-information/phishing-pharming-vishing-and-smishing

  
July 6
Password Reuse: don’t be part of the 65% of Internet users the baddies love. Use unique passwords on all accounts, remembering that Password Phrasing makes life easier.
image.png


https://www.forbes.com/sites/brookecrothers/2020/07/03/password-safety-reset-if-you-do-one-thing-do-this—creating-a-safe-password/#41b309a57396

And another reason for getting the word out to as many people as possible is to warn them of scams.  The following 3 sentences say it all:

At the story’s end, she cried bitter tears, absolutely inconsolable at what she’d done — sending $10,000 to fraudsters posing as the police.  It was her life savings as a cleaner in Canada and the scam left her with 33 cents in her chequing account. Within about an hour Monday, it was all gone.

June 30
As we celebrate Canada Day, find time to discuss with Family and Friends that any Covid-19 app tracing you decide to participate in, comes from official government websites.  Note it may not be easy to distinguish between a government sponsored posting versus a baddie, so please discuss / share official links and avoid any social posting that demands action or looks odd.

June 22
Pretexting – Tailgating; when talking to family and friends about their security discuss the terms Pretexting (the attacker pretending to be an authority or authorized person) & Tailgating (following someone through an opened locked door, pretending to be delivery or repair person).  Either of these techniques depends on someone using “Blind Trust” to gain unauthorized access and making you the victim.  See https://www.csoonline.com/article/3546299/what-is-pretexting-definition-examples-and-prevention.html for further examples (it includes an interesting corporate / legal story).

May 31
Biases in Perceptions; came across this article, and though written from an IT risk perspective, I felt Georgia Crossland PhD researcher’s lessons are shareable to us all as they cover off the following normal human thoughts:

  1. Optimism bias; the impression that we have this under control and not questioning our actions before they’re too late;
  2. Fatalistic thinking; can’t do anything about it so why bother to make the effort to protect ourselves or our family / friends.
 One of Georgia’s last points “cognitive biases are normal mechanisms in human thinking”  is worth reminding us all when we encounter or receive scams and to use our Wise Trust actions so as to avoid being a victim.
 
Georgia’s final word “viewing the human as a solution, rather than a problem” is encouraging us all to contribute in staying safe in an uncertain, physical or electronic, world.
 

May 25
For those of us who are parents, custodians or bearers of advice, you always wonder how many times you can repeat yourself (for parents, saying “No” seems to be a favourite pastime) and such I’m always interested in finding different ways of increasing awareness of how to avoid being scammed. Came across the following article, which in a nutshell reinforces that we all make mistakes (even the author) and such puts a new perspective on being aware.  When you have a chance, check out https://www.infosecurity-magazine.com/blogs/click-here-falls-scams/. I have the following points for you to keep in mind when discussing with family and friends:

  • Some scams are intentionally badly written, so that they can identify gullible people (i.e. this is part of their strategy to fully wring out all available funds from a victim);
  • These are desperate times for a number of our associates and that desperation can lead to Blind Trust decisions that put them further into the hole (be there to support / guide them to use Wise Trust, regardless on how bad things might be);
  • A direct quote to be aware of for all of us: “The trick (from the scammers’ perspective) is to make the scam at least as convincing (if not more so) than the legitimate actions or transactions we make every day.”.

May 19
Once again encouraging you to talk to families and friends about Wise Trust actions, be aware of Covid-19 (or whatever is the news of the day) imitation sites with the purpose of doing harm by harvesting data / pushing out malware and you need to avoid clicking on text / email links that are being spammed out to you. See https://www.zdnet.com/article/crooks-are-using-realistic-looking-webpage-templates-to-trick-you-into-handing-over-personal-data/ for further details.you

April 29
Wanted to share recent news headlines that once again emphasizes that we in the community need to do more to spread the word on Wise Trust / proper password hygiene as the baddies have proven to be inhumanly mean if you don’t:

    • “Over 500,000 Zoom accounts sold on hackers forums”, a recent investigation has shown that users are using the same account credentials (email / password) that have been previously been harvested, some from many years ago, and the baddies are using these same credentials to get hits on Zoom accounts and confirming they still work.    

        • Take away; Use password phrasing or Password Manager to have unique logins for all of your accounts.

    • Keep your personal details on “public” Social Media posts to a minimum as the baddies are reading those same posts and are on the lookout for victims.

The FBI’s Charlotte office released an alert describing how scammers can use personal information on social media to break into online accounts. As people are confined to their homes, many have been drawn to social media where they’re encouraged to share information about themselves, like their pets’ names, the types of cars they’ve owned, and their mothers’ maiden names.

Many of these games are innocent, but they’re also goldmines for criminals seeking answers to account security questions. Even if you haven’t used personal information for security questions, sharing excessive information about yourself can allow attackers to craft targeted social engineering attacks against you.

March 9 
A couple of new baddie techniques to be aware of:

    • Website browsing in what you consider to be safe sites, doesn’t mean a baddie doesn’t have a trap waiting for you (similar to walking a downtown street and being pickpocket).  See the following document for an example of a Fake Security Certificate, that tries to convince you to download a current certificate.  Certificates are handled by the website owner, not by youClose the browser immediately when you encounter this and avoid wherever you were browsing previously;

    • Baddies are using OneNote file attachments as another way of loading malware on to your computer.  Regardless of the attachment, use Wise Trust to think before opening, and if not sure, delete the email.

Scroll to Top