FRAUD WATCH

Fraud Watch

Welcome to our Fraud Watch page. Here you will find information on fraud and scams, and how to spot them. We provide links to official websites that show the numerous ways online thieves are trying to steal your money and/or identity, and websites that can help you prevent fraud or coach you if you become a victim.

No matter how careful we think we are, scammers try to get the upper hand. They prey on our fears and anxieties with scare tactics that can hinder our better judgment. They try to trick us with email attachments that install malware on our computer, or send us links to fake web pages that steal our usernames and passwords.

Be wary of emails, SMS texts, letters, and phone calls from individuals and companies you don’t know, or messages that are unexpected. Be especially careful with “important” messages using scare tactics. And, don’t believe any offers for making a quick buck; if it seems too good to be true, it usually is!

Have you encountered a scam recently? Send an image or forward the email to FraudAlert@opcug.ca. If we haven’t already posted something similar, we’ll feature it on this page. In order to protect your privacy, we will remove your identifiers.

ONLINE RESOURCES

Zix 2020 Mid-Year Global Threat Report (10 MB PDF) – An excellent report on the numerous methods used by scammers and fraudsters to steal our money and identity

DHS package delivery notification  In these COVID-19 times of abundant online shopping, SOPHOS tells us how to avoid this latest email scam.

Here are some websites that list newer and older scams in circulation: 
Canadian Anti-Fraud Centre
Canadian Anti-Fraud Centre (COVID-19 fraud)
10 most costly scams for Canadians in 2018 (with advice from the BBB)

How to protect yourself when banking online: 
Government of Canada

What to do if you become a victim of fraud:
Canadian Anti-Fraud Centre Report a scam or fraud -Government of Ontario (includes a good list of scam types)

HOW SAFE ARE YOUR PASSWORDS?

If you allow Google Chrome to save your passwords, you can check them at https://passwords.google.com/ and see if any are compromised, duplicates, or weak.
See 9 Rules for creating and safeguarding strong passwords (CNET)

If any of your passwords are on this list, you should change them. 
Top100kUsedPasswords (use Ctrl+F to search the list)

Check if your passwords have been pawned:
https://haveibeenpwned.com/Passwords

Check if your email address has been pawned:
https://haveibeenpwned.com/

BADDIE UPDATES (by Lawrence Patterson, lawrence@opcug.ca)

Nov24
As many of you know, I’m big on using Password phrasing (15+ characters, unique to you and just as important, puts a smile to your face) to protect yourself and AFMC from the baddies’ wrath.  In case you’re wondering what it’s like to use a simple password, please check out this article, along with noting the below statement https://www.zdnet.com/article/the-worst-passwords-of-2020-show-we-are-as-lazy-about-security-as-ever/ :

“While vendors need to be reminded that allowing easy and simple combinations do nothing to protect the privacy and security of users, it is also up to us to take responsibility for our own accounts.”

Nov 10
Once again the Baddies are throwing out various ways of infecting our devices, including our mobile phones / tablets.  Use “Wise Trust” with any and all text / SMS messages that are thrown your way (the latest is a “your parcel has been sent out”) and ask yourself why you’re getting this text message.  If by chance you’re waiting on a parcel, do not use that SMS link, and instead go to the Courier’s website using your browser.

See https://www.tomsguide.com/news/wroba-mobile-trojan-ios-android for more details

October 25
Are you sure that’s your colleague / friend? Gather many of you are aware of this past summer’s Twitter hack of celebrity accounts. The investigation is showing that the baddies found a way to contact several Twitter employees and were able to convince one of them that they were IT support, then leverage that contact to speak to others that allowed them the super access to the Twitter system.  The Wise Trust lesson is that anyone can be impersonated and you need to ask the, sometimes uncomfortable, question by calling whoever directly to make sure they are who they say they are.

October 12
In my Scam Avoidance presentations I do emphasize the following uncomfortable point: “Regardless of fault, if you get scammed, you have to own it”, and as per the article’s victims (see link below), there’s no explanation as to why the individuals lost money, even with them stating they’ve followed security recommendations (Two Factor Authentication, unique passwords, avoided opening up suspected emails,  etc.).
Sometimes Wise Trust can only go so far, but you have to look at YOUR risk capability, along with the reputation of the firm you’re working with, to be aware of how they’ll respond to hacking.
https://financialpost.com/investing/robinhood-users-say-they-watched-helplessly-as-their-accounts-got-looted-but-had-no-one-to-call-to-stop-it

September 22
Though it may seem like it’s unlikely to happen to you, the Baddies are watching for potential victims, possibly by tracking your sign up to an in-store text message promotion. 

As outlined in the below article, a couple decided to take advantage of Shoppers Drug Mart promotion with them receiving a weekly text to ‘See if you’re a winner and click on the link!’. Then one time they received a link to enter their PC Optimum login details, which resulted in their points being cashed in.

The couple had their points returned, and Shoppers is claiming that it wasn’t due to one of their texts, it is thought that the couple experienced a “smishing campaign” that is like email phishing, but done over text.  Were the baddies lucky in that this couple happen to receive one of thousands of scam texts that mimic a legitimate service or was it due to some technical hack / research, we may never know?

The takeaway, always be weary of the correspondence you receive personally and professionally, and use Wise Trust to avoid following into a victim trap.

https://www.cbc.ca/amp/1.5725268

September 15
From https://www.cbc.ca/amp/1.5713366 comes this statement:

Fraudsters stole nearly $3,000 — the maximum amount allowed for an e-transfer payment — from 48 Sunova customer accounts, using an ad on Google designed to look like Sunova’s real site and glean users’ banking information if they clicked on it and tried to log in.

And here’s the Google search page (noting it can happen with any search engine):

Here’s the question / take away:

  1. Would your “Wise Trust” awareness be enough to not click on the first link presented? Be honest, as I’m betting that at least some of us (due to be busy or whatever) wouldn’t have spotted the fake.
  2. The victims have to own the fact that they’re on the hook for $1k deductible, as it was their own actions that resulted in the scam happening.

Lessons learned and please pass the knowledge on how to protect yourself, family and friends.

September 8
Wouldn’t you know it, it’s not enough to be on the lookout for Excel, Word and PDF attachments along with any links that the baddies throw our way, we now have to be aware of legitimate looking Google Drive, Microsoft OneDrive and SharePoint links along with OneNote attachments.  The below article is a good overview on an impersonation attempt with someone you know and the multi-layered steps they take to lure you in.  As the author states quite elegantly  As we’ve said many times before, the only thing worse that being scammed is being scammed and then realising that the signs were there all along. Crooks don’t always make obvious mistakes, but if they do, make sure you don’t miss them.” https://nakedsecurity.sophos.com/2020/09/02/phishing-scam-uses-sharepoint-and-one-note-to-go-after-passwords/amp/ 

Ever wondered how it is that your login details from an older website breach are readily available and used as another lure to fulfill Blind Trust actions as you believe the baddies have all of your login details (it is very unlikely they have your new login details, which you’ve no doubt already changed, RIGHT?).  If you’re interested in a gentle mental exercise, see the following article from Troy Hunt  https://www.troyhunt.com/we-didnt-encrypt-your-password-we-hashed-it-heres-what-that-means/ and why you need to use unique phrases for your passwords.

September 2

Hello and I’m going to keep this short. Whatever you do, take the time to review the PDF document below, especially for the examples presented and the last page of general advice.  Please forward to your friends and family, so that we can all be aware of what’s hitting us on a regular basis and avoid being the victim.
Zix MId-Year Global Threat Report 2020 (10 MB PDF)

August 25

And now some Cyber prevention tips from the far easterly point in Canada, that is relevant no matter where you’re from in this great country of ours. Regardless if your credentials happen to have been compromised or not, following these tips will help your Wise Trust assessments of the threats we all face.  https://vocm.com/2020/08/21/better-business-bureau-cyber-attack-tips/

 

1.       If aware of a compromise implement a credit freeze / fraud alert with your bank / credit reporting agencies;

2.       Update the passwords for all of your online accounts (especially if you happen to reuse the same password – bad idea by the way);

3.       Monitor your credit card transactions carefully;

4.       Avoid fake emails;

5.       Enable multi-factor authentication where available;

6.       Shakeup your password protocol using unique password phrasing for all accounts;

7.       Play hard to get with strangers (they will do their best to lure you into Blind Trust actions that make you the victim);

8.       If you have to use public Wi-Fi connections only do so cautiously and carefully;

9.       Never click and tell.

 

August 9

Some thoughts to pass along in regards to various messaging scams that are popular, probably a rehash of old techniques:

  • Be careful of “Voice Message / Mail” notifications,
    as the baddies are taking advantage of duplicating standard layouts
    from a variety of providers.  Use Wise Trust before opening and forward
    to me if not sure;
  • In
    today’s video conferencing world, be suspicious of unexpected invites
    to Zoom, Teams or Google Meet / Duo as baddies are using them to catch
    you unaware;
  • And as always, if a message comes from someone you know, but looks odd, call the person to verify.


August 4
Are you at risk of ID theft? Here are 5 tell-tale behaviours 
https://www.techradar.com/news/are-you-at-risk-of-id-theft-here-are-5-tell-tale-behaviours

Very apropos given one of today’s CBC headline news regarding CERB Payments on hold due to Fraudster with a quick overview of the five behaviours we need to be careful of or avoid entirely:

  1. Not regularly checking credit card / bank statements (the latest email – text notifications from the banks is useful);
  2. Use the same username / email address & easy to remember password (password phrasing, unique password & password manager or securely document your logins);
  3. Never checked your credit report outside of getting a loan (it’s becoming easier to do so and best to do it before asking for that loan);
  4. Use Blind Trust and click on any links getting sent your way (as always, do not trust a link till you use Wise Trust to validate);
  5. Extensive sharing on social media (posting publicly your actions make it easy for the baddies to take over your account)

July 27
Received a message stating the baddie knows your password?

Given the multitude of hacks on big firms (yahoo being one infamous example) it is likely that at least one of your email addresses along with a password is known to the baddie community (see https://haveibeenpwned.com/ to confirm) and such it shouldn’t be considered unusual to get a extortion message (sometimes with very personal like details) with the baddie stating they have proof your laptop is being actively monitored by showing they have a known email / password.  If you or a family / friend receive one of these “Demand for Action” type message, stop, use Wise Trust, and reach out to your techy support to discuss further.

 See the following link for further details, with emphasis on the following three steps:

https://www.forbes.com/sites/daveywinder/2020/07/24/got-an-email-from-a-hacker-with-your-password-do-these-3-things-sextortion-scam-cybercrime-advice/#cd2ca7160c49

  1. Don’t Panic”, as it is most likely an automated message trying to lure you in;
  2. Change that password wherever you have used it”, assuming you haven’t done so already;
  3. Report It”, especially if you’re a victim (Note:  Reporting it, should include passing it on to friends, family and your technical support people.)

 

July 13
PhishingPharmingVishing, Smishing and CONSENT

Wanted to go over the various methods of either obtaining your password or gaining CONSENT as you may use Facebook / Google / Microsoft account to access other vendors:

  • Phishing; using email to fraudulently obtain personal information (for example, verifying Date of Birth) or lure you to another website;
  • Pharming; managing to make changes to your browser that has you redirected to other, sometimes look alike, web sites that ask for personal information;
  • Vishing / Smishing; using your mobile device (voice or text) that either gains your trust or threatens you to obtain information or money;
    • Note, two authority scams were perpetuated in Canada recently, causing the victims to lose $10k & $2k of their hard savings.
  • CONSENT; not all scams are direct, some utilize websites or apps in which it asks you to setup a login by using a Facebook / Google / Microsoft (Parent) account and thereby gains permissions to further infiltrate that Parent account and take it over.

Though this article is a bit dated (you now check the padlock to the left of the web address) it reiterates what to look for and use Wise Trust wherever possible to protect yourself.  Remember to pass the word to family and friends.

https://security.intuit.com/index.php/protect-your-information/phishing-pharming-vishing-and-smishing

  
July 6
Password Reuse: don’t be part of the 65% of Internet users the baddies love. Use unique passwords on all accounts, remembering that Password Phrasing makes life easier.
image.png


https://www.forbes.com/sites/brookecrothers/2020/07/03/password-safety-reset-if-you-do-one-thing-do-this—creating-a-safe-password/#41b309a57396

And another reason for getting the word out to as many people as possible is to warn them of scams.  The following 3 sentences say it all:

At the story’s end, she cried bitter tears, absolutely inconsolable at what she’d done — sending $10,000 to fraudsters posing as the police.  It was her life savings as a cleaner in Canada and the scam left her with 33 cents in her chequing account. Within about an hour Monday, it was all gone.

June 30
As we celebrate Canada Day, find time to discuss with Family and Friends that any Covid-19 app tracing you decide to participate in, comes from official government websites.  Note it may not be easy to distinguish between a government sponsored posting versus a baddie, so please discuss / share official links and avoid any social posting that demands action or looks odd.

June 22
Pretexting – Tailgating; when talking to family and friends about their security discuss the terms Pretexting (the attacker pretending to be an authority or authorized person) & Tailgating (following someone through an opened locked door, pretending to be delivery or repair person).  Either of these techniques depends on someone using “Blind Trust” to gain unauthorized access and making you the victim.  See https://www.csoonline.com/article/3546299/what-is-pretexting-definition-examples-and-prevention.html for further examples (it includes an interesting corporate / legal story).

May 31
Biases in Perceptions; came across this article, and though written from an IT risk perspective, I felt Georgia Crossland PhD researcher’s lessons are shareable to us all as they cover off the following normal human thoughts:

  1. Optimism bias; the impression that we have this under control and not questioning our actions before they’re too late;
  2. Fatalistic thinking; can’t do anything about it so why bother to make the effort to protect ourselves or our family / friends.
 One of Georgia’s last points “cognitive biases are normal mechanisms in human thinking”  is worth reminding us all when we encounter or receive scams and to use our Wise Trust actions so as to avoid being a victim.
 
Georgia’s final word “viewing the human as a solution, rather than a problem” is encouraging us all to contribute in staying safe in an uncertain, physical or electronic, world.
 

May 25
For those of us who are parents, custodians or bearers of advice, you always wonder how many times you can repeat yourself (for parents, saying “No” seems to be a favourite pastime) and such I’m always interested in finding different ways of increasing awareness of how to avoid being scammed. Came across the following article, which in a nutshell reinforces that we all make mistakes (even the author) and such puts a new perspective on being aware.  When you have a chance, check out https://www.infosecurity-magazine.com/blogs/click-here-falls-scams/. I have the following points for you to keep in mind when discussing with family and friends:

  • Some scams are intentionally badly written, so that they can identify gullible people (i.e. this is part of their strategy to fully wring out all available funds from a victim);
  • These are desperate times for a number of our associates and that desperation can lead to Blind Trust decisions that put them further into the hole (be there to support / guide them to use Wise Trust, regardless on how bad things might be);
  • A direct quote to be aware of for all of us: “The trick (from the scammers’ perspective) is to make the scam at least as convincing (if not more so) than the legitimate actions or transactions we make every day.”.

May 19
Once again encouraging you to talk to families and friends about Wise Trust actions, be aware of Covid-19 (or whatever is the news of the day) imitation sites with the purpose of doing harm by harvesting data / pushing out malware and you need to avoid clicking on text / email links that are being spammed out to you. See https://www.zdnet.com/article/crooks-are-using-realistic-looking-webpage-templates-to-trick-you-into-handing-over-personal-data/ for further details.you

April 29
Wanted to share recent news headlines that once again emphasizes that we in the community need to do more to spread the word on Wise Trust / proper password hygiene as the baddies have proven to be inhumanly mean if you don’t:

    • “Over 500,000 Zoom accounts sold on hackers forums”, a recent investigation has shown that users are using the same account credentials (email / password) that have been previously been harvested, some from many years ago, and the baddies are using these same credentials to get hits on Zoom accounts and confirming they still work.    

        • Take away; Use password phrasing or Password Manager to have unique logins for all of your accounts.

    • Keep your personal details on “public” Social Media posts to a minimum as the baddies are reading those same posts and are on the lookout for victims.

The FBI’s Charlotte office released an alert describing how scammers can use personal information on social media to break into online accounts. As people are confined to their homes, many have been drawn to social media where they’re encouraged to share information about themselves, like their pets’ names, the types of cars they’ve owned, and their mothers’ maiden names.

Many of these games are innocent, but they’re also goldmines for criminals seeking answers to account security questions. Even if you haven’t used personal information for security questions, sharing excessive information about yourself can allow attackers to craft targeted social engineering attacks against you.

March 9 
A couple of new baddie techniques to be aware of:

    • Website browsing in what you consider to be safe sites, doesn’t mean a baddie doesn’t have a trap waiting for you (similar to walking a downtown street and being pickpocket).  See the following document for an example of a Fake Security Certificate, that tries to convince you to download a current certificate.  Certificates are handled by the website owner, not by youClose the browser immediately when you encounter this and avoid wherever you were browsing previously;

    • Baddies are using OneNote file attachments as another way of loading malware on to your computer.  Regardless of the attachment, use Wise Trust to think before opening, and if not sure, delete the email.

HOW TO SPOT A SCAM

12 SCAM AVOIDANCE TIPS

by Lawrence Patterson

Social Engineering Red Flags

Reprinted with permision from KnowBe4

Scam Tracking Overview

Submitted by Lawrence Patterson

SCAMS: WHAT HAS CHANGED?

A presentation (PDF) by Lawrence Patterson

SCAMS ENCOUNTERED BY OUR MEMBERS

"SHOPPERS DRUG MART" SCAMS

"We have a surprise"
(it's not a good one!)

E-mail scams with attachments

Malicious code in sheep's clothing

"AIR CANADA" SCAM

"Take our survey"

HOROSCOPE SCAM

"Your stunning horoscope at no charge"

NETFLIX BILLING PROBLEM

Cell phone text scam

INHERITANCE SCAM

Snail mail scam
(If it seems too good to be true, it usually is!)

ROGERS E-MAIL PROBLEM

"You will be blocked"

A COVID-19 scam

Looking for Bitcoin donations