Phishing
Recently, several sophisticated phishing attacks mimicking popular online services such as Office 365 have surfaced. In a recent publication by Cofense, threat actors were found to be luring employees to accept new Terms of Use and Privacy Policies to steal Office 365 login credentials. The malicious actors went to great efforts to spoof the Office 365 login screen and even used a legitimate Microsoft page if the user successfully released their credentials.
Here’s a quick reminder about phishing scams:
Phishing is the term given to the way fraudsters try to lure people into giving away personal data. This is normally done by email but can also be done by letter and by SMS (text message) too. There are few warning signs which can help you detect phishing scams:
- An unusual email address and the recipient’s email address was not shown
- An impersonal greeting
- Grammatical errors
- An unusual sense of urgency in the tone
- An undue sense of secrecy
- Unusual use of flattery.
Vishing
A series of telephone scams are also circulating, prompting a warning from Gloucestershire Constabulary. Fraudsters are running automated messages pretending to be either HMRC or Amazon Prime. The automated messages tell recipients that they owe tax and will be arrested if they fail to pay or their Amazon Prime subscription is due to expire and needs renewing.
Both these scams are called vishing. Vishing is where a fraudster uses a voice call to try and scam the listener into giving away confidential information that can be used for identity theft or transferring funds into the scammer’s account. The scammer will generally pretend to be from a legitimate business, e.g. your bank or credit card company, a company you use (e.g. Microsoft Support) or even the police, and may have already gathered some basic information about the listener through other means (e.g. social media postings) to aid their credibility. They may also imply a sense of urgency for the listener to act. So how can you stay safe?
- Be suspicious – if the caller’s intention or reason for calling sounds implausible to you or seems to offer something that is too good to be true, it probably is!
- Check any details for yourself – Remember, a legitimate, unsolicited call from the police, your bank or a utility company, for example, should not be asking for your card PIN or other secure confidential details. If you have any concerns, hang up and call the actual company or bank back on their official number to check the validity of the request or the status of your account.
Smishing
A TV Licensing SMS scam is also going around. hundreds of UK consumers have been targeted with a sophisticated text message scam offering a ‘Free TV Licence’ for a whole year. The fraud, exposed by the Parliament Street think tank’s cyber research team, is designed to steal the personal financial data of victims. The timing of the new scam coincides with the BBC’s decision to axe the universal free TV licence for over-75s has been axed in a controversial move.
The scam begins with a text message sent to the victim’s phone which reads: “Due to COVID-19 we are able to provide one year free of charge TV Licence service upon application, please visit http://tvlicences-id71839402[DOT]info/apply/”
A form of phishing, smishing is when someone tries to trick you into giving them your private information via a text or SMS message. Smishing is becoming an emerging and growing threat in the world of online security. To protect yourself, you generally don’t want to reply to text messages from people you don’t know.
Whaling
A whaling attack is a method used by cyber criminals to masquerade as a senior player at an organization and directly target senior or other important individuals at an organization, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes
At the University, this might take the form of an email from the Vice-Chancellor, a Dean or Director. Often these emails have an urgent tone making them easily identifiable when received with caution. All the tips for spotting a phishing scam apply to whaling as well.
Reporting suspicious content
If you have any concerns about suspicious content (emails, texts or phone calls), please feel free to contact the Information Centre at information.centre@stir.ac.uk
We are also investigating ways in which you can automatically report emails in your inbox, more on this soon!
If you would like to see more information and examples of phishing, please look at our IS News Blog