Author Archives: Christopher Johnson

Holiday Shopping 2017: How to avoid fake retail sites and other scams

Via: USAToday.com

1) Stop chasing any and all deals

“We live in an age where we have all these push notifications and emails,” said Steve Koenig, senior director of market research at the Consumer Technology Association, a trade group in Arlington, Va.

The volume of such activity during the holidays, he said, only makes consumers even more vulnerable to clicking on a $100 coupon before thinking twice.

“We’re all moving super fast, we get distracted,” said Tim Helming, director of product management at DomainTools.

When we’re rushing, we might not notice that the website in an email has an odd name.

Brands that continue to be spoofed include Amazon, Walmart and Target. Other brands that are commonly targeted include PayPal, Yahoo and Apple.

Helming told me that consumers need to be wary of fake sites that play up the “Black Friday” frenzy. Dozens of malicious domain registrations that touted a Black Friday connection cropped up last year beginning around Nov. 20, and he’d expect the same this year, too.

2) Learn how to spot a fake

Watch out for a domain decorated with a few extra, possibly even reassuring, words or odd spellings. DomainTools listed some brand-abusing domains that end in dot-com but are still frauds, such as Amazonsecure-shop, Target-officialsite or Walmartkt.

Other fakes include: Amazonshop.gq or Targethome.today or Walmart-outlet.ga.

Helming said domains that include a hyphen and words such as shop or secure can be good clues to a phony site, as most brands use their name alone for their sites.

Other words in a fake URL that appears to be connected to a well-known name might include outlet, discounts or deals.

Many times, the fraudsters use words like “official site” to make their fake sites look legitimate. Or there might be extra letters, such as “Yahooo” or “Walmaart.”
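The indicators above (a brand name padded with words such as shop, secure or outlet, a hyphen, an unusual top-level domain, doubled letters) can be turned into a simple defensive check for mail-filter or awareness tooling. The following is an added example, not code from the article or from DomainTools; the brand list, decoy-word list, TLD set and 0.85 similarity threshold are assumptions chosen for illustration, and the registrable-name logic assumes a one-label public suffix.

```python
"""Heuristic lookalike-domain check for the brand-abuse patterns described above."""
import re
from difflib import SequenceMatcher
from typing import NamedTuple, Tuple

# Brands the article names as commonly spoofed (list is an assumption).
BRANDS = ("amazon", "walmart", "target", "paypal", "yahoo", "apple")

# Padding words the article says fraudsters bolt onto a brand name.
DECOY_WORDS = ("secure", "shop", "official", "site", "outlet", "discount", "deal", "home")

# TLDs from the article's examples; a production list would be far longer.
ODD_TLDS = frozenset({"gq", "ga", "today"})

# Minimum difflib similarity to treat a label as a misspelt brand (assumption).
SIMILARITY_THRESHOLD = 0.85


class Verdict(NamedTuple):
    domain: str
    brand: str                  # brand the domain imitates, or "" if none
    reasons: Tuple[str, ...]    # human-readable indicators, empty when clean

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def registrable_parts(url_or_host: str) -> Tuple[str, str]:
    """Reduce a URL or hostname to (label, tld) of the registrable name.

    'https://shop.amazon.com/x' -> ('amazon', 'com'). Subdomains are dropped, so a
    legitimate 'shop.amazon.com' is judged on 'amazon', not on 'shop'.
    """
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url_or_host.strip().lower())
    host = host.split("/", 1)[0].split(":", 1)[0]
    labels = [p for p in host.split(".") if p]
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]


def squeeze(s: str) -> str:
    """Collapse runs of repeated letters: 'walmaart' -> 'walmart', 'yahooo' -> 'yaho'."""
    return re.sub(r"(.)\1+", r"\1", s)


def closest_brand(label: str) -> Tuple[str, str]:
    """Return (brand, match_type); match_type is 'exact', 'misspelt', 'padded' or ''."""
    core = label.replace("-", "")
    for b in BRANDS:
        if core == b:
            return b, "exact"
    for b in BRANDS:
        if squeeze(core) == squeeze(b):     # doubled letters (Yahooo, Walmaart)
            return b, "misspelt"
    for b in BRANDS:
        if b in core:                       # brand plus extra words (Amazonsecure-shop)
            return b, "padded"
    for b in BRANDS:
        if SequenceMatcher(None, core, b).ratio() >= SIMILARITY_THRESHOLD:
            return b, "misspelt"
    return "", ""


def assess(url_or_host: str) -> Verdict:
    """Score one URL or hostname against the article's indicators."""
    label, tld = registrable_parts(url_or_host)
    domain = f"{label}.{tld}" if tld else label
    brand, how = closest_brand(label)
    if not brand:
        return Verdict(domain, "", ())      # no brand resemblance; nothing to say

    reasons = []
    if how == "padded":
        extra = label.replace("-", "").replace(brand, "", 1)
        reasons.append(f"brand '{brand}' padded with '{extra}'")
        hits = [w for w in DECOY_WORDS if w in extra]
        if hits:
            reasons.append("decoy words: " + ", ".join(hits))
        if "-" in label:
            reasons.append("hyphen inside brand domain")
    elif how == "misspelt":
        reasons.append(f"misspelling of '{brand}'")
    if tld in ODD_TLDS:
        reasons.append(f"unusual TLD .{tld}")
    return Verdict(domain, brand, tuple(reasons))


if __name__ == "__main__":
    # The article's examples plus two constructed controls that should pass.
    samples = ["Amazonsecure-shop.com", "Target-officialsite.com", "Walmartkt.com",
               "Amazonshop.gq", "Targethome.today", "Walmart-outlet.ga",
               "Yahooo.com", "Walmaart.com", "https://shop.amazon.com/deals", "example.com"]
    for s in samples:
        v = assess(s)
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.domain:28} {flag:10} {'; '.join(v.reasons)}")
```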

Take care on social media. Phishers can use “URL shortening” services to obfuscate phishing URLs. As a result, a very short URL can be used in tweets that automatically redirects the visitor to a longer, “hidden” URL, according to the Anti-Phishing Working Group’s research.

3) Recognize the risks of rushing

Consumers who click on the links or visit malicious sites are typically unknowingly handing over their name, address, and credit card information.

Never click on links in emails or social media to go to a retailer’s website. A better bet: Take a few extra seconds to go directly to the site yourself. Be sure to take a second look at all URLs.

4) Ask yourself why would Amazon be sending you a free gift card? Really?

Yes, one of those free $50 Amazon gift cards popped up in my email the other day. Of course, it’s a spoofed email. So I just hit delete.

Amazon is warning consumers that phishing emails will direct you to a “false website that looks similar to the Amazon website, where you might be asked to provide account information such as your e-mail address and password combination.”

The fake sites can steal sensitive information that can be used without your knowledge to commit fraud, according to Amazon.

Phishers can steal usernames and passwords from one site to engage in fraud on other sites. Too many consumers carelessly use the exact same usernames and passwords across different sites.

Amazon doesn’t send emails that ask for your Social Security number, bank account information, PIN, or your Amazon.com password.

Amazon offers shoppers a way to report suspicious emails and web pages. You can forward the email or send suspicious e-mail as an attachment to stop-spoofing@amazon.com.


5) As you order gifts online, don’t get tripped up by fake email alerts

As holiday shipping goes up in November and December, the frequency of phishing emails relating to orders or shipments goes up, too.

Walmart warns that if you received an order confirmation email from Walmart but never placed such an order, it may be a “phishing scam attempting to gather information, or in some cases, spread malware.”

FedEx warns consumers about a “delivery failure” scam email.

Fraudulent emails claim to be from FedEx or the U.S. Postal Service “regarding a package that could not be delivered.”

The consumer is then asked to open an attachment in order to obtain the invoice needed to pick up their package. The attachment in the email may contain a virus.

Don’t just rush and assume there’s trouble with something that you ordered.

“Be suspicious of incoming email from unknown or unsolicited sources, especially those that have attachments as well as hyperlinks,” said Jeremy Stempien, detective for the City of Novi, Mich., and a special federal deputy marshal for the Southeast Michigan Financial Crimes Task Force.

“The same should apply to incoming phone calls,” he said.

6) Every deal you find online is not a bargain

Con artists tempt consumers with great deals on hard-to-find items or hot gifts. Maybe you’ll spot some extraordinary deal on an Apple iPhone X or find a crazy bargain price on an L.O.L. Surprise! Big Surprise toy.

Or you think you’ve found a great deal on jewelry. The Better Business Bureau and others warned in 2017, for example, about fake sites that offer up to 70% off on Pandora charms.

Charisse Ford, chief marketing officer for Pandora Americas, said shoppers should be aware that counterfeit sites have some clear indicators, including the “About Us” page that can be very generic without descriptions about the business, company mission or current Pandora images or promotions.

Another clue: Try calling and talking with someone in customer service first before placing an order to ask about return policies or the like. Shoppers are less likely to connect with a real person if going through a fraudulent site.

Companies such as Pandora note that they work hard to help identify and shut down counterfeit sites, including those on social media channels.

Con artists use phony websites to sell counterfeit goods — or engage in cybercrime.

It’s no bargain if, when you click on the link, you download malware.

“You think you are getting the discount of a lifetime or an exclusive offer, but this is a phishing attack,” warned Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Remember, bargains abound throughout the holiday season — so there’s no reason to think you absolutely must get all that shopping done right now.


Source: https://www.usatoday.com/story/money/columnist/tompor/2017/11/17/fake-amazon-gift-cards-phony-walmart-sites-and-other-cyber-scams-tempt-holiday-shoppers/862083001/

New Email Scam Using Fake Netflix Website

Via: mailguard.com.au

A scam email has appeared today that is pretending to be from Netflix. MailGuard detected the new scam early this morning and stopped the malicious emails from entering our clients’ inboxes.

This scam email is relatively well designed. The scammers are using a template system to generate individualised messages with specific recipient data.

This works like a mail-merge; the body of the email is generic, but the sender field is designed to show the name of the intended victim, which personalises the scam making it more convincing.

In this case the scammer’s system has not worked as well as they hoped, and in the example below – screen-captured by our operations team – you can see that the ‘recipient’ field in the email has not been merged successfully. Instead of the victim’s name, it shows the placeholder:

[Screenshot: phishing email with the unmerged recipient placeholder]

Aside from the error in the recipient name field, this email looks quite convincing. The message tells the intended victim that their Netflix billing information has been invalidated and urges them to update their details on the website. If the recipient clicks the link in the email they are taken to a fake Netflix page that asks them to log in and then enter their personal information, including credit card details.

Of course, this website is completely bogus and is just a mechanism for the scammers to steal the victim’s identity and credit card information.

The fake Netflix site this scam is using is built on a compromised WordPress blog. Scammers can break into WordPress sites by making use of vulnerabilities in blog plugins and once in, they can make the website look enough like a real Netflix login page to trick their victims – as shown in the screenshot above.

[Screenshot: fake Netflix login page]

[Screenshot: fake Netflix form requesting personal and payment details]

With the detailed data the fake website form asks for (address, credit card details, driver’s licence, mother’s maiden name, etc.), the scammers could potentially carry out an identity theft and gain access to the victim’s bank accounts as well as their credit cards.

Once the fake website has collected all the sensitive data the scammers want, the victim is shown a reassuring ‘reactivation’ screen.

[Screenshot: fake ‘reactivation’ confirmation screen]

If you receive an email from Netflix today, ‘Chill,’ but don’t click without thinking first. Scammers can make their fake emails and bogus websites look pretty convincing, so it’s always a good idea to check carefully that the email comes from the actual company domain and not a scammer.

Think Before You Click:

– Always hover your mouse over links within emails and check the domain they’re pointing to. If they look suspicious or unfamiliar don’t open them.

– Cybersecurity threats take many different forms, from simple spyware downloads to sophisticated ransomware attacks. Your business can be exposed through a wide variety of vectors: peripherals, USB devices, networks, attachments, etc. Security best practice recommends a layered defence strategy to protect users against web threats and malware.

Beware of This Apple iPhone Password Phishing Scam


Apple’s iPhone customers could potentially fall victim to a scam that would see them unwittingly hand over their Apple ID credentials.

Security researcher Felix Krause on Tuesday published a proof-of-concept that shows how easy it is for hackers to replicate the familiar “Sign In to iTunes Store” Apple prompt on the iPhone and steal a user’s password. According to Krause, developers can display an alert inside their apps that looks identical to the legitimate pop-up requesting a user’s credentials. If the person enters the password, the malicious app owner could steal the information and users wouldn’t even know they were targeted.

“Users are trained to just enter their Apple ID password whenever iOS prompts you to do so,” Krause wrote in a blog post. “However, those popups are not only shown on the lock screen, and the home screen, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases. This could easily be abused by any app.”

Apple ID alerts are common fare in a typical day using the iPhone. They come up when users want to make an app purchase or when account content, like iCloud data, needs to be accessed. Apple’s legitimate pop-ups display information and then request users input their Apple ID passwords to proceed.

According to Krause, any app developer can create an identical pop-up, and he was able to do just that as part of his research. Users, then, would be hard-pressed to determine whether it was a legitimate password request or one that could leave their credentials open for theft.

Still, Krause said that users can protect themselves by never entering passwords into pop-ups and instead going into the iPhone’s Settings menu and doing it there, to ensure it’s a legitimate request. He also suggests pressing the home button when a pop-up is displayed. If the home button closes the app along with the pop-up, it was a phishing scam; if the pop-up remains, it’s a real Apple request.

Looking ahead, Krause believes the best way to fix the problem is by Apple making some tweaks to the way apps ask for Apple ID passwords. Rather than use pop-ups, he says, Apple should ask users to open the Settings app and input their credentials there, thereby eliminating the apps from the process altogether.

(source: http://fortune.com/2017/10/10/apple-iphone-password-phishing-scam/)

Yahoo says all three billion accounts hacked in 2013 data theft

(Reuters) – Yahoo on Tuesday said that all 3 billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history, in a disclosure that attorneys said sharply increased the legal exposure of its new owner, Verizon Communications Inc (VZ.N).

The news expands the likely number and claims of class action lawsuits by shareholders and Yahoo account holders, they said. Yahoo, the early face of the internet for many in the world, already faced at least 41 consumer class-action lawsuits in U.S. federal and state courts, according to a company securities filing in May.

John Yanchunis, a lawyer representing some of the affected Yahoo users, said a federal judge who allowed the case to go forward still had asked for more information to justify his clients’ claims.

“I think we have those facts now,” he said. “It’s really mind-numbing when you think about it.”

Yahoo said last December that data from more than 1 billion accounts was compromised in 2013, the largest of a series of thefts that forced Yahoo to cut the price of its assets in a sale to Verizon.

Yahoo on Tuesday said “recently obtained new intelligence” showed all user accounts had been affected. The company said the investigation indicated that the stolen information did not include passwords in clear text, payment card data, or bank account information.

But the information was protected with outdated, easy-to-crack encryption, according to academic experts. It also included security questions and backup email addresses, which could make it easier to break into other accounts held by the users.

Many Yahoo users have multiple accounts, so far fewer than 3 billion were affected, but the theft ranks as the largest to date, and a costly one for the internet pioneer.

Verizon in February lowered its original offer by $350 million for Yahoo assets in the wake of two massive cyber attacks at the internet company.

Some lawyers asked whether Verizon would look for a new opportunity to address the price.

“This is a bombshell,” said Mark Molumphy, lead counsel in a shareholder derivative lawsuit against Yahoo’s former leaders over disclosures about the hacks.

Verizon did not respond to a request for comment about any possible lawsuit over the deal.

Verizon, the likely main target of legal actions, also could be challenged as it launches a new brand, Oath, to link its Yahoo, AOL and Huffington Post internet properties.

In August, in the separate lawsuit brought by Yahoo’s users, U.S. Judge Lucy Koh in San Jose, California, ruled Yahoo must face nationwide litigation brought on behalf of account owners who said their personal information was compromised in the three breaches. Yanchunis, the lawyer for the users, said his team planned to use the new information later this month to expand its allegations.

Also on Tuesday, Senator John Thune, chairman of the U.S. Senate Commerce Committee, said he plans to hold a hearing later this month over massive data breaches at Equifax Inc (EFX.N) and Yahoo. The U.S. Securities and Exchange Commission already had been probing Yahoo over the hacks.

The closing of the Verizon deal, which was first announced in July, had been delayed as the companies assessed the fallout from two data breaches that Yahoo disclosed last year. The company paid $4.48 billion for Yahoo’s core business.

A Yahoo official emphasized Tuesday that the 3 billion figure included many accounts that were opened but that were never, or only briefly, used.

The company said it was sending email notifications to additional affected user accounts.

The new revelation follows months of scrutiny by Yahoo, Verizon, cybersecurity firms and law enforcement that failed to identify the full scope of the 2013 hack.

The investigation underscores how difficult it is for companies to get ahead of hackers, even when they know their networks have been compromised, said David Kennedy, chief executive of cybersecurity firm TrustedSEC LLC.

Companies often do not have systems in place to gather up and store all the network activity that investigators could use to follow the hackers’ tracks.

“This is a real wake up call,” Kennedy said. “In most guesses, it is just guessing what they had access to.”

Source: https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-idUSKCN1C82O1

Netflix Scam Warning

via: malwarebytes

Always be on your toes

While we are used to receiving scam attempts pretending to be from banks, online shops, credit card companies and international courier services, that does not mean all the other emails are safe. Far from it. To demonstrate this point we will show you a scam aimed at Netflix customers which has been used in the Netherlands and is now doing the rounds in the UK, but could just as easily spread to the US.

The mail in question

The sender address, in this case, was supportnetflix@checkinformation[.]com and the content of the email informs us that there has been a problem with our last payment. Obviously to those of us who are not customers of Netflix this is the first red flag. The fact that the domain name checkinformation[.]com does not belong to Netflix is another big red flag. In fact, the domain is for sale at the moment of writing.

[Screenshot: phishing mail]

Netflix

Account disabled!

Dear User,

We’re having some trouble with your current billing information. We’ll try again. But in the meantime you may want to update your payment details. During the next login process, you will be required to provide some informations like (billing info, phone number, payment info)


So the email asks us to fill out our payment details on a site. This should always be a red flag for everyone. A security-aware company does not provide you with a clickable button to their site. They will tell you to log into their site and provide you with instructions on how to proceed. They will not provide a direct link to a page with a form to fill out asking for billing information and what not.

Pay attention to

When you have to provide such details always look for the green padlock in the address bar of your browser.

[Screenshot: green padlock in the browser address bar]

Remember that the green padlock is not the sole condition, but it is a must before you proceed.

Another telltale sign is spelling errors, but again, the lack of them is not a definite green light to proceed. Scammers have learned that their efficiency goes up if they pay attention to their spelling.

Also never judge a site by its looks, because phishers are masters in the art of copying the layout and images from legitimate sites. In fact, they usually link to the actual layout and images of the website they are pretending to be.

source: https://blog.malwarebytes.com/cybercrime/2017/09/netflix-scam-warning/

Hackers compromised free CCleaner software, Avast’s Piriform says

via: Reuters

SAN FRANCISCO (Reuters) – Hackers broke into British company Piriform’s free software for optimizing computer performance last month, potentially allowing them to control the devices of more than two million users, the company and independent researchers said on Monday.

The malicious program was slipped into legitimate software called CCleaner, which is downloaded for personal computers and Android phones as often as five million times a week. It cleans up junk programs and advertising cookies to speed up devices.

CCleaner is the main product made by London’s Piriform, which was bought in July by Prague-based Avast, one of the world’s largest computer security vendors. At the time of the acquisition, the company said 130 million people used CCleaner.

A version of CCleaner downloaded in August included remote administration tools that tried to connect to several unregistered web pages, presumably to download additional unauthorized programs, security researchers at Cisco’s (CSCO.O) Talos unit said.

Talos researcher Craig Williams said it was a sophisticated attack because it penetrated an established and trusted supplier in a manner similar to June’s “NotPetya” attack on companies that downloaded infected Ukrainian accounting software.

“There is nothing a user could have noticed,” Williams said, noting that the optimization software had a proper digital certificate, which means that other computers automatically trust the program.

In a blog post, Piriform confirmed that two programs released in August were compromised. It advised users of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 to download new versions. A spokeswoman said that 2.27 million users had downloaded the August version of CCleaner while only 5,000 users had installed the compromised version of CCleaner Cloud.

Piriform said that Avast, its new parent company, had uncovered the attacks on Sept. 12. A new, uncompromised version of CCleaner was released the same day and a clean version of CCleaner Cloud was released on Sept. 15, it said.

The nature of the attack code suggests that the hacker won access to a machine used to create CCleaner, Williams said.

CCleaner does not update automatically, so each person who has installed the problematic version will need to delete it and install a fresh version, he said.

Williams said that Talos detected the issue at an early stage, when the hackers appeared to be collecting information from infected machines, rather than forcing them to install new programs.

Piriform said it had worked with U.S. law enforcement to shut down a server located in the United States to which traffic was set to be directed.

It said the server was closed down on Sept. 15 “before any known harm was done”.

Source: https://www.reuters.com/article/us-security-avast/hackers-compromised-free-ccleaner-software-avasts-piriform-says-idUSKCN1BT0R9

Equifax Breach: Find out if you’re affected

via: Shannon Ortiz, Director of IT Security at Fordham University

Dear Colleagues and Students,

As you may have heard in the news, Equifax, a credit reporting agency widely used by major credit card companies, banks, retailers, and lenders (including lenders of student loans), has suffered a serious data breach affecting over 143 million people. Cybercriminals have stolen names, Social Security numbers, birth dates, addresses, and the numbers of some driver’s licenses.

Educate yourself about the breach: Equifax has set up a website, equifaxsecurity2017.com, with more information about the breach. Included is a page for checking whether your personally identifiable information (PII) was part of the breach.

If your PII was breached, Equifax gives you the option to enroll in their credit monitoring service, TrustedID Premier. Note that during the enrollment process, Equifax requires you to sign a consent form in which you agree to not take any legal action against Equifax related to the breach.

Good online hygiene: Fordham IT will NEVER ask for your username and password, or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious emails, contact IT Customer Care and allow the UISO to validate the legitimacy of these emails.

Educate yourself some more: Take the UISO’s online, self-paced course, “UISO Security Training.” The course can be accessed in Blackboard, under My Organizations. Log in to Blackboard via My.Fordham.edu or directly from Fordham’s Blackboard portal.

If you need more information, please reach out to the University Information Security Office: infosec@fordham.edu

Hurricane-Related Scams (Update)

via: US-CERT

As the peak of the 2017 hurricane season approaches, US-CERT warns users to be watchful for various malicious cyber activity targeting both disaster victims and potential donors. Users should exercise caution when handling emails that relate to recent hurricanes, even if those emails appear to originate from trusted sources. Disaster-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, or door-to-door solicitations relating to the recent hurricanes.

To avoid becoming a victim of fraudulent activity, users and administrators should consider taking the following preventive measures:

Source: https://www.us-cert.gov/ncas/current-activity/2017/09/08/Hurricane-Related-Scams

9 scams every college student (and parent) needs to watch for

via: cbsnews.com

Imagine you’re a scam artist looking for a vulnerable group to prey on.

Older people are often good marks, but they’re dispersed throughout the population, so finding a group to victimize can prove problematic. The very young are often protected by parents and may not have enough money to make them worthwhile targets. But college students? Perfect.

College students are old enough to have money, young enough to be vulnerable and likely to be unsupervised and away from home for the first time. Added bonus: because they congregate by the thousands on campuses nationwide, they’re not hard to find.

Now that you’ve gotten inside the head of those who might be preying on you or someone you love, take a few minutes to study some common college scams.

1. Tuition scam

Someone calls claiming to be with your school’s administration or admissions. They warn that your tuition is late and as a result, you’ll be dropped from your classes today. You’re ordered to pay immediately, over the phone, with a credit or prepaid card.

Solution: If you get a call involving money from anyone regarding anything, get off the phone and call the office that was mentioned yourself. Simply explain to whoever is calling that you’ll be calling them back, then check the status of whatever seems to be the problem.

This scam is a variation of the old unpaid bill scam, in which someone gets a call warning of dire consequences if they don’t immediately send money. In another common iteration, it’s a fake IRS agent warning of jail time.

2. Bad behavior

College students are legendary when it comes to finding ways to get into trouble or compromising positions. But now everyone has a smartphone, and therefore a camera. So, everything can, and will, be photographed and/or captured on video. And, yes, there are people who will pretend to like you but are actually setting you up for blackmail.

One only has to recall the Ashley Madison hack of 2015 to imagine what can happen when extremely personal information falls into the wrong hands.

Solution: If you’re going to do anything at college you wouldn’t do in front of your parents or a prospective employer, think twice. If you’re around people you don’t know, and/or you have been drinking, think 10 or 20 times.

3. Fake credit cards … and real ones

The Credit Card Accountability, Responsibility, and Disclosure (CARD) Act of 2009 banned banks from heavy credit card marketing on campus, but that doesn’t mean banks and card companies don’t still actively pursue college students.

Credit cards and other accounts that are heavily solicited are the ones most likely to be loaded with bad terms, big fees and high interest rates. Even worse, some credit card solicitations might be disguising an identity thief. Tread carefully.

Solution: If you need a credit card, don’t respond to one that solicits you. Instead, do your own hunt for the best card. The best deals in many areas of life, including credit cards, are often the least advertised, so look around online and at local banks and credit unions. Compare fees, terms and conditions, then make an informed decision.

4. Passwords

Everyone knows not to use the same simple or easy-to-guess passwords on multiple sites, or at least everyone should know. So why do we continue to risk our digital lives by using them anyway? Don’t store passwords or other sensitive information on your phone, or laptop, or anything else that can be easily stolen.

Solution: Forget changing passwords often or creating words with special characters — experts now say that advice doesn’t make passwords any harder for a bot to crack. Instead, try to make your password a long series of unrelated words. Also consider using any number of free programs to create, track and change your passwords. You just remember one password, your password manager does the rest.

5. Advance fees

If someone wants to charge you a fat fee in exchange for a loan, job, scholarship, debt counseling, completing a FAFSA (Free Application for Federal Student Aid) or almost anything else, it’s likely either a scam or someone charging too much for doing something you can do yourself.

Solution: Whatever the situation, the higher the fee, the more suspicious you should be. When it comes to scholarship and financial aid scams, the Federal Trade Commission offers these red flags to watch for:

  • “The scholarship is guaranteed or your money back.”
  • “You can’t get this information anywhere else.”
  • “I just need your credit card or bank account number to hold this scholarship.”
  • “We’ll do all the work. You just pay a processing fee.”
  • “The scholarship will cost some money.”
  • “You’ve been selected” by a “national foundation” to receive a scholarship — or “you’re a finalist” in a contest you never entered.

6. Online books

Crooks know textbooks are a huge college expense. So they set up a site, offer great deals, collect your money, then deliver nothing.

Solution: Don’t ever buy books, or anything else, online without first checking out reviews and otherwise validating the site and/or seller. Are they listed with the Better Business Bureau (BBB)? Do they have a physical address and phone number? Do you know anyone who’s used them before?

7. Nonexistent apartments

This scam is simple: Someone offers a great apartment, collects rent and/or a deposit over the phone or online for a place they don’t own, then disappears.

Solution: Don’t ever agree to rent an apartment without seeing it, both inside and out, and meeting the landlord. And don’t hand over money until you’re standing in your new apartment, key in hand.

8. Check cashing

In this scam, a “friend” asks you to cash a check for them. Maybe they even let you keep a little bit of the money for your trouble. You take their check and give them cash. Shortly after you deposit the check, it bounces. They’re long gone, and you’re out the money, as well as a returned check fee.

Solution: If you don’t know someone very well, consider cashing a check for them a gift of money from you, because it’s likely that’s what it will turn out to be.

9. Risks on Wi-Fi

Few groups are more likely than college students to spend time online via Wi-Fi at places like coffee shops, restaurants and parks. Unfortunately, public Wi-Fi subjects you to all manner of potential foul play.

Solution: Slow down hackers and ID thieves by using password protection and encryption software. Still, don’t ever log on to banking or other sensitive sites when on public Wi-Fi. And it’s not just your laptop that’s at risk. Do you have the same protections on your smartphone?

Bottom line: Remember the three golden rules of scam avoidance

While many scams, both on-campus and off, have donned high-tech clothing in recent years, most can be avoided by remembering three old-fashioned rules:

  • If something seems too good to be true, it probably is.
  • Don’t part with personal information unless you’re sure where it’s going.
  • The more someone needs money upfront, the greater the likelihood you’re about to be robbed.

Source: https://www.cbsnews.com/news/9-scams-every-college-student-and-parent-needs-to-watch-for/

MacEwan University loses $11.8 million to scammers in phishing attack

Via: edmontonjournal.com

Low-level MacEwan University staffers were tricked into transferring $11.8 million into scammers’ bank accounts in what one expert said is among the largest publicly disclosed phishing scams.

The majority of the money, $11.4 million, has been traced to bank accounts in Montreal and Hong Kong.

“We are fairly confident that we will be able to recover those funds, the $11.4 million,” MacEwan spokesman David Beharry said Thursday. “It’s a question of how long will it take for the university to retrieve that money.”

He said $6.3 million has been seized from the account in Montreal, and actions are underway to freeze the two accounts in Hong Kong.

The $11.8 million loss represents about one-tenth of what MacEwan receives as an annual operating grant from the government of Alberta. In the 2015-16 financial year, the university received $118 million from the province out of its $237.1-million budget.

“I think it’s safe to say that there was a lot of disappointment and frustration because this came down to human error,” Beharry said.

The fraud was discovered Aug. 23 after a supplier said it had not been paid. Beharry would not identify the supplier.

Fraudsters had created a website that resembled the domain of one of the university’s major suppliers. Using that site, the fraudsters impersonated the supplier, asking the university to transfer accounts payable to a new bank account the fraudsters controlled.

Three MacEwan staffers made three payments to the bogus account over a nine-day period ending Aug. 19. The university paid out $1.9 million, $22,000, and finally $9.9 million.

Beharry would not say if the staffers have been disciplined or fired.

“The university does not believe there has been any sort of collusion,” he said. “We really believe this is simply a case of human error.”

The university is working with lawyers in Montreal, London and Hong Kong on civil action to recover the money. The status of the remaining $400,000 is not known.

MacEwan conducted an audit of its business processes after discovering the fraud and put controls in place “to prevent further incidents.” An internal audit group will also investigate the incident.

An early assessment determined that “controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.”

David Shipley, CEO of Beauceron Security and former cyber-security lead at the University of New Brunswick, said MacEwan was likely the victim of what’s known as a business email compromise scam.

“It’s the single largest publicly disclosed amount I’ve seen,” he said. “That’s not to say there aren’t private companies that aren’t required to disclose this stuff that haven’t had (larger) losses.”


Shipley said Facebook and Google fell victim to similar scams, transferring “in the $100-million range” after being invoiced by fake suppliers.

“This is the intersection of people, process and technology,” he said. “People in that they got tricked, process in that being able to transfer that amount of money should have required additional financial controls. Technology played the smallest role — as in why didn’t their email filter it or alert them that (the sender) wasn’t who it said it was.”
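The three failures Shipley names (a lookalike sender domain that nothing flagged, and a bank-account change that needed no second control) can both be checked before a payment run. The following is an added example, not code from MacEwan, the Edmonton Journal or any vendor: it keeps a constructed registry of approved vendor domains, classifies the sender domain of a bank-change request as exact, lookalike (same label under another TLD, a brand name padded with hyphens or words such as “secure”, or within two character edits of the real domain, the patterns described earlier on this page) or unrelated, and refuses approval unless finance has logged a callback to the phone number already on file. Vendor names, domains, addresses and the request fields are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed registry: vendor of record -> email domain on file (assumption).
VENDOR_DOMAINS = {
    "Example Builders": "examplebuilders.com",
}

# Below this label length the "brand embedded in domain" heuristic produces
# too many false positives, so only edit distance is used for short names.
MIN_EMBED_LEN = 5


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from an email address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].strip().lower()


def domain_label(domain: str) -> str:
    """Leftmost label of a domain, e.g. 'examplebuilders' for examplebuilders.com."""
    return domain.split(".")[0]


def classify_sender(domain: str, vendor_domain: str) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for a sender domain."""
    domain, vendor_domain = domain.lower(), vendor_domain.lower()
    if domain == vendor_domain:
        return "exact"
    label, vlabel = domain_label(domain), domain_label(vendor_domain)
    # Same brand label under a different TLD (examplebuilders.co vs .com).
    if label == vlabel:
        return "lookalike"
    # Brand padded with hyphens or filler words: examplebuilders-secure.com.
    if len(vlabel) >= MIN_EMBED_LEN and vlabel in label.replace("-", ""):
        return "lookalike"
    # Typo-squats and swapped letters: examplebuildres.com.
    if levenshtein(label, vlabel) <= 2:
        return "lookalike"
    return "unrelated"


@dataclass
class BankChangeRequest:
    vendor: str              # vendor name as it appears in accounts payable
    sender: str              # From: address of the request email
    new_account: str         # requested replacement account (placeholder)
    callback_verified: bool  # finance phoned the number already on file


def review_request(req: BankChangeRequest) -> list[str]:
    """Return a list of findings; an empty list means the request is clean."""
    findings = []
    vendor_domain = VENDOR_DOMAINS.get(req.vendor)
    if vendor_domain is None:
        return ["vendor is not in the approved registry"]
    kind = classify_sender(sender_domain(req.sender), vendor_domain)
    if kind == "lookalike":
        findings.append(f"sender domain resembles {vendor_domain} but is not it")
    elif kind == "unrelated":
        findings.append("sender domain does not match the vendor of record")
    if not req.callback_verified:
        findings.append("no out-of-band callback verification recorded")
    return findings


def approve(req: BankChangeRequest) -> bool:
    """A bank-account change is approved only when review raises no findings."""
    return not review_request(req)


if __name__ == "__main__":
    suspect = BankChangeRequest("Example Builders", "ap@examplebuilders-secure.com",
                                "ACCOUNT-PLACEHOLDER", callback_verified=False)
    for finding in review_request(suspect):
        print("HOLD:", finding)
    print("approved:", approve(suspect))
```

The callback flag is the control that matters most: a lookalike check only catches sender domains that resemble the one on file, while a compromised genuine mailbox passes it, and only a phone call to the number already held for the vendor (never one quoted in the request itself) catches that case.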

Beharry said the university has funds to pay the supplier. The loss would not impact students, he said.

In a statement, Advanced Education Minister Marlin Schmidt said he is “disappointed” the university fell victim to the scam and has instructed all post-secondary institutions to review their financial controls.

“I expect post-secondary institutions to do better to protect public dollars against fraud,” Schmidt said.

Source: http://edmontonjournal.com/news/local-news/11-8-million-transferred-from-macewan-university-accounts-in-phishing-attack