
Alerts to Scams

Scams are efforts to entice you into an action that brings harm to you, your computer's contents, your computer itself, or someone you may know who is in need of assistance. Some attacks are crude in form and approach, but they all evolve. The Bad Guys now use technology to create custom attacks at the individual or community/city level, including stores or locations in your area to add legitimacy to their illegitimate and criminal acts.

Scams may seek to achieve any one, multiple or additional objectives of The Bad Guys, all at your risk:
  • Quick loss of funds and/or exposure to longer term losses
  • A financial company (bank, credit card company, etc.) needs you to give them your information
  • Delayed loss of funds often via promised investment, income or employment opportunities
  • Exposure of personal information (Name, Date of Birth, City/State of Birth, Current Address,
    Cell Phone Number, Social Security Number, Financial Institutions you have accounts with, etc.)

User ID & Password Reminders:
It is unfortunate that most people who discover they were the victim of an attack fail to immediately change their sign-on User ID and Password at those financial institutions where there is any potential The Bad Guys may have learned or discovered the credentials. Most User IDs and Passwords are highly predictable, as people continue to use their own or a family member's name and one of the 100 most frequently used passwords.

NEVER use a password that can be found in any dictionary of any language including Klingon. Dictionaries are a finite set of words, making it easy for The Bad Guys to download a dictionary into their computers to guess your password. AND IT WORKS! Making a more complex non-word password increases the time to crack a password, thus making it more expensive to crack your password. Time is money, so if taking more time to crack your password makes it unprofitable, they move on to the next account to crack.

One form of phishing used on individuals and businesses is to represent yourself as a repair or support person who needs to get something taken care of today as it was an urgent request.  In most cases the person called will violate security policies and provide the User ID and Password to an account or provide remote access to the unverified and unknown caller.  Be suspicious of anyone who calls you about problems in your business, home, computer, alarm systems, etc.  Challenge them to provide specifics on what they were told to do and who reported the problem.  Verify this with their company using a published telephone number seeking the specifics of their work and who requested the service.  If you are hung up on, notify your employer's security office.

Your User ID and Password are often your first and only line of defense.
Make it a good defense!


For more information on passwords visit TheCTGroups.com/info/TechTips/passwords

Below are some of the warning signs to think about when you receive e-mails even if they appear to be legitimate.  You can be one phone call away from stopping an attack against you if you stop and think.  Hopefully the information here can help you raise appropriate questions and, if still in question, make that phone call to protect yourself.

Below is a quick list of "red flags" with a discussion of each "red flag" below as numbered.

          1.  Implicit or Explicit Urgency               Pushing your buttons to ensure your participation
          2.  Information Required from You        Fear if you don't give them what you already gave them
          3.  Lack of Personalization                    One scam fits all ... yet people fall victim to this daily
          4.  Reply e-mail Address                       A clue things may not be what they seem
          5.  I won how much and from what?      Money for nothin'?  Just an old song title folks!
          6.  Spelling, Grammar, Punctuation       Clues the e-mail is not likely from any company
          7.  Attachment(s) for Your Action          NEVER OPEN AN UNCONFIRMED E-MAIL ATTACHMENT
          8.  Phone call: You have problems!        Microsoft (or whoever) found you have serious problems
          9.  Phone Message with Link to listen    Who gets e-mail messages about voice mail sent to them?



  1. Implicit or Explicit Urgency
    Something has happened to you or someone you believe you know and something bad will happen to you or them if you do not act quickly to prevent this from happening.  This can be anything from a family member or friend in trouble to a financial company you do business with indicating someone just emptied your account and they need your involvement now or within the next 2 to 3 days.

    STOP AND THINK.

    Creating a perception of urgency is a common trait of a scam as most people accept their "Call to Action" and immediately follow directions without a second thought or hesitation. People often transition from a "thinking mode" into "action mode" and this is how The Bad Guys take advantage of you. This approach is used in many different types of e-mail and telephone scams to entice someone to do something they should not do in order to help someone they do not know. And it has cost individuals and companies alike through theft of monies, information and potentially more.

    Thinking through a problem, even if it is an emergency, can prevent additional injury or loss and help ensure correct assistance is being provided. Stopping to think is the last thing The Bad Guys want, for then "their smoke" meant to make you act quickly starts to vanish. So why the 2 to 3 days? It is the simple fear of capture and arrest. Longer periods spent in one location raise their risks, so they want to pick up and move frequently. Stupid they are not.



  2. Information Required from You
    They need information to verify your account but they never tell you what account or why they need what they already have. You may think this is from your bank, savings and loan, Credit Union, broker, anyone who extends you credit or holds your money in any form AND YOU ARE AT RISK. Just fill out the attached form and send it to someone somewhere with all your personal information. But don't worry, whatever they can take they will and will never send you a thank you card.

    STOP AND THINK.

    Financial organizations have their data so well protected against destruction, corruption or accidental loss ... this alone is a billion dollar a year plus business. But people panic, and will send their secrets to people unknown every day. Always think through the e-mail: Why do they need me to confirm information they already have? Reason: It's not them you gave it to! If in doubt, call the company using the number on your credit card or statements. Expect the people you call to sound confused and bewildered as they will have no idea what you're talking about or go, "Oh ya, that's going around ... ignore it ... it's a scam ... you didn't open the attachment or send them anything did you?!"



  3. Lack of Personalization
    A company you are doing business with alerts you to a problem. It may be your account is being targeted by hackers, a package has been delayed or lost or damaged, they are needing to update or validate their information about you ... and on and on and on.


    STOP AND THINK.

    I am doing business with them ... they have all the information they need already.
    Any big company has computerized databases that have on-line real-time backup often with only seconds delay in replicating the databases.  Yet you are addressed only as "Dear Customer" or anything but your name or gender.  A package shipment they want to deliver to you never lists your address to confirm it is correct.  The type of account involved is never mentioned.  In short, the e-mail you received could have been sent to tens or hundreds of thousands of people without any change.



  4. Reply e-mail Address
    This is a fabricated example but it has been seen in some scams:
    An e-mail from Microsoft Corporation (or other well-known global organization) is using a personal e-mail account from a public e-mail provider in a foreign country.


    STOP AND THINK.

    Why is someone from a big company or globally recognized organization using a personal e-mail account from a public e-mail service provider in a country other than where they are headquartered or have a major office?

    For most companies this is prohibited ... all official e-mail goes through company e-mail services. Microsoft is a global corporation with Corporate Headquarters in the United States and a global e-mail network with e-mail addresses ending with @microsoft.com. Their name is recognized globally. So why is this e-mail, that appears to be from Microsoft in everything but the e-mail address(es), tied back to a public e-mail provider not using the Microsoft e-mail domain? Contractors and business partners can be provided Microsoft e-mail addresses for specific needs when involving large public companies.
    ASK YOURSELF:  Does their e-mail address make sense?

    Microsoft is also a good example of how deception can be used. Some of The Bad Guys created an e-mail account using MICR0S0FT.com which is Microsoft in all capitals with the letter "o" replaced by numeric zero. Most people never catch this game played on the mind and eyes.
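
    The two checks in this section (a big-company name on mail from a public e-mail provider, and a look-alike domain such as MICR0S0FT.com) written as a short Python sketch. This is an added example, not part of the original page; the brand table, the provider names freemail.example and webmail.example, and the function names are assumptions made for the illustration.

```python
from email.utils import parseaddr

# Assumed for this example: brand -> domains that brand really sends mail from.
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}}
# Assumed placeholder names standing in for public e-mail providers.
PUBLIC_PROVIDERS = {"freemail.example", "webmail.example"}
# Digits commonly swapped in for look-alike letters, as in MICR0S0FT.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(domain):
    """Last two labels of a domain (simplification: ignores suffixes like co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_sender(from_header):
    """Return a list of red flags for one From: header value."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["no usable e-mail address"]
    domain = registrable(address.rsplit("@", 1)[1])
    flags = []
    for brand, real_domains in BRAND_DOMAINS.items():
        if domain in real_domains:
            continue  # mail really comes from the brand's own domain
        unmasked = domain.translate(LOOKALIKES)
        if unmasked in real_domains:
            flags.append(f"look-alike domain: {domain} imitates {unmasked}")
        elif brand in display.lower().translate(LOOKALIKES):
            where = ("public e-mail provider" if domain in PUBLIC_PROVIDERS
                     else "unrelated domain")
            flags.append(f"claims to be {brand} but sent from {where} {domain}")
    return flags


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "Microsoft Support <help@MICR0S0FT.com>",
    '"Microsoft Security Team" <j.smith77@freemail.example>',
    "Microsoft <no-reply@email.microsoft.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no red flags")
```

    An empty result only means these two checks found nothing; the other red flags on this page still apply.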




  5. I won how much from what?
    You have just won millions of dollars (or Pounds Sterling, or Euros, or other currency) and you are absolutely at a loss as to when or where you entered this but you are now rich if you act fast and worry about the little details later.

    STOP AND THINK.

    Why is this organization giving me this money?
    Sometimes this is humorous when a money strapped organization like the United Nations is giving away millions of dollars to you. Face it, large well known companies and countries do not simply seek individuals out to make them instant millionaires for no reason at all, not even publicity. Look at the directions to discover how you are providing information such as your full legal name and Bank Routing and Account Numbers to someone who can provide no evidence as to who they are beyond their typing a name and an e-mail address.



  6. Spelling, Grammar, Punctuation
    Companies place great effort and expense to ensure a pristine communication to the public and their customers to avoid any unnecessary concern, ensure full clarity in the communication, and avoid any potential legal issues among other examined areas of any company communication.

    STOP AND THINK.

    Why does a US Company send a communication with so many obvious language errors?
    When you find spelling errors, confusing sentences, incorrect tense or punctuation errors you can assume this was not a company communication. English is regarded as one of the more challenging languages to master. "Hot spots" for scams are growing yet many are from China, poor countries in Africa, the Middle East, former Russian satellite states and people with more greed than morals or ethics who recognize the risk of capture and prosecution is often low. Many, but not all, scam e-mails will reflect a lesser skill level of the English language but a better awareness of large US based corporations or global organizations (such as the United Nations, the World Bank, the North Atlantic Treaty Organization, etc.). If the message is cumbersome and/or contains misspelled words, poor punctuation/capitalization and/or structure, be suspicious of the e-mail's true origin.



  7. Attachments for Your Action
    An attachment is one of the easiest means to infect your computer, steal data from your computer, monitor your computer, control your computer or seriously damage your computer. Your anti-virus and anti-malware software most likely will be unable to detect any hostile content in advance. There is a simple explanation why this happens: you told your computer to open something, you assume all risks of it being opened and thus your computer did as directed and you pay the price. Ronald Reagan said of the Russians, "Trust but Verify". With the Internet, "Verify then Trust".

    STOP AND THINK.

    For various reasons, people feel compelled to open attachments sent by unknown parties. It may be similar to the unknown package under the "Christmas Tree" they just have to open. Opening unexpected attachments from unknown person(s) is often an unwelcome experience.

    Very few people actually back up their computers, and many of those who do, do not perform the backup on a regular cycle or retain backup copies beyond the last one. Photographs of children's birthday parties, family gatherings, deceased loved ones, financial and investment records, important legal documents, certifications, etc. are all at risk by opening an unconfirmed attachment.

    If you receive an attachment, always (a) contact the sender, whether someone you personally know or a known and trusted organization that you call yourself, and (b) confirm that they sent you the attachment and confirm the name and size of the attachment. You would think twice about turning over the keys to your car to an unknown person on the street who simply approached you. You should never consider opening an attachment unless you can confirm the source, purpose and content and you trust the source.
    Yelling at your computer to stop doing things is not an effective counter-measure against a hostile attachment once you open it.



  8. Phone call: You have problems!
    It may be at night, over a week-end or holiday and you are called about a serious problem with your computer or something else that is accessible via the Internet. The caller reports Microsoft (or whoever) has detected these problems in your equipment and they can fix the problems for you. The caller now has your complete attention and your brain stops thinking while your heart is rapidly beating in a panic.

    STOP AND THINK THEN PAYBACK
     
    Your first critical step is to get your head back into the game that's being played on you, as it is very likely you are about to pay to have someone steal your information and potentially harm your computer. Here are some clues to help you identify this and take countermeasures against them.
            1. Clue:  You will hear indications the caller is inside a Call Center from the many voices in
                        the background all with the same national dialect.

            2. Clue:  Microsoft does not collect real-time "trouble reports" from personal computers and
                        does not provide real-time or other collected information to third parties potentially
                        due to privacy rights exposure across the many countries involved.

            3. Clue:  The caller says they are Microsoft Certified but is not specific in terms of what they
                        are certified in and does not offer any names or certification numbers to calm any
                        concerns or reluctance you may have.  They will deny being with Microsoft yet they
                        claim Microsoft alerted them to your problem.

            4. Clue:  The caller says they know what your problem is and can fix this for a small fee.
                        The fee is not inexpensive and can be nearly $400 depending on the level of help
                        you elect to purchase to bring this "serious problem" to an end.  Not bad work since
                        nothing is broken except your budget.

            5. Clue:  The caller now wants remote access to your computer.  You are directed to a public
                        web site and are provided a code number to enter once you are at the web site.
                        WARNING: Once you enter the code an unknown person will effectively be at your
                                         PC keyboard capable of doing anything they want to do.
                        DO NOT ENTER THE CODE NUMBER ... OTHERWISE GAME OVER AND YOU LOSE.

              The code number is generated by a third party and is tied back to The Bad Guys under a
              license to the third party.  If not, the licensed software is stolen and needs to be shut down. Record the date and time you were provided the code number and report it back to the web site owners as an illegitimate use of their licensed product.  While they may relocate to a new facility, their licensed use of the product can be terminated.  No company wants to be viewed as a potential co-conspirator in criminal activities.

              Whatever happens, the minute you use that code number to provide them access, you lost.
              They effectively are sitting at your keyboard and the only thing of major impact they cannot do is to disconnect your laptop from the Internet and stop their activities.  This will not stop anything they already started by downloading malware into your computer.
              
  9. Undelivered Parcel you say?
    Notices of parcels/packages which were not delivered are often seen and include a .zip file from which they want you to download the Delivery Label. Asking why you need a delivery label when the item was not delivered to you should be an immediate giveaway to this scam. The answer is they must get you motivated to open the attachment to do damage or steal information. Yet people fall for it. Our plus is that The Bad Guys don't know the company in enough depth to avoid another trap they laid for themselves, which is a clue to us that it is bogus. In this case a FedEx parcel could not be delivered to you on the FOURTH OF JULY, which is one of the few dates each year FedEx and others in the United States do not pick up or deliver.


  10. Voice message waiting for you!
    You receive an e-mail with the content displayed below. You have an incoming voicemail. Yet, voicemail is not real time ... it is recorded for later playback ... and it's only 8 seconds long. "8 seconds" is a cover encouraging you to take a short amount of time to hear it. It often takes less than 8 seconds to seriously infect or damage your computer as it transfers a harmful program from an unknown person into your computer. The link within the Listen button was removed for your safety. The code does not provide any link to any specific or unique file.

    Clicking the Listen Link most likely won't get you a voice mail but something else and YOU DO NOT WANT WHAT WILL HAPPEN! Don't do it!


            Whats App
            Incoming voicemail.
            Description
            Dec 5 6:54 AM
            08 seconds
            Listen
            © Whats App