Tech support and Phishing scams. How to protect yourself?

As stated on Microsoft’s Malware Protection Center blog “The cornerstone of tech support scams is the deception that there is something wrong with your PC. To advance this sham, tech support scams have long abused browsers’ full screen function. Coupled with dialogue loops, the pop-up messages that just won’t go away, and the spoofing of brands like Microsoft, tech support scam websites can be convincing.”

So how do you protect yourself from such events, especially with the tax season in full swing? Typically, the scam starts like any other: via vishing (phone phishing), via an email that convinces you to click on a link, or via nefarious ads. All of them try to get you to go online, click on some link and provide personal information; in the case of vishing, they ask for your personal information over the phone.


Case point: Nefarious ads.

When the page loads, you get a pop-up message which directs you to take action.

The dialogue box is fake: it is an element of the web page itself, not a message from your browser or operating system, so be aware and cautious before clicking on any of the displayed buttons.

If you click OK on the fake dialogue box (or basically anywhere on the page), it goes into full screen mode and brings you to another webpage which opens within your browser.

Do not click on anything on these pages; just close (exit) the browser.


How to protect yourself.

Make sure you always browse websites in incognito or secure browsing mode by turning on the feature in the options of each respective browser. For more details visit

https://www.veracode.com/blog/2013/03/browser-security-settings-for-chrome-firefox-and-internet-explorer

For Microsoft Edge guidelines, visit http://download.cnet.com/blog/download-blog/how-to-use-the-microsoft-edge-browser-privately-and-securely/


Case Point: PDF Attachments

You receive a document via email that Adobe Reader supposedly can’t display because it’s a protected file, so you are told to enter your email credentials.

One example of the fraudulent PDF attachment is carried out by email messages that pretend to be official communication, for instance a quote for a product or a service from a legitimate company.

These fraudulent email messages may spoof actual people from legitimate companies to feign authenticity.

When you open the attachment, it’s an actual PDF that is made to look like an error message. It contains an instruction to “Open document with Microsoft Excel”, but the instruction is actually a link to a malicious website.

Or

You receive a PDF file supposedly from Dropbox and need to log in using your email credentials.

In this example, the PDF attachment pretends that you need to sign in to the online storage provider Dropbox to access your document. Just like the first example, this PDF document does not contain malicious code, but it contains a link to “View .PDF online”.

Clicking on the link takes you to a fake Dropbox login page that gives you options to sign in using your Google, Outlook, AOL, Yahoo!, Office 365 or other email credentials.


It’s the same level of customization for the other options. For example, for the Google option, the window first asks you to choose whether you’d like to sign in using your organizational or individual account. This step is not present in the actual Google sign-in process, but it may be there to help the attackers identify business-related account credentials. It then brings up the sign-in page.

If you enter your details, an actual PDF document (hosted in Google Drive, not Dropbox) is opened in a window.

If you follow the link and enter your credentials, the attacker now has all the information needed to get into your account.
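Both PDF cases above share one defensive check: the PDF itself carries no malicious code, only a clickable link, so the link targets are what to inspect before anyone clicks. The script below is an added example, not code from the original post or from any product it mentions. It builds a constructed, minimal (uncompressed, non-rendering) PDF that mimics the Dropbox lure, extracts every `/URI` action with a regular expression, and flags links whose host does not belong to the brand the document names. The brand-to-domain table and the sample host `files-share.example.test` are assumptions for illustration; real PDFs with compressed object streams need a full PDF parser rather than this regex pass.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Constructed sample: a bare-bones PDF whose page text says "Dropbox - View .PDF
# online" and whose only interactive element is a link annotation pointing at an
# unrelated host. It is deliberately uncompressed so the objects can be read raw.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 58 >>
stream
BT /F1 14 Tf 72 700 Td (Dropbox - View .PDF online) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 715]
   /A << /S /URI /URI (http://files-share.example.test/dropbox/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed mapping of brand names that lures impersonate to the domains those
# brands actually use for sign-in. Extend for your own environment.
BRAND_DOMAINS: dict[str, tuple[str, ...]] = {
    "dropbox": ("dropbox.com",),
    "google": ("google.com",),
    "outlook": ("live.com", "microsoft.com", "office.com"),
}

# A PDF literal string is "( ... )" with backslash escapes; "\\." consumes an
# escaped character so an escaped ")" inside the URL does not end the match.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Only the simple "(text) Tj" operator is handled; TJ arrays are out of scope.
TEXT_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def _unescape(literal: bytes) -> str:
    """Undo the PDF escapes that matter for a URL: \\( \\) and \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")


def extract_uri_links(pdf: bytes) -> list[str]:
    """Return every URL found in a /URI action, in document order."""
    return [_unescape(m) for m in URI_RE.findall(pdf)]


def brands_mentioned(pdf: bytes) -> set[str]:
    """Brand names that appear in the PDF's visible (uncompressed) text."""
    text = b" ".join(TEXT_RE.findall(pdf)).lower()
    return {brand for brand in BRAND_DOMAINS if brand.encode() in text}


def host_allowed(host: str, domains: tuple[str, ...]) -> bool:
    """True only for the domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_pdf_links(pdf: bytes) -> list[tuple[str, str]]:
    """Pair each suspicious link with the reason it was flagged."""
    findings: list[tuple[str, str]] = []
    brands = brands_mentioned(pdf)
    for url in extract_uri_links(pdf):
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https"):
            findings.append((url, f"non-web scheme '{parts.scheme}'"))
            continue
        for brand in sorted(brands):
            if not host_allowed(host, BRAND_DOMAINS[brand]):
                findings.append((url, f"document mentions {brand} but links to {host}"))
        if parts.scheme == "http":
            findings.append((url, "plain http link, credentials would travel unencrypted"))
    return findings


if __name__ == "__main__":
    for link, reason in check_pdf_links(SAMPLE_PDF):
        print(f"FLAG {link}: {reason}")
```

Run against a real attachment by replacing `SAMPLE_PDF` with the file's bytes; a lure that names a brand but links elsewhere, as in the Dropbox example, shows up as a brand/host mismatch, while a link to a genuine subdomain of the named brand is left alone.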

So how do you stay safe from phishing attacks?

As the above examples show, phishing and social engineering are designed to take advantage of a momentary lapse in judgement that leads to the wrong decision. Awareness is key.

Using the PhishPro platform, a plug-in to Office 365, you don’t have to make these decisions. If you’re not sure which emails are safe and which aren’t, simply send the details to a PhishPro Security Analyst, who will evaluate the contents of the emails and open and detonate any attachments to validate the information. If it is malicious, you will receive feedback within 24 hours; if it is not, you will get your information back. This helps ensure you are always safe. In addition, if you are the enterprise administrator you can educate your workforce and increase awareness by conducting simulated phishing campaigns that mimic real-life scenarios, track the details of each campaign and educate the specific individuals who fail them. This will not only enhance your posture but also prevent future phishing attacks on your organization, as your workforce is the first line of defense.