Online security is becoming more and more important with recent schemes becoming more and more convincing. With these tools you'll be better equipped to spot a scam.
Ok, thanks for visiting! Seriously though, this is your most powerful weapon. Those “bad actors” trying to siphon your bank account are going to try all sorts of tricks to get your personal information. Even the smallest bit of personal information can be used to gather more information and add to their profile on you. Now, this post isn’t to make you paranoid, but it should make you think about who you provide your information to, and inform you that just because someone says they are someone, doesn’t mean they are.
Phishing
These are scams that come through text or email, usually telling you your password has expired or you owe some money to something or someone extremely important.
The goal of a phishing (pronounced “fishing”) attack is to get you to provide your username and password freely by fooling you into thinking you’re logging into something you trust. This can be extremely harmful, especially if they trick a person into providing their credit card, banking, or social security information. All sorts of tricks can be used for any type of online scam. There are several tools an attacker will use to try to get you to hand over your information:
Scammers will pose as someone you know, or as a well-known company, in order to gain your trust. A common scenario is a message from your boss asking you to do a secret task for them quickly. Once you reply to the email, the game starts and they can begin instructing you to do all manner of things, like purchasing gift cards and sending them the codes on the back. You may have heard of this happening with individuals purchasing thousands of dollars in iTunes gift cards to pay their unpaid taxes to the Federal Government. It sounds ludicrous from the outside, but it can be hard to notice you’re being scammed, especially with the high-pressure tactics scammers use to get you stressed and not thinking straight.
Scammers will play on your trust in companies and organizations to get what they’re after. They could pose as your boss, the FBI or RCMP, a reputable bank, or a company such as Amazon, Google or Apple. All of these entities garner some form of trust: you know they are a reputable company or agency that would never steer you wrong, so when someone poses as one of them, it’s difficult to look beyond the name and see what’s really going on.
This is the term used when someone is acting like someone they aren’t. This can be a form of phishing, but the tricky part is that they will use the same email address or phone number as someone you know; without the right skills, and that whole being vigilant thing, people can be and have been tricked. Things to watch for here are behaviour that isn’t normal for the person the scammer is trying to impersonate. For instance, the person never texts, but all of a sudden you receive a text from them. You may want to verify by other means, such as calling the person or talking to them in person. Again, don’t click on any links or respond to the message they’ve sent. A trick to verify a link is to hover your cursor/mouse pointer/finger over the link in question. That will reveal the actual website you’re being redirected to. Here’s an example for you:
Where did the link bring you? Not where it said, that’s for sure. The same trick applies to the sender’s email address: it can say one thing and be another. Always be mindful of what you are clicking on, where you are sending your information, and what you are agreeing to.
This can come in the form of an e-mail or text message (the phone-call variety is known as vishing). The point of this tactic is to see who will bite, or how many people will take the bait. Generally the bait is pretty bad, meaning these can be obvious, but in the past few years they have been getting more and more convincing. The goal behind these phishing texts and e-mails is to fool the user into believing they are providing information to a trusted source. I’m sure the fish believes the bait from the fisherman is legit as well, until it gets hooked. These messages usually claim to be from some type of financial institution, or a place where personally identifiable information (PII) is being used, such as a bank, an insurance company, or even a tax collection agency like the IRS or CRA.
Sometimes it’s obvious to the user that it’s phishing, especially when you don’t have an account at Bank-X or, being Canadian, you don’t pay taxes to the IRS. All the bad guys need is for a few people to fall for it. Maybe you don’t have an account at Bank-X, but someone else on their massive e-mail list just might. Clearly some people are biting, otherwise they wouldn’t keep trying.
If you do receive a message that you’re unsure of (and there’s no shame in this, some of these messages are difficult to verify), do not click any links provided in the e-mail. As I’ve shown above, a link can say one thing and be for a completely different site. Some scammers will go so far as to duplicate a website to look like the site they’re tricking you with, in order to get your login information. This is why it’s important that if Bank-X messages you, you contact Bank-X yourself and do not call any numbers or click any links that are provided in the email. Use information you know to be true, and if possible, physically go to the location.
Never trust a message or call from someone asking for your information, no matter how persuasive they are. Scammers will use all kinds of psychological tactics to get your information. Be vigilant, protect your data, and verify with your institutions if you are unsure. Do not follow the guidance of callers and random messages. Banks, insurance companies, and government agencies will never ask for your information. They will send a letter, or their email will instruct you to log in to their website, and they will never provide a link to click on. They also won’t ask to be paid in gift cards or the latest crypto coin, such as Bitcoin. Governments love cold hard cash. If someone is asking to be paid in something other than cash, it’s a good idea to take a minute and think long and hard about what’s going on.
If you are in doubt, or if you have your suspicions, call the institution they are claiming to be from. That means getting the correct phone number or e-mail to contact them yourself. The person on the other end may insist you use certain contact info. Be strong; remember it’s your info, your money, and you have every right to defend it, no matter how persistent and annoyed they may become. Remember, they will try to play on your insecurities.
I'll leave you with some advice from my mother when I was in grade school.
If you get called to the principal's office, and you've done nothing wrong, there's nothing to be nervous or scared about.
Same goes with someone calling you, demanding money. If you’re someone who pays their bills, pays their taxes, and isn’t in legal trouble, chances are these types of companies aren’t going to call you and aggressively ask you for money. If they do, they’ll have a process that does not start with someone shouting at you over the phone to pay them in Apple gift cards.
We had a client report a suspicious e-mail to us recently. The e-mail was from someone they deal with regularly. It came from the correct e-mail address, and even had the correct signature. The message had an attached PDF file which was described as payment info for services rendered.
When the attachment was clicked, it opened a web browser (Warning #1), then prompted the user to input their Microsoft credentials to access the file (Warning #2).
Upon closer inspection of the message, the attachment was simply an image made to appear like an attachment to the untrained, or in this case, trusting eye.
We asked if anyone had clicked the attachment, or even worse, provided their Microsoft account credentials. After some convincing, a staff admitted to doing this, and shockingly the CEO of the organization also admitted to doing this.
What occurred when the user provided their credentials was a script that harvested and stored the information and simply sent the user to a random-looking website, not providing any kind of payment info (Warning #3). When we were able to log in to the compromised account, the bad actor had not changed the password, but they had sent thousands of e-mails on behalf of the victim to a pre-configured e-mail list, as well as creating a rule that moved any incoming email to an archive folder and marked it as read. This means the victim would have no idea they were compromised, as nobody could warn them via e-mail.
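The archive-and-mark-read rule described above is a recognisable pattern that can be checked for across an organisation’s mailboxes. The Python below is an added example, not code from the post or from any vendor tool; the rule records are constructed, and the field names (`displayName`, `conditions`, and an `actions` map with `moveToFolder`, `markAsRead`, `forwardTo` and so on) are this example’s own assumed export layout rather than a specific product’s schema. `ORG_DOMAIN` is a placeholder for the organisation’s own mail domain.

```python
"""Triage mailbox inbox rules for silent-sweep and auto-forward patterns.

Added example, not from the original post or any vendor tool. The rule
records below are constructed; the field names are this example's own
assumed export layout, not a specific product's schema.
"""

ORG_DOMAIN = "example.org"  # placeholder: the organisation's own mail domain
THROWAWAY_NAMES = {"", ".", "..", ",", "-"}  # rules named with a single character or nothing


def rule_findings(rule: dict) -> list:
    """Return the reasons a rule looks like post-compromise inbox tampering.

    An empty list means the rule looks benign under these heuristics."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    broad = not conditions  # no conditions at all: the rule matches every incoming message
    dest = actions.get("moveToFolder") or ""

    # The incident pattern: every message swept into a folder and marked read,
    # so the victim never sees warnings arriving in their inbox.
    if broad and dest:
        reasons.append(f"moves ALL incoming mail to '{dest}'")
    if broad and actions.get("markAsRead"):
        reasons.append("marks ALL incoming mail as read")
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes mail automatically")
    # Forwarding or redirecting to an address outside the organisation.
    for addr in actions.get("forwardTo", []) + actions.get("redirectTo", []):
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != ORG_DOMAIN:
            reasons.append(f"forwards mail outside the organisation to {addr}")
    if rule.get("displayName", "").strip() in THROWAWAY_NAMES:
        reasons.append("rule has a throwaway name")
    return reasons


def triage(rules: list) -> list:
    """Return (rule name, reasons) for every rule with at least one finding."""
    out = []
    for rule in rules:
        reasons = rule_findings(rule)
        if reasons:
            out.append((rule.get("displayName", ""), reasons))
    return out


# Constructed sample: one benign rule, one matching the incident above, one auto-forward.
SAMPLE_RULES = [
    {"displayName": "Newsletters",
     "conditions": {"senderContains": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".",
     "conditions": {},
     "actions": {"moveToFolder": "Archive", "markAsRead": True, "stopProcessingRules": True}},
    {"displayName": "backup",
     "conditions": {"sentToMe": True},
     "actions": {"forwardTo": ["someone@freemail.invalid"]}},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for why in reasons:
            print("   -", why)
```

The unconditional move-plus-mark-read rule is reported with three findings, the external forward with one, and the ordinary newsletter filter with none. In practice the same checks run over rules exported from the mail platform, and any hit on a broad sweep or an external forward is worth an immediate look at that account’s recent sign-ins.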
This sort of threat would also give them access to anything the victim’s Microsoft account had access to, such as SharePoint, OneDrive and beyond. You can see how this could be a massive security problem, especially if someone like a CEO or CFO was compromised. See my blog post about the Principle of Least Privilege and why it is extremely important in circumstances such as this.
Even though the victim’s username and password were compromised, an MFA requirement would have requested verification through the method set up by the valid user. If the user did not approve that request (this requires proper training and understanding), the villain in this scenario would have been stopped in their tracks. However, they would still have the username and password of the victim. Users have a bad habit of using the same password for several online accounts. I always suggest using a password manager such as Bitwarden to create complex, unique passwords for all online accounts.