Every month, hackers, spammers, and phishers get more sophisticated and come up with even more believable scams. There is no doubt you already receive tons of unsolicited email spam that is either easily detectable or removed by spam filters. However, recent phishing scams are becoming more sophisticated, and more difficult to detect.
False Photography Phishing Scams
There are a lot of ways that spammers get email addresses. Usually it is done by running spiders (automated crawlers) across the web that look for email addresses and put them in a database for automated mailing. This has been going on for decades.
A newer common scam arrives through your website's online contact form or through emails about your website. Recently, we have seen an increase in spam submissions from “photographers” who claim that your website uses one of their photos without an appropriate license. The imposter claims that use of the photo is illegal and demands compensation for these photographs.
How to Avoid These Phishing Scams
The emails haven’t been too sophisticated yet; they appear to come from an individual rather than an attorney, and their tone is emotional instead of legal. It is important to take any legal inquiry seriously, but a serious notice for any violation would come from an email account that is clearly from an attorney’s office, and many attorneys also send copies of notices via postal mail. In contrast, phishing and spam emails typically come from free anonymous accounts like @gmail.com.
These emails are designed to make you think that there could have been a photo violation, or that maybe you didn’t have the right license for some content. They may even claim to have “proof” and provide a link for you to review for more details.
Do not click on any links or download any files from someone you do not know and for something you do not expect. These most likely contain viruses that will allow the scammer to gain access to your computer. Once they have access to your computer, they can lock it and require you to pay a ransom to get access. They might also monitor your computer until you access bank accounts or collect more information from you to exploit.
Password Gathering Scams
You may also be seeing a lot of phishing scams about resetting your password with your bank, with Amazon, or with another online retailer. It’s very possible that the links in these emails are nefarious: they may lead to a scam page that collects your actual credentials so the scammer can use them, or they may link to malware. Don’t click on links in emails from these sources. Instead, if you think the email is legitimate, go directly to the company’s website to reset your password.
A handful of phishing and scam tips:
- Never click on a link from an email. Even if it looks innocent, the visible text of a link can say one thing while the actual destination is something else entirely.
- Don’t download unknown documents. Never download a PDF, Word document, or any other file from someone you are not expecting something from. If you and Bob had a conversation or past emails and you’re expecting a PDF from him, then you can probably trust it. But if Bob sends you a file out of nowhere, or a link, image or file with little to no context, do not open it. Bob’s email account may have been hacked, and the hacker may be using it to send viruses to his contact list.
- Use a service that has a built-in virus scanner. Many email platforms like Gmail and G Suite can scan attachments for viruses. It’s not 100%, but it gives you a bit of a safety net when it comes to files you receive.
- Keep your computer up to date. Often, hackers and scammers will utilize an exploit or issue in old software or operating systems to gain access to your computer. Every time you click “update later” you are increasing your risk. You should regularly update to the latest operating system, install system updates, and update any software that needs updating.
- Don’t trust senders. It’s super easy to spoof who an email comes from. You could receive an email that appears to come from your boss asking you to do something, even though they never sent it and neither their computer nor their email account was hacked.
Sophisticated Email Scams
It’s not hard to figure out who the managers are at a business. You can easily find out who the CEO, CFO, COO and CTO are from LinkedIn or the business’s website. It’s also very simple to figure out a company’s email naming convention. Usually it’s first_name.last_name @ business.com or some variation. When a spammer gets an auto-reply from someone, they may look to leverage that information.
If a hacker spams the CFO with some type of solicitation and receives an automatic reply saying they are on vacation for a week, the spammer may decide to do some spear phishing. They might make a Gmail address with the CFO’s name in it, find a co-worker, and send them an email along the lines of: “I’m on vacation and can’t get to my company email, can you respond to this ASAP and send me X.” These communications often start with a small ask or a quick question to build up trust. By the third email, the spammer may inquire about wiring money.
Remain skeptical and never send anything important over email. Do not email credit card information, bank routing numbers, or anything that you don’t want shared with the world. The majority of the world’s email platforms do not secure messages in transit or at rest.
Practice these security tips to keep from falling victim to scams:
- Antivirus software: It’s not a bad idea to run some sort of antivirus program on your computer. It could prevent you from opening something malicious and can alert you if something is found before it spreads to others on your network.
- Use different passwords: It is imperative that you use a different password for each site that you use. Do not use passwords based on your pet’s name, your year of birth or your graduation date. Each password must be unique. If someone does obtain your password, it would be terrible if they could then access all of your services. If you sign up for something like Spotify and use the same account information as for your bank, that could be bad news. Consider using something like 1Password to generate completely random passwords, or use a memorable phrase: “I like banking and depositing Money!” is a perfectly good password and impossible to guess or to brute-force with a bot. By contrast, the common convention of a name or word followed by some numbers and a symbol is very easy to crack.
- Two-factor authentication: Turn on two-factor authentication anywhere you can enable it. It is occasionally inconvenient, but it’s a huge safeguard against anyone else accessing your account.
- Email password and two-factor: Email is actually the most important account to protect with a complex password and two-factor authentication. If someone gains access to your email, they can request password resets on other websites, reset your passwords and get in. Use a complex password and enable two-factor authentication on your email.
- Passcode lock your phone: All of your security measures can be rendered useless if you don’t have a passcode lock on your phone and someone gets their hands on it. From there it is easy to get into your email, see which services you belong to, and start requesting password resets to gain access.
- Passcode lock Venmo and any other payment apps: You can now add an additional level of security to your Venmo app. There are some street / bar scams where someone will “take a picture of you” and access your Venmo account at the same time.
It is 2020 and the hackers, scammers, and spammers are only getting more sophisticated. Technology is moving at a rapid pace and it is only going to get harder and harder to determine what type of communication, email, phone call or text can be trusted.
Good luck, and be extremely wary of any and all communications that come from anonymous email addresses or from phone numbers you do not know.